immunio 0.15.2

data/lib/immunio/plugins/io.rb

@@ -0,0 +1,96 @@
+require_relative '../context'
+
+module Immunio
+  module IOHooks
+
+    def self.inject(mod, name, methods)
+      mod.class_eval <<-EOF
+        def self.extended(base)                                        # def self.extended(base)
+          #{methods.inspect}.each do |method|                          #   ["read", "binread"].each do |method|
+            base.singleton_class.alias_method_chain method, :immunio   #     base.singleton_class.alias_method_chain method, :immunio
+          end                                                          #   end
+        end                                                            # end
+
+        def self.included(base)                                        # def self.included(base)
+          #{methods.inspect}.each do |method|                          #   ["read", "binread"].each do |method|
+            base.alias_method_chain method, :immunio                   #     base.alias_method_chain method, :immunio
+          end                                                          #   end
+        end                                                            # end
+      EOF
+      Immunio.logger.debug "IO: successfully chained #{name} #{methods}"
+      methods.each do |method|
+        mod.class_eval <<-EOF
+          def #{method}_with_immunio(*args, &block)                    # def read_with_immunio(*args, &block)
+            Request.time "plugin", "IO::#{method}" do                  #
+              strict_context, loose_context, stack, loose_stack = Immunio::Context.context()
+              Immunio.run_hook! "io", "file_io",                       #   Immunio.run_hook! "io", "open",
+                              method: "#{name}#{method}",              #      open_method: "IO.read",
+                              parameters: args,                        #      parameters: args
+                              stack: loose_stack,                      #
+                              context_key: loose_context,              #
+                              cwd: Dir.pwd
+              Request.pause "plugin", "IO::#{method}" do               #
+                #{method}_without_immunio(*args, &block)               #   read_without_immunio(*args, &block)
+              end
+            end
+          end                                                          # end
+        EOF
+        Immunio.logger.debug "IO: successfully created hook for #{name} #{method}"
+      end
+    end
+  end
+
+  module IOClassHooks
+    IOHooks.inject self, "IO.", %w( read write binread binwrite readlines sysopen copy_stream popen )
+  end
+  Immunio.logger.debug "IO: IOClassHooks created: #{IOClassHooks}"
+
+  module KernelModuleHooks
+    # exec() is not included currently as it replaces the running process
+    # and would never get primed correctly
+    IOHooks.inject self, "Kernel.", %w( open system spawn )
+
+    # Special handling for hooking the backtick character
+    # In *theory* this could be rolled into self.inject above.
+    # In practice it's fugly and breaks the world.
+    Kernel.class_eval <<-EOF
+      define_method :backtick_with_immunio do |cmd|
+        Request.time "plugin", "Shell::backtick" do
+          strict_context, loose_context, stack, loose_stack = Immunio::Context.context()
+          Immunio.run_hook! "io", "file_io",
+                          method: "Kernel.backtick",
+                          parameters: [cmd],
+                          stack: loose_stack,
+                          context_key: loose_context,
+                          cwd: Dir.pwd
+          Request.pause "plugin", "Shell::backtick" do
+            Kernel.send(:backtick_without_immunio, cmd)
+          end
+        end
+      end
+    EOF
+    Kernel.send :alias_method, :backtick_without_immunio, :`
+    Kernel.send :alias_method, :`, :backtick_with_immunio
+  end
+  Immunio.logger.debug "Shell: KernelModuleHooks created: #{KernelModuleHooks}"
+
+  module FileClassHooks
+    IOHooks.inject self, "File.", %w( new open )
+  end
+  Immunio.logger.debug "IO: FileClassHooks created: #{FileClassHooks}"
+end
+
+# Add FileIO hooks if enabled
+if Immunio.agent.plugin_enabled?("file_io")
+  IO.extend Immunio::IOClassHooks
+  File.extend Immunio::FileClassHooks
+  Immunio.logger.debug "IO: All hooks installed."
+end
+
+# Add Kernel hooks if enabled
+if Immunio.agent.plugin_enabled?("shell_command")
+  # Both are necessary to hook calling both Kernel.open() and open() etc.
+  Kernel.send :include, Immunio::KernelModuleHooks
+  Kernel.extend Immunio::KernelModuleHooks
+  Immunio.logger.debug "Shell: All hooks installed."
+end

data/lib/immunio/plugins/redirect.rb

@@ -0,0 +1,42 @@
+require_relative '../context'
+
+module Immunio
+  module RedirectHook
+    extend ActiveSupport::Concern
+
+    included do
+      alias_method_chain :redirect_to, :immunio if method_defined? :redirect_to
+    end
+
+    protected
+      def redirect_to_with_immunio(options = {}, response_status = {})
+        Immunio.logger.debug "ActiveSupport checking redirect."
+        Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
+          # redirect_to excepts a variety of argument types
+          # but the only one that creates a absolute URL redirect
+          # is a string, so we only call the hook in that case.
+          # However we have to call Proc arguments to determine
+          # if they return a string...
+          loptions = options
+          if loptions.is_a? Proc then
+            loptions = loptions.call
+          end
+          if loptions.is_a? String then
+            strict_context, loose_context, stack, loose_stack = Immunio::Context.context() # rubocop:disable Lint/UselessAssignment
+            Immunio.run_hook! "redirect", "framework_redirect",
+                              destination_url: loptions,
+                              context_key: loose_context,
+                              stack: loose_stack
+          end
+          Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
+            redirect_to_without_immunio( options, response_status )
+          end
+        end
+      end
+  end
+end
+
+if Immunio::agent.plugin_enabled?("redirect") then
+  ActionController::Base.send :include, Immunio::RedirectHook
+  Immunio.logger.debug "Redirect: All hooks installed."
+end

data/lib/immunio/plugins/warden.rb

@@ -0,0 +1,66 @@
+# Register callbacks to Warden (https://github.com/hassox/warden), the backend of Devise.
+
+begin
+  require "warden"
+rescue LoadError # rubocop:disable Lint/HandleExceptions
+  # Ignore
+end
+
+if defined?(Warden)
+  Warden::Manager.after_authentication do |user|
+    Immunio::Request.time "plugin", "Warden::Manager.after_authentication" do
+      Immunio.logger.debug "Warden instrumentation fired for after_authentication"
+      Immunio.login user_record: user, plugin: "warden"
+    end
+  end
+
+  Warden::Manager.before_failure do |env|
+    Immunio::Request.time "plugin", "Warden::Manager.before_failure" do
+      info = {plugin: "warden"}
+
+      # Devise uses these specific form fields for authentication by default
+      [:username, :email].each do |attr|
+        value = env.fetch("rack.request.form_hash", {}).fetch("user", {})[attr.to_s]
+        info[attr] = value if value
+      end
+
+      Immunio.logger.debug "Warden instrumentation fired for before_failure"
+      Immunio.failed_login info
+    end
+  end
+
+  Warden::Manager.after_set_user do |user|
+    Immunio::Request.time "plugin", "Warden::Manager.after_set_user" do
+      Immunio.logger.debug "Warden instrumentation fired for after_set_user"
+      Immunio.set_user user_record: user, plugin: "warden"
+    end
+  end
+
+  Warden::Manager.before_logout do |user|
+    Immunio::Request.time "plugin", "Warden::Manager.before_logout" do
+      Immunio.logger.debug "Warden instrumentation fired for before_logout"
+      Immunio.logout user_record: user, plugin: "warden"
+    end
+  end
+
+  # Force lookup of user info for all requests.
+  module Immunio
+    class WardenUserCaller
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
+          # This will end up calling Warden::Manager.after_set_user above if
+          # a valid session associated with a user is seen.
+          env['warden'].user
+
+          Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
+            @app.call(env)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/immunio/processor.rb

@@ -0,0 +1,234 @@
+require_relative "request"
+require_relative "vm"
+
+module Immunio
+  class Processor
+    attr_accessor :environment # Holds environment info for next channel transmission
+
+    def initialize(channel, vmfactory, options)
+      @channel = channel
+      @vmfactory = vmfactory
+
+      @dev_mode = options.fetch(:dev_mode, false)
+      @debug_mode = options.fetch(:debug_mode, false)
+      @log_timings = options.fetch(:log_timings, false)
+
+      # This hash is not in sync with the one in the VM. It is sent to the VM on initialization.
+      @serverdata = {}
+
+      # List of hook handlers. hook => Lua function.
+      # Stored in the request on first execution.
+      @hook_handlers = {}
+
+      @timings = Hash.new do |timings, type|
+        timings[type] = Hash.new do |type_timings, name|
+          type_timings[name] = {
+            "total_duration" => 0,
+            "count" => 0
+          }
+        end
+      end
+      @timings_mutex = Mutex.new
+
+      # Package up aggregated timings to send to backend
+      @channel.on_sending do
+        @timings_mutex.synchronize do
+          Immunio.logger.debug {"Aggregated timings since last agentmanager transmission: #{@timings}"}
+          timings = @timings.clone
+          @timings.clear
+
+          { timings: timings }.tap do |info|
+            next unless @environment
+            Immunio.logger.debug {"Reporting environment info: #{@environment}"}
+            info[:environment] = @environment
+            @environment = nil
+          end
+        end
+      end
+
+      puts "[IMMUNIO] Dev mode activated!" if @dev_mode
+    end
+
+    def new_request(request)
+      # Start channel on first request
+      @channel.start unless @channel.started?
+
+      # Wait until we've received all the hooks before continuing (if
+      # ready_timeout is set)
+      @channel.wait_until_ready!
+
+      ActiveSupport::Notifications.publish "immunio.new_request", request
+
+      # Don't process request unless channel is ready (meaning we've loaded all
+      # the hooks) or we're in dev_mode and hooks are loaded from files
+      Request.current = request if (@channel.ready? || @dev_mode)
+    end
+
+    def aggregate_timings(timings)
+      log_pieces = []
+      log_pieces << "\nTimings for request (in ms):" if @log_timings
+
+      request_total = timings["request"]["total"][:total_duration]
+      log_pieces << "\tTotal request time: #{request_total}" if @log_timings
+
+      @timings_mutex.synchronize do
+        timings.each do |type, type_timings|
+          log_pieces << "\tType: #{type}" if @log_timings && type != "request"
+
+          type_total = 0
+          type_timings.each do |name, timing|
+            if @log_timings && type != "request"
+              log_pieces << "\t\t#{name}: #{timing[:total_duration]} (#{timing[:count]})"
+            end
+
+            @timings[type][name]["total_duration"] += timing[:total_duration]
+            @timings[type][name]["count"] += timing[:count]
+
+            type_total += timing[:total_duration]
+          end
+
+          if @log_timings && type != "request"
+            log_pieces << "\tTotal time for type #{type}: #{type_total.round(3)}/#{request_total}"
+          end
+        end
+      end
+
+      Immunio.logger.info { log_pieces.join("\n") } if @log_timings
+    end
+
+    def finish_request
+      request = Request.current
+      if request
+        Immunio.logger.debug "Finishing request #{request.id}"
+        aggregate_timings(request.timings)
+        ActiveSupport::Notifications.publish "immunio.finish_request", request
+        @channel.send_encoded_message request.encode if request.should_report?
+      end
+    rescue StandardError => e
+      log_and_send_error e, "Error finishing request", request_id: request.try(:id)
+    ensure
+      Request.current = nil
+    end
+
+    # Run the `hook` and return a hash eg.: `{ "allow": true }`.
+    def run_hook(plugin, hook, meta={})
+      request = Request.current
+
+      # Hooks called outside of a request are ignored since they are triggered while the framework is loaded.
+      return {} unless request
+
+      # Notify about the hook. This has no perf cost if there are no subscribers.
+      # Used to test and debug the agent in the test Rails apps.
+      ActiveSupport::Notifications.publish "immunio.hook", plugin, hook, meta
+
+      timestamp = Time.now.utc.iso8601(6)
+
+      # The VM & handlers are changed on code update.
+      # So we ensure the request uses the same VM & hook handlers for all hooks.
+      request.vm ||= @vmfactory.new_vm
+
+      # If there is no registered handler, just log the hook and return.
+      unless request.vm.has_function? hook
+        Immunio.logger.debug "No hook code for '#{hook}' to run for request #{request.id}"
+        return {}
+      end
+
+      # Converts the request data to a Lua table to speedup future calls.
+      request.data = request.vm.create_object(request.data)
+
+      globals = {
+        "agent_type" => AGENT_TYPE,
+        "agent_version" => VERSION,
+        "timestamp" => timestamp,
+        "plugin" => plugin,
+        "hook" => hook,
+        "meta" => meta,
+        "request" => request.data,
+      }
+
+      begin
+        Immunio.logger.debug "Running #{hook} hook for request #{request.id} with global values: #{globals}"
+      rescue Encoding::CompatibilityError
+        Immunio.logger.debug "Running #{hook} hook for request #{request.id} (can't log global values due to encoding incompatibility)"
+      end
+
+      # Run the hook code in the VM and time the execution.
+      result = Request.time "hook", hook do
+        request.vm.call hook, globals
+      end
+
+      # result.to_h can be expensive, so put it in a block so it only runs when needed
+      begin
+        Immunio.logger.debug { "Result from #{hook} hook: #{result ? result.to_h : {}}" }
+      rescue Encoding::CompatibilityError
+        Immunio.logger.debug { "Result from #{hook} hook: (can't log result due to encoding incompatibility)" }
+      end
+
+      result || {}
+
+    # Previosuly this only caught VMErrors, however other exceptions can cause 500s
+    # so to be on the safe side make sure we catch anything raised within the VM call --ol
+    rescue StandardError => e
+      # Log and discard VM errors
+
+      # Some versions of rails, like 4.2.0, fail to JSONify some objects properly.
+      safe_meta = {}
+      meta.each do |key, value|
+        if value.is_a?(Numeric) || value.is_a?(String) || value.is_a?(TrueClass) || value.is_a?(FalseClass)
+          safe_meta[key] = value
+        else
+          safe_meta[key] = value.inspect
+        end
+      end
+
+      log_and_send_error e, "Error running hook #{hook}",
+                         request_id: request.id,
+                         timestamp: timestamp,
+                         plugin: plugin,
+                         hook: hook,
+                         meta: safe_meta,
+                         vmcode_version: request.vm.code_version,
+                         vmdata_version: request.vm.data_version
+
+      {} # Return empty result.
+    end
+
+    # Run the hook and raise a RequestBlocked error if the request should be blocked.
+    def run_hook!(*args)
+      result = run_hook(*args)
+
+      # Raise if not allowed (default to allow)
+      if !result.fetch("allow", true)
+        Immunio.logger.debug "Blocking request due to hook response"
+        raise RequestBlocked, "The request was blocked by the Immunio agent"
+      end
+
+      # Check result for a response override.
+      if result.has_key?(:override_status)
+        raise OverrideResponse.new(result.fetch(:override_status), result.fetch(:override_headers, []), result.fetch(:override_body, ""))
+      end
+
+      result
+    end
+
+    def log_and_send_error(e, message="Error", info={})
+      Immunio.logger.warn "#{message}: #{e.message}"
+      Immunio.logger.warn "Stack: #{e.backtrace}"
+
+      # Re-raise in dev mode before we send it to the backend.
+      raise e if @dev_mode
+
+      default_info = {
+        type: "engine.exception",
+        exception: e.message,
+        traceback: e.backtrace,
+        agent_version: Immunio::VERSION
+      }
+
+      @channel.send_message default_info.merge(info)
+
+      # Re-raise error in test mode so we know when something is broken in hook handlers.
+      raise e if Rails.env.test?
+    end
+  end
+end

data/lib/immunio/rails.rb

@@ -0,0 +1,26 @@
+require_relative "plugins/exception_handler"
+require_relative "plugins/environment_reporter"
+require_relative "plugins/gems_tracker"
+require_relative "plugins/http_finisher"
+require_relative "plugins/http_tracker"
+require_relative "plugins/warden"
+
+module Immunio
+  class Engine < ::Rails::Engine
+    config.app_middleware.insert 0, HTTPFinisher
+    config.app_middleware.insert_before ActionDispatch::ShowExceptions, HTTPTracker
+    config.app_middleware.insert_after ActionDispatch::DebugExceptions, ExceptionHandler
+    config.app_middleware.insert_after Warden::Manager, WardenUserCaller if defined? Warden::Manager
+    config.app_middleware.use EnvironmentReporter
+
+    config.action_dispatch.rescue_responses.merge!('Immunio::RequestBlocked' => :forbidden)
+
+    if Immunio::agent.plugin_enabled?("sqli") then
+      initializer "immunio.active_record", after: "active_record.initialize_database" do
+        ActiveSupport.on_load(:active_record) do
+          require_relative "plugins/active_record"
+        end
+      end
+    end
+  end
+end