Merge branch 'main' into add-aws-lambda-support-beta

bitterpanda63 · bitterpanda63 · commit b8d543007f54 · 2025-10-16T14:08:35.000+02:00
diff --git a/aikido_zen/__init__.py b/aikido_zen/__init__.py
@@ -10,6 +10,7 @@
 from aikido_zen.lambda_helper import protect_lambda
 from aikido_zen.context.users import set_user
 from aikido_zen.helpers.check_gevent import check_gevent
+from aikido_zen.helpers.python_version_not_supported import python_version_not_supported
 from aikido_zen.middleware import should_block_request
 from aikido_zen.middleware.set_rate_limit_group import set_rate_limit_group
 
@@ -35,6 +36,8 @@ def protect(mode="daemon", token=""):
     if aikido_disabled_flag_active():
         # Do not run any aikido code when the disabled flag is on
         return
+    if python_version_not_supported():
+        return
     if not test_uds_file_access():
         return  # Unable to start background process
     if check_gevent():
@@ -72,6 +75,7 @@ def protect(mode="daemon", token=""):
 
     import aikido_zen.sinks.builtins
     import aikido_zen.sinks.os
+    import aikido_zen.sinks.pathlib
     import aikido_zen.sinks.shutil
     import aikido_zen.sinks.io
     import aikido_zen.sinks.http_client
diff --git a/aikido_zen/helpers/python_version_not_supported.py b/aikido_zen/helpers/python_version_not_supported.py
@@ -0,0 +1,14 @@
+import sys
+from aikido_zen.helpers.logging import logger
+
+
+def python_version_not_supported() -> bool:
+    major = sys.version_info.major
+    minor = sys.version_info.minor
+    if major != 3:
+        logger.error("This version of Zen only supports Python 3")
+        return True
+    if minor > 13:
+        logger.error("This version of Zen doesn't support versions above Python 3.13")
+        return True
+    return False
diff --git a/aikido_zen/sinks/builtins_import.py b/aikido_zen/sinks/builtins_import.py
@@ -14,11 +14,14 @@ def _import(func, instance, args, kwargs, return_value):
             return
         running_import_scan.set(True)
 
-        if not hasattr(return_value, "__file__"):
-            return  # Would be built-in into the interpreter (system package)
+    if not hasattr(return_value, "__package__"):
+        return
 
-        if not hasattr(return_value, "__package__"):
+    try:
+        if running_import_scan.get():
             return
+        running_import_scan.set(True)
+
         name = getattr(return_value, "__package__")
 
         if not name:
diff --git a/aikido_zen/sinks/pathlib.py b/aikido_zen/sinks/pathlib.py
@@ -0,0 +1,29 @@
+"""
+Sink module for python's `pathlib`
+"""
+
+import aikido_zen.vulnerabilities as vulns
+from aikido_zen.helpers.get_argument import get_argument
+from aikido_zen.helpers.register_call import register_call
+from aikido_zen.sinks import before, patch_function, on_import
+
+
+@before
+def _pathlib_truediv_patch(func, instance, args, kwargs):
+    path = get_argument(args, kwargs, 0, "key")
+    op = "pathlib.PurePath.__truediv__"
+    register_call(op, "fs_op")
+
+    vulns.run_vulnerability_scan(kind="path_traversal", op=op, args=(path,))
+
+
+@on_import("pathlib")
+def patch(m):
+    """
+    patching module pathlib
+    - patches PurePath.__truediv__ : Path() / Path() -> join operation
+    """
+
+    # PurePath() / "my/path/test.txt"
+    # This is accomplished by overloading the __truediv__ function on the Path class
+    patch_function(m, "PurePath.__truediv__", _pathlib_truediv_patch)
diff --git a/aikido_zen/sinks/tests/builtins_import_test.py b/aikido_zen/sinks/tests/builtins_import_test.py
@@ -22,3 +22,35 @@ def test_django_import():
     import django
 
     assert PackagesStore.get_package("django")["version"] == "4.0"
+
+
+def test_recursive_package_store(monkeypatch):
+    """Test that recursive imports during package scanning don't cause max recursion depth errors."""
+
+    def recursive_get_package(name):
+        """Recursively add package and its dependencies to PackagesStore."""
+        import flask
+
+    PackagesStore.clear()
+    monkeypatch.setattr(PackagesStore, "get_package", recursive_get_package)
+
+    import flask
+
+    # Restore the original method after the test
+    monkeypatch.undo()
+
+
+def test_recursive_package_store_2(monkeypatch):
+    """Test that recursive imports during package scanning don't cause max recursion depth errors."""
+
+    def recursive_add_package(name, version):
+        """Recursively add package and its dependencies to PackagesStore."""
+        if name == "django":
+            import django
+
+    PackagesStore.clear()
+    monkeypatch.setattr(PackagesStore, "add_package", recursive_add_package)
+    import django
+
+    # Restore the original method after the test
+    monkeypatch.undo()
diff --git a/aikido_zen/sinks/tests/os_test.py b/aikido_zen/sinks/tests/os_test.py
@@ -1,11 +1,21 @@
 import pytest
 from pathlib import Path, PurePath
 from unittest.mock import patch
-import aikido_zen.sinks.os
+import aikido_zen
+import aikido_zen.test_utils as test_utils
+
+aikido_zen.protect()
+from aikido_zen.context import Context
+from aikido_zen.errors import AikidoPathTraversal
 
 kind = "path_traversal"
 
 
+@pytest.fixture(autouse=True)
+def set_blocking_to_true(monkeypatch):
+    monkeypatch.setenv("AIKIDO_BLOCK", "1")
+
+
 def test_ospath_commands():
     with patch(
         "aikido_zen.vulnerabilities.run_vulnerability_scan"
@@ -39,6 +49,36 @@ def test_ospath_commands():
         mock_run_vulnerability_scan.assert_any_call(kind=kind, op=op, args=args)
 
 
+def test_os_create_path_with_multiple_slashes():
+    import os
+
+    file_path = "////etc/passwd"
+    test_utils.generate_and_set_context(file_path)
+    with pytest.raises(AikidoPathTraversal):
+        full_path = Path("flaskr/resources/blogs/") / file_path
+        open(full_path, "r").close()
+
+
+def test_os_create_path_with_multiple_double_slashes():
+    import os
+
+    file_path = "////etc//passwd"
+    test_utils.generate_and_set_context(file_path)
+    with pytest.raises(AikidoPathTraversal):
+        full_path = Path("flaskr/resources/blogs/") / file_path
+        open(full_path, "r").close()
+
+
+def test_os_path_traversal_with_multiple_slashes():
+    import os
+
+    file_path = "home///..////..////my_secret.txt"
+    test_utils.generate_and_set_context(file_path)
+    with pytest.raises(AikidoPathTraversal):
+        full_path = Path("flaskr/resources/blogs/") / file_path
+        open(full_path, "r").close()
+
+
 def test_ospath_command_absolute_path():
     with patch(
         "aikido_zen.vulnerabilities.run_vulnerability_scan"
diff --git a/aikido_zen/vulnerabilities/path_traversal/unsafe_path_start.py b/aikido_zen/vulnerabilities/path_traversal/unsafe_path_start.py
@@ -28,13 +28,19 @@
 
 def starts_with_unsafe_path(file_path, user_input):
     """Check if the file path starts with any dangerous paths and the user input."""
-    lower_case_path = file_path.lower()
-    lower_case_user_input = user_input.lower()
+    path_parsed = ensure_one_leading_slash(file_path.lower())
+    input_parsed = ensure_one_leading_slash(user_input.lower())
 
     for dangerous_start in dangerous_path_starts:
-        if lower_case_path.startswith(dangerous_start) and lower_case_path.startswith(
-            lower_case_user_input
+        if path_parsed.startswith(dangerous_start) and path_parsed.startswith(
+            input_parsed
         ):
             return True
 
     return False
+
+
+def ensure_one_leading_slash(path: str) -> str:
+    if path.startswith("/"):
+        return "/" + path.lstrip("/")
+    return path
diff --git a/end2end/django_mysql_test.py b/end2end/django_mysql_test.py
@@ -82,7 +82,7 @@ def test_initial_heartbeat():
     assert len(heartbeat_events) == 1
     validate_heartbeat(
         heartbeat_events[0],
-        [{
+        routes=[{
             "apispec": {
                 'body': {
                     'type': 'form-urlencoded',
@@ -103,12 +103,16 @@ def test_initial_heartbeat():
             "hits_delta_since_sync": 0,
             "method": "POST",
             "path": "/app/create"
-        }], 
-        {
-            "aborted": 0,
-            "attacksDetected": {"blocked": 2, "total": 2},
-            "total": 3,
-            'rateLimited': 0
-        },
-        {'wrapt', 'asgiref', 'aikido_zen', 'django', 'sqlparse', 'mysqlclient'}
+        }],
+        packages={'wrapt', 'asgiref', 'aikido_zen', 'django', 'sqlparse', 'mysqlclient'}
     )
+    req_stats = heartbeat_events[0]["stats"]["requests"]
+    assert req_stats["aborted"] == 0
+    assert req_stats["rateLimited"] == 0
+    assert req_stats["attacksDetected"] == {"blocked": 2, "total": 2}
+    # There are 3-4 requests :
+    # 1. is website live request, first request not always counted
+    # 2. /app/create safe
+    # 3. /app/create sql inj
+    # 4. /app/shell/ls -la shell inj
+    assert 3 <= req_stats["total"] <= 4, f"Unexpected amount of total requests {req_stats['total']}"
