aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen/sinks/trilogy.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module Trilogy
+      SINK = Sinks.add("trilogy", scanners: [Scanners::SQLInjectionScanner])
+
+      module Helpers
+        def self.scan(query, operation)
+          SINK.scan(query: query, dialect: :mysql, operation: operation)
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "trilogy", ">= 2.0"
+          require "trilogy"
+
+          ::Trilogy.class_eval do
+            extend Sinks::DSL
+
+            sink_before :query do |query|
+              Helpers.scan(query, "query")
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::Trilogy.load_sinks!

data/lib/aikido/zen/sinks/typhoeus.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Typhoeus
+      SINK = Sinks.add("typhoeus", scanners: [
+        Aikido::Zen::Scanners::SSRFScanner,
+        Aikido::Zen::OutboundConnectionMonitor
+      ])
+
+      before_callback = ->(request) {
+        wrapped_request = Aikido::Zen::Scanners::SSRFScanner::Request.new(
+          verb: request.options[:method],
+          uri: URI(request.url),
+          headers: request.options[:headers]
+        )
+
+        # Store the request information so the DNS sinks can pick it up.
+        if (context = Aikido::Zen.current_context)
+          prev_request = context["ssrf.request"]
+          context["ssrf.request"] = wrapped_request
+        end
+
+        SINK.scan(
+          connection: Aikido::Zen::OutboundConnection.from_uri(URI(request.base_url)),
+          request: wrapped_request,
+          operation: "request"
+        )
+
+        request.on_headers do |response|
+          context["ssrf.request"] = prev_request if context
+
+          Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+            request: wrapped_request,
+            response: Aikido::Zen::Scanners::SSRFScanner::Response.new(
+              status: response.code,
+              headers: response.headers.to_h
+            )
+          )
+        end
+
+        # When Typhoeus is configured with followlocation: true, the redirect
+        # following happens between the on_headers and the on_complete callback,
+        # so we need this one to detect if the request resulted in an automatic
+        # redirect that was followed.
+        request.on_complete do |response|
+          break if response.effective_url == request.url
+
+          last_effective_request = Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            verb: request.options[:method],
+            uri: URI(response.effective_url),
+            headers: request.options[:headers]
+          )
+          context["ssrf.request"] = last_effective_request if context
+
+          # In this case, we can't actually stop the request from happening, but
+          # we can scan again (now that we know another request happened), to
+          # stop the response from being exposed to the user. This downgrades
+          # the SSRF into a blind SSRF, which is better than doing nothing.
+          SINK.scan(
+            connection: Aikido::Zen::OutboundConnection.from_uri(URI(response.effective_url)),
+            request: last_effective_request,
+            operation: "request"
+          )
+        ensure
+          context["ssrf.request"] = nil if context
+        end
+
+        true
+      }
+
+      ::Typhoeus.before.prepend(before_callback)
+    end
+  end
+end

data/lib/aikido/zen/sinks.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# Code coverage is disabled in this file because it is environment-specific and
+# not intended to be tested directly.
+# :nocov:
+
+require_relative "sink"
+require_relative "sinks_dsl"
+
+require_relative "sinks/action_controller" if defined?(::ActionController)
+
+require_relative "sinks/kernel"
+
+require_relative "sinks/file"
+require_relative "sinks/socket"
+require_relative "sinks/resolv"
+require_relative "sinks/net_http"
+
+# http.rb aims to support and is tested against Ruby 3.0+:
+# https://github.com/httprb/http?tab=readme-ov-file#supported-ruby-versions
+require_relative "sinks/http" if RUBY_VERSION >= "3.0"
+
+require_relative "sinks/httpx"
+require_relative "sinks/httpclient"
+require_relative "sinks/excon"
+require_relative "sinks/curb"
+require_relative "sinks/patron"
+require_relative "sinks/typhoeus" if defined?(::Typhoeus)
+require_relative "sinks/async_http"
+require_relative "sinks/em_http"
+require_relative "sinks/mysql2"
+require_relative "sinks/pg"
+require_relative "sinks/sqlite3"
+require_relative "sinks/trilogy"
+
+# :nocov:

data/lib/aikido/zen/sinks_dsl.rb

@@ -0,0 +1,250 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module DSL
+      extend self
+
+      # In the context of `Aikido::Zen::Sinks::DSL`, the terms safe and presafe
+      # are defined as follows:
+      #
+      # safe: the desired state for a sink, particularly with respect to rescue.
+      #
+      # A sink is considered safe when unintended errors in the sink are handled,
+      # and-so are prevented from disrupting the operation of the original method
+      # (by raising unintended errors).
+      #
+      # presafe: the default state of a sink, particularly with respect to rescue.
+      #
+      # A sink is in the presafe state before and while unintended errors in the
+      # sink are not handled.
+      #
+      # Sink methods (like all methods) are in the presafe state when defined and
+      # become safe when unexpected errors cannot cause harm. The `safe` method
+      # is used to establish a safe state for the duration of the block executed.
+      # It is sometimes useful to be able to reestablish the presafe safe while
+      # inside a `safe` block; the `presafe` method allows this.
+      #
+      # Methods that contain the term presafe in their name should be used with
+      # appropriate care and understanding.
+      #
+      # IMPORTANT: All sinks should be safe!
+      #
+      # While this DSL proves useful for defining safe sink methods that follow
+      # common patterns, there are exceptions. It is always possible to define
+      # sink methods without using this DSL, but this should only be done when
+      # absolutely necessary. The sink methods defined using this DSL are safe,
+      # unless explicitly declared presafe.
+      #
+      # IMPORTANT: No sinks should be presafe in production!
+      #
+      # We are all responsible for ensuring that the sinks we implement are safe
+      # for production use. This DSL is only here to assist, by taking care of
+      # delicate edge cases and reducing the space for errors.
+      #
+      # When writing sink methods manually, some principles should be considered,
+      # to ensure safety for production:
+      #
+      # 1. Sink methods should ensure that the original method is always called,
+      # passing all parameters (positional, keyword, and block) exactly as they
+      # were passed to the original method, and return the result returned by
+      # the original method exactly as it was returned by the original method.
+      # (Unless intervention is required.)
+      #
+      # 2. Sink methods should not predict the signature of the original method,
+      # and-so restrict it from varying. The original method implementation is
+      # the sole and ultimate reference for its own behavior. We are observers
+      # (unless intervention is required).
+      #
+      # 3. Unexpected errors that are encountered in sink methods should not be
+      # capable of interfering with or preventing the normal operation of the
+      # original method. This includes but is not limited to exceptions that
+      # that may be raised when the sink method is called. Safe sink methods
+      # should return control to their caller (unless intervention is required).
+      #
+      # These are the guidelines adhered to by the `Aikido::Zen::Sinks::DSL`.
+
+      # The error with an original error as its cause to re-raise in `safe`.
+      class PresafeError < StandardError
+      end
+
+      # Safely execute the given block
+      #
+      # All standard errors are suppressed except `Aikido::Zen::UnderAttackError`s.
+      # This ensures that unexpected errors do not interrupt the execution of the
+      # original method, while all detected attacks are raised.
+      #
+      # When an error is wrapped in `PresafeError` the original error is reraised.
+      #
+      # @yield the block to execute
+      def safe
+        yield
+      rescue Aikido::Zen::UnderAttackError
+        raise
+      rescue PresafeError => err
+        raise err.cause
+      rescue => err
+        Aikido::Zen.config.logger.debug("[safe] #{err.class}: #{err.message}")
+      end
+
+      # Presafely execute the given block
+      #
+      # Safely wrap standard errors in `PresafeError` so that the original error is
+      # reraised when rescued in `safe`.
+      #
+      # @yield the block to execute
+      def presafe
+        yield
+      rescue => err
+        raise PresafeError, cause: err
+      end
+
+      # Define a method `method_name` that presafely executes the given block before
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute before the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      def presafe_sink_before(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
+        original = instance_method(method_name)
+
+        define_method(method_name) do |*args, **kwargs, &blk|
+          instance_exec(*args, **kwargs, &block)
+          original.bind_call(self, *args, **kwargs, &blk)
+        end
+      rescue NameError
+        Aikido::Zen.config.logger.warn("cannot wrap method `#{method_name}' for class `#{self}'")
+      end
+
+      # Define a method `method_name` that safely executes the given block before
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute before the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      #
+      # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
+      def sink_before(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
+        presafe_sink_before(method_name) do |*args, **kwargs|
+          DSL.safe do
+            instance_exec(*args, **kwargs, &block)
+          end
+        end
+      end
+
+      # Define a method `method_name` that presafely executes the given block after
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute after the original method
+      # @yieldparam result [Object] the result returned by the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      def presafe_sink_after(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
+        original = instance_method(method_name)
+
+        define_method(method_name) do |*args, **kwargs, &blk|
+          result = original.bind_call(self, *args, **kwargs, &blk)
+          instance_exec(result, *args, **kwargs, &block)
+          result
+        end
+      rescue NameError
+        Aikido::Zen.config.logger.warn("cannot wrap method `#{method_name}' for class `#{self}'")
+      end
+
+      # Define a method `method_name` that safely executes the given block after
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute after the original method
+      # @yieldparam result [Object] the result returned by the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      #
+      # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
+      def sink_after(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
+        presafe_sink_after(method_name) do |result, *args, **kwargs|
+          DSL.safe do
+            instance_exec(result, *args, **kwargs, &block)
+          end
+        end
+      end
+
+      # Define a method `method_name` that presafely executes the given block around
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute around the original method
+      # @yieldparam original_call [Proc] the proc that calls the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      def presafe_sink_around(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
+        original = instance_method(method_name)
+
+        define_method(method_name) do |*args, **kwargs, &blk|
+          result = nil
+          original_call = proc do
+            result = original.bind_call(self, *args, **kwargs, &blk)
+          end
+          instance_exec(original_call, *args, **kwargs, &block)
+          result
+        end
+      rescue NameError
+        Aikido::Zen.config.logger.warn("cannot wrap method `#{method_name}' for class `#{self}'")
+      end
+
+      # Define a method `method_name` that safely executes the given block around
+      # the original method.
+      #
+      # @param method_name [Symbol, String] the name of the method to define
+      # @yield the block to execute around the original method
+      # @yieldparam original_call [Proc] the proc that calls the original method
+      # @yieldparam args [Array] the positional arguments passed to the original method
+      # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
+      #
+      # @return [void]
+      #
+      # @note the block is executed within `safe` to handle errors safely; the original method is executed within `presafe` to preserve the original behavior
+      # @note if the block does not call `original_call`, the original method is called automatically after the block is executed
+      def sink_around(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
+        presafe_sink_around(method_name) do |presafe_original_call, *args, **kwargs|
+          original_called = false
+          original_call = proc do
+            original_called = true
+            DSL.presafe do
+              presafe_original_call.call
+            end
+          end
+          DSL.safe do
+            instance_exec(original_call, *args, **kwargs, &block)
+          end
+          presafe_original_call.call unless original_called
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/synchronizable.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # @!visibility private
+  #
+  # Provides the synchronization part of Concurrent's LockableObject, but allows
+  # objects to take keyword arguments as well.
+  #
+  # NOTE: This is meant to be prepennded.
+  module Synchronizable
+    def initialize(*, **)
+      @__lock__ = ::Mutex.new
+      super
+    end
+
+    def synchronize
+      if @__lock__.owned?
+        yield
+      else
+        @__lock__.synchronize { yield }
+      end
+    end
+  end
+end

data/lib/aikido/zen/system_info.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "socket"
+require "rubygems"
+
+require_relative "package"
+
+module Aikido::Zen
+  # Provides information about the currently running Agent.
+  class SystemInfo
+    def initialize(config = Aikido::Zen.config)
+      @config = config
+    end
+
+    def attacks_block_requests?
+      !!@config.blocking_mode
+    end
+
+    def attacks_are_only_reported?
+      !attacks_block_requests?
+    end
+
+    def library_name
+      "firewall-ruby"
+    end
+
+    def library_version
+      VERSION
+    end
+
+    def platform_version
+      RUBY_VERSION
+    end
+
+    def hostname
+      @hostname ||= Socket.gethostname
+    end
+
+    # @return [Array<Aikido::Zen::Package>] a list of loaded rubygems that are
+    #   supported by Aikido (i.e. we have a Sink that scans the package for
+    #   vulnerabilities and protects you).
+    def packages
+      @packages ||= Gem.loaded_specs
+        .map { |_, spec| Package.new(spec.name, spec.version) }
+        .select(&:supported?)
+    end
+
+    # @return [String] the first non-loopback IPv4 address that we can use
+    #   to identify this host. If the machine is solely identified by IPv6
+    #   addresses, then this will instead return an IPv6 address.
+    def ip_address
+      @ip_address ||= Socket.ip_address_list
+        .reject { |ip| ip.ipv4_loopback? || ip.ipv6_loopback? || ip.unix? }
+        .min_by { |ip| ip.ipv4? ? 0 : 1 }
+        .ip_address
+    end
+
+    def os_name
+      Gem::Platform.local.os
+    end
+
+    def os_version
+      Gem::Platform.local.version || "unknown"
+    end
+
+    def as_json
+      {
+        dryMode: attacks_are_only_reported?,
+        library: library_name,
+        version: library_version,
+        hostname: hostname,
+        ipAddress: ip_address,
+        platform: {version: platform_version},
+        os: {name: os_name, version: os_version},
+        packages: packages.reduce({}) { |all, package| all.update(package.as_json) },
+        incompatiblePackages: {},
+        stack: [],
+        serverless: false,
+        nodeEnv: "",
+        preventedPrototypePollution: false
+      }
+    end
+  end
+end

data/lib/aikido/zen/version.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Aikido
+  module Zen
+    VERSION = "1.0.2.beta.2"
+
+    # The version of libzen_internals that we build against.
+    LIBZEN_VERSION = "0.1.39"
+  end
+end

data/lib/aikido/zen/worker.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require "concurrent"
+
+module Aikido::Zen
+  # @api private
+  #
+  # The worker manages the background thread in which Zen communicates with the
+  # Aikido server.
+  class Worker
+    # @return [Concurrent::ExecutorService]
+    attr_reader :executor
+
+    # @!visibility private
+    attr_reader :timers, :deferrals
+
+    def initialize(config: Aikido::Zen.config)
+      @config = config
+      @timers = []
+      @deferrals = []
+      @executor = Concurrent::SingleThreadExecutor.new
+    end
+
+    # Queue a block to be run asynchronously in the background thread.
+    #
+    # @return [void]
+    def perform(&block)
+      executor.post do
+        yield
+      rescue Exception => err # rubocop:disable Lint/RescueException
+        @config.logger.error "Error in background worker: #{err.inspect}"
+      end
+    end
+
+    # Queue a block to be run asynchronously after a delay.
+    #
+    # @param interval [Integer] amount of seconds to wait.
+    # @return [void]
+    def delay(interval, &task)
+      Concurrent::ScheduledTask
+        .execute(interval, executor: executor) { perform(&task) }
+        .tap { |deferral| @deferrals << deferral }
+    end
+
+    # Queue a block to run repeatedly on a timer on the background thread. The
+    # timer will consider how long the block takes to run to schedule the next
+    # run. For example, if you schedule a block to run every 10 seconds, and the
+    # block itself takes 2 seconds, the second iteration will be run 8 seconds
+    # after the first one.
+    #
+    # If the block takes longer than the given interval, the second iteration
+    # will be run immediately.
+    #
+    # @param interval [Integer] amount of seconds to wait between runs.
+    # @param run_now [Boolean] whether to run the block immediately, or wait for
+    #   +interval+ seconds before the first run. Defaults to +true+.
+    # @return [void]
+    def every(interval, run_now: true, &task)
+      Concurrent::TimerTask
+        .execute(
+          run_now: run_now,
+          executor: executor,
+          interval_type: :fixed_rate,
+          execution_interval: interval
+        ) {
+          perform(&task)
+        }
+        .tap { |timer| @timers << timer }
+    end
+
+    # Safely clean up and kill the thread, giving time to kill any ongoing tasks
+    # on the queue.
+    #
+    # @return [void]
+    def shutdown
+      @deferrals.each { |task| task.cancel if task.pending? }
+      @timers.each { |task| task.shutdown }
+      @executor.shutdown
+      @executor.wait_for_termination(30)
+    end
+
+    def restart
+      shutdown
+      @executor = Concurrent::SingleThreadExecutor.new
+    end
+  end
+end