diff --git a/aikido_firewall/helpers/blocking_enabled.py b/aikido_firewall/helpers/blocking_enabled.py
new file mode 100644
index 000000000..e528b1711
--- /dev/null
+++ b/aikido_firewall/helpers/blocking_enabled.py
@@ -0,0 +1,13 @@
+"""Helper function file, see function docstring"""
+
+from aikido_firewall.background_process import get_comms
+
+
+def is_blocking_enabled():
+    """
+    Checks with the background process if blocking is enabled
+    """
+    should_block_res = get_comms().send_data_to_bg_process(
+        action="READ_PROPERTY", obj="block", receive=True
+    )
+    return should_block_res["success"] and should_block_res["data"]
diff --git a/aikido_firewall/sinks/builtins.py b/aikido_firewall/sinks/builtins.py
index 3a451bcc3..6118965c3 100644
--- a/aikido_firewall/sinks/builtins.py
+++ b/aikido_firewall/sinks/builtins.py
@@ -11,6 +11,7 @@ from aikido_firewall.context import get_current_context
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoPathTraversal
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 @importhook.on_import("builtins")
@@ -34,10 +35,7 @@ def aikido_new_open(*args, **kwargs):
         )
         if len(result) != 0:
             get_comms().send_data_to_bg_process("ATTACK", (result, context))
-            should_block_res = get_comms().send_data_to_bg_process(
-                action="READ_PROPERTY", obj="block", receive=True
-            )
-            if should_block_res["success"] and should_block_res["data"]:
+            if is_blocking_enabled():
                 raise AikidoPathTraversal()
         return former_open(*args, **kwargs)
diff --git a/aikido_firewall/sinks/mysqlclient.py b/aikido_firewall/sinks/mysqlclient.py
index d38ae543b..e59fba8f9 100644
--- a/aikido_firewall/sinks/mysqlclient.py
+++ b/aikido_firewall/sinks/mysqlclient.py
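Review bot: `is_blocking_enabled` fails open: whenever the background process does not answer with `success` (or answers with a falsy `data`), it returns a falsy value, and every sink that now calls it (builtins, mysqlclient, os, os_system, psycopg2, pymongo, pymysql, subprocess and the SSRF inspector in the later hunks) reports the attack but lets the guarded operation proceed. If that availability-over-enforcement trade-off is intended, the docstring should say so, e.g. `Returns False (fail open) when the background process is unreachable or does not report success.`, and the helper should pin its contract with `return bool(should_block_res["success"] and should_block_res["data"])` instead of handing callers the raw `data` value. If `send_data_to_bg_process` can return `None` on a transport error rather than a dict, the subscript would raise inside the sink on the request path; worth confirming against the comms implementation.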
@@ -14,6 +14,7 @@ from aikido_firewall.helpers.logging import logger
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoSQLInjection
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 @importhook.on_import("MySQLdb.connections")
@@ -39,10 +40,7 @@ def aikido_new_query(_self, sql):
         logger.debug("sql_injection results : %s", json.dumps(contains_injection))
         if contains_injection:
             get_comms().send_data_to_bg_process("ATTACK", (contains_injection, context))
-            should_block_res = get_comms().send_data_to_bg_process(
-                action="READ_PROPERTY", obj="block", receive=True
-            )
-            if should_block_res["success"] and should_block_res["data"]:
+            if is_blocking_enabled():
                 raise AikidoSQLInjection("SQL Injection [aikido_firewall]")
         return prev_query_function(_self, sql)
diff --git a/aikido_firewall/sinks/os.py b/aikido_firewall/sinks/os.py
index a45aa10d2..8225d66fd 100644
--- a/aikido_firewall/sinks/os.py
+++ b/aikido_firewall/sinks/os.py
@@ -11,6 +11,7 @@ from aikido_firewall.context import get_current_context
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoPathTraversal
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 # File functions :
 OS_FILE_FUNCTIONS = [
@@ -59,10 +60,7 @@ def aikido_new_func(*args, op=op, former_func=former_func, **kwargs):
             )
             if len(result) != 0:
                 get_comms().send_data_to_bg_process("ATTACK", (result, context))
-                should_block_res = get_comms().send_data_to_bg_process(
-                    action="READ_PROPERTY", obj="block", receive=True
-                )
-                if should_block_res["success"] and should_block_res["data"]:
+                if is_blocking_enabled():
                     raise AikidoPathTraversal()
             return former_func(*args, **kwargs)
diff --git a/aikido_firewall/sinks/os_system.py b/aikido_firewall/sinks/os_system.py
index 6cf6f3aa5..6e2eebd1b 100644
--- a/aikido_firewall/sinks/os_system.py
+++ b/aikido_firewall/sinks/os_system.py
@@ -12,6 +12,7 @@ from aikido_firewall.helpers.logging import logger
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoShellInjection
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 @importhook.on_import("os")
@@ -37,10 +38,7 @@ def aikido_new_system(*args, former_system_func=former_system_func, **kwargs):
         logger.debug("Shell injection results : %s", json.dumps(contains_injection))
         if contains_injection:
             get_comms().send_data_to_bg_process("ATTACK", (contains_injection, context))
-            should_block_res = get_comms().send_data_to_bg_process(
-                action="READ_PROPERTY", obj="block", receive=True
-            )
-            if should_block_res["success"] and should_block_res["data"]:
+            if is_blocking_enabled():
                 raise AikidoShellInjection()
         return former_system_func(*args, **kwargs)
diff --git a/aikido_firewall/sinks/psycopg2.py b/aikido_firewall/sinks/psycopg2.py
index b53608f92..bdfcf16af 100644
--- a/aikido_firewall/sinks/psycopg2.py
+++ b/aikido_firewall/sinks/psycopg2.py
@@ -13,6 +13,7 @@ from aikido_firewall.vulnerabilities.sql_injection.dialects import Postgres
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoSQLInjection
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 class MutableAikidoConnection:
@@ -46,10 +47,7 @@ def execute_sql_detection_code(sql):
     logger.info("sql_injection results : %s", json.dumps(contains_injection))
     if contains_injection:
         get_comms().send_data_to_bg_process("ATTACK", (contains_injection, context))
-        should_block_res = get_comms().send_data_to_bg_process(
-            action="READ_PROPERTY", obj="block", receive=True
-        )
-        if should_block_res["success"] and should_block_res["data"]:
+        if is_blocking_enabled():
             raise AikidoSQLInjection("SQL Injection [aikido_firewall]")
diff --git a/aikido_firewall/sinks/pymongo.py b/aikido_firewall/sinks/pymongo.py
index 66579b319..b5004a001 100644
--- a/aikido_firewall/sinks/pymongo.py
+++ b/aikido_firewall/sinks/pymongo.py
@@ -10,6 +10,7 @@ from aikido_firewall.context import get_current_context
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoNoSQLInjection
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 OPERATIONS_WITH_FILTER = [
     "replace_one", # L1087
@@ -55,7 +56,8 @@ def wrapped_operation_function(
                 get_comms().send_data_to_bg_process(
                     "ATTACK", (injection_results, context)
                 )
-                raise AikidoNoSQLInjection("NOSQL Injection [aikido_firewall]")
+                if is_blocking_enabled():
+                    raise AikidoNoSQLInjection("NOSQL Injection [aikido_firewall]")
             return prev_func(_self, _filter, *args, **kwargs)
         setattr(modified_pymongo.Collection, operation, wrapped_operation_function)
diff --git a/aikido_firewall/sinks/pymysql.py b/aikido_firewall/sinks/pymysql.py
index cbe9da1f3..6f2081cf4 100644
--- a/aikido_firewall/sinks/pymysql.py
+++ b/aikido_firewall/sinks/pymysql.py
@@ -14,6 +14,7 @@ from aikido_firewall.vulnerabilities.sql_injection.dialects import MySQL
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoSQLInjection
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 logger = logging.getLogger("aikido_firewall")
@@ -41,10 +42,7 @@ def aikido_new_query(_self, sql, unbuffered=False):
         logger.info("sql_injection results : %s", json.dumps(contains_injection))
         if contains_injection:
             get_comms().send_data_to_bg_process("ATTACK", (contains_injection, context))
-            should_block_res = get_comms().send_data_to_bg_process(
-                action="READ_PROPERTY", obj="block", receive=True
-            )
-            if should_block_res["success"] and should_block_res["data"]:
+            if is_blocking_enabled():
                 raise AikidoSQLInjection("SQL Injection [aikido_firewall]")
         return prev_query_function(_self, sql, unbuffered=False)
diff --git a/aikido_firewall/sinks/subprocess.py b/aikido_firewall/sinks/subprocess.py
index b40f86673..53bb9c7a6 100644
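Review bot: The NoSQL sink previously raised `AikidoNoSQLInjection` unconditionally; after this hunk it raises only when `is_blocking_enabled()` is true, so a deployment with blocking turned off changes from blocking NoSQL injections to merely reporting them. That aligns pymongo with the other sinks in this commit, but it is a user-visible enforcement change that deserves a changelog entry and a comment at the new branch, e.g. `# Reported always, blocked only when the background process has blocking enabled (fail open)`. `wrapped_operation_function` starts outside the hunk.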
--- a/aikido_firewall/sinks/subprocess.py
+++ b/aikido_firewall/sinks/subprocess.py
@@ -12,6 +12,7 @@ from aikido_firewall.helpers.logging import logger
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoShellInjection
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 SUBPROCESS_OPERATIONS = ["call", "run", "check_call", "Popen", "check_output"]
@@ -39,10 +40,7 @@ def aikido_new_func(*args, op=op, former_func=former_func, **kwargs):
             logger.debug("Shell injection results : %s", json.dumps(contains_injection))
             if contains_injection:
                 get_comms().send_data_to_bg_process("ATTACK", (contains_injection, context))
-                should_block_res = get_comms().send_data_to_bg_process(
-                    action="READ_PROPERTY", obj="block", receive=True
-                )
-                if should_block_res["success"] and should_block_res["data"]:
+                if is_blocking_enabled():
                     raise AikidoShellInjection()
             return former_func(*args, **kwargs)
diff --git a/aikido_firewall/vulnerabilities/ssrf/inspect_getaddrinfo_result.py b/aikido_firewall/vulnerabilities/ssrf/inspect_getaddrinfo_result.py
index 5a40f0dfc..369c8fa6e 100644
--- a/aikido_firewall/vulnerabilities/ssrf/inspect_getaddrinfo_result.py
+++ b/aikido_firewall/vulnerabilities/ssrf/inspect_getaddrinfo_result.py
@@ -8,6 +8,7 @@ from aikido_firewall.helpers.logging import logger
 from aikido_firewall.background_process import get_comms
 from aikido_firewall.errors import AikidoSSRF
+from aikido_firewall.helpers.blocking_enabled import is_blocking_enabled
 from .imds import is_trusted_hostname, is_imds_ip_address
 from .is_private_ip import is_private_ip
 from .find_hostname_in_context import find_hostname_in_context
@@ -23,17 +24,12 @@ def inspect_getaddrinfo_result(dns_results, hostname, port):
     context = get_current_context()
-    should_block_res = get_comms().send_data_to_bg_process(
-        action="READ_PROPERTY", obj="block", receive=True
-    )
-    should_block = should_block_res["success"] and should_block_res["data"]
-
     ip_addresses = extract_ip_array_from_results(dns_results)
     if resolves_to_imds_ip(ip_addresses, hostname):
         # Block stored SSRF attack that target IMDS IP addresses
         # An attacker could have stored a hostname in a database that points to an IMDS IP address
         # We don't check if the user input contains the hostname because there's no context
-        if should_block:
+        if is_blocking_enabled():
             raise AikidoSSRF()
     if not context:
@@ -47,6 +43,7 @@ def inspect_getaddrinfo_result(dns_results, hostname, port):
     if not found:
         return
+    should_block = is_blocking_enabled()
     stack = " ".join(traceback.format_stack())
     attack = {
         "module": "socket",