aikido-zen 1.0.2.beta.9-x86_64-mingw-64 → 1.0.2-x86_64-mingw-64

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a2256eb09c96d227c423de665044f749cb92c1d6d0f79f54afa34c80e4eab9d
-  data.tar.gz: f76e40d0282dab76ddc1834d173118c3176f213a818aadaadafc996646011e16
+  metadata.gz: d5b47a88489c1a19ed7158f2c8027d10b24cfd731276b4958b3e91420d2aa03d
+  data.tar.gz: 2046a6362bb88f10e04a72bfa8b75ac06a7c4ef07d5b5b1ba65555d23f4d8e5e
 SHA512:
-  metadata.gz: 8eb15d8073729f9645de7bc2eceb00f887ac090007445393184f0d14672ccb52e2aef1f02b90cb41066847eecb2f7f31cc33a11f2c17872cc1547ae17fef8c85
-  data.tar.gz: 0eb7c89bcefd1aab4dd20d55d5eda9f7a40894926ca5d086b80d249db60bcf917d11acaf9bf207b6ae850616c61195c32d0d4b92c5f354c92e720411f2d56b30
+  metadata.gz: 4d6a1f502134f623dd8e22d081a6c71851fa96ccf73901997439146fab044759230f55750dd5bcee9737797a7a039a7c28ad6d633b6adea0ea2128d36686c086
+  data.tar.gz: fd4df6f61e58cf6281547bbadcfd0f6941a5984b4461558ecd6fb3eea82465e1180bef2e1c41dd3806cde29cca23b1f9a4d925ee3c5258cccedf4c16648b3f14

data/README.md

@@ -23,6 +23,7 @@ Zen will autonomously protect your Ruby applications against:
 * 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
 * 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
+* 🛡️ [Attack waves](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)
 
 Zen operates autonomously on the same server as your Ruby app to:
 

data/docs/config.md

@@ -8,7 +8,7 @@ other Rack-based apps).
 ## Disable Zen
 
 In order to fully turn off Zen and prevent it from intercepting any requests or
-reporting back to the Aikido servers, set `AIKIDO_DISABLED=true` in your
+reporting back to the Aikido servers, set `AIKIDO_DISABLE=true` in your
 environment, or set `Aikido::Zen.config.disabled = true`.
 
 (We recommend the ENV variable as you can normally change this easily without
@@ -34,6 +34,14 @@ set it via `Aikido::Zen.config.token = <token>`.
 
 **NOTE**: Never commit your token to the source code repository in plain text.
 
+## Hardened mode
+
+Zen hardens methods, restricting dangerous undocumented behavior to improve
+security and performance.
+
+To disable method hardening, set `AIKIDO_HARDEN=false` in your environment,
+or set `Aikido::Zen.config.harden = false`.
+
 ## Logger
 
 Zen logs to standard output by default. You can change this by changing the

data/docs/troubleshooting.md

@@ -0,0 +1,62 @@
+# Troubleshooting
+
+If the Zen Firewall isn't working as expected, follow these steps in order to diagnose common issues.
+
+## Review installation steps
+
+Double-check your setup against the [installation guide](../README.md#installation).
+
+Make sure:
+- Your runtime and framework are supported (see [Supported libraries and frameworks](../README.md#supported-libraries-and-frameworks)).
+- The package installed successfully.
+- Your framework-specific integration matches the example in the docs (for Rails, see the example in [docs/rails.md](../docs/rails.md)).
+
+## Check connection to Aikido
+
+The firewall must be able to reach Aikido's API endpoints.
+
+Test connectivity from the same environment where your app runs, following the instructions on this page: https://help.aikido.dev/zen-firewall/miscellaneous/outbound-network-connections-for-zen
+
+## Check logs for errors
+
+Common places:
+- Local dev: `cat log/development.log` or `tail -f log/development.log`
+- Docker: `docker logs <your-app-container>`
+- systemd: `journalctl -u <your-app-service> --since "1 hour ago"`
+
+Tip: search logs for lines containing `Aikido` or `Zen`.
+
+For example:
+
+```sh
+grep -Ei 'aikido|zen' log/development.log
+```
+
+## Enable debug output temporarily
+
+If you use Rails, set the log level to `info` or `debug` while you investigate.
+
+```ruby
+# config/environments/development.rb or production.rb
+config.log_level = :info # use :debug if needed
+```
+
+If you have your own logger, make sure Zen logs go to stdout.
+
+You can enable Zen debugging mode as follows.
+
+```ruby
+# config/initializers/zen.rb
+Rails.application.config.zen.debugging = true
+```
+
+Or set `AIKIDO_DEBUG=true` in your environment.
+
+## Contact support
+
+If you still can't resolve the problem:
+
+- Use the in-app chat to reach our support team directly.
+- Or create an issue on [GitHub](https://github.com/AikidoSec/firewall-ruby/issues) with details about your setup, framework, and logs.
+
+Include as much context as possible; this helps us respond faster.

data/lib/aikido/zen/agent.rb

@@ -43,7 +43,7 @@ module Aikido::Zen
       @started_at = Time.now.utc
       @collector.start(at: @started_at)
 
-      if @config.blocking_mode?
+      if Aikido::Zen.blocking_mode?
         @config.logger.info("Requests identified as attacks will be blocked")
       else
         @config.logger.warn("Non-blocking mode enabled! No requests will be blocked.")
@@ -106,7 +106,7 @@ module Aikido::Zen
     # @raise [Aikido::Zen::UnderAttackError] if the firewall is configured
     #   to block requests.
     def handle_attack(attack)
-      attack.will_be_blocked! if @config.blocking_mode?
+      attack.will_be_blocked! if Aikido::Zen.blocking_mode?
 
       @config.logger.error(
         format("Zen has %s a %s: %s", attack.blocked? ? "blocked" : "detected", attack.humanized_name, attack.as_json.to_json)

data/lib/aikido/zen/attack.rb

@@ -10,10 +10,11 @@ module Aikido::Zen
     attr_reader :operation
     attr_accessor :sink
 
-    def initialize(context:, sink:, operation:)
+    def initialize(context:, sink:, operation:, stack: nil)
       @context = context
       @operation = operation
       @sink = sink
+      @stack = stack
       @blocked = false
     end
 
@@ -46,8 +47,9 @@ module Aikido::Zen
         kind: kind,
         blocked: blocked?,
         metadata: metadata,
-        operation: @operation
-      }.merge(input.as_json)
+        operation: @operation,
+        stack: @stack
+      }.compact.merge(input.as_json)
     end
 
     def exception(*)
@@ -171,7 +173,7 @@ module Aikido::Zen
       def metadata
         {
           hostname: @request.uri.hostname,
-          port: @request.uri.port
+          port: @request.uri.port.to_s
         }
       end
     end
@@ -197,7 +199,7 @@ module Aikido::Zen
       end
 
       def kind
-        "ssrf"
+        "stored_ssrf"
       end
 
       def input
@@ -207,7 +209,7 @@ module Aikido::Zen
       def metadata
         {
           hostname: @hostname,
-          resolvedIP: @address
+          privateIP: @address
         }
       end
     end

data/lib/aikido/zen/attack_wave/helpers.rb

@@ -0,0 +1,457 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module AttackWave
+    module Helpers
+      def self.web_scanner?(context)
+        return true if suspicious_request?(context)
+
+        return true if include_suspicious_payload?(context)
+
+        false
+      end
+
+      def self.suspicious_request?(context)
+        request = context.request
+
+        suspicious_method?(request.request_method) || suspicious_path?(request.path_info)
+      end
+
+      def self.suspicious_method?(method)
+        SUSPICIOUS_METHODS.include?(method.downcase)
+      end
+
+      def self.suspicious_path?(path)
+        path_parts = path.downcase.split("/")
+
+        file_name = path_parts.pop if path_parts.length > 0
+
+        if file_name
+          return true if SUSPICIOUS_FILE_NAMES.include?(file_name)
+
+          file_name_parts = file_name.split(".")
+
+          file_extension = file_name_parts.pop if file_name_parts.length > 1
+
+          return true if SUSPICIOUS_FILE_EXTENSIONS.include?(file_extension)
+        end
+
+        path_parts.any? do |directory_name|
+          SUSPICIOUS_DIRECTORY_NAMES.include?(directory_name)
+        end
+      end
+
+      def self.include_suspicious_payload?(context)
+        context.payloads.each do |payload|
+          next unless payload.source == :query
+
+          value = payload.value.downcase
+
+          length = value.length
+
+          next if length < 5 || length > 1_000
+
+          return true if SUSPICIOUS_SQL_KEYWORDS.any? do |keyword|
+            value.include?(keyword)
+          end
+        end
+
+        false
+      end
+
+      SUSPICIOUS_METHODS = [
+        "BADMETHOD",
+        "BADHTTPMETHOD",
+        "BADDATA",
+        "BADMTHD",
+        "BDMTHD"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_DIRECTORY_NAMES = [
+        ".",
+        "..",
+        ".anydesk",
+        ".aptitude",
+        ".aws",
+        ".azure",
+        ".cache",
+        ".circleci",
+        ".config",
+        ".dbus",
+        ".docker",
+        ".drush",
+        ".TODO: gem",
+        ".git",
+        ".github",
+        ".gnupg",
+        ".gsutil",
+        ".hg",
+        ".idea",
+        ".java",
+        ".kube",
+        ".lftp",
+        ".minikube",
+        ".npm",
+        ".nvm",
+        ".pki",
+        ".snap",
+        ".ssh",
+        ".subversion",
+        ".svn",
+        ".tconn",
+        ".thunderbird",
+        ".tor",
+        ".vagrant.d",
+        ".vidalia",
+        ".vim",
+        ".vmware",
+        ".vscode",
+        "apache",
+        "apache2",
+        "grub",
+        "System32",
+        "tmp",
+        "xampp",
+        "cgi-bin",
+        "%systemroot%"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_FILE_NAMES = [
+        ".addressbook",
+        ".atom",
+        ".bashrc",
+        ".boto",
+        ".config",
+        ".config.json",
+        ".config.xml",
+        ".config.yaml",
+        ".config.yml",
+        ".envrc",
+        ".eslintignore",
+        ".fbcindex",
+        ".forward",
+        ".gitattributes",
+        ".gitconfig",
+        ".gitignore",
+        ".gitkeep",
+        ".gitlab-ci.yaml",
+        ".gitlab-ci.yml",
+        ".gitmodules",
+        ".google_authenticator",
+        ".hgignore",
+        ".htaccess",
+        ".htpasswd",
+        ".htdigest",
+        ".ksh_history",
+        ".lesshst",
+        ".lhistory",
+        ".lighttpdpassword",
+        ".lldb-history",
+        ".lynx_cookies",
+        ".my.cnf",
+        ".mysql_history",
+        ".nano_history",
+        ".netrc",
+        ".node_repl_history",
+        ".npmrc",
+        ".nsconfig",
+        ".nsr",
+        ".password-store",
+        ".pearrc",
+        ".pgpass",
+        ".php_history",
+        ".pinerc",
+        ".proclog",
+        ".procmailrc",
+        ".profile",
+        ".psql_history",
+        ".python_history",
+        ".rediscli_history",
+        ".rhosts",
+        ".selected_editor",
+        ".sh_history",
+        ".sqlite_history",
+        ".svnignore",
+        ".tcshrc",
+        ".tmux.conf",
+        ".travis.yaml",
+        ".travis.yml",
+        ".viminfo",
+        ".vimrc",
+        ".www_acl",
+        ".wwwacl",
+        ".xauthority",
+        ".yarnrc",
+        ".zhistory",
+        ".zsh_history",
+        ".zshenv",
+        ".zshrc",
+        "Dockerfile",
+        "aws-key.yaml",
+        "aws-key.yml",
+        "aws.yaml",
+        "aws.yml",
+        "docker-compose.yaml",
+        "docker-compose.yml",
+        "npm-shrinkwrap.json",
+        "package-lock.json",
+        "package.json",
+        "phpinfo.php",
+        "wp-config.php",
+        "wp-config.php3",
+        "wp-config.php4",
+        "wp-config.php5",
+        "wp-config.phtml",
+        "composer.json",
+        "composer.lock",
+        "composer.phar",
+        "yarn.lock",
+        ".env.local",
+        ".env.development",
+        ".env.test",
+        ".env.production",
+        ".env.prod",
+        ".env.dev",
+        ".env.example",
+        "php.ini",
+        "wp-settings.php",
+        "config.asp",
+        "config_dev.asp",
+        "config-dev.asp",
+        "config.dev.asp",
+        "config_prod.asp",
+        "config-prod.asp",
+        "config.prod.asp",
+        "config.sample.asp",
+        "config-sample.asp",
+        "config_sample.asp",
+        "config_test.asp",
+        "config-test.asp",
+        "config.test.asp",
+        "config.ini",
+        "config_dev.ini",
+        "config-dev.ini",
+        "config.dev.ini",
+        "config_prod.ini",
+        "config-prod.ini",
+        "config.prod.ini",
+        "config.sample.ini",
+        "config-sample.ini",
+        "config_sample.ini",
+        "config_test.ini",
+        "config-test.ini",
+        "config.test.ini",
+        "config.json",
+        "config_dev.json",
+        "config-dev.json",
+        "config.dev.json",
+        "config_prod.json",
+        "config-prod.json",
+        "config.prod.json",
+        "config.sample.json",
+        "config-sample.json",
+        "config_sample.json",
+        "config_test.json",
+        "config-test.json",
+        "config.test.json",
+        "config.php",
+        "config_dev.php",
+        "config-dev.php",
+        "config.dev.php",
+        "config_prod.php",
+        "config-prod.php",
+        "config.prod.php",
+        "config.sample.php",
+        "config-sample.php",
+        "config_sample.php",
+        "config_test.php",
+        "config-test.php",
+        "config.test.php",
+        "config.pl",
+        "config_dev.pl",
+        "config-dev.pl",
+        "config.dev.pl",
+        "config_prod.pl",
+        "config-prod.pl",
+        "config.prod.pl",
+        "config.sample.pl",
+        "config-sample.pl",
+        "config_sample.pl",
+        "config_test.pl",
+        "config-test.pl",
+        "config.test.pl",
+        "config.py",
+        "config_dev.py",
+        "config-dev.py",
+        "config.dev.py",
+        "config_prod.py",
+        "config-prod.py",
+        "config.prod.py",
+        "config.sample.py",
+        "config-sample.py",
+        "config_sample.py",
+        "config_test.py",
+        "config-test.py",
+        "config.test.py",
+        "config.rb",
+        "config_dev.rb",
+        "config-dev.rb",
+        "config.dev.rb",
+        "config_prod.rb",
+        "config-prod.rb",
+        "config.prod.rb",
+        "config.sample.rb",
+        "config-sample.rb",
+        "config_sample.rb",
+        "config_test.rb",
+        "config-test.rb",
+        "config.test.rb",
+        "config.toml",
+        "config_dev.toml",
+        "config-dev.toml",
+        "config.dev.toml",
+        "config_prod.toml",
+        "config-prod.toml",
+        "config.prod.toml",
+        "config.sample.toml",
+        "config-sample.toml",
+        "config_sample.toml",
+        "config_test.toml",
+        "config-test.toml",
+        "config.test.toml",
+        "config.txt",
+        "config_dev.txt",
+        "config-dev.txt",
+        "config.dev.txt",
+        "config_prod.txt",
+        "config-prod.txt",
+        "config.prod.txt",
+        "config.sample.txt",
+        "config-sample.txt",
+        "config_sample.txt",
+        "config_test.txt",
+        "config-test.txt",
+        "config.test.txt",
+        "config.xml",
+        "config_dev.xml",
+        "config-dev.xml",
+        "config.dev.xml",
+        "config_prod.xml",
+        "config-prod.xml",
+        "config.prod.xml",
+        "config.sample.xml",
+        "config-sample.xml",
+        "config_sample.xml",
+        "config_test.xml",
+        "config-test.xml",
+        "config.test.xml",
+        "config.yaml",
+        "config_dev.yaml",
+        "config-dev.yaml",
+        "config.dev.yaml",
+        "config_prod.yaml",
+        "config-prod.yaml",
+        "config.prod.yaml",
+        "config.sample.yaml",
+        "config-sample.yaml",
+        "config_sample.yaml",
+        "config_test.yaml",
+        "config-test.yaml",
+        "config.test.yaml",
+        "config.yml",
+        "config_dev.yml",
+        "config-dev.yml",
+        "config.dev.yml",
+        "config_prod.yml",
+        "config-prod.yml",
+        "config.prod.yml",
+        "config.sample.yml",
+        "config-sample.yml",
+        "config_sample.yml",
+        "config_test.yml",
+        "config-test.yml",
+        "config.test.yml",
+        "boot.ini",
+        "gruntfile.js",
+        "localsettings.php",
+        "my.ini",
+        "npm-debug.log",
+        "parameters.yml",
+        "parameters.yaml",
+        "services.yml",
+        "services.yaml",
+        "web.config",
+        "webpack.config.js",
+        "config.old",
+        "config.inc.php",
+        "error.log",
+        "access.log",
+        ".DS_Store",
+        "passwd",
+        "win.ini",
+        "cmd.exe",
+        "my.cnf",
+        ".bash_history",
+        "docker-compose-dev.yml",
+        "docker-compose.override.yml",
+        "docker-compose.dev.yml",
+        "Cargo.lock",
+        "secrets.yml",
+        "secrets.yaml",
+        "docker-compose.staging.yml",
+        "docker-compose.production.yml",
+        "yaws-key.pem",
+        "mysql_config.ini",
+        "firewall.log",
+        "log4j.properties",
+        "serviceAccountCredentials.json",
+        "haproxy.cfg",
+        "service-account-credentials.json",
+        "vpn.log",
+        "system.log",
+        "webuser-auth.xml",
+        "fastcgi.conf",
+        "smb.conf",
+        "iis.log",
+        "pom.xml",
+        "openapi.json",
+        "vim_settings.xml",
+        "winscp.ini",
+        "ws_ftp.ini"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_FILE_EXTENSIONS = [
+        "env",
+        "bak",
+        "sql",
+        "sqlite",
+        "sqlite3",
+        "db",
+        "old",
+        "save",
+        "orig",
+        "sqlitedb",
+        "sqlite3db"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_SQL_KEYWORDS = [
+        "SELECT (CASE WHEN",
+        "SELECT COUNT(",
+        "SLEEP(",
+        "WAITFOR DELAY",
+        "SELECT LIKE(CHAR(",
+        "INFORMATION_SCHEMA.COLUMNS",
+        "INFORMATION_SCHEMA.TABLES",
+        "MD5(",
+        "DBMS_PIPE.RECEIVE_MESSAGE",
+        "SYSIBM.SYSTABLES",
+        "RANDOMBLOB(",
+        "SELECT * FROM",
+        "1'='1",
+        "PG_SLEEP(",
+        "UNION ALL SELECT",
+        "../"
+      ].map(&:downcase).freeze
+    end
+  end
+end