
Count 404 requests with foreign extensions as attack wave scans #292

Open: bitterpanda63 wants to merge 1 commit into main from fix/attack-wave-foreign-extension-404

Conversation

@bitterpanda63 (Member) commented Jun 1, 2026

Summary

  • Ports "Count 404 requests with foreign extensions as scans" (firewall-node#1041) to Ruby
  • Requests to foreign-platform extensions (php, php3, php4, php5, phtml, java, jsp, jspx) are only counted as scan hits when the HTTP response status is 404
  • A 200 response may mean the Ruby app is proxying to a PHP/Java backend, so those requests should not be flagged as scanning behaviour

Changes

  • lib/aikido/zen/attack_wave/helpers.rb: Added FOREIGN_EXTENSIONS set; updated suspicious_path? and web_scanner? to accept and use status_code
  • lib/aikido/zen/attack_wave.rb: Updated Detector#attack_wave? to accept and forward status_code
  • lib/aikido/zen/middleware/attack_wave_protector.rb: Extracts status_code from the Rack response and passes it through protect → attack_wave? → detector
  • test/aikido/zen/attack_wave_test.rb: Added HelpersTest covering the 404-only and always-suspicious behaviours

Test plan

  • suspicious_path?("/admin.php", 404) → true
  • suspicious_path?("/admin.php", 200) → false
  • suspicious_path?("/app.jsp", 404) → true
  • Always-suspicious extensions (.sql, .db, .bak) still return true regardless of status
  • Suspicious file names (e.g. wp-config.php) still return true regardless of status
  • Run bundle exec rake test and confirm no regressions

🤖 Generated with Claude Code
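As an added example (not code from the firewall-ruby project), here is a stand-alone Ruby model of the suspicious_path? rule the test plan above describes, plus a Rack-style helper that takes the status from the response triple. The foreign-extension list is the one given in the PR; the AttackWaveDemo module name and the always-suspicious extension and file-name lists are assumptions chosen to match the test plan, not the library's real lists.

```ruby
# Added example, not the firewall-ruby project's own code: models the
# "foreign extension counts as a scan only on 404" rule from this PR.
require "set"

module AttackWaveDemo
  # Extensions a Ruby app never serves legitimately (assumed list): a
  # request for one is scanning behaviour whatever the response status.
  SUSPICIOUS_FILE_EXTENSIONS = Set.new(%w[sql db bak]).freeze

  # Extensions belonging to other platforms (list taken from the PR). Only a
  # 404 marks them as a scan: a 200 may mean the Ruby app is proxying to a
  # PHP/Java backend that really serves the file.
  FOREIGN_EXTENSIONS = Set.new(%w[php php3 php4 php5 phtml java jsp jspx]).freeze

  # Well-known probe targets flagged regardless of status (assumed list).
  SUSPICIOUS_FILE_NAMES = Set.new(%w[wp-config.php .env]).freeze

  # Returns true when the request path looks like a scanner probe.
  # status_code is the HTTP status the app actually returned for it.
  def self.suspicious_path?(path, status_code)
    # Drop any query string, then take the last path segment, case-insensitively.
    file_name = path.to_s.split("?", 2).first.to_s.split("/").last.to_s.downcase
    return false if file_name.empty?
    return true if SUSPICIOUS_FILE_NAMES.include?(file_name)

    ext = File.extname(file_name).delete_prefix(".")
    return false if ext.empty?
    return true if SUSPICIOUS_FILE_EXTENSIONS.include?(ext)

    # Foreign extension: a scan hit only when nothing served the file.
    return false unless FOREIGN_EXTENSIONS.include?(ext)
    status_code.to_i == 404
  end

  # Rack-style helper: pull the status out of a [status, headers, body]
  # response triple and classify the request that produced it.
  def self.scan_hit?(env, response)
    suspicious_path?(env["PATH_INFO"], response[0])
  end
end
```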

Summary by Aikido

Security Issues: 0 🔍 Quality Issues: 1 Resolved Issues: 0

⚡ Enhancements

  • Flagged foreign extensions as scans only on 404; updated detector and tests


Ports AikidoSec/firewall-node#1041 to Ruby. Requests to foreign-platform
extensions (php, java, jsp, etc.) are only counted as scan hits when the
response status is 404 — a 200 response may indicate the Ruby app is
proxying to a PHP/Java backend rather than serving the file itself.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

```ruby
return true if SUSPICIOUS_FILE_EXTENSIONS.include?(file_extension)

return true if FOREIGN_EXTENSIONS.include?(file_extension) && status_code == 404
```

@aikido-pr-checks (Bot) commented Jun 1, 2026

Avoid a chained condition in the nested file_name branch. Split FOREIGN_EXTENSIONS check and status_code check into clearer guard/early-return steps to reduce nesting and improve readability.

Suggested change:

```diff
-return true if FOREIGN_EXTENSIONS.include?(file_extension) && status_code == 404
+if FOREIGN_EXTENSIONS.include?(file_extension)
+  return true if status_code == 404
+end
```

✨ AI Reasoning
The change inserted a new return that combines two checks with && inside the nested file_name branch, increasing branching complexity in a block that already contains multiple return-true checks. Separating these into explicit guard checks (e.g., check file_extension membership first, then check status_code) or inverting the condition into an early-return/guard would flatten nesting and improve readability and maintainability.


@codecov (Bot) commented Jun 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
