RubyGems - aikido-zen - Versions diffs - 1.0.2.beta.5-arm64-linux-musl → 1.0.2.beta.6-arm64-linux-musl - Mend

aikido-zen 1.0.2.beta.5-arm64-linux-musl → 1.0.2.beta.6-arm64-linux-musl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

checksums.yaml +4 -4
data/.simplecov +6 -0
data/README.md +1 -0
data/benchmarks/README.md +0 -1
data/benchmarks/rails7.1_benchmark.js +1 -0
data/benchmarks/rails7.1_sql_injection.js +52 -20
data/docs/rails.md +5 -7
data/lib/aikido/zen/actor.rb +34 -4
data/lib/aikido/zen/agent/heartbeats_manager.rb +5 -5
data/lib/aikido/zen/agent.rb +17 -15
data/lib/aikido/zen/collector/event.rb +209 -0
data/lib/aikido/zen/collector/routes.rb +13 -8
data/lib/aikido/zen/collector/stats.rb +16 -19
data/lib/aikido/zen/collector/users.rb +3 -1
data/lib/aikido/zen/collector.rb +94 -29
data/lib/aikido/zen/config.rb +4 -10
data/lib/aikido/zen/context.rb +8 -7
data/lib/aikido/zen/detached_agent/agent.rb +28 -27
data/lib/aikido/zen/detached_agent/front_object.rb +10 -6
data/lib/aikido/zen/internals.rb +23 -3
data/lib/aikido/zen/libzen-v0.1.48-arm64-linux-musl.so +0 -0
data/lib/aikido/zen/middleware/fork_detector.rb +23 -0
data/lib/aikido/zen/middleware/request_tracker.rb +1 -1
data/lib/aikido/zen/outbound_connection.rb +7 -0
data/lib/aikido/zen/rails_engine.rb +2 -6
data/lib/aikido/zen/route.rb +7 -0
data/lib/aikido/zen/runtime_settings.rb +1 -1
data/lib/aikido/zen/scanners/path_traversal/helpers.rb +10 -7
data/lib/aikido/zen/scanners/path_traversal_scanner.rb +2 -2
data/lib/aikido/zen/sink.rb +1 -1
data/lib/aikido/zen/sinks/file.rb +43 -4
data/lib/aikido/zen/sinks/kernel.rb +1 -1
data/lib/aikido/zen/version.rb +2 -2
data/lib/aikido/zen.rb +8 -9
metadata +6 -3
data/lib/aikido/zen/libzen-v0.1.39-arm64-linux-musl.so +0 -0

data/lib/aikido/zen/scanners/path_traversal/helpers.rb CHANGED Viewed

@@ -4,7 +4,8 @@ module Aikido::Zen
   module Scanners
     module PathTraversal
       DANGEROUS_PATH_PARTS = ["../", "..\\"]
-      LINUX_ROOT_FOLDERS = [
+      LINUX_PATH_STARTS = [
         "/bin/",
         "/boot/",
         "/dev/",
@@ -26,10 +27,12 @@ module Aikido::Zen
         "/var/"
       ]
-      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+      WINDOWS_PATH_STARTS = ["c:/", "c:\\"]
+      DANGEROUS_PATH_STARTS = LINUX_PATH_STARTS + WINDOWS_PATH_STARTS
       module Helpers
-        def self.contains_unsafe_path_parts(filepath)
+        def self.include_unsafe_path_parts?(filepath)
           DANGEROUS_PATH_PARTS.each do |dangerous_part|
             return true if filepath.include?(dangerous_part)
           end
@@ -37,7 +40,7 @@ module Aikido::Zen
           false
         end
-        def self.starts_with_unsafe_path(filepath, user_input)
+        def self.start_with_unsafe_path?(filepath, user_input)
           # Check if path is relative (not absolute or drive letter path)
           # Required because `expand_path` will build absolute paths from relative paths
           return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
@@ -51,12 +54,12 @@ module Aikido::Zen
               # to prevent false positives.
               # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
               # as long as the user input does not contain a subdirectory or filename
-              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
-                return false
-              end
+              return false if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
               return true
             end
           end
           false
         end
       end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb CHANGED Viewed

@@ -51,12 +51,12 @@ module Aikido::Zen
         # We ignore cases where the user input is not part of the file path.
         return false unless @filepath.include?(@input)
-        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+        if PathTraversal::Helpers.include_unsafe_path_parts?(@filepath) && PathTraversal::Helpers.include_unsafe_path_parts?(@input)
           return true
         end
         # Check for absolute path traversal
-        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+        PathTraversal::Helpers.start_with_unsafe_path?(@filepath, @input)
       end
     end
   end

data/lib/aikido/zen/sink.rb CHANGED Viewed

@@ -4,7 +4,7 @@ require_relative "scan"
 module Aikido::Zen
   module Sinks
-    # @api internal
+    # @api private
     # @return [Hash<String, Sink>]
     def self.registry
       @registry ||= {}

data/lib/aikido/zen/sinks/file.rb CHANGED Viewed

@@ -18,11 +18,12 @@ module Aikido::Zen
         ::File.singleton_class.class_eval do
           extend Sinks::DSL
-          # Create a copy of the original method for internal use only to prevent
+          # Create a copy of the original methods for internal use only to prevent
           # recursion in PathTraversalScanner.
           #
-          # IMPORTANT: The alias must be created before the method is overridden.
+          # IMPORTANT: The aliases must be created before the method is overridden.
           alias_method :expand_path__internal_for_aikido_zen, :expand_path
+          alias_method :join__internal_for_aikido_zen, :join
           sink_before :open do |path|
             Helpers.scan(path, "open")
@@ -80,8 +81,46 @@ module Aikido::Zen
             end
           end
-          sink_after :join do |result|
-            Helpers.scan(result, "join")
+          def join(*args, **kwargs, &blk)
+            # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
+            #
+            # File.join has undocumented behavior:
+            #
+            # File.join recursively joins nested string arrays.
+            #
+            # This prevents path traversal detection when an array originates
+            # from user input that was assumed to be a string.
+            #
+            # This undocumented behavior has been restricted to support path
+            # traversal detection.
+            #
+            # File.join no longer joins nested string arrays, but still accepts
+            # a single string array argument.
+            # File.join is often incorrectly called with a single array argument.
+            #
+            # i.e.
+            #
+            # File.join(["prefix", "filename"])
+            #
+            # This is considered acceptable.
+            #
+            # Calling File.join with a single string argument returns the string
+            # argument itself, having no practical effect. Therefore, it can be
+            # presumed that if File.join is called with a single array argument
+            # then this was its intended usage, and the array did not originate
+            # from user input that was assumed to be a string.
+            strings = args
+            strings = args.first if args.size == 1 && args.first.is_a?(Array)
+            strings.each do |string|
+              raise TypeError.new("Zen prevented implicit conversion of Array to String") if string.is_a?(Array)
+            end
+            result = join__internal_for_aikido_zen(*args, **kwargs, &blk)
+            Sinks::DSL.safe do
+              Helpers.scan(result, "join")
+            end
+            result
           end
           sink_before :expand_path do |file_name|

data/lib/aikido/zen/sinks/kernel.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module Aikido::Zen
           klass.class_eval do
             extend Sinks::DSL
-            %i[system spawn].each do |method_name|
+            %i[system spawn `].each do |method_name|
               sink_before method_name do |*args|
                 # Remove the optional environment argument before the command-line.
                 args.shift if args.first.is_a?(Hash)

data/lib/aikido/zen/version.rb CHANGED Viewed

@@ -2,9 +2,9 @@
 module Aikido
   module Zen
-    VERSION = "1.0.2.beta.5"
+    VERSION = "1.0.2.beta.6"
     # The version of libzen_internals that we build against.
-    LIBZEN_VERSION = "0.1.39"
+    LIBZEN_VERSION = "0.1.48"
   end
 end

data/lib/aikido/zen.rb CHANGED Viewed

@@ -11,10 +11,11 @@ require_relative "zen/agent"
 require_relative "zen/api_client"
 require_relative "zen/context"
 require_relative "zen/detached_agent"
-require_relative "zen/middleware/check_allowed_addresses"
 require_relative "zen/middleware/middleware"
-require_relative "zen/middleware/request_tracker"
+require_relative "zen/middleware/fork_detector"
 require_relative "zen/middleware/set_context"
+require_relative "zen/middleware/check_allowed_addresses"
+require_relative "zen/middleware/request_tracker"
 require_relative "zen/outbound_connection"
 require_relative "zen/outbound_connection_monitor"
 require_relative "zen/runtime_settings"
@@ -36,8 +37,6 @@ module Aikido
         return
       end
-      return unless config.protect?
       unless load_sources! && load_sinks!
         config.logger.warn("Zen could not find any supported libraries or frameworks. Visit https://github.com/AikidoSec/firewall-ruby for more information.")
         return
@@ -87,12 +86,10 @@ module Aikido
     # Manages runtime metrics extracted from your app, which are uploaded to the
     # Aikido servers if configured to do so.
     def self.collector
-      check_and_handle_fork
       @collector ||= Collector.new
     end
     def self.detached_agent
-      check_and_handle_fork
       @detached_agent ||= DetachedAgent::Agent.new
     end
@@ -231,9 +228,7 @@ module Aikido
       end
       def check_and_handle_fork
-        if has_forked
-          @detached_agent&.handle_fork
-        end
+        handle_fork if has_forked
       end
       def has_forked
@@ -241,6 +236,10 @@ module Aikido
         @pid = Process.pid
         pid_changed
       end
+      def handle_fork
+        @detached_agent&.handle_fork
+      end
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.2.beta.5
+  version: 1.0.2.beta.6
 platform: arm64-linux-musl
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-09-09 00:00:00.000000000 Z
+date: 2025-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -71,6 +71,7 @@ files:
 - README.md
 - Rakefile
 - benchmarks/README.md
+- benchmarks/rails7.1_benchmark.js
 - benchmarks/rails7.1_sql_injection.js
 - docs/banner.svg
 - docs/config.md
@@ -86,6 +87,7 @@ files:
 - lib/aikido/zen/background_worker.rb
 - lib/aikido/zen/capped_collections.rb
 - lib/aikido/zen/collector.rb
+- lib/aikido/zen/collector/event.rb
 - lib/aikido/zen/collector/hosts.rb
 - lib/aikido/zen/collector/routes.rb
 - lib/aikido/zen/collector/sink_stats.rb
@@ -102,8 +104,9 @@ files:
 - lib/aikido/zen/errors.rb
 - lib/aikido/zen/event.rb
 - lib/aikido/zen/internals.rb
-- lib/aikido/zen/libzen-v0.1.39-arm64-linux-musl.so
+- lib/aikido/zen/libzen-v0.1.48-arm64-linux-musl.so
 - lib/aikido/zen/middleware/check_allowed_addresses.rb
+- lib/aikido/zen/middleware/fork_detector.rb
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
 - lib/aikido/zen/middleware/request_tracker.rb

data/lib/aikido/zen/libzen-v0.1.39-arm64-linux-musl.so DELETED Viewed

Binary file