Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
import dev.aikido.agent_api.context.User;
import dev.aikido.agent_api.vulnerabilities.Attack;

import java.util.List;
import java.util.Map;

import static dev.aikido.agent_api.background.cloud.GetManagerInfo.getManagerInfo;
Expand Down Expand Up @@ -46,24 +45,41 @@ public record AttackData (

public static DetectedAttackEvent createAPIEvent(Attack attack, ContextObject context) {
boolean blocking = getConfig().isBlockingEnabled();
RequestData requestData = new RequestData(
return new DetectedAttackEvent(
"detected_attack", // type
buildRequestData(context), // request
buildAttackData(attack, blocking), // attack
getManagerInfo(), // agent
getUnixTimeMS() // time
);
}

private static RequestData buildRequestData(ContextObject context) {
if (context == null) {
Comment thread
bitterpanda63 marked this conversation as resolved.
return null;
}
return new RequestData(
context.getMethod(),
context.getRemoteAddress(),
context.getHeader("user-agent"),
context.getUrl(),
context.getSource(),
context.getRoute()
);
AttackData attackData = new AttackData(
attack.kind, attack.operation, attack.source, attack.pathToPayload, attack.payload, attack.metadata,
"module", blocking, attack.stack, attack.user
);
return new DetectedAttackEvent(
"detected_attack", // type
requestData, // request
attackData, // attack
getManagerInfo(), // agent
getUnixTimeMS() // time
}

private static AttackData buildAttackData(Attack attack, boolean blocking) {
return new AttackData(
attack.kind,
attack.operation,
attack.source,
attack.pathToPayload,
attack.payload,
attack.metadata,
"module",
blocking,
attack.stack,
attack.user
);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
package background.cloud.api;

import dev.aikido.agent_api.background.cloud.api.events.DetectedAttack;
import dev.aikido.agent_api.context.ContextObject;
import dev.aikido.agent_api.vulnerabilities.Attack;
import dev.aikido.agent_api.vulnerabilities.Vulnerabilities;
import org.junit.jupiter.api.Test;
import utils.EmptySampleContextObject;

import java.util.HashMap;
import java.util.Map;

import static org.junit.jupiter.api.Assertions.*;

class DetectedAttackTest {

@Test
void createAPIEvent_WithValidContextAndAttack_ReturnsDetectedAttackEvent() {
// Arrange
ContextObject context = new EmptySampleContextObject("test", "/api/resource", "POST");

Map<String, String> metadata = new HashMap<>();
metadata.put("key", "value");

Attack attack = new Attack(
"read",
new Vulnerabilities.SQLInjectionVulnerability(),
"web",
"/api/resource",
metadata,
"test_payload",
"stack_trace",
null
);

// Act
DetectedAttack.DetectedAttackEvent event = DetectedAttack.createAPIEvent(attack, context);

// Assert
assertNotNull(event);
assertEquals("detected_attack", event.type());
assertNotNull(event.request());
assertEquals("POST", event.request().method());
assertEquals("web", event.request().source());
assertEquals("/api/resource", event.request().route());
assertNotNull(event.attack());
assertEquals("sql_injection", event.attack().kind());
assertEquals("read", event.attack().operation());
assertEquals("web", event.attack().source());
assertEquals("/api/resource", event.attack().path());
assertEquals("test_payload", event.attack().payload());
assertEquals(metadata, event.attack().metadata());
assertEquals("module", event.attack().module());
assertEquals("stack_trace", event.attack().stack());
assertNull(event.attack().user());
assertNotNull(event.agent());
assertTrue(event.time() > 0);
}

@Test
void createAPIEvent_WithNullContext_ReturnsDetectedAttackEventWithNullRequest() {
// Arrange
Attack attack = new Attack(
"read",
new Vulnerabilities.SQLInjectionVulnerability(),
"web",
"/api/resource",
Map.of("key", "value"),
"test_payload",
"stack_trace",
null
);

// Act
DetectedAttack.DetectedAttackEvent event = DetectedAttack.createAPIEvent(attack, null);

// Assert
assertNotNull(event);
assertEquals("detected_attack", event.type());
assertNull(event.request());
assertNotNull(event.attack());
assertEquals("sql_injection", event.attack().kind());
assertEquals("read", event.attack().operation());
assertEquals("web", event.attack().source());
assertEquals("/api/resource", event.attack().path());
assertEquals("test_payload", event.attack().payload());
assertEquals(Map.of("key", "value"), event.attack().metadata());
assertEquals("module", event.attack().module());
assertEquals("stack_trace", event.attack().stack());
assertNull(event.attack().user());
assertNotNull(event.agent());
assertTrue(event.time() > 0);
}
}
32 changes: 32 additions & 0 deletions agent_api/src/test/java/collectors/DNSRecordCollectorTest.java
Original file line number Diff line number Diff line change
@@ -1,11 +1,14 @@
package collectors;

import dev.aikido.agent_api.background.cloud.api.events.DetectedAttack;
import dev.aikido.agent_api.collectors.DNSRecordCollector;
import dev.aikido.agent_api.context.Context;
import dev.aikido.agent_api.context.ContextObject;
import dev.aikido.agent_api.storage.AttackQueue;
import dev.aikido.agent_api.storage.Hostnames;
import dev.aikido.agent_api.storage.HostnamesStore;
import dev.aikido.agent_api.storage.ServiceConfigStore;
import dev.aikido.agent_api.vulnerabilities.Attack;
import dev.aikido.agent_api.vulnerabilities.ssrf.SSRFException;
import dev.aikido.agent_api.vulnerabilities.ssrf.StoredSSRFException;
import org.junit.jupiter.api.*;
Expand All @@ -29,12 +32,14 @@ void setup() throws UnknownHostException {
inetAddress1 = InetAddress.getByName("1.1.1.1");
inetAddress2 = InetAddress.getByName("127.0.0.1");
imdsAddress1 = InetAddress.getByName("169.254.169.254");
AttackQueue.clear();
}

@AfterEach
public void cleanup() {
HostnamesStore.clear();
Context.set(null);
AttackQueue.clear();
}

@Test
Expand Down Expand Up @@ -129,4 +134,31 @@ public void testHostnameSameWithContextAsAStoredSSRFAttack() {
});
});
}

@Test
public void testStoredSSRFWithNoContext() throws InterruptedException {
ServiceConfigStore.updateBlocking(true);

Context.set(null);

Exception exception = assertThrows(StoredSSRFException.class, () -> {
DNSRecordCollector.report("dev.aikido", new InetAddress[]{
imdsAddress1, inetAddress2
});
});
DetectedAttack.DetectedAttackEvent event = (DetectedAttack.DetectedAttackEvent) AttackQueue.get();
assertEquals("stored_ssrf", event.attack().kind());
assertNull(event.request());

assertEquals("Aikido Zen has blocked a stored server-side request forgery", exception.getMessage());

assertDoesNotThrow(() -> {
DNSRecordCollector.report("metadata.goog", new InetAddress[]{
imdsAddress1, inetAddress2
});
DNSRecordCollector.report("metadata.google.internal", new InetAddress[]{
imdsAddress1, inetAddress2
});
});
}
}