immunio 0.15.2

data/lua-hooks/lib/boot.lua

@@ -0,0 +1,254 @@
+-- This file is executed when the Lua VM boots.
+require 'encode'
+
+-- This is required to make lexers load from test harness.
+-- In VM the path is handled for us by vm.rb --ol
+lexer_path='lib/lexers/?.lua'
+package.path = package.path..';'..lexer_path
+
+-- Define the environment available to code executing in the VM.
+-- All available functions must be declared here.
+-- Make sure the function is safe before adding it here.
+-- See http://lua-users.org/wiki/SandBoxes
+SANDBOX_ENV = {
+  -- Lua libs
+  ipairs = ipairs,
+  next = next,
+  pairs = pairs,
+  pcall = pcall,
+  tonumber = tonumber,
+  tostring = tostring,
+  type = type,
+  unpack = unpack,
+  assert = assert,
+  error = error,
+  getmetatable = getmetatable,
+  setmetatable = setmetatable,
+  rawget = rawget,
+  rawset = rawset,
+  collectgarbage = collectgarbage,
+  math = math,
+  string = string,
+  bit = {
+    band = bit.band,
+    extract = bit.extract,
+    bor = bit.bor,
+    bnot = bit.bnot,
+    arshift = bit.arshift,
+    rshift = bit.rshift,
+    rrotate = bit.rrotate,
+    replace = bit.replace,
+    lshift = bit.lshift,
+    lrotate = bit.lrotate,
+    btest = bit.btest,
+    bxor = bit.bxor
+  },
+  coroutine = {
+    create = coroutine.create,
+    resume = coroutine.resume,
+    running = coroutine.running,
+    status = coroutine.status,
+    wrap = coroutine.wrap,
+    yield = coroutine.yield,
+  },
+  debug = {
+    -- Block most debug in sandbox, but allow tracebacks
+    traceback = debug.traceback
+  },
+  select = select,
+  utf8 = {
+    byte = utf8.byte,
+    char = utf8.char,
+    find = utf8.find,
+    format = utf8.format,
+    gmatch = utf8.gmatch,
+    gsub = utf8.gsub,
+    len = utf8.len,
+    lower = utf8.lower,
+    match = utf8.match,
+    rep = utf8.rep,
+    reverse = utf8.reverse,
+    sub = utf8.sub,
+    upper = utf8.upper,
+    split = utf8.split,
+    escape = utf8.escape,
+    charpos = utf8.charpos,
+    insert = utf8.insert,
+    remove = utf8.remove,
+    next = utf8.next,
+    ncasecmp = utf8.ncasecmp,
+  },
+  table = {
+    insert = table.insert,
+    maxn = table.maxn,
+    remove = table.remove,
+    sort = table.sort,
+    map = table.map,
+    reduce = table.reduce,
+    length = table.length,
+    concat = table.concat,
+  },
+  libinjection = {
+    sqli = libinjection.sqli,
+    fingerprint = libinjection.fingerprint,
+    xss = libinjection.xss,
+    sqli_tokenize = libinjection.sqli_tokenize
+  },
+  -- LPeg Library
+  lpeg = {
+    ptree = lpeg.ptree,
+    pcode = lpeg.pcode,
+    match = lpeg.match,
+    B = lpeg.B,
+    V = lpeg.V,
+    C = lpeg.C,
+    Cc = lpeg.Cc,
+    Cmt = lpeg.Cmt,
+    Cb = lpeg.Cb,
+    Carg = lpeg.Carg,
+    Cp = lpeg.Cp,
+    Cs = lpeg.Cs,
+    Ct = lpeg.Ct,
+    Cf = lpeg.Cf,
+    Cg = lpeg.Cg,
+    P = lpeg.P,
+    S = lpeg.S,
+    R = lpeg.R,
+    locale = lpeg.locale,
+    version = lpeg.version,
+    setmaxstack = lpeg.setmaxstack,
+    type = lpeg.type,
+  },
+  -- pre built lexer library
+  -- the call to load here will both load the code
+  -- and compile the LPeg grammar
+  lexers = {
+    lexer = require('lexers/lexer'),
+    bash = require('lexers/lexer').load('bash'), -- bash
+    bash_dqstr = require('lexers/lexer').load('bash_dqstr'),  -- bash strings
+    markers = require('lexers/lexer').load('markers'),
+    html = require('lexers/lexer').load('html'),
+    javascript = require('lexers/lexer').load('javascript'),
+    css = require('lexers/lexer').load('css'),
+  },
+  -- Immunio vars
+  serverdata = {}, -- Default empty serverdata
+  agentdata = {},
+  utils = {}, -- Used to store utility functions declared in the sandbox.
+  -- pass mode flags into the VM
+  DEV_MODE = DEV_MODE,
+  DEBUG_MODE = DEBUG_MODE,
+  LUA_PLATFORM = LUA_PLATFORM or 'unix',
+  IMMUNIO_KEY = IMMUNIO_KEY,
+  IMMUNIO_SECRET = IMMUNIO_SECRET
+}
+
+-- Enable a few more things in dev mode. For debugging.
+if DEBUG_MODE or DEV_MODE then
+  SANDBOX_ENV.print = print
+  SANDBOX_ENV.snapshot = snapshot
+else
+  SANDBOX_ENV.print = function(...) end
+end
+
+
+-- Perform a VM call a method of a lua pseudo-object
+function sandboxed_method_call(method, object, vars)
+  if DEBUG_MODE then
+    SANDBOX_ENV.utils.debug_prefix = "UNKNOWN"
+      -- Change the values here to toggle debugging per module.
+    SANDBOX_ENV.utils.debug_module_prefixes = {
+      UNKNOWN = true,
+      IO = true,
+      SQLi = true,
+      ExceptionHandler = true,
+      Redirect = true,
+      XSS = true,
+      Eval = true,
+    }
+  end
+  -- Merges the vars and the default sandbox env.
+  -- The vars can override the sandbox environment.
+  -- The table is copied to keep data from leaking
+  --   out of the functions.
+  local merged_vars = {}
+  merged_vars._G = merged_vars
+  for k, v in pairs(SANDBOX_ENV) do
+    merged_vars[k] = v
+  end
+
+  if vars then
+    for k, v in pairs(vars) do
+      merged_vars[k] = v
+    end
+  end
+
+  -- XXX Open sandbox in DEBUG_MODE
+  if DEBUG_MODE then
+    merged_vars['__REAL_G'] = _G
+  end
+  -- Sets the environment of the function.
+  setfenv(method, merged_vars)
+  -- Call it!
+  local rval = nil
+  if object then
+    rval = method(object)
+  else
+    rval = method()
+  end
+  -- Hint the lua VM GC that the references held to values in merged_vars don't
+  -- count anymore. If we omit this line the function environment is held onto
+  -- by the GC and we leak the universe... --ol
+  setmetatable( merged_vars, {__mode = "v"} )
+  -- Remove merged_vars from function environment so it can be collected sooner
+  setfenv(method, _G)
+  return rval
+end
+
+-- Function called by the VM to call and sandbox a function.
+function sandboxed_call(func, vars)
+  return sandboxed_method_call(func, nil, vars)
+end
+
+if DEBUG_MODE then
+-- Memory Snapshot Debugger
+  local saved_snapshot = {}
+  function dump_snapshot( label )
+    collectgarbage()
+    collectgarbage()
+    saved_snapshot = snapshot.snapshot()
+    print("------------------------\nSNAPSHOT:\n")
+    if label then print(label) end
+    for k,v in pairs(saved_snapshot) do
+        print( "ALLOCATION:" .. tostring(k):gsub("userdata:", "") .. " " .. v)
+    end
+  end
+
+  function update_snapshot()
+    collectgarbage()
+    collectgarbage()
+    saved_snapshot = snapshot.snapshot()
+  end
+
+  function diff_snapshot( update )
+    collectgarbage()
+    collectgarbage()
+    local S = snapshot.snapshot()
+    output = ("------------------------\nDIFF SNAPSHOT:\n")
+    for k,v in pairs(S) do
+      if saved_snapshot[k] == nil then
+        output = output .. "ALLOCATION:" .. tostring(k):gsub("userdata:", "") .. " " .. v .. "\n"
+
+      end
+    end
+    if update then saved_snapshot = S end
+    return output
+  end
+
+  -- Uncomment for snapshot tracing
+  --snapshot.tron()
+  -- Uncomment to generate a snapshot at boot.
+  --dump_snapshot('BOOT')
+  --snapshot.troff()
+end
+

data/lua-hooks/lib/encode.lua

@@ -0,0 +1,4 @@
+-- Encode a Lua object to be sent to the server.
+function encode(object)
+  return cmsgpack.pack(object)
+end

data/lua-hooks/lib/lexers/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2007-2015 Mitchell
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/lua-hooks/lib/lexers/bash.lua

@@ -0,0 +1,134 @@
+-- Copyright 2006-2015 Mitchell mitchell.att.foicica.com.
+-- Copyright 2015 Immunio, Inc.
+
+-- Shell LPeg lexer.
+
+-- This is based on the lexer from the Scintillua package, with a ot of extension
+-- The goal isn't a complete parser for bash, but a lexer that can extract a useful
+-- amount of structure to detect tampering. The emphasis is more on common injection
+-- techniques and lexical structure than actually extracting properly formed bash
+-- statements. Down the road we may need to go as far as to parse statements, and that
+-- should be possible at the cost of a lot more complexity.
+
+local l = require('lexer')
+local token = l.token
+local P, R, S = lpeg.P, lpeg.R, lpeg.S
+
+local M = {_NAME = 'bash'}
+
+-- Whitespace.
+local ws = token(l.WHITESPACE, l.space^1)
+
+local bash_word = (l.alpha + '_') * (l.alnum + '_' + '\\ ' + '.')^0
+
+
+-- Comments.
+local comment = token(l.COMMENT, '#' * l.nonnewline^0)
+
+-- Strings.
+local sq_str = token('sq_str', l.delimited_range("'", false, true))
+local dq_str = token('dq_str', l.delimited_range('"'))
+local ex_str = token('ex_str', l.delimited_range('`'))
+local heredoc = token('heredoc', '<<' * P(function(input, index)
+  local s, e, _, delimiter =
+    input:find('%-?(["\']?)([%a_][%w_]*)%1[\n\r\f;]+', index)
+  if s == index and delimiter then
+    local _, e = input:find('[\n\r\f]+'..delimiter, e)
+    return e and e + 1 or #input + 1
+  end
+end))
+local bash_string = sq_str + dq_str + ex_str + heredoc
+
+-- Numbers.
+local number = token(l.NUMBER, l.float + l.integer)
+
+-- Keywords.
+local keyword = token(l.KEYWORD, l.word_match({
+  'if', 'then', 'elif', 'else', 'fi', 'case', 'in', 'esac', 'while', 'for',
+  'do', 'done', 'continue', 'local', 'return', 'select',
+-- Operators. These could be split into individual tokens...
+  '-a', '-b', '-c', '-d', '-e', '-f', '-g', '-h', '-k', '-p', '-r', '-s', '-t',
+  '-u', '-w', '-x', '-O', '-G', '-L', '-S', '-N', '-nt', '-ot', '-ef', '-o',
+  '-z', '-n', '-eq', '-ne', '-lt', '-le', '-gt', '-ge'
+}, '-'))
+
+-- Common commands ... this is not exhaustive nor does it need to be.
+local command = token("command", l.word_match({
+  'awk', 'cat', 'cmp', 'cp', 'curl', 'cut', 'date', 'find', 'grep', 'gunzip', 'gvim',
+  'gzip', 'kill', 'lua', 'make', 'mkdir', 'mv', 'php', 'pkill', 'python', 'rm',
+  'rmdir', 'rsync', 'ruby', 'scp', 'sed', 'sleep', 'ssh', 'sudo', 'tar', 'unlink',
+  'wget', 'zip'
+}, '-'))
+
+-- Builtins
+local builtin = token("builtin", l.word_match({
+  'alias', 'bind', 'builtin', 'caller', 'command', 'declare', 'echo', 'enable',
+  'help', 'let', 'local', 'logout', 'mapfile', 'printf', 'read', 'readarray',
+  'source', 'type', 'typeset', 'ulimit', 'unalias',
+}, '-'))
+
+-- Filenames. This is a bit sloppy, but tries to discern filenames from other identifiers
+-- Very much a case of R&D 'suck it and see'
+local filename = token("filename", P('/')^0 * (bash_word + '.') * (
+                                    '/' + bash_word + '.' )^0 * ('.' * bash_word )^0 )
+
+local ip = (l.integer * P('.') * l.integer * P('.') * l.integer * P('.') * l.integer)
+
+local protocol = ((P('https') + 'http' + 'ftp' + 'irc') * '://') + 'mailto:'
+local remainder = ((1-S'\r\n\f\t\v ,."}])') + (S',."}])' * (1-S'\r\n\f\t\v ')))^0
+local url = protocol * remainder
+
+-- Identifiers.
+local identifier = token(l.IDENTIFIER, url + ip + bash_word)
+
+-- Variables.
+local ex_variable = token("ex_variable",
+                          '$' * l.delimited_range('()', true, true))
+
+local variable = token(l.VARIABLE,
+                       '$' * (S('!#?*@$') + l.digit^1 + bash_word +
+                              l.delimited_range('{}', true, true)))
+
+local var = ex_variable + variable
+
+-- Operators. These could be split into individual tokens...
+local operator = token(l.OPERATOR, S('=!<>+-/*^&|~.,:;?()[]{}'))
+
+M._rules = {
+  {'whitespace', ws},
+  {'keyword', keyword},
+  {'builtin', builtin},
+  {'command', command},
+  {'identifier', identifier},
+  {'filename', filename},
+  {'string', bash_string},
+  {'comment', comment},
+  {'number', number},
+  {'variable', var},
+  {'operator', operator},
+}
+
+-- This is the main function for lexing bash data. It recurses and uses
+-- the dqstr sub-lexer instance provided (we don't instantiate it directly
+-- to allow the caller to cache the instance and avoid recompiling the grammar)
+function M.lex_recursive( self, str, bash_dqstr_lexer )
+  local tokens = self:lex(str)
+  for i = 1, #tokens do
+    if tokens[i]['token'] == "ex_str" then
+      tokens[i]['val'] = self:lex_recursive(string.sub(tokens[i]['val'], 2, -2), bash_dqstr_lexer)
+    elseif tokens[i]['token'] == "ex_variable" then
+      tokens[i]['val'] = self:lex_recursive(string.sub(tokens[i]['val'], 3, -2), bash_dqstr_lexer)
+    elseif tokens[i]['token'] == "dq_str" then
+      tokens[i]['val'] =
+        bash_dqstr_lexer:lex_recursive(string.sub(tokens[i]['val'], 2, -2), self)
+    elseif tokens[i]['token'] == "heredoc" then
+      tokens[i]['val'] =
+        bash_dqstr_lexer:lex_recursive(tokens[i]['val'], self)
+    end
+  end
+  return tokens
+end
+
+return M
+
+

data/lua-hooks/lib/lexers/bash_dqstr.lua

@@ -0,0 +1,62 @@
+-- Copyright (C) 2015 Immunio, Inc.
+
+-- Lexer for bash magic double quotes
+
+-- NOTE: not covered by Scintillua MIT license in this directory.
+
+-- While our lexer has the ability to embed this sort of thing as a child of another lexer
+-- I didn't bother here due to the recursion; we need to lex the parent (bash) language
+-- for some tokens which would be very complex at best. It's cleaner to use two lexers
+-- and handle the recursion in higher level lua at a minute performance cost.
+
+local l = require('lexer')
+local token, word_match = l.token, bash_word_match
+local P, R, S = lpeg.P, lpeg.R, lpeg.S
+
+local M = {_NAME = 'bash_dqstr'}
+
+-- Whitespace.
+local ws = token(l.WHITESPACE, l.space^1)
+
+-- Generic token.
+local bash_word = (l.alpha + '_') * (l.alnum + '_' + '\\ ')^0
+
+-- Strings.
+--  Shell substitution.
+local ex_str = token('ex_str', l.delimited_range('`'))
+
+--  Other string data
+local bash_string = token('str_data', (l.any - '$' - '`')^1)
+
+-- Variables.
+--  Shell Substitution.
+local ex_variable = token("ex_variable",
+                          '$' * l.delimited_range('()', true, true))
+--  Other variables
+local variable = token(l.VARIABLE,
+                       '$' * (S('!#?*@$') + l.digit^1 + bash_word +
+                              l.delimited_range('{}', true, true)))
+
+local var = ex_variable + variable
+
+M._rules = {
+  {'variable', var},
+  {'ex_str', ex_str},
+  {'string', bash_string},
+}
+
+function M.lex_recursive( self, str, bash_lexer )
+  local tokens = self:lex(str)
+  for i = 1, #tokens do
+    if tokens[i]['token'] == "ex_str" then
+      tokens[i]['val'] = bash_lexer:lex_recursive(string.sub(tokens[i]['val'], 2, -2), self)
+    elseif tokens[i]['token'] == "ex_variable" then
+      tokens[i]['val'] = bash_lexer:lex_recursive(string.sub(tokens[i]['val'], 3, -2), self)
+    end
+  end
+  return tokens
+end
+
+return M
+
+