aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen/sinks/action_controller.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module ActionController
+      # Implements the "middleware" for blocking requests (i.e.: rate-limiting or blocking
+      # user/bots) in Rails apps, where we need to check at the end of the `before_action`
+      # chain, rather than in an actual Rack middleware, to allow for calls to
+      # `Zen.track_user` being made from before_actions in the host app, thus allowing
+      # block/rate-limit by user ID rather than solely by IP.
+      class BlockRequestChecker
+        def initialize(
+          config: Aikido::Zen.config,
+          settings: Aikido::Zen.runtime_settings,
+          detached_agent: Aikido::Zen.detached_agent
+        )
+          @config = config
+          @settings = settings
+          @detached_agent = detached_agent
+        end
+
+        def block?(controller)
+          context = controller.request.env[Aikido::Zen::ENV_KEY]
+          request = context.request
+
+          if should_block_user?(request)
+            status, headers, body = @config.blocked_responder.call(request, :user)
+            controller.headers.update(headers)
+            controller.render plain: Array(body).join, status: status
+
+            return true
+          end
+
+          if should_throttle?(request)
+            status, headers, body = @config.rate_limited_responder.call(request)
+            controller.headers.update(headers)
+            controller.render plain: Array(body).join, status: status
+
+            return true
+          end
+
+          false
+        end
+
+        private def should_throttle?(request)
+          return false unless @settings.endpoints[request.route].rate_limiting.enabled?
+          return false if @settings.skip_protection_for_ips.include?(request.ip)
+
+          result = @detached_agent.calculate_rate_limits(request)
+          return false unless result
+
+          request.env["aikido.rate_limiting"] = result
+          request.env["aikido.rate_limiting"].throttled?
+        end
+
+        # @param request [Aikido::Zen::Request]
+        private def should_block_user?(request)
+          return false if request.actor.nil?
+
+          Aikido::Zen.runtime_settings.blocked_user_ids&.include?(request.actor.id)
+        end
+      end
+
+      def self.block_request_checker
+        @block_request_checker ||= Aikido::Zen::Sinks::ActionController::BlockRequestChecker.new
+      end
+
+      module Extensions
+        def run_callbacks(kind, *)
+          return super unless kind == :process_action
+
+          super do
+            checker = Aikido::Zen::Sinks::ActionController.block_request_checker
+
+            yield if block_given? && !checker.block?(self)
+          end
+        end
+      end
+    end
+  end
+end
+
+::AbstractController::Callbacks.prepend(Aikido::Zen::Sinks::ActionController::Extensions)

data/lib/aikido/zen/sinks/async_http.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Async
+      module HTTP
+        SINK = Sinks.add("async-http", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+
+        module Helpers
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+
+        def self.load_sinks!
+          if Aikido::Zen.satisfy "async-http", ">= 0.70.0"
+            require "async/http"
+
+            ::Async::HTTP::Client.class_eval do
+              extend Sinks::DSL
+
+              sink_around :call do |original_call, request|
+                uri = URI(format("%<scheme>s://%<authority>s%<path>s", {
+                  scheme: request.scheme || scheme,
+                  authority: request.authority || authority,
+                  path: request.path
+                }))
+
+                wrapped_request = Scanners::SSRFScanner::Request.new(
+                  verb: request.method,
+                  uri: uri,
+                  headers: request.headers.to_h,
+                  header_normalizer: ->(value) { Array(value).join(", ") }
+                )
+
+                # Store the request information so the DNS sinks can pick it up.
+                context = Aikido::Zen.current_context
+                if context
+                  prev_request = context["ssrf.request"]
+                  context["ssrf.request"] = wrapped_request
+                end
+
+                connection = OutboundConnection.from_uri(uri)
+
+                Helpers.scan(wrapped_request, connection, "request")
+
+                response = original_call.call
+
+                Scanners::SSRFScanner.track_redirects(
+                  request: wrapped_request,
+                  response: Scanners::SSRFScanner::Response.new(
+                    status: response.status,
+                    headers: response.headers.to_h,
+                    header_normalizer: ->(value) { Array(value).join(", ") }
+                  )
+                )
+
+                response
+              ensure
+                context["ssrf.request"] = prev_request if context
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::Async::HTTP.load_sinks!

data/lib/aikido/zen/sinks/curb.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Curl
+      SINK = Sinks.add("curb", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+
+      module Helpers
+        def self.wrap_request(curl, url: curl.url)
+          Scanners::SSRFScanner::Request.new(
+            verb: nil, # Curb hides this by directly setting an option in C
+            uri: URI(url),
+            headers: curl.headers
+          )
+        end
+
+        def self.wrap_response(curl)
+          # Curb made an… interesting choice by not parsing the response headers
+          # and forcing users to do this manually if they need to look at them.
+          _, *headers = curl.header_str.split(/[\r\n]+/).map(&:strip)
+          headers = headers.flat_map { |str| str.scan(/\A(\S+): (.+)\z/) }.to_h
+
+          if curl.url != curl.last_effective_url
+            status = 302 # We can't know what the original status was, but we just need a 3XX
+            headers["Location"] = curl.last_effective_url
+          else
+            status = curl.status.to_i
+          end
+
+          Scanners::SSRFScanner::Response.new(status: status, headers: headers)
+        end
+
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "curb", ">= 0.2.3"
+          require "curb"
+
+          ::Curl::Easy.class_eval do
+            extend Sinks::DSL
+
+            sink_around :perform do |original_call|
+              wrapped_request = Helpers.wrap_request(self)
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+
+              connection = OutboundConnection.from_uri(URI(url))
+
+              Helpers.scan(wrapped_request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(self)
+              )
+
+              # When libcurl has follow_location set, it will handle redirections
+              # internally, and expose the "last_effective_url" as the URI that was
+              # last requested in the redirect chain.
+              #
+              # In this case, we can't actually stop the request from happening, but
+              # we can scan again (now that we know another request happened), to
+              # stop the response from being exposed to the user. This downgrades
+              # the SSRF into a blind SSRF, which is better than doing nothing.
+              if url != last_effective_url
+                last_effective_request = Helpers.wrap_request(self, url: last_effective_url)
+
+                # Code coverage is disabled here because the else clause is a no-op,
+                # so there is nothing to cover.
+                # :nocov:
+                if context
+                  context["ssrf.request"] = last_effective_request
+                else
+                  # empty
+                end
+                # :nocov:
+
+                connection = OutboundConnection.from_uri(URI(last_effective_url))
+
+                Helpers.scan(last_effective_request, connection, "request")
+              end
+
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::Curl.load_sinks!

data/lib/aikido/zen/sinks/em_http.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module EventMachine
+      module HttpRequest
+        SINK = Sinks.add("em-http-request", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+
+        module Helpers
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+
+        def self.load_sinks!
+          if Aikido::Zen.satisfy "em-http-request", ">= 1.0"
+            require "em-http-request"
+
+            ::EventMachine::HttpRequest.use(EventMachine::HttpRequest::Middleware)
+
+            # NOTE: We can't use middleware to intercept requests as we want to ensure any
+            # modifications to the request from user-supplied middleware are already applied
+            # before we scan the request.
+            ::EventMachine::HttpClient.class_eval do
+              extend Sinks::DSL
+
+              sink_before :send_request do
+                wrapped_request = Scanners::SSRFScanner::Request.new(
+                  verb: req.method.to_s,
+                  uri: URI(req.uri),
+                  headers: req.headers
+                )
+
+                # Store the request information so the DNS sinks can pick it up.
+                context = Aikido::Zen.current_context
+                context["ssrf.request"] = wrapped_request if context
+
+                connection = OutboundConnection.new(
+                  host: req.host,
+                  port: req.port
+                )
+
+                Helpers.scan(wrapped_request, connection, "request")
+              end
+            end
+          end
+        end
+
+        class Middleware
+          def response(client)
+            # Store the request information so the DNS sinks can pick it up.
+            context = Aikido::Zen.current_context
+            context["ssrf.request"] = nil if context
+
+            Scanners::SSRFScanner.track_redirects(
+              request: Scanners::SSRFScanner::Request.new(
+                verb: client.req.method,
+                uri: URI(client.req.uri),
+                headers: client.req.headers
+              ),
+              response: Scanners::SSRFScanner::Response.new(
+                status: client.response_header.status,
+                headers: client.response_header.to_h
+              )
+            )
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::EventMachine::HttpRequest.load_sinks!

data/lib/aikido/zen/sinks/excon.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Excon
+      SINK = Sinks.add("excon", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+
+      module Helpers
+        def self.build_request(connection, request)
+          uri = URI(format("%<scheme>s://%<host>s:%<port>i%<path>s", {
+            scheme: request.fetch(:scheme) { connection[:scheme] },
+            host: request.fetch(:hostname) { connection[:hostname] },
+            port: request.fetch(:port) { connection[:port] },
+            path: request.fetch(:path) { connection[:path] }
+          }))
+          uri.query = request.fetch(:query) { connection[:query] }
+
+          Scanners::SSRFScanner::Request.new(
+            verb: request.fetch(:method) { connection[:method] },
+            uri: uri,
+            headers: connection[:headers].to_h.merge(request[:headers].to_h)
+          )
+        end
+
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "excon", ">= 0.50.0"
+          require "excon"
+
+          ::Excon::Connection.class_eval do
+            extend Sinks::DSL
+
+            sink_around :request do |original_call, params = {}|
+              request = Helpers.build_request(@data, params)
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = request
+              end
+
+              connection = OutboundConnection.from_uri(request.uri)
+
+              Helpers.scan(request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: request,
+                response: Scanners::SSRFScanner::Response.new(
+                  status: response.status,
+                  headers: response.headers.to_h
+                )
+              )
+
+              response
+            rescue Sinks::DSL::PresafeError => err
+              outer_cause = err.cause
+              case outer_cause
+              when ::Excon::Error::Socket
+                inner_cause = outer_cause.cause
+                # Excon wraps errors inside the lower level layer. This only happens
+                # to our scanning exceptions when a request is using RedirectFollower,
+                # so we unwrap them when it happens so host apps can handle errors
+                # consistently.
+                raise inner_cause if inner_cause.is_a?(Aikido::Zen::UnderAttackError)
+              end
+              raise
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+
+          ::Excon::Middleware::RedirectFollower.class_eval do
+            extend Sinks::DSL
+
+            sink_before :response_call do |datum|
+              response = datum[:response]
+
+              # Code coverage is disabled here because the else clause is a no-op,
+              # so there is nothing to cover.
+              # :nocov:
+              if !response.nil?
+                Scanners::SSRFScanner.track_redirects(
+                  request: Helpers.build_request(datum, {}),
+                  response: Scanners::SSRFScanner::Response.new(
+                    status: response[:status],
+                    headers: response[:headers]
+                  )
+                )
+              else
+                # empty
+              end
+              # :nocov:
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::Excon.load_sinks!

data/lib/aikido/zen/sinks/file.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module File
+      SINK = Sinks.add("File", scanners: [Scanners::PathTraversalScanner])
+
+      module Helpers
+        def self.scan(filepath, operation)
+          SINK.scan(
+            filepath: filepath,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        ::File.singleton_class.class_eval do
+          extend Sinks::DSL
+
+          # Create a copy of the original method for internal use only to prevent
+          # recursion in PathTraversalScanner.
+          #
+          # IMPORTANT: The alias must be created before the method is overridden.
+          alias_method :expand_path__internal_for_aikido_zen, :expand_path
+
+          sink_before :open do |path|
+            Helpers.scan(path, "open")
+          end
+
+          sink_before :read do |path|
+            Helpers.scan(path, "read")
+          end
+
+          sink_before :write do |path|
+            Helpers.scan(path, "write")
+          end
+
+          sink_before :truncate do |file_name|
+            Helpers.scan(file_name, "truncate")
+          end
+
+          sink_before :rename do |old_name, new_name|
+            Helpers.scan(old_name, "rename")
+            Helpers.scan(new_name, "rename")
+          end
+
+          sink_before :unlink do |*file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "unlink")
+            end
+          end
+
+          sink_before :delete do |*file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "delete")
+            end
+          end
+
+          sink_before :symlink do |old_name, new_name|
+            Helpers.scan(old_name, "symlink")
+            Helpers.scan(new_name, "symlink")
+          end
+
+          sink_before :chmod do |_mode_int, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "chmod")
+            end
+          end
+
+          sink_before :chown do |_owner_int, group_int, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "chown")
+            end
+          end
+
+          sink_before :utime do |_atime, _mtime, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "utime")
+            end
+          end
+
+          sink_after :join do |result|
+            Helpers.scan(result, "join")
+          end
+
+          sink_before :expand_path do |file_name|
+            Helpers.scan(file_name, "expand_path")
+          end
+
+          sink_before :realpath do |file_name|
+            Helpers.scan(file_name, "realpath")
+          end
+
+          sink_before :realdirpath do |file_name|
+            Helpers.scan(file_name, "realdirpath")
+          end
+        end
+
+        ::File.class_eval do
+          extend Sinks::DSL
+
+          sink_before :initialize do |path|
+            Helpers.scan(path, "new")
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::File.load_sinks!

data/lib/aikido/zen/sinks/http.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module HTTP
+      SINK = Sinks.add("http", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+
+      module Helpers
+        # Maps an HTTP Request to an Aikido OutboundConnection.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::OutboundConnection]
+        def self.build_outbound(req)
+          OutboundConnection.new(
+            host: req.socket_host,
+            port: req.socket_port
+          )
+        end
+
+        # Wraps the HTTP request with an API we can depend on.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::Scanners::SSRFScanner::Request]
+        def self.wrap_request(req)
+          Scanners::SSRFScanner::Request.new(
+            verb: req.verb,
+            uri: URI(req.uri.to_s),
+            headers: req.headers.to_h
+          )
+        end
+
+        def self.wrap_response(resp)
+          Scanners::SSRFScanner::Response.new(
+            status: resp.status,
+            headers: resp.headers.to_h
+          )
+        end
+
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "http", ">= 1.0"
+          require "http"
+
+          ::HTTP::Client.class_eval do
+            extend Sinks::DSL
+
+            sink_around :perform do |original_call, req|
+              wrapped_request = Helpers.wrap_request(req)
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+
+              connection = Helpers.build_outbound(req)
+
+              Helpers.scan(wrapped_request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(response)
+              )
+
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::HTTP.load_sinks!