aikido-zen 1.0.2.beta.2-aarch64-linux

data/README.md

@@ -0,0 +1,146 @@
+![Zen by Aikido for Ruby](./docs/banner.svg)
+
+# Zen, in-app firewall for Ruby | by Aikido
+
+[![Gem Version](https://badge.fury.io/rb/aikido-zen.svg?icon=si%3Arubygems&style=flat)](https://badge.fury.io/rb/aikido-zen)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
+[![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
+[![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
+
+Zen, your in-app firewall for peace of mind - at runtime.
+
+Zen by Aikido is an embedded Web Application Firewall that autonomously protects Ruby apps against common and critical attacks.
+
+It protects your Ruby apps by preventing user input containing dangerous strings, which allow injection, pollution, and path traversal attacks. It runs on the same server as your Ruby app for simple [installation](#installation) and zero maintenance.
+
+## Features
+
+Zen will autonomously protect your Ruby applications against:
+
+* 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
+* 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
+* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
+* 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked)
+* 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
+
+Zen operates autonomously on the same server as your Ruby app to:
+
+* ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost
+* ✅ Rate limit specific API endpoints by IP or by user
+* ✅ Allow you to block specific users manually
+
+## Supported libraries and frameworks
+
+Zen for Ruby 2.7+ is compatible with:
+
+### Web frameworks
+
+* ✅ [Ruby on Rails](docs/rails.md) 7.x, 8.x
+
+### Database drivers
+
+* ✅ [`sqlite3`](https://github.com/sparklemotion/sqlite3-ruby) 1.x, 2.x
+* ✅ [`pg`](https://github.com/ged/ruby-pg) 1.x
+* ✅ [`mysql2`](https://github.com/brianmario/mysql2) 0.x
+* ✅ [`trilogy`](https://github.com/trilogy-libraries/trilogy) 2.x
+
+### ORMs and query builders
+
+See list above for supported database drivers.
+
+* ✅ [ActiveRecord](https://github.com/rails/rails)
+* ✅ [Sequel](https://github.com/jeremyevans/sequel)
+
+### HTTP clients
+
+* ✅ [`net-http`](https://github.com/ruby/net-http)
+* ✅ [`http.rb`](https://github.com/httprb/http) 1.x, 2.x, 3.x, 4.x, 5.x
+* ✅ [`httpx`](https://gitlab.com/os85/httpx) 1.x (1.1.3+)
+* ✅ [`httpclient`](https://github.com/nahi/httpclient) 2.x, 3.x
+* ✅ [`excon`](https://github.com/excon/excon) 0.x (0.50.0+), 1.x
+* ✅ [`curb`](https://github.com/taf2/curb) 0.x (0.2.3+), 1.x
+* ✅ [`patron`](https://github.com/toland/patron) 0.x (0.6.4+)
+* ✅ [`typhoeus`](https://github.com/typhoeus/typhoeus) 0.x (0.5.0+), 1.x
+* ✅ [`async-http`](https://github.com/socketry/async-http) 0.x (0.70.0+)
+* ✅ [`em-http-request`](https://github.com/igrigorik/em-http-request) 1.x
+
+## Installation
+
+We recommend testing Zen locally or on staging before deploying to production.
+
+```sh
+bundle add aikido-zen
+```
+
+or, if not using bundler:
+
+```sh
+gem install aikido-zen
+```
+
+For framework specific instructions, check out our docs:
+
+* [Ruby on Rails](docs/rails.md)
+
+## Reporting to your Aikido Security dashboard
+
+> Aikido is your no nonsense application security platform. One central system that scans your source code & cloud, shows you what vulnerabilities matter, and how to fix them - fast. So you can get back to building.
+
+Zen is a new product by Aikido. Built for developers to level up their security. While Aikido scans, get Zen for always-on protection.
+
+You can use some of Zen's features without Aikido, of course. Peace of mind is just a few lines of code away.
+
+But you will get the most value by reporting your data to Aikido.
+
+You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can [sign up for free](https://app.aikido.dev/login).
+
+Here's how:
+
+* [Log in to your Aikido account](https://app.aikido.dev/login).
+* Go to [Zen](https://app.aikido.dev/runtime/services).
+* Go to apps.
+* Click on **Add app**.
+* Choose a name for your app.
+* Click **Generate token**.
+* Copy the token.
+* Set the token as an environment variable, `AIKIDO_TOKEN`, using [dotenv](https://github.com/bkeepers/dotenv) or another method of your choosing.
+
+## Running in production (blocking) mode
+
+By default, Zen will only detect and report attacks to Aikido.
+
+To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
+
+See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn how to send events to Aikido.
+
+## Additional configuration
+
+[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)
+
+## License
+
+This program is offered under a commercial and under the AGPL license. You can be released from the requirements of the AGPL license by purchasing a commercial license. Buying such a license is mandatory as soon as you develop commercial activities involving the Zen software without disclosing the source code of your own applications. 
+
+For more information, please contact Aikido Security at this address: support@aikido.dev or create an account at https://app.aikido.dev.
+
+## Benchmarks
+
+We run a benchmark on every commit to ensure Zen has a minimal impact on your application's performance.
+
+See [benchmarks](benchmarks)
+
+## Bug bounty program
+
+Our bug bounty program is public and can be found by all registered Intigriti users at: https://app.intigriti.com/researcher/programs/aikido/aikidozenbeta
+
+## Contributing
+
+See [CONTRIBUTING.md](.github/CONTRIBUTING.md) for more information.
+
+## Code of Conduct
+
+See [CODE_OF_CONDUCT.md](.github/CODE_OF_CONDUCT.md) for more information.
+
+## Security
+
+See [SECURITY.md](.github/SECURITY.md) for more information.

data/Rakefile

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+require "standard/rake"
+require "rake/clean"
+
+load "tasklib/libzen.rake"
+load "tasklib/bench.rake"
+
+desc "Run all benchmarks"
+task bench: "bench:default"
+
+namespace :build do
+  desc "Ensure Gemfile.lock is up-to-date"
+  task "update_gem_lockfile" do
+    sh "bundle check >/dev/null || bundle"
+  end
+end
+task build: ["build:update_gem_lockfile", "libzen:download:all"]
+
+# Build all the native gems as well
+Rake::Task["build"].enhance(["libzen:gems"])
+
+# rake release wants to tag the commit and push the tag, but we run the release
+# workflow after creating the tag, and so we don't need another one.
+Rake::Task["release:source_control_push"].clear
+task "release:source_control_push" do
+  # do nothing
+end
+
+# Push all the native gems before the libzen-less one.
+task "release:rubygem_push" => "libzen:release"
+
+Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
+  namespace :build do
+    desc "Ensure Gemfile.lock is up-to-date in the #{dir.basename} sample app"
+    task "update_#{dir.basename}_lockfile" do
+      Dir.chdir(dir) { sh "bundle check >/dev/null || bundle" }
+    end
+  end
+
+  task build: "build:update_#{dir.basename}_lockfile"
+end
+
+Minitest::TestTask.create do |test_task|
+  test_task.test_globs = FileList["test/**/{test_*,*_test}.rb"]
+    .exclude("test/e2e/**/*.rb")
+end
+task test: "libzen:download:current"
+
+Pathname.glob("test/e2e/*").select(&:directory?).each do |dir|
+  namespace :e2e do
+    desc "Run e2e tests for the #{dir.basename} sample app"
+    task dir.basename do
+      Dir.chdir(dir) do
+        sh "rake ci:setup"
+        sh "rake test"
+      end
+    end
+  end
+
+  desc "Run all e2e tests"
+  task e2e: "e2e:#{dir.basename}"
+end
+
+task default: %i[test standard]

data/benchmarks/README.md

@@ -0,0 +1,23 @@
+# Benchmarking Zen for Ruby
+
+
+We use [WRK](https://github.com/wg/wrk) & [Grafana K6](https://k6.io) for these.
+
+WRK benchmarks are only requesting a URL (`/benchmark`). In case you want to add more 
+of those test, you have to code them in the file `tasklib/bench.rake`.
+
+K6 tests are defined in `benchmarks` folder. They are a javascript file, with calls 
+to different endpoints.
+
+In order to run a benchmarks against a single application, run the following
+from the root of the project:
+
+```
+$ BUNDLE_GEMFILE=./sample_apps/{app}/Gemfile bundle exec rake bench:{app}:(k6|wrk)_run
+```
+
+For example, for the WRK of `rails7.1_benchmark` application:
+
+```
+$ BUNDLE_GEMFILE=./sample_apps/rails7.1_benchmark/Gemfile bundle exec rake bench:rails7.1_benchmark:wrk_run
+```

data/benchmarks/rails7.1_sql_injection.js

@@ -0,0 +1,70 @@
+import http from 'k6/http';
+import {Trend} from 'k6/metrics';
+
+const HTTP = {
+  withZen: {
+    get: (path, ...args) => http.get("http://localhost:3001" + path, ...args),
+    post: (path, ...args) => http.post("http://localhost:3001" + path, ...args)
+  },
+  withoutZen: {
+    get: (path, ...args) => http.get("http://localhost:3002" + path, ...args),
+    post: (path, ...args) => http.post("http://localhost:3002" + path, ...args)
+  }
+}
+
+function test(name, fn) {
+  const withZen = fn(HTTP.withZen);
+  const withoutZen = fn(HTTP.withoutZen);
+  const timeWithZen = withZen.timings.duration;
+  const timeWithoutZen = withoutZen.timings.duration;
+
+  tests[name].delta.add(timeWithZen - timeWithoutZen);
+  tests[name].overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
+
+  tests[name].with_zen.add(timeWithZen);
+  tests[name].without_zen.add(timeWithoutZen);
+}
+
+function buildTestTrends(prefix) {
+  return {
+    delta: new Trend(`${prefix}_delta`),
+    with_zen: new Trend(`${prefix}_with_zen`),
+    without_zen: new Trend(`${prefix}_without_zen`),
+    overhead: new Trend(`${prefix}_overhead`)
+  };
+}
+
+const tests = {
+  test_post_page_with_json_body: buildTestTrends("test_post_page_with_json_body"),
+  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack"),
+  test_get_page_with_sql_injection: buildTestTrends("test_get_page_with_sql_injection")
+}
+export const options = {
+  vus: 1, // Number of virtual users
+  iterations: 200,
+  thresholds: {
+    http_req_failed: ['rate==0'], // we are marking the attacks as expected, so we should have no errors
+    test_post_page_with_json_body_delta: ["med<10"],
+    test_get_page_without_attack_delta: ["med<10"],
+    test_get_page_with_sql_injection_delta: ["med<10"],
+  }
+};
+
+const expectAttack = http.expectedStatuses(200, 500);
+
+export default function () {
+  test("test_post_page_with_json_body",
+    (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
+      headers: {
+        "Content-Type": "application/json",
+        "Accept": "application/json"
+      }
+    })
+  )
+
+  test("test_get_page_without_attack", (http) => http.get("/cats"))
+
+  test("test_get_page_with_sql_injection", (http) =>
+    http.get("/cats/1'%20OR%20''='", { responseCallback: expectAttack })
+  )
+}