aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "../attack"
+require_relative "../internals"
+
+module Aikido::Zen
+  module Scanners
+    class SQLInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if the given SQL query may have dangerous user input injected,
+      # and returns an Attack if so, based on the current request.
+      #
+      # @param query [String]
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param dialect [Symbol] one of +:mysql+, +:postgesql+, or +:sqlite+.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #   Expects +sink.operation+ being set to get the full module/name combo.
+      #
+      # @return [Aikido::Zen::Attack, nil] an Attack if any user input is
+      #   detected to be attempting a SQL injection, or nil if this is safe.
+      #
+      # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
+      #   calling zenlib. See Sink#scan.
+      def self.call(query:, dialect:, sink:, context:, operation:)
+        dialect = DIALECTS.fetch(dialect) do
+          Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
+          DIALECTS[:common]
+        end
+
+        context.payloads.each do |payload|
+          next unless new(query, payload.value, dialect).attack?
+
+          return Attacks::SQLInjectionAttack.new(
+            sink: sink,
+            query: query,
+            input: payload,
+            dialect: dialect,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(query, input, dialect)
+        @query = query.downcase
+        @input = input.downcase
+        @dialect = dialect
+      end
+
+      def attack?
+        # Ignore single char inputs since they shouldn't be able to do much harm
+        return false if @input.length <= 1
+
+        # If the input is longer than the query, then it is not part of it
+        return false if @input.length > @query.length
+
+        # If the input is not included in the query at all, then we are safe
+        return false unless @query.include?(@input)
+
+        # If the input is solely alphanumeric, we can ignore it
+        return false if /\A[[:alnum:]_]+\z/i.match?(@input)
+
+        # If the input is a comma-separated list of numbers, ignore it.
+        return false if /\A(?:\d+(?:,\s*)?)+\z/i.match?(@input)
+
+        Internals.detect_sql_injection(@query, @input, @dialect)
+      end
+
+      # @api private
+      Dialect = Struct.new(:name, :internals_key, keyword_init: true) do
+        alias_method :to_s, :name
+        alias_method :to_int, :internals_key
+      end
+
+      # Maps easy-to-use Symbols to a struct that keeps both the name and the
+      # internal identifier used by libzen.
+      #
+      # @see https://github.com/AikidoSec/zen-internals/blob/main/src/sql_injection/helpers/select_dialect_based_on_enum.rs
+      DIALECTS = {
+        common: Dialect.new(name: "SQL", internals_key: 0),
+        mysql: Dialect.new(name: "MySQL", internals_key: 8),
+        postgresql: Dialect.new(name: "PostgreSQL", internals_key: 9),
+        sqlite: Dialect.new(name: "SQLite", internals_key: 12)
+      }
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "delegate"
+
+module Aikido::Zen
+  module Scanners
+    module SSRF
+      # Simple per-request cache of all DNS lookups performed for a given host.
+      # We can store this in the context after performing a lookup, and have the
+      # SSRF scanner make sure the hostname being inspected doesn't actually
+      # resolve to an internal/dangerous IP.
+      class DNSLookups < SimpleDelegator
+        def initialize
+          super(Hash.new { |h, k| h[k] = [] })
+        end
+
+        def add(hostname, addresses)
+          self[hostname].concat(Array(addresses))
+        end
+
+        def ===(hostname)
+          key?(hostname)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "resolv"
+require "ipaddr"
+
+module Aikido::Zen
+  module Scanners
+    module SSRF
+      # Little helper to check if a given hostname or address is to be
+      # considered "dangerous" when used for an outbound HTTP request.
+      #
+      # When given a hostname:
+      #
+      # * If any DNS lookups have been performed and stored in the current Zen
+      #   context (under the "dns.lookups" metadata key), we will map it to the
+      #   list of IPs that we've resolved it to.
+      #
+      # * If not, we'll still try to map it to any statically defined address in
+      #   the system hosts file (e.g. /etc/hosts).
+      #
+      # Once we mapped the hostname to an IP address (or, if given an IP
+      # address), this will check that it's not a loopback address, a private IP
+      # address (as defined by RFCs 1918 and 4193), or in one of the
+      # "special-use" IP ranges defined in RFC 5735.
+      class PrivateIPChecker
+        def initialize(resolver = Resolv::Hosts.new)
+          @resolver = resolver
+        end
+
+        # @param hostname_or_address [String]
+        # @return [Boolean]
+        def private?(hostname_or_address)
+          resolve(hostname_or_address).any? do |ip|
+            PRIVATE_RANGES.any? { |range| range === ip }
+          end
+        end
+
+        private
+
+        # Source: https://github.com/AikidoSec/firewall-node/blob/main/library/vulnerabilities/ssrf/isPrivateIP.ts
+        PRIVATE_IPV4_RANGES = [
+          IPAddr.new("0.0.0.0/8"),         # "This" network (RFC 1122)
+          IPAddr.new("10.0.0.0/8"),        # Private-Use Networks (RFC 1918)
+          IPAddr.new("100.64.0.0/10"),     # Shared Address Space (RFC 6598)
+          IPAddr.new("127.0.0.0/8"),       # Loopback (RFC 1122)
+          IPAddr.new("169.254.0.0/16"),    # Link Local (RFC 3927)
+          IPAddr.new("172.16.0.0/12"),     # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.0.0.0/24"),      # IETF Protocol Assignments (RFC 5736)
+          IPAddr.new("192.0.2.0/24"),      # TEST-NET-1 (RFC 5737)
+          IPAddr.new("192.31.196.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("192.52.193.0/24"),   # Automatic Multicast Tunneling (RFC 7450)
+          IPAddr.new("192.88.99.0/24"),    # 6to4 Relay Anycast (RFC 3068)
+          IPAddr.new("192.168.0.0/16"),    # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.175.48.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("198.18.0.0/15"),     # Network Interconnect Device Benchmark Testing (RFC 2544)
+          IPAddr.new("198.51.100.0/24"),   # TEST-NET-2 (RFC 5737)
+          IPAddr.new("203.0.113.0/24"),    # TEST-NET-3 (RFC 5737)
+          IPAddr.new("224.0.0.0/4"),       # Multicast (RFC 3171)
+          IPAddr.new("240.0.0.0/4"),       # Reserved for Future Use (RFC 1112)
+          IPAddr.new("255.255.255.255/32") # Limited Broadcast (RFC 919)
+        ]
+
+        PRIVATE_IPV6_RANGES = [
+          IPAddr.new("::/128"),            # Unspecified address (RFC 4291)
+          IPAddr.new("::1/128"),           # Loopback address (RFC 4291)
+          IPAddr.new("fc00::/7"),          # Unique local address (ULA) (RFC 4193
+          IPAddr.new("fe80::/10"),         # Link-local address (LLA) (RFC 4291)
+          IPAddr.new("100::/64"),          # Discard prefix (RFC 6666)
+          IPAddr.new("2001:db8::/32"),     # Documentation prefix (RFC 3849)
+          IPAddr.new("3fff::/20")          # Documentation prefix (RFC 9637)
+        ]
+
+        PRIVATE_RANGES = PRIVATE_IPV4_RANGES + PRIVATE_IPV6_RANGES + PRIVATE_IPV4_RANGES.map(&:ipv4_mapped)
+
+        def resolved_in_current_context
+          context = Aikido::Zen.current_context
+          context && context["dns.lookups"]
+        end
+
+        def resolve(hostname_or_address)
+          return [] if hostname_or_address.nil?
+
+          case hostname_or_address
+          when Resolv::AddressRegex
+            [IPAddr.new(hostname_or_address)]
+          when resolved_in_current_context
+            resolved_in_current_context[hostname_or_address]
+              .map { |address| IPAddr.new(address) }
+          else
+            @resolver.getaddresses(hostname_or_address.to_s)
+              .map { |address| IPAddr.new(address) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -0,0 +1,265 @@
+# frozen_string_literal: true
+
+require_relative "ssrf/private_ip_checker"
+require_relative "ssrf/dns_lookups"
+
+module Aikido::Zen
+  module Scanners
+    class SSRFScanner
+      # SSRF attacks can be triggered through external inputs, so it is essential
+      # to have a valid context to safeguard against these attacks.
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if an outbound HTTP request is to a hostname supplied from user
+      # input that resolves to a "dangerous" address. This is called from two
+      # different places:
+      #
+      # * HTTP library sinks, before we make a request. In these cases we can
+      #   detect very obvious attempts such as a request that attempts to access
+      #   localhost or an internal IP.
+      # * DNS lookup sinks, after we resolve a hostname. For HTTP requests that
+      #   are not obviously an attack, we let the DNS resolution happen, and
+      #   then check again, now knowing if the domain name provided actually
+      #   resolves to an internal IP or not.
+      #
+      # NOTE: Because not all DNS resolutions might be happening in the context
+      # of a protected HTTP request, the +request+ argument below *might* be nil
+      # and we can then skip this scan.
+      #
+      # @param request [Aikido::Zen::Scanners::SSRFScanner::Request, nil]
+      #   the ongoing outbound HTTP request.
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #   Expects +sink.operation+ being set to get the full module/name combo.
+      #
+      # @return [Aikido::Zen::Attacks::SSRFAttack, nil] an Attack if any user
+      #   input is detected to be attempting SSRF, or +nil+ if not.
+      def self.call(request:, sink:, context:, operation:, **)
+        return if request.nil? # See NOTE above.
+
+        context["ssrf.redirects"] ||= RedirectChains.new
+
+        context.payloads.each do |payload|
+          scanner = new(request.uri, payload.value, context["ssrf.redirects"])
+          next unless scanner.attack?
+
+          attack = Attacks::SSRFAttack.new(
+            sink: sink,
+            request: request,
+            input: payload,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+
+          return attack
+        end
+
+        nil
+      end
+
+      # Track the origin of a redirection so we know if an attacker is using
+      # redirect chains to mask their use of a (seemingly) safe domain.
+      #
+      # @param request [Aikido::Zen::Scanners::SSRFScanner::Request]
+      # @param response [Aikido::Zen::Scanners::SSRFScanner::Response]
+      # @param context [Aikido::Zen::Context]
+      #
+      # @return [void]
+      def self.track_redirects(request:, response:, context: Aikido::Zen.current_context)
+        return unless response.redirect?
+
+        context["ssrf.redirects"] ||= RedirectChains.new
+        context["ssrf.redirects"].add(
+          source: request.uri,
+          destination: response.redirect_to
+        )
+      end
+
+      # @api private
+      def initialize(request_uri, input, redirects)
+        @request_uri = request_uri
+        @input = input
+        @redirects = redirects
+      end
+
+      # @api private
+      def attack?
+        return false if @input.nil? || @input.to_s.empty?
+
+        # If the request is not aimed at an internal IP, we can ignore it. (It
+        # might still be an SSRF if defined strictly, but it's unlikely to be
+        # exfiltrating data from the app's servers, and the risk for false
+        # positives is too high.)
+        return false unless private_ip?(@request_uri.hostname)
+
+        origins_for_request
+          .product(uris_from_input)
+          .any? { |(conn_uri, candidate)| match?(conn_uri, candidate) }
+      end
+
+      # @!visibility private
+      def self.private_ip_checker
+        @private_ip_checker ||= SSRF::PrivateIPChecker.new
+      end
+
+      private
+
+      def match?(conn_uri, input_uri)
+        return false if conn_uri.hostname.nil? || conn_uri.hostname.empty?
+        return false if input_uri.hostname.nil? || input_uri.hostname.empty?
+
+        # The URI library will automatically set the port to the default port
+        # for the current scheme if not provided, which means we can't just
+        # check if the port is present, as it always will be.
+        is_port_relevant = input_uri.port != input_uri.default_port
+        return false if is_port_relevant && input_uri.port != conn_uri.port
+
+        conn_uri.hostname == input_uri.hostname &&
+          conn_uri.port == input_uri.port
+      end
+
+      def private_ip?(hostname)
+        self.class.private_ip_checker.private?(hostname)
+      end
+
+      def origins_for_request
+        [@request_uri, @redirects.origin(@request_uri)].compact
+      end
+
+      # Maps the current user input into a Set of URIs we can check against:
+      #
+      # * The input itself, if it already looks like a URI.
+      # * The input prefixed with http://
+      # * The input prefixed with https://
+      # * The input prefixed with the scheme of the request's URI, to consider
+      #   things like an FTP request (to "ftp://localhost") with a plain host
+      #   as a user-input ("localhost").
+      #
+      # @return [Array<URI>] a list of unique URIs based on the above criteria.
+      def uris_from_input
+        input = @input.to_s
+
+        # If you build a URI manually and set the hostname to an IPv6 string,
+        # the URI library will be helpful to wrap it in brackets so it's a
+        # valid hostname. We should do the same for the input.
+        input = format("[%s]", input) if unescaped_ipv6?(input)
+
+        [
+          input,
+          "http://#{input}",
+          "https://#{input}",
+          "#{@request_uri.scheme}://#{input}"
+        ].map { |candidate| as_uri(candidate) }.compact.uniq
+      end
+
+      def as_uri(string)
+        URI(string)
+      rescue URI::InvalidURIError
+        nil
+      end
+
+      # Check if the input is an IPv6 that is not surrounded by square brackets.
+      def unescaped_ipv6?(input)
+        (
+          IPAddr::RE_IPV6ADDRLIKE_FULL.match?(input) ||
+          IPAddr::RE_IPV6ADDRLIKE_COMPRESSED.match?(input)
+        ) && !(input.start_with?("[") && input.end_with?("]"))
+      end
+
+      # @api private
+      module Headers
+        # @param headers [Hash<String, Object>]
+        # @param header_normalizer [Proc{Object => String}]
+        def initialize(headers:, header_normalizer: :to_s.to_proc)
+          @headers = headers.to_h
+          @header_normalizer = header_normalizer
+          @normalized_headers = false
+        end
+
+        # @return [Hash<String, String>]
+        def headers
+          return @headers if @normalized_headers
+
+          @headers
+            .transform_keys!(&:downcase)
+            .transform_values!(&@header_normalizer)
+            .tap { @normalized_headers = true }
+        end
+      end
+
+      # @api private
+      class Request
+        include Headers
+
+        attr_reader :verb
+        attr_reader :uri
+
+        def initialize(verb:, uri:, **header_options)
+          super(**header_options)
+          @verb = verb.to_s.upcase
+          @uri = URI(uri)
+        end
+
+        def to_s
+          [@verb, @uri.to_s].join(" ").strip
+        end
+      end
+
+      # @api private
+      class Response
+        include Headers
+
+        attr_reader :status
+
+        def initialize(status:, **header_options)
+          super(**header_options)
+          @status = status.to_s
+        end
+
+        def redirect?
+          @status.start_with?("3") && headers["location"]
+        end
+
+        def redirect_to
+          URI(headers["location"]) if redirect?
+        rescue URI::BadURIError
+          nil
+        end
+      end
+
+      # @api private
+      class RedirectChains
+        def initialize
+          @redirects = Hash.new { |h, k| h[k] = [] }
+        end
+
+        def add(source:, destination:)
+          @redirects[destination].push(source)
+          self
+        end
+
+        # Recursively looks for the original URI that triggered the current
+        # chain. If given a URI that was not the result of a redirect chain, it
+        # returns +nil+
+        #
+        # @param uri [URI]
+        # @return [URI, nil]
+        def origin(uri, visited = Set.new)
+          source = @redirects[uri].first
+
+          return source if visited.include?(source)
+          visited << source
+
+          if !@redirects[source].empty?
+            origin(source, visited)
+          else
+            source
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Scanners
+    # Inspects the result of DNS lookups, to determine if we're being the target
+    # of a stored SSRF targeting IMDS addresses (169.254.169.254).
+    class StoredSSRFScanner
+      # Stored-SSRF can occur without external input, so we do not require a
+      # context to determine if an attack is happening.
+      def self.skips_on_nil_context?
+        false
+      end
+
+      def self.call(hostname:, addresses:, operation:, sink:, context:, **opts)
+        offending_address = new(hostname, addresses).attack?
+        return if offending_address.nil?
+
+        Attacks::StoredSSRFAttack.new(
+          hostname: hostname,
+          address: offending_address,
+          sink: sink,
+          context: context,
+          operation: "#{sink.operation}.#{operation}"
+        )
+      end
+
+      def initialize(hostname, addresses, config: Aikido::Zen.config)
+        @hostname = hostname
+        @addresses = addresses
+        @config = config
+      end
+
+      # @return [String, nil] either the offending address, or +nil+ if no
+      #   address is deemed dangerous.
+      def attack?
+        return false if @config.imds_allowed_hosts.include?(@hostname)
+
+        @addresses.find do |candidate|
+          DANGEROUS_ADDRESSES.any? { |address| address === candidate }
+        end
+      end
+
+      DANGEROUS_ADDRESSES = [
+        IPAddr.new("169.254.169.254"),
+        IPAddr.new("fd00:ec2::254")
+      ]
+    end
+  end
+end

data/lib/aikido/zen/scanners.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require_relative "scanners/sql_injection_scanner"
+require_relative "scanners/stored_ssrf_scanner"
+require_relative "scanners/ssrf_scanner"
+require_relative "scanners/path_traversal_scanner"
+require_relative "scanners/shell_injection_scanner"

data/lib/aikido/zen/sink.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require_relative "scan"
+
+module Aikido::Zen
+  module Sinks
+    # @api internal
+    # @return [Hash<String, Sink>]
+    def self.registry
+      @registry ||= {}
+    end
+
+    # Primary interface to set up a sink with a list of given scanners.
+    #
+    # @param name [String] name of the library being patched. (This must
+    #   match the name of the gem, or we won't report that gem as
+    #   supported.)
+    # @param scanners [Array<#call>] a list of objects that respond to
+    #   #call with a Hash and return an Attack or nil.
+    # @param opts [Hash<Symbol, Object>] any other options to pass to
+    #   the Sink initializer.
+    #
+    # @return [void]
+    # @raise [ArgumentError] if a Sink with this name has already been
+    #   registered.
+    def self.add(name, scanners:, **opts)
+      raise ArgumentError, "Sink #{name} already registered" if registry.key?(name.to_s)
+      registry[name.to_s] = Sink.new(name.to_s, scanners: scanners, **opts)
+    end
+  end
+
+  # Sinks serve as the proxies between a given library that we protect
+  # (such as a database adapter that we patch to prevent SQL injections)
+  # and the reporting agent.
+  #
+  # When a library is patched to track and potentially block attacks, we
+  # rely on a sink to run any scans required, and report any attacks to
+  # our agent.
+  #
+  # @see ./sinks/trilogy.rb for a reference implementation.
+  class Sink
+    # @return [String] name of the patched library (e.g. "mysql2").
+    attr_reader :name
+
+    # @return [Array<#call>] list of registered scanners for this sink.
+    attr_reader :scanners
+
+    # @return [String] descriptor of the module / method being scanned
+    #   for attacks. This is fed into Attacks when instantiated. In
+    #   certain cases, some scanners allow you to specialize this by
+    #   using an +operation+ param of their own.
+    attr_reader :operation
+
+    DEFAULT_REPORTER = ->(scan) { Aikido::Zen.track_scan(scan) }
+
+    def initialize(name, scanners:, operation: name, reporter: DEFAULT_REPORTER)
+      raise ArgumentError, "scanners cannot be empty" if scanners.empty?
+
+      @name = name
+      @operation = operation
+      @scanners = scanners
+      @reporter = reporter
+    end
+
+    # Run the given arguments through all the registered scanners, until
+    # one of them returns an Attack or all return +nil+, and report the
+    # findings back to the Sink's +reporter+ to track statistics and
+    # potentially handle the +Attack+, if anything.
+    #
+    # This checks if runtime protection has been turned off for the current
+    # route first, and if so skips the scanning altogether, returning nil.
+    #
+    # @param scan_params [Hash] data to pass to all registered scanners.
+    # @option scan_params [Aikido::Zen::Context, nil] :context
+    #   The current Context, including the HTTP request being inspected, or
+    #   +nil+ if we're scanning outside of an HTTP request.
+    #
+    # @return [Aikido::Zen::Scan, nil] the result of the scan, or +nil+ if the
+    #   scan was skipped due to protection being disabled for the current route.
+    # @raise [Aikido::UnderAttackError] if an attack is detected and
+    #   blocking_mode is enabled.
+    def scan(context: Aikido::Zen.current_context, **scan_params)
+      return if context&.scanning
+      context&.scanning = true
+
+      return if context&.protection_disabled?
+
+      scan = Scan.new(sink: self, context: context)
+
+      scans_performed = 0
+      scan.perform do
+        result = nil
+
+        scanners.each do |scanner|
+          next if scanner.skips_on_nil_context? && context.nil?
+
+          result = scanner.call(sink: self, context: context, **scan_params)
+          scans_performed += 1
+
+          break result if result
+        rescue Aikido::Zen::InternalsError => error
+          Aikido::Zen.config.logger.warn(error.message)
+          scan.track_error(error, scanner)
+        rescue => error
+          scan.track_error(error, scanner)
+        end
+
+        result
+      end
+
+      @reporter.call(scan) if scans_performed > 0
+
+      scan
+    ensure
+      context&.scanning = false
+    end
+  end
+end