aikido-zen 1.0.2.beta.5-x86_64-mingw-64 → 1.0.2.beta.7-x86_64-mingw-64

data/lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -4,7 +4,8 @@ module Aikido::Zen
   module Scanners
     module PathTraversal
       DANGEROUS_PATH_PARTS = ["../", "..\\"]
-      LINUX_ROOT_FOLDERS = [
+
+      LINUX_PATH_STARTS = [
         "/bin/",
         "/boot/",
         "/dev/",
@@ -26,10 +27,12 @@ module Aikido::Zen
         "/var/"
       ]
 
-      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+      WINDOWS_PATH_STARTS = ["c:/", "c:\\"]
+
+      DANGEROUS_PATH_STARTS = LINUX_PATH_STARTS + WINDOWS_PATH_STARTS
 
       module Helpers
-        def self.contains_unsafe_path_parts(filepath)
+        def self.include_unsafe_path_parts?(filepath)
           DANGEROUS_PATH_PARTS.each do |dangerous_part|
             return true if filepath.include?(dangerous_part)
           end
@@ -37,7 +40,7 @@ module Aikido::Zen
           false
         end
 
-        def self.starts_with_unsafe_path(filepath, user_input)
+        def self.start_with_unsafe_path?(filepath, user_input)
           # Check if path is relative (not absolute or drive letter path)
           # Required because `expand_path` will build absolute paths from relative paths
           return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
@@ -51,12 +54,12 @@ module Aikido::Zen
               # to prevent false positives.
               # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
               # as long as the user input does not contain a subdirectory or filename
-              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
-                return false
-              end
+              return false if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+
               return true
             end
           end
+
           false
         end
       end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -51,12 +51,12 @@ module Aikido::Zen
         # We ignore cases where the user input is not part of the file path.
         return false unless @filepath.include?(@input)
 
-        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+        if PathTraversal::Helpers.include_unsafe_path_parts?(@filepath) && PathTraversal::Helpers.include_unsafe_path_parts?(@input)
           return true
         end
 
         # Check for absolute path traversal
-        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+        PathTraversal::Helpers.start_with_unsafe_path?(@filepath, @input)
       end
     end
   end

data/lib/aikido/zen/sink.rb

@@ -4,7 +4,7 @@ require_relative "scan"
 
 module Aikido::Zen
   module Sinks
-    # @api internal
+    # @api private
     # @return [Hash<String, Sink>]
     def self.registry
       @registry ||= {}

data/lib/aikido/zen/sinks/file.rb

@@ -18,11 +18,12 @@ module Aikido::Zen
         ::File.singleton_class.class_eval do
           extend Sinks::DSL
 
-          # Create a copy of the original method for internal use only to prevent
+          # Create a copy of the original methods for internal use only to prevent
           # recursion in PathTraversalScanner.
           #
-          # IMPORTANT: The alias must be created before the method is overridden.
+          # IMPORTANT: The aliases must be created before the method is overridden.
           alias_method :expand_path__internal_for_aikido_zen, :expand_path
+          alias_method :join__internal_for_aikido_zen, :join
 
           sink_before :open do |path|
             Helpers.scan(path, "open")
@@ -80,8 +81,46 @@ module Aikido::Zen
             end
           end
 
-          sink_after :join do |result|
-            Helpers.scan(result, "join")
+          def join(*args, **kwargs, &blk)
+            # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
+            #
+            # File.join has undocumented behavior:
+            #
+            # File.join recursively joins nested string arrays.
+            #
+            # This prevents path traversal detection when an array originates
+            # from user input that was assumed to be a string.
+            #
+            # This undocumented behavior has been restricted to support path
+            # traversal detection.
+            #
+            # File.join no longer joins nested string arrays, but still accepts
+            # a single string array argument.
+
+            # File.join is often incorrectly called with a single array argument.
+            #
+            # i.e.
+            #
+            # File.join(["prefix", "filename"])
+            #
+            # This is considered acceptable.
+            #
+            # Calling File.join with a single string argument returns the string
+            # argument itself, having no practical effect. Therefore, it can be
+            # presumed that if File.join is called with a single array argument
+            # then this was its intended usage, and the array did not originate
+            # from user input that was assumed to be a string.
+            strings = args
+            strings = args.first if args.size == 1 && args.first.is_a?(Array)
+            strings.each do |string|
+              raise TypeError.new("Zen prevented implicit conversion of Array to String") if string.is_a?(Array)
+            end
+
+            result = join__internal_for_aikido_zen(*args, **kwargs, &blk)
+            Sinks::DSL.safe do
+              Helpers.scan(result, "join")
+            end
+            result
           end
 
           sink_before :expand_path do |file_name|

data/lib/aikido/zen/sinks/kernel.rb

@@ -16,7 +16,7 @@ module Aikido::Zen
           klass.class_eval do
             extend Sinks::DSL
 
-            %i[system spawn].each do |method_name|
+            %i[system spawn `].each do |method_name|
               sink_before method_name do |*args|
                 # Remove the optional environment argument before the command-line.
                 args.shift if args.first.is_a?(Hash)

data/lib/aikido/zen/version.rb

@@ -2,9 +2,9 @@
 
 module Aikido
   module Zen
-    VERSION = "1.0.2.beta.5"
+    VERSION = "1.0.2.beta.7"
 
     # The version of libzen_internals that we build against.
-    LIBZEN_VERSION = "0.1.39"
+    LIBZEN_VERSION = "0.1.48"
   end
 end

data/lib/aikido/zen.rb

@@ -11,10 +11,11 @@ require_relative "zen/agent"
 require_relative "zen/api_client"
 require_relative "zen/context"
 require_relative "zen/detached_agent"
-require_relative "zen/middleware/check_allowed_addresses"
 require_relative "zen/middleware/middleware"
-require_relative "zen/middleware/request_tracker"
+require_relative "zen/middleware/fork_detector"
 require_relative "zen/middleware/set_context"
+require_relative "zen/middleware/check_allowed_addresses"
+require_relative "zen/middleware/request_tracker"
 require_relative "zen/outbound_connection"
 require_relative "zen/outbound_connection_monitor"
 require_relative "zen/runtime_settings"
@@ -36,8 +37,6 @@ module Aikido
         return
       end
 
-      return unless config.protect?
-
       unless load_sources! && load_sinks!
         config.logger.warn("Zen could not find any supported libraries or frameworks. Visit https://github.com/AikidoSec/firewall-ruby for more information.")
         return
@@ -87,12 +86,10 @@ module Aikido
     # Manages runtime metrics extracted from your app, which are uploaded to the
     # Aikido servers if configured to do so.
     def self.collector
-      check_and_handle_fork
       @collector ||= Collector.new
     end
 
     def self.detached_agent
-      check_and_handle_fork
       @detached_agent ||= DetachedAgent::Agent.new
     end
 
@@ -231,9 +228,7 @@ module Aikido
       end
 
       def check_and_handle_fork
-        if has_forked
-          @detached_agent&.handle_fork
-        end
+        handle_fork if has_forked
       end
 
       def has_forked
@@ -241,6 +236,10 @@ module Aikido
         @pid = Process.pid
         pid_changed
       end
+
+      def handle_fork
+        @detached_agent&.handle_fork
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.2.beta.5
+  version: 1.0.2.beta.7
 platform: x86_64-mingw-64
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-09-09 00:00:00.000000000 Z
+date: 2025-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -71,6 +71,7 @@ files:
 - README.md
 - Rakefile
 - benchmarks/README.md
+- benchmarks/rails7.1_benchmark.js
 - benchmarks/rails7.1_sql_injection.js
 - docs/banner.svg
 - docs/config.md
@@ -86,6 +87,7 @@ files:
 - lib/aikido/zen/background_worker.rb
 - lib/aikido/zen/capped_collections.rb
 - lib/aikido/zen/collector.rb
+- lib/aikido/zen/collector/event.rb
 - lib/aikido/zen/collector/hosts.rb
 - lib/aikido/zen/collector/routes.rb
 - lib/aikido/zen/collector/sink_stats.rb
@@ -102,8 +104,9 @@ files:
 - lib/aikido/zen/errors.rb
 - lib/aikido/zen/event.rb
 - lib/aikido/zen/internals.rb
-- lib/aikido/zen/libzen-v0.1.39-x86_64-mingw-64.dll
+- lib/aikido/zen/libzen-v0.1.48-x86_64-mingw-64.dll
 - lib/aikido/zen/middleware/check_allowed_addresses.rb
+- lib/aikido/zen/middleware/fork_detector.rb
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
 - lib/aikido/zen/middleware/request_tracker.rb