Class: Aikido::Zen::IDOR::Protector

Inherits:

Object

Object
Aikido::Zen::IDOR::Protector

show all

Defined in:: lib/aikido/zen/idor/protector.rb

Instance Attribute Summary collapse

#cache ⇒ Object private

Visible for testing.

Instance Method Summary collapse

#initialize(config: Aikido::Zen.config) ⇒ Protector constructor

A new instance of Protector.
#protect(sql, dialect_name, params, context) ⇒ Object

Constructor Details

#initialize(config: Aikido::Zen.config) ⇒ `Protector`

Returns a new instance of Protector.

# File 'lib/aikido/zen/idor/protector.rb', line 13

def initialize(config: Aikido::Zen.config)
  @config = config

  @cache = CappedMap.new(@config.idor_max_cache_entries, mode: :lru)
end

Instance Attribute Details

#cache ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Visible for testing.



11
12
13

# File 'lib/aikido/zen/idor/protector.rb', line 11

def cache
  @cache
end

Instance Method Details

#protect(sql, dialect_name, params, context) ⇒ `Object`

Parameters:

sql (String)
dialect_name (Symbol)
params (Array, nil)
context (Aikido::Zen::Context)

Raises:

(Aikido::Zen::IDOR::Error, Aikido::Zen::InternalsError)

# File 'lib/aikido/zen/idor/protector.rb', line 24

def protect(sql, dialect_name, params, context)
  return unless @config.idor_protection_enabled? && context.idor_protection_enabled?

  tenant_id = context.request.tenant_id

  if tenant_id.nil?
    raise Aikido::Zen::IDOR::Error.new("Zen IDOR protection: Aikido::Zen.set_tenant_id was not called for this request. Every request must have a tenant ID when IDOR protection is enabled.")
  end

  dialect = Aikido::Zen::SQL::Dialects.fetch(dialect_name)

  analysis = analyze(sql, dialect)

  analysis.each do |query_result|
    if query_result.kind == :insert
      protect_insert(dialect, query_result, tenant_id, params)
    else
      protect_filter(dialect, query_result, tenant_id, params)
    end
  end
end