aikido-zen 1.0.2.beta.2-x86_64-mingw-64 → 1.0.2.beta.5-x86_64-mingw-64
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/aikido/zen/attack.rb +12 -4
- data/lib/aikido/zen/config.rb +10 -3
- data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +3 -1
- data/lib/aikido/zen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4052b91cc3b58179ae6d97ba79f9fa8577ebf0302b79371029194a04bf63b0a2
|
|
4
|
+
data.tar.gz: 70dcefe99d1eacf6fc855b4cb4e0d9a9d437d6c2939fa16f33c3d9ec5685c78b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 50f28c46252e78156401160ac9b5b10c5be975b85511c4ff5956a3d0c9338839625ea2efcd187b6164fb330db686a155489ef7947038f18ac22f484a3311efc5
|
|
7
|
+
data.tar.gz: fd81224aed695c7e30230967a6ccf72a51581ff731d876bb9db7a6f54498a162315d821df5b7bb77fc2f802cd6326d306a98fb29bc286d63f5cf61e72d4b2ef6
|
data/lib/aikido/zen/attack.rb
CHANGED
|
@@ -67,7 +67,9 @@ module Aikido::Zen
|
|
|
67
67
|
end
|
|
68
68
|
|
|
69
69
|
def metadata
|
|
70
|
-
{
|
|
70
|
+
{
|
|
71
|
+
filename: filepath
|
|
72
|
+
}
|
|
71
73
|
end
|
|
72
74
|
|
|
73
75
|
def humanized_name
|
|
@@ -133,7 +135,10 @@ module Aikido::Zen
|
|
|
133
135
|
end
|
|
134
136
|
|
|
135
137
|
def metadata
|
|
136
|
-
{
|
|
138
|
+
{
|
|
139
|
+
sql: @query,
|
|
140
|
+
dialect: @dialect
|
|
141
|
+
}
|
|
137
142
|
end
|
|
138
143
|
|
|
139
144
|
def exception(*)
|
|
@@ -165,7 +170,7 @@ module Aikido::Zen
|
|
|
165
170
|
|
|
166
171
|
def metadata
|
|
167
172
|
{
|
|
168
|
-
|
|
173
|
+
hostname: @request.uri.hostname,
|
|
169
174
|
port: @request.uri.port
|
|
170
175
|
}
|
|
171
176
|
end
|
|
@@ -200,7 +205,10 @@ module Aikido::Zen
|
|
|
200
205
|
end
|
|
201
206
|
|
|
202
207
|
def metadata
|
|
203
|
-
{
|
|
208
|
+
{
|
|
209
|
+
hostname: @hostname,
|
|
210
|
+
resolvedIP: @address
|
|
211
|
+
}
|
|
204
212
|
end
|
|
205
213
|
end
|
|
206
214
|
end
|
data/lib/aikido/zen/config.rb
CHANGED
|
@@ -70,6 +70,9 @@ module Aikido::Zen
|
|
|
70
70
|
attr_accessor :debugging
|
|
71
71
|
alias_method :debugging?, :debugging
|
|
72
72
|
|
|
73
|
+
# @return [String] environment specific HTTP header providing the client IP.
|
|
74
|
+
attr_accessor :client_ip_header
|
|
75
|
+
|
|
73
76
|
# @return [Integer] maximum number of timing measurements to keep in memory
|
|
74
77
|
# before compressing them.
|
|
75
78
|
attr_accessor :max_performance_samples
|
|
@@ -146,13 +149,16 @@ module Aikido::Zen
|
|
|
146
149
|
# the server returns a 429 response.
|
|
147
150
|
attr_accessor :server_rate_limit_deadline
|
|
148
151
|
|
|
152
|
+
# @return [Boolean] whether Aikido Zen should scan for stored SSSRF attacks.
|
|
153
|
+
# Defaults to true. Can be set through AIKIDO_FEATURE_STORED_SSRF
|
|
154
|
+
# environment variable.
|
|
155
|
+
attr_accessor :stored_ssrf
|
|
156
|
+
alias_method :stored_ssrf?, :stored_ssrf
|
|
157
|
+
|
|
149
158
|
# @return [Array<String>] when checking for stored SSRF attacks, we want to
|
|
150
159
|
# allow known hosts that should be able to resolve to the IMDS service.
|
|
151
160
|
attr_accessor :imds_allowed_hosts
|
|
152
161
|
|
|
153
|
-
# @return [String] environment specific HTTP header providing the client IP.
|
|
154
|
-
attr_accessor :client_ip_header
|
|
155
|
-
|
|
156
162
|
def initialize
|
|
157
163
|
self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
|
|
158
164
|
self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
|
|
@@ -183,6 +189,7 @@ module Aikido::Zen
|
|
|
183
189
|
self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
|
|
184
190
|
self.api_schema_collection_max_depth = 20
|
|
185
191
|
self.api_schema_collection_max_properties = 20
|
|
192
|
+
self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
|
|
186
193
|
self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
|
|
187
194
|
end
|
|
188
195
|
|
|
@@ -33,7 +33,9 @@ module Aikido::Zen
|
|
|
33
33
|
# @return [String, nil] either the offending address, or +nil+ if no
|
|
34
34
|
# address is deemed dangerous.
|
|
35
35
|
def attack?
|
|
36
|
-
return
|
|
36
|
+
return unless @config.stored_ssrf? # Feature flag
|
|
37
|
+
|
|
38
|
+
return if @config.imds_allowed_hosts.include?(@hostname)
|
|
37
39
|
|
|
38
40
|
@addresses.find do |candidate|
|
|
39
41
|
DANGEROUS_ADDRESSES.any? { |address| address === candidate }
|
data/lib/aikido/zen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aikido-zen
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.2.beta.
|
|
4
|
+
version: 1.0.2.beta.5
|
|
5
5
|
platform: x86_64-mingw-64
|
|
6
6
|
authors:
|
|
7
7
|
- Aikido Security
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-09-
|
|
11
|
+
date: 2025-09-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: concurrent-ruby
|