console1984 0.1.15 → 0.1.19

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26a59332236edcf9b00811ef8fe7a7d6e3667763d0a58771bb09a5ef3935a64c
-  data.tar.gz: 03a89cc1fedb6e0837941730afb811a1e0f3f6b13393778e81993a5c577162c4
+  metadata.gz: 4341afd03a8560ccada70b03687e27a3e7b36aad9ee0e2ec914861df4c9457c8
+  data.tar.gz: 9f304ed8cc187d1ab43eb393b6c7ddba38855de5dea6793f4abb3ba6a1394dad
 SHA512:
-  metadata.gz: f21b2f38b9d1d1f136f7d3f83dac67cedd49fa47343e98b365c083aa58485d2a61aa0959ab8e9c6ff3086120b72bc6122e8a2c55f319419e812923e92badaf74
-  data.tar.gz: 50e7fdea76f8128744486dd5fddf59fd216118b7db7e51ff8c42aec0ff427fe720e94ffd308b95a6fee5c80b356dbf062e3802e1eaaac9829ac0a60e2d9c3742
+  metadata.gz: cdb5812e2a23ff74037eb7290ec5960ba593b8cd999031275a4fdfbe26ec3186d195744190e575c31768b8307058bce13110980ba46083d3889f2d76af59de38
+  data.tar.gz: c738ea7bf36946273ab054aa2cf4cd33d0186fc8251b9ec6303bdd156d9851ac2203a62c213f97f081a200e63511844e6cb2d72fbae192f07b16227d60c03c00

data/README.md

@@ -35,6 +35,9 @@ By default, console1984 is only enabled in `production`. You can configure the t
 config.console1984.protected_environments = %i[ production staging ]
 ```
 
+Finally, you need to [configure Active Record Encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html#setup) in your
+project. This is because the library stores the tracked console commands encrypted.
+
 ## How it works
 
 ### Session activity logging
@@ -155,9 +158,9 @@ These config options are namespaced in `config.console1984`:
 
 ## About built-in protection mechanisms
 
-`console1984` uses Ruby to add several protection mechanisms. However, because Ruby is highly dynamic, it's technically possible to circumvent most of these controls if you know what you are doing. We have made an effort to prevent such attempts, but if your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures.
+`console1984` adds many protection mechanisms to prevent tampering. This includes attempts to alter data in auditing tables or monkey patching certain classes to change how the system works. If you find a way to circumvent these tampering controls, please [report an issue](https://github.com/basecamp/console1984/issues).
 
-The current version includes protection mechanisms to avoid tampering the tables that store console sessions. A bullet-proof mechanism would be using a read only connection when user commands are evaluated. Implementing such scheme is possible by writing a custom session logger and leveraging Rails' multi-database support. We would like that future versions of `console1984` supported this scheme directly as a configuration option.
+We aim to make these defense mechanisms as robust as possible, but there might always be open doors because Ruby is highly dynamic. If your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures. An example would be using a read-only database user for auditing data while in a console. The gem doesn't offer direct support for doing this, but it's on our radar for future improvement.
 
 ## Running the test suite
 

data/app/models/console1984/session/incineratable.rb

@@ -25,6 +25,6 @@ module Console1984::Session::Incineratable
     end
 
     def earliest_possible_incineration_date
-      created_at + Console1984.incinerate_after
+      created_at + Console1984.incinerate_after - 1.second
     end
 end

data/lib/console1984/command_executor.rb

@@ -10,6 +10,7 @@ class Console1984::CommandExecutor
   include Console1984::Freezeable
 
   delegate :username_resolver, :session_logger, :shield, to: Console1984
+  attr_reader :last_suspicious_command_error
 
   # Logs and validates +commands+, and executes the passed block in a protected environment.
   #
@@ -19,14 +20,14 @@ class Console1984::CommandExecutor
     run_as_system { session_logger.before_executing commands }
     validate_command commands
     execute_in_protected_mode(&block)
-  rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError
-    flag_suspicious(commands)
-  rescue Console1984::Errors::SuspiciousCommandAttempted
-    flag_suspicious(commands)
+  rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError => error
+    flag_suspicious(commands, error: error)
+  rescue Console1984::Errors::SuspiciousCommandAttempted => error
+    flag_suspicious(commands, error: error)
     execute_in_protected_mode(&block)
-  rescue Console1984::Errors::ForbiddenCommandExecuted
+  rescue Console1984::Errors::ForbiddenCommandExecuted => error
     # We detected that a forbidden command was executed. We exit IRB right away.
-    flag_suspicious(commands)
+    flag_suspicious(commands, error: error)
     Console1984.supervisor.exit_irb
   ensure
     run_as_system { session_logger.after_executing commands }
@@ -70,11 +71,7 @@ class Console1984::CommandExecutor
   end
 
   def from_irb?(backtrace)
-    executing_user_command? && backtrace.find do |line|
-      line_from_irb = line =~ /^[^\/]/
-      break if !(line =~ /console1984\/lib/ || line_from_irb)
-      line_from_irb
-    end
+    executing_user_command? && backtrace.first.to_s =~ /^[^\/]/
   end
 
   private
@@ -86,9 +83,10 @@ class Console1984::CommandExecutor
       Console1984::CommandValidator.from_config(Console1984.protections_config.validations)
     end
 
-    def flag_suspicious(commands)
+    def flag_suspicious(commands, error: nil)
       puts "Forbidden command attempted: #{commands.join("\n")}"
       run_as_system { session_logger.suspicious_commands_attempted commands }
+      @last_suspicious_command_error = error
       nil
     end
 

data/lib/console1984/ext/active_record/protected_auditable_tables.rb

@@ -5,7 +5,7 @@ module Console1984::Ext::ActiveRecord::ProtectedAuditableTables
   %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
     define_method method do |*args, **kwargs|
       sql = args.first
-      if Console1984.command_executor.executing_user_command? && sql =~ auditable_tables_regexp
+      if Console1984.command_executor.executing_user_command? && sql.b =~ auditable_tables_regexp
         raise Console1984::Errors::ForbiddenCommandAttempted, "#{sql}"
       else
         super(*args, **kwargs)

data/lib/console1984/ext/core/object.rb

@@ -16,7 +16,7 @@ module Console1984::Ext::Core::Object
 
   class_methods do
     def const_get(*arguments)
-      if Console1984.command_executor.executing_user_command?
+      if Console1984.command_executor.from_irb?(caller)
         begin
           # To validate if it's an invalid constant, we try to declare a class with it.
           # We essentially leverage Console1984::CommandValidator::ForbiddenReopeningValidation here:

data/lib/console1984/ext/core/string.rb

@@ -0,0 +1,24 @@
+# Prevents loading forbidden classes dynamically.
+#
+# See extension to +Console1984::Ext::Core::Object#const_get+.
+module Console1984::Ext::Core::String
+  extend ActiveSupport::Concern
+
+  include Console1984::Freezeable
+  self.prevent_instance_data_manipulation_after_freezing = false
+
+  def constantize
+    if Console1984.command_executor.from_irb?(caller)
+      begin
+        Console1984.command_executor.validate_command("class #{self}; end")
+        super
+      rescue Console1984::Errors::ForbiddenCommandAttempted
+        raise
+      rescue StandardError
+        super
+      end
+    else
+      super
+    end
+  end
+end

data/lib/console1984/ext/irb/commands.rb

@@ -13,4 +13,13 @@ module Console1984::Ext::Irb::Commands
   def encrypt!
     shield.enable_protected_mode
   end
+
+  # This returns the last error that prevented a command execution in the console
+  # or nil if there isn't any.
+  #
+  # This is meant for internal usage when debugging legit commands that are wrongly
+  # prevented.
+  def _console_last_suspicious_command_error
+    Console1984.command_executor.last_suspicious_command_error
+  end
 end

data/lib/console1984/ext/socket/tcp_socket.rb

@@ -2,13 +2,13 @@
 module Console1984::Ext::Socket::TcpSocket
   include Console1984::Freezeable
 
-  def write(*args)
+  def write(...)
     protecting do
       super
     end
   end
 
-  def write_nonblock(*args)
+  def write_nonblock(...)
     protecting do
       super
     end

data/lib/console1984/shield.rb

@@ -40,6 +40,7 @@ class Console1984::Shield
     def extend_core_ruby
       Object.prepend Console1984::Ext::Core::Object
       Module.prepend Console1984::Ext::Core::Module
+      String.prepend Console1984::Ext::Core::String
     end
 
     def extend_sockets
@@ -63,7 +64,6 @@ class Console1984::Shield
         if Object.const_defined?(class_string)
           klass = class_string.constantize
           klass.prepend(Console1984::Ext::ActiveRecord::ProtectedAuditableTables)
-          klass.include(Console1984::Freezeable)
         end
       end
     end

data/lib/console1984/version.rb

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.15'
+  VERSION = '0.1.19'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.15
+  version: 0.1.19
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-17 00:00:00.000000000 Z
+date: 2021-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -225,6 +225,7 @@ files:
 - lib/console1984/ext/active_record/protected_auditable_tables.rb
 - lib/console1984/ext/core/module.rb
 - lib/console1984/ext/core/object.rb
+- lib/console1984/ext/core/string.rb
 - lib/console1984/ext/irb/commands.rb
 - lib/console1984/ext/irb/context.rb
 - lib/console1984/ext/socket/tcp_socket.rb
@@ -260,7 +261,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="