aikido-zen 1.0.2.beta.10 → 1.0.3

data/lib/aikido/zen/rails_engine.rb

@@ -12,8 +12,10 @@ module Aikido::Zen
     initializer "aikido.add_middleware" do |app|
       app.middleware.insert_before 0, Aikido::Zen::Middleware::ForkDetector
 
-      app.middleware.use Aikido::Zen::Middleware::SetContext
-      app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      app.middleware.use Aikido::Zen::Middleware::ContextSetter
+      app.middleware.use Aikido::Zen::Middleware::AllowedAddressChecker
+      app.middleware.use Aikido::Zen::Middleware::AttackProtector
+      app.middleware.use Aikido::Zen::Middleware::AttackWaveProtector
       # Request Tracker stats do not consider failed request or 40x, so the middleware
       # must be the last one wrapping the request.
       app.middleware.use Aikido::Zen::Middleware::RequestTracker

data/lib/aikido/zen/request/rails_router.rb

@@ -62,16 +62,31 @@ module Aikido::Zen
       nil
     end
 
-    private def build_route(route, request, prefix: request.script_name)
+    private
+
+    def build_route(route, request, prefix: request.script_name)
       route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
 
       path = if prefix.present?
-        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+        prefix_route_path(prefix.to_s, route_wrapper.path)
       else
         route_wrapper.path
       end
 
       Aikido::Zen::Route.new(verb: request.request_method, path: path)
     end
+
+    def prefix_route_path(string1, string2)
+      # The strings appear to start with "/", allowing them to be concatenated
+      # directly after removing trailing "/". However, as it is not currently
+      # known whether this is guaranteed, we insert a separator when necessary.
+
+      separator = string2.start_with?("/") ? "" : "/"
+
+      string1 = string1.chomp("/")
+      string2 = string2.chomp("/")
+
+      "#{string1}#{separator}#{string2}"
+    end
   end
 end

data/lib/aikido/zen/request.rb

@@ -22,13 +22,11 @@ module Aikido::Zen
       @config = config
       @framework = framework
       @router = router
-      @body_read = false
     end
 
     def __setobj__(delegate) # :nodoc:
       super
-      @body_read = false
-      @route = @normalized_header = @truncated_body = nil
+      @route = @normalized_header = nil
     end
 
     # @return [Aikido::Zen::Route] the framework route being requested.
@@ -41,8 +39,6 @@ module Aikido::Zen
       @schema ||= Aikido::Zen::Request::Schema.build
     end
 
-    # @api private
-    #
     # @return [String] the IP address of the client making the request.
     def client_ip
       return @client_ip if @client_ip
@@ -74,42 +70,12 @@ module Aikido::Zen
         }
     end
 
-    # @api private
-    #
-    # Reads the first 16KiB of the request body, to include in attack reports
-    # back to the Aikido server. This method should only be called if an attack
-    # is detected during the current request.
-    #
-    # If the underlying IO object has been partially (or fully) read before,
-    # this will attempt to restore the previous cursor position after reading it
-    # if possible, or leave if rewund if not.
-    #
-    # @param max_size [Integer] number of bytes to read at most.
-    #
-    # @return [String]
-    def truncated_body(max_size: 16384)
-      return @truncated_body if @body_read
-      return nil if body.nil?
-
-      begin
-        initial_pos = body.pos if body.respond_to?(:pos)
-        body.rewind
-        @truncated_body = body.read(max_size)
-      ensure
-        @body_read = true
-        body.rewind
-        body.seek(initial_pos) if initial_pos && body.respond_to?(:seek)
-      end
-    end
-
     def as_json
       {
-        method: request_method.downcase,
+        method: request_method.upcase,
         url: url,
         ipAddress: client_ip,
         userAgent: user_agent,
-        headers: normalized_headers.reject { |_, val| val.to_s.empty? },
-        body: truncated_body,
         source: framework,
         route: route&.path
       }

data/lib/aikido/zen/route.rb

@@ -39,8 +39,58 @@ module Aikido::Zen
       [verb, path].hash
     end
 
+    # Sort routes by wildcard matching order deterministically:
+    #
+    #   1. Exact path before wildcard path
+    #   2. Fewer wildcards in path relative to path length
+    #   3. Earliest wildcard position in path
+    #   4. Exact verb before wildcard verb
+    #   5. Lexicographic path (tie-break)
+    #   6. Lexicographic verb (tie-break)
+    #
+    # @return [Array] the sort key
+    def sort_key
+      @sort_key ||= begin
+        stars = []
+        i = -1
+        while (i = path.index("*", i + 1))
+          stars << i
+        end
+
+        [
+          stars.empty? ? 0 : 1,
+          stars.length - path.length,
+          stars,
+          (verb == "*") ? 1 : 0,
+          path,
+          verb
+        ].freeze
+      end
+    end
+
+    def match?(other)
+      other.is_a?(Route) &&
+        pattern(verb).match?(other.verb) &&
+        pattern(path).match?(other.path)
+    end
+
     def inspect
       "#<#{self.class.name} #{verb} #{path.inspect}>"
     end
+
+    # Construct a regular expression equivalent to the wildcard string,
+    # where '*' is the wildcard operator.
+    #
+    # The resulting pattern matches the entire input, allows an optional
+    # trailing slash, and is case-insensitive.
+    #
+    # All other special characters in the regular expression are escaped
+    # so that they are treated literally.
+    #
+    # @param string [String] wildcard string
+    # @return [Regexp] regular expression matching the wildcard string
+    private def pattern(string)
+      /^#{Regexp.escape(string).gsub("\\*", ".*")}\/?$/i
+    end
   end
 end

data/lib/aikido/zen/runtime_settings/endpoints.rb

@@ -16,24 +16,53 @@ module Aikido::Zen
     # @param data [Array<Hash>]
     # @return [Aikido::Zen::RuntimeSettings::Endpoints]
     def self.from_json(data)
-      data = Array(data).map { |item|
-        route = Route.new(verb: item["method"], path: item["route"])
-        settings = RuntimeSettings::ProtectionSettings.from_json(item)
+      endpoint_pairs = Array(data).map do |value|
+        route = Route.new(verb: value["method"], path: value["route"])
+        settings = RuntimeSettings::ProtectionSettings.from_json(value)
         [route, settings]
-      }.to_h
+      end
 
-      new(data)
+      # Sort endpoints by wildcard matching order
+      endpoint_pairs.sort_by! do |route, settings|
+        route.sort_key
+      end
+
+      new(endpoint_pairs.to_h)
     end
 
-    def initialize(data = {})
-      @endpoints = data
+    # @param endpoints [Hash] the endpoints in wildcard matching order
+    # @return [Aikido::Zen::RuntimeSettings::Endpoints]
+    def initialize(endpoints = {})
+      @endpoints = endpoints
       @endpoints.default = RuntimeSettings::ProtectionSettings.none
     end
 
     # @param route [Aikido::Zen::Route]
     # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
     def [](route)
-      @endpoints[route]
+      return @endpoints[route] if @endpoints.key?(route)
+
+      # Wildcard endpoint matching
+
+      @endpoints.each do |pattern, settings|
+        return settings if pattern.match?(route)
+      end
+
+      @endpoints.default
+    end
+
+    # @param route [Aikido::Zen::Route]
+    # @return [Array<Aikido::Zen::RuntimeSettings::ProtectionSettings>]
+    def match(route)
+      matches = []
+
+      @endpoints.each do |pattern, settings|
+        matches << settings if pattern.match?(route)
+      end
+
+      matches << @endpoints.default if matches.empty?
+
+      matches
     end
 
     # @!visibility private

data/lib/aikido/zen/runtime_settings.rb

@@ -11,11 +11,11 @@ module Aikido::Zen
   #
   # You can subscribe to changes with +#add_observer(object, func_name)+, which
   # will call the function passing the settings as an argument.
-  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :skip_protection_for_ips, :received_any_stats) do
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :allowed_ips, :received_any_stats, :blocking_mode) do
     def initialize(*)
       super
       self.endpoints ||= RuntimeSettings::Endpoints.new
-      self.skip_protection_for_ips ||= RuntimeSettings::IPSet.new
+      self.allowed_ips ||= RuntimeSettings::IPSet.new
     end
 
     # @!attribute [rw] updated_at
@@ -35,7 +35,7 @@ module Aikido::Zen
     # @!attribute [rw] blocked_user_ids
     #   @return [Array]
 
-    # @!attribute [rw] skip_protection_for_ips
+    # @!attribute [rw] allowed_ips
     #   @return [Aikido::Zen::RuntimeSettings::IPSet]
 
     # Parse and interpret the JSON response from the core API with updated
@@ -53,8 +53,9 @@ module Aikido::Zen
       self.heartbeat_interval = data["heartbeatIntervalInMS"].to_i / 1000
       self.endpoints = RuntimeSettings::Endpoints.from_json(data["endpoints"])
       self.blocked_user_ids = data["blockedUserIds"]
-      self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      self.allowed_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
       self.received_any_stats = data["receivedAnyStats"]
+      self.blocking_mode = data["block"]
 
       updated_at != last_updated_at
     end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -21,14 +21,15 @@ module Aikido::Zen
       # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
       def self.call(filepath:, sink:, context:, operation:)
         context.payloads.each do |payload|
-          next unless new(filepath, payload.value).attack?
+          next unless new(filepath, payload.value.to_s).attack?
 
           return Attacks::PathTraversalAttack.new(
             sink: sink,
             input: payload,
             filepath: filepath,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -16,14 +16,15 @@ module Aikido::Zen
       #
       def self.call(command:, sink:, context:, operation:)
         context.payloads.each do |payload|
-          next unless new(command, payload.value).attack?
+          next unless new(command, payload.value.to_s).attack?
 
           return Attacks::ShellInjectionAttack.new(
             sink: sink,
             input: payload,
             command: command,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -32,7 +32,7 @@ module Aikido::Zen
         end
 
         context.payloads.each do |payload|
-          next unless new(query, payload.value, dialect).attack?
+          next unless new(query, payload.value.to_s, dialect).attack?
 
           return Attacks::SQLInjectionAttack.new(
             sink: sink,
@@ -40,7 +40,8 @@ module Aikido::Zen
             input: payload,
             dialect: dialect,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -51,7 +51,8 @@ module Aikido::Zen
             request: request,
             input: payload,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
 
           return attack

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -20,7 +20,8 @@ module Aikido::Zen
           address: offending_address,
           sink: sink,
           context: context,
-          operation: "#{sink.operation}.#{operation}"
+          operation: "#{sink.operation}.#{operation}",
+          stack: Aikido::Zen.clean_stack_trace
         )
       end
 
@@ -44,6 +45,9 @@ module Aikido::Zen
 
       DANGEROUS_ADDRESSES = [
         IPAddr.new("169.254.169.254"),
+        IPAddr.new("100.100.100.200"),
+        IPAddr.new("::ffff:169.254.169.254"),
+        IPAddr.new("::ffff:100.100.100.200"),
         IPAddr.new("fd00:ec2::254")
       ]
     end

data/lib/aikido/zen/sinks/action_controller.rb

@@ -43,8 +43,10 @@ module Aikido::Zen
         end
 
         private def should_throttle?(request)
+          # Bypass rate limiting for allowed IPs
+          return false if @settings.allowed_ips.include?(request.ip)
+
           return false unless @settings.endpoints[request.route].rate_limiting.enabled?
-          return false if @settings.skip_protection_for_ips.include?(request.ip)
 
           result = @detached_agent.calculate_rate_limits(request)
           return false unless result

data/lib/aikido/zen/sinks/pg.rb

@@ -42,9 +42,15 @@ module Aikido::Zen
           ::PG::Connection.class_eval do
             extend Sinks::DSL
 
-            %i[
-              send_query exec sync_exec async_exec
-              send_query_params exec_params sync_exec_params async_exec_params
+            [
+              :send_query,
+              :exec,
+              :sync_exec,
+              :async_exec,
+              :send_query_params,
+              :exec_params,
+              :sync_exec_params,
+              :async_exec_params
             ].each do |method_name|
               presafe_sink_before method_name do |query|
                 Helpers.safe do
@@ -53,8 +59,11 @@ module Aikido::Zen
               end
             end
 
-            %i[
-              send_prepare prepare async_prepare sync_prepare
+            [
+              :send_prepare,
+              :prepare,
+              :async_prepare,
+              :sync_prepare
             ].each do |method_name|
               presafe_sink_before method_name do |_, query|
                 Helpers.safe do

data/lib/aikido/zen/sinks/socket.rb

@@ -68,6 +68,13 @@ module Aikido::Zen
             # :nocov:
             Helpers.scan(remote_host, socket, "open")
             # :nocov:
+          rescue Aikido::Zen::UnderAttackError, Aikido::Zen::Sinks::DSL::PresafeError
+            # If the scan raises an exception that will escape the safe block,
+            # the open socket must be closed because it will not be returned,
+            # so the user cannot close it.
+            socket.close
+
+            raise
           end
         end
       end

data/lib/aikido/zen/sinks.rb

@@ -28,6 +28,7 @@ require_relative "sinks/patron"
 require_relative "sinks/typhoeus" if defined?(::Typhoeus)
 require_relative "sinks/async_http"
 require_relative "sinks/em_http"
+
 require_relative "sinks/mysql2"
 require_relative "sinks/pg"
 require_relative "sinks/sqlite3"

data/lib/aikido/zen/system_info.rb

@@ -8,12 +8,8 @@ require_relative "package"
 module Aikido::Zen
   # Provides information about the currently running Agent.
   class SystemInfo
-    def initialize(config = Aikido::Zen.config)
-      @config = config
-    end
-
     def attacks_block_requests?
-      !!@config.blocking_mode
+      !!Aikido::Zen.blocking_mode?
     end
 
     def attacks_are_only_reported?

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.0.2.beta.10"
+    VERSION = "1.0.3"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.48"

data/lib/aikido/zen.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative "zen/helpers"
 require_relative "zen/version"
 require_relative "zen/errors"
 require_relative "zen/actor"
@@ -13,13 +14,16 @@ require_relative "zen/context"
 require_relative "zen/detached_agent"
 require_relative "zen/middleware/middleware"
 require_relative "zen/middleware/fork_detector"
-require_relative "zen/middleware/set_context"
-require_relative "zen/middleware/check_allowed_addresses"
+require_relative "zen/middleware/context_setter"
+require_relative "zen/middleware/allowed_address_checker"
+require_relative "zen/middleware/attack_protector"
+require_relative "zen/middleware/attack_wave_protector"
 require_relative "zen/middleware/request_tracker"
 require_relative "zen/outbound_connection"
 require_relative "zen/outbound_connection_monitor"
 require_relative "zen/runtime_settings"
 require_relative "zen/rate_limiter"
+require_relative "zen/attack_wave"
 require_relative "zen/scanners"
 
 module Aikido
@@ -77,6 +81,16 @@ module Aikido
       @runtime_settings = settings
     end
 
+    # @return [Boolean] whether the Aikido agent is currently blocking requests.
+    #   Blocking mode is configured at startup and can be controlled through the
+    #   Aikido dashboard at runtime.
+    def self.blocking_mode?
+      blocking_mode = runtime_settings.blocking_mode
+      return blocking_mode unless blocking_mode.nil?
+
+      config.blocking_mode
+    end
+
     # Gets information about the current system configuration, which is sent to
     # the server along with any events.
     def self.system_info
@@ -89,10 +103,6 @@ module Aikido
       @collector ||= Collector.new
     end
 
-    def self.detached_agent
-      @detached_agent ||= DetachedAgent::Agent.new
-    end
-
     # Gets the current context object that holds all information about the
     # current request.
     #
@@ -118,6 +128,18 @@ module Aikido
       collector.track_request
     end
 
+    # Track statistics about an attack wave the app is handling.
+    #
+    # @param attack_wave [Aikido::Zen::Events::AttackWave]
+    # @return [void]
+    def self.track_attack_wave(attack_wave)
+      collector.track_attack_wave(being_blocked: false)
+    end
+
+    # Track statistics about a route that the app has discovered.
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [void]
     def self.track_discovered_route(request)
       collector.track_route(request)
     end
@@ -173,6 +195,11 @@ module Aikido
       collector.middleware_installed!
     end
 
+    # @return [Aikido::Zen::AttackWave::Detector] the attack wave detector.
+    def self.attack_wave_detector
+      @attack_wave_detector ||= AttackWave::Detector.new
+    end
+
     # @!visibility private
     # Load all sources.
     #
@@ -210,6 +237,10 @@ module Aikido
       @agent ||= Agent.start
     end
 
+    def self.detached_agent
+      @detached_agent ||= DetachedAgent::Agent.new
+    end
+
     def self.detached_agent_server
       @detached_agent_server ||= DetachedAgent::Server.start
     end
@@ -250,5 +281,24 @@ module Aikido
         @detached_agent&.handle_fork
       end
     end
+
+    # @!visibility private
+    # Returns the stack trace trimmed to where execution last entered Zen.
+    #
+    # @return [String]
+    def self.clean_stack_trace
+      stack_trace = caller_locations
+
+      spec = Gem.loaded_specs["aikido-zen"]
+
+      # Only trim stack frames from .../lib/aikido/zen/ in the aikido-zen gem,
+      # so calls in sample apps are preserved.
+      lib_path_start = File.expand_path(File.join(spec.full_gem_path, "lib", "aikido", "zen")) + File::SEPARATOR
+
+      index = stack_trace.index { |frame| !File.expand_path(frame.path).start_with?(lib_path_start) }
+      stack_trace = stack_trace[index..] if index
+
+      stack_trace.map(&:to_s).join("\n")
+    end
   end
 end

data/tasklib/bench.rake

@@ -87,7 +87,7 @@ Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
       end
 
       task :boot_unprotected_app do
-        boot_server(dir, port: PORT_UNPROTECTED, env: {"AIKIDO_DISABLED" => "true"})
+        boot_server(dir, port: PORT_UNPROTECTED, env: {"AIKIDO_DISABLE" => "true"})
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.2.beta.10
+  version: 1.0.3
 platform: ruby
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-10-30 00:00:00.000000000 Z
+date: 2025-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -74,6 +74,7 @@ files:
 - docs/config.md
 - docs/proxy.md
 - docs/rails.md
+- docs/troubleshooting.md
 - lib/aikido-zen.rb
 - lib/aikido/zen.rb
 - lib/aikido/zen/actor.rb
@@ -81,7 +82,10 @@ files:
 - lib/aikido/zen/agent/heartbeats_manager.rb
 - lib/aikido/zen/api_client.rb
 - lib/aikido/zen/attack.rb
+- lib/aikido/zen/attack_wave.rb
+- lib/aikido/zen/attack_wave/helpers.rb
 - lib/aikido/zen/background_worker.rb
+- lib/aikido/zen/cache.rb
 - lib/aikido/zen/capped_collections.rb
 - lib/aikido/zen/collector.rb
 - lib/aikido/zen/collector/event.rb
@@ -100,13 +104,16 @@ files:
 - lib/aikido/zen/detached_agent/server.rb
 - lib/aikido/zen/errors.rb
 - lib/aikido/zen/event.rb
+- lib/aikido/zen/helpers.rb
 - lib/aikido/zen/internals.rb
-- lib/aikido/zen/middleware/check_allowed_addresses.rb
+- lib/aikido/zen/middleware/allowed_address_checker.rb
+- lib/aikido/zen/middleware/attack_protector.rb
+- lib/aikido/zen/middleware/attack_wave_protector.rb
+- lib/aikido/zen/middleware/context_setter.rb
 - lib/aikido/zen/middleware/fork_detector.rb
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
 - lib/aikido/zen/middleware/request_tracker.rb
-- lib/aikido/zen/middleware/set_context.rb
 - lib/aikido/zen/outbound_connection.rb
 - lib/aikido/zen/outbound_connection_monitor.rb
 - lib/aikido/zen/package.rb