RubyGems - aikido-zen - Versions diffs - 1.0.2.beta.8-x86_64-mingw-64 → 1.0.2.beta.10-x86_64-mingw-64 - Mend

aikido-zen 1.0.2.beta.8-x86_64-mingw-64 → 1.0.2.beta.10-x86_64-mingw-64

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/docs/config.md +8 -0
data/lib/aikido/zen/attack.rb +1 -1
data/lib/aikido/zen/config.rb +6 -0
data/lib/aikido/zen/context.rb +33 -1
data/lib/aikido/zen/sinks/file.rb +34 -32
data/lib/aikido/zen/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d8fefad5b4898ff6ca8f37847c0abc833565df3105086d5b920f5aa4e4b258c
-  data.tar.gz: ec02f2357e668d0039e9cae2c193fc41e024d856cc42611d6f4125c0c578485c
+  metadata.gz: 81414a1bab0ff77082e17c1741a2d053116ed6c9de8419d28c114767a06d35a4
+  data.tar.gz: d1781ad585b9c2f1246a018afd2a853e9882572f0e4139c685001182ff37e407
 SHA512:
-  metadata.gz: e03d5b6a6b2ad53b1141f12a4c3ca2f0ab91920ec8562cae3523090860119f43702f99060e6d5fa2421c663855634d974a3746070655cc3f278e3fd8d860630a
-  data.tar.gz: 435ecc05865e246e8d0c54284e9e31c8440056377d9c0d5c5ef8edd002b84e6b3d290d6de29be92ab7702e657c8699e273922c1039588f652695150002c06273
+  metadata.gz: 17506c3fec21b4c33fa8c76f4e14a67e8e3ad39879aae23a2aa0b9f95c932e0fd3e08669a9b5ed2b24a84cb210bb912af655c9bfbcbc1f6e2e424f9b718e9791
+  data.tar.gz: 5b7de487f934f3743ee184a7cfd7374a5c6049fb0eec376d836fdc87122a9f4eadca911a74da44c4c48b5bd55d685ac1ed518e65ba80b921b2865b8454833877

data/docs/config.md CHANGED Viewed

@@ -34,6 +34,14 @@ set it via `Aikido::Zen.config.token = <token>`.
 **NOTE**: Never commit your token to the source code repository in plain text.
+## Hardened mode
+Zen hardens methods, restricting dangerous undocumented behavior to improve
+security and performance.
+To disable method hardening, set `AIKIDO_HARDEN=false` in your environment,
+or set `Aikido::Zen.config.harden = false`.
 ## Logger
 Zen logs to standard output by default. You can change this by changing the

data/lib/aikido/zen/attack.rb CHANGED Viewed

@@ -137,7 +137,7 @@ module Aikido::Zen
       def metadata
         {
           sql: @query,
-          dialect: @dialect
+          dialect: @dialect.name
         }
       end

data/lib/aikido/zen/config.rb CHANGED Viewed

@@ -153,6 +153,11 @@ module Aikido::Zen
     #   allow known hosts that should be able to resolve to the IMDS service.
     attr_accessor :imds_allowed_hosts
+    # @return [Boolean] whether Aikido Zen should harden methods where possible.
+    #   Defaults to true. Can be set through AIKIDO_HARDEN environment variable.
+    attr_accessor :harden
+    alias_method :harden?, :harden
     def initialize
       self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
       self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
@@ -185,6 +190,7 @@ module Aikido::Zen
       self.api_schema_collection_max_properties = 20
       self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
       self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
+      self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true))
     end
     # Set the base URL for API requests.

data/lib/aikido/zen/context.rb CHANGED Viewed

@@ -99,13 +99,45 @@ module Aikido::Zen
           extract_payloads_from(value, source_type, [prefix, key].compact.join("."))
         end
       elsif data.respond_to?(:to_ary)
-        data.to_ary.flat_map.with_index do |value, index|
+        array = data.to_ary
+        return array if array.empty?
+        payloads = array.flat_map.with_index do |value, index|
           extract_payloads_from(value, source_type, [prefix, index].compact.join("."))
         end
+        unless Aikido::Zen.config.harden?
+          # Special case for File.join given a possibly nested array of strings,
+          # as might occur when a query parameter is an array.
+          begin
+            string = File.join__internal_for_aikido_zen(*array)
+            if unsafe_path?(string)
+              payloads << Payload.new(string, source_type, [prefix, "__File.join__"].compact.join("."))
+            end
+          rescue
+            # Could not create special payload for File.join.
+          end
+        end
+        payloads
       else
         [Payload.new(data, source_type, prefix.to_s)]
       end
     end
+    def unsafe_path?(filepath)
+      normalized_filepath = Pathname.new(filepath).cleanpath.to_s.downcase
+      Scanners::PathTraversal::DANGEROUS_PATH_PARTS.each do |dangerous_path_part|
+        return true if normalized_filepath.include?(dangerous_path_part)
+      end
+      Scanners::PathTraversal::DANGEROUS_PATH_STARTS.each do |dangerous_path_start|
+        return true if normalized_filepath.start_with?(dangerous_path_start)
+      end
+      false
+    end
   end
 end

data/lib/aikido/zen/sinks/file.rb CHANGED Viewed

@@ -82,38 +82,40 @@ module Aikido::Zen
           end
           def join(*args, **kwargs, &blk)
-            # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
-            #
-            # File.join has undocumented behavior:
-            #
-            # File.join recursively joins nested string arrays.
-            #
-            # This prevents path traversal detection when an array originates
-            # from user input that was assumed to be a string.
-            #
-            # This undocumented behavior has been restricted to support path
-            # traversal detection.
-            #
-            # File.join no longer joins nested string arrays, but still accepts
-            # a single string array argument.
-            # File.join is often incorrectly called with a single array argument.
-            #
-            # i.e.
-            #
-            # File.join(["prefix", "filename"])
-            #
-            # This is considered acceptable.
-            #
-            # Calling File.join with a single string argument returns the string
-            # argument itself, having no practical effect. Therefore, it can be
-            # presumed that if File.join is called with a single array argument
-            # then this was its intended usage, and the array did not originate
-            # from user input that was assumed to be a string.
-            strings = args
-            strings = args.first if args.size == 1 && args.first.is_a?(Array)
-            strings.each do |string|
-              raise TypeError.new("Zen prevented implicit conversion of Array to String") if string.is_a?(Array)
+            if Aikido::Zen.config.harden?
+              # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
+              #
+              # File.join has undocumented behavior:
+              #
+              # File.join recursively joins nested string arrays.
+              #
+              # This prevents path traversal detection when an array originates
+              # from user input that was assumed to be a string.
+              #
+              # This undocumented behavior has been restricted to support path
+              # traversal detection.
+              #
+              # File.join no longer joins nested string arrays, but still accepts
+              # a single string array argument.
+              # File.join is often incorrectly called with a single array argument.
+              #
+              # i.e.
+              #
+              # File.join(["prefix", "filename"])
+              #
+              # This is considered acceptable.
+              #
+              # Calling File.join with a single string argument returns the string
+              # argument itself, having no practical effect. Therefore, it can be
+              # presumed that if File.join is called with a single array argument
+              # then this was its intended usage, and the array did not originate
+              # from user input that was assumed to be a string.
+              strings = args
+              strings = args.first if args.size == 1 && args.first.is_a?(Array)
+              strings.each do |string|
+                raise TypeError.new("Zen prevented implicit conversion of Array to String in hardened method. Visit https://github.com/AikidoSec/firewall-ruby for more information.") if string.is_a?(Array)
+              end
             end
             result = join__internal_for_aikido_zen(*args, **kwargs, &blk)

data/lib/aikido/zen/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 module Aikido
   module Zen
-    VERSION = "1.0.2.beta.8"
+    VERSION = "1.0.2.beta.10"
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.48"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.2.beta.8
+  version: 1.0.2.beta.10
 platform: x86_64-mingw-64
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-10-28 00:00:00.000000000 Z
+date: 2025-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby