RubyGems - aikido-zen - Versions diffs - 1.0.2.beta.2-aarch64-linux - Mend

aikido-zen 1.0.2.beta.2-aarch64-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

checksums.yaml +7 -0
data/.aikido +6 -0
data/.ruby-version +1 -0
data/.simplecov +26 -0
data/.standard.yml +3 -0
data/LICENSE +674 -0
data/README.md +146 -0
data/Rakefile +67 -0
data/benchmarks/README.md +23 -0
data/benchmarks/rails7.1_sql_injection.js +70 -0
data/docs/banner.svg +202 -0
data/docs/config.md +125 -0
data/docs/proxy.md +10 -0
data/docs/rails.md +114 -0
data/lib/aikido/zen/actor.rb +116 -0
data/lib/aikido/zen/agent/heartbeats_manager.rb +66 -0
data/lib/aikido/zen/agent.rb +179 -0
data/lib/aikido/zen/api_client.rb +145 -0
data/lib/aikido/zen/attack.rb +207 -0
data/lib/aikido/zen/background_worker.rb +52 -0
data/lib/aikido/zen/capped_collections.rb +68 -0
data/lib/aikido/zen/collector/hosts.rb +15 -0
data/lib/aikido/zen/collector/routes.rb +66 -0
data/lib/aikido/zen/collector/sink_stats.rb +95 -0
data/lib/aikido/zen/collector/stats.rb +111 -0
data/lib/aikido/zen/collector/users.rb +30 -0
data/lib/aikido/zen/collector.rb +144 -0
data/lib/aikido/zen/config.rb +282 -0
data/lib/aikido/zen/context/rack_request.rb +24 -0
data/lib/aikido/zen/context/rails_request.rb +44 -0
data/lib/aikido/zen/context.rb +112 -0
data/lib/aikido/zen/detached_agent/agent.rb +78 -0
data/lib/aikido/zen/detached_agent/front_object.rb +37 -0
data/lib/aikido/zen/detached_agent/server.rb +78 -0
data/lib/aikido/zen/detached_agent.rb +2 -0
data/lib/aikido/zen/errors.rb +107 -0
data/lib/aikido/zen/event.rb +71 -0
data/lib/aikido/zen/internals.rb +103 -0
data/lib/aikido/zen/libzen-v0.1.39-aarch64-linux.so +0 -0
data/lib/aikido/zen/middleware/check_allowed_addresses.rb +26 -0
data/lib/aikido/zen/middleware/middleware.rb +11 -0
data/lib/aikido/zen/middleware/rack_throttler.rb +48 -0
data/lib/aikido/zen/middleware/request_tracker.rb +192 -0
data/lib/aikido/zen/middleware/set_context.rb +26 -0
data/lib/aikido/zen/outbound_connection.rb +45 -0
data/lib/aikido/zen/outbound_connection_monitor.rb +23 -0
data/lib/aikido/zen/package.rb +22 -0
data/lib/aikido/zen/payload.rb +50 -0
data/lib/aikido/zen/rails_engine.rb +56 -0
data/lib/aikido/zen/rate_limiter/breaker.rb +61 -0
data/lib/aikido/zen/rate_limiter/bucket.rb +76 -0
data/lib/aikido/zen/rate_limiter/result.rb +31 -0
data/lib/aikido/zen/rate_limiter.rb +50 -0
data/lib/aikido/zen/request/heuristic_router.rb +115 -0
data/lib/aikido/zen/request/rails_router.rb +77 -0
data/lib/aikido/zen/request/schema/auth_discovery.rb +86 -0
data/lib/aikido/zen/request/schema/auth_schemas.rb +54 -0
data/lib/aikido/zen/request/schema/builder.rb +121 -0
data/lib/aikido/zen/request/schema/definition.rb +107 -0
data/lib/aikido/zen/request/schema/empty_schema.rb +28 -0
data/lib/aikido/zen/request/schema.rb +87 -0
data/lib/aikido/zen/request.rb +122 -0
data/lib/aikido/zen/route.rb +39 -0
data/lib/aikido/zen/runtime_settings/endpoints.rb +49 -0
data/lib/aikido/zen/runtime_settings/ip_set.rb +36 -0
data/lib/aikido/zen/runtime_settings/protection_settings.rb +62 -0
data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb +47 -0
data/lib/aikido/zen/runtime_settings.rb +65 -0
data/lib/aikido/zen/scan.rb +75 -0
data/lib/aikido/zen/scanners/path_traversal/helpers.rb +65 -0
data/lib/aikido/zen/scanners/path_traversal_scanner.rb +63 -0
data/lib/aikido/zen/scanners/shell_injection/helpers.rb +159 -0
data/lib/aikido/zen/scanners/shell_injection_scanner.rb +64 -0
data/lib/aikido/zen/scanners/sql_injection_scanner.rb +93 -0
data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb +27 -0
data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb +97 -0
data/lib/aikido/zen/scanners/ssrf_scanner.rb +265 -0
data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +49 -0
data/lib/aikido/zen/scanners.rb +7 -0
data/lib/aikido/zen/sink.rb +118 -0
data/lib/aikido/zen/sinks/action_controller.rb +83 -0
data/lib/aikido/zen/sinks/async_http.rb +80 -0
data/lib/aikido/zen/sinks/curb.rb +113 -0
data/lib/aikido/zen/sinks/em_http.rb +83 -0
data/lib/aikido/zen/sinks/excon.rb +118 -0
data/lib/aikido/zen/sinks/file.rb +112 -0
data/lib/aikido/zen/sinks/http.rb +93 -0
data/lib/aikido/zen/sinks/httpclient.rb +95 -0
data/lib/aikido/zen/sinks/httpx.rb +78 -0
data/lib/aikido/zen/sinks/kernel.rb +33 -0
data/lib/aikido/zen/sinks/mysql2.rb +31 -0
data/lib/aikido/zen/sinks/net_http.rb +101 -0
data/lib/aikido/zen/sinks/patron.rb +103 -0
data/lib/aikido/zen/sinks/pg.rb +72 -0
data/lib/aikido/zen/sinks/resolv.rb +62 -0
data/lib/aikido/zen/sinks/socket.rb +78 -0
data/lib/aikido/zen/sinks/sqlite3.rb +46 -0
data/lib/aikido/zen/sinks/trilogy.rb +31 -0
data/lib/aikido/zen/sinks/typhoeus.rb +78 -0
data/lib/aikido/zen/sinks.rb +36 -0
data/lib/aikido/zen/sinks_dsl.rb +250 -0
data/lib/aikido/zen/synchronizable.rb +24 -0
data/lib/aikido/zen/system_info.rb +84 -0
data/lib/aikido/zen/version.rb +10 -0
data/lib/aikido/zen/worker.rb +87 -0
data/lib/aikido/zen.rb +246 -0
data/lib/aikido-zen.rb +3 -0
data/placeholder/.gitignore +4 -0
data/placeholder/README.md +11 -0
data/placeholder/Rakefile +75 -0
data/placeholder/lib/placeholder.rb.template +3 -0
data/placeholder/placeholder.gemspec.template +20 -0
data/tasklib/bench.rake +94 -0
data/tasklib/libzen.rake +133 -0
data/tasklib/wrk.rb +88 -0
metadata +205 -0

data/lib/aikido/zen/sinks/httpclient.rb ADDED Viewed

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module HTTPClient
+      SINK = Sinks.add("httpclient", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.wrap_request(req)
+          Scanners::SSRFScanner::Request.new(
+            verb: req.http_header.request_method,
+            uri: req.http_header.request_uri,
+            headers: req.headers
+          )
+        end
+        def self.wrap_response(resp)
+          # Code coverage is disabled here because `do_get_header` is not called,
+          # because WebMock does not mock it.
+          # :nocov:
+          Scanners::SSRFScanner::Response.new(
+            status: resp.http_header.status_code,
+            headers: resp.headers
+          )
+          # :nocov:
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+        def self.sink(req, &block)
+          wrapped_request = wrap_request(req)
+          connection = OutboundConnection.from_uri(req.http_header.request_uri)
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+          scan(wrapped_request, connection, "request")
+          yield
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "httpclient", ">= 2.0"
+          require "httpclient"
+          ::HTTPClient.class_eval do
+            extend Sinks::DSL
+            private
+            sink_around :do_get_block do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+            sink_around :do_get_stream do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+            sink_after :do_get_header do |_result, req, res, _sess|
+              # Code coverage is disabled here because `do_get_header` is not called,
+              # because WebMock does not mock it.
+              # :nocov:
+              Scanners::SSRFScanner.track_redirects(
+                request: Helpers.wrap_request(req),
+                response: Helpers.wrap_response(res)
+              )
+              # :nocov:
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::HTTPClient.load_sinks!

data/lib/aikido/zen/sinks/httpx.rb ADDED Viewed

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module HTTPX
+      SINK = Sinks.add("httpx", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.wrap_request(request)
+          Scanners::SSRFScanner::Request.new(
+            verb: request.verb,
+            uri: request.uri,
+            headers: request.headers.to_hash
+          )
+        end
+        def self.wrap_response(response)
+          Scanners::SSRFScanner::Response.new(
+            status: response.status,
+            headers: response.headers.to_hash
+          )
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "httpx", ">= 1.1.3"
+          require "httpx"
+          ::HTTPX::Session.class_eval do
+            extend Sinks::DSL
+            sink_around :send_request do |original_call, request|
+              wrapped_request = Helpers.wrap_request(request)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+              connection = OutboundConnection.from_uri(request.uri)
+              Helpers.scan(wrapped_request, connection, "request")
+              request.on(:response) do |response|
+                Scanners::SSRFScanner.track_redirects(
+                  request: wrapped_request,
+                  response: Helpers.wrap_response(response)
+                )
+              end
+              original_call.call
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::HTTPX.load_sinks!

data/lib/aikido/zen/sinks/kernel.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module Kernel
+      SINK = Sinks.add("Kernel", scanners: [Scanners::ShellInjectionScanner])
+      module Helpers
+        def self.scan(command, operation)
+          SINK.scan(command: command, operation: operation)
+        end
+      end
+      def self.load_sinks!
+        [::Kernel.singleton_class, ::Kernel].each do |klass|
+          klass.class_eval do
+            extend Sinks::DSL
+            %i[system spawn].each do |method_name|
+              sink_before method_name do |*args|
+                # Remove the optional environment argument before the command-line.
+                args.shift if args.first.is_a?(Hash)
+                Helpers.scan(args.first, method_name)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Kernel.load_sinks!

data/lib/aikido/zen/sinks/mysql2.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module Mysql2
+      SINK = Sinks.add("mysql2", scanners: [Scanners::SQLInjectionScanner])
+      module Helpers
+        def self.scan(query, operation)
+          SINK.scan(query: query, dialect: :mysql, operation: operation)
+        end
+      end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "mysql2"
+          require "mysql2"
+          ::Mysql2::Client.class_eval do
+            extend Sinks::DSL
+            sink_before :query do |sql|
+              Helpers.scan(sql, "query")
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Mysql2.load_sinks!

data/lib/aikido/zen/sinks/net_http.rb ADDED Viewed

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Net
+      module HTTP
+        SINK = Sinks.add("net-http", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+        module Helpers
+          # Maps a Net::HTTP connection to an Aikido OutboundConnection,
+          # which our tooling expects.
+          #
+          # @param http [Net::HTTP]
+          # @return [Aikido::Zen::OutboundConnection]
+          def self.build_outbound(http)
+            OutboundConnection.new(
+              host: http.address,
+              port: http.port
+            )
+          end
+          def self.wrap_request(req, session)
+            uri = req.uri if req.uri.is_a?(URI)
+            uri ||= URI(format("%<scheme>s://%<hostname>s:%<port>s%<path>s", {
+              scheme: session.use_ssl? ? "https" : "http",
+              hostname: session.address,
+              port: session.port,
+              path: req.path
+            }))
+            Scanners::SSRFScanner::Request.new(
+              verb: req.method,
+              uri: uri,
+              headers: req.to_hash,
+              header_normalizer: ->(val) { Array(val).join(", ") }
+            )
+          end
+          def self.wrap_response(response)
+            Scanners::SSRFScanner::Response.new(
+              status: response.code.to_i,
+              headers: response.to_hash,
+              header_normalizer: ->(val) { Array(val).join(", ") }
+            )
+          end
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+        def self.load_sinks!
+          # In stdlib but not always required
+          require "net/http"
+          ::Net::HTTP.class_eval do
+            extend Sinks::DSL
+            sink_around :request do |original_call, req|
+              wrapped_request = Helpers.wrap_request(req, self)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+              connection = Helpers.build_outbound(self)
+              Helpers.scan(wrapped_request, connection, "request")
+              response = original_call.call
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(response)
+              )
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Net::HTTP.load_sinks!

data/lib/aikido/zen/sinks/patron.rb ADDED Viewed

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Patron
+      SINK = Sinks.add("patron", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.wrap_response(request, response)
+          # In this case, automatic redirection happened inside libcurl.
+          if response.url != request.url && !response.url.to_s.empty?
+            Scanners::SSRFScanner::Response.new(
+              status: 302, # We can't know what the actual status was, but we just need a 3XX
+              headers: response.headers.merge("Location" => response.url)
+            )
+          else
+            Scanners::SSRFScanner::Response.new(
+              status: response.status,
+              headers: response.headers
+            )
+          end
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "patron", ">= 0.6.4"
+          require "patron"
+          ::Patron::Session.class_eval do
+            extend Sinks::DSL
+            sink_around :handle_request do |original_call, request|
+              wrapped_request = Scanners::SSRFScanner::Request.new(
+                verb: request.action,
+                uri: URI(request.url),
+                headers: request.headers
+              )
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+              connection = OutboundConnection.from_uri(URI(request.url))
+              Helpers.scan(wrapped_request, connection, "request")
+              response = original_call.call
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(request, response)
+              )
+              # When libcurl has follow_location set, it will handle redirections
+              # internally, and expose the response.url as the URI that was last
+              # requested in the redirect chain.
+              #
+              # In this case, we can't actually stop the request from happening, but
+              # we can scan again (now that we know another request happened), to
+              # stop the response from being exposed to the user. This downgrades
+              # the SSRF into a blind SSRF, which is better than doing nothing.
+              if request.url != response.url && !response.url.to_s.empty?
+                last_effective_request = Scanners::SSRFScanner::Request.new(
+                  verb: request.action,
+                  uri: URI(response.url),
+                  headers: request.headers
+                )
+                context["ssrf.request"] = last_effective_request if context
+                connection = OutboundConnection.from_uri(URI(response.url))
+                Helpers.scan(last_effective_request, connection, "request")
+              end
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Patron.load_sinks!

data/lib/aikido/zen/sinks/pg.rb ADDED Viewed

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module PG
+      SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
+      module Helpers
+        # For some reason, the ActiveRecord pg adaptor does not wrap exceptions
+        # in ActiveRecord::StatementInvalid, leading to inconsistent handling.
+        # This guarantees that Aikido::Zen::SQLInjectionErrors are wrapped in
+        # an ActiveRecord::StatementInvalid.
+        def self.safe(&block)
+          # Code coverage is disabled here because this ActiveRecord behavior is
+          # exercised in end-to-end tests, which are not covered by SimpleCov.
+          # :nocov:
+          if !defined?(ActiveRecord::StatementInvalid)
+            Sinks::DSL.safe(&block)
+          else
+            begin
+              Sinks::DSL.safe(&block)
+            rescue Aikido::Zen::SQLInjectionError => err
+              raise ActiveRecord::StatementInvalid, cause: err
+            end
+          end
+          # :nocov:
+        end
+        def self.scan(query, operation)
+          SINK.scan(
+            query: query,
+            dialect: :postgresql,
+            operation: operation
+          )
+        end
+      end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "pg", ">= 1.0"
+          require "pg"
+          ::PG::Connection.class_eval do
+            extend Sinks::DSL
+            %i[
+              send_query exec sync_exec async_exec
+              send_query_params exec_params sync_exec_params async_exec_params
+            ].each do |method_name|
+              presafe_sink_before method_name do |query|
+                Helpers.safe do
+                  Helpers.scan(query, method_name)
+                end
+              end
+            end
+            %i[
+              send_prepare prepare async_prepare sync_prepare
+            ].each do |method_name|
+              presafe_sink_before method_name do |_, query|
+                Helpers.safe do
+                  Helpers.scan(query, method_name)
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::PG.load_sinks!

data/lib/aikido/zen/sinks/resolv.rb ADDED Viewed

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+require_relative "../scanners/stored_ssrf_scanner"
+require_relative "../scanners/ssrf_scanner"
+module Aikido::Zen
+  module Sinks
+    module Resolv
+      SINK = Sinks.add("resolv", scanners: [
+        Scanners::StoredSSRFScanner,
+        Scanners::SSRFScanner
+      ])
+      module Helpers
+        def self.scan(name, addresses, operation)
+          context = Aikido::Zen.current_context
+          if context
+            context["dns.lookups"] ||= Scanners::SSRF::DNSLookups.new
+            context["dns.lookups"].add(name, addresses)
+          end
+          SINK.scan(
+            hostname: name,
+            addresses: addresses,
+            request: context && context["ssrf.request"],
+            operation: operation
+          )
+        end
+      end
+      def self.load_sinks!
+        # In stdlib but not always required
+        require "resolv"
+        ::Resolv.class_eval do
+          alias_method :each_address__internal_for_aikido_zen, :each_address
+          def each_address(*args, **kwargs, &blk)
+            # each_address is defined "manually" because no sink method pattern
+            # is applicable.
+            name, = args
+            addresses = []
+            each_address__internal_for_aikido_zen(*args, **kwargs) do |address|
+              addresses << address
+              blk.call(address)
+            end
+          ensure
+            # Ensure partial results are scanned.
+            Sinks::DSL.safe do
+              Helpers.scan(name, addresses, "lookup")
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Resolv.load_sinks!

data/lib/aikido/zen/sinks/socket.rb ADDED Viewed

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+require "socket"
+require_relative "../scanners/stored_ssrf_scanner"
+require_relative "../scanners/ssrf_scanner"
+module Aikido::Zen
+  module Sinks
+    # We intercept IPSocket.open to hook our DNS checks around it, since
+    # there's no way to access the internal DNS resolution that happens in C
+    # when using the socket primitives.
+    module Socket
+      SINK = Sinks.add("socket", scanners: [
+        Scanners::StoredSSRFScanner,
+        Scanners::SSRFScanner
+      ])
+      module Helpers
+        def self.scan(hostname, socket, operation)
+          # We're patching IPSocket.open(..) method.
+          # The IPSocket class hierarchy is:
+          #             IPSocket
+          #            /        \
+          #       TCPSocket    UDPSocket
+          #       /       \
+          # TCPServer     SOCKSSocket
+          #
+          # Because we want to scan only HTTP requests, we skip in case the
+          # socket is not *exactly* an instance of TCPSocket — it's any
+          # of it subclasses
+          return unless socket.instance_of?(TCPSocket)
+          # ["AF_INET", 80, "10.0.0.1", "10.0.0.1"]
+          address_family, _port, _hostname, numeric_address = socket.peeraddr(:numeric)
+          # We only care about IPv4 (AF_INET) or IPv6 (AF_INET6) sockets
+          # This might be overcautious, since this is _IP_Socket, so you
+          # would expect it's only used for IP connections?
+          # Code coverage is disabled here because the then clause is a no-op,
+          # so there is nothing to cover.
+          # :nocov:
+          return unless address_family.start_with?("AF_INET")
+          # :nocov:
+          context = Aikido::Zen.current_context
+          if context
+            context["dns.lookups"] ||= Scanners::SSRF::DNSLookups.new
+            context["dns.lookups"].add(hostname, numeric_address)
+          end
+          SINK.scan(
+            hostname: hostname,
+            addresses: [numeric_address],
+            request: context && context["ssrf.request"],
+            operation: operation
+          )
+        end
+      end
+      def self.load_sinks!
+        ::IPSocket.singleton_class.class_eval do
+          extend Sinks::DSL
+          sink_after :open do |socket, remote_host|
+            # Code coverage is disabled here because the tests are contrived and
+            # intentionally do not call open.
+            # :nocov:
+            Helpers.scan(remote_host, socket, "open")
+            # :nocov:
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Socket.load_sinks!

data/lib/aikido/zen/sinks/sqlite3.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module SQLite3
+      SINK = Sinks.add("sqlite3", scanners: [Scanners::SQLInjectionScanner])
+      module Helpers
+        def self.scan(query, operation)
+          SINK.scan(
+            query: query,
+            dialect: :sqlite,
+            operation: operation
+          )
+        end
+      end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "sqlite3", ">= 1.0"
+          require "sqlite3"
+          ::SQLite3::Database.class_eval do
+            extend Sinks::DSL
+            private
+            # SQLite3::Database#exec_batch is an internal native private method.
+            sink_before :exec_batch do |sql|
+              Helpers.scan(sql, "exec_batch")
+            end
+          end
+          ::SQLite3::Statement.class_eval do
+            extend Sinks::DSL
+            sink_before :initialize do |_db, sql|
+              Helpers.scan(sql, "statement.execute")
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::SQLite3.load_sinks!