aikido-zen 1.0.2.beta.2-aarch64-linux

data/lib/aikido/zen/middleware/set_context.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "../context"
+
+module Aikido::Zen
+  # @!visibility private
+  ENV_KEY = "aikido.context"
+
+  module Middleware
+    # Rack middleware that keeps the current context in a Thread/Fiber-local
+    # variable so that other parts of the agent/firewall can access it.
+    class SetContext
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        Aikido::Zen.current_context = env[ENV_KEY] = Context.from_rack_env(env)
+
+        @app.call(env)
+      ensure
+        Aikido::Zen.current_context = nil
+      end
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Simple data object to identify connections performed to outbound servers.
+  class OutboundConnection
+    # Convenience factory to create connection descriptions out of URI objects.
+    #
+    # @param uri [URI]
+    # @return [Aikido::Zen::OutboundConnection]
+    def self.from_uri(uri)
+      new(host: uri.hostname, port: uri.port)
+    end
+
+    # @return [String] the hostname or IP address to which the connection was
+    #   attempted.
+    attr_reader :host
+
+    # @return [Integer] the port number to which the connection was attempted.
+    attr_reader :port
+
+    def initialize(host:, port:)
+      @host = host
+      @port = port
+    end
+
+    def as_json
+      {hostname: host, port: port}
+    end
+
+    def ==(other)
+      other.is_a?(OutboundConnection) &&
+        host == other.host &&
+        port == other.port
+    end
+    alias_method :eql?, :==
+
+    def hash
+      [host, port].hash
+    end
+
+    def inspect
+      "#<#{self.class.name} #{host}:#{port}>"
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection_monitor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # This simple callable follows the Scanner API so that it can be injected into
+  # any Sink that wraps an HTTP library, and lets us keep track of any hosts to
+  # which the app communicates over HTTP.
+  module OutboundConnectionMonitor
+    def self.skips_on_nil_context?
+      false
+    end
+
+    # This simply reports the connection to the Agent, and always returns +nil+
+    # as it's not scanning for any particular attack.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [nil]
+    def self.call(connection:, **)
+      Aikido::Zen.track_outbound(connection)
+
+      nil
+    end
+  end
+end

data/lib/aikido/zen/package.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "sink"
+
+module Aikido::Zen
+  Package = Struct.new(:name, :version) do
+    def initialize(name, version, sinks = Aikido::Zen::Sinks.registry)
+      super(name, version)
+      @sinks = sinks
+    end
+
+    # @return [Boolean] whether we explicitly protect against exploits in this
+    #   library.
+    def supported?
+      @sinks.include?(name)
+    end
+
+    def as_json
+      {name => version.to_s}
+    end
+  end
+end

data/lib/aikido/zen/payload.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # An individual user input in a request, which may come from different
+  # sources (query string, body, cookies, etc).
+  class Payload
+    attr_reader :value, :source, :path
+
+    def initialize(value, source, path)
+      @value = value
+      @source = source
+      @path = path
+    end
+
+    UNKNOWN_PAYLOAD = Payload.new("unknown", "unknown", "unknown")
+
+    alias_method :to_s, :value
+
+    def ==(other)
+      other.is_a?(Payload) &&
+        other.value == value &&
+        other.source == source &&
+        other.path == path
+    end
+
+    def as_json
+      {
+        payload: value.to_s,
+        source: SOURCE_SERIALIZATIONS[source],
+        path: path.to_s
+      }
+    end
+
+    SOURCE_SERIALIZATIONS = {
+      query: "query",
+      body: "body",
+      header: "headers",
+      cookie: "cookies",
+      route: "routeParams",
+      graphql: "graphql",
+      xml: "xml",
+      subdomain: "subdomains"
+    }
+
+    def inspect
+      val = (value.to_s.size > 128) ? value[0..125] + "..." : value
+      "#<Aikido::Zen::Payload #{source}(#{path}) #{val.inspect}>"
+    end
+  end
+end

data/lib/aikido/zen/rails_engine.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require "action_dispatch"
+
+module Aikido::Zen
+  class RailsEngine < ::Rails::Engine
+    config.before_configuration do
+      # Access library configuration at `Rails.application.config.zen`.
+      config.zen = Aikido::Zen.config
+    end
+
+    initializer "aikido.add_middleware" do |app|
+      app.middleware.use Aikido::Zen::Middleware::SetContext
+      app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      # Request Tracker stats do not consider failed request or 40x, so the middleware
+      # must be the last one wrapping the request.
+      app.middleware.use Aikido::Zen::Middleware::RequestTracker
+
+      ActiveSupport.on_load(:action_controller) do
+        # Due to how Rails sets up its middleware chain, the routing is evaluated
+        # (and the Request object constructed) in the app that terminates the
+        # chain, so no amount of middleware will be able to access it.
+        #
+        # This way, we overwrite the Request object as early as we can in the
+        # request handling, so that by the time we start evaluating inputs, we
+        # have assigned the request correctly.
+        before_action { Aikido::Zen.current_context.update_request(request) }
+      end
+    end
+
+    initializer "aikido.configuration" do |app|
+      # Allow the logger to be configured before checking if disabled? so we can
+      # let the user know that the agent is disabled.
+      logger = ::Rails.logger
+      logger = logger.tagged("aikido") if logger.respond_to?(:tagged)
+      app.config.zen.logger = logger
+
+      app.config.zen.request_builder = Aikido::Zen::Context::RAILS_REQUEST_BUILDER
+
+      # Plug Rails' JSON encoder/decoder, but only if the user hasn't changed
+      # them for something else.
+      if app.config.zen.json_encoder == Aikido::Zen::Config::DEFAULT_JSON_ENCODER
+        app.config.zen.json_encoder = ActiveSupport::JSON.method(:encode)
+      end
+
+      if app.config.zen.json_decoder == Aikido::Zen::Config::DEFAULT_JSON_DECODER
+        app.config.zen.json_decoder = ActiveSupport::JSON.method(:decode)
+      end
+    end
+
+    config.after_initialize do
+      # Start the Aikido Agent only once the application starts.
+      Aikido::Zen.start!
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/breaker.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "bucket"
+
+module Aikido::Zen
+  # @api private
+  #
+  # Circuit breaker that rate limits internal API requests in two ways: By using
+  # a sliding window, to allow only a certain number of events over that window,
+  # and with the ability of manually being tripped open when the API responds to
+  # a request with a 429.
+  class RateLimiter::Breaker
+    def initialize(config: Aikido::Zen.config, clock: RateLimiter::Bucket::DEFAULT_CLOCK)
+      @config = config
+      @clock = clock
+
+      @bucket = RateLimiter::Bucket.new(
+        ttl: config.client_rate_limit_period,
+        max_size: config.client_rate_limit_max_events,
+        clock: clock
+      )
+      @opened_at = nil
+    end
+
+    # Trip the circuit open to force all events to be throttled until the
+    # deadline passes.
+    #
+    # @see Aikido::Zen::Config#server_rate_limit_deadline
+    # @return [void]
+    def open!
+      @opened_at = @clock.call
+    end
+
+    # @param event_type [String] an event type which we'll use to decide
+    #   if we should throttle it.
+    # @return [Boolean]
+    def throttle?(event_type)
+      return true if open? && !try_close
+
+      result = @bucket.increment(event_type)
+      result.throttled?
+    end
+
+    # @!visibility private
+    # @return [Boolean]
+    def open?
+      @opened_at
+    end
+
+    private
+
+    def past_deadline?
+      @opened_at < @clock.call - @config.server_rate_limit_deadline
+    end
+
+    def try_close
+      @opened_at = nil if past_deadline?
+      @opened_at.nil?
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/bucket.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require_relative "../synchronizable"
+require_relative "result"
+
+module Aikido::Zen
+  # This models a "sliding window" rate limiting bucket (where we keep a bucket
+  # per endpoint). The timestamps of requests are kept grouped by client, and
+  # when a new request is made, we check if the number of requests falls within
+  # the configured limit.
+  #
+  # @example
+  #   bucket = Aikido::Zen::RateLimiter::Bucket.new(ttl: 60, max_size: 3)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 1)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  #   # 30 seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> false (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  class RateLimiter::Bucket
+    prepend Synchronizable
+
+    # @!visibility private
+    #
+    # Use the monotonic clock to ensure time differences are consistent
+    # and not affected by timezones.or daylight savings changes.
+    DEFAULT_CLOCK = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC).round }
+
+    def initialize(ttl:, max_size:, clock: DEFAULT_CLOCK)
+      @ttl = ttl
+      @max_size = max_size
+      @data = Hash.new { |h, k| h[k] = [] }
+      @clock = clock
+    end
+
+    # Increments the key if the number of entries within the current TTL window
+    # is below the configured threshold.
+    #
+    # @param key [String] discriminating key to identify a client.
+    #   See {Aikido::Zen::Config#rate_limiting_discriminator}.
+    #
+    # @return [Aikido::Zen::RateLimiter::Result] the result of the operation and
+    #   statistics on this bucket for the given key.
+    def increment(key)
+      synchronize do
+        time = @clock.call
+        evict(key, at: time)
+
+        entries = @data[key]
+        throttled = entries.size >= @max_size
+
+        entries << time unless throttled
+
+        RateLimiter::Result.new(
+          throttled: throttled,
+          discriminator: key,
+          current_requests: entries.size,
+          max_requests: @max_size,
+          time_remaining: @ttl - (time - entries.min)
+        )
+      end
+    end
+
+    private
+
+    def evict(key, at: @clock.call)
+      synchronize { @data[key].delete_if { |time| time < (at - @ttl) } }
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/result.rb

@@ -0,0 +1,31 @@
+module Aikido::Zen
+  # Holds the stats after checking if a request should be rate limited, which
+  # will be added to the Rack env.
+  class RateLimiter::Result
+    # @return [String] the output of the configured discriminator block, used to
+    #   uniquely identify a client (e.g. the remote IP).
+    attr_reader :discriminator
+
+    # @return [Integer] number of requests for the client in the current window.
+    attr_reader :current_requests
+
+    # @return [Integer] configured max number of requests per client.
+    attr_reader :max_requests
+
+    # @return [Integer] number of seconds remaining until the window resets.
+    attr_reader :time_remaining
+
+    def initialize(throttled:, discriminator:, current_requests:, max_requests:, time_remaining:)
+      @throttled = throttled
+      @discriminator = discriminator
+      @current_requests = current_requests
+      @max_requests = max_requests
+      @time_remaining = time_remaining
+    end
+
+    # @return [Boolean] whether the current request was throttled or not.
+    def throttled?
+      @throttled
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require_relative "synchronizable"
+require_relative "middleware/rack_throttler"
+
+module Aikido::Zen
+  # Keeps track of all requests in this process, broken up by Route and further
+  # discriminated by client. Provides a single method that checks if a certain
+  # Request needs to be throttled or not.
+  class RateLimiter
+    prepend Synchronizable
+
+    def initialize(
+      config: Aikido::Zen.config,
+      settings: Aikido::Zen.runtime_settings
+    )
+      @config = config
+      @settings = settings
+      @buckets = Hash.new { |store, route|
+        synchronize {
+          settings = settings_for(route)
+          store[route] = Bucket.new(ttl: settings.period, max_size: settings.max_requests)
+        }
+      }
+    end
+
+    # Calculate based on the configuration whether a request will be
+    # rate-limited or not.
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [Aikido::Zen::RateLimiter::Result, nil]
+    def calculate_rate_limits(request)
+      settings = settings_for(request.route)
+      return nil unless settings.enabled?
+
+      bucket = @buckets[request.route]
+      key = @config.rate_limiting_discriminator.call(request)
+      bucket.increment(key)
+    end
+
+    private
+
+    def settings_for(route)
+      @settings.endpoints[route].rate_limiting
+    end
+  end
+end
+
+require_relative "rate_limiter/bucket"
+require_relative "rate_limiter/breaker"

data/lib/aikido/zen/request/heuristic_router.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+require_relative "../route"
+require_relative "../request"
+
+module Aikido::Zen
+  # Simple router implementation that just identifies the currently requested
+  # URL as a route, attempting to heuristically substitute any path segments
+  # that may look like a parameterized value by something descriptive.
+  #
+  # For example, "/categories/123/events/2024-10-01" would be matched as
+  # "/categories/:number/events/:date"
+  class Request::HeuristicRouter
+    # @param request [Aikido::Zen::Request]
+    # @return [Aikido::Zen::Route, nil]
+    def recognize(request)
+      path = parameterize(request.path)
+      Route.new(verb: request.request_method, path: path)
+    end
+
+    private def parameterize(path)
+      return if path.nil?
+
+      path = path.split("/").map { |part| parameterize_segment(part) }.join("/")
+      path.prepend("/") unless path.start_with?("/")
+      path.chomp!("/") if path.size > 1
+      path
+    end
+
+    private def parameterize_segment(segment)
+      case segment
+      when ULID
+        ":ulid"
+      when OBJECT_ID
+        ":objectId"
+      when NUMBER
+        ":number"
+      when UUID
+        ":uuid"
+      when DATE
+        ":date"
+      when EMAIL
+        ":email"
+      when IP
+        ":ip"
+      when HASH
+        ":hash"
+      when SecretMatcher
+        ":secret"
+      else
+        segment
+      end
+    end
+
+    NUMBER = /\A\d+\z/
+    HEX = /\A[a-f0-9]+\z/i
+    DATE = /\A\d{4}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4}\z/
+    UUID = /\A
+            (?:[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}
+            | 00000000-0000-0000-0000-000000000000
+            | ffffffff-ffff-ffff-ffff-ffffffffffff
+            )\z/ix
+    ULID = /\A[0-9A-HJKMNP-TV-Z]{26}\z/i
+    OBJECT_ID = /\A[0-9a-f]{24}\z/i
+    EMAIL = /\A
+              [a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+
+              @
+              [a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?
+              (?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*
+            \z/x
+    IP = ->(segment) {
+      IPAddr::RE_IPV4ADDRLIKE.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_COMPRESSED.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_FULL.match?(segment)
+    }
+    HASH = ->(segment) { [32, 40, 64, 128].include?(segment.size) && HEX === segment }
+
+    class SecretMatcher
+      # Decides if a given string looks random enough to be a "secret".
+      #
+      # @param candidate [String]
+      # @return [Boolean]
+      def self.===(candidate)
+        new(candidate).matches?
+      end
+
+      private def initialize(string)
+        @string = string
+      end
+
+      def matches?
+        return false if @string.size <= MIN_LENGTH
+        return false if SEPARATORS === @string
+        return false unless DIGIT === @string
+        return false if [LOWER, UPPER, SPECIAL].none? { |pattern| pattern === @string }
+
+        ratios = @string.chars.each_cons(MIN_LENGTH).map do |window|
+          window.to_set.size / MIN_LENGTH.to_f
+        end
+
+        ratios.sum / ratios.size > SECRET_THRESHOLD
+      end
+
+      MIN_LENGTH = 10
+      SECRET_THRESHOLD = 0.75
+
+      LOWER = /[[:lower:]]/
+      UPPER = /[[:upper:]]/
+      DIGIT = /[[:digit:]]/
+      SPECIAL = /[!#\$%^&*|;:<>]/
+      SEPARATORS = /[[:space:]]|-/
+    end
+  end
+end

data/lib/aikido/zen/request/rails_router.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require_relative "../route"
+require_relative "../request"
+
+module Aikido::Zen
+  # The Rails router relies on introspecting the routes defined in the Rails
+  # app to match the current request to the correct route, building Route
+  # objects that have the exact pattern defined by the developer, rather than
+  # a heuristic approximation.
+  #
+  # For example, given the following route definitions:
+  #
+  #   resources :posts do
+  #     resources :comments
+  #   end
+  #
+  # The router will map a request to "/posts/123/comments/234" to
+  # "/posts/:post_id/comments/:id(.:format)".
+  #
+  # @see Aikido::Zen::Router::HeuristicRouter
+  class Request::RailsRouter
+    def initialize(route_set)
+      @route_set = route_set
+    end
+
+    def recognize(request)
+      recognize_in_route_set(request, @route_set)
+    end
+
+    private def recognize_in_route_set(request, route_set, prefix: nil)
+      # ActionDispatch::Journey::Router#recognize modifies the Rack environment.
+      # This is correct for Rails routing, but it is not expected to be used in
+      # Rack middleware, and using it here can break Rails routing.
+      #
+      # To avoid this, the Rack environment is duplicated when building request.
+      route_set.router.recognize(request) do |route, _|
+        app = route.app
+        next unless app.matches?(request)
+
+        if app.dispatcher?
+          return build_route(route, request, prefix: prefix)
+        end
+
+        if app.engine?
+          # If the SCRIPT_NAME has any path parameters, we want those to be
+          # captured by the router. (eg `mount API => "/api/:version/`)
+          prefix = ActionDispatch::Routing::RouteWrapper.new(route).path
+          return recognize_in_route_set(request, app.rack_app.routes, prefix: prefix)
+        end
+
+        if app.rack_app.respond_to?(:redirect?) && app.rack_app.redirect?
+          return build_route(route, request, prefix: prefix)
+        end
+
+        # At this point we're matching plain Rack apps, where Rails does not
+        # remove the SCRIPT_NAME from PATH_INFO, so we should avoid adding
+        # SCRIPT_NAME twice.
+        return build_route(route, request, prefix: nil)
+      end
+
+      nil
+    end
+
+    private def build_route(route, request, prefix: request.script_name)
+      route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
+
+      path = if prefix.present?
+        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+      else
+        route_wrapper.path
+      end
+
+      Aikido::Zen::Route.new(verb: request.request_method, path: path)
+    end
+  end
+end