aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen/detached_agent/front_object.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+# dRB Front object that will work as a bridge communication between child & parent
+# processes.
+# Every method is called from the child but it runs in the parent process.
+module Aikido::Zen::DetachedAgent
+  class FrontObject
+    def initialize(
+      config: Aikido::Zen.config,
+      collector: Aikido::Zen.collector,
+      runtime_settings: Aikido::Zen.runtime_settings,
+      rate_limiter: Aikido::Zen::RateLimiter.new
+    )
+      @config = config
+      @collector = collector
+      @rate_limiter = rate_limiter
+      @runtime_settings = runtime_settings
+    end
+
+    RequestKind = Struct.new(:route, :schema, :ip, :actor)
+
+    def send_heartbeat_to_parent_process(heartbeat)
+      @collector.push_heartbeat(heartbeat)
+    end
+
+    # Method called by child processes to get an up-to-date version of the
+    # runtime_settings
+    def updated_settings
+      @runtime_settings
+    end
+
+    def calculate_rate_limits(route, ip, actor_hash)
+      actor = Aikido::Zen::Actor(actor_hash) if actor_hash
+      @rate_limiter.calculate_rate_limits(RequestKind.new(route, nil, ip, actor))
+    end
+  end
+end

data/lib/aikido/zen/detached_agent/server.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "fileutils"
+
+module Aikido::Zen::DetachedAgent
+  class Server
+    # Initialize and start a detached agent server instance.
+    #
+    # @return [Aikido::Zen::DetachedAgent::Server]
+    def self.start(**opts)
+      new(**opts).tap(&:start!)
+    end
+
+    def initialize(config: Aikido::Zen.config)
+      @started_at = nil
+
+      @config = config
+
+      @socket_path = config.detached_agent_socket_path
+      @socket_uri = config.detached_agent_socket_uri
+    end
+
+    def started?
+      !!@started_at
+    end
+
+    def start!
+      @config.logger.info("Starting DRb Server...")
+
+      # Try to ensure that the DRb service can start if the DRb service did
+      # not stop cleanly.
+      begin
+        # Check whether the Unix domain socket is in use by another process.
+        UNIXSocket.new(@socket_path).close
+      rescue Errno::ECONNREFUSED
+        @config.logger.debug("Removing residual Unix domain socket...")
+
+        # Remove the residual Unix domain socket.
+        FileUtils.rm_f(@socket_path)
+      rescue
+        # empty
+      end
+
+      @front = FrontObject.new
+
+      # If the Unix domain socket is in use by another process and/or the
+      # residual Unix domain socket could not be removed DRb will raise an
+      # appropriate error.
+      @drb_server = DRb.start_service(@socket_uri, @front)
+
+      # Only show DRb output in debug mode.
+      @drb_server.verbose = @config.logger.debug?
+
+      # Ensure that the DRb server is alive.
+      max_attempts = 10
+      attempts = 0
+      until @drb_server.alive?
+        @config.logger.info("DRb Server still not alive. #{max_attempts - attempts} attempts remaining")
+        sleep 0.1
+        attempts += 1
+        raise Aikido::Zen::DetachedAgentError.new("Impossible to start the dRB server (socket=#{Aikido::Zen.config.detached_agent_socket_path})") \
+          if attempts == max_attempts
+      end
+
+      @started_at = Time.now.utc
+
+      at_exit { stop! if started? }
+    end
+
+    def stop!
+      @config.logger.info("Stopping DRb Server...")
+      @started_at = nil
+
+      @drb_server.stop_service if @drb_server.alive?
+      DRb.stop_service
+    end
+  end
+end

data/lib/aikido/zen/detached_agent.rb

@@ -0,0 +1,2 @@
+require_relative "detached_agent/agent"
+require_relative "detached_agent/server"

data/lib/aikido/zen/errors.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+module Aikido
+  # @!visibility private
+  # Support rescuing Aikido::Error without forcing a single base class to all
+  # errors (so things that should be e.g. a TypeError, can have the correct
+  # superclass).
+  module Error; end # :nodoc:
+
+  # @!visibility private
+  # Generic error for problems with the Agent.
+  class ZenError < RuntimeError
+    include Error
+  end
+
+  module Zen
+    # Wrapper for all low-level network errors communicating with the API. You
+    # can access the original error by calling #cause.
+    class NetworkError < StandardError
+      include Error
+
+      def initialize(request, cause = nil)
+        @request = request.dup
+
+        super("Error in #{request.method} #{request.path}: #{cause.message}")
+      end
+    end
+
+    # Raised whenever a request to the API results in a 4XX or 5XX response.
+    class APIError < StandardError
+      include Error
+
+      attr_reader :request
+      attr_reader :response
+
+      def initialize(request, response)
+        @request = anonimize_token(request.dup)
+        @response = response
+
+        super("Error in #{request.method} #{request.path}: #{response.code} #{response.message} (#{response.body})")
+      end
+
+      private def anonimize_token(request)
+        # Anonimize the token to `********************xxxx`,
+        # mimicking what we show in the dashbaord.
+        request["Authorization"] = request["Authorization"].to_s
+          .gsub(/\A.*(.{4})\z/, ("*" * 20) + "\\1")
+        request
+      end
+    end
+
+    # Raised whenever a response to the API results in a 429 response.
+    class RateLimitedError < APIError; end
+
+    class UnderAttackError < StandardError
+      include Error
+
+      attr_reader :attack
+
+      def initialize(attack)
+        @attack = attack
+      end
+    end
+
+    class SQLInjectionError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :query, :input, :dialect
+    end
+
+    class SSRFDetectedError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :request, :input
+    end
+
+    class PathTraversalError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :input
+    end
+
+    class ShellInjectionError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :input
+    end
+
+    # Raised when there's any problem communicating (or loading) libzen.
+    class InternalsError < ZenError
+      # @param attempt [String] description of what we were trying to do.
+      # @param problem [String] what couldn't be done.
+      # @param libname [String] the name of the file (including the arch).
+      def initialize(attempt, problem, libname)
+        super(format(<<~MSG.chomp, attempt, problem, libname))
+          Zen could not scan %s due to a problem %s the library `%s'
+        MSG
+      end
+    end
+
+    class DetachedAgentError < ZenError
+      extend Forwardable
+
+      def initialize(msg)
+        super
+      end
+    end
+  end
+end

data/lib/aikido/zen/event.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Base class for all events. You should be using one of the subclasses defined
+  # in the Events module.
+  class Event
+    attr_reader :type
+    attr_reader :time
+    attr_reader :system_info
+
+    def initialize(type:, system_info: Aikido::Zen.system_info, time: Time.now.utc)
+      @type = type
+      @time = time
+      @system_info = system_info
+    end
+
+    def as_json
+      {
+        type: type,
+        time: time.to_i * 1000,
+        agent: system_info.as_json
+      }
+    end
+  end
+
+  module Events
+    # Event sent when starting up the agent.
+    class Started < Event
+      def initialize(**opts)
+        super(type: "started", **opts)
+      end
+    end
+
+    class Attack < Event
+      attr_reader :attack
+
+      def initialize(attack:, **opts)
+        @attack = attack
+        super(type: "detected_attack", **opts)
+      end
+
+      def as_json
+        super.update(
+          attack: @attack.as_json,
+          request: @attack.context.request.as_json
+        )
+      end
+    end
+
+    class Heartbeat < Event
+      def initialize(stats:, users:, hosts:, routes:, middleware_installed:, **opts)
+        super(type: "heartbeat", **opts)
+        @stats = stats
+        @users = users
+        @hosts = hosts
+        @routes = routes
+        @middleware_installed = middleware_installed
+      end
+
+      def as_json
+        super.update(
+          stats: @stats.as_json,
+          users: @users.as_json,
+          routes: @routes.as_json,
+          hostnames: @hosts.as_json,
+          middlewareInstalled: @middleware_installed
+        )
+      end
+    end
+  end
+end

data/lib/aikido/zen/internals.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require "ffi"
+require_relative "errors"
+
+module Aikido::Zen
+  module Internals
+    extend FFI::Library
+
+    def self.libzen_names
+      lib_name = "libzen-v#{LIBZEN_VERSION}"
+      lib_ext = FFI::Platform::LIBSUFFIX
+
+      # Gem::Platform#version should be understood as an arbitrary Ruby defined
+      # OS specific string. A platform with a version string is considered more
+      # specific than a platform without a version string.
+      # https://docs.ruby-lang.org/en/3.3/Gem/Platform.html
+
+      platform = Gem::Platform.local.dup
+
+      # Library names in preferred order.
+      #
+      # If two library names are added, the specific platform library names is
+      # first and the generic platform library name is second.
+      names = []
+
+      names << "#{lib_name}-#{platform}.#{lib_ext}"
+
+      unless platform.version.nil?
+        platform.version = nil
+        names << "#{lib_name}-#{platform}.#{lib_ext}"
+      end
+
+      names
+    end
+
+    # @return [String] the name of the extension we're loading, which we can
+    # use in error messages.
+    def self.libzen_name
+      # The most generic platform library name.
+      libzen_names.last
+    end
+
+    # Load the most specific library
+    def self.load_libzen
+      libzen_names.each do |name|
+        path = File.expand_path(name, __dir__)
+        begin
+          return ffi_lib(path)
+        rescue LoadError
+          # empty
+        end
+      end
+      raise LoadError, "Zen could not load its native extension #{libzen_name}"
+    end
+
+    begin
+      load_libzen
+
+      # @!method self.detect_sql_injection_native(query, input, dialect)
+      # @param (see .detect_sql_injection)
+      # @returns [Integer] 0 if no injection detected, 1 if an injection was
+      #   detected, or 2 if there was an internal error.
+      # @raise [Aikido::Zen::InternalsError] if there's a problem loading or
+      #   calling libzen.
+      attach_function :detect_sql_injection_native, :detect_sql_injection,
+        [:string, :string, :int], :int
+    rescue LoadError, FFI::NotFoundError => err # rubocop:disable Lint/ShadowedException
+      # :nocov:
+
+      # Emit an $stderr warning at startup.
+      warn "Zen could not load its native extension #{libzen_name}: #{err}"
+
+      def self.detect_sql_injection(query, *)
+        attempt = format("%p for SQL injection", query)
+        raise InternalsError.new(attempt, "loading", libzen_name)
+      end
+
+      # :nocov:
+    else
+      # Analyzes the SQL query to detect if the provided user input is being
+      # passed as-is without escaping.
+      #
+      # @param query [String]
+      # @param input [String]
+      # @param dialect [Integer, #to_int] the SQL Dialect identifier in libzen.
+      #   See {Aikido::Zen::Scanners::SQLInjectionScanner::DIALECTS}.
+      #
+      # @returns [Boolean]
+      # @raise [Aikido::Zen::InternalsError] if there's a problem loading or
+      #   calling libzen.
+      def self.detect_sql_injection(query, input, dialect)
+        case detect_sql_injection_native(query, input, dialect)
+        when 0 then false
+        when 1 then true
+        when 2
+          attempt = format("%s query %p with input %p", dialect, query, input)
+          raise InternalsError.new(attempt, "calling detect_sql_injection in", libzen_name)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/check_allowed_addresses.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    # Middleware that rejects requests from IPs blocked in the Aikido dashboard.
+    class CheckAllowedAddresses
+      def initialize(app, config: Aikido::Zen.config, settings: Aikido::Zen.runtime_settings)
+        @app = app
+        @config = config
+        @settings = settings
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+
+        allowed_ips = @settings.endpoints[request.route].allowed_ips
+
+        if allowed_ips.empty? || allowed_ips.include?(request.ip)
+          @app.call(env)
+        else
+          @config.blocked_responder.call(request, :ip)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/middleware.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::Middleware
+  def self.request_from(env)
+    if (current_context = Aikido::Zen.current_context)
+      current_context.request
+    else
+      Aikido::Zen::Context.from_rack_env(env).request
+    end
+  end
+end

data/lib/aikido/zen/middleware/rack_throttler.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative "../context"
+
+module Aikido::Zen
+  module Middleware
+    # Rack middleware that rejects requests from clients that are making too many
+    # requests to a given endpoint, based in the runtime configuration in the
+    # Aikido dashboard.
+    class RackThrottler
+      def initialize(
+        app,
+        config: Aikido::Zen.config,
+        settings: Aikido::Zen.runtime_settings,
+        detached_agent: Aikido::Zen.detached_agent
+      )
+        @app = app
+        @config = config
+        @settings = settings
+        @detached_agent = detached_agent
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+
+        if should_throttle?(request)
+          @config.rate_limited_responder.call(request)
+        else
+          @app.call(env)
+        end
+      end
+
+      private
+
+      def should_throttle?(request)
+        return false unless @settings.endpoints[request.route].rate_limiting.enabled?
+        return false if @settings.skip_protection_for_ips.include?(request.ip)
+
+        result = @detached_agent.calculate_rate_limits(request)
+
+        return false unless result
+
+        request.env["aikido.rate_limiting"] = result
+        request.env["aikido.rate_limiting"].throttled?
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -0,0 +1,192 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    # Rack middleware used to track request
+    # It implements the logic under that which is considered worthy of being tracked.
+    class RequestTracker
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+        response = @app.call(env)
+
+        if request.route && track?(
+          status_code: response[0],
+          route: request.route.path,
+          http_method: request.request_method
+        )
+          Aikido::Zen.track_request request
+
+          if Aikido::Zen.config.collect_api_schema?
+            Aikido::Zen.track_discovered_route(request)
+          end
+        end
+
+        response
+      end
+
+      IGNORED_METHODS = %w[OPTIONS HEAD]
+      IGNORED_EXTENSIONS = %w[properties config webmanifest]
+      IGNORED_SEGMENTS = ["cgi-bin"]
+      WELL_KNOWN_URIS = %w[
+        /.well-known/acme-challenge
+        /.well-known/amphtml
+        /.well-known/api-catalog
+        /.well-known/appspecific
+        /.well-known/ashrae
+        /.well-known/assetlinks.json
+        /.well-known/broadband-labels
+        /.well-known/brski
+        /.well-known/caldav
+        /.well-known/carddav
+        /.well-known/change-password
+        /.well-known/cmp
+        /.well-known/coap
+        /.well-known/coap-eap
+        /.well-known/core
+        /.well-known/csaf
+        /.well-known/csaf-aggregator
+        /.well-known/csvm
+        /.well-known/did.json
+        /.well-known/did-configuration.json
+        /.well-known/dnt
+        /.well-known/dnt-policy.txt
+        /.well-known/dots
+        /.well-known/ecips
+        /.well-known/edhoc
+        /.well-known/enterprise-network-security
+        /.well-known/enterprise-transport-security
+        /.well-known/est
+        /.well-known/genid
+        /.well-known/gnap-as-rs
+        /.well-known/gpc.json
+        /.well-known/gs1resolver
+        /.well-known/hoba
+        /.well-known/host-meta
+        /.well-known/host-meta.json
+        /.well-known/hosting-provider
+        /.well-known/http-opportunistic
+        /.well-known/idp-proxy
+        /.well-known/jmap
+        /.well-known/keybase.txt
+        /.well-known/knx
+        /.well-known/looking-glass
+        /.well-known/masque
+        /.well-known/matrix
+        /.well-known/mercure
+        /.well-known/mta-sts.txt
+        /.well-known/mud
+        /.well-known/nfv-oauth-server-configuration
+        /.well-known/ni
+        /.well-known/nodeinfo
+        /.well-known/nostr.json
+        /.well-known/oauth-authorization-server
+        /.well-known/oauth-protected-resource
+        /.well-known/ohttp-gateway
+        /.well-known/openid-federation
+        /.well-known/open-resource-discovery
+        /.well-known/openid-configuration
+        /.well-known/openorg
+        /.well-known/oslc
+        /.well-known/pki-validation
+        /.well-known/posh
+        /.well-known/privacy-sandbox-attestations.json
+        /.well-known/private-token-issuer-directory
+        /.well-known/probing.txt
+        /.well-known/pvd
+        /.well-known/rd
+        /.well-known/related-website-set.json
+        /.well-known/reload-config
+        /.well-known/repute-template
+        /.well-known/resourcesync
+        /.well-known/sbom
+        /.well-known/security.txt
+        /.well-known/ssf-configuration
+        /.well-known/sshfp
+        /.well-known/stun-key
+        /.well-known/terraform.json
+        /.well-known/thread
+        /.well-known/time
+        /.well-known/timezone
+        /.well-known/tdmrep.json
+        /.well-known/tor-relay
+        /.well-known/tpcd
+        /.well-known/traffic-advice
+        /.well-known/trust.txt
+        /.well-known/uma2-configuration
+        /.well-known/void
+        /.well-known/webfinger
+        /.well-known/webweaver.json
+        /.well-known/wot
+      ]
+
+      # @param status_code [Integer]
+      # @param route [String]
+      # @param http_method [String]
+      def track?(status_code:, route:, http_method:)
+        # In the UI we want to show only successful (2xx) or redirect (3xx) responses
+        # anything else is discarded.
+        return false unless status_code >= 200 && status_code <= 399
+
+        return false if IGNORED_METHODS.include?(http_method)
+
+        segments = route.split "/"
+
+        # Do not discover routes with dot files like `/path/to/.file` or `/.directory/file`
+        # We want to allow discovery of well-known URIs like `/.well-known/acme-challenge`
+        return false if segments.any? { |s| is_dot_file s } && !is_well_known_uri(route)
+
+        return false if segments.any? { |s| contains_ignored_string s }
+
+        # Check for every file segment if it contains a file extension and if it
+        # should be discovered or ignored
+        segments.all? { |s| should_track_extension s }
+      end
+
+      private
+
+      # Check if a path is a well-known URI
+      # e.g. /.well-known/acme-challenge
+      # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
+      def is_well_known_uri(route)
+        WELL_KNOWN_URIS.include?(route)
+      end
+
+      def is_dot_file(segment)
+        segment.start_with?(".") && segment.size > 1
+      end
+
+      def contains_ignored_string(segment)
+        IGNORED_SEGMENTS.any? { |ignored| segment.include?(ignored) }
+      end
+
+      # Ignore routes which contain file extensions
+      def should_track_extension(segment)
+        extension = get_file_extension(segment)
+
+        return true unless extension
+
+        # Do not discover files with extensions of 1 to 5 characters,
+        # e.g. file.css, file.js, file.woff2
+        return false if extension.size > 1 && extension.size < 6
+
+        # Ignore some file extensions that are longer than 5 characters or shorter than 2 chars
+        return false if IGNORED_EXTENSIONS.include?(extension)
+
+        true
+      end
+
+      def get_file_extension(segment)
+        extension = File.extname(segment)
+        if extension&.start_with?(".")
+          # Remove the dot from the extension
+          return extension[1..]
+        end
+        extension
+      end
+    end
+  end
+end