aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen/runtime_settings/ip_set.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module Aikido::Zen
+  # Models a list of IP addresses or CIDR blocks, where we can check if a given
+  # address is part of any of the members.
+  class RuntimeSettings::IPSet
+    def self.from_json(ips)
+      new(Array(ips).map { |ip| IPAddr.new(ip) })
+    end
+
+    def initialize(ips = Set.new)
+      @ips = ips.to_set
+    end
+
+    def empty?
+      @ips.empty?
+    end
+
+    def include?(ip)
+      @ips.any? { |pattern| pattern === ip }
+    end
+    alias_method :===, :include?
+
+    def ==(other)
+      other.is_a?(RuntimeSettings::IPSet) && to_set == other.to_set
+    end
+
+    protected
+
+    def to_set
+      @ips
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/protection_settings.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require_relative "ip_set"
+require_relative "rate_limit_settings"
+
+module Aikido::Zen
+  # Models the settings for a given Route as configured in the Aikido UI.
+  class RuntimeSettings::ProtectionSettings
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings] singleton
+    #   instance for endpoints with no configured protections on a given route,
+    #   that can be used as a default value for routes.
+    def self.none
+      @no_settings ||= new
+    end
+
+    # Initialize settings from an API response.
+    #
+    # @param data [Hash] the deserialized JSON data.
+    # @option data [Boolean] "forceProtectionOff" whether the user has
+    #   disabled attack protection for this route.
+    # @option data [Array<String>] "allowedIPAddresses" the list of IPs that
+    #   can make requests to this endpoint.
+    # @option data [Hash] "rateLimiting" the rate limiting options for this
+    #   endpoint. See {Aikido::Zen::RuntimeSettings::RateLimitSettings.from_json}.
+    #
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
+    # @raise [IPAddr::InvalidAddressError] if any of the IPs in
+    #   "allowedIPAddresses" is not a valid address or family.
+    def self.from_json(data)
+      ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      rate_limiting = RuntimeSettings::RateLimitSettings.from_json(data["rateLimiting"])
+
+      new(
+        protected: !data["forceProtectionOff"],
+        allowed_ips: ips,
+        rate_limiting: rate_limiting
+      )
+    end
+
+    # @return [Aikido::Zen::RuntimeSettings::IPSet] list of IP addresses which
+    #   are allowed to make requests on this route. If empty, all IP addresses
+    #   are allowed.
+    attr_reader :allowed_ips
+
+    # @return [Aikido::Zen::RuntimeSettings::RateLimitSettings]
+    attr_reader :rate_limiting
+
+    def initialize(
+      protected: true,
+      allowed_ips: RuntimeSettings::IPSet.new,
+      rate_limiting: RuntimeSettings::RateLimitSettings.disabled
+    )
+      @protected = !!protected
+      @rate_limiting = rate_limiting
+      @allowed_ips = allowed_ips
+    end
+
+    def protected?
+      @protected
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Simple data object that holds the configuration for rate limiting a given
+  # endpoint.
+  class RuntimeSettings::RateLimitSettings
+    # Initialize the settings from an API response.
+    #
+    # @param data [Hash] the deserialized JSON data.
+    # @option data [Boolean] "enabled"
+    # @option data [Integer] "maxRequests"
+    # @option data [Integer] "windowSizeInMS"
+    #
+    # @return [Aikido::Zen::RateLimitSettings]
+    def self.from_json(data)
+      new(
+        enabled: !!data["enabled"],
+        max_requests: Integer(data["maxRequests"]),
+        period: Integer(data["windowSizeInMS"]) / 1000
+      )
+    end
+
+    # Initializes a disabled object that we can use as a default value for
+    # endpoints that have not configured rate limiting.
+    #
+    # @return [Aikido::Zen::RuntimeSettings::RateLimitSettings]
+    def self.disabled
+      new(enabled: false)
+    end
+
+    # @return [Integer] the fixed window to bucket requests in, in seconds.
+    attr_reader :period
+
+    # @return [Integer]
+    attr_reader :max_requests
+
+    def initialize(enabled: false, max_requests: 1000, period: 60)
+      @enabled = enabled
+      @period = period
+      @max_requests = max_requests
+    end
+
+    def enabled?
+      @enabled
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Stores the firewall configuration sourced from the Aikido dashboard. This
+  # object is updated by the Agent regularly.
+  #
+  # Because the RuntimeSettings object can be modified in runtime, it implements
+  # the {Observable} API, allowing you to subscribe to updates. These are
+  # triggered whenever #update_from_json makes a change (i.e. if the settings
+  # don't change, no update is triggered).
+  #
+  # You can subscribe to changes with +#add_observer(object, func_name)+, which
+  # will call the function passing the settings as an argument.
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :skip_protection_for_ips, :received_any_stats) do
+    def initialize(*)
+      super
+      self.endpoints ||= RuntimeSettings::Endpoints.new
+      self.skip_protection_for_ips ||= RuntimeSettings::IPSet.new
+    end
+
+    # @!attribute [rw] updated_at
+    #   @return [Time] when these settings were updated in the Aikido dashboard.
+
+    # @!attribute [rw] heartbeat_interval
+    #   @return [Integer] duration in seconds between heartbeat requests to the
+    #     Aikido server.
+
+    # @!attribute [rw] received_any_stats
+    #   @return [Boolean] whether the Aikido server has received any data from
+    #     this application.
+
+    # @!attribute [rw] endpoints
+    #   @return [Aikido::Zen::RuntimeSettings::Endpoints]
+
+    # @!attribute [rw] blocked_user_ids
+    #   @return [Array]
+
+    # @!attribute [rw] skip_protection_for_ips
+    #   @return [Aikido::Zen::RuntimeSettings::IPSet]
+
+    # Parse and interpret the JSON response from the core API with updated
+    # settings, and apply the changes. This will also notify any subscriber
+    # to updates
+    #
+    # @param data [Hash] the decoded JSON payload from the /api/runtime/config
+    #   API endpoint.
+    #
+    # @return [bool]
+    def update_from_json(data)
+      last_updated_at = updated_at
+
+      self.updated_at = Time.at(data["configUpdatedAt"].to_i / 1000)
+      self.heartbeat_interval = (data["heartbeatIntervalInMS"].to_i / 1000)
+      self.endpoints = RuntimeSettings::Endpoints.from_json(data["endpoints"])
+      self.blocked_user_ids = data["blockedUserIds"]
+      self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      self.received_any_stats = data["receivedAnyStats"]
+
+      updated_at != last_updated_at
+    end
+  end
+end
+
+require_relative "runtime_settings/ip_set"
+require_relative "runtime_settings/endpoints"

data/lib/aikido/zen/scan.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Scans track information about a single call made by one of our Sinks
+  # including whether it was detected as an attack or how long it took.
+  class Scan
+    # @return [Aikido::Zen::Sink] the originating Sink.
+    attr_reader :sink
+
+    # @return [Aikido::Zen::Context] the current Context, wrapping the HTTP
+    #   request during which this scan was performed.
+    attr_reader :context
+
+    # @return [Aikido::Zen::Attack, nil] a detected Attack, or
+    #   +nil+ if the scan was considered safe.
+    attr_reader :attack
+
+    # @return [Float, nil] duration in (fractional) seconds of the scan.
+    attr_reader :duration
+
+    # @return [Array<Hash>] list of captured exceptions while scanning.
+    attr_reader :errors
+
+    # @param sink [Aikido::Zen::Sink]
+    # @param context [Aikido::Zen::Context]
+    def initialize(sink:, context:)
+      @sink = sink
+      @context = context
+      @errors = []
+      @performed = false
+    end
+
+    def performed?
+      @performed
+    end
+
+    # @return [Boolean] whether this scan detected an Attack.
+    def attack?
+      @attack != nil
+    end
+
+    # @return [Boolean] whether any errors were caught by this Scan.
+    def errors?
+      @errors.any?
+    end
+
+    # Runs a block of code, capturing its return value as the potential
+    # Attack object (or nil, if safe), and how long it took to run.
+    #
+    # @yieldreturn [Aikido::Zen::Attack, nil]
+    # @return [void]
+    def perform
+      @performed = true
+      started_at = monotonic_time
+      @attack = yield
+    ensure
+      @duration = monotonic_time - started_at
+    end
+
+    # Keep track of exceptions encountered during scanning.
+    #
+    # @param error [Exception]
+    # @param scanner [#call]
+    #
+    # @return [nil]
+    def track_error(error, scanner)
+      @errors << {error: error, scanner: scanner}
+      nil
+    end
+
+    private def monotonic_time
+      Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Scanners
+    module PathTraversal
+      DANGEROUS_PATH_PARTS = ["../", "..\\"]
+      LINUX_ROOT_FOLDERS = [
+        "/bin/",
+        "/boot/",
+        "/dev/",
+        "/etc/",
+        "/home/",
+        "/init/",
+        "/lib/",
+        "/media/",
+        "/mnt/",
+        "/opt/",
+        "/proc/",
+        "/root/",
+        "/run/",
+        "/sbin/",
+        "/srv/",
+        "/sys/",
+        "/tmp/",
+        "/usr/",
+        "/var/"
+      ]
+
+      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+
+      module Helpers
+        def self.contains_unsafe_path_parts(filepath)
+          DANGEROUS_PATH_PARTS.each do |dangerous_part|
+            return true if filepath.include?(dangerous_part)
+          end
+
+          false
+        end
+
+        def self.starts_with_unsafe_path(filepath, user_input)
+          # Check if path is relative (not absolute or drive letter path)
+          # Required because `expand_path` will build absolute paths from relative paths
+          return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
+
+          normalized_path = File.expand_path__internal_for_aikido_zen(filepath).downcase
+          normalized_user_input = File.expand_path__internal_for_aikido_zen(user_input).downcase
+
+          DANGEROUS_PATH_STARTS.each do |dangerous_start|
+            if normalized_path.start_with?(dangerous_start) && normalized_path.start_with?(normalized_user_input)
+              # If the user input is the same as the dangerous start, we don't want to flag it
+              # to prevent false positives.
+              # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
+              # as long as the user input does not contain a subdirectory or filename
+              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+                return false
+              end
+              return true
+            end
+          end
+          false
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require_relative "path_traversal/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class PathTraversalScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if the user introduced input is trying to access other path using
+      # Path Traversal kind of attacks.
+      #
+      # @param filepath [String] the expanded path that is tried to be read
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #
+      # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
+      # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
+      def self.call(filepath:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(filepath, payload.value).attack?
+
+          return Attacks::PathTraversalAttack.new(
+            sink: sink,
+            input: payload,
+            filepath: filepath,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(filepath, input)
+        @filepath = filepath.downcase
+        @input = input.downcase
+      end
+
+      def attack?
+        # Single character are ignored because they don't pose a big threat
+        return false if @input.length <= 1
+
+        # We ignore cases where the user input is longer than the file path.
+        # Because the user input can't be part of the file path.
+        return false if @input.length > @filepath.length
+
+        # We ignore cases where the user input is not part of the file path.
+        return false unless @filepath.include?(@input)
+
+        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+          return true
+        end
+
+        # Check for absolute path traversal
+        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection/helpers.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::Scanners::ShellInjection
+  module Helpers
+    ESCAPE_CHARS = %W[' "]
+    DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES = %W[$ ` \\ !]
+    DANGEROUS_CHARS = [
+      "#", "!", '"', "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
+      "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+    ]
+
+    COMMANDS = %w[sleep shutdown reboot poweroff halt ifconfig chmod chown ping
+      ssh scp curl wget telnet kill killall rm mv cp touch echo cat head
+      tail grep find awk sed sort uniq wc ls env ps who whoami id w df du
+      pwd uname hostname netstat passwd arch printenv logname pstree hostnamectl
+      set lsattr killall5 dmesg history free uptime finger top shopt :]
+
+    PATH_PREFIXES = %w[/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/]
+
+    SEPARATORS = [" ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">"]
+
+    # @param command [string]
+    # @param user_input [string]
+    def self.is_safely_encapsulated(command, user_input)
+      segments = command.split(user_input)
+
+      # The next condition is merely here to be compliant with what javascript does when splitting strings:
+      # From js doc https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/split
+      #   > If separator appears at the beginning (or end) of the string, it still has the effect of splitting,
+      #   > resulting in an empty (i.e. zero length) string appearing at the first (or last) position of
+      #   > the returned array.
+      # This is necessary because this code is ported form the firewall-node code.
+      if user_input.length > 1
+        if command.start_with? user_input
+          segments.unshift ""
+        end
+
+        if command.end_with? user_input
+          segments << ""
+        end
+      end
+
+      # Call the helper function to get current and next segments
+      get_current_and_next_segments(segments).all? do |segments_pair|
+        char_before_user_input = segments_pair[:current_segment][-1]
+        char_after_user_input = segments_pair[:next_segment][0]
+
+        # Check if the character before is an escape character
+        is_escape_char = ESCAPE_CHARS.include?(char_before_user_input)
+
+        unless is_escape_char
+          next false
+        end
+
+        # If characters before and after the user input do not match, return false
+        next false if char_before_user_input != char_after_user_input
+
+        # If user input contains the escape character, return false
+        next false if user_input.include?(char_before_user_input)
+
+        # Handle dangerous characters inside double quotes
+        if char_before_user_input == '"' && DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES.any? { |char| user_input.include?(char) }
+          next false
+        end
+
+        next true
+      end
+    end
+
+    def self.get_current_and_next_segments(segments)
+      segments.each_cons(2).map { |current_segment, next_segment| {current_segment: current_segment, next_segment: next_segment} }
+    end
+
+    # Helper function for sorting commands by length (longer commands first)
+    def self.by_length(a, b)
+      b.length - a.length
+    end
+
+    # Escape characters with special meaning either inside or outside character sets.
+    # Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler
+    # form would be disallowed by Unicode patterns’ stricter grammar.
+    #
+    # Inspired by https://github.com/sindresorhus/escape-string-regexp/
+    def self.escape_string_regexp(string)
+      string.gsub(/[|\\{}()\[\]^$+*?.]/) { "\\#{$&}" }.gsub("-", '\\x2d')
+    end
+
+    # Construct the regex for commands
+    COMMANDS_REGEX = Regexp.new(
+      "([/.]*((#{PATH_PREFIXES.map { |p| Helpers.escape_string_regexp(p) }.join("|")})?((#{COMMANDS.sort(&method(:by_length)).join("|")}))))",
+      Regexp::IGNORECASE
+    )
+
+    def self.contains_shell_syntax(command, user_input)
+      # Check if input is only whitespace
+      return false if user_input.strip.empty?
+
+      # Check if the user input contains any dangerous characters
+      if DANGEROUS_CHARS.any? { |c| user_input.include?(c) }
+        return true
+      end
+
+      # If the command is exactly the same as the user input, check if it matches the regex
+      if command == user_input
+        return match_all(command, COMMANDS_REGEX).any? do |match|
+          match[:match].length == command.length && match[:match] == command
+        end
+      end
+
+      # Check if the command contains a commonly used command
+      match_all(command, COMMANDS_REGEX).each do |match|
+        # We found a command like `rm` or `/sbin/shutdown` in the command
+        # Check if the command is the same as the user input
+        # If it's not the same, continue searching
+        next if user_input != match[:match]
+
+        # Otherwise, we'll check if the command is surrounded by separators
+        # These separators are used to separate commands and arguments
+        # e.g. `rm<space>-rf`
+        # e.g. `ls<newline>whoami`
+        # e.g. `echo<tab>hello` Check if the command is surrounded by separators
+        char_before = if match[:index] - 1 < 0
+          nil
+        else
+          command[match[:index] - 1]
+        end
+
+        char_after = if match[:index] + match[:match].length >= command.length
+          nil
+        else
+          command[match[:index] + match[:match].length]
+        end
+
+        # e.g. `<separator>rm<separator>`
+        if SEPARATORS.include?(char_before) && SEPARATORS.include?(char_after)
+          return true
+        end
+
+        # e.g. `<separator>rm`
+        if SEPARATORS.include?(char_before) && char_after.nil?
+          return true
+        end
+
+        # e.g. `rm<separator>`
+        if char_before.nil? && SEPARATORS.include?(char_after)
+          return true
+        end
+      end
+
+      false
+    end
+
+    def self.match_all(string, regex)
+      string.enum_for(:scan, regex).map do |match|
+        {match: match[0], index: $~.begin(0)}
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require_relative "shell_injection/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class ShellInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # @param command [String]
+      # @param sink [Aikido::Zen::Sink]
+      # @param context [Aikido::Zen::Context]
+      # @param operation [Symbol, String]
+      #
+      def self.call(command:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(command, payload.value).attack?
+
+          return Attacks::ShellInjectionAttack.new(
+            sink: sink,
+            input: payload,
+            command: command,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      # @param command [String]
+      # @param input [String]
+      def initialize(command, input)
+        @command = command
+        @input = input
+      end
+
+      def attack?
+        # Block single ~ character. For example `echo ~`
+        if @input == "~"
+          if @command.size > 1 && @command.include?("~")
+            return true
+          end
+        end
+
+        # we ignore single character since they don't pose a big threat.
+        # They are only able to crash the shell, not execute arbitraty commands.
+        return false if @input.size <= 1
+
+        # We ignore cases where the user input is longer than the command because
+        # the user input can't be part of the command
+        return false if @input.size > @command.size
+
+        return false unless @command.include?(@input)
+
+        return false if ShellInjection::Helpers.is_safely_encapsulated @command, @input
+
+        ShellInjection::Helpers.contains_shell_syntax @command, @input
+      end
+    end
+  end
+end