aikido-zen 1.0.2.beta.5-x86_64-linux-musl → 1.0.2.beta.7-x86_64-linux-musl

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a32fbdc4c688bbf3ace4a8432e7b1a8a906f2b2b6e649aad2d73baf99a065a3c
-  data.tar.gz: 40da174f060715faeaa2397d2a96c685363425e9248d01d05d5b45629494d44f
+  metadata.gz: '08a5166218ef33bff1e3bd5d2210a7d0d486f313392d1f0cd1267d1e532d7e3b'
+  data.tar.gz: ecdd09fd9e950159f384fbdca19a4a195834a9c678cc8971b33d985cc6177d02
 SHA512:
-  metadata.gz: 2cd3aaaaef9e469e97a21a082e27e1044642ce0f57d694a8831978e74dd3e14eab39eaebc9ee45ee62368299802e6804fdcd422abb7af0085e5191eee0c8f3de
-  data.tar.gz: aeabc3a0de7f1d3322bc425c8302e847739057f9ab12d3fd99b41ae3d831abe89942b51192b59c02ffa7a13453548671498b5233a4b7001be7304a93a02144f1
+  metadata.gz: d1d56405c7e298ed9eb09792fd30dbd76713359ea58d8a1105f3685a08c7f512ac46dc1f20c6af4c0730e256c6528f53ef32f69bff2ec3b868c457e31a9e7eaf
+  data.tar.gz: 6fbd473f19fc40c13ce0bf12528256e20e80ed20828035bd4f18f6a0d7553ecd7459a23e8b50d6faf81e01698e11bb3b637a24279b81809fc7e1d569756aac4c

data/.simplecov

@@ -6,6 +6,12 @@
 return if RUBY_VERSION < "3.0"
 return if ENV["DISABLE_COVERAGE"] == "true"
 
+# Output coverage as LCOV to support CodeCov
+if ENV["COVERAGE_OUTPUT_LCOV"] == "true"
+  SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+  SimpleCov.formatter = SimpleCov::Formatter::LcovFormatter
+end
+
 SimpleCov.start do
   # Make sure SimpleCov waits until after the tests
   # are finished to generate the coverage reports.

data/README.md

@@ -6,6 +6,7 @@
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
 [![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
 [![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
+[![codecov](https://codecov.io/gh/AikidoSec/firewall-ruby/graph/badge.svg?token=X0MLST7S15)](https://codecov.io/gh/AikidoSec/firewall-ruby)
 
 Zen, your in-app firewall for peace of mind - at runtime.
 

data/benchmarks/README.md

@@ -1,6 +1,5 @@
 # Benchmarking Zen for Ruby
 
-
 We use [WRK](https://github.com/wg/wrk) & [Grafana K6](https://k6.io) for these.
 
 WRK benchmarks are only requesting a URL (`/benchmark`). In case you want to add more 

data/benchmarks/rails7.1_benchmark.js

@@ -0,0 +1 @@
+rails7.1_sql_injection.js

data/benchmarks/rails7.1_sql_injection.js

@@ -1,5 +1,5 @@
-import http from 'k6/http';
-import {Trend} from 'k6/metrics';
+import http from "k6/http";
+import {Trend} from "k6/metrics";
 
 const HTTP = {
   withZen: {
@@ -10,7 +10,7 @@ const HTTP = {
     get: (path, ...args) => http.get("http://localhost:3002" + path, ...args),
     post: (path, ...args) => http.post("http://localhost:3002" + path, ...args)
   }
-}
+};
 
 function test(name, fn) {
   const withZen = fn(HTTP.withZen);
@@ -36,35 +36,67 @@ function buildTestTrends(prefix) {
 
 const tests = {
   test_post_page_with_json_body: buildTestTrends("test_post_page_with_json_body"),
-  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack"),
-  test_get_page_with_sql_injection: buildTestTrends("test_get_page_with_sql_injection")
-}
+  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack")
+};
+
 export const options = {
   vus: 1, // Number of virtual users
-  iterations: 200,
+  duration: "60s",
   thresholds: {
-    http_req_failed: ['rate==0'], // we are marking the attacks as expected, so we should have no errors
+    http_req_failed: ["rate==0"], // We are marking the attacks as expected, so we should have no errors.
     test_post_page_with_json_body_delta: ["med<10"],
-    test_get_page_without_attack_delta: ["med<10"],
-    test_get_page_with_sql_injection_delta: ["med<10"],
+    test_get_page_without_attack_delta: ["med<10"]
   }
 };
 
+const headers = {
+  Authorization:
+    "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.Bw8sSk3kdnT9d803kqqE_LZJzY1PzMl5cbmuanQKxrI",
+  Accept:
+    "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+  "Accept-Language": "en-US,en;q=0.9",
+  Dnt: "1",
+  Priority: "u=0, i",
+  "Sec-Ch-Ua":
+    '"Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"',
+  "Sec-Ch-Ua-Arch": '"arm"',
+  "Sec-Ch-Ua-Bitness": '"64"',
+  "Sec-Ch-Ua-Full-Version-List":
+    '"Not)A;Brand";v="99.0.0.0", "Google Chrome";v="127.0.6533.72", "Chromium";v="127.0.6533.72"',
+  "Sec-Ch-Ua-Mobile": "?0",
+  "Sec-Ch-Ua-Model": '""',
+  "Sec-Ch-Ua-Platform": '"macOS"',
+  "Sec-Ch-Ua-Platform-Version": '"14.5.0"',
+  "Sec-Ch-Ua-Wow64": "?0",
+  "Sec-Fetch-Dest": "document",
+  "Sec-Fetch-Mode": "navigate",
+  "Sec-Fetch-Site": "cross-site",
+  "Sec-Fetch-User": "?1",
+  "Sec-Gpc": "1",
+  "Upgrade-Insecure-Requests": "1",
+  "User-Agent":
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
+};
+
 const expectAttack = http.expectedStatuses(200, 500);
 
 export default function () {
   test("test_post_page_with_json_body",
-    (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
-      headers: {
-        "Content-Type": "application/json",
-        "Accept": "application/json"
-      }
-    })
+    (http) => http.post("/cats",
+      JSON.stringify({cat: {name: "Féline Dion"}}),
+      {
+        headers: {
+          ...headers,
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        }
+      })
   )
 
-  test("test_get_page_without_attack", (http) => http.get("/cats"))
-
-  test("test_get_page_with_sql_injection", (http) =>
-    http.get("/cats/1'%20OR%20''='", { responseCallback: expectAttack })
+  test("test_get_page_without_attack",
+    (http) => http.get("/cats/count",
+    {
+        headers: headers
+    })
   )
 }

data/docs/rails.md

@@ -60,7 +60,7 @@ modify in an initializer if desired:
 
 ```ruby
 # config/initializers/zen.rb
-Rails.application.config.zen.api_timeouts = 20
+Rails.application.config.zen.option = value
 ```
 
 You can access the configuration object both as `Aikido::Zen.config` or
@@ -80,7 +80,7 @@ zen:
   token: "AIKIDO_RUNTIME_..."
 ```
 
-You can just tell Zen to use it like so:
+You can tell Zen to use it like so:
 
 ```ruby
 # config/initializers/zen.rb
@@ -102,13 +102,11 @@ way.
 
 ## Logging
 
-By default, Zen will use the Rails logger, prefixing messages with `[aikido]`.
-You can redirect the log to a separate stream by overriding the logger:
+You can override the logger to integrate with your application logging strategy:
 
 ```ruby
 # config/initializers/zen.rb
-Rails.application.config.zen.logger = Logger.new(...)
+Rails.application.config.zen.logger = ::Rails.logger
 ```
 
-You should supply an instance of ruby's [Logger](https://github.com/ruby/logger)
-class.
+Zen expects an instance of Ruby's [Logger](https://github.com/ruby/logger) class.

data/lib/aikido/zen/actor.rb

@@ -38,6 +38,16 @@ module Aikido::Zen
 
   # Represents someone connecting to the application and making requests.
   class Actor
+    def self.from_json(data)
+      new(
+        id: data[:id],
+        name: data[:name],
+        ip: data[:lastIpAddress],
+        first_seen_at: Time.at(data[:firstSeenAt] / 1000),
+        last_seen_at: Time.at(data[:lastSeenAt] / 1000)
+      )
+    end
+
     # @return [String] a unique identifier for this user.
     attr_reader :id
 
@@ -50,18 +60,20 @@ module Aikido::Zen
     # @param id [String]
     # @param name [String, nil]
     # @param ip [String, nil]
-    # @param seen_at [Time]
+    # @param first_seen_at [Time]
+    # @param last_seen_at [Time]
     def initialize(
       id:,
       name: nil,
       ip: Aikido::Zen.current_context&.request&.ip,
-      seen_at: Time.now.utc
+      first_seen_at: Time.now.utc,
+      last_seen_at: first_seen_at
     )
       @id = id
       @name = name
-      @first_seen_at = seen_at
-      @last_seen_at = Concurrent::AtomicReference.new(seen_at)
       @ip = Concurrent::AtomicReference.new(ip)
+      @first_seen_at = first_seen_at
+      @last_seen_at = Concurrent::AtomicReference.new(last_seen_at)
     end
 
     # @return [Time]
@@ -89,6 +101,24 @@ module Aikido::Zen
       @ip.try_update { |last_ip| [ip, last_ip].compact.first }
     end
 
+    # Merges the actor with another actor.
+    #
+    # @param other [Aikido::Zen::Actor]
+    # @return [Aikido::Zen::Actor]
+    def merge(other)
+      older = (first_seen_at < other.first_seen_at) ? self : other
+      newer = (last_seen_at > other.last_seen_at) ? self : other
+
+      self.class.new(
+        id: @id,
+        name: newer.name,
+        ip: newer.ip,
+        first_seen_at: older.first_seen_at,
+        last_seen_at: newer.last_seen_at
+      )
+    end
+    alias_method :|, :merge
+
     # @return [self]
     def to_aikido_actor
       self

data/lib/aikido/zen/agent/heartbeats_manager.rb

@@ -20,7 +20,7 @@ module Aikido::Zen
     # @return [Boolean] whether the currently running heartbeat matches the
     #   expected interval in the runtime settings.
     def stale_settings?
-      running? && @timer.execution_interval != @settings.heartbeat_interval
+      running? && @timer.execution_interval != interval
     end
 
     # Sets up the the timer to run the given block at the appropriate interval.
@@ -30,11 +30,11 @@ module Aikido::Zen
     def start(&task)
       return if running?
 
-      if @settings.heartbeat_interval&.nonzero?
-        @config.logger.debug "Scheduling heartbeats every #{@settings.heartbeat_interval} seconds"
-        @timer = @worker.every(@settings.heartbeat_interval, run_now: false, &task)
+      if interval&.nonzero?
+        @config.logger.debug "Scheduling heartbeats every #{interval} seconds"
+        @timer = @worker.every(interval, run_now: false, &task)
       else
-        @config.logger.warn(format("Heartbeat could not be set up (interval: %p)", @settings.heartbeat_interval))
+        @config.logger.warn(format("Heartbeat could not be set up (interval: %p)", interval))
       end
     end
 

data/lib/aikido/zen/agent.rb

@@ -37,22 +37,22 @@ module Aikido::Zen
     end
 
     def start!
-      @config.logger.info "Starting Aikido agent v#{Aikido::Zen::VERSION}"
+      @config.logger.info("Starting Aikido agent v#{Aikido::Zen::VERSION}")
 
       raise Aikido::ZenError, "Aikido Agent already started!" if started?
       @started_at = Time.now.utc
       @collector.start(at: @started_at)
 
       if @config.blocking_mode?
-        @config.logger.info "Requests identified as attacks will be blocked"
+        @config.logger.info("Requests identified as attacks will be blocked")
       else
-        @config.logger.warn "Non-blocking mode enabled! No requests will be blocked."
+        @config.logger.warn("Non-blocking mode enabled! No requests will be blocked.")
       end
 
       if @api_client.can_make_requests?
-        @config.logger.info "API Token set! Reporting has been enabled."
+        @config.logger.info("API Token set! Reporting has been enabled.")
       else
-        @config.logger.warn "No API Token set! Reporting has been disabled."
+        @config.logger.warn("No API Token set! Reporting has been disabled.")
         return
       end
 
@@ -60,15 +60,18 @@ module Aikido::Zen
 
       report(Events::Started.new(time: @started_at)) do |response|
         updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
-        @config.logger.info "Updated runtime settings."
+        @config.logger.info("Updated runtime settings.")
       rescue => err
         @config.logger.error(err.message)
       end
 
       poll_for_setting_updates
 
-      @worker.delay(@config.initial_heartbeat_delay) do
-        send_heartbeat if @collector.stats.any?
+      @config.initial_heartbeat_delays.each do |heartbeat_delay|
+        @worker.delay(heartbeat_delay) do
+          send_heartbeat
+          @config.logger.info("Executed initial heartbeat after #{heartbeat_delay} seconds")
+        end
       end
     end
 
@@ -77,7 +80,7 @@ module Aikido::Zen
     #
     # @return [void]
     def stop!
-      @config.logger.info "Stopping Aikido agent"
+      @config.logger.info("Stopping Aikido agent")
       @started_at = nil
       @worker.shutdown
     end
@@ -143,11 +146,10 @@ module Aikido::Zen
     def send_heartbeat(at: Time.now.utc)
       return unless @api_client.can_make_requests?
 
-      @collector.flush_heartbeats.each do |heartbeat|
-        report(heartbeat) do |response|
-          updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
-          @config.logger.info "Updated runtime settings after heartbeat"
-        end
+      heartbeat = @collector.flush
+      report(heartbeat) do |response|
+        updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
+        @config.logger.info("Updated runtime settings after heartbeat")
       end
     end
 
@@ -162,7 +164,7 @@ module Aikido::Zen
       @worker.every(@config.polling_interval) do
         if @api_client.should_fetch_settings?
           updated_settings! if Aikido::Zen.runtime_settings.update_from_json(@api_client.fetch_settings)
-          @config.logger.info "Updated runtime settings after polling"
+          @config.logger.info("Updated runtime settings after polling")
         end
       end
     end

data/lib/aikido/zen/collector/event.rb

@@ -0,0 +1,209 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  class Collector
+    class Event
+      @@registry = {}
+
+      # @api protected
+      def self.register(type)
+        const_set(:TYPE, type)
+        @@registry[type] = self
+      end
+
+      def self.from_json(data)
+        type = data[:type]
+        subclass = @@registry[type]
+        subclass.from_json(data)
+      end
+
+      attr_reader :type
+
+      def initialize
+        @type = self.class::TYPE
+      end
+
+      def as_json
+        {
+          type: @type
+        }
+      end
+
+      def handle(collector)
+        raise NotImplementedError, "implement in subclasses"
+      end
+    end
+
+    # @api private
+    module Events
+      class TrackRequest < Event
+        register "track_request"
+
+        def self.from_json(data)
+          new
+        end
+
+        def handle(collector)
+          collector.handle_track_request
+        end
+
+        def inspect
+          "#<#{self.class.name}>"
+        end
+      end
+
+      class TrackScan < Event
+        register "track_scan"
+
+        def self.from_json(data)
+          new(
+            data[:sink_name],
+            data[:duration],
+            has_errors: data[:has_errors]
+          )
+        end
+
+        def initialize(sink_name, duration, has_errors:)
+          super()
+          @sink_name = sink_name
+          @duration = duration
+          @has_errors = has_errors
+        end
+
+        def as_json
+          super.update({
+            sink_name: @sink_name,
+            duration: @duration,
+            has_errors: @has_errors
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_scan(@sink_name, @duration, has_errors: @has_errors)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@sink_name} #{format "%0.6f", @duration} #{@has_errors}>"
+        end
+      end
+
+      class TrackAttack < Event
+        register "track_attack"
+
+        def self.from_json(data)
+          new(
+            data[:sink_name],
+            being_blocked: data[:being_blocked]
+          )
+        end
+
+        def initialize(sink_name, being_blocked:)
+          super()
+          @sink_name = sink_name
+          @being_blocked = being_blocked
+        end
+
+        def as_json
+          super.update({
+            sink_name: @sink_name,
+            being_blocked: @being_blocked
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_attack(@sink_name, being_blocked: @being_blocked)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@sink_name} #{@being_blocked}>"
+        end
+      end
+
+      class TrackUser < Event
+        register "track_user"
+
+        def self.from_json(data)
+          new(Aikido::Zen::Actor.from_json(data[:actor]))
+        end
+
+        def initialize(actor)
+          super()
+          @actor = actor
+        end
+
+        def as_json
+          super.update({
+            actor: @actor.as_json
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_user(@actor)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@actor.id} #{@actor.name}>"
+        end
+      end
+
+      class TrackOutbound < Event
+        register "track_outbound"
+
+        def self.from_json(data)
+          new(OutboundConnection.from_json(data[:connection]))
+        end
+
+        def initialize(connection)
+          super()
+          @connection = connection
+        end
+
+        def as_json
+          super.update({
+            connection: @connection.as_json
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_outbound(@connection)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@connection.host}:#{@connection.port}>"
+        end
+      end
+
+      class TrackRoute < Event
+        register "track_route"
+
+        def self.from_json(data)
+          new(
+            Route.from_json(data[:route]),
+            Request::Schema.from_json(data[:schema])
+          )
+        end
+
+        def initialize(route, schema)
+          super()
+          @route = route
+          @schema = schema
+        end
+
+        def as_json
+          super.update({
+            route: @route.as_json,
+            schema: @schema.as_json
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_route(@route, @schema)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@route.verb} #{@route.path.inspect}>"
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/collector/routes.rb

@@ -7,6 +7,8 @@ module Aikido::Zen
   #
   # Keeps track of the visited routes.
   class Collector::Routes
+    # @api private
+    # Visible for testing.
     attr_reader :visits
 
     def initialize(config = Aikido::Zen.config)
@@ -14,11 +16,11 @@ module Aikido::Zen
       @visits = Hash.new { |h, k| h[k] = Record.new }
     end
 
-    # @param request [Aikido::Zen::Request].
-    # @return [self]
-    def add(request)
-      @visits[request.route].increment(request) unless request.route.nil?
-      self
+    # @param route [Aikido::Zen::Route] the route of the request
+    # @param schema [Aikido::Zen::Request::Schema] the schema for the request
+    # @return [void]
+    def add(route, schema)
+      @visits[route].increment(schema) unless route.nil?
     end
 
     def as_json
@@ -33,6 +35,7 @@ module Aikido::Zen
     end
 
     # @api private
+    # Visible for testing.
     def [](route)
       @visits[route]
     end
@@ -49,16 +52,18 @@ module Aikido::Zen
         @config = config
       end
 
-      def increment(request)
+      def increment(schema)
         self.hits += 1
 
         if sample_schema?
           self.samples += 1
-          self.schema |= request.schema
+          self.schema |= schema
         end
       end
 
-      private def sample_schema?
+      private
+
+      def sample_schema?
         samples < @config.api_schema_max_samples
       end
     end