aikido-zen 1.3.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da6cdcfab4ab64c1d5f25d652fe71da5f869e32516faffec48ad4c542abb2aec
-  data.tar.gz: 87ff936a996e0f4b4cd459cd4293cb60853c6f8f26f7b5b61ef698600e4921a9
+  metadata.gz: bfcc07a5e3256e9d9d35f89bea1cf884d2c51bf23d497a40401f61d7335a3dbc
+  data.tar.gz: 81055a97f6a640bafb3bfd29fbc96f0c0eeb165046191bd68518109908d92817
 SHA512:
-  metadata.gz: 42e79d8f15a8bdb3ec3fb4fe7b83648ae86784ee3c52a383b2052a7ed28957506aac56a1d90b18f5a0baa0eef65ea449aa46c0fde95a87e57ffbd7382fcf1b55
-  data.tar.gz: 979ee37703c1198f9a3b261819410e88ad53542e13a80b18cfe9458b5088fab5ce7cda228ef54ba01db2277eeda94db15bc23c396b0fa718fb9bf3f8cd7f3971
+  metadata.gz: dba14387480fa74530c2120e123aa62c9e9b81054fa58149f26a5e4d6aeca4da5fc96732add6313ba02d3fecc5c6c8a587a208e47916e2a136a277159a86b429
+  data.tar.gz: 523e4fe6c7b14586a5d9e893ad51407fe6c46c52c408eea730ad8f45bab544d5861198a8e8fa5f6e6e19c69bc532bacdadcf1da4e8c74c6e89549c3f3108e68e

data/.simplecov

@@ -3,7 +3,7 @@
 # Due to dependency resolution, on Ruby 2.x we're stuck with a _very_ old
 # SimpleCov version, and it doesn't really give us any benefit to run coverage
 # in separate ruby versions since we don't branch on ruby version in the code.
-return if RUBY_VERSION < "3.0"
+return if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0")
 return if ENV["DISABLE_COVERAGE"] == "true"
 
 # Output coverage as LCOV to support CodeCov

data/docs/invalid-sql-queries.md

@@ -0,0 +1,9 @@
+# Blocking invalid SQL queries
+
+Zen blocks SQL queries that it can't tokenize when they contain user input. This prevents attackers from bypassing SQL injection detection with malformed queries. For example, ClickHouse ignores invalid SQL after `;`, and SQLite runs queries before an unclosed `/*` comment.
+
+This is on by default. In blocking mode, these queries are blocked. In detection-only mode, they are reported but still executed.
+
+If you see false positives (legitimate queries being blocked), set
+`AIKIDO_BLOCK_INVALID_SQL=false` in your environment, or set
+`Aikido::Zen.config.block_invalid_sql = false`.

data/lib/aikido/zen/attack.rb

@@ -121,11 +121,12 @@ module Aikido::Zen
       attr_reader :input
       attr_reader :dialect
 
-      def initialize(query:, input:, dialect:, **opts)
+      def initialize(query:, input:, dialect:, failed_to_tokenize:, **opts)
         super(**opts)
         @query = query
         @input = input
         @dialect = dialect
+        @failed_to_tokenize = failed_to_tokenize
       end
 
       def humanized_name
@@ -139,8 +140,9 @@ module Aikido::Zen
       def metadata
         {
           sql: @query,
-          dialect: @dialect.name
-        }
+          dialect: @dialect.name,
+          failedToTokenize: @failed_to_tokenize || nil
+        }.compact
       end
 
       def exception(*)

data/lib/aikido/zen/config.rb

@@ -28,6 +28,14 @@ module Aikido::Zen
     attr_accessor :blocking_mode
     alias_method :blocking_mode?, :blocking_mode
 
+    # @return [Boolean] is the agent in debugging mode?
+    attr_accessor :debugging
+    alias_method :debugging?, :debugging
+
+    # @return [String] the token obtained when configuring the Firewall in the
+    #   Aikido interface.
+    attr_accessor :api_token
+
     # @return [URI] The HTTP host for the Aikido API. Defaults to
     #   +https://guard.aikido.dev+.
     attr_reader :api_endpoint
@@ -39,10 +47,6 @@ module Aikido::Zen
     # @return [Hash] HTTP timeouts for communicating with the API.
     attr_reader :api_timeouts
 
-    # @return [String] the token obtained when configuring the Firewall in the
-    #   Aikido interface.
-    attr_accessor :api_token
-
     # @return [Integer] the interval in seconds to poll the runtime API for
     #   settings changes. Defaults to evey 60 seconds.
     attr_accessor :polling_interval
@@ -67,10 +71,6 @@ module Aikido::Zen
     # Defaults to `aikido-detached-agent.sock`.
     attr_accessor :detached_agent_socket_path
 
-    # @return [Boolean] is the agent in debugging mode?
-    attr_accessor :debugging
-    alias_method :debugging?, :debugging
-
     # @return [String] environment specific HTTP header providing the client IP.
     attr_accessor :client_ip_header
 
@@ -165,6 +165,12 @@ module Aikido::Zen
     attr_accessor :harden
     alias_method :harden?, :harden
 
+    # @return [Boolean] whether Aikido Zen should block SQL queries that fail
+    #   tokenization when user input is present. Defaults to false. Can be set
+    #   through AIKIDO_BLOCK_INVALID_SQL environment variable.
+    attr_accessor :block_invalid_sql
+    alias_method :block_invalid_sql?, :block_invalid_sql
+
     # @return [Integer] how many suspicious requests are allowed before an
     #   attack wave detected event is reported.
     #   Defaults to 15 requests.
@@ -188,19 +194,24 @@ module Aikido::Zen
     #   Defaults to 15 entries.
     attr_accessor :attack_wave_max_cache_samples
 
+    # @return [Float, nil] the timeout in seconds for regular expression matching.
+    #  Applied to selected internal regular expressions to mitigate ReDoS risks.
+    #  Defaults to 1.0 seconds.
+    attr_accessor :redos_regexp_timeout
+
     def initialize
       self.insert_middleware_after = ::ActionDispatch::RemoteIp
       self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
       self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
-      self.api_timeouts = 10
+      self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
+      self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
       self.api_endpoint = ENV.fetch("AIKIDO_ENDPOINT", DEFAULT_AIKIDO_ENDPOINT)
       self.realtime_endpoint = ENV.fetch("AIKIDO_REALTIME_ENDPOINT", DEFAULT_RUNTIME_BASE_URL)
-      self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
+      self.api_timeouts = 10
       self.polling_interval = 60 # 1 min
       self.initial_heartbeat_delays = [30, 60 * 2] # 30 sec, 2 min
       self.json_encoder = DEFAULT_JSON_ENCODER
       self.json_decoder = DEFAULT_JSON_DECODER
-      self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
       self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO)
       self.detached_agent_socket_path = ENV.fetch("AIKIDO_DETACHED_AGENT_SOCKET_PATH", DEFAULT_DETACHED_AGENT_SOCKET_PATH)
       self.client_ip_header = ENV.fetch("AIKIDO_CLIENT_IP_HEADER", nil)
@@ -208,25 +219,27 @@ module Aikido::Zen
       self.max_compressed_stats = 100
       self.max_outbound_connections = 200
       self.max_users_tracked = 1000
-      self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER
       self.blocked_responder = DEFAULT_BLOCKED_RESPONDER
       self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
       self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
-      self.server_rate_limit_deadline = 30 * 60 # 30 min
-      self.client_rate_limit_period = 60 * 60 # 1 hour
-      self.client_rate_limit_max_events = 100
       self.collect_api_schema = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true))
       self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
       self.api_schema_collection_max_depth = 20
       self.api_schema_collection_max_properties = 20
+      self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER
+      self.client_rate_limit_period = 60 * 60 # 1 hour
+      self.client_rate_limit_max_events = 100
+      self.server_rate_limit_deadline = 30 * 60 # 30 min
       self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
       self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
       self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true))
+      self.block_invalid_sql = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK_INVALID_SQL", false))
       self.attack_wave_threshold = 15
       self.attack_wave_min_time_between_requests = 60 * 1000 # 1 min (ms)
       self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
       self.attack_wave_max_cache_entries = 10_000
       self.attack_wave_max_cache_samples = 15
+      self.redos_regexp_timeout = 1.0
     end
 
     # Set the base URL for API requests.

data/lib/aikido/zen/context/rack_request.rb

@@ -14,12 +14,36 @@ module Aikido::Zen
     request = Aikido::Zen::Request.new(delegate, framework: "rack", router: router)
 
     Context.new(request) do |req|
+      query = begin
+        req.GET
+      rescue
+        {}
+      end
+
+      body = begin
+        req.POST
+      rescue
+        {}
+      end
+
+      header = begin
+        req.normalized_headers
+      rescue
+        {}
+      end
+
+      cookie = begin
+        req.cookies
+      rescue
+        {}
+      end
+
       {
-        query: req.GET,
-        body: req.POST,
+        query: query,
+        body: body,
         route: {},
-        header: req.normalized_headers,
-        cookie: req.cookies,
+        header: header,
+        cookie: cookie,
         subdomain: []
       }
     end

data/lib/aikido/zen/context/rails_request.rb

@@ -34,13 +34,49 @@ module Aikido::Zen
     end
 
     Context.new(request) do |req|
+      query = begin
+        req.query_parameters
+      rescue
+        {}
+      end
+
+      body = begin
+        req.request_parameters
+      rescue
+        {}
+      end
+
+      route = begin
+        req.path_parameters
+      rescue
+        {}
+      end
+
+      header = begin
+        req.normalized_headers
+      rescue
+        {}
+      end
+
+      cookie = begin
+        decrypt_cookies.call(req)
+      rescue
+        {}
+      end
+
+      subdomain = begin
+        req.subdomains
+      rescue
+        []
+      end
+
       {
-        query: req.query_parameters,
-        body: req.request_parameters,
-        route: req.path_parameters,
-        header: req.normalized_headers,
-        cookie: decrypt_cookies.call(req),
-        subdomain: req.subdomains
+        query: query,
+        body: body,
+        route: route,
+        header: header,
+        cookie: cookie,
+        subdomain: subdomain
       }
     end
   end

data/lib/aikido/zen/helpers.rb

@@ -19,6 +19,16 @@ module Aikido
         normalized_path.chomp!("/") unless normalized_path == "/"
         normalized_path
       end
+
+      # Returns a copy of the regexp with the timeout set if timeout is supported.
+      #
+      # @param regexp [Regexp] the regexp
+      # @return [Regexp] the regexp with timeout set
+      def self.regexp_with_timeout(regexp, timeout: Aikido::Zen.config.redos_regexp_timeout)
+        return regexp if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.2")
+
+        Regexp.new(regexp.source, regexp.options, timeout: timeout)
+      end
     end
   end
 end

data/lib/aikido/zen/internals.rb

@@ -99,16 +99,14 @@ module Aikido::Zen
         query_ptr.put_bytes(0, query_bytes)
         input_ptr.put_bytes(0, input_bytes)
 
-        case detect_sql_injection_native(query_ptr, query_bytes.bytesize, input_ptr, input_bytes.bytesize, dialect)
-        when 0 then false
-        when 1 then true
-        when 2
+        result = detect_sql_injection_native(query_ptr, query_bytes.bytesize, input_ptr, input_bytes.bytesize, dialect)
+
+        if result == 2
           attempt = format("%s query %p with input %p", dialect, query, input)
           raise InternalsError.new(attempt, "calling detect_sql_injection in", libzen_name)
-        when 3
-          # SQL tokenization failed - return false (no injection detected)
-          false
         end
+
+        result
       end
     end
 

data/lib/aikido/zen/request.rb

@@ -26,7 +26,7 @@ module Aikido::Zen
 
     def __setobj__(delegate) # :nodoc:
       super
-      @route = @normalized_header = nil
+      @route = @normalized_headers = nil
     end
 
     # @return [Aikido::Zen::Route] the framework route being requested.
@@ -64,10 +64,14 @@ module Aikido::Zen
     def normalized_headers
       @normalized_headers ||= env.slice(*BLESSED_CGI_HEADERS)
         .merge(env.select { |key, _| key.start_with?("HTTP_") })
-        .transform_keys { |header|
-          name = header.sub(/^HTTP_/, "").downcase
-          name.split("_").map { |part| part[0].upcase + part[1..] }.join("-")
-        }
+        .transform_keys do |header|
+          header
+            .delete_prefix("HTTP_")
+            .downcase
+            .split("_")
+            .map(&:capitalize)
+            .join("-")
+        end
     end
 
     def as_json

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -13,13 +13,14 @@ module Aikido::Zen
       # Path Traversal kind of attacks.
       #
       # @param filepath [String] the expanded path that is tried to be read
-      # @param context [Aikido::Zen::Context]
+      # @param scan [Aikido::Zen::Scan] the running scan.
       # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param context [Aikido::Zen::Context]
       # @param operation [Symbol, String] name of the method being scanned.
       #
       # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
       # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
-      def self.call(filepath:, sink:, context:, operation:)
+      def self.call(scan:, sink:, context:, filepath:, operation:)
         context.payloads.each do |payload|
           next unless new(filepath, payload.value.to_s).attack?
 
@@ -31,6 +32,8 @@ module Aikido::Zen
             operation: "#{sink.operation}.#{operation}",
             stack: Aikido::Zen.clean_stack_trace
           )
+        rescue => error
+          scan.track_error(error, self)
         end
 
         nil

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -10,11 +10,12 @@ module Aikido::Zen
       end
 
       # @param command [String]
+      # @param scan [Aikido::Zen::Scan]
       # @param sink [Aikido::Zen::Sink]
       # @param context [Aikido::Zen::Context]
       # @param operation [Symbol, String]
       #
-      def self.call(command:, sink:, context:, operation:)
+      def self.call(command:, scan:, sink:, context:, operation:)
         context.payloads.each do |payload|
           next unless new(command, payload.value.to_s).attack?
 
@@ -26,6 +27,8 @@ module Aikido::Zen
             operation: "#{sink.operation}.#{operation}",
             stack: Aikido::Zen.clean_stack_trace
           )
+        rescue => error
+          scan.track_error(error, self)
         end
 
         nil

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -14,25 +14,24 @@ module Aikido::Zen
       # and returns an Attack if so, based on the current request.
       #
       # @param query [String]
-      # @param context [Aikido::Zen::Context]
-      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
       # @param dialect [Symbol] one of +:mysql+, +:postgesql+, or +:sqlite+.
+      # @param scan [Aikido::Zen::Scan] the running scan.
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param context [Aikido::Zen::Context]
       # @param operation [Symbol, String] name of the method being scanned.
       #   Expects +sink.operation+ being set to get the full module/name combo.
       #
       # @return [Aikido::Zen::Attack, nil] an Attack if any user input is
       #   detected to be attempting a SQL injection, or nil if this is safe.
-      #
-      # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
-      #   calling zenlib. See Sink#scan.
-      def self.call(query:, dialect:, sink:, context:, operation:)
+      def self.call(query:, dialect:, scan:, sink:, context:, operation:)
         dialect = DIALECTS.fetch(dialect) do
           Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
           DIALECTS[:common]
         end
 
         context.payloads.each do |payload|
-          next unless new(query, payload.value.to_s, dialect).attack?
+          scanner = new(query, payload.value.to_s, dialect)
+          next unless scanner.attack?
 
           return Attacks::SQLInjectionAttack.new(
             sink: sink,
@@ -41,13 +40,21 @@ module Aikido::Zen
             dialect: dialect,
             context: context,
             operation: "#{sink.operation}.#{operation}",
-            stack: Aikido::Zen.clean_stack_trace
+            stack: Aikido::Zen.clean_stack_trace,
+            failed_to_tokenize: scanner.failed_to_tokenize
           )
+        rescue Aikido::Zen::InternalsError => error
+          Aikido::Zen.config.logger.warn(error.message)
+          scan.track_error(error, self)
+        rescue => error
+          scan.track_error(error, self)
         end
 
         nil
       end
 
+      attr_reader :failed_to_tokenize
+
       def initialize(query, input, dialect)
         @query = query.downcase
         @input = input.downcase
@@ -65,12 +72,26 @@ module Aikido::Zen
         return false unless @query.include?(@input)
 
         # If the input is solely alphanumeric, we can ignore it
-        return false if /\A[[:alnum:]_]+\z/i.match?(@input)
+        return false if Aikido::Zen::Helpers.regexp_with_timeout(/\A[[:alnum:]_]+\z/i).match?(@input)
 
         # If the input is a comma-separated list of numbers, ignore it.
-        return false if /\A(?:\d+(?:,\s*)?)+\z/i.match?(@input)
+        return false if Aikido::Zen::Helpers.regexp_with_timeout(/\A[ ,]*\d[ ,\d]*\z/).match?(@input)
+
+        result = Internals.detect_sql_injection(@query, @input, @dialect)
+
+        case result
+        when 0
+          false
+        when 1
+          true
+        when 3
+          @failed_to_tokenize = true
+          Aikido::Zen.config.block_invalid_sql?
+        end
+      rescue => err
+        return true if defined?(Regexp::TimeoutError) && err.is_a?(Regexp::TimeoutError)
 
-        Internals.detect_sql_injection(@query, @input, @dialect)
+        raise err
       end
 
       # @api private

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -30,14 +30,15 @@ module Aikido::Zen
       #
       # @param request [Aikido::Zen::Scanners::SSRFScanner::Request, nil]
       #   the ongoing outbound HTTP request.
-      # @param context [Aikido::Zen::Context]
+      # @param scan [Aikido::Zen::Scan] the running scan.
       # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param context [Aikido::Zen::Context]
       # @param operation [Symbol, String] name of the method being scanned.
       #   Expects +sink.operation+ being set to get the full module/name combo.
       #
       # @return [Aikido::Zen::Attacks::SSRFAttack, nil] an Attack if any user
       #   input is detected to be attempting SSRF, or +nil+ if not.
-      def self.call(request:, sink:, context:, operation:, **)
+      def self.call(request:, scan:, sink:, context:, operation:, **)
         return if request.nil? # See NOTE above.
 
         context["ssrf.redirects"] ||= RedirectChains.new
@@ -46,7 +47,7 @@ module Aikido::Zen
           scanner = new(request.uri, payload.value, context["ssrf.redirects"])
           next unless scanner.attack?
 
-          attack = Attacks::SSRFAttack.new(
+          return Attacks::SSRFAttack.new(
             sink: sink,
             request: request,
             input: payload,
@@ -54,8 +55,8 @@ module Aikido::Zen
             operation: "#{sink.operation}.#{operation}",
             stack: Aikido::Zen.clean_stack_trace
           )
-
-          return attack
+        rescue => error
+          scan.track_error(error, self)
         end
 
         nil
@@ -109,17 +110,21 @@ module Aikido::Zen
       private
 
       def match?(conn_uri, input_uri)
-        return false if conn_uri.hostname.nil? || conn_uri.hostname.empty?
+        # If a URI does not include a scheme then hostname and port are nil.
+        # No further comparison is necessary, because the conn_uri hostname
+        # and port are presumed to be non-nil.
         return false if input_uri.hostname.nil? || input_uri.hostname.empty?
 
-        # The URI library will automatically set the port to the default port
-        # for the current scheme if not provided, which means we can't just
-        # check if the port is present, as it always will be.
+        # If a URI does not include a port then port is the default port
+        # for the scheme, otherwise, port is nil. If the input_uri port is
+        # the default port for the scheme then port comparison is skipped,
+        # because the user input is presumed not to have included a port.
         is_port_relevant = input_uri.port != input_uri.default_port
-        return false if is_port_relevant && input_uri.port != conn_uri.port
+        return false if is_port_relevant && conn_uri.port != input_uri.port
 
-        conn_uri.hostname == input_uri.hostname &&
-          conn_uri.port == input_uri.port
+        # The port is either not relevant or is relevant and the conn_uri
+        # port and the input_uri port match. Do not force port comparison!
+        conn_uri.hostname == input_uri.hostname
       end
 
       def private_ip?(hostname)

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -11,7 +11,7 @@ module Aikido::Zen
         false
       end
 
-      def self.call(hostname:, addresses:, operation:, sink:, context:, **opts)
+      def self.call(hostname:, addresses:, operation:, scan:, sink:, context:, **opts)
         offending_address = new(hostname, addresses).attack?
         return if offending_address.nil?
 

data/lib/aikido/zen/sink.rb

@@ -94,13 +94,10 @@ module Aikido::Zen
         scanners.each do |scanner|
           next if scanner.skips_on_nil_context? && context.nil?
 
-          result = scanner.call(sink: self, context: context, **scan_params)
+          result = scanner.call(scan: scan, sink: self, context: context, **scan_params)
           scans_performed += 1
 
           break result if result
-        rescue Aikido::Zen::InternalsError => error
-          Aikido::Zen.config.logger.warn(error.message)
-          scan.track_error(error, scanner)
         rescue => error
           scan.track_error(error, scanner)
         end

data/lib/aikido/zen/sinks.rb

@@ -21,7 +21,7 @@ require_relative "sinks/net_http"
 
 # http.rb aims to support and is tested against Ruby 3.0+:
 # https://github.com/httprb/http?tab=readme-ov-file#supported-ruby-versions
-require_relative "sinks/http" if RUBY_VERSION >= "3.0"
+require_relative "sinks/http" if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0")
 
 require_relative "sinks/httpx"
 require_relative "sinks/httpclient"

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.3.0"
+    VERSION = "1.3.1"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.60"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-04-28 00:00:00.000000000 Z
+date: 2026-05-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -87,6 +87,7 @@ files:
 - benchmarks/rails7.1_sql_injection.js
 - docs/banner.svg
 - docs/config.md
+- docs/invalid-sql-queries.md
 - docs/proxy.md
 - docs/rails.md
 - docs/troubleshooting.md