Module: Aikido::Zen::Sinks::Patron

Defined in:
lib/aikido/zen/sinks/patron.rb

Defined Under Namespace

Modules: Helpers

Constant Summary

# Registers the "patron" sink; its outbound requests are checked by the
# SSRF scanner (see load_sinks! below for where the patching happens).
SINK =
Sinks.add("patron", scanners: [
  Scanners::SSRFScanner
])

Class Method Summary

Class Method Details

.load_sinks! ⇒ Object



# File 'lib/aikido/zen/sinks/patron.rb', line 37

# Patches Patron::Session#handle_request so that every outbound HTTP request
# made through Patron is tracked and scanned for SSRF before it is sent, and
# scanned again after any redirect that libcurl followed on its own.
#
# Only applies when the installed patron gem is ">= 0.6.4"; otherwise this is
# a no-op (no require, no patch).
def self.load_sinks!
  if Aikido::Zen.satisfy "patron", ">= 0.6.4"
    require "patron"

    ::Patron::Session.class_eval do
      extend Sinks::DSL

      # `original_call` invokes the unpatched #handle_request; `request` is the
      # Patron request about to be issued (NOTE(review): block arity/semantics
      # come from Sinks::DSL#sink_around — confirm there).
      sink_around :handle_request do |original_call, request|
        wrapped_request = Scanners::SSRFScanner::Request.new(
          verb: request.action,
          uri: URI(request.url),
          headers: request.headers
        )

        # Store the request information so the DNS sinks can pick it up.
        # The previous value is kept so the `ensure` below can restore it
        # (nil when the key was absent), in case requests nest.
        context = Aikido::Zen.current_context
        if context
          prev_request = context["ssrf.request"]
          context["ssrf.request"] = wrapped_request
        end

        connection = OutboundConnection.from_uri(URI(request.url))

        settings = Aikido::Zen.runtime_settings

        # Client IP of the inbound request that triggered this outbound call;
        # nil when there is no current context.
        client_ip = context&.request&.client_ip

        # Bypassed client IPs skip outbound tracking and the outbound block
        # list, but NOT the SSRF scan below.
        # NOTE(review): presumably bypassed_ip?(nil) is false, so calls made
        # outside any request context are still tracked — confirm.
        unless settings.bypassed_ip?(client_ip)
          Aikido::Zen.track_outbound(connection)

          if settings.block_outbound?(connection)
            # NOTE(review): assumes presafe lets this error propagate past the
            # sink's own error handling rather than being reported and swallowed
            # — confirm against Sinks::DSL.presafe.
            Sinks::DSL.presafe do
              raise OutboundConnectionBlockedError.new(connection)
            end
          end
        end

        # Pre-send SSRF scan of the request as the caller issued it.
        Helpers.scan(wrapped_request, connection, "request")

        response = original_call.call

        # Record the redirect (if this response is one) so a later request to
        # the redirect target can be linked back to this origin request.
        Scanners::SSRFScanner.track_redirects(
          request: wrapped_request,
          response: Helpers.wrap_response(request, response)
        )

        # When libcurl has follow_location set, it will handle redirections
        # internally, and expose the response.url as the URI that was last
        # requested in the redirect chain.
        #
        # In this case, we can't actually stop the request from happening, but
        # we can scan again (now that we know another request happened), to
        # stop the response from being exposed to the user. This downgrades
        # the SSRF into a blind SSRF, which is better than doing nothing.
        #
        # NOTE(review): the last effective connection is scanned but is not
        # passed through track_outbound / block_outbound? like the original
        # connection above — confirm whether that asymmetry is intended.
        if request.url != response.url && !response.url.to_s.empty?
          last_effective_request = Scanners::SSRFScanner::Request.new(
            verb: request.action,
            uri: URI(response.url),
            headers: request.headers
          )
          context["ssrf.request"] = last_effective_request if context

          connection = OutboundConnection.from_uri(URI(response.url))

          Helpers.scan(last_effective_request, connection, "request")
        end

        response
      ensure
        # Restore the previously stored request even when the call raised;
        # `context` is nil here if the failure happened before it was assigned.
        context["ssrf.request"] = prev_request if context
      end
    end
  end
end