aikido-zen 1.0.2.beta.9-x86_64-linux-musl → 1.0.2-x86_64-linux-musl

data/lib/aikido/zen/attack_wave.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require_relative "cache"
+require_relative "attack_wave/helpers"
+
+module Aikido::Zen
+  module AttackWave
+    class Detector
+      def initialize(config: Aikido::Zen.config, clock: nil)
+        @config = config
+
+        @event_times = Cache.new(@config.attack_wave_max_cache_entries, ttl: @config.attack_wave_min_time_between_events, clock: clock)
+
+        @request_counts = Cache.new(@config.attack_wave_max_cache_entries, 0, ttl: @config.attack_wave_min_time_between_requests, clock: clock)
+      end
+
+      def attack_wave?(context)
+        client_ip = context.request.client_ip
+
+        return false unless client_ip
+
+        return false if @event_times[client_ip]
+
+        return false unless AttackWave::Helpers.web_scanner?(context)
+
+        request_count = @request_counts[client_ip] += 1
+
+        return false if request_count < @config.attack_wave_threshold
+
+        @event_times[client_ip] = Time.now.utc
+
+        true
+      end
+    end
+
+    class Request
+      # @return [String]
+      attr_reader :ip_address
+
+      # @return [String]
+      attr_reader :user_agent
+
+      # @return [String]
+      attr_reader :source
+
+      # @param ip_address [String]
+      # @param user_agent [String]
+      # @param source [String]
+      # @return [Aikido::Zen::AttackWave::Request]
+      def initialize(ip_address:, user_agent:, source:)
+        @ip_address = ip_address
+        @user_agent = user_agent
+        @source = source
+      end
+
+      def as_json
+        {
+          ipAddress: @ip_address,
+          userAgent: @user_agent,
+          source: @source
+        }.compact
+      end
+    end
+
+    class Attack
+      # @return [Hash<String, String>]
+      attr_reader :metadata
+
+      # @return [Aikido::Zen::Actor]
+      attr_reader :user
+
+      # @param metadata [Hash<String, String>]
+      # @param metadata [Aikido::Zen::Actor]
+      # @return [Aikido::Zen::AttackWave::Attack]
+      def initialize(metadata:, user:)
+        @metadata = metadata
+        @user = user
+      end
+
+      def as_json
+        {
+          metadata: @metadata.as_json,
+          user: @user.as_json
+        }.compact
+      end
+    end
+  end
+end

data/lib/aikido/zen/cache.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  class Cache
+    extend Forwardable
+
+    # @api private
+    # Visible for testing.
+    def_delegators :@data,
+      :size, :empty?
+
+    def initialize(capacity, default_value = nil, ttl:, clock: nil)
+      @default_value = default_value
+      @ttl = ttl
+      @clock = clock
+
+      @data = CappedMap.new(capacity, mode: :lru)
+    end
+
+    def key?(key)
+      @data.key?(key) && !@data[key].expired?
+    end
+
+    # @param key [Object] the key
+    # @param value [Object] the value
+    # @return [Object] the value that the key was set to
+    def []=(key, value)
+      if key?(key)
+        entry = @data[key]
+        entry.refresh
+        entry.value = value
+      else
+        @data[key] = CacheEntry.new(value, ttl: @ttl, clock: @clock)
+      end
+    end
+
+    def [](key)
+      if key?(key)
+        @data[key].value
+      else
+        @default_value
+      end
+    end
+
+    def delete(key)
+      if key?(key)
+        @data.delete(key).value
+      else
+        @data.delete(key)
+        nil
+      end
+    end
+
+    # @api private
+    # Visible for testing.
+    def to_a
+      @data.map { |key, entry| [key, entry.value] }
+    end
+
+    # @api private
+    # Visible for testing.
+    def to_h
+      to_a.to_h
+    end
+  end
+
+  class CacheEntry
+    attr_accessor :value
+
+    DEFAULT_CLOCK = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond) }
+
+    # @param value [Object] the value
+    # @param ttl [Integer] the time-to-live in milliseconds
+    # @return [Aikido::Zen::CacheEntry]
+    def initialize(value, ttl:, clock: nil)
+      @value = value
+      @ttl = ttl
+      @clock = clock || DEFAULT_CLOCK
+
+      refresh
+    end
+
+    def refresh
+      @expires = @clock.call + @ttl
+    end
+
+    def expired?
+      @clock.call >= @expires
+    end
+  end
+end

data/lib/aikido/zen/capped_collections.rb

@@ -18,8 +18,8 @@ module Aikido::Zen
     # @return [Integer]
     attr_reader :capacity
 
-    def initialize(capacity)
-      @data = CappedMap.new(capacity)
+    def initialize(capacity, mode: :fifo)
+      @data = CappedMap.new(capacity, mode: mode)
     end
 
     def <<(element)
@@ -47,16 +47,23 @@ module Aikido::Zen
     extend Forwardable
 
     def_delegators :@data,
-      :[], :fetch, :delete, :key?,
+      :delete, :key?,
       :each, :each_key, :each_value,
       :size, :empty?, :to_hash
 
     # @return [Integer]
     attr_reader :capacity
 
-    def initialize(capacity)
+    def initialize(capacity, mode: :fifo)
       raise ArgumentError, "cannot set capacity lower than 1: #{capacity}" if capacity < 1
+
+      unless [:fifo, :lru].include?(mode)
+        raise ArgumentError, "unsupported mode: #{mode}"
+      end
+
       @capacity = capacity
+      @mode = mode
+
       @data = {}
     end
 
@@ -64,5 +71,16 @@ module Aikido::Zen
       @data[key] = value
       @data.delete(@data.each_key.first) if @data.size > @capacity
     end
+
+    def [](key)
+      @data[key] = @data.delete(key) if @mode == :lru && key?(key)
+      @data[key]
+    end
+
+    def fetch(key, ...)
+      return self[key] if key?(key)
+
+      @data.fetch(key, ...)
+    end
   end
 end

data/lib/aikido/zen/collector/event.rb

@@ -52,6 +52,35 @@ module Aikido::Zen
         end
       end
 
+      class TrackAttackWave < Event
+        register "track_attack_wave"
+
+        def self.from_json(data)
+          new(
+            being_blocked: data[:being_blocked]
+          )
+        end
+
+        def initialize(being_blocked:)
+          super()
+          @being_blocked = being_blocked
+        end
+
+        def as_json
+          super.update({
+            being_blocked: @being_blocked
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_attack_wave(being_blocked: @being_blocked)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@being_blocked}>"
+        end
+      end
+
       class TrackScan < Event
         register "track_scan"
 

data/lib/aikido/zen/collector/hosts.rb

@@ -7,9 +7,24 @@ module Aikido::Zen
   #
   # Keeps track of the hostnames to which the app has made outbound HTTP
   # requests.
-  class Collector::Hosts < Aikido::Zen::CappedSet
+  class Collector::Hosts < Aikido::Zen::CappedMap
     def initialize(config = Aikido::Zen.config)
       super(config.max_outbound_connections)
     end
+
+    # @param host [Aikido::Zen::OutboundConnection]
+    # @return [void]
+    def add(host)
+      self[host] ||= host
+      self[host].hit
+    end
+
+    def each(&blk)
+      each_value(&blk)
+    end
+
+    def as_json
+      map(&:as_json)
+    end
   end
 end

data/lib/aikido/zen/collector/stats.rb

@@ -8,7 +8,7 @@ module Aikido::Zen
   # Tracks information about how the Aikido Agent is used in the app.
   class Collector::Stats
     # @!visibility private
-    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :sinks
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :attack_waves, :blocked_attack_waves, :sinks
 
     # @!visibility private
     attr_writer :ended_at
@@ -16,10 +16,13 @@ module Aikido::Zen
     def initialize(config = Aikido::Zen.config)
       super()
       @config = config
-      @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
+
       @started_at = @ended_at = nil
       @requests = 0
       @aborted_requests = 0
+      @attack_waves = 0
+      @blocked_attack_waves = 0
+      @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
     end
 
     # @return [Boolean]
@@ -60,6 +63,13 @@ module Aikido::Zen
       @requests += 1
     end
 
+    # @param being_blocked [Boolean] whether the Agent blocked the request
+    # @return [void]
+    def add_attack_wave(being_blocked:)
+      @attack_waves += 1
+      @blocked_attack_waves += 1 if being_blocked
+    end
+
     # @param sink_name [String] the name of the sink
     # @param duration [Float] the length the scan in seconds
     # @param has_errors [Boolean] whether errors occurred during the scan
@@ -85,13 +95,17 @@ module Aikido::Zen
       {
         startedAt: @started_at.to_i * 1000,
         endedAt: (@ended_at.to_i * 1000 if @ended_at),
-        sinks: @sinks.transform_values(&:as_json),
+        operations: @sinks.transform_values(&:as_json),
         requests: {
           total: @requests,
           aborted: @aborted_requests,
           attacksDetected: {
             total: total_attacks,
             blocked: total_blocked
+          },
+          attackWaves: {
+            total: @attack_waves,
+            blocked: @blocked_attack_waves
           }
         }
       }

data/lib/aikido/zen/collector/users.rb

@@ -21,8 +21,8 @@ module Aikido::Zen
       end
     end
 
-    def each(&b)
-      each_value(&b)
+    def each(&blk)
+      each_value(&blk)
     end
 
     def as_json

data/lib/aikido/zen/collector.rb

@@ -88,6 +88,20 @@ module Aikido::Zen
       synchronize(@stats) { |stats| stats.add_request }
     end
 
+    # Track stats about an attack detected by our scanners.
+    #
+    # @param attack [Aikido::Zen::Events::AttackWave]
+    # @return [void]
+    def track_attack_wave(being_blocked:)
+      add_event(Events::TrackAttackWave.new(being_blocked: being_blocked))
+    end
+
+    def handle_track_attack_wave(being_blocked:)
+      synchronize(@stats) do |stats|
+        stats.add_attack_wave(being_blocked: being_blocked)
+      end
+    end
+
     # Track stats about a scan performed by one of our sinks.
     #
     # @param scan [Aikido::Zen::Scan]

data/lib/aikido/zen/config.rb

@@ -11,7 +11,7 @@ module Aikido::Zen
     # @return [Boolean] whether Aikido should be turned completely off (no
     #   intercepting calls to protect the app, no agent process running, no
     #   middleware installed). Defaults to false (so, enabled). Can be set
-    #   via the AIKIDO_DISABLED environment variable.
+    #   via the AIKIDO_DISABLE environment variable.
     attr_accessor :disabled
     alias_method :disabled?, :disabled
 
@@ -153,15 +153,39 @@ module Aikido::Zen
     #   allow known hosts that should be able to resolve to the IMDS service.
     attr_accessor :imds_allowed_hosts
 
+    # @return [Boolean] whether Aikido Zen should harden methods where possible.
+    #   Defaults to true. Can be set through AIKIDO_HARDEN environment variable.
+    attr_accessor :harden
+    alias_method :harden?, :harden
+
+    # @return [Integer] how many suspicious requests are allowed before an
+    #   attack wave detected event is reported.
+    #   Defaults to 15 requests.
+    attr_accessor :attack_wave_threshold
+
+    # @return [Integer] the minimum time in milliseconds between requests for
+    #   requests to be part of an attack wave.
+    #   Defaults to 1 minute in milliseconds.
+    attr_accessor :attack_wave_min_time_between_requests
+
+    # @return [Integer] the minimum time in milliseconds between reporting
+    #   attack wave events.
+    #   Defaults to 20 minutes in milliseconds.
+    attr_accessor :attack_wave_min_time_between_events
+
+    # @return [Integer] the maximum number of entries in the LRU cache.
+    #   Defaults to 10,000 entries.
+    attr_accessor :attack_wave_max_cache_entries
+
     def initialize
-      self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
+      self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
       self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
       self.api_timeouts = 10
       self.api_endpoint = ENV.fetch("AIKIDO_ENDPOINT", DEFAULT_AIKIDO_ENDPOINT)
       self.realtime_endpoint = ENV.fetch("AIKIDO_REALTIME_ENDPOINT", DEFAULT_RUNTIME_BASE_URL)
       self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
-      self.polling_interval = 60
-      self.initial_heartbeat_delays = [30, 60 * 2]
+      self.polling_interval = 60 # 1 min
+      self.initial_heartbeat_delays = [30, 60 * 2] # 30 sec, 2 min
       self.json_encoder = DEFAULT_JSON_ENCODER
       self.json_decoder = DEFAULT_JSON_DECODER
       self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
@@ -176,8 +200,8 @@ module Aikido::Zen
       self.blocked_responder = DEFAULT_BLOCKED_RESPONDER
       self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
       self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
-      self.server_rate_limit_deadline = 1800 # 30 min
-      self.client_rate_limit_period = 3600 # 1 hour
+      self.server_rate_limit_deadline = 30 * 60 # 30 min
+      self.client_rate_limit_period = 60 * 60 # 1 hour
       self.client_rate_limit_max_events = 100
       self.collect_api_schema = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true))
       self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
@@ -185,6 +209,11 @@ module Aikido::Zen
       self.api_schema_collection_max_properties = 20
       self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
       self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
+      self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true))
+      self.attack_wave_threshold = 15
+      self.attack_wave_min_time_between_requests = 60 * 1000 # 1 min (ms)
+      self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
+      self.attack_wave_max_cache_entries = 10_000
     end
 
     # Set the base URL for API requests.

data/lib/aikido/zen/context/rack_request.rb

@@ -6,6 +6,9 @@ require_relative "../request/heuristic_router"
 module Aikido::Zen
   # @!visibility private
   Context::RACK_REQUEST_BUILDER = ->(env) do
+    # Normalize PATH_INFO so routes are correctly recognized in middleware.
+    env["PATH_INFO"] = Helpers.normalize_path(env["PATH_INFO"])
+
     delegate = Rack::Request.new(env)
     router = Aikido::Zen::Request::HeuristicRouter.new
     request = Aikido::Zen::Request.new(delegate, framework: "rack", router: router)

data/lib/aikido/zen/context/rails_request.rb

@@ -12,6 +12,9 @@ module Aikido::Zen
 
   # @!visibility private
   Context::RAILS_REQUEST_BUILDER = ->(env) do
+    # Normalize PATH_INFO so routes are correctly recognized in middleware.
+    env["PATH_INFO"] = Helpers.normalize_path(env["PATH_INFO"])
+
     # Duplicate the Rack environment to prevent unexpected modifications from
     # breaking Rails routing.
     delegate = ActionDispatch::Request.new(env.dup)

data/lib/aikido/zen/context.rb

@@ -81,8 +81,8 @@ module Aikido::Zen
     def protection_disabled?
       return false if request.nil?
 
-      !@settings.endpoints[request.route].protected? ||
-        @settings.skip_protection_for_ips.include?(request.ip)
+      !@settings.endpoints.match(request.route).all?(&:protected?) ||
+        @settings.allowed_ips.include?(request.ip)
     end
 
     # @!visibility private
@@ -99,13 +99,45 @@ module Aikido::Zen
           extract_payloads_from(value, source_type, [prefix, key].compact.join("."))
         end
       elsif data.respond_to?(:to_ary)
-        data.to_ary.flat_map.with_index do |value, index|
+        array = data.to_ary
+        return array if array.empty?
+
+        payloads = array.flat_map.with_index do |value, index|
           extract_payloads_from(value, source_type, [prefix, index].compact.join("."))
         end
+
+        unless Aikido::Zen.config.harden?
+          # Special case for File.join given a possibly nested array of strings,
+          # as might occur when a query parameter is an array.
+          begin
+            string = File.join__internal_for_aikido_zen(*array)
+            if unsafe_path?(string)
+              payloads << Payload.new(string, source_type, [prefix, "__File.join__"].compact.join("."))
+            end
+          rescue
+            # Could not create special payload for File.join.
+          end
+        end
+
+        payloads
       else
         [Payload.new(data, source_type, prefix.to_s)]
       end
     end
+
+    def unsafe_path?(filepath)
+      normalized_filepath = Pathname.new(filepath).cleanpath.to_s.downcase
+
+      Scanners::PathTraversal::DANGEROUS_PATH_PARTS.each do |dangerous_path_part|
+        return true if normalized_filepath.include?(dangerous_path_part)
+      end
+
+      Scanners::PathTraversal::DANGEROUS_PATH_STARTS.each do |dangerous_path_start|
+        return true if normalized_filepath.start_with?(dangerous_path_start)
+      end
+
+      false
+    end
   end
 end
 

data/lib/aikido/zen/event.rb

@@ -41,8 +41,10 @@ module Aikido::Zen
 
       def as_json
         super.update(
-          attack: @attack.as_json,
-          request: @attack.context.request.as_json
+          {
+            attack: @attack.as_json,
+            request: @attack.context&.request&.as_json
+          }.compact
         )
       end
     end
@@ -67,5 +69,48 @@ module Aikido::Zen
         )
       end
     end
+
+    class AttackWave < Event
+      # @param [Aikido::Zen::Context] a context
+      # @return [Aikido::Zen::Events::AttackWave] an attack wave event
+      def self.from_context(context)
+        request = Aikido::Zen::AttackWave::Request.new(
+          ip_address: context.request.client_ip,
+          user_agent: context.request.user_agent,
+          source: context.request.framework
+        )
+
+        attack = Aikido::Zen::AttackWave::Attack.new(
+          metadata: {}, # not used yet
+          user: context.request.actor
+        )
+
+        new(request: request, attack: attack)
+      end
+
+      # @return [Aikido::Zen::AttackWave::Request]
+      attr_reader :request
+
+      # @return [Aikido::Zen::AttackWave::Attack]
+      attr_reader :attack
+
+      # @param [Aikido::Zen::AttackWave::Request] the attack wave request
+      # @param [Aikido::Zen::AttackWave::Attack] the attack wave attack
+      # @param opts [Hash<Symbol, Object>] any other options to pass to
+      #   the superclass initializer.
+      # @return [Aikido::Zen::Events::AttackWave] an attack wave event
+      def initialize(request:, attack:, **opts)
+        super(type: "detected_attack_wave", **opts)
+        @request = request
+        @attack = attack
+      end
+
+      def as_json
+        super.update(
+          request: @request.as_json,
+          attack: @attack.as_json
+        )
+      end
+    end
   end
 end

data/lib/aikido/zen/helpers.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Aikido
+  module Zen
+    # @api private
+    module Helpers
+      # Normalizes a path by:
+      #
+      #   1. Collapsing consecutive forward slashes into a single forward slash.
+      #   2. Removing forward trailing slash, unless the normalized path is "/".
+      #
+      # @param path [String, nil] the path to normalize.
+      # @return [String, nil] the normalized path.
+      def self.normalize_path(path)
+        return path unless path
+
+        normalized_path = path.dup
+        normalized_path.squeeze!("/")
+        normalized_path.chomp!("/") unless normalized_path == "/"
+        normalized_path
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/{check_allowed_addresses.rb → allowed_address_checker.rb}

@@ -3,7 +3,7 @@
 module Aikido::Zen
   module Middleware
     # Middleware that rejects requests from IPs blocked in the Aikido dashboard.
-    class CheckAllowedAddresses
+    class AllowedAddressChecker
       def initialize(app, config: Aikido::Zen.config, settings: Aikido::Zen.runtime_settings)
         @app = app
         @config = config

data/lib/aikido/zen/middleware/attack_wave_protector.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Aikido
+  module Zen
+    module Middleware
+      class AttackWaveProtector
+        def initialize(app, zen: Aikido::Zen, settings: Aikido::Zen.runtime_settings)
+          @app = app
+          @zen = zen
+          @settings = settings
+        end
+
+        def call(env)
+          response = @app.call(env)
+
+          context = @zen.current_context
+          protect(context)
+
+          response
+        end
+
+        # @api private
+        # Visible for testing.
+        def attack_wave?(context)
+          request = context.request
+          return false if request.nil?
+
+          # Bypass attack wave protection for allowed IPs
+          return false if @settings.allowed_ips.include?(request.ip)
+
+          @zen.attack_wave_detector.attack_wave?(context)
+        end
+
+        # @api private
+        # Visible for testing.
+        def protect(context)
+          if attack_wave?(context)
+            attack_wave = Aikido::Zen::Events::AttackWave.from_context(context)
+            @zen.track_attack_wave(attack_wave)
+            @zen.agent.report(attack_wave)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/{set_context.rb → context_setter.rb}

@@ -9,7 +9,7 @@ module Aikido::Zen
   module Middleware
     # Rack middleware that keeps the current context in a Thread/Fiber-local
     # variable so that other parts of the agent/firewall can access it.
-    class SetContext
+    class ContextSetter
       def initialize(app)
         @app = app
       end