console1984 0.1.13 → 0.1.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78f591775f469668e6d50741f421c188e048e42942ce4a9c9c707e9a34328c69
-  data.tar.gz: 190d0069e0bc4268400e59f1884539403233fd66fb873892d41ecf5e3d888323
+  metadata.gz: 58a963520fed8a86952cee9b02443b61d42ac4bf0a80d1abaabfd3ff390f431b
+  data.tar.gz: a63a68db2a2e46a129f4f97f79a59b41a88fe98ecb9d6028d67ca0e8d4b1e6fa
 SHA512:
-  metadata.gz: d6930e488260091857f8f2196ef88ec3c364391de1b1a9e9385a246153c80a1b5c7cd3cafd76d988d54f3ded5b4b3f66b2ae1d9735cc5ebeacadabd4a3bbe12e
-  data.tar.gz: 19746bce408667fb06d48e5a98032999e46a44b47f3620d510b5ce4a707a9414c76f57b996d5a707372bf533b5904aa2af19bd0b9c2866fc8d00e4b2e5228f70
+  metadata.gz: 2bb93f84dc7e078b4d357739b337b2277fce627408cb619c816a04fc94db7451faf7d2095d0861ca211726ce973481161ae47c4add5e185c8813904462d1c011
+  data.tar.gz: d1b623b30f72e49d744934e4623159bfabf5cd7b9a4fab94fc08c26c30fc8bf1115bd70bf4b92b12609874d6ab75dc0d978663079745df2b9b1e238cadaf11ed

data/README.md

@@ -155,9 +155,9 @@ These config options are namespaced in `config.console1984`:
 
 ## About built-in protection mechanisms
 
-`console1984` uses Ruby to add several protection mechanisms. However, because Ruby is highly dynamic, it's technically possible to circumvent most of these controls if you know what you are doing. We have made an effort to prevent such attempts, but if your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures.
+`console1984` adds many protection mechanisms to prevent tampering. This includes attempts to alter data in auditing tables or monkey patching certain classes to change how the system works. If you find a way to circumvent these tampering controls, please [report an issue](https://github.com/basecamp/console1984/issues).
 
-The current version includes protection mechanisms to avoid tampering the tables that store console sessions. A bullet-proof mechanism would be using a read only connection when user commands are evaluated. Implementing such scheme is possible by writing a custom session logger and leveraging Rails' multi-database support. We would like that future versions of `console1984` supported this scheme directly as a configuration option.
+We aim to make these defense mechanisms as robust as possible, but there might always be open doors because Ruby is highly dynamic. If your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures. An example would be using a read-only database user for auditing data while in a console. The gem doesn't offer direct support for doing this, but it's on our radar for future improvement.
 
 ## Running the test suite
 

data/config/protections.yml

@@ -5,6 +5,7 @@ validations:
     - PG
     - Mysql2
     - IRB
+    - Parser
   forbidden_constant_reference:
     always:
       - Console1984

data/lib/console1984/command_executor.rb

@@ -10,6 +10,7 @@ class Console1984::CommandExecutor
   include Console1984::Freezeable
 
   delegate :username_resolver, :session_logger, :shield, to: Console1984
+  attr_reader :last_suspicious_command_error
 
   # Logs and validates +commands+, and executes the passed block in a protected environment.
   #
@@ -19,14 +20,14 @@ class Console1984::CommandExecutor
     run_as_system { session_logger.before_executing commands }
     validate_command commands
     execute_in_protected_mode(&block)
-  rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError
-    flag_suspicious(commands)
-  rescue Console1984::Errors::SuspiciousCommandAttempted
-    flag_suspicious(commands)
+  rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError => error
+    flag_suspicious(commands, error: error)
+  rescue Console1984::Errors::SuspiciousCommandAttempted => error
+    flag_suspicious(commands, error: error)
     execute_in_protected_mode(&block)
-  rescue Console1984::Errors::ForbiddenCommandExecuted
+  rescue Console1984::Errors::ForbiddenCommandExecuted => error
     # We detected that a forbidden command was executed. We exit IRB right away.
-    flag_suspicious(commands)
+    flag_suspicious(commands, error: error)
     Console1984.supervisor.exit_irb
   ensure
     run_as_system { session_logger.after_executing commands }
@@ -70,11 +71,7 @@ class Console1984::CommandExecutor
   end
 
   def from_irb?(backtrace)
-    executing_user_command? && backtrace.find do |line|
-      line_from_irb = line =~ /^[^\/]/
-      break if !(line =~ /console1984\/lib/ || line_from_irb)
-      line_from_irb
-    end
+    executing_user_command? && backtrace.first.to_s =~ /^[^\/]/
   end
 
   private
@@ -86,9 +83,10 @@ class Console1984::CommandExecutor
       Console1984::CommandValidator.from_config(Console1984.protections_config.validations)
     end
 
-    def flag_suspicious(commands)
+    def flag_suspicious(commands, error: nil)
       puts "Forbidden command attempted: #{commands.join("\n")}"
       run_as_system { session_logger.suspicious_commands_attempted commands }
+      @last_suspicious_command_error = error
       nil
     end
 

data/lib/console1984/ext/core/module.rb

@@ -6,7 +6,7 @@ module Console1984::Ext::Core::Module
   extend ActiveSupport::Concern
 
   def instance_eval(*)
-    if Console1984.command_executor.executing_user_command?
+    if Console1984.command_executor.from_irb?(caller)
       raise Console1984::Errors::ForbiddenCommandAttempted
     else
       super

data/lib/console1984/ext/core/object.rb

@@ -16,7 +16,7 @@ module Console1984::Ext::Core::Object
 
   class_methods do
     def const_get(*arguments)
-      if Console1984.command_executor.executing_user_command?
+      if Console1984.command_executor.from_irb?(caller)
         begin
           # To validate if it's an invalid constant, we try to declare a class with it.
           # We essentially leverage Console1984::CommandValidator::ForbiddenReopeningValidation here:

data/lib/console1984/ext/core/string.rb

@@ -0,0 +1,24 @@
+# Prevents loading forbidden classes dynamically.
+#
+# See extension to +Console1984::Ext::Core::Object#const_get+.
+module Console1984::Ext::Core::String
+  extend ActiveSupport::Concern
+
+  include Console1984::Freezeable
+  self.prevent_instance_data_manipulation_after_freezing = false
+
+  def constantize
+    if Console1984.command_executor.from_irb?(caller)
+      begin
+        Console1984.command_executor.validate_command("class #{self}; end")
+        super
+      rescue Console1984::Errors::ForbiddenCommandAttempted
+        raise
+      rescue StandardError
+        super
+      end
+    else
+      super
+    end
+  end
+end

data/lib/console1984/ext/irb/commands.rb

@@ -13,4 +13,13 @@ module Console1984::Ext::Irb::Commands
   def encrypt!
     shield.enable_protected_mode
   end
+
+  # This returns the last error that prevented a command execution in the console
+  # or nil if there isn't any.
+  #
+  # This is meant for internal usage when debugging legit commands that are wrongly
+  # prevented.
+  def _console_last_suspicious_command_error
+    Console1984.command_executor.last_suspicious_command_error
+  end
 end

data/lib/console1984/refrigerator.rb

@@ -11,6 +11,11 @@ class Console1984::Refrigerator
   end
 
   private
+    def eager_load_all_classes
+      Rails.application.eager_load! unless Rails.application.config.eager_load
+      Console1984.class_loader.eager_load
+    end
+
     def freeze_internal_instances
       Console1984.config.freeze unless Console1984.config.test_mode
     end
@@ -23,9 +28,4 @@ class Console1984::Refrigerator
       # Not using a constant because we want this to run lazily (console-dependant dependencies might not be loaded).
       [Parser::CurrentRuby]
     end
-
-    def eager_load_all_classes
-      Rails.application.eager_load! unless Rails.application.config.eager_load
-      Console1984.class_loader.eager_load
-    end
 end

data/lib/console1984/shield.rb

@@ -40,6 +40,7 @@ class Console1984::Shield
     def extend_core_ruby
       Object.prepend Console1984::Ext::Core::Object
       Module.prepend Console1984::Ext::Core::Module
+      String.prepend Console1984::Ext::Core::String
     end
 
     def extend_sockets

data/lib/console1984/version.rb

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.13'
+  VERSION = '0.1.17'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.13
+  version: 0.1.17
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-10 00:00:00.000000000 Z
+date: 2021-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activeresource
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -211,6 +225,7 @@ files:
 - lib/console1984/ext/active_record/protected_auditable_tables.rb
 - lib/console1984/ext/core/module.rb
 - lib/console1984/ext/core/object.rb
+- lib/console1984/ext/core/string.rb
 - lib/console1984/ext/irb/commands.rb
 - lib/console1984/ext/irb/context.rb
 - lib/console1984/ext/socket/tcp_socket.rb