Add IDOR protection

Author: marksmith

docs/idor-protection.md

@@ -0,0 +1,129 @@
+# IDOR Protection
+
+IDOR stands for Insecure Direct Object Reference — it's when one account can access another account's data because a query doesn't properly filter by account.
+
+If your SaaS has accounts (or organizations, workspaces, teams, ...) and uses a column like `tenant_id` to keep each account's data separate, IDOR protection ensures every SQL query filters on the correct tenant. Zen analyzes queries at runtime and raises an error if a query is missing that filter or uses the wrong tenant ID, catching mistakes like:
+
+- A `SELECT` that forgets the tenant filter, letting one account read another's orders
+- An `UPDATE` or `DELETE` without a tenant filter, letting one account modify another's data
+- An `INSERT` that omits the tenant column, creating orphaned or misassigned rows
+
+Zen catches these at runtime so they surface during development and testing, not in production. See [IDOR vulnerability explained](https://www.aikido.dev/blog/idor-vulnerability-explained) for more background.
+
+> [!IMPORTANT]
+> IDOR protection always raises an `Aikido::Zen::IDOR::Error` on violations regardless of block/detect mode. A missing filter is a developer bug, not an external attack.
+
+## Setup
+
+### 1. Enable IDOR protection at startup
+
+```ruby
+...
+
+Aikido::Zen.config.idor_tenant_column_name = "tenant_id"
+Aikido::Zen.config.idor_excluded_table_names = ["users"]
+
+...
+```
+
+- `idor_tenant_column_name` — the column name that identifies the tenant in your database tables (e.g. `account_id`, `organization_id`, `team_id`).
+- `idor_excluded_table_names` — tables that Zen should skip IDOR checks for, because rows aren't scoped to a single tenant (e.g. a shared `users` table that stores users across all tenants).
+
+### 2. Set the tenant ID per request
+
+Every request must have a tenant ID when IDOR protection is enabled. Call `Aikido::Zen.set_tenant_id` early in your request handler (e.g. in middleware after authentication):
+
+```ruby
+Aikido::Zen.set_tenant_id(1)
+```
+
+> [!IMPORTANT]
+> If `Aikido::Zen.set_tenant_id` is not called for a request, Zen will raise an `Aikido::Zen::IDOR::Error` when a SQL query is executed.
+
+### 3. Bypass for specific queries (optional)
+
+Some queries don't need tenant filtering (e.g. aggregations across all tenants for an admin dashboard). Use `Aikido::Zen.without_idor_protection` to bypass the check for a specific block:
+
+```ruby
+...
+
+# IDOR checks are skipped for queries inside this block
+result = Aikido::Zen.without_idor_protection do
+  db.query("SELECT count(*) FROM agents WHERE status = 'running'");
+end
+
+...
+```
+
+## Troubleshooting
+
+<details>
+<summary>Missing tenant filter</summary>
+
+```
+Zen IDOR protection: query on table 'orders' is missing a filter on column 'tenant_id'
+```
+
+This means you have a query like `SELECT * FROM orders WHERE status = 'active'` that doesn't filter on `tenant_id`. The same check applies to `UPDATE` and `DELETE` queries.
+
+</details>
+
+<details>
+<summary>Wrong tenant ID value</summary>
+
+```
+Zen IDOR protection: query on table 'orders' filters 'tenant_id' with value '456' but tenant ID is '123'
+```
+
+This means the query filters on `tenant_id`, but the value doesn't match the tenant ID set via `Aikido::Zen.set_tenant_id`.
+
+</details>
+
+<details>
+<summary>Missing tenant column in INSERT</summary>
+
+```
+Zen IDOR protection: INSERT on table 'orders' is missing column 'tenant_id'
+```
+
+This means an `INSERT` statement doesn't include the tenant column. Every INSERT must include the tenant column with the correct tenant ID value.
+
+</details>
+
+<details>
+<summary>Wrong tenant ID in INSERT</summary>
+
+```
+Zen IDOR protection: INSERT on table 'orders' sets 'tenant_id' to '456' but tenant ID is '123'
+```
+
+This means the INSERT includes the tenant column, but the value doesn't match the tenant ID set via `Aikido::Zen.set_tenant_id`.
+
+</details>
+
+<details>
+<summary>Missing Aikido::Zen.set_tenant_id call</summary>
+
+```
+Zen IDOR protection: Aikido::Zen.set_tenant_id was not called for this request. Every request must have a tenant ID when IDOR protection is enabled.
+```
+
+</details>
+
+## Supported databases
+
+- SQLite (via `sqlite3` Gem)
+- PostgreSQL (via `pg` Gem)
+- MySQL (via `mysql2` and `trilogy` Gems)
+
+Any ORM or query builder that uses these database packages under the hood is supported (e.g. ActiveRecord). ORMs that use their own database engine are not supported unless configured to use a supported driver adapter.
+
+## Limitations
+
+## Statements that are always allowed
+
+Zen only checks statements that read or modify row data (`SELECT`, `INSERT`, `UPDATE`, `DELETE`). The following statement types are also recognized and never trigger an IDOR error:
+
+- DDL — `CREATE TABLE`, `ALTER TABLE`, `DROP TABLE`, ...
+- Session commands — `SET`, `SHOW`, ...
+- Transactions — `BEGIN`, `COMMIT`, `ROLLBACK`, ...

lib/aikido/zen.rb

@@ -26,6 +26,8 @@
 require_relative "zen/runtime_settings"
 require_relative "zen/rate_limiter"
 require_relative "zen/attack_wave"
+require_relative "zen/sql"
+require_relative "zen/idor"
 require_relative "zen/scanners"
 
 module Aikido
@@ -213,17 +215,87 @@ class << self
       alias_method :set_user, :track_user
     end
 
+    # @return [Aikido::Zen::AttackWave::Detector] the attack wave detector.
+    def self.attack_wave_detector
+      @attack_wave_detector ||= AttackWave::Detector.new
+    end
+
+    # @param id [Integer, String, nil]
+    # @return [void]
+    def self.set_tenant_id(id)
+      context = current_context
+      return unless context
+
+      context.request.tenant_id = id
+    end
+
+    # @return [void]
+    def self.enable_idor_protection
+      context = current_context
+      return unless context
+
+      context.idor_protection_enabled = true
+    end
+
+    # @return [void]
+    def self.disable_idor_protection
+      context = current_context
+      return unless context
+
+      context.idor_protection_enabled = false
+    end
+
+    # @return [Aikido::Zen::IDOR::Protector]
+    def self.idor_protector
+      @idor_protector ||= IDOR::Protector.new
+    end
+
+    # @param sql [String]
+    # @param dialet [Symbol]
+    # @return [void]
+    # @raise [Aikido::Zen::IDOR::Error]
+    def self.idor_protect(sql, dialect_name, params = [])
+      context = current_context
+      return unless context
+
+      idor_protector.protect(sql, dialect_name, params, context)
+    end
+
+    # Execute a block with the IDOR protection state set.
+    #
+    # @yield the block to execute with the IDOR protection state set.
+    # @return [Object] the result of the block
+    # @raise [ArgumentError] if no block is given
+    def self.idor_protection(enabled)
+      raise ArgumentError, "block required" unless block_given?
+
+      if current_context
+        begin
+          idor_protection_enabled = current_context.idor_protection_enabled
+          current_context.idor_protection_enabled = enabled
+          yield
+        ensure
+          current_context.idor_protection_enabled = idor_protection_enabled
+        end
+      else
+        yield
+      end
+    end
+
+    def self.with_idor_protection(&blk)
+      idor_protection(true, &blk)
+    end
+
+    def self.without_idor_protection(&blk)
+      idor_protection(false, &blk)
+    end
+
     # Marks that the Zen middleware was installed properly
     # @return void
     def self.middleware_installed!
       collector.middleware_installed!
     end
 
-    # @return [Aikido::Zen::AttackWave::Detector] the attack wave detector.
-    def self.attack_wave_detector
-      @attack_wave_detector ||= AttackWave::Detector.new
-    end
-
     # @!visibility private
     # Load all sources.
     #

lib/aikido/zen/config.rb

@@ -188,6 +188,18 @@ class Config
     #   Defaults to 15 entries.
     attr_accessor :attack_wave_max_cache_samples
 
+    # @return [String] the tenant column name for IDOR protection.
+    #   Defaults to nil.
+    attr_accessor :idor_tenant_column_name
+
+    # @return [Array<String>] the table names to exclude for IDOR protection.
+    #   Defaults to [].
+    attr_accessor :idor_excluded_table_names
+
+    # @return [Integer] the maximum number of entries in the LRU cache.
+    #   Defaults to 1000 entries.
+    attr_accessor :idor_max_cache_entries
+
     def initialize
       self.insert_middleware_after = ::ActionDispatch::RemoteIp
       self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
@@ -227,6 +239,9 @@ def initialize
       self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
       self.attack_wave_max_cache_entries = 10_000
       self.attack_wave_max_cache_samples = 15
+      self.idor_tenant_column_name = nil
+      self.idor_excluded_table_names = []
+      self.idor_max_cache_entries = 1000
     end
 
     # Set the base URL for API requests.

lib/aikido/zen/context.rb

@@ -30,6 +30,9 @@ def self.from_rack_env(env, config = Aikido::Zen.config)
     attr_accessor :protection_disabled
     alias_method :protection_disabled?, :protection_disabled
 
+    # @return [Boolean]
+    attr_accessor :idor_protection_enabled
+
     # @param request [Rack::Request] a Request object that implements the
     #   Rack::Request API, to which we will delegate behavior.
     # @param settings [Aikido::Zen::RuntimeSettings]
@@ -45,6 +48,7 @@ def initialize(request, settings: Aikido::Zen.runtime_settings, &sources)
       @metadata = {}
       @scanning = false
       @protection_disabled = false
+      @idor_protection_enabled = false
     end
 
     # Fetch some metadata stored in the Context.

lib/aikido/zen/idor.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative "idor/analysis_result"
+require_relative "idor/protector"