aikido-zen 0.1.0.alpha4-x86_64-linux → 0.1.0-x86_64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb3e9def57efa65f36ad936f752fea0e61695252c185e87ca9c1f91fa675b7e1
-  data.tar.gz: 47effea853a3d7f58549ed4c0a98a37d1f6811f8e64888bcc54aad1fd43b9008
+  metadata.gz: 0f0b2a3174ea5cb98412aad7981aa6b669490e4c125cb23d179419027a349c7d
+  data.tar.gz: 6009a16031c7935f9243b99ef64d9735d692f705d18ba612dc214eafffb1aa7b
 SHA512:
-  metadata.gz: b2c3136e777008f9009e529e41fa3bcc418326e8dccdb3a862acc67eea33825099fe8215ddf9d4d52e90349c6ebed109bf2a49fcfb895e392a2e91ee7183a1bf
-  data.tar.gz: 8ce803adf9897680dcd7ab20ee9f4ced0145727815fad10f97cf40fe6a6325860de1c93e78686ddf48a85dc32d19a2ecce04259856acdb31bdac6fc54d0a21a7
+  metadata.gz: ecf36ae3339b10fbf6b34c5baaeb071cb7d4c5785ddfb593af1145bd4063f617d9869ddad3a99361ebfeaea914bd9d32c2a7c53dad6a4772b453dc23f96f200d
+  data.tar.gz: f0c4833d629ebdf1ec2ad07df541bc02c88e96c57a76a14537bbf6df875eccd0c5440b1f2f6831c5cfb77336514365fe6deecf6a6c25466d5e0576e1c2478006

data/README.md

@@ -1,40 +1,153 @@
-# Aikido::Firewall
+![Zen by Aikido for Ruby](./docs/banner.svg)
 
-TODO: Write me :)
+# Zen, in-app firewall for Ruby | by Aikido
+
+Zen, your in-app firewall for peace of mind—at runtime.
+
+Zen by Aikido is an embedded Web Application Firewall that autonomously protects
+Ruby on Rails apps against common and critical attacks.
+
+It protects your Rails apps by preventing user input containing dangerous
+strings, preventing SQL injection and SSRF attacks. It runs embedded on your
+Rails application, for simple installation and zero maintenance.
+
+* 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
+* 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
+* 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection) (coming soon)
+* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+* 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
+
+Zen operates autonomously on the same server as your Rails app to:
+
+* ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
+* ✅ Rate limit specific API endpoints by IP or by user.
+* ✅ Allow you to block specific users manually.
+
+## Supported libraries and frameworks
+
+Zen for Ruby 2.7+ is compatible with:
+
+### Database drivers
+
+* ✅ [sqlite3](https://github.com/sparklemotion/sqlite3-ruby) 1.x, 2.x
+* ✅ [pg](https://github.com/ged/ruby-pg) 1.x
+* ✅ [trilogy](https://github.com/trilogy-libraries/trilogy) 2.x
+* ✅ [mysql2](https://github.com/brianmario/mysql2) 0.x
+
+### ORMs and Query Builders
+
+See list above for supported database drivers.
+
+* ✅ [ActiveRecord](https://github.com/rails/rails)
+* ✅ [Sequel](https://github.com/jeremyevans/sequel)
+
+### HTTP Clients
+
+* ✅ [net-http](https://github.com/ruby/net-http)
+* ✅ [http.rb](https://github.com/httprb/http) 1.x, 2.x, 3.x, 4.x, 5.x
+* ✅ [httpx](https://gitlab.com/os85/httpx) 1.x (1.1.3+)
+* ✅ [HttpClient](https://github.com/nahi/httpclient) 2.x, 3.x
+* ✅ [excon](https://github.com/excon/excon) 0.x (0.50.0+), 1.x
+* ✅ [patron](https://github.com/toland/patron) 0.x (0.6.4+)
+* ✅ [typhoeus](https://github.com/typhoeus/typhoeus) 0.x (0.5.0+), 1.x
+* ✅ [curb](https://github.com/taf2/curb) 0.x (0.2.3+), 1.x
+* ✅ [em-http-request](https://github.com/igrigorik/em-http-request) 1.x
+* ✅ [async-http](https://github.com/igrigorik/em-http-request) 0.x (0.70.0+)
 
 ## Installation
 
-Install the gem and add to the application's Gemfile by executing:
+We recommend testing Zen locally or on staging before deploying to production.
+
+```
+bundle add aikido-zen
+```
+
+or, if not using bundler:
+
+```
+gem install aikido-zen
+```
 
-    $ bundle add aikido-firewall
+For framework specific instructions, check out our docs:
 
-If bundler is not being used to manage dependencies, install the gem by executing:
+* [Ruby on Rails apps](docs/rails.md)
 
-    $ gem install aikido-firewall
+## Running in production (blocking) mode
 
-## Development
+By default, Zen will only detect and report attacks to Aikido.
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run
-`rake test` to run the tests. You can also run `bin/console` for an interactive
-prompt that will allow you to experiment.
+To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To
-release a new version, update the version number in `version.rb`, and then run
-`bundle exec rake release`, which will create a git tag for the version, push
-git commits and the created tag, and push the `.gem` file to
-[rubygems.org](https://rubygems.org).
+See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
+how to send events to Aikido.
+
+## Reporting to your Aikido Security dashboard
+
+> Aikido is your no nonsense application security platform. One central system
+> that scans your source code & cloud, shows you what vulnerabilities matter,
+> and how to fix them - fast. So you can get back to building.
+
+Zen is a new product by Aikido. Built for developers to level up their security.
+While Aikido scans, get Zen for always-on protection.
+
+You can use some of Zen’s features without Aikido, of course. Peace of mind is
+just a few lines of code away.
+
+But you will get the most value by reporting your data to Aikido.
+
+You will need an Aikido account and a token to report events to Aikido. If you
+don't have an account, you can sign up for free.
+
+Here's how:
+
+* Log in to your Aikido account.
+* Go to "Zen" on the sidebar.
+* Click on "Add App".
+* Choose a name for your App.
+* Click "Continue to Install"
+* Click "Generate Token".
+* Copy the token.
+* Set the token as an environment variable, `AIKIDO_TOKEN`, using
+  [dotenv](https://github.com/bkeepers/dotenv) or another method
+  of your choosing.
+
+## Performance
+
+We run a benchmark on every commit to ensure Zen has a minimal impact on your
+application's performance.
+
+For example, here's a benchmark that runs a single GET request to a Rails
+endpoint that performs a single SQL SELECT query:
+
+| Without Zen      | With Zen      | Difference    |
+|------------------|---------------|---------------|
+| 3.527ms          | 3.583ms       | +0.056ms      |
+
+Using Ruby 3.3, Rails 7.1, SQLite 1.7, running on a MacBook Pro M1 Pro. Results
+will vary based on hardware.
+
+See [benchmarks](benchmarks) for more information.
+
+## Bug bounty program
+
+Our bug bounty program is public and can be found by all registered Intigriti
+users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime
 
 ## Contributing
 
-Bug reports and pull requests are welcome [on GitHub][repo]. This project is
-intended to be a safe, welcoming space for collaboration, and contributors are
-expected to adhere to the [code of conduct][coc].
+See [CONTRIBUTING.md](.github/CONTRIBUTING.md) for more information.
 
 ## Code of Conduct
 
-Everyone interacting in the `Aikido::Firewall` project's codebases, issue
-trackers, chat rooms and mailing lists is expected to follow the [code of
-conduct][coc].
+See [CODE_OF_CONDUCT.md](.github/CODE_OF_CONDUCT.md) for more information.
+
+## License
+
+This program is offered under a commercial and under the AGPL license. You can
+be released from the requirements of the AGPL license by purchasing a commercial
+license. Buying such a license is mandatory as soon as you develop commercial
+activities involving the Zen software without disclosing the source code of your
+own applications.
 
-[repo]: https://github.com/aikidosec/firewall-ruby
-[coc]: https://github.com/aikidosec/firewall-ruby/blob/main/CODE_OF_CONDUCT.md
+For more information, please contact Aikido Security at this address:
+support@aikido.dev or create an account at https://app.aikido.dev.

data/Rakefile

@@ -6,6 +6,10 @@ require "standard/rake"
 require "rake/clean"
 
 load "tasklib/libzen.rake"
+load "tasklib/bench.rake"
+
+desc "Run all benchmarks"
+task bench: "bench:default"
 
 namespace :build do
   desc "Ensure Gemfile.lock is up-to-date"

data/benchmarks/README.md

@@ -0,0 +1,27 @@
+# Benchmarking Zen for Ruby
+
+This directory contains the benchmarking scripts that we use to ensure adding
+Zen to your application does not impact performance significantly.
+
+We use [Grafana K6](https://k6.io) for these. For each sample application we
+include in this repo under [sample_apps](../sample_apps), you should find
+a script here that runs certain benchmarks against that app.
+
+To run all the benchmarks, run the following from the root of the project:
+
+```
+$ bundle exec rake bench
+```
+
+In order to run a benchmarks against a single application, run the following
+from the root of the project:
+
+```
+$ bundle exec rake bench:{app}:run
+```
+
+For example, for the `rails7.1_sql_injection` application:
+
+```
+$ bundle exec rake bench:rails7.1_sql_injection:run
+```

data/benchmarks/rails7.1_sql_injection.js

@@ -0,0 +1,74 @@
+import http from 'k6/http';
+import { textSummary } from 'https://jslib.k6.io/k6-summary/0.0.2/index.js';
+import { check, sleep, fail } from 'k6';
+import exec from 'k6/execution';
+import { Trend } from 'k6/metrics';
+
+const HTTP = {
+  withZen: {
+    get: (path, ...args) => http.get("http://localhost:3001" + path, ...args),
+    post: (path, ...args) => http.post("http://localhost:3001" + path, ...args)
+  },
+  withoutZen: {
+    get: (path, ...args) => http.get("http://localhost:3002" + path, ...args),
+    post: (path, ...args) => http.post("http://localhost:3002" + path, ...args)
+  }
+}
+
+function test(name, fn) {
+  const duration = tests[name].duration;
+  const overhead = tests[name].overhead;
+
+  const withZen = fn(HTTP.withZen);
+  const withoutZen = fn(HTTP.withoutZen);
+
+  const timeWithZen = withZen.timings.duration,
+        timeWithoutZen = withoutZen.timings.duration;
+
+  duration.add(timeWithZen - timeWithoutZen);
+
+  const ratio = withZen.timings.duration / withoutZen.timings.duration;
+  overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
+}
+
+const defaultHeaders = {
+  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
+};
+
+const tests = {
+  test_post_page_with_json_body: {
+    duration: new Trend("test_post_page_with_json_body"),
+    overhead: new Trend("test_overhead_with_json_body")
+  },
+  test_get_page_without_attack: {
+    duration: new Trend("test_get_page_without_attack"),
+    overhead: new Trend("test_overhead_without_attack")
+  },
+  test_get_page_with_sql_injection: {
+    duration: new Trend("test_get_page_with_sql_injection"),
+    overhead: new Trend("test_overhead_with_sql_injection"),
+  }
+}
+export const options = {
+  vus: 1, // Number of virtual users
+  iterations: 200,
+  thresholds: {
+    test_post_page_with_json_body: ["med<10"],
+    test_get_page_without_attack: ["med<10"],
+    test_get_page_with_sql_injection: ["med<10"],
+  }
+};
+
+const expectAttack = http.expectedStatuses(500);
+
+export default function () {
+  test("test_post_page_with_json_body",
+    (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
+      headers: {"Content-Type": "application/json"}
+    })
+  )
+  test("test_get_page_without_attack", (http) => http.get("/cats"))
+  test("test_get_page_with_sql_injection", (http) =>
+    http.get("/cats/1'%20OR%20''='", {responseCallback: expectAttack})
+  )
+}