aikido-zen 1.0.2.beta.8-arm64-linux → 1.0.2.beta.10-arm64-linux
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/docs/config.md +8 -0
- data/lib/aikido/zen/attack.rb +1 -1
- data/lib/aikido/zen/config.rb +6 -0
- data/lib/aikido/zen/context.rb +33 -1
- data/lib/aikido/zen/sinks/file.rb +34 -32
- data/lib/aikido/zen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0bd8185e67b01aaed6c97fbbd1d44231f47df061a8ca51cb1bd28d1673d22040
|
|
4
|
+
data.tar.gz: f6e472a2fe1155bda122f7d07823b40e24d1485df5339efbd5b53084421f2cd5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5a0680c9f64f18be0dbc42226e85423f354304864aae4cb647da9a040399e585795a279cabcc33360758fc2e17ce988eb2f795472a1f03a2bc1dfacb9674cbf2
|
|
7
|
+
data.tar.gz: bc5bb5a3a0d3cb1ff60cc960e333a539fd03181f8fe6c815f1b7bb411a75601caacc9f8408b679924f852f515822a3f06071ddee4251bb49f195181b4a13d5f3
|
data/docs/config.md
CHANGED
|
@@ -34,6 +34,14 @@ set it via `Aikido::Zen.config.token = <token>`.
|
|
|
34
34
|
|
|
35
35
|
**NOTE**: Never commit your token to the source code repository in plain text.
|
|
36
36
|
|
|
37
|
+
## Hardened mode
|
|
38
|
+
|
|
39
|
+
Zen hardens methods, restricting dangerous undocumented behavior to improve
|
|
40
|
+
security and performance.
|
|
41
|
+
|
|
42
|
+
To disable method hardening, set `AIKIDO_HARDEN=false` in your environment,
|
|
43
|
+
or set `Aikido::Zen.config.harden = false`.
|
|
44
|
+
|
|
37
45
|
## Logger
|
|
38
46
|
|
|
39
47
|
Zen logs to standard output by default. You can change this by changing the
|
data/lib/aikido/zen/attack.rb
CHANGED
data/lib/aikido/zen/config.rb
CHANGED
|
@@ -153,6 +153,11 @@ module Aikido::Zen
|
|
|
153
153
|
# allow known hosts that should be able to resolve to the IMDS service.
|
|
154
154
|
attr_accessor :imds_allowed_hosts
|
|
155
155
|
|
|
156
|
+
# @return [Boolean] whether Aikido Zen should harden methods where possible.
|
|
157
|
+
# Defaults to true. Can be set through AIKIDO_HARDEN environment variable.
|
|
158
|
+
attr_accessor :harden
|
|
159
|
+
alias_method :harden?, :harden
|
|
160
|
+
|
|
156
161
|
def initialize
|
|
157
162
|
self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
|
|
158
163
|
self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
|
|
@@ -185,6 +190,7 @@ module Aikido::Zen
|
|
|
185
190
|
self.api_schema_collection_max_properties = 20
|
|
186
191
|
self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
|
|
187
192
|
self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
|
|
193
|
+
self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true))
|
|
188
194
|
end
|
|
189
195
|
|
|
190
196
|
# Set the base URL for API requests.
|
data/lib/aikido/zen/context.rb
CHANGED
|
@@ -99,13 +99,45 @@ module Aikido::Zen
|
|
|
99
99
|
extract_payloads_from(value, source_type, [prefix, key].compact.join("."))
|
|
100
100
|
end
|
|
101
101
|
elsif data.respond_to?(:to_ary)
|
|
102
|
-
data.to_ary
|
|
102
|
+
array = data.to_ary
|
|
103
|
+
return array if array.empty?
|
|
104
|
+
|
|
105
|
+
payloads = array.flat_map.with_index do |value, index|
|
|
103
106
|
extract_payloads_from(value, source_type, [prefix, index].compact.join("."))
|
|
104
107
|
end
|
|
108
|
+
|
|
109
|
+
unless Aikido::Zen.config.harden?
|
|
110
|
+
# Special case for File.join given a possibly nested array of strings,
|
|
111
|
+
# as might occur when a query parameter is an array.
|
|
112
|
+
begin
|
|
113
|
+
string = File.join__internal_for_aikido_zen(*array)
|
|
114
|
+
if unsafe_path?(string)
|
|
115
|
+
payloads << Payload.new(string, source_type, [prefix, "__File.join__"].compact.join("."))
|
|
116
|
+
end
|
|
117
|
+
rescue
|
|
118
|
+
# Could not create special payload for File.join.
|
|
119
|
+
end
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
payloads
|
|
105
123
|
else
|
|
106
124
|
[Payload.new(data, source_type, prefix.to_s)]
|
|
107
125
|
end
|
|
108
126
|
end
|
|
127
|
+
|
|
128
|
+
def unsafe_path?(filepath)
|
|
129
|
+
normalized_filepath = Pathname.new(filepath).cleanpath.to_s.downcase
|
|
130
|
+
|
|
131
|
+
Scanners::PathTraversal::DANGEROUS_PATH_PARTS.each do |dangerous_path_part|
|
|
132
|
+
return true if normalized_filepath.include?(dangerous_path_part)
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
Scanners::PathTraversal::DANGEROUS_PATH_STARTS.each do |dangerous_path_start|
|
|
136
|
+
return true if normalized_filepath.start_with?(dangerous_path_start)
|
|
137
|
+
end
|
|
138
|
+
|
|
139
|
+
false
|
|
140
|
+
end
|
|
109
141
|
end
|
|
110
142
|
end
|
|
111
143
|
|
|
@@ -82,38 +82,40 @@ module Aikido::Zen
|
|
|
82
82
|
end
|
|
83
83
|
|
|
84
84
|
def join(*args, **kwargs, &blk)
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
85
|
+
if Aikido::Zen.config.harden?
|
|
86
|
+
# IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
|
|
87
|
+
#
|
|
88
|
+
# File.join has undocumented behavior:
|
|
89
|
+
#
|
|
90
|
+
# File.join recursively joins nested string arrays.
|
|
91
|
+
#
|
|
92
|
+
# This prevents path traversal detection when an array originates
|
|
93
|
+
# from user input that was assumed to be a string.
|
|
94
|
+
#
|
|
95
|
+
# This undocumented behavior has been restricted to support path
|
|
96
|
+
# traversal detection.
|
|
97
|
+
#
|
|
98
|
+
# File.join no longer joins nested string arrays, but still accepts
|
|
99
|
+
# a single string array argument.
|
|
100
|
+
|
|
101
|
+
# File.join is often incorrectly called with a single array argument.
|
|
102
|
+
#
|
|
103
|
+
# i.e.
|
|
104
|
+
#
|
|
105
|
+
# File.join(["prefix", "filename"])
|
|
106
|
+
#
|
|
107
|
+
# This is considered acceptable.
|
|
108
|
+
#
|
|
109
|
+
# Calling File.join with a single string argument returns the string
|
|
110
|
+
# argument itself, having no practical effect. Therefore, it can be
|
|
111
|
+
# presumed that if File.join is called with a single array argument
|
|
112
|
+
# then this was its intended usage, and the array did not originate
|
|
113
|
+
# from user input that was assumed to be a string.
|
|
114
|
+
strings = args
|
|
115
|
+
strings = args.first if args.size == 1 && args.first.is_a?(Array)
|
|
116
|
+
strings.each do |string|
|
|
117
|
+
raise TypeError.new("Zen prevented implicit conversion of Array to String in hardened method. Visit https://github.com/AikidoSec/firewall-ruby for more information.") if string.is_a?(Array)
|
|
118
|
+
end
|
|
117
119
|
end
|
|
118
120
|
|
|
119
121
|
result = join__internal_for_aikido_zen(*args, **kwargs, &blk)
|
data/lib/aikido/zen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aikido-zen
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.2.beta.
|
|
4
|
+
version: 1.0.2.beta.10
|
|
5
5
|
platform: arm64-linux
|
|
6
6
|
authors:
|
|
7
7
|
- Aikido Security
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-10-
|
|
11
|
+
date: 2025-10-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: concurrent-ruby
|