RubyGems - aikido-zen - Versions diffs - 1.0.6-aarch64-linux → 1.0.8-aarch64-linux - Mend

aikido-zen 1.0.6-aarch64-linux → 1.0.8-aarch64-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/aikido/zen/attack.rb +3 -1
data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +10 -2
data/lib/aikido/zen/sinks/action_controller.rb +5 -0
data/lib/aikido/zen/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60c160168f6f193cb0f5e0062968484475f9407113378e6c2a39c8bcd301f590
-  data.tar.gz: 6d30e758d4592f9b82c2b5eef818021ccbdc334476ed08d89b397d471b5ab9c2
+  metadata.gz: 4d97c57c19281c802f269540fc57e2f5f0bb438587935756a3b4d83ec3f2b163
+  data.tar.gz: b0d32e012a62991caa54df7da691c9bb8fb6bb0ed749376cb35e5e35b1c7b2a2
 SHA512:
-  metadata.gz: 0f7708b61d0c3370c12f00dd12c59459377bc824dac3fc50492be874024a038b792bbaf9690d0889dd76c16699cb60a5009cb16464ac0b88170df6cd29ff33eb
-  data.tar.gz: 2d961f1d77803357be22fdb21791ef3ad09d1a51dc227cfee3bea038596924b05194f477336b5b2d82bad65a8e74d9def4ed3e20f2bbaf6fa8c8829d603cc530
+  metadata.gz: 931decbcaf4b971d9ac8e6c662451eb23decd82477e67acb8bcd9d6b1b141f967fd250fe9f1830d007f017bfa4b8f94021db81da19cf7ffb8041926b2d869bda
+  data.tar.gz: 025a400fc80936f17b7d4e7bb6fec386ee6ba2266ffb70737b8c4622097f01588dfbc5e7a63018e93c95c290cb8d4cda034d2bb90be8f9e8eb4ab49ccf624284

data/lib/aikido/zen/attack.rb CHANGED Viewed

@@ -203,7 +203,9 @@ module Aikido::Zen
       end
       def input
-        Aikido::Zen::Payload::UNKNOWN_PAYLOAD
+        # When the payload is unknown the payload, source, and path properties
+        # should be undefined, not "unknown".
+        {}
       end
       def metadata

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb CHANGED Viewed

@@ -38,11 +38,19 @@ module Aikido::Zen
         return if @config.imds_allowed_hosts.include?(@hostname)
-        @addresses.find do |candidate|
-          DANGEROUS_ADDRESSES.any? { |address| address === candidate }
+        @addresses.find do |address|
+          DANGEROUS_ADDRESSES.any? do |dangerous_address|
+            # Addresses are not considered stored IMDS addresses if the address
+            # is the same as the hostname. (These are valid IMDS requests, not spoofed ones)
+            next if address == @hostname
+            # True if the dangerous address is address or includes the address.
+            dangerous_address === address
+          end
         end
       end
+      # A dangerous address may be an individual address or an address range.
       DANGEROUS_ADDRESSES = [
         IPAddr.new("169.254.169.254"),
         IPAddr.new("100.100.100.200"),

data/lib/aikido/zen/sinks/action_controller.rb CHANGED Viewed

@@ -20,6 +20,11 @@ module Aikido::Zen
         end
         def block?(controller)
+          # The abstract controller running the callback is typically an ActionController
+          # but it may also be an ActionMailer. ActionMailer does not respond to request.
+          # This feature requires a request object to perform checks and enforce blocking.
+          return false unless controller.respond_to?(:request)
           context = controller.request.env[Aikido::Zen::ENV_KEY]
           request = context.request

data/lib/aikido/zen/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 module Aikido
   module Zen
-    VERSION = "1.0.6"
+    VERSION = "1.0.8"
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.48"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.6
+  version: 1.0.8
 platform: aarch64-linux
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-12-29 00:00:00.000000000 Z
+date: 2026-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby