Merge pull request #625 from AikidoSec/report-tokenize-failure-stats

Count SQL tokenization failures

Author: hansott

.github/workflows/end-to-end-tests.yml

@@ -45,7 +45,7 @@ jobs:
           "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
         ports:
           - "27019:8123"
-    timeout-minutes: 10
+    timeout-minutes: 15
     strategy:
       matrix:
         node-version: [18.x]

.github/workflows/unit-test.yml

@@ -52,7 +52,7 @@ jobs:
         ports:
           - "27019:8123"
       mongodb-replica:
-        image: bitnami/mongodb:8.0
+        image: bitnami/mongodb:4.4
         env:
           MONGODB_ADVERTISED_HOSTNAME: 127.0.0.1
           MONGODB_REPLICA_SET_MODE: primary

end2end/server/src/zen/config.js

@@ -9,7 +9,7 @@ function generateConfig(app) {
     endpoints: [],
     blockedUserIds: [],
     allowedIPAddresses: [],
-    receivedAnyStats: true,
+    receivedAnyStats: false,
   };
 }
 

end2end/server/src/zen/events.js

@@ -1,11 +1,6 @@
 const events = new Map();
 
 function captureEvent(event, app) {
-  if (event.type === "heartbeat") {
-    // Ignore heartbeats
-    return;
-  }
-
   if (!events.has(app.id)) {
     events.set(app.id, []);
   }

end2end/tests/express-mysql.test.js

@@ -9,6 +9,17 @@ const pathToApp = resolve(
   "app.js"
 );
 
+const testServerUrl = "http://localhost:5874";
+
+let token;
+t.beforeEach(async () => {
+  const response = await fetch(`${testServerUrl}/api/runtime/apps`, {
+    method: "POST",
+  });
+  const body = await response.json();
+  token = body.token;
+});
+
 t.test("it blocks in blocking mode", (t) => {
   const server = spawn(`node`, [pathToApp, "4000"], {
     env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCKING: "true" },
@@ -144,3 +155,86 @@ t.test("it does not block in dry mode", (t) => {
       server.kill();
     });
 });
+
+t.setTimeout(80000);
+
+t.test(
+  "it increments sqlTokenizationFailures counter for invalid SQL queries",
+  (t) => {
+    const server = spawn(`node`, [pathToApp, "4003"], {
+      env: {
+        ...process.env,
+        AIKIDO_DEBUG: "true",
+        AIKIDO_BLOCKING: "true",
+        AIKIDO_TOKEN: token,
+        AIKIDO_ENDPOINT: testServerUrl,
+        AIKIDO_REALTIME_ENDPOINT: testServerUrl,
+      },
+    });
+
+    server.on("close", () => {
+      t.end();
+    });
+
+    server.on("error", (err) => {
+      t.fail(err);
+    });
+
+    let stdout = "";
+    server.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+
+    let stderr = "";
+    server.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+
+    // Wait for the server to start
+    timeout(2000)
+      .then(() => {
+        return fetch(
+          `http://localhost:4003/invalid-query?sql=${encodeURIComponent("SELECT * FROM test")}`,
+          {
+            signal: AbortSignal.timeout(5000),
+            method: "POST",
+          }
+        );
+      })
+      .then((response) => {
+        return response.text();
+      })
+      .then((responseText) => {
+        t.match(responseText, /You have an error in your SQL syntax/);
+
+        // Wait for the heartbeat event to be sent
+        return timeout(60000);
+      })
+      .then(() => {
+        return fetch(`${testServerUrl}/api/runtime/events`, {
+          method: "GET",
+          headers: {
+            Authorization: token,
+          },
+          signal: AbortSignal.timeout(5000),
+        });
+      })
+      .then((response) => {
+        return response.json();
+      })
+      .then((events) => {
+        const heartbeatEvents = events.filter(
+          (event) => event.type === "heartbeat"
+        );
+        t.same(heartbeatEvents.length, 1);
+        const [heartbeat] = heartbeatEvents;
+        t.equal(heartbeat.stats.sqlTokenizationFailures, 1);
+      })
+      .catch((error) => {
+        t.error(error);
+      })
+      .finally(() => {
+        server.kill();
+      });
+  }
+);

library/agent/Agent.ts

@@ -318,6 +318,7 @@ export class Agent {
             requests: stats.requests,
             userAgents: stats.userAgents,
             ipAddresses: stats.ipAddresses,
+            sqlTokenizationFailures: stats.sqlTokenizationFailures,
           },
           packages,
           hostnames: outgoingDomains,

library/agent/InspectionStatistics.test.ts

@@ -48,6 +48,7 @@ t.test("it resets stats", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   clock.tick(1000);
@@ -69,6 +70,7 @@ t.test("it resets stats", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   clock.uninstall();
@@ -101,6 +103,7 @@ t.test("it keeps track of amount of calls", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onInspectedCall({
@@ -141,6 +144,7 @@ t.test("it keeps track of amount of calls", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onInspectedCall({
@@ -181,6 +185,7 @@ t.test("it keeps track of amount of calls", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.interceptorThrewError("mongodb.query", "nosql_op");
@@ -214,6 +219,7 @@ t.test("it keeps track of amount of calls", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onInspectedCall({
@@ -254,6 +260,7 @@ t.test("it keeps track of amount of calls", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onInspectedCall({
@@ -294,6 +301,7 @@ t.test("it keeps track of amount of calls", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   t.same(stats.hasCompressedStats(), false);
@@ -353,6 +361,7 @@ t.test("it keeps track of amount of calls", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   t.ok(
@@ -409,6 +418,7 @@ t.test("it keeps track of requests", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onRequest();
@@ -430,6 +440,7 @@ t.test("it keeps track of requests", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onRequest();
@@ -452,6 +463,7 @@ t.test("it keeps track of requests", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onRequest();
@@ -474,6 +486,7 @@ t.test("it keeps track of requests", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   clock.tick(1000);
@@ -497,6 +510,7 @@ t.test("it keeps track of requests", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   clock.uninstall();
@@ -527,6 +541,7 @@ t.test("it force compresses stats", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   stats.onRequest();
@@ -576,6 +591,7 @@ t.test("it keeps track of aborted requests", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   clock.uninstall();
@@ -614,6 +630,7 @@ t.test("it keeps track of matched IPs and user agents", async () => {
         "known_threat_actors/public_scanners": 1,
       },
     },
+    sqlTokenizationFailures: 0,
   });
 
   // Test multiple occurrences
@@ -642,6 +659,7 @@ t.test("it keeps track of matched IPs and user agents", async () => {
         "known_threat_actors/public_scanners": 2,
       },
     },
+    sqlTokenizationFailures: 0,
   });
 
   clock.uninstall();
@@ -713,6 +731,7 @@ t.test("it keeps track of multiple operations of the same kind", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   // Test that each operation maintains its own stats
@@ -774,6 +793,7 @@ t.test("it keeps track of multiple operations of the same kind", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
   });
 
   clock.uninstall();
@@ -818,6 +838,40 @@ t.test("it handles empty operation strings", async () => {
     ipAddresses: {
       breakdown: {},
     },
+    sqlTokenizationFailures: 0,
+  });
+
+  clock.uninstall();
+});
+
+t.test("it increments sqlTokenizationFailures", async () => {
+  const clock = FakeTimers.install();
+
+  const stats = new InspectionStatistics({
+    maxPerfSamplesInMemory: 50,
+    maxCompressedStatsInMemory: 5,
+  });
+
+  stats.onSqlTokenizationFailure();
+
+  t.same(stats.getStats(), {
+    operations: {},
+    startedAt: 0,
+    requests: {
+      total: 0,
+      aborted: 0,
+      attacksDetected: {
+        total: 0,
+        blocked: 0,
+      },
+    },
+    userAgents: {
+      breakdown: {},
+    },
+    ipAddresses: {
+      breakdown: {},
+    },
+    sqlTokenizationFailures: 1,
   });
 
   clock.uninstall();

library/agent/InspectionStatistics.ts

@@ -39,6 +39,7 @@ export class InspectionStatistics {
   private operations: Record<string, OperationStats> = {};
   private readonly maxPerfSamplesInMemory: number;
   private readonly maxCompressedStatsInMemory: number;
+  private sqlTokenizationFailures: number = 0;
   private requests: {
     total: number;
     aborted: number;
@@ -97,11 +98,13 @@ export class InspectionStatistics {
       breakdown: {},
     };
     this.startedAt = Date.now();
+    this.sqlTokenizationFailures = 0;
   }
 
   getStats(): {
     operations: Record<string, OperationStatsWithoutTimings>;
     startedAt: number;
+    sqlTokenizationFailures: number;
     requests: {
       total: number;
       aborted: number;
@@ -136,6 +139,7 @@ export class InspectionStatistics {
     return {
       operations: operations,
       startedAt: this.startedAt,
+      sqlTokenizationFailures: this.sqlTokenizationFailures,
       requests: this.requests,
       userAgents: this.userAgents,
       ipAddresses: this.ipAddresses,
@@ -299,4 +303,8 @@ export class InspectionStatistics {
       this.compressPerfSamples(kind as OperationKind);
     }
   }
+
+  onSqlTokenizationFailure() {
+    this.sqlTokenizationFailures += 1;
+  }
 }

library/agent/api/Event.ts

@@ -97,6 +97,7 @@ type Heartbeat = {
     operations: Record<string, OperationStats>;
     startedAt: number;
     endedAt: number;
+    sqlTokenizationFailures: number;
     requests: {
       total: number;
       aborted: number;