Class: Aikido::Zen::Middleware::RequestTracker

Inherits:
Object
Defined in:
lib/aikido/zen/middleware/request_tracker.rb

Overview

Rack middleware that records every request and decides which of them are worth reporting as discovered API routes. It implements the filtering rules that determine whether a route is considered worthy of being tracked (see #track?).

Constant Summary

IGNORED_METHODS =
%w[OPTIONS HEAD]
IGNORED_EXTENSIONS =
%w[properties config webmanifest]
IGNORED_SEGMENTS =
["cgi-bin"]
WELL_KNOWN_URIS =
%w[
  /.well-known/acme-challenge
  /.well-known/amphtml
  /.well-known/api-catalog
  /.well-known/appspecific
  /.well-known/ashrae
  /.well-known/assetlinks.json
  /.well-known/broadband-labels
  /.well-known/brski
  /.well-known/caldav
  /.well-known/carddav
  /.well-known/change-password
  /.well-known/cmp
  /.well-known/coap
  /.well-known/coap-eap
  /.well-known/core
  /.well-known/csaf
  /.well-known/csaf-aggregator
  /.well-known/csvm
  /.well-known/did.json
  /.well-known/did-configuration.json
  /.well-known/dnt
  /.well-known/dnt-policy.txt
  /.well-known/dots
  /.well-known/ecips
  /.well-known/edhoc
  /.well-known/enterprise-network-security
  /.well-known/enterprise-transport-security
  /.well-known/est
  /.well-known/genid
  /.well-known/gnap-as-rs
  /.well-known/gpc.json
  /.well-known/gs1resolver
  /.well-known/hoba
  /.well-known/host-meta
  /.well-known/host-meta.json
  /.well-known/hosting-provider
  /.well-known/http-opportunistic
  /.well-known/idp-proxy
  /.well-known/jmap
  /.well-known/keybase.txt
  /.well-known/knx
  /.well-known/looking-glass
  /.well-known/masque
  /.well-known/matrix
  /.well-known/mercure
  /.well-known/mta-sts.txt
  /.well-known/mud
  /.well-known/nfv-oauth-server-configuration
  /.well-known/ni
  /.well-known/nodeinfo
  /.well-known/nostr.json
  /.well-known/oauth-authorization-server
  /.well-known/oauth-protected-resource
  /.well-known/ohttp-gateway
  /.well-known/openid-federation
  /.well-known/open-resource-discovery
  /.well-known/openid-configuration
  /.well-known/openorg
  /.well-known/oslc
  /.well-known/pki-validation
  /.well-known/posh
  /.well-known/privacy-sandbox-attestations.json
  /.well-known/private-token-issuer-directory
  /.well-known/probing.txt
  /.well-known/pvd
  /.well-known/rd
  /.well-known/related-website-set.json
  /.well-known/reload-config
  /.well-known/repute-template
  /.well-known/resourcesync
  /.well-known/sbom
  /.well-known/security.txt
  /.well-known/ssf-configuration
  /.well-known/sshfp
  /.well-known/stun-key
  /.well-known/terraform.json
  /.well-known/thread
  /.well-known/time
  /.well-known/timezone
  /.well-known/tdmrep.json
  /.well-known/tor-relay
  /.well-known/tpcd
  /.well-known/traffic-advice
  /.well-known/trust.txt
  /.well-known/uma2-configuration
  /.well-known/void
  /.well-known/webfinger
  /.well-known/webweaver.json
  /.well-known/wot
]

Instance Method Summary

Constructor Details

#initialize(app) ⇒ RequestTracker

Returns a new instance of RequestTracker.

# File 'lib/aikido/zen/middleware/request_tracker.rb', line 8

def initialize(app)
  @app = app
end

Instance Method Details

#call(env) ⇒ Object

# File 'lib/aikido/zen/middleware/request_tracker.rb', line 12

def call(env)
  request = Aikido::Zen::Middleware.request_from(env)
  response = @app.call(env)

  Aikido::Zen.track_request request

  if Aikido::Zen.config.collect_api_schema? && request.route && track?(
    status_code: response[0],
    route: request.route.path,
    http_method: request.request_method
  )
    Aikido::Zen.track_discovered_route(request)
  end

  response
end

#track?(status_code:, route:, http_method:) ⇒ Boolean

Parameters:

  • status_code (Integer)
  • route (String)
  • http_method (String)

Returns:

  • (Boolean)

# File 'lib/aikido/zen/middleware/request_tracker.rb', line 127

def track?(status_code:, route:, http_method:)
  # In the UI we want to show only successful (2xx) or redirect (3xx) responses
  # anything else is discarded.
  return false unless status_code >= 200 && status_code <= 399

  return false if IGNORED_METHODS.include?(http_method)

  segments = route.split "/"

  # Do not discover routes with dot files like `/path/to/.file` or `/.directory/file`
  # We want to allow discovery of well-known URIs like `/.well-known/acme-challenge`
  return false if segments.any? { |s| is_dot_file s } && !is_well_known_uri(route)

  return false if segments.any? { |s| contains_ignored_string s }

  # Check for every file segment if it contains a file extension and if it
  # should be discovered or ignored
  segments.all? { |s| should_track_extension s }
end
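The page shows #track? but not the four private helpers it relies on (is_dot_file, is_well_known_uri, contains_ignored_string, should_track_extension). The following is an added, stand-alone re-implementation of the same filter, not code from the aikido-zen gem: the public constants and the body of track? mirror the page, while the helper bodies, the shortened WELL_KNOWN_URIS list and the sample request tuples are assumptions made for illustration. In particular, the extension rule here only honours IGNORED_EXTENSIONS; the real helper may apply further rules the page does not show.

```ruby
# Added example (not the gem's own code): route-discovery filter with
# assumed implementations of the helpers that the page leaves out.
module RouteFilter
  IGNORED_METHODS = %w[OPTIONS HEAD].freeze
  IGNORED_EXTENSIONS = %w[properties config webmanifest].freeze
  IGNORED_SEGMENTS = ["cgi-bin"].freeze
  # Short subset of the page's WELL_KNOWN_URIS list, enough for the samples below.
  WELL_KNOWN_URIS = %w[
    /.well-known/acme-challenge
    /.well-known/openid-configuration
    /.well-known/security.txt
    /.well-known/webfinger
  ].freeze

  # Constructed sample of [status, route, method] tuples as a Rails app might
  # report them to the middleware; not real traffic.
  SAMPLE_REQUESTS = [
    [200, "/users/:id", "GET"],
    [302, "/login", "POST"],
    [404, "/missing", "GET"],
    [200, "/users", "HEAD"],
    [200, "/.env", "GET"],
    [200, "/.well-known/security.txt", "GET"],
    [200, "/.well-known/acme-challenge/:token", "GET"],
    [200, "/cgi-bin/status", "GET"],
    [200, "/app.webmanifest", "GET"],
    [200, "/reports/:id.pdf", "GET"]
  ].freeze

  module_function

  # Same decision procedure as the documented #track?.
  def track?(status_code:, route:, http_method:)
    # Only successful (2xx) and redirect (3xx) responses are discovered.
    return false unless status_code >= 200 && status_code <= 399
    return false if IGNORED_METHODS.include?(http_method)

    segments = route.split("/")

    # Dot files (/.env, /.git/config) are never discovered unless the route
    # is one of the registered well-known URIs.
    return false if segments.any? { |s| dot_file?(s) } && !well_known_uri?(route)
    return false if segments.any? { |s| contains_ignored_string?(s) }

    segments.all? { |s| track_extension?(s) }
  end

  # Assumption: a segment is a dot file when it starts with ".".
  def dot_file?(segment)
    segment.start_with?(".")
  end

  # Assumption: the route is well-known when it equals, or sits below,
  # one of the WELL_KNOWN_URIS prefixes ("/.well-known/acme-challenge/:token").
  def well_known_uri?(route)
    WELL_KNOWN_URIS.any? { |prefix| route == prefix || route.start_with?("#{prefix}/") }
  end

  # Assumption: substring match against IGNORED_SEGMENTS.
  def contains_ignored_string?(segment)
    IGNORED_SEGMENTS.any? { |ignored| segment.include?(ignored) }
  end

  # Assumption: a segment is tracked unless its file extension is listed in
  # IGNORED_EXTENSIONS; segments without an extension are always tracked.
  def track_extension?(segment)
    ext = File.extname(segment).delete_prefix(".")
    return true if ext.empty?

    !IGNORED_EXTENSIONS.include?(ext)
  end

  # Returns the routes from the sample that would be reported as discovered.
  def discovered_routes(requests = SAMPLE_REQUESTS)
    requests
      .select { |status, route, method| track?(status_code: status, route: route, http_method: method) }
      .map { |_, route, _| route }
  end
end

puts RouteFilter.discovered_routes.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the five routes that survive the filter: /users/:id, /login, the two well-known routes and /reports/:id.pdf; the 404, the HEAD request, /.env, /cgi-bin/status and /app.webmanifest are dropped. The /reports/:id.pdf case is kept only because the assumed extension rule blocks nothing beyond IGNORED_EXTENSIONS.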