Module: Aikido::Zen::Sinks::Socket

Defined in:
lib/aikido/zen/sinks/socket.rb

Overview

We intercept IPSocket.open to hook our DNS checks around it, since there’s no way to access the internal DNS resolution that happens in C when using the socket primitives.

Defined Under Namespace

Modules: Helpers

Constant Summary

SINK =
Sinks.add("socket", scanners: [
  Scanners::StoredSSRFScanner,
  Scanners::SSRFScanner
])

Class Method Summary

Class Method Details

.load_sinks! ⇒ Object

# File 'lib/aikido/zen/sinks/socket.rb', line 61

def self.load_sinks!
  ::IPSocket.singleton_class.class_eval do
    extend Sinks::DSL

    sink_after :open do |socket, remote_host|
      # Code coverage is disabled here because the tests are contrived and
      # intentionally do not call open.
      # :nocov:
      Helpers.scan(remote_host, socket, "open")
      # :nocov:
    rescue Aikido::Zen::UnderAttackError, Aikido::Zen::Sinks::DSL::PresafeError
      # If the scan raises an exception that will escape the safe block,
      # the open socket must be closed because it will not be returned,
      # so the user cannot close it.
      socket.close

      raise
    end
  end
end
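
The after-open check and close-on-rejection pattern from load_sinks!, as an added example that is not Aikido Zen's code: a module prepended to a socket class's singleton inspects the address the connection actually reached and closes the socket before re-raising. StubSocket, CheckedOpen, BlockedDestinationError, the range list and the hostnames are assumptions made for illustration, and a stub stands in for IPSocket so the example runs offline.

```ruby
require "ipaddr"
# All names here are hypothetical; this is not Aikido Zen's DSL or scanners.
class BlockedDestinationError < StandardError; end

# Constructed policy standing in for the SSRF scanners: internal ranges.
INTERNAL_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                     169.254.0.0/16 ::1/128 fc00::/7 fe80::/10]
                  .map { |cidr| IPAddr.new(cidr) }.freeze

def internal_address?(ip)
  # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) before matching.
  addr = IPAddr.new(IPAddr.new(ip).native.to_s)
  INTERNAL_RANGES.any? { |range| range.include?(addr) }
end

# The resolved address is only visible on the connected socket, so the
# check runs after open and must close whatever it rejects.
module CheckedOpen
  def open(host, port)
    socket = super
    begin
      peer_ip = socket.peeraddr.last # numeric address actually reached
      raise BlockedDestinationError, "#{host} -> #{peer_ip}" if internal_address?(peer_ip)
    rescue BlockedDestinationError
      socket.close # the caller never receives this socket
      raise
    end
    socket
  end
end

# Stand-in for IPSocket; RESOLVES_TO is constructed data playing the DNS answer.
class StubSocket
  RESOLVES_TO = { "api.example.test" => "203.0.113.10",
                  "metadata.example.test" => "169.254.169.254" }.freeze
  @opened = []
  class << self
    attr_reader :opened
    def open(host, port)
      new(RESOLVES_TO.fetch(host), port).tap { |s| @opened << s }
    end
  end
  def initialize(ip, port); @ip, @port, @closed = ip, port, false; end
  def peeraddr; ["AF_INET", @port, @ip, @ip]; end
  def close; @closed = true; end
  def closed?; @closed; end
end

StubSocket.singleton_class.prepend(CheckedOpen)
```

Without the close in the rescue branch, every rejected connection would leave an open descriptor that no caller holds a reference to.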