Module: Aikido::Zen::Sinks::Excon

Defined in:
lib/aikido/zen/sinks/excon.rb

Defined Under Namespace

Modules: Helpers

Constant Summary

SINK =
Sinks.add("excon", scanners: [
  Scanners::SSRFScanner
])

Class Method Summary

Class Method Details

.load_sinks! ⇒ Object



# File 'lib/aikido/zen/sinks/excon.rb', line 38

# Wires Excon into Zen's outbound-request protections. Nothing is patched
# unless an excon of at least 0.50.0 is available.
#
# Two patches are installed:
#
# * +Excon::Connection#request+ is wrapped so that the outbound connection
#   is tracked (and blocked when the runtime settings say so), the request
#   is scanned for SSRF, and the final response is handed to the SSRF
#   scanner's redirect tracking.
# * +Excon::Middleware::RedirectFollower#response_call+ gets a before-hook
#   so every intermediate redirect response is fed to redirect tracking as
#   well, not only the final one.
def self.load_sinks!
  return unless Aikido::Zen.satisfy("excon", ">= 0.50.0")

  require "excon"

  ::Excon::Connection.class_eval do
    extend Sinks::DSL

    sink_around :request do |original_call, params = {}|
      request = Helpers.build_request(@data, params)

      # Publish the in-flight request on the current context so the DNS
      # sinks can pick it up; remember what was there before so +ensure+
      # can put it back once the request is done.
      context = Aikido::Zen.current_context
      if context
        previous_request = context["ssrf.request"]
        context["ssrf.request"] = request
      end

      connection = OutboundConnection.from_uri(request.uri)
      settings = Aikido::Zen.runtime_settings
      client_ip = context&.request&.client_ip

      # Requests made on behalf of a bypassed client IP are neither tracked
      # nor blocked here. Note that the SSRF scan further down still runs
      # for them.
      unless settings.bypassed_ip?(client_ip)
        Aikido::Zen.track_outbound(connection)

        if settings.block_outbound?(connection)
          # presafe marks the error so the DSL lets it reach the caller; it
          # shows up in the rescue clause below wrapped in a PresafeError.
          Sinks::DSL.presafe { raise OutboundConnectionBlockedError.new(connection) }
        end
      end

      Helpers.scan(request, connection, "request")

      response = original_call.call

      # Record where this request ended up so redirect chains can be
      # followed by the scanner.
      Scanners::SSRFScanner.track_redirects(
        request: request,
        response: Scanners::SSRFScanner::Response.new(
          status: response.status,
          headers: response.headers.to_h
        )
      )

      response
    rescue Sinks::DSL::PresafeError => error
      socket_error = error.cause
      if socket_error.is_a?(::Excon::Error::Socket)
        wrapped = socket_error.cause
        # Excon wraps errors inside the lower level layer. This only happens
        # to our scanning exceptions when a request is using RedirectFollower,
        # so we unwrap them when it happens so host apps can handle errors
        # consistently.
        raise wrapped if wrapped.is_a?(Aikido::Zen::UnderAttackError)
      end
      raise
    ensure
      # Leave the context as we found it, whether the request succeeded or not.
      context["ssrf.request"] = previous_request if context
    end
  end

  ::Excon::Middleware::RedirectFollower.class_eval do
    extend Sinks::DSL

    # +datum+ is Excon's per-request data hash (it goes through the same
    # +Helpers.build_request+ as +@data+ above, so presumably the same shape).
    sink_before :response_call do |datum|
      response = datum[:response]

      # Code coverage is disabled here because the nil branch is a no-op,
      # so there is nothing to cover.
      # :nocov:
      if response.nil?
        # nothing to track yet
      else
        Scanners::SSRFScanner.track_redirects(
          request: Helpers.build_request(datum, {}),
          response: Scanners::SSRFScanner::Response.new(
            status: response[:status],
            headers: response[:headers]
          )
        )
      end
      # :nocov:
    end
  end
end