aikido-zen 1.2.3-arm64-linux → 1.3.0-arm64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1da639c1cf13d6c71a123a6190cbab65741a3d0f3135e47840ed0130dd24d8f9
-  data.tar.gz: 3b0a7fa624bd53ee43a3b68fcae46f9d5496299706cfe0b2dfa576370a475a1e
+  metadata.gz: 29ba9f159c292e608cbe95092d79ebe8b1deaead1e4520fecebf5c12cd98d5b2
+  data.tar.gz: 74089a226d69444bb22941cef2af77b16eea38f57a6f292fe1ba69fa281e6256
 SHA512:
-  metadata.gz: a3711025c73893353bf4c1e9c35cd29cbc8cb5a79aaeeb5a7c0f39ef087bcfd1d5275b872eca3caf57ca6917ef921f4b8ca9d97f6866f1305a25ab9708bb3638
-  data.tar.gz: 213a948b684fcd9433c2c3fd686c785553fa367aa16e7a2b52ca3b3e8ed42fd16f1c73fbbc1af2ed8cac3429c82b6d316f752649dfa6f1e16199f0476cae57d3
+  metadata.gz: d901c1021e6e37969296ada67fa49bb3a6c22c345cf0534d46927fc4cf4eae0560b385965cc998d0edfb8b4aa9e4f3cc426f1473e9e5e92f8472ce25142af773
+  data.tar.gz: 041476ab0a053ed6d13730976e8fdbd4abbb4f64fa96d8f1143e224a1d7edfc82db1777ddd064599c1976f343a5059987c16a78cb17d847e5b0f9a6b0ac55fb9

data/benchmarks/ip_list/benchmark.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby
+
+require "benchmark"
+require "aikido-zen"
+
+random_ipv4_ranges = (0..).lazy.map do
+  ip_int = rand(2**32)
+  prefix = rand(8..32)
+  network = IPAddr.new(ip_int, Socket::AF_INET).mask(prefix)
+  "#{network}/#{prefix}"
+end
+
+random_ipv6_ranges = (0..).lazy.map do
+  ip_int = rand(2**128)
+  prefix = rand(1..128)
+  network = IPAddr.new(ip_int, Socket::AF_INET6).mask(prefix)
+  "#{network}/#{prefix}"
+end
+
+random_ip_ranges = (0..).lazy.map do
+  (rand < 0.5) ? random_ipv4_ranges.next : random_ipv6_ranges.next
+end
+
+if __FILE__ == $0
+  ip_ranges = random_ip_ranges.take(1000)
+
+  ip_list = Aikido::Zen::RuntimeSettings::IPList.from_json({
+    "key" => "key",
+    "source" => "source",
+    "description" => "description",
+    "ips" => ip_ranges
+  })
+
+  result = Benchmark.measure do
+    ip_ranges.all? { |ip_range| ip_list.include?(ip_range) }
+  end
+
+  puts result
+end

data/lib/aikido/zen/agent.rb

@@ -160,6 +160,9 @@ module Aikido::Zen
         if Aikido::Zen.runtime_settings.update_from_runtime_config_json(response)
           updated_settings!
           @config.logger.info("Updated runtime settings after heartbeat")
+
+          Aikido::Zen.runtime_settings.update_from_runtime_firewall_lists_json(@api_client.fetch_runtime_firewall_lists)
+          @config.logger.info("Updated runtime firewall list after heartbeat")
         end
       end
     end

data/lib/aikido/zen/collector/event.rb

@@ -95,6 +95,33 @@ module Aikido::Zen
         end
       end
 
+      class TrackIPList < Event
+        register "track_ip_list"
+
+        def self.from_json(data)
+          new(data[:ip_list_keys])
+        end
+
+        def initialize(ip_list_keys)
+          super()
+          @ip_list_keys = ip_list_keys
+        end
+
+        def as_json
+          super.update({
+            ip_list_keys: @ip_list_keys
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_ip_list(@ip_list_keys)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@ip_list_keys.inspect}>"
+        end
+      end
+
       class TrackAttackWave < Event
         register "track_attack_wave"
 

data/lib/aikido/zen/collector/stats.rb

@@ -8,7 +8,7 @@ module Aikido::Zen
   # Tracks information about how the Aikido Agent is used in the app.
   class Collector::Stats
     # @!visibility private
-    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :rate_limited_requests, :user_agents, :attack_waves, :blocked_attack_waves, :sinks
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :rate_limited_requests, :user_agents, :ip_lists, :attack_waves, :blocked_attack_waves, :sinks
 
     # @!visibility private
     attr_writer :ended_at
@@ -22,6 +22,7 @@ module Aikido::Zen
       @aborted_requests = 0
       @rate_limited_requests = 0
       @user_agents = Hash.new { |h, k| h[k] = 0 }
+      @ip_lists = Hash.new { |h, k| h[k] = 0 }
       @attack_waves = 0
       @blocked_attack_waves = 0
       @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
@@ -79,6 +80,12 @@ module Aikido::Zen
       user_agent_keys&.each { |user_agent_key| @user_agents[user_agent_key] += 1 }
     end
 
+    # @param user_agent_keys [Array<String>] the user agent keys
+    # @return [void]
+    def add_ip_list(ip_list_keys)
+      ip_list_keys&.each { |ip_list_key| @ip_lists[ip_list_key] += 1 }
+    end
+
     # @param being_blocked [Boolean] whether the Agent blocked the request
     # @return [void]
     def add_attack_wave(being_blocked:)
@@ -127,6 +134,9 @@ module Aikido::Zen
         },
         userAgents: {
           breakdown: @user_agents
+        },
+        ipAddresses: {
+          breakdown: @ip_lists
         }
       }
     end

data/lib/aikido/zen/collector.rb

@@ -101,10 +101,10 @@ module Aikido::Zen
 
     # Track stats about monitored and blocked user agents
     #
-    # @param [Array<String>, nil] the user agent keys
+    # @param user_agent_keys [Array<String>, nil] the user agent keys
     # @return [void]
     def track_user_agent(user_agent_keys)
-      return if user_agent_keys.nil?
+      return if user_agent_keys.nil? || user_agent_keys.empty?
 
       add_event(Events::TrackUserAgent.new(user_agent_keys))
     end
@@ -113,6 +113,20 @@ module Aikido::Zen
       synchronize(@stats) { |stats| stats.add_user_agent(user_agent_keys) }
     end
 
+    # Track stats about blocked and monitored IP lists
+    #
+    # @param ip_list_keys [Array<String>, nil]
+    # @return [void]
+    def track_ip_list(ip_list_keys)
+      return if ip_list_keys.nil? || ip_list_keys.empty?
+
+      add_event(Events::TrackIPList.new(ip_list_keys))
+    end
+
+    def handle_track_ip_list(ip_list_keys)
+      synchronize(@stats) { |stats| stats.add_ip_list(ip_list_keys) }
+    end
+
     # Track stats about an attack detected by our scanners.
     #
     # @param attack [Aikido::Zen::Events::AttackWave]

data/lib/aikido/zen/config.rb

@@ -322,10 +322,18 @@ module Aikido::Zen
     DEFAULT_DETACHED_AGENT_SOCKET_PATH = "aikido-detached-agent.%h.sock"
 
     # @!visibility private
-    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type) do
+    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type, reason = nil) do
       message = case blocking_type
       when :ip
-        format("Your IP address is not allowed to access this resource. (Your IP: %s)", request.ip)
+        "Your IP address is not allowed to access this resource. (Your IP: #{request.ip})"
+      when :ip_allowed_list
+        "Your IP address is not allowed to access this resource. (Your IP: #{request.client_ip})"
+      when :ip_blocked_list
+        if reason.nil?
+          "Your IP is blocked."
+        else
+          "Your IP is blocked due to #{reason}."
+        end
       when :user_agent
         "You are not allowed to access this resource because you have been identified as a bot."
       else

data/lib/aikido/zen/middleware/ip_list_checker.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    class IPListChecker
+      def initialize(app, zen: Aikido::Zen, config: zen.config, settings: zen.runtime_settings)
+        @app = app
+        @zen = zen
+        @config = config
+        @settings = settings
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+
+        client_ip = request.client_ip
+
+        return @app.call(env) if bypassed_ip?(client_ip)
+
+        if !@settings.allowed_ip?(client_ip)
+          return @config.blocked_responder.call(request, :ip_allowed_list)
+        end
+
+        monitored_ip_list_keys = @settings.monitored_ip_list_keys(client_ip)
+        @zen.track_ip_list(monitored_ip_list_keys)
+
+        blocked_ip_lists = @settings.blocked_ip_lists.filter { |ip_list| ip_list.include?(client_ip) }
+
+        if !blocked_ip_lists.empty?
+          @zen.track_ip_list(blocked_ip_lists.map(&:key))
+
+          return @config.blocked_responder.call(
+            request,
+            :ip_blocked_list,
+            blocked_ip_lists.first.description
+          )
+        end
+
+        @app.call(env)
+      end
+
+      def bypassed_ip?(client_ip)
+        @settings.bypassed_ips.include?(client_ip)
+      end
+    end
+  end
+end

data/lib/aikido/zen/rails_engine.rb

@@ -17,6 +17,7 @@ module Aikido::Zen
         Aikido::Zen::Middleware::ForkDetector,
         Aikido::Zen::Middleware::ContextSetter,
         Aikido::Zen::Middleware::AllowedAddressChecker,
+        Aikido::Zen::Middleware::IPListChecker,
         Aikido::Zen::Middleware::UserAgentChecker,
         Aikido::Zen::Middleware::AttackProtector,
         Aikido::Zen::Middleware::AttackWaveProtector,

data/lib/aikido/zen/runtime_settings/ip_list.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  class RuntimeSettings::IPList
+    attr_reader :key
+    attr_reader :source
+    attr_reader :description
+    attr_reader :ips
+
+    attr_reader :ipv4_ranges
+    attr_reader :ipv6_ranges
+
+    def self.from_json(data)
+      new(
+        key: data["key"],
+        source: data["source"],
+        description: data["description"],
+        ips: Array(data["ips"]).map { |ip| IPAddr.new(ip) }
+      )
+    end
+
+    def initialize(key:, source:, description:, ips:)
+      @key = key
+      @source = source
+      @description = description
+      @ips = ips
+
+      @ipv4_ranges = []
+      @ipv6_ranges = []
+
+      ips.each do |ip|
+        if ip.ipv4?
+          @ipv4_ranges << ip.to_range
+        elsif ip.ipv6?
+          @ipv6_ranges << ip.to_range
+        else
+          raise ArgumentError, "Unsupported IP address family: #{ip.inspect}"
+        end
+      end
+
+      @ipv4_ranges.sort_by!(&:begin)
+      @ipv6_ranges.sort_by!(&:begin)
+    end
+
+    def inspect
+      "#<#{self.class} #{@key}>"
+    end
+
+    def include?(ip)
+      native_ip = nativize_ip(ip)
+      return false if native_ip.nil?
+
+      if native_ip.ipv4?
+        ranges_cover?(@ipv4_ranges, native_ip)
+      elsif native_ip.ipv6?
+        ranges_cover?(@ipv6_ranges, native_ip)
+      else
+        raise ArgumentError, "Unsupported IP address family: #{ip.inspect}"
+      end
+    end
+
+    private
+
+    def nativize_ip(ip)
+      case ip
+      when IPAddr
+        ip.native
+      when String
+        begin
+          IPAddr.new(ip).native
+        rescue IPAddr::InvalidAddressError
+          nil
+        end
+      when nil
+        nil
+      else
+        raise ArgumentError, "no explicit conversion of #{ip.class} to IPAddr"
+      end
+    end
+
+    def ranges_cover?(ranges, ip)
+      index = ranges.bsearch_index { |range| range.begin > ip }
+      index = index ? index - 1 : ranges.size - 1
+      return false if index < 0
+
+      ranges[index].cover?(ip)
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/ip_set.rb

@@ -20,6 +20,8 @@ module Aikido::Zen
 
     def include?(ip)
       native_ip = nativize_ip(ip)
+      return false if native_ip.nil?
+
       @ips.any? { |pattern| pattern === native_ip }
     end
     alias_method :===, :include?

data/lib/aikido/zen/runtime_settings.rb

@@ -11,11 +11,14 @@ module Aikido::Zen
   #
   # You can subscribe to changes with +#add_observer(object, func_name)+, which
   # will call the function passing the settings as an argument
-  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :bypassed_ips, :received_any_stats, :blocking_mode, :blocked_user_agent_regexp, :monitored_user_agent_regexp, :user_agent_details, :block_new_outbound, :domains, :excluded_user_ids_from_rate_limiting) do
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :bypassed_ips, :received_any_stats, :blocking_mode, :blocked_user_agent_regexp, :monitored_user_agent_regexp, :user_agent_details, :blocked_ip_lists, :allowed_ip_lists, :monitored_ip_lists, :block_new_outbound, :domains, :excluded_user_ids_from_rate_limiting) do
     def initialize(*)
       super
       self.endpoints ||= RuntimeSettings::Endpoints.new
       self.bypassed_ips ||= RuntimeSettings::IPSet.new
+      self.blocked_ip_lists ||= []
+      self.allowed_ip_lists ||= []
+      self.monitored_ip_lists ||= []
       self.domains ||= RuntimeSettings::Domains.new
     end
 
@@ -42,6 +45,15 @@ module Aikido::Zen
     # @!attribute [rw] blocking_mode
     #   @return [Boolean]
 
+    # @!attribute [rw] blocked_ip_lists
+    #   @return [Array<Aikido::Zen::RuntimeSettings::IPList>]
+
+    # @!attribute [rw] allowed_ip_lists
+    #   @return [Array<Aikido::Zen::RuntimeSettings::IPList>]
+
+    # @!attribute [rw] monitored_ip_lists
+    #   @return [Array<Aikido::Zen::RuntimeSettings::IPList>]
+
     # @!attribute [rw] blocked_user_agent_regexp
     #   @return [Regexp]
 
@@ -112,6 +124,24 @@ module Aikido::Zen
           pattern: pattern
         }
       end
+
+      self.blocked_ip_lists = []
+
+      data["blockedIPAddresses"]&.each do |ip_list|
+        blocked_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
+      end
+
+      self.allowed_ip_lists = []
+
+      data["allowedIPAddresses"]&.each do |ip_list|
+        allowed_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
+      end
+
+      self.monitored_ip_lists = []
+
+      data["monitoredIPAddresses"]&.each do |ip_list|
+        monitored_ip_lists << RuntimeSettings::IPList.from_json(ip_list)
+      end
     end
 
     # Construct a regular expression from the non-nil and non-empty string,
@@ -165,9 +195,25 @@ module Aikido::Zen
     def user_agent_keys(user_agent)
       return [] if user_agent_details.nil?
 
-      user_agent_details
-        .filter { |record| record[:pattern].match?(user_agent) }
-        .map { |record| record[:key] }
+      user_agent_details.filter_map { |record| record[:key] if record[:pattern].match?(user_agent) }
+    end
+
+    def allowed_ip?(ip)
+      allowed_ip_lists.empty? || allowed_ip_lists.any? { |ip_list| ip_list.include?(ip) }
+    end
+
+    def blocked_ip?(ip)
+      blocked_ip_lists.any? { |ip_list| ip_list.include?(ip) }
+    end
+
+    def monitored_ip?(ip)
+      monitored_ip_lists.any? { |ip_list| ip_list.include?(ip) }
+    end
+
+    def monitored_ip_list_keys(ip)
+      return [] if ip.nil?
+
+      monitored_ip_lists.filter_map { |ip_list| ip_list.key if ip_list.include?(ip) }
     end
 
     def block_outbound?(connection)
@@ -181,5 +227,6 @@ module Aikido::Zen
 end
 
 require_relative "runtime_settings/ip_set"
+require_relative "runtime_settings/ip_list"
 require_relative "runtime_settings/endpoints"
 require_relative "runtime_settings/domains"

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.2.3"
+    VERSION = "1.3.0"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.60"

data/lib/aikido/zen.rb

@@ -17,6 +17,7 @@ require_relative "zen/middleware/middleware"
 require_relative "zen/middleware/fork_detector"
 require_relative "zen/middleware/context_setter"
 require_relative "zen/middleware/allowed_address_checker"
+require_relative "zen/middleware/ip_list_checker"
 require_relative "zen/middleware/user_agent_checker"
 require_relative "zen/middleware/attack_protector"
 require_relative "zen/middleware/attack_wave_protector"
@@ -133,7 +134,7 @@ module Aikido
       collector.track_rate_limited_request
     end
 
-    # Track monitored and blocked user agents.
+    # Track blocked and monitored user agents.
     #
     # @param user_agent_keys [Array<String>, nil] the user agent keys
     #   from matching runtime firewall list user agent details.
@@ -142,6 +143,15 @@ module Aikido
       collector.track_user_agent(user_agent_keys)
     end
 
+    # Track blocked and monitored IP lists.
+    #
+    # @param ip_list_keys [Array<String>, nil] the IP list keys
+    #   from matching runtime firewall list IP lists.
+    # @return [void]
+    def self.track_ip_list(ip_list_keys)
+      collector.track_ip_list(ip_list_keys)
+    end
+
     # Track statistics about an attack wave the app is handling.
     #
     # @param attack_wave [Aikido::Zen::Events::AttackWave]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.2.3
+  version: 1.3.0
 platform: arm64-linux
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-04-14 00:00:00.000000000 Z
+date: 2026-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -86,6 +86,7 @@ files:
 - README.md
 - Rakefile
 - benchmarks/README.md
+- benchmarks/ip_list/benchmark.rb
 - benchmarks/rails7.1_benchmark.js
 - benchmarks/rails7.1_sql_injection.js
 - docs/banner.svg
@@ -131,6 +132,7 @@ files:
 - lib/aikido/zen/middleware/attack_wave_protector.rb
 - lib/aikido/zen/middleware/context_setter.rb
 - lib/aikido/zen/middleware/fork_detector.rb
+- lib/aikido/zen/middleware/ip_list_checker.rb
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
 - lib/aikido/zen/middleware/request_tracker.rb
@@ -157,6 +159,7 @@ files:
 - lib/aikido/zen/runtime_settings/domain_settings.rb
 - lib/aikido/zen/runtime_settings/domains.rb
 - lib/aikido/zen/runtime_settings/endpoints.rb
+- lib/aikido/zen/runtime_settings/ip_list.rb
 - lib/aikido/zen/runtime_settings/ip_set.rb
 - lib/aikido/zen/runtime_settings/protection_settings.rb
 - lib/aikido/zen/runtime_settings/rate_limit_settings.rb