Module: Aikido::Zen::Sinks::Curl

Defined in:
lib/aikido/zen/sinks/curb.rb

Defined Under Namespace

Modules: Helpers

Constant Summary collapse

SINK = 
Sinks.add("curb", scanners: [
  Scanners::SSRFScanner
])

Class Method Summary collapse

Class Method Details

.load_sinks!Object 



46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
 
# File 'lib/aikido/zen/sinks/curb.rb', line 46

def self.load_sinks!
  if Aikido::Zen.satisfy "curb", ">= 0.2.3"
    require "curb"

    ::Curl::Easy.class_eval do
      extend Sinks::DSL

      sink_around :perform do |original_call|
        wrapped_request = Helpers.wrap_request(self)

        # Store the request information so the DNS sinks can pick it up.
        context = Aikido::Zen.current_context
        if context
          prev_request = context["ssrf.request"]
          context["ssrf.request"] = wrapped_request
        end

        connection = OutboundConnection.from_uri(URI(url))

        settings = Aikido::Zen.runtime_settings

        client_ip = context&.request&.client_ip

        unless settings.bypassed_ip?(client_ip)
          Aikido::Zen.track_outbound(connection)

          if settings.block_outbound?(connection)
            Sinks::DSL.presafe do
              raise OutboundConnectionBlockedError.new(connection)
            end
          end
        end

        Helpers.scan(wrapped_request, connection, "request")

        response = original_call.call

        Scanners::SSRFScanner.track_redirects(
          request: wrapped_request,
          response: Helpers.wrap_response(self)
        )

        # When libcurl has follow_location set, it will handle redirections
        # internally, and expose the "last_effective_url" as the URI that was
        # last requested in the redirect chain.
        #
        # In this case, we can't actually stop the request from happening, but
        # we can scan again (now that we know another request happened), to
        # stop the response from being exposed to the user. This downgrades
        # the SSRF into a blind SSRF, which is better than doing nothing.
        if url != last_effective_url
          last_effective_request = Helpers.wrap_request(self, url: last_effective_url)

          # Code coverage is disabled here because the else clause is a no-op,
          # so there is nothing to cover.
          # :nocov:
          if context
            context["ssrf.request"] = last_effective_request
          else
            # empty
          end
          # :nocov:

          connection = OutboundConnection.from_uri(URI(last_effective_url))

          Helpers.scan(last_effective_request, connection, "request")
        end

        response
      ensure
        context["ssrf.request"] = prev_request if context
      end
    end
  end
end