Module: Aikido::Zen::Sinks::Net::HTTP

Defined in:
lib/aikido/zen/sinks/net_http.rb

Defined Under Namespace

Modules: Helpers

Constant Summary

# Registers this module as the "net-http" sink; the SSRF scanner is the only
# scanner attached to outbound Net::HTTP requests.
SINK = Sinks.add("net-http", scanners: [Scanners::SSRFScanner])

Class Method Summary

Class Method Details

.load_sinks! ⇒ Object



# File 'lib/aikido/zen/sinks/net_http.rb', line 68

# Installs the Net::HTTP sink by wrapping Net::HTTP#request through the
# Sinks::DSL. Every outbound request is then:
#   1. wrapped into a Zen request object and published on the current context
#      under "ssrf.request" so the DNS sinks can correlate lookups with it,
#   2. tracked as an outbound connection and, when runtime settings say so,
#      blocked with OutboundConnectionBlockedError before any bytes are sent,
#   3. scanned (SSRF) before the original call runs, and
#   4. followed up after the call so redirects are tracked by the SSRF scanner.
#
# @return [Object] whatever ::Net::HTTP.class_eval returns; callers only rely
#   on the side effect of the patch being applied.
# @raise [OutboundConnectionBlockedError] from inside the wrapper, at request
#   time, when settings.block_outbound?(connection) is true.
def self.load_sinks!
  # In stdlib but not always required
  require "net/http"

  ::Net::HTTP.class_eval do
    extend Sinks::DSL

    # `self` inside this block is the Net::HTTP instance; `original_call`
    # invokes the unpatched #request and `req` is the Net::HTTPRequest.
    sink_around :request do |original_call, req|
      wrapped_request = Helpers.wrap_request(req, self)

      # Store the request information so the DNS sinks can pick it up.
      # The previous value is remembered so nested/concurrent requests on the
      # same context are restored correctly in the ensure clause below.
      context = Aikido::Zen.current_context
      if context
        prev_request = context["ssrf.request"]
        context["ssrf.request"] = wrapped_request
      end

      # Outbound host/port as seen by the HTTP client, independent of the
      # request URI (built from the Net::HTTP instance, not from `req`).
      connection = Helpers.build_outbound(self)

      settings = Aikido::Zen.runtime_settings

      # nil when there is no inbound request on the context (e.g. background
      # work); whether nil counts as bypassed is decided by bypassed_ip?.
      client_ip = context&.request&.client_ip

      # Bypassed client IPs are neither tracked nor blocked.
      unless settings.bypassed_ip?(client_ip)
        Aikido::Zen.track_outbound(connection)

        if settings.block_outbound?(connection)
          # NOTE(review): presafe presumably lets the error escape the DSL's
          # own error handling so the block is enforced — confirm against
          # Sinks::DSL.
          Sinks::DSL.presafe do
            raise OutboundConnectionBlockedError.new(connection)
          end
        end
      end

      # Scan before the request is sent so a detected SSRF never reaches the
      # network.
      Helpers.scan(wrapped_request, connection, "request")

      response = original_call.call

      # Redirect responses are recorded so a later hop can be linked back to
      # the originating request.
      Scanners::SSRFScanner.track_redirects(
        request: wrapped_request,
        response: Helpers.wrap_response(response)
      )

      response
    ensure
      # Runs on every exit path, including a raised block error or a failed
      # scan; `context`/`prev_request` are nil if assignment never happened.
      context["ssrf.request"] = prev_request if context
    end
  end
end