console1984 0.1.8 → 0.1.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/config/protections.yml +13 -12
- data/lib/console1984/command_executor.rb +15 -3
- data/lib/console1984/command_validator/forbidden_constant_reference_validation.rb +2 -2
- data/lib/console1984/command_validator/forbidden_reopening_validation.rb +2 -2
- data/lib/console1984/command_validator/parsed_command.rb +1 -1
- data/lib/console1984/command_validator/suspicious_terms_validation.rb +1 -1
- data/lib/console1984/command_validator.rb +1 -1
- data/lib/console1984/errors.rb +6 -2
- data/lib/console1984/ext/active_record/protected_auditable_tables.rb +1 -1
- data/lib/console1984/ext/core/module.rb +18 -1
- data/lib/console1984/ext/core/object.rb +1 -1
- data/lib/console1984/freezeable.rb +1 -1
- data/lib/console1984/protections_config.rb +2 -2
- data/lib/console1984/refrigerator.rb +0 -4
- data/lib/console1984/shield/method_invocation_shell.rb +6 -12
- data/lib/console1984/supervisor.rb +5 -0
- data/lib/console1984/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2f1312b244e339b0196d4baa80fc989ed3871cd722f166a278f4877ca1dee4da
|
|
4
|
+
data.tar.gz: a66ab76f426a50cb99c4de2223d420c9d2d246b5dd0a6ec8f1712deca56244f9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d46797d8751dde38fccb25fef4e86e3a8ee42b17251d932e5cbc9ffc381bba2bd42c2a946ce8e7e867ff8e6270700dec73d8425534f52970c87bffbc682365f8
|
|
7
|
+
data.tar.gz: cd1a43abe5170dfb94a83ed375b8517b4263354ba30a53cb2287f3ffd240ab18984134df79801657fcb07fea1826d6fc3f978f6ae752c013ead820330d8e024a
|
data/config/protections.yml
CHANGED
|
@@ -1,12 +1,14 @@
|
|
|
1
|
-
|
|
1
|
+
validations:
|
|
2
2
|
forbidden_reopening:
|
|
3
3
|
- ActiveRecord
|
|
4
4
|
- Console1984
|
|
5
5
|
- PG
|
|
6
6
|
- Mysql2
|
|
7
|
+
- IRB
|
|
7
8
|
forbidden_constant_reference:
|
|
8
9
|
always:
|
|
9
10
|
- Console1984
|
|
11
|
+
- IRB
|
|
10
12
|
protected:
|
|
11
13
|
- PG
|
|
12
14
|
- Mysql2
|
|
@@ -16,15 +18,14 @@ static_validations:
|
|
|
16
18
|
- Console1984
|
|
17
19
|
- secret
|
|
18
20
|
- credentials
|
|
21
|
+
- irb
|
|
19
22
|
forbidden_methods:
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
Module:
|
|
30
|
-
- class_eval
|
|
23
|
+
Kernel:
|
|
24
|
+
- eval
|
|
25
|
+
Object:
|
|
26
|
+
- eval
|
|
27
|
+
BasicObject:
|
|
28
|
+
- eval
|
|
29
|
+
- instance_eval
|
|
30
|
+
Module:
|
|
31
|
+
- class_eval
|
|
@@ -19,11 +19,15 @@ class Console1984::CommandExecutor
|
|
|
19
19
|
run_as_system { session_logger.before_executing commands }
|
|
20
20
|
validate_command commands
|
|
21
21
|
execute_in_protected_mode(&block)
|
|
22
|
-
rescue Console1984::Errors::
|
|
22
|
+
rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError
|
|
23
23
|
flag_suspicious(commands)
|
|
24
|
-
rescue Console1984::Errors::
|
|
24
|
+
rescue Console1984::Errors::SuspiciousCommandAttempted
|
|
25
25
|
flag_suspicious(commands)
|
|
26
26
|
execute_in_protected_mode(&block)
|
|
27
|
+
rescue Console1984::Errors::ForbiddenCommandExecuted
|
|
28
|
+
# We detected that a forbidden command was executed. We exit IRB right away.
|
|
29
|
+
flag_suspicious(commands)
|
|
30
|
+
Console1984.supervisor.exit_irb
|
|
27
31
|
ensure
|
|
28
32
|
run_as_system { session_logger.after_executing commands }
|
|
29
33
|
end
|
|
@@ -65,13 +69,21 @@ class Console1984::CommandExecutor
|
|
|
65
69
|
command_validator.validate(command)
|
|
66
70
|
end
|
|
67
71
|
|
|
72
|
+
def from_irb?(backtrace)
|
|
73
|
+
executing_user_command? && backtrace.find do |line|
|
|
74
|
+
line_from_irb = line =~ /^[^\/]/
|
|
75
|
+
break if !(line =~ /console1984\/lib/ || line_from_irb)
|
|
76
|
+
line_from_irb
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
|
|
68
80
|
private
|
|
69
81
|
def command_validator
|
|
70
82
|
@command_validator ||= build_command_validator
|
|
71
83
|
end
|
|
72
84
|
|
|
73
85
|
def build_command_validator
|
|
74
|
-
Console1984::CommandValidator.from_config(Console1984.protections_config.
|
|
86
|
+
Console1984::CommandValidator.from_config(Console1984.protections_config.validations)
|
|
75
87
|
end
|
|
76
88
|
|
|
77
89
|
def flag_suspicious(commands)
|
|
@@ -14,11 +14,11 @@ class Console1984::CommandValidator::ForbiddenConstantReferenceValidation
|
|
|
14
14
|
@constant_names_forbidden_in_protected_mode = config[:protected] || []
|
|
15
15
|
end
|
|
16
16
|
|
|
17
|
-
# Raises a Console1984::Errors::
|
|
17
|
+
# Raises a Console1984::Errors::ForbiddenCommandAttempted if a banned constant is referenced.
|
|
18
18
|
def validate(parsed_command)
|
|
19
19
|
if contains_invalid_const_reference?(parsed_command, @forbidden_constants_names) ||
|
|
20
20
|
(@shield.protected_mode? && contains_invalid_const_reference?(parsed_command, @constant_names_forbidden_in_protected_mode))
|
|
21
|
-
raise Console1984::Errors::
|
|
21
|
+
raise Console1984::Errors::ForbiddenCommandAttempted
|
|
22
22
|
end
|
|
23
23
|
end
|
|
24
24
|
|
|
@@ -8,11 +8,11 @@ class Console1984::CommandValidator::ForbiddenReopeningValidation
|
|
|
8
8
|
@banned_class_or_module_names = banned_classes_or_modules.collect(&:to_s)
|
|
9
9
|
end
|
|
10
10
|
|
|
11
|
-
# Raises a Console1984::Errors::
|
|
11
|
+
# Raises a Console1984::Errors::ForbiddenCommandAttempted if an banned class or module reopening
|
|
12
12
|
# is detected.
|
|
13
13
|
def validate(parsed_command)
|
|
14
14
|
if contains_invalid_class_or_module_declaration?(parsed_command)
|
|
15
|
-
raise Console1984::Errors::
|
|
15
|
+
raise Console1984::Errors::ForbiddenCommandAttempted
|
|
16
16
|
end
|
|
17
17
|
end
|
|
18
18
|
|
|
@@ -9,7 +9,7 @@ class Console1984::CommandValidator::SuspiciousTermsValidation
|
|
|
9
9
|
# Raises a Console1984::Errors::SuspiciousCommand if the term is referenced.
|
|
10
10
|
def validate(parsed_command)
|
|
11
11
|
if contains_suspicious_term?(parsed_command)
|
|
12
|
-
raise Console1984::Errors::
|
|
12
|
+
raise Console1984::Errors::SuspiciousCommandAttempted
|
|
13
13
|
end
|
|
14
14
|
end
|
|
15
15
|
|
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
#
|
|
6
6
|
# The validation itself happens as a chain of validation objects. The system will invoke
|
|
7
7
|
# each validation in order. Validations will raise an error if the validation fails (typically
|
|
8
|
-
# a Console1984::Errors::
|
|
8
|
+
# a Console1984::Errors::ForbiddenCommandAttempted or Console1984::Errors::SuspiciousCommands).
|
|
9
9
|
#
|
|
10
10
|
# Internally, validations will receive a Console1984::CommandValidator::ParsedCommand object. This
|
|
11
11
|
# exposes parsed constructs in addition to the raw strings so that validations can use those.
|
data/lib/console1984/errors.rb
CHANGED
|
@@ -10,11 +10,15 @@ module Console1984
|
|
|
10
10
|
|
|
11
11
|
# Attempt to execute a command that is not allowed. The system won't
|
|
12
12
|
# execute such commands and will flag them as sensitive.
|
|
13
|
-
class
|
|
13
|
+
class ForbiddenCommandAttempted < StandardError; end
|
|
14
14
|
|
|
15
15
|
# A suspicious command was executed. The command will be flagged but the system
|
|
16
16
|
# will let it run.
|
|
17
|
-
class
|
|
17
|
+
class SuspiciousCommandAttempted < StandardError; end
|
|
18
|
+
|
|
19
|
+
# A forbidden command was executed. The system will flag the command
|
|
20
|
+
# and exit.
|
|
21
|
+
class ForbiddenCommandExecuted < StandardError; end
|
|
18
22
|
|
|
19
23
|
# Attempt to incinerate a session ahead of time as determined by
|
|
20
24
|
# +config.console1984.incinerate_after+.
|
|
@@ -6,7 +6,7 @@ module Console1984::Ext::ActiveRecord::ProtectedAuditableTables
|
|
|
6
6
|
define_method method do |*args, **kwargs|
|
|
7
7
|
sql = args.first
|
|
8
8
|
if Console1984.command_executor.executing_user_command? && sql =~ auditable_tables_regexp
|
|
9
|
-
raise Console1984::Errors::
|
|
9
|
+
raise Console1984::Errors::ForbiddenCommandAttempted, "#{sql}"
|
|
10
10
|
else
|
|
11
11
|
super(*args, **kwargs)
|
|
12
12
|
end
|
|
@@ -7,9 +7,26 @@ module Console1984::Ext::Core::Module
|
|
|
7
7
|
|
|
8
8
|
def instance_eval(*)
|
|
9
9
|
if Console1984.command_executor.executing_user_command?
|
|
10
|
-
raise Console1984::Errors::
|
|
10
|
+
raise Console1984::Errors::ForbiddenCommandAttempted
|
|
11
11
|
else
|
|
12
12
|
super
|
|
13
13
|
end
|
|
14
14
|
end
|
|
15
|
+
|
|
16
|
+
def method_added(method)
|
|
17
|
+
if Console1984.command_executor.from_irb?(caller) && banned_for_reopening?
|
|
18
|
+
raise Console1984::Errors::ForbiddenCommandExecuted, "Trying to add method `#{method}` to #{self.name}"
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
private
|
|
23
|
+
def banned_for_reopening?
|
|
24
|
+
classes_and_modules_banned_for_reopening.find do |banned_class_or_module_name|
|
|
25
|
+
"#{self.name}::".start_with?("#{banned_class_or_module_name}::")
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def classes_and_modules_banned_for_reopening
|
|
30
|
+
@classes_and_modules_banned_for_reopening ||= Console1984.protections_config.validations[:forbidden_reopening]
|
|
31
|
+
end
|
|
15
32
|
end
|
|
@@ -25,7 +25,7 @@ module Console1984::Ext::Core::Object
|
|
|
25
25
|
# See the list +forbidden_reopening+ in +config/command_protections.yml+.
|
|
26
26
|
Console1984.command_executor.validate_command("class #{arguments.first}; end")
|
|
27
27
|
super
|
|
28
|
-
rescue Console1984::Errors::
|
|
28
|
+
rescue Console1984::Errors::ForbiddenCommandAttempted
|
|
29
29
|
raise
|
|
30
30
|
rescue StandardError
|
|
31
31
|
super
|
|
@@ -39,7 +39,7 @@ module Console1984::Freezeable
|
|
|
39
39
|
private
|
|
40
40
|
def prevent_sensitive_method(method_name)
|
|
41
41
|
define_method method_name do |*arguments|
|
|
42
|
-
raise Console1984::Errors::
|
|
42
|
+
raise Console1984::Errors::ForbiddenCommandAttempted, "You can't invoke #{method_name} on #{self}"
|
|
43
43
|
end
|
|
44
44
|
end
|
|
45
45
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
class Console1984::ProtectionsConfig
|
|
2
2
|
include Console1984::Freezeable
|
|
3
3
|
|
|
4
|
-
delegate :
|
|
4
|
+
delegate :validations, to: :instance
|
|
5
5
|
|
|
6
6
|
attr_reader :config
|
|
7
7
|
|
|
@@ -9,7 +9,7 @@ class Console1984::ProtectionsConfig
|
|
|
9
9
|
@config = config
|
|
10
10
|
end
|
|
11
11
|
|
|
12
|
-
%i[
|
|
12
|
+
%i[ validations forbidden_methods ].each do |method_name|
|
|
13
13
|
define_method method_name do
|
|
14
14
|
config[method_name].symbolize_keys
|
|
15
15
|
end
|
|
@@ -3,22 +3,20 @@ class Console1984::Shield::MethodInvocationShell
|
|
|
3
3
|
include Console1984::Freezeable
|
|
4
4
|
|
|
5
5
|
class << self
|
|
6
|
-
def install_for(
|
|
7
|
-
Array(
|
|
8
|
-
Array(config[:system]).each { |invocation| self.new(invocation, only_for_user_commands: false).prevent_methods_invocation }
|
|
6
|
+
def install_for(invocations)
|
|
7
|
+
Array(invocations).each { |invocation| self.new(invocation).prevent_methods_invocation }
|
|
9
8
|
end
|
|
10
9
|
end
|
|
11
10
|
|
|
12
11
|
attr_reader :class_name, :methods, :only_for_user_commands
|
|
13
12
|
|
|
14
|
-
def initialize(invocation
|
|
13
|
+
def initialize(invocation)
|
|
15
14
|
@class_name, methods = invocation.to_a
|
|
16
15
|
@methods = Array(methods)
|
|
17
|
-
@only_for_user_commands = only_for_user_commands
|
|
18
16
|
end
|
|
19
17
|
|
|
20
18
|
def prevent_methods_invocation
|
|
21
|
-
class_name.constantize.prepend build_protection_module
|
|
19
|
+
class_name.to_s.constantize.prepend build_protection_module
|
|
22
20
|
end
|
|
23
21
|
|
|
24
22
|
def build_protection_module
|
|
@@ -37,12 +35,8 @@ class Console1984::Shield::MethodInvocationShell
|
|
|
37
35
|
def protected_method_invocation_source_for(method)
|
|
38
36
|
<<~RUBY
|
|
39
37
|
def #{method}(*args)
|
|
40
|
-
if
|
|
41
|
-
|
|
42
|
-
break if !(line =~ /console1984\\/lib/ || line_from_irb)
|
|
43
|
-
line_from_irb
|
|
44
|
-
end
|
|
45
|
-
raise Console1984::Errors::ForbiddenCommand
|
|
38
|
+
if Console1984.command_executor.from_irb?(caller)
|
|
39
|
+
raise Console1984::Errors::ForbiddenCommandAttempted
|
|
46
40
|
else
|
|
47
41
|
super
|
|
48
42
|
end
|
data/lib/console1984/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: console1984
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jorge Manrubia
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-09-
|
|
11
|
+
date: 2021-09-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: colorize
|