immunio 1.0.19 → 1.0.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/LICENSE +27 -0
- data/lib/immunio/plugins/http_tracker.rb +100 -89
- data/lib/immunio/version.rb +1 -1
- data/lib/immunio/vm.rb +6 -1
- metadata +3 -5
- data/lib/immunio_tasks/version_bump.rake +0 -44
- data/lib/immunio_tasks/version_bumper.rb +0 -128
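--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5dd373f29d340641801017f1a196715854a6468f
+data.tar.gz: 2de3aa70ccdafcd66b9ea033acc7435558099d0e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a82c3d9390e98de817cd372c2b141d375c630bba443a8966619229e1ada1856dc9d18938100e89dd61a286f0e6ea5c7158c393e5a4907b361ae4cdb8e1169ec0
+data.tar.gz: 586de295f66cb96b02d521bf3ef09baf5f307303acedfafb91c527fea48725bfef1382eaa73035d3fabd874e83997c6db9539487da4cce1a0af21ae33bf317fc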
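--- a/data/LICENSE
+++ b/data/LICENSE
@@ -212,6 +212,33 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
 
+This product includes content covered by the following license:
+Under the MIT license.
+copyright(c) 2006~2007 hanzhao (abrash_han@hotmail.com)
+
+
+This product includes content covered by the following license:
+Copyright (C) 2012 by Paul Moore
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
 All other components of this product are
 Copyright (c) 2015 Immunio, Inc. All rights reserved.
 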
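--- a/data/lib/immunio/plugins/http_tracker.rb
+++ b/data/lib/immunio/plugins/http_tracker.rb
@@ -15,6 +15,7 @@ module Immunio
 Immunio.new_request(request)
 
 Immunio.run_hook! "http_tracker", "http_request_start", meta_from_env(env)
+Immunio.run_hook! "http_tracker", "framework_route", route_name: route_name(env)
 
 env['rack.input'] = InputWrapper.new(env['rack.input'])
 
@@ -26,14 +27,14 @@ module Immunio
 session = env["rack.session"]
 if session_was_loaded?(session)
 Immunio.run_hook! "http_tracker", "framework_session",
-
+session_id: extract_session_id(session)
 end
 
 # Immunio expects response headers as a list of tuples.
 list_headers = headers_to_list(headers)
 
 result = Immunio.run_hook! "http_tracker", "http_response_start",
-
+status: status, headers: list_headers
 
 # If new headers are specified, convert them back to the Ruby hash format.
 if result["headers"] != nil
@@ -50,112 +51,121 @@ module Immunio
 status, headers, body = Immunio.blocked_app.call(env)
 # Do not allow blocking the request here
 Immunio.run_hook "http_tracker", "http_response_start",
-
+status: status, headers: headers
 
 [status, headers, body]
 end
 rescue OverrideResponse => override
-
+status, headers, body = Immunio.override_response.call(env, override)
 
-
-
-
+Immunio.run_hook "http_tracker", "http_response_start",
+status: status, headers: headers
+[status, headers, body]
 end
 
 private
-
-
-
-
-
-
-
-
-
-
-else
-list_headers.push([name, value])
+
+def headers_to_list(headers)
+list_headers = []
+headers.each do |name, value|
+# Ruby treats the `Set-Cookie` header specially. If there are multiple
+# Set-Cookie headers to send, they are joined into a single field,
+# separated by line-feeds.
+if name == "Set-Cookie"
+value.split("\n").each do |cookie_val|
+list_headers.push(["Set-Cookie", cookie_val])
 end
+else
+list_headers.push([name, value])
 end
-list_headers
 end
+list_headers
+end
 
-
-
-
-
-
-
-
-
-
-end
+def list_to_headers(list)
+new_headers = {}
+list.each do |name, value|
+# If this header is already in `new_headers`, append to the
+# existing value with a linefeed separator.
+if new_headers.has_key?(name)
+new_headers[name] += ("\n" + value)
+else
+new_headers[name] = value
 end
-new_headers
 end
+new_headers
+end
 
-
-
-
-# Extract request headers from `env`.
-headers = env.select { |k| k.starts_with? "HTTP_" }.
-each_with_object({}) { |(k, v), h| h.store k[5..-1].downcase.tr('_', '-'), v }
+def rack_request(env)
+Rack::Request.new(env)
+end
 
-
-
-# scheme seen by the end user. We process those in the hooks.
-scheme = env["rack.url_scheme"]
-if env["HTTPS"] == "on"
-# Some servers will set the HTTPS var explicity. If set, use it
-scheme = "https"
-end
+def meta_from_env(env)
+request = rack_request(env)
 
-
-
-
-if defined?(Rails.application) && Rails.application.present?
-begin
-path = request.env['PATH_INFO']
-method = request.env['REQUEST_METHOD'].downcase.to_sym
-url = Rails.application.routes.recognize_path(path, method: method)
-route_name = "#{url[:controller]}##{url[:action]}"
-rescue StandardError
-route_name = nil
-end
-end
+# Extract request headers from `env`.
+headers = env.select { |k| k.starts_with? "HTTP_" }.
+each_with_object({}) { |(k, v), h| h.store k[5..-1].downcase.tr('_', '-'), v }
 
-
-
-
-
-
-
-
-server_addr: env["SERVER_ADDR"],
-server_port: env["SERVER_PORT"],
-route_name: route_name,
-querystring: request.query_string,
-method: request.request_method,
-path: request.path_info,
-socket_ip: request.ip,
-socket_port: request.port,
-headers: headers
-}
+# Determine scheme (http://www.rubydoc.info/github/rack/rack/master/file/SPEC)
+# There are also some HTTP headers from proxies that may affect the
+# scheme seen by the end user. We process those in the hooks.
+scheme = env["rack.url_scheme"]
+if env["HTTPS"] == "on"
+# Some servers will set the HTTPS var explicity. If set, use it
+scheme = "https"
 end
 
-
-
-
+{
+protocol: env["SERVER_PROTOCOL"],
+scheme: scheme,
+uri: env["REQUEST_URI"],
+server_name: env["SERVER_NAME"],
+# SERVER_ADDR is non-standard, but rack uses it as a fallback, so
+# include it here as well so we can access it from Lua.
+server_addr: env["SERVER_ADDR"],
+server_port: env["SERVER_PORT"],
+querystring: request.query_string,
+method: request.request_method,
+path: request.path_info,
+socket_ip: request.ip,
+socket_port: request.port,
+headers: headers
+}
+end
 
-
-
-
-
-
+def route_name(env)
+# Determine the route name in controller#action format:
+route_name = nil
+
+if defined?(Rails.application) && Rails.application.present?
+begin
+request = rack_request(env)
+path = request.env['PATH_INFO']
+method = request.env['REQUEST_METHOD'].downcase.to_sym
+url = Rails.application.routes.recognize_path(path, method: method)
+route_name = "#{url[:controller]}##{url[:action]}"
+rescue StandardError
+route_name = nil
 end
-
-Digest::SHA1.hexdigest(session_id) if session_id
 end
+
+route_name
+end
+
+def session_was_loaded?(session)
+session && (session.respond_to?(:loaded?) ? session.loaded? : true)
+end
+
+def extract_session_id(session)
+session_id = if session.respond_to?(:id)
+session.id
+else
+session[:id] || session[:session_id]
+end
+
+Digest::SHA1.hexdigest(session_id) if session_id
+end
 end
 
 class InputWrapper < SimpleDelegator
@@ -192,9 +202,10 @@ module Immunio
 end
 
 private
-
-
-
-
+
+def report_chunk(chunk)
+Immunio.run_hook! "http_tracker", "http_request_body_chunk",
+chunk: chunk
+end
 end
 end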
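Review bot: `meta_from_env` (new lines 106–108) copies every `HTTP_*` entry into `headers`, so the `cookie` header — and `authorization` where the server exposes it — reaches the `http_request_start` hook verbatim, while `extract_session_id` (new lines 160–168) deliberately SHA1-hashes the session id before `framework_session` reports it; the raw session cookie usually carries that same id, so the pseudonymisation is undone one hook earlier. Unless the Lua hooks are known to redact these (the only hook-side processing the comments mention is of proxy scheme headers), strip them when the hash is built, e.g. `SENSITIVE_HEADERS = %w[cookie authorization].freeze` at class level and `headers = headers.reject { |k, _| SENSITIVE_HEADERS.include?(k) }` right after the `each_with_object` line, or document why the hooks need them in clear. Separately, `k.starts_with?` on new line 107 is the ActiveSupport spelling; core `String#start_with?` behaves the same and keeps this Rack middleware independent of ActiveSupport being loaded. `meta_from_env` and `route_name` both start and end inside this hunk; the class enclosing them begins before it.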
data/lib/immunio/version.rb
CHANGED
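--- a/data/lib/immunio/vm.rb
+++ b/data/lib/immunio/vm.rb
@@ -193,6 +193,11 @@ module Immunio
 @error_handler = @state["debug.traceback"]
 @call_function = @state['sandboxed_call']
 
+# The pass function acts as a Ruby => Lua converter.
+# It simply passes back it's first argument.
+# Arguments are converted from Ruby to Lua by rufus-lua.
+@pass_function = @state.eval "return function(obj) return obj end"
+
 self.class.check_rufus_stack @state, "Stack not empty after bootstrap"
 end
 
@@ -207,7 +212,7 @@ module Immunio
 return object if object.is_a?(Rufus::Lua::Ref)
 
 lua_call do
-@
+@pass_function.call(object)
 end
 end
 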
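Review bot: The comment on new line 197 has a typo in the possessive; it should read `# It simply passes back its first argument.`. Since the Lua chunk is evaluated once where `@pass_function` is assigned and the second hunk (new line 215) only calls the resulting function per object, a line saying so would spare a reader checking whether each conversion re-evaluates Lua source, e.g. `# Evaluated once at bootstrap; later conversions only call the resulting function.`. The methods enclosing both hunks begin before their hunks.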
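--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.22
 platform: ruby
 authors:
 - Immunio
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-05
+date: 2016-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rails
@@ -164,8 +164,6 @@ files:
 - lib/immunio/utils.rb
 - lib/immunio/version.rb
 - lib/immunio/vm.rb
-- lib/immunio_tasks/version_bump.rake
-- lib/immunio_tasks/version_bumper.rb
 - lua-hooks/Makefile
 - lua-hooks/ext/all.c
 - lua-hooks/ext/libinjection/COPYING
@@ -447,7 +445,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4
+rubygems_version: 2.6.4
 signing_key:
 specification_version: 4
 summary: Immunio Ruby agent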
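--- a/data/lib/immunio_tasks/version_bump.rake
+++ b/data/lib/immunio_tasks/version_bump.rake
@@ -1,44 +0,0 @@
-require_relative 'version_bumper'
-
-namespace 'version' do
-YES_TRUE_REGEX = /yes|y|true|t/
-
-def test_mode?
-!!(ENV.fetch('TEST', 'no').downcase =~ YES_TRUE_REGEX)
-end
-
-def quiet_mode?
-!!(ENV.fetch('QUIET', 'yes').downcase =~ YES_TRUE_REGEX)
-end
-
-task :setup do
-@bumper = VersionBumper.new(test_mode?, quiet_mode?)
-@bumper.status
-abort "You must be on a clean master branch!" unless VersionBumper.on_clean_master?
-end
-
-desc "Show status"
-task :status => [ :setup ] do
-end
-
-namespace 'release' do
-desc "Prepare a new release"
-task :prepare => [ :setup ] do
-@bumper.prepare
-end
-end
-
-desc "Bump version"
-task :bump => [ :setup ] do
-new_version = @bumper.prompt_for_new_version
-@bumper.ask_and_bump_version(new_version)
-end
-
-namespace :bump do
-desc "Bump version to development"
-task :development => [ :setup ] do
-abort "Version already set for development" if VersionBumper.development?
-@bumper.bump_development_version
-end
-end
-end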
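--- a/data/lib/immunio_tasks/version_bumper.rb
+++ b/data/lib/immunio_tasks/version_bumper.rb
@@ -1,128 +0,0 @@
-require_relative '../immunio/version'
-require 'highline'
-
-class VersionBumper
-def self.current_version
-Immunio::VERSION
-end
-
-def self.version_file
-@version_file ||= File.join Dir.pwd, 'lib/', 'immunio', 'version.rb'
-end
-
-def self.current_branch
-%x[git symbolic-ref HEAD 2>/dev/null | cut -d"/" -f 3].strip
-end
-
-def self.on_master?
-current_branch == 'master'
-end
-
-def self.clean_branch?
-%x[git status --porcelain --ignore-submodules].split.count == 0
-end
-
-def self.on_clean_master?
-on_master? && clean_branch?
-end
-
-def self.development?
-current_version =~ /master/
-end
-
-
-def initialize(test_mode, quiet_mode)
-@test_mode = test_mode
-@quiet_mode = quiet_mode
-end
-
-attr_reader :test_mode, :quiet_mode
-
-def status
-cli.say "<%= color('You are not on the master branch!', BOLD) %>" unless self.class.on_master?
-cli.say "<%= color('There are uncommitted changes OR untracked files!', BOLD) %>" unless self.class.clean_branch?
-cli.say "Current version is: #{self.class.current_version}"
-end
-
-def prepare
-if cli.agree("Are you sure? (yes/no)")
-exec 'git submodule init' # When we have a fresh clone
-exec 'git fetch origin'
-exec 'git clean -fxd'
-exec 'git submodule foreach --recursive git clean -fxd'
-exec 'git submodule update'
-cli.say 'Now run `bundle exec rake version:bump`'
-else
-cli.say 'Nothing done.'
-end
-end
-
-def prompt_for_new_version
-@new_version ||= cli.ask('New version? ') do |v|
-v.default = self.class.current_version.sub('.master', '')
-end
-end
-
-def ask_and_bump_version(version)
-unless version_valid?
-cli.say 'Version is unchanged'
-return
-end
-
-if cli.agree("Bump version to #{version}? (yes/no)")
-bump_version(version)
-else
-cli.say 'Nothing done.'
-end
-end
-
-def bump_development_version
-return if self.class.development?
-
-arr = self.class.current_version.split('.')
-new_patch_level = (arr.last.to_i + 1).to_s
-version = (arr[0...2] << new_patch_level).join('.') << '.master'
-
-ask_and_bump_version(version)
-end
-
-private
-
-def exec(cmd)
-echo = test_mode ? 'echo' : ''
-puts "=> #{echo} #{cmd}" unless quiet_mode
-%x[#{echo} #{cmd}]
-end
-
-def cli
-@cli ||= HighLine.new
-end
-
-def version_valid?
-@new_version != self.class.current_version
-end
-
-def bump_version(new_version)
-return unless self.class.on_clean_master?
-
-cli.say "Bumping version to v#{new_version}"
-update_version_file(new_version)
-commit_changes(new_version)
-end
-
-def update_version_file(new_version)
-cli.say "Updating #{self.class.version_file}"
-cli.say exec(%Q[sed -i '' 's/#{self.class.current_version}/#{new_version}/' #{self.class.version_file}])
-end
-
-def commit_changes(new_version)
-cli.say "Committing changes"
-if new_version =~ /master/
-cli.say exec(%Q[git commit -a -m \"Open v#{new_version} for development\"])
-else
-cli.say exec(%Q[git commit -a -m \"Bump agent version to v#{new_version}\"])
-cli.say "Next, run `gem_push=no bundle exec rake release`"
-cli.say "Then, run `bundle exec rake version:bump:development`"
-end
-end
-end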