console1984 0.1.8 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc64d037f2de5570292e0b09710b4543a68ba1af12759150cc68e7b7f4dd6e16
-  data.tar.gz: c5929af5061393a32c4df38022535d53c62aaaabe951727798e340322fb0d950
+  metadata.gz: 2f1312b244e339b0196d4baa80fc989ed3871cd722f166a278f4877ca1dee4da
+  data.tar.gz: a66ab76f426a50cb99c4de2223d420c9d2d246b5dd0a6ec8f1712deca56244f9
 SHA512:
-  metadata.gz: b64f422bcdd421e7a874af965c9ee615f6d873e0d2a685d68667216fd1ee91d4e8e4815d4dd9e78ef7838a75763fb898be1f328c8466a137f1782a4121531da6
-  data.tar.gz: ce7e1f60bfdb666abe3c85a02ddaa1ac25344c994a1471ec64d07cd15f8aac5735bcd0608497e71d9813cf111cdb76f414a2373eb8dbef14b983757ba3876812
+  metadata.gz: d46797d8751dde38fccb25fef4e86e3a8ee42b17251d932e5cbc9ffc381bba2bd42c2a946ce8e7e867ff8e6270700dec73d8425534f52970c87bffbc682365f8
+  data.tar.gz: cd1a43abe5170dfb94a83ed375b8517b4263354ba30a53cb2287f3ffd240ab18984134df79801657fcb07fea1826d6fc3f978f6ae752c013ead820330d8e024a

data/config/protections.yml

@@ -1,12 +1,14 @@
-static_validations:
+validations:
   forbidden_reopening:
     - ActiveRecord
     - Console1984
     - PG
     - Mysql2
+    - IRB
   forbidden_constant_reference:
     always:
       - Console1984
+      - IRB
     protected:
       - PG
       - Mysql2
@@ -16,15 +18,14 @@ static_validations:
     - Console1984
     - secret
     - credentials
+    - irb
 forbidden_methods:
-  always:
-  user:
-    Kernel:
-      - eval
-    Object:
-      - eval
-    BasicObject:
-      - eval
-      - instance_eval
-    Module:
-      - class_eval
+  Kernel:
+    - eval
+  Object:
+    - eval
+  BasicObject:
+    - eval
+    - instance_eval
+  Module:
+    - class_eval

data/lib/console1984/command_executor.rb

@@ -19,11 +19,15 @@ class Console1984::CommandExecutor
     run_as_system { session_logger.before_executing commands }
     validate_command commands
     execute_in_protected_mode(&block)
-  rescue Console1984::Errors::ForbiddenCommand, FrozenError => e
+  rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError
     flag_suspicious(commands)
-  rescue Console1984::Errors::SuspiciousCommand
+  rescue Console1984::Errors::SuspiciousCommandAttempted
     flag_suspicious(commands)
     execute_in_protected_mode(&block)
+  rescue Console1984::Errors::ForbiddenCommandExecuted
+    # We detected that a forbidden command was executed. We exit IRB right away.
+    flag_suspicious(commands)
+    Console1984.supervisor.exit_irb
   ensure
     run_as_system { session_logger.after_executing commands }
   end
@@ -65,13 +69,21 @@ class Console1984::CommandExecutor
     command_validator.validate(command)
   end
 
+  def from_irb?(backtrace)
+    executing_user_command? && backtrace.find do |line|
+      line_from_irb = line =~ /^[^\/]/
+      break if !(line =~ /console1984\/lib/ || line_from_irb)
+      line_from_irb
+    end
+  end
+
   private
     def command_validator
       @command_validator ||= build_command_validator
     end
 
     def build_command_validator
-      Console1984::CommandValidator.from_config(Console1984.protections_config.static_validations)
+      Console1984::CommandValidator.from_config(Console1984.protections_config.validations)
     end
 
     def flag_suspicious(commands)

data/lib/console1984/command_validator/forbidden_constant_reference_validation.rb

@@ -14,11 +14,11 @@ class Console1984::CommandValidator::ForbiddenConstantReferenceValidation
     @constant_names_forbidden_in_protected_mode = config[:protected] || []
   end
 
-  # Raises a Console1984::Errors::ForbiddenCommand if a banned constant is referenced.
+  # Raises a Console1984::Errors::ForbiddenCommandAttempted if a banned constant is referenced.
   def validate(parsed_command)
     if contains_invalid_const_reference?(parsed_command, @forbidden_constants_names) ||
       (@shield.protected_mode? && contains_invalid_const_reference?(parsed_command, @constant_names_forbidden_in_protected_mode))
-      raise Console1984::Errors::ForbiddenCommand
+      raise Console1984::Errors::ForbiddenCommandAttempted
     end
   end
 

data/lib/console1984/command_validator/forbidden_reopening_validation.rb

@@ -8,11 +8,11 @@ class Console1984::CommandValidator::ForbiddenReopeningValidation
     @banned_class_or_module_names = banned_classes_or_modules.collect(&:to_s)
   end
 
-  # Raises a Console1984::Errors::ForbiddenCommand if an banned class or module reopening
+  # Raises a Console1984::Errors::ForbiddenCommandAttempted if an banned class or module reopening
   # is detected.
   def validate(parsed_command)
     if contains_invalid_class_or_module_declaration?(parsed_command)
-      raise Console1984::Errors::ForbiddenCommand
+      raise Console1984::Errors::ForbiddenCommandAttempted
     end
   end
 

data/lib/console1984/command_validator/parsed_command.rb

@@ -76,7 +76,7 @@ class Console1984::CommandValidator::ParsedCommand
 
       def on_casgn(node)
         super
-        scope_node, name, value_node = *node
+        _scope_node, name, value_node = *node
         @constant_assignments.push(*extract_constants(value_node))
       end
 

data/lib/console1984/command_validator/suspicious_terms_validation.rb

@@ -9,7 +9,7 @@ class Console1984::CommandValidator::SuspiciousTermsValidation
   # Raises a Console1984::Errors::SuspiciousCommand if the term is referenced.
   def validate(parsed_command)
     if contains_suspicious_term?(parsed_command)
-      raise Console1984::Errors::SuspiciousCommand
+      raise Console1984::Errors::SuspiciousCommandAttempted
     end
   end
 

data/lib/console1984/command_validator.rb

@@ -5,7 +5,7 @@
 #
 # The validation itself happens as a chain of validation objects. The system will invoke
 # each validation in order. Validations will raise an error if the validation fails (typically
-# a Console1984::Errors::ForbiddenCommand or Console1984::Errors::SuspiciousCommands).
+# a Console1984::Errors::ForbiddenCommandAttempted or Console1984::Errors::SuspiciousCommands).
 #
 # Internally, validations will receive a Console1984::CommandValidator::ParsedCommand object. This
 # exposes parsed constructs in addition to the raw strings so that validations can use those.

data/lib/console1984/errors.rb

@@ -10,11 +10,15 @@ module Console1984
 
     # Attempt to execute a command that is not allowed. The system won't
     # execute such commands and will flag them as sensitive.
-    class ForbiddenCommand < StandardError; end
+    class ForbiddenCommandAttempted < StandardError; end
 
     # A suspicious command was executed. The command will be flagged but the system
     # will let it run.
-    class SuspiciousCommand < StandardError; end
+    class SuspiciousCommandAttempted < StandardError; end
+
+    # A forbidden command was executed. The system will flag the command
+    # and exit.
+    class ForbiddenCommandExecuted < StandardError; end
 
     # Attempt to incinerate a session ahead of time as determined by
     # +config.console1984.incinerate_after+.

data/lib/console1984/ext/active_record/protected_auditable_tables.rb

@@ -6,7 +6,7 @@ module Console1984::Ext::ActiveRecord::ProtectedAuditableTables
     define_method method do |*args, **kwargs|
       sql = args.first
       if Console1984.command_executor.executing_user_command? && sql =~ auditable_tables_regexp
-        raise Console1984::Errors::ForbiddenCommand, "#{sql}"
+        raise Console1984::Errors::ForbiddenCommandAttempted, "#{sql}"
       else
         super(*args, **kwargs)
       end

data/lib/console1984/ext/core/module.rb

@@ -7,9 +7,26 @@ module Console1984::Ext::Core::Module
 
   def instance_eval(*)
     if Console1984.command_executor.executing_user_command?
-      raise Console1984::Errors::ForbiddenCommand
+      raise Console1984::Errors::ForbiddenCommandAttempted
     else
       super
     end
   end
+
+  def method_added(method)
+    if Console1984.command_executor.from_irb?(caller) && banned_for_reopening?
+      raise Console1984::Errors::ForbiddenCommandExecuted, "Trying to add method `#{method}` to #{self.name}"
+    end
+  end
+
+  private
+    def banned_for_reopening?
+      classes_and_modules_banned_for_reopening.find do |banned_class_or_module_name|
+        "#{self.name}::".start_with?("#{banned_class_or_module_name}::")
+      end
+    end
+
+    def classes_and_modules_banned_for_reopening
+      @classes_and_modules_banned_for_reopening ||= Console1984.protections_config.validations[:forbidden_reopening]
+    end
 end

data/lib/console1984/ext/core/object.rb

@@ -25,7 +25,7 @@ module Console1984::Ext::Core::Object
           # See the list +forbidden_reopening+ in +config/command_protections.yml+.
           Console1984.command_executor.validate_command("class #{arguments.first}; end")
           super
-        rescue Console1984::Errors::ForbiddenCommand
+        rescue Console1984::Errors::ForbiddenCommandAttempted
           raise
         rescue StandardError
           super

data/lib/console1984/freezeable.rb

@@ -39,7 +39,7 @@ module Console1984::Freezeable
     private
       def prevent_sensitive_method(method_name)
         define_method method_name do |*arguments|
-          raise Console1984::Errors::ForbiddenCommand, "You can't invoke #{method_name} on #{self}"
+          raise Console1984::Errors::ForbiddenCommandAttempted, "You can't invoke #{method_name} on #{self}"
         end
       end
   end

data/lib/console1984/protections_config.rb

@@ -1,7 +1,7 @@
 class Console1984::ProtectionsConfig
   include Console1984::Freezeable
 
-  delegate :static_validations, to: :instance
+  delegate :validations, to: :instance
 
   attr_reader :config
 
@@ -9,7 +9,7 @@ class Console1984::ProtectionsConfig
     @config = config
   end
 
-  %i[ static_validations forbidden_methods ].each do |method_name|
+  %i[ validations forbidden_methods ].each do |method_name|
     define_method method_name do
       config[method_name].symbolize_keys
     end

data/lib/console1984/refrigerator.rb

@@ -26,7 +26,3 @@ class Console1984::Refrigerator
       Console1984.class_loader.eager_load
     end
 end
-
-class Parser::Ruby27
-  include Console1984::Freezeable
-end

data/lib/console1984/shield/method_invocation_shell.rb

@@ -3,22 +3,20 @@ class Console1984::Shield::MethodInvocationShell
   include Console1984::Freezeable
 
   class << self
-    def install_for(config)
-      Array(config[:user]).each { |invocation| self.new(invocation, only_for_user_commands: true).prevent_methods_invocation }
-      Array(config[:system]).each { |invocation| self.new(invocation, only_for_user_commands: false).prevent_methods_invocation }
+    def install_for(invocations)
+      Array(invocations).each { |invocation| self.new(invocation).prevent_methods_invocation }
     end
   end
 
   attr_reader :class_name, :methods, :only_for_user_commands
 
-  def initialize(invocation, only_for_user_commands:)
+  def initialize(invocation)
     @class_name, methods = invocation.to_a
     @methods = Array(methods)
-    @only_for_user_commands = only_for_user_commands
   end
 
   def prevent_methods_invocation
-    class_name.constantize.prepend build_protection_module
+    class_name.to_s.constantize.prepend build_protection_module
   end
 
   def build_protection_module
@@ -37,12 +35,8 @@ class Console1984::Shield::MethodInvocationShell
   def protected_method_invocation_source_for(method)
     <<~RUBY
       def #{method}(*args)
-        if (!#{only_for_user_commands} || Console1984.command_executor.executing_user_command?) && caller.find do |line|
-            line_from_irb = line =~ /^[^\\/]/
-            break if !(line =~ /console1984\\/lib/ || line_from_irb)
-            line_from_irb
-          end
-          raise Console1984::Errors::ForbiddenCommand
+        if Console1984.command_executor.from_irb?(caller)
+          raise Console1984::Errors::ForbiddenCommandAttempted
         else
           super
         end

data/lib/console1984/supervisor.rb

@@ -30,6 +30,11 @@ class Console1984::Supervisor
     stop_session
   end
 
+  def exit_irb
+    stop
+    IRB.CurrentContext.exit
+  end
+
   private
     def require_dependencies
       Kernel.silence_warnings do

data/lib/console1984/version.rb

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.8'
+  VERSION = '0.1.9'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-05 00:00:00.000000000 Z
+date: 2021-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize