immunio 1.0.4 → 1.0.5

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-27 00:00:00.000000000 Z
+date: 2015-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -417,15 +417,6 @@ files:
 - lua-hooks/ext/sha1/luasha1.c
 - lua-hooks/ext/sha1/sha1.c
 - lua-hooks/lib/boot.lua
-- lua-hooks/lib/encode.lua
-- lua-hooks/lib/lexers/LICENSE
-- lua-hooks/lib/lexers/bash.lua
-- lua-hooks/lib/lexers/bash_dqstr.lua
-- lua-hooks/lib/lexers/css.lua
-- lua-hooks/lib/lexers/css_attr.lua
-- lua-hooks/lib/lexers/html.lua
-- lua-hooks/lib/lexers/javascript.lua
-- lua-hooks/lib/lexers/lexer.lua
 homepage: http://immun.io/
 licenses:
 - Immunio

data/lua-hooks/lib/encode.lua

@@ -1,4 +0,0 @@
--- Encode a Lua object to be sent to the server.
-function encode(object)
-  return cmsgpack.pack(object)
-end

data/lua-hooks/lib/lexers/LICENSE

@@ -1,21 +0,0 @@
-The MIT License
-
-Copyright (c) 2007-2015 Mitchell
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

data/lua-hooks/lib/lexers/bash.lua

@@ -1,134 +0,0 @@
--- Copyright 2006-2015 Mitchell mitchell.att.foicica.com.
--- Copyright 2015 Immunio, Inc.
-
--- Shell LPeg lexer.
-
--- This is based on the lexer from the Scintillua package, with a ot of extension
--- The goal isn't a complete parser for bash, but a lexer that can extract a useful
--- amount of structure to detect tampering. The emphasis is more on common injection
--- techniques and lexical structure than actually extracting properly formed bash
--- statements. Down the road we may need to go as far as to parse statements, and that
--- should be possible at the cost of a lot more complexity.
-
-local l = require('lexer')
-local token = l.token
-local P, R, S = lpeg.P, lpeg.R, lpeg.S
-
-local M = {_NAME = 'bash'}
-
--- Whitespace.
-local ws = token(l.WHITESPACE, l.space^1)
-
-local bash_word = (l.alpha + '_') * (l.alnum + '_' + '\\ ' + '.')^0
-
-
--- Comments.
-local comment = token(l.COMMENT, '#' * l.nonnewline^0)
-
--- Strings.
-local sq_str = token('sq_str', l.delimited_range("'", false, true))
-local dq_str = token('dq_str', l.delimited_range('"'))
-local ex_str = token('ex_str', l.delimited_range('`'))
-local heredoc = token('heredoc', '<<' * P(function(input, index)
-  local s, e, _, delimiter =
-    input:find('%-?(["\']?)([%a_][%w_]*)%1[\n\r\f;]+', index)
-  if s == index and delimiter then
-    local _, e = input:find('[\n\r\f]+'..delimiter, e)
-    return e and e + 1 or #input + 1
-  end
-end))
-local bash_string = sq_str + dq_str + ex_str + heredoc
-
--- Numbers.
-local number = token(l.NUMBER, l.float + l.integer)
-
--- Keywords.
-local keyword = token(l.KEYWORD, l.word_match({
-  'if', 'then', 'elif', 'else', 'fi', 'case', 'in', 'esac', 'while', 'for',
-  'do', 'done', 'continue', 'local', 'return', 'select',
--- Operators. These could be split into individual tokens...
-  '-a', '-b', '-c', '-d', '-e', '-f', '-g', '-h', '-k', '-p', '-r', '-s', '-t',
-  '-u', '-w', '-x', '-O', '-G', '-L', '-S', '-N', '-nt', '-ot', '-ef', '-o',
-  '-z', '-n', '-eq', '-ne', '-lt', '-le', '-gt', '-ge'
-}, '-'))
-
--- Common commands ... this is not exhaustive nor does it need to be.
-local command = token("command", l.word_match({
-  'awk', 'cat', 'cmp', 'cp', 'curl', 'cut', 'date', 'find', 'grep', 'gunzip', 'gvim',
-  'gzip', 'kill', 'lua', 'make', 'mkdir', 'mv', 'php', 'pkill', 'python', 'rm',
-  'rmdir', 'rsync', 'ruby', 'scp', 'sed', 'sleep', 'ssh', 'sudo', 'tar', 'unlink',
-  'wget', 'zip'
-}, '-'))
-
--- Builtins
-local builtin = token("builtin", l.word_match({
-  'alias', 'bind', 'builtin', 'caller', 'command', 'declare', 'echo', 'enable',
-  'help', 'let', 'local', 'logout', 'mapfile', 'printf', 'read', 'readarray',
-  'source', 'type', 'typeset', 'ulimit', 'unalias',
-}, '-'))
-
--- Filenames. This is a bit sloppy, but tries to discern filenames from other identifiers
--- Very much a case of R&D 'suck it and see'
-local filename = token("filename", P('/')^0 * (bash_word + '.') * (
-                                    '/' + bash_word + '.' )^0 * ('.' * bash_word )^0 )
-
-local ip = (l.integer * P('.') * l.integer * P('.') * l.integer * P('.') * l.integer)
-
-local protocol = ((P('https') + 'http' + 'ftp' + 'irc') * '://') + 'mailto:'
-local remainder = ((1-S'\r\n\f\t\v ,."}])') + (S',."}])' * (1-S'\r\n\f\t\v ')))^0
-local url = protocol * remainder
-
--- Identifiers.
-local identifier = token(l.IDENTIFIER, url + ip + bash_word)
-
--- Variables.
-local ex_variable = token("ex_variable",
-                          '$' * l.delimited_range('()', true, true))
-
-local variable = token(l.VARIABLE,
-                       '$' * (S('!#?*@$') + l.digit^1 + bash_word +
-                              l.delimited_range('{}', true, true)))
-
-local var = ex_variable + variable
-
--- Operators. These could be split into individual tokens...
-local operator = token(l.OPERATOR, S('=!<>+-/*^&|~.,:;?()[]{}'))
-
-M._rules = {
-  {'whitespace', ws},
-  {'keyword', keyword},
-  {'builtin', builtin},
-  {'command', command},
-  {'identifier', identifier},
-  {'filename', filename},
-  {'string', bash_string},
-  {'comment', comment},
-  {'number', number},
-  {'variable', var},
-  {'operator', operator},
-}
-
--- This is the main function for lexing bash data. It recurses and uses
--- the dqstr sub-lexer instance provided (we don't instantiate it directly
--- to allow the caller to cache the instance and avoid recompiling the grammar)
-function M.lex_recursive( self, str, bash_dqstr_lexer )
-  local tokens = self:lex(str)
-  for i = 1, #tokens do
-    if tokens[i]['token'] == "ex_str" then
-      tokens[i]['val'] = self:lex_recursive(string.sub(tokens[i]['val'], 2, -2), bash_dqstr_lexer)
-    elseif tokens[i]['token'] == "ex_variable" then
-      tokens[i]['val'] = self:lex_recursive(string.sub(tokens[i]['val'], 3, -2), bash_dqstr_lexer)
-    elseif tokens[i]['token'] == "dq_str" then
-      tokens[i]['val'] =
-        bash_dqstr_lexer:lex_recursive(string.sub(tokens[i]['val'], 2, -2), self)
-    elseif tokens[i]['token'] == "heredoc" then
-      tokens[i]['val'] =
-        bash_dqstr_lexer:lex_recursive(tokens[i]['val'], self)
-    end
-  end
-  return tokens
-end
-
-return M
-
-

data/lua-hooks/lib/lexers/bash_dqstr.lua

@@ -1,59 +0,0 @@
--- Copyright (C) 2015 Immunio, Inc.
-
--- Lexer for bash magic double quotes
-
--- NOTE: not covered by Scintillua MIT license in this directory.
-
--- While our lexer has the ability to embed this sort of thing as a child of another lexer
--- I didn't bother here due to the recursion; we need to lex the parent (bash) language
--- for some tokens which would be very complex at best. It's cleaner to use two lexers
--- and handle the recursion in higher level lua at a minute performance cost.
-
-local l = require('lexer')
-local token = l.token
-local P, R, S = lpeg.P, lpeg.R, lpeg.S
-
-local M = {_NAME = 'bash_dqstr'}
-
--- Generic token.
-local bash_word = (l.alpha + '_') * (l.alnum + '_' + '\\ ')^0
-
--- Strings.
---  Shell substitution.
-local ex_str = token('ex_str', l.delimited_range('`'))
-
---  Other string data
-local bash_string = token('str_data', (l.any - '$' - '`')^1)
-
--- Variables.
---  Shell Substitution.
-local ex_variable = token("ex_variable",
-                          '$' * l.delimited_range('()', true, true))
---  Other variables
-local variable = token(l.VARIABLE,
-                       '$' * (S('!#?*@$') + l.digit^1 + bash_word +
-                              l.delimited_range('{}', true, true)))
-
-local var = ex_variable + variable
-
-M._rules = {
-  {'variable', var},
-  {'ex_str', ex_str},
-  {'string', bash_string},
-}
-
-function M.lex_recursive( self, str, bash_lexer )
-  local tokens = self:lex(str)
-  for i = 1, #tokens do
-    if tokens[i]['token'] == "ex_str" then
-      tokens[i]['val'] = bash_lexer:lex_recursive(string.sub(tokens[i]['val'], 2, -2), self)
-    elseif tokens[i]['token'] == "ex_variable" then
-      tokens[i]['val'] = bash_lexer:lex_recursive(string.sub(tokens[i]['val'], 3, -2), self)
-    end
-  end
-  return tokens
-end
-
-return M
-
-

data/lua-hooks/lib/lexers/css.lua

@@ -1,101 +0,0 @@
--- Copyright 2006-2010 Mitchell Foral mitchell<att>caladbolg.net. See LICENSE.
--- CSS LPeg lexer
-local M = {_NAME = 'css'}
-
-local l = require('lexer')
-local token, parent_token, word_match, delimited_range =
-  l.token, l.parent_token, l.word_match, l.delimited_range
-
-local P, R, S, V = lpeg.P, lpeg.R, lpeg.S, lpeg.V
-
-local ws = token('whitespace', l.space^1)
-
--- comments
-local comment = token('comment', '/*' * (l.any - '*/')^0 * P('*/')^-1)
-
-local word_char = l.alnum + S('_-')
-local identifier = (l.alpha + '-')^1 * word_char^0
-
--- strings
-local sq_str = delimited_range("'", '\\', true)
-local dq_str = delimited_range('"', '\\', true)
-local string = token('string', sq_str + dq_str)
-
-local colon = token('operator', ':')
-local semicolon = token('operator', ';')
-local comma = token('operator', ',')
-local obrace = token('operator', '{')
-local cbrace = token('operator', '}')
-local bang = token('operator', '!')
-
--- selectors
-local attribute = '[' * word_char^1 * (S('|~')^-1 * '=' * (identifier + sq_str + dq_str))^-1 * ']'
-local class_id_selector = identifier^-1 * S('.#') * identifier
-local pseudoclass = word_match({
-  'first-letter', 'first-line', 'link', 'active', 'visited',
-  'first-child', 'focus', 'hover', 'lang', 'before', 'after',
-  'left', 'right', 'first'
-}, '-', true)
-local selector = P('*') * ws + (class_id_selector + identifier + '*') * attribute^-1
-selector =  token('selector', selector * (ws * selector)^0) *
-  (token('selector', ':' * pseudoclass) + token('default_selector', ':' * word_char^1))^-1
-selector = selector * (ws^0 * (comma + token('selector', S('>+*'))) * ws^0 * selector)^0
-
--- css properties and values
-local property_name = token('property_name', word_char^1)
-local value = token('value', bang^0 * word_char^1)
-
--- colors, units, numbers, and urls
-local hexcolor = token('color', '#' * l.xdigit * l.xdigit * l.xdigit * (l.xdigit * l.xdigit * l.xdigit)^-1)
-local rgbunit = (l.digit^1 * P('%')^-1)
-local rgbcolor = token('color', word_match({'rgb'}, nil, true) * '(' * rgbunit * ',' * rgbunit * ',' * rgbunit * ')')
-local color = hexcolor + rgbcolor
-local unit = word_match({
-  'pt', 'mm', 'cm', 'pc', 'in', 'px', 'em', 'ex', 'deg',
-  'rad', 'grad', 'ms', 's', 'Hz', 'kHz'
-}, nil, true)
-unit = token('unit', unit + '%')
-local css_float = l.digit^0 * '.' * l.digit^1 + l.digit^1 * '.' * l.digit^0 + l.digit^1
-local number = token('number', S('+-')^-1 * css_float) * unit^-1
-local func = parent_token('function', token('function_name', identifier) * token('function_param', delimited_range('()', true, false, true)))
--- declaration block
-local block_default_char = token('default_block_char', (l.any - '}')^1)
-local property_value = parent_token('property_value', string + number + color + func + value)
-local property_values = { property_value * (ws * property_value)^0 * (ws^0 * comma * ws^0 * V(1))^0 }
-local declaration_value = colon * ws^0 * property_values * ws^0 * semicolon^0
-local declaration_property = property_name * ws^0
-local declaration = parent_token('declaration', (declaration_property * (declaration_value + block_default_char)) + comment + block_default_char)
-local declaration_block = parent_token('declaration_block', obrace * ws^0 * declaration * (ws * declaration)^0 * ws^0 * cbrace^-1)
-
-local css_element = selector * ws^0 * declaration_block^-1
-
--- at rules
-local at_rule_name = token('at_rule_name', '@' * word_match({
-  'import', 'media', 'page', 'font-face', 'charset'
-}, '-', true))
-local at_rule_arg = token('at_rule_arg', word_match({
-  'all', 'aural', 'braille', 'embossed', 'handheld', 'print',
-  'projection', 'screen', 'tty', 'tv'
-}, nil, true))
-local at_rule = parent_token('at_rule', at_rule_name * (ws * (at_rule_arg + func + string) )^-1)
-
--- Immunio marker
-local marker = l.token('marker', P('{immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
-
-M._rules = {
-  {'whitespace', ws},
-  {'comment', comment},
-  {'marker', marker},
-  {'at_rule', at_rule},
-  {'string', string},
-  {'css_element', css_element},
-}
-M.declaration = declaration -- so we can access it in sub-lexer for attrs
-
-M._tokenstyles = {
-}
-
-M._foldsymbols = {
-}
-
-return M

data/lua-hooks/lib/lexers/css_attr.lua

@@ -1,13 +0,0 @@
--- Lexer for CSS style attributes. These are slightly different as we need to
--- start lexing inside a declaration rather than at the selector level...
-M = require('css')
--- For attributes, remove the css_element rule which includes
--- selector and delaration block tokens
-for k,v in ipairs(M._rules) do
-	if v[1] == 'css_element' then
-		M._rules[k] = nil
-	end
-end
--- Instead insert a top level token for declarations.
-table.insert(M._rules, {'declaration', M.declaration})
-return M

data/lua-hooks/lib/lexers/html.lua

@@ -1,113 +0,0 @@
--- Copyright (C) 2015 Immunio, Inc.
-
--- HTML: Simple h5 like HTML lexer for Immun.io.
-
--- NOTE: not covered by Scintillua MIT license in this directory.
-
-local l = require('lexer')
-local token, parent_token, word_match = l.token, l.parent_token, l.word_match
-local P, R, S, V = lpeg.P, lpeg.R, lpeg.S, lpeg.V
-
-local M = {_NAME = 'html'}
-
-local case_insensitive_tags = true
-
--- Whitespace.
-local ws = l.space^1
--- This is broad to both accept our placeholders and be very liberal about what may be
--- interpreted as an attribute to ensure we escape attributes fairly aggressively.
-local element_chars = (l.any - '<' - '>' - '=' - '"' - "'" - ws)^1
-
--- Comments.
-local comment = token(l.COMMENT, '<!--' * (l.any - '-->')^0 * P('-->'))
-
--- IE Conditional Comments.
-local ie_condcomment_hidden_open = token(l.COMMENT, P('<!--[') * (l.any - ']>')^0 * P(']>'))
-local ie_condcomment_hidden_close = token(l.COMMENT, P('<![') * (l.any - ']-->')^0 * P(']-->'))
-local ie_condcomment_revealed = token(l.COMMENT, P('<![') * (l.any - '>')^0 * P('>'))
-local condcomment = token('condcomment', ie_condcomment_hidden_open + ie_condcomment_hidden_close + ie_condcomment_revealed)
-
--- Strings.
-local sq_str = l.delimited_range("'")
-local dq_str = l.delimited_range('"')
-local string = sq_str + dq_str
-
--- Attributes. Individual recognition is handled in our XSS processing code.
-local attr_name = token('attr_name', element_chars - '=')
-local attr_value = token('attr_value', string + element_chars)
-local attribute = parent_token('attribute', attr_name * '=' * attr_value)
-
--- Tags.
-local tag_name = token('tag_name', element_chars - '/')
-local tag_data = token('tag_data', (l.any - l.space - '>')^1 ) -- crap in a tag
-
--- XXX how should we handle void tags... right now they are an unmatched tag_open
-local tag_open = parent_token('tag_open', P('<') * tag_name * ( (ws * attribute) + ( tag_data ) + ws )^0 * (P('>') + '/>') )
-local tag_close = parent_token('tag_close', P('</') * tag_name * ( ( tag_data ) + ws )^0 * '>')
-
--- Special case for script and style tags.
-local style_tag_name = token("tag_name", word_match({'style'}, nil, case_insensitive_tags))
-local style_tag_open = parent_token("tag_open", P('<') * style_tag_name * ((ws * attribute) + tag_data)^0 * P('>'))
-local style_tag_close = parent_token("tag_close", P('</') * style_tag_name * tag_data^0 * '>')
-local style_data = token("style_data", (l.any - style_tag_close)^0)
-local style_tag = parent_token('style_tag', style_tag_open * style_data * style_tag_close)
-
-local script_tag_name = token("tag_name", word_match({'script'}, nil, case_insensitive_tags))
-local script_tag_open = parent_token("tag_open", P('<') * script_tag_name * ((ws * attribute) + tag_data)^0 * P('>'))
-local script_tag_close = parent_token("tag_close", P('</') * script_tag_name * tag_data^0 * '>')
-local script_data = token("script_data", (l.any - script_tag_close)^0)
-local script_tag = parent_token('script_tag', script_tag_open * script_data * script_tag_close)
-
--- Top level rules
-
--- Note: the ordering is important here as <script> and <style> have to supercede tag_open...
-local tag = style_tag + script_tag + tag_open + tag_close
-
--- Entities.
-local entity = token('entity', '&' * (l.any - l.space - ';' - '<' - '>' - "'" - '"' - "/" )^1 * ';')
-
--- Doctype.
-local doctype = token('doctype', '<!' *
-                      word_match({'doctype'}, nil, case_insensitive_tags) *
-                      (l.any - '>')^1 * '>')
-
--- Data between tags
-local data = token('data', (l.any - '<')^1)
-
-M._rules = {
-  {'condcomment', condcomment}, -- must preceed comment
-  {'comment', comment},
-  {'doctype', doctype},
-  {'tag', tag},
-  {'entity', entity},
-  {'data', data},
-}
-
-M._tokenstyles = {
-}
-
-M._foldsymbols = {
-}
-
-M.unlex_rules = {
-  ["tag_open"] = {
-    ["prefix"] = "<",
-    ["suffix"] = ">",
-  },
-  ["tag_close"] = {
-    ["prefix"] = "</",
-    ["suffix"] = ">",
-  },
-  ["attribute"] = {
-    ["prefix"] = " ",
-  },
-  ["tag_data"] = {
-    ["prefix"] = " ",
-  },
-  ["attr_name"] = {
-    ["suffix"] = "=",
-  },
-}
-
-
-return M