immunio 1.0.0 → 1.0.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/lib/immunio/plugins/action_view.rb +23 -17
  3. data/lib/immunio/version.rb +1 -1
  4. data/lua-hooks/Makefile +19 -6
  5. data/lua-hooks/lib/boot.lua +0 -1
  6. metadata +2 -4
  7. data/lib/immunio/plugins/haml.rb +0 -36
  8. data/lua-hooks/lib/lexers/markers.lua +0 -33
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: eed22d9b0d29d87e8588a1ea05cb335844a9c2de
4
- data.tar.gz: 266aabbb71480c97f415e1a37d2fb409819df311
3
+ metadata.gz: 82b5c85531ac725190ae7c039e598236a8279631
4
+ data.tar.gz: 1cf2cf8df3d7d2395b01be335d1e6b735b20b730
5
5
  SHA512:
6
- metadata.gz: abe3ab45685f8a71434bf16b5cbbbb64673cb21c16c85099ad0665b17b78f112e236900e83a1f90c1f54a42ee4d7065ec90fd03f210a8c12949c96c106d48e21
7
- data.tar.gz: 3d21078b9c2e84f2f9885ed96008817ede608d7bab3beba1a9a5c4d0dc5cdd527ea0c92500cac78df7f97e4e07a176a79627f5effa2ed565a3a5a747001cff87
6
+ metadata.gz: 359c0aab9d3c0057cc834c82b31286eeac03a0e6d8b47f4816b722b379d0ff3e4a5e2cb84d430411d2c1e9833da1b459e4d9e82a9c1b42dddc5f9e1f328ef846
7
+ data.tar.gz: 1812771888e04260f9bc31bdfc085c0072e29e1e52232567564653a9510385f015f3fd9f65ebde40661000fe312bdba9156a5b3899fc73321121d406f38840e3
data/lib/immunio/plugins/action_view.rb CHANGED
@@ -85,50 +85,56 @@ module Immunio
85
85
  def mark_var(content, code, template_id, file, line, escape)
86
86
  id = Template.next_var_id
87
87
  nonce = Template.get_nonce
88
- Template.vars[id.to_s] = {
89
- template_sha: template_sha,
90
- template_id: template_id.to_s,
91
- nonce: nonce,
92
- code: wrap_code(code, escape: escape),
93
- file: file,
94
- line: line
95
- }
96
88
 
97
- rval = ""
98
89
  # NOTE: What happens here is pretty funky to preserve the html_safe SafeBuffer behaviour in ruby.
99
90
  # If escaped is true we directly concatenate the content between two SafeBuffers. This will cause
100
91
  # escaping if content is not itself a SafeBuffer.
101
92
  # Otherwise we explicitly convert to a string, and convert that to a SafeBuffer to ensure that
102
93
  # for instance no escaping is performed on the contents of a <%== %> Erubis interpolation.
103
- if escape and not is_text? then
94
+ rendering = if escape && !is_text?
95
+
104
96
  # explicitly convert (w/ escapes) and mark safe things that aren't String (SafeBuffer is_a String also)
105
97
  # `to_s` is used to render any object passed to a template.
106
98
  # It is called internally when appending to ActionView::OutputBuffer.
107
99
  # We force rendering to get the actual string.
108
100
  # This has no impact if `rendered` is already a string.
109
101
  content = content.to_s.html_safe unless content.is_a? String
102
+
110
103
  # As a failsafe, just return the content if it already contains our markers. This can occur when
111
104
  # a helper calls render partial to generate a component of a page. Both render calls are root level
112
105
  # templates from our perspective.
113
106
  if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
114
107
  # don't add markers.
115
108
  Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
116
- rval = content
117
- else
118
- rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
109
+ return content
119
110
  end
111
+
112
+ "{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
120
113
  else
121
114
  content = "" if content.nil?
115
+
122
116
  # See comment above
123
117
  if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
124
118
  # don't add markers.
125
119
  Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
126
- rval = content.html_safe
127
- else
128
- rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
120
+ return content.html_safe
129
121
  end
122
+
123
+ "{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
130
124
  end
131
- rval
125
+
126
+ # If we got here, the interpolation has been wrapped in our markers and we
127
+ # need to record send data about it to the hook
128
+ Template.vars[id.to_s] = {
129
+ template_sha: template_sha,
130
+ template_id: template_id.to_s,
131
+ nonce: nonce,
132
+ code: wrap_code(code, escape: escape),
133
+ file: file,
134
+ line: line
135
+ }
136
+
137
+ rendering
132
138
  end
133
139
 
134
140
  def mark_and_defer_fragment_write(key, content, options)
data/lib/immunio/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module Immunio
2
2
  AGENT_TYPE = "agent-ruby"
3
- VERSION = "1.0.0"
3
+ VERSION = "1.0.1"
4
4
  VM_VERSION = "2.2.0"
5
5
  end
data/lua-hooks/Makefile CHANGED
@@ -1,4 +1,6 @@
1
- CC = gcc
1
+ CROSS =
2
+ CC = $(CROSS)cc
3
+ AR = $(CROSS)ar
2
4
 
3
5
  # Source of extensions compiled w/ Lua's source.
4
6
  # Only include .c files that can't be directly included in ext/all.c.
@@ -16,12 +18,14 @@ OBJ = ${SRC:.c=.o}
16
18
 
17
19
  # Library archive. Used for compiling along agent bindings.
18
20
  SO_OUT = libimmunio.so
21
+ A_OUT = libimmunio.a
19
22
 
20
23
  # CLI for running tests
21
24
  CLI = lua
22
25
  CLI_SRC = ext/luajit/src/luajit.c ${SRC}
23
26
 
24
- CFLAGS = -DLUA_USE_APICHECK -DLUAJIT -Dlua_assert=assert -O3 -fPIC
27
+ XCFLAGS =
28
+ CFLAGS = -DLUA_USE_APICHECK -DLUAJIT -Dlua_assert=assert -O3 -fPIC ${XCFLAGS}
25
29
  INCS = -Iext -Iext/luajit/src
26
30
  LIBS = -lm -ldl
27
31
 
@@ -32,9 +36,12 @@ HOOKS_TARBALL = hooks.tgz
32
36
  HOOKS_SRCS_TARBALL = hooks_srcs.tgz
33
37
 
34
38
  LUAJIT_OBJ = ext/luajit/src/libluajit.a
39
+ LUAJIT_OUT = libluajit.a
35
40
  LUAJIT_XCFLAGS = -fPIC
36
41
 
37
- ifeq (${shell uname}, Darwin)
42
+ SYS = $(shell uname -s)
43
+
44
+ ifeq (${SYS}, Darwin)
38
45
  # Disable the JIT on OS X
39
46
  LUAJIT_XCFLAGS += -DLUAJIT_ENABLE_GC64
40
47
  endif
@@ -43,13 +50,19 @@ endif
43
50
  all: ${CLI} ${INIT_HOOK} ${HOOKS_TARBALL} ${HOOKS_SRCS_TARBALL}
44
51
 
45
52
  .c.o:
46
- ${CC} ${CFLAGS} -c ${INCS} -o $@ $<
53
+ MACOSX_DEPLOYMENT_TARGET="10.9" ${CC} ${CFLAGS} -c ${INCS} -o $@ $<
47
54
 
48
55
  ${SO_OUT}: ${OBJ} ${LUAJIT_OBJ}
49
56
  ${CC} -shared ${CFLAGS} ${LIBS} -o $@ -lc $^
50
57
 
58
+ ${A_OUT}: ${OBJ}
59
+ ${AR} -rcus $@ $^
60
+
61
+ ${LUAJIT_OUT}: ${LUAJIT_OBJ}
62
+ cp $^ $@
63
+
51
64
  ${LUAJIT_OBJ}:
52
- cd ext/luajit && make XCFLAGS="${LUAJIT_XCFLAGS}"
65
+ cd ext/luajit && MACOSX_DEPLOYMENT_TARGET="10.9" make CROSS="${CROSS}" CC=cc HOST_CC=cc TARGET_SYS=${SYS} XCFLAGS="${LUAJIT_XCFLAGS}"
53
66
 
54
67
  # Build lua executable for testing and compilation
55
68
  # Seperate compilation as we need the LUA_UNSAFE_MODE flag set...
@@ -76,7 +89,7 @@ ${HOOKS_SRCS_TARBALL}: ${HOOK_SRCS}
76
89
  tar -czf $@ -C hooks . --exclude="init"
77
90
 
78
91
  clean:
79
- rm -f ${CLI} ${OBJ} ${SO_OUT}
92
+ rm -f ${CLI} ${OBJ} ${SO_OUT} ${A_OUT} ${LUAJIT_OUT}
80
93
  cd ext/luajit && make clean
81
94
  rm -f ${INIT_HOOK}
82
95
  rm -f test_failed
data/lua-hooks/lib/boot.lua CHANGED
@@ -126,7 +126,6 @@ SANDBOX_ENV = {
126
126
  lexer = require('lexers/lexer'),
127
127
  bash = require('lexers/lexer').load('bash'), -- bash
128
128
  bash_dqstr = require('lexers/lexer').load('bash_dqstr'), -- bash strings
129
- markers = require('lexers/lexer').load('markers'),
130
129
  html = require('lexers/lexer').load('html'),
131
130
  javascript = require('lexers/lexer').load('javascript'),
132
131
  css = require('lexers/lexer').load('css'),
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: immunio
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Immunio
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-09-29 00:00:00.000000000 Z
11
+ date: 2015-10-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails
@@ -149,7 +149,6 @@ files:
149
149
  - lib/immunio/plugins/eval.rb
150
150
  - lib/immunio/plugins/exception_handler.rb
151
151
  - lib/immunio/plugins/gems_tracker.rb
152
- - lib/immunio/plugins/haml.rb
153
152
  - lib/immunio/plugins/http_finisher.rb
154
153
  - lib/immunio/plugins/http_tracker.rb
155
154
  - lib/immunio/plugins/io.rb
@@ -424,7 +423,6 @@ files:
424
423
  - lua-hooks/lib/lexers/html.lua
425
424
  - lua-hooks/lib/lexers/javascript.lua
426
425
  - lua-hooks/lib/lexers/lexer.lua
427
- - lua-hooks/lib/lexers/markers.lua
428
426
  homepage: http://immun.io/
429
427
  licenses:
430
428
  - Immunio
data/lib/immunio/plugins/haml.rb DELETED
@@ -1,36 +0,0 @@
1
- # Haml compiles templates to something like:
2
- #
3
- #begin;extend Haml::Helpers;_hamlout = @haml_buffer = Haml::Buffer.new(haml_buffer, {:autoclose=>["area", "base", "basefont", "br", "col", "command", "embed", "frame", "hr", "img", "input", "isindex", "keygen", "link", "menuitem", "meta", "param", "source", "track", "wbr"], :preserve=>["textarea", "pre", "code"], :attr_wrapper=>"'", :ugly=>true, :format=>:html5, :encoding=>"UTF-8", :escape_html=>true, :escape_attrs=>true, :hyphenate_data_attrs=>true, :cdata=>false});_erbout = _hamlout.buffer;@output_buffer = output_buffer ||= ActionView::OutputBuffer.new rescue nil;;_hamlout.buffer << "<script>console.log('test')</script>\n";::Haml::Util.html_safe(_erbout);ensure;@haml_buffer = @haml_buffer.upper if @haml_buffer;end;
4
- #
5
- # In there is a call to ::Haml::Util.html_safe, which calls the real html_safe.
6
- # But lots of haml code paths call ::Haml::Util.html_safe, so we can't mark it
7
- # as safe. Instead, we need to modify the compiled template code to call the
8
- # method in a marked-safe context.
9
- #
10
- # But haml doesn't make it easy, as it alias-method-chains its own methods. This
11
- # module continues the chain to subvert the
12
- # precompiled_method_return_value_with_haml_xss method and instead call our own
13
- # method, which calls html_safe while in a safe context.
14
-
15
- module Immunio
16
- module Haml
17
- module Compiler
18
- extend ActiveSupport::Concern
19
-
20
- included do
21
- alias_method :precompiled_method_return_value_without_haml_xss_without_immunio, :precompiled_method_return_value_without_haml_xss
22
- alias_method :precompiled_method_return_value, :precompiled_method_return_value_with_haml_xss_with_immunio
23
- end
24
-
25
- def self.immunio_html_safe(string)
26
- Immunio::UnsafeBufferDetection.in_safe_context { ::Haml::Util.html_safe(string) }
27
- end
28
-
29
- def precompiled_method_return_value_with_haml_xss_with_immunio
30
- "Immunio::Haml::Compiler.immunio_html_safe(#{precompiled_method_return_value_without_haml_xss_without_immunio})"
31
- end
32
- end
33
- end
34
- end
35
-
36
- ::Haml::Compiler.send :include, Immunio::Haml::Compiler if defined? ::Haml::Compiler
data/lua-hooks/lib/lexers/markers.lua DELETED
@@ -1,33 +0,0 @@
1
- -- Copyright (C) 2015 Immunio, Inc.
2
-
3
- -- Lexer for HTML markers used in Immunio.io XSS
4
-
5
- -- NOTE: not covered by Scintillua MIT license in this directory.
6
-
7
- local l = require('lexer')
8
- local token, parent_token, word_match = l.token, l.parent_token, l.word_match
9
- local P, R, S, V = lpeg.P, lpeg.R, lpeg.S, lpeg.V
10
-
11
- local M = {_NAME = 'markers'}
12
-
13
- local start_marker = l.token('start_marker', P('{immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
14
- local end_marker = l.token('end_marker', P('{/immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
15
- local marker = start_marker + end_marker
16
-
17
- -- Data between markers
18
- local data = token('data', (l.any - ( marker ) )^1 )
19
- local substitution = l.parent_token( 'substitution', start_marker * data^0 * end_marker )
20
-
21
- M._rules = {
22
- {'substitution', substitution},
23
- {'marker', marker},
24
- {'data', data},
25
- }
26
-
27
- M._tokenstyles = {
28
- }
29
-
30
- M._foldsymbols = {
31
- }
32
-
33
- return M