aikido-zen 0.1.1-x86_64-linux → 0.2.0-x86_64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71dff796247be7898e6fa9a68e66a0289c3435e45721b21a4e93ca94e486f130
-  data.tar.gz: c6f2ade140275a39b8371f9068a7b8b4b96666a903248e0d1e54eeab8e85603d
+  metadata.gz: f78def42674508f2ae6b4ddfa8c9f76b480e5fac73b066df9ea777f1b81f68f2
+  data.tar.gz: 851d854d0827033acd4db4aa2d6cad3a7e405d7d9e1f1b31e26175f43a898923
 SHA512:
-  metadata.gz: d8cd7c12e2b35fb7f6be3708345d445e0ba4f92f2c453db3f404ba40c8489ac709d65e710a1660e1ac7139799493a8879944ec996c1af1d29d5487add7cbf221
-  data.tar.gz: 1283b73ee94eae915fcb7298ed00319fcef545153421dda1512e7f551d81fa003c47c16ce8892eefc8de7b97d3382a245565b72dd305c708fada87305a1f001d
+  metadata.gz: e9c02d42ec4334f06e00869c0279fcbb29a491bf4d9f8187708ea2dc6f824123a2ca57f0c60f6c080c6ec50ead687485d139fdc19a750589b98b8949f1e555e7
+  data.tar.gz: e18a83a83a8bd1579ac1a43f30de688b4d7f66cf170de1eaf315566c3c9290c2da8846b6756ed5493f23e58bca20cc0751f312f340b51655b4ff927b1333bcaf

data/.simplecov

@@ -4,6 +4,7 @@
 # SimpleCov version, and it doesn't really give us any benefit to run coverage
 # in separate ruby versions since we don't branch on ruby version in the code.
 return if RUBY_VERSION < "3.0"
+return if ENV["DISABLE_COVERAGE"] == "true"
 
 SimpleCov.start do
   # Make sure SimpleCov waits until after the tests

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+### Fixed
+
+- Avoid an infinite loop when checking for SSRFs in a circular redirects loop.
+
 ## 0.1.1
 
 ### Fixed

data/README.md

@@ -1,5 +1,10 @@
 ![Zen by Aikido for Ruby](./docs/banner.svg)
 
+[![Gem Version](https://badge.fury.io/rb/aikido-zen.svg?icon=si%3Arubygems&style=flat)](https://badge.fury.io/rb/aikido-zen)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
+[![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
+[![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
+
 # Zen, in-app firewall for Ruby | by Aikido
 
 Zen, your in-app firewall for peace of mind—at runtime.
@@ -13,8 +18,8 @@ Rails application, for simple installation and zero maintenance.
 
 * 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
 * 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
-* 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection) (coming soon)
-* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked) (coming soon)
+* 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked) (coming soon)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
 
 Zen operates autonomously on the same server as your Rails app to:
@@ -81,6 +86,10 @@ To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
 how to send events to Aikido.
 
+## Additional configuration
+
+[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)
+
 ## Reporting to your Aikido Security dashboard
 
 > Aikido is your no nonsense application security platform. One central system

data/benchmarks/rails7.1_sql_injection.js

@@ -1,8 +1,5 @@
 import http from 'k6/http';
-import { textSummary } from 'https://jslib.k6.io/k6-summary/0.0.2/index.js';
-import { check, sleep, fail } from 'k6';
-import exec from 'k6/execution';
-import { Trend } from 'k6/metrics';
+import {Trend} from 'k6/metrics';
 
 const HTTP = {
   withZen: {
@@ -16,59 +13,58 @@ const HTTP = {
 }
 
 function test(name, fn) {
-  const duration = tests[name].duration;
-  const overhead = tests[name].overhead;
-
   const withZen = fn(HTTP.withZen);
   const withoutZen = fn(HTTP.withoutZen);
+  const timeWithZen = withZen.timings.duration;
+  const timeWithoutZen = withoutZen.timings.duration;
 
-  const timeWithZen = withZen.timings.duration,
-        timeWithoutZen = withoutZen.timings.duration;
-
-  duration.add(timeWithZen - timeWithoutZen);
+  tests[name].delta.add(timeWithZen - timeWithoutZen);
+  tests[name].overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
 
-  const ratio = withZen.timings.duration / withoutZen.timings.duration;
-  overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
+  tests[name].with_zen.add(timeWithZen);
+  tests[name].without_zen.add(timeWithoutZen);
 }
 
-const defaultHeaders = {
-  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
-};
+function buildTestTrends(prefix) {
+  return {
+    delta: new Trend(`${prefix}_delta`),
+    with_zen: new Trend(`${prefix}_with_zen`),
+    without_zen: new Trend(`${prefix}_without_zen`),
+    overhead: new Trend(`${prefix}_overhead`)
+  };
+}
 
 const tests = {
-  test_post_page_with_json_body: {
-    duration: new Trend("test_post_page_with_json_body"),
-    overhead: new Trend("test_overhead_with_json_body")
-  },
-  test_get_page_without_attack: {
-    duration: new Trend("test_get_page_without_attack"),
-    overhead: new Trend("test_overhead_without_attack")
-  },
-  test_get_page_with_sql_injection: {
-    duration: new Trend("test_get_page_with_sql_injection"),
-    overhead: new Trend("test_overhead_with_sql_injection"),
-  }
+  test_post_page_with_json_body: buildTestTrends("test_post_page_with_json_body"),
+  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack"),
+  test_get_page_with_sql_injection: buildTestTrends("test_get_page_with_sql_injection")
 }
 export const options = {
   vus: 1, // Number of virtual users
   iterations: 200,
   thresholds: {
-    test_post_page_with_json_body: ["med<10"],
-    test_get_page_without_attack: ["med<10"],
-    test_get_page_with_sql_injection: ["med<10"],
+    http_req_failed: ['rate==0'], // we are marking the attacks as expected, so we should have no errors
+    test_post_page_with_json_body_delta: ["med<10"],
+    test_get_page_without_attack_delta: ["med<10"],
+    test_get_page_with_sql_injection_delta: ["med<10"],
   }
 };
 
-const expectAttack = http.expectedStatuses(500);
+const expectAttack = http.expectedStatuses(200, 500);
 
 export default function () {
   test("test_post_page_with_json_body",
     (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
-      headers: {"Content-Type": "application/json"}
+      headers: {
+        "Content-Type": "application/json",
+        "Accept": "application/json"
+      }
     })
   )
+
   test("test_get_page_without_attack", (http) => http.get("/cats"))
+
   test("test_get_page_with_sql_injection", (http) =>
-    http.get("/cats/1'%20OR%20''='", {responseCallback: expectAttack})
+    http.get("/cats/1'%20OR%20''='", { responseCallback: expectAttack })
   )
 }