immunio 1.0.9 → 1.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 707599380d8fefd64b7025d8529745af7ed07df2
-  data.tar.gz: 294b3c9d179e6943f88f3d7b8a0db6d72c3fd1bc
+  metadata.gz: fe54e75e874948ac23bb4981980420811c7c97a3
+  data.tar.gz: e43529302f807d4035281978c1a4b90bfa2c326c
 SHA512:
-  metadata.gz: 0c8b6e5455a9806041a0049414561ee8e70161cd85f64ab7c0041cdd82cf70350a85ec83ab0a62a3d58c038dd530ebd36ca446afc09d290f64609d4d14d080f2
-  data.tar.gz: cff8a8c2d49cff6bdf635918fa94dca3fe4db3ed70d02fc937c914f1420050dfebe58bc12b515fe5dcd449eb8a87b098c482d914c9e2048e1d6a327aaa1d694e
+  metadata.gz: 3ee656e08aaf902244d38a03653ae3db83d68a23528b981040f2ac6c888b264bc8435db61ded6ffd463b6507199ec99fce765f2e5ec0f883ad68082163e67649
+  data.tar.gz: 6ec875e6850070c952880d48ef282f4a0961fdd91ccba4929cc19fa9d1a4379d9fe714f3a57e3a6036c248fa714dfd5c330168077619263252d3249be4dba4fa

data/lib/immunio.rb

@@ -2,6 +2,7 @@ module Immunio
   DIR = File.expand_path(File.dirname(__FILE__))
 
   def self.activate!
+    require_relative "immunio/utils"
     require_relative "immunio/agent"
     require_relative "immunio/authentication"
 

data/lib/immunio/agent.rb

@@ -11,7 +11,7 @@ module Immunio
 
   # Plugins that are enabled by default. Override using the `plugins_enabled`
   # and `plugins_disabled` configuration settings.
-  DEFAULT_PLUGINS = ["xss", "file_io", "redirect", "sqli", "eval", "shell_command"]
+  DEFAULT_PLUGINS = ["xss", "file_io", "redirect", "sqli", "shell_command"]
 
   CONFIG_FILENAME = "immunio.yml"
 

data/lib/immunio/context.rb

@@ -20,21 +20,20 @@ module Immunio
     # of a String, may be provided to mix into the strict context hash.
     def self.context(additional_data=nil)
       # We can filter out at least the top two frames
-      cache_key = Digest::SHA1.hexdigest(caller(2).join())
+      stack = caller(2).join "\n"
+
+      cache_key = Digest::SHA1.hexdigest stack
+
       if @@hash_cache.has_key?(cache_key) then
         loose_context = @@hash_cache[cache_key]["loose_context"]
         strict_context = @@hash_cache[cache_key]["strict_context"]
-        stack = @@hash_cache[cache_key]["stack"]
-        loose_stack = @@hash_cache[cache_key]["stack"]
 
         if Immunio.agent.config.log_context_data
           Immunio.logger.info {"Stack contexts from cache"}
         end
       else
         # Use ropes as they're faster than string concatenation
-        loose_stack_rope = []
         loose_context_rope = []
-        stack_rope = []
         strict_context_rope = []
 
         # drop the top frame as it's us, but retain the rest. Immunio frames
@@ -64,13 +63,6 @@ module Immunio
             strict_path = File.basename(frame[:path])
           end
 
-          stack_rope << "\n" unless stack_rope.empty?
-          stack_rope << frame[:path]
-          stack_rope << ":"
-          stack_rope << frame[:line]
-          stack_rope << ":"
-          stack_rope << frame[:label]
-
           strict_context_rope << "\n" unless strict_context_rope.empty?
           strict_context_rope << strict_path
           strict_context_rope << ":"
@@ -89,19 +81,9 @@ module Immunio
           loose_context_rope << File.basename(frame[:path])
           loose_context_rope << ":"
           loose_context_rope << frame[:label]
-
-          # build a second seperate rope for the stack that determines ou loose context key
-          # This includes filenames for usability -- just method names not being very good
-          # for display purposes...
-          loose_stack_rope << "\n" unless loose_stack_rope.empty?
-          loose_stack_rope << frame[:path]
-          loose_stack_rope << ":"
-          loose_stack_rope << frame[:label]
-
         end
-        stack = stack_rope.join()
         strict_stack = strict_context_rope.join()
-        loose_stack = loose_stack_rope.join()
+        loose_stack = loose_context_rope.join()
 
         if Immunio.agent.config.log_context_data
           Immunio.logger.info {"Strict context stack:\n#{strict_stack}"}
@@ -109,12 +91,10 @@ module Immunio
         end
 
         strict_context = Digest::SHA1.hexdigest(strict_stack)
-        loose_context = Digest::SHA1.hexdigest(loose_context_rope.join())
+        loose_context = Digest::SHA1.hexdigest(loose_stack)
         @@hash_cache[cache_key] = {
             "strict_context" => strict_context,
             "loose_context" => loose_context,
-            "stack" => stack,
-            "loose_stack" => loose_stack
           }
       end
 
@@ -126,7 +106,7 @@ module Immunio
         strict_context = Digest::SHA1.hexdigest(strict_context + additional_data)
       end
 
-      return strict_context, loose_context, stack, loose_stack
+      return strict_context, loose_context, stack
     end
   end
 end

data/lib/immunio/plugins/action_view.rb

@@ -49,15 +49,35 @@ module Immunio
 
       # @template is a virtual template that doesn't contain the source. We need
       # to try to load the source. But, the virtual template doesn't know the
-      # original format of the source template file. Grab the original format
-      # from the view context and override the default of just :html when
-      # when looking up the template.
-      old_formats = context.lookup_context.formats
+      # original format of the source template file.
+      #
+      # First, try to load it using the Rails defaults (usually "html" and
+      # "txt"). If that doesn't work, try to use the original format from the
+      # virtual template.
+      #
+      # Though one might think the format from the virtual template would always
+      # work, unfortunately the format from the template refers to the "type" of
+      # the template, which may or may not be the same as the format of the
+      # lookup context, which specifies the file extension of the template. Ugh,
+      # naming... For example, the lookup context format may be "txt" while the
+      # template format is "text".
+      #
+      # Astute readers may note that there's the possibility the template
+      # extension is not in the Rails default list of lookup formats, and also
+      # does not match the template type. We are just going to leave that for
+      # another day, and hope that day never comes...
       begin
-        context.lookup_context.formats = @template.formats
         refreshed = Immunio::IOHooks.paused { @template.refresh(context) }
-      ensure
-        context.lookup_context.formats = old_formats
+      rescue
+        begin
+          old_formats = context.lookup_context.formats
+          context.lookup_context.formats = @template.formats
+          refreshed = Immunio::IOHooks.paused { @template.refresh(context) }
+        rescue
+          Immunio.logger.warn { "Failed to refresh template source from #{@template} using contexts #{old_formats} and #{@template.formats}" }
+        ensure
+          context.lookup_context.formats = old_formats
+        end
       end
 
       return if refreshed.nil?
@@ -337,7 +357,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :add_expr, :immunio
+      Immunio::Utils.alias_method_chain self, :add_expr, :immunio
     end
 
     def add_expr_with_immunio(src, code, indicator)
@@ -362,7 +382,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :push_script, :immunio
+      Immunio::Utils.alias_method_chain self, :push_script, :immunio
     end
 
     def push_script_with_immunio(code, opts = {}, &block)
@@ -385,7 +405,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :render_template, :immunio
+      Immunio::Utils.alias_method_chain self, :render_template, :immunio
     end
 
     def render_template_with_immunio(template, *args)
@@ -407,7 +427,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :render, :immunio
+      Immunio::Utils.alias_method_chain self, :render, :immunio
     end
 
     def render_with_immunio(context, *args, &block)
@@ -428,7 +448,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :write_fragment, :immunio
+      Immunio::Utils.alias_method_chain self, :write_fragment, :immunio
     end
 
     def write_fragment_with_immunio(key, content, options = nil)

data/lib/immunio/plugins/active_record.rb

@@ -10,7 +10,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :quote, :immunio if method_defined? :quote
+      Immunio::Utils.alias_method_chain self, :quote, :immunio if method_defined? :quote
     end
 
     IGNORED_TYPES = [TrueClass, FalseClass, NilClass, Fixnum, Bignum, Float].freeze
@@ -69,7 +69,7 @@ module Immunio
             end
           end
         end
-        alias_method_chain :sanitize_sql_array, :immunio
+        Immunio::Utils.alias_method_chain self, :sanitize_sql_array, :immunio
       end
     end
   end
@@ -78,7 +78,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :accept, :immunio if method_defined? :accept
+      Immunio::Utils.alias_method_chain self, :accept, :immunio if method_defined? :accept
     end
 
     def accept_with_immunio(object, *args)
@@ -666,7 +666,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :log, :immunio if method_defined? :log
+      Immunio::Utils.alias_method_chain self, :log, :immunio if method_defined? :log
     end
 
     def log_with_immunio(sql, name = "SQL", binds = [], *args)

data/lib/immunio/plugins/csrf.rb

@@ -3,7 +3,9 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :verify_authenticity_token, :immunio if method_defined? :verify_authenticity_token
+      if method_defined? :verify_authenticity_token
+        Immunio::Utils.alias_method_chain self, :verify_authenticity_token, :immunio
+      end
     end
 
     protected

data/lib/immunio/plugins/devise.rb

@@ -13,7 +13,7 @@ if defined? Devise
       extend ActiveSupport::Concern
 
       included do
-        alias_method_chain :send_reset_password_instructions, :immunio
+        Immunio::Utils.alias_method_chain self, :send_reset_password_instructions, :immunio
       end
 
       def send_reset_password_instructions_with_immunio(attributes={})

data/lib/immunio/plugins/eval.rb

@@ -7,22 +7,22 @@ module Immunio
     extend ActiveSupport::Concern
 
     def self.extended(base)
-      base.singleton_class.alias_method_chain :eval, :immunio
+      Immunio::Utils.alias_method_chain base.singleton_class, :eval, :immunio
     end
 
     def self.included(base)
-      base.alias_method_chain :eval, :immunio
+      Immunio::Utils.alias_method_chain base, :eval, :immunio
     end
 
     protected
     def eval_with_immunio(*args)
       Immunio.logger.debug {"Eval_with_immunio with args: #{args}"}
       Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
-        strict_context, loose_context, stack, loose_stack = Immunio::Context.context()
+        strict_context, loose_context, stack = Immunio::Context.context()
         Immunio.run_hook! "eval", "eval",
                           parameters: args,
                           context_key: loose_context,
-                          stack: loose_stack
+                          stack: stack
         Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
           if args[1].nil?
             # eval call did not include a binding, so we eval it in the caller's binding

data/lib/immunio/plugins/http_tracker.rb

@@ -148,18 +148,13 @@ module Immunio
       end
 
       def extract_session_id(session)
-        session_id = case
-        when session.respond_to?(:id)
+        session_id = if session.respond_to?(:id)
           session.id
-        when session[:id]
-          session[:id]
-        when session[:session_id]
-          session[:session_id]
         else
-          return nil
+          session[:id] || session[:session_id]
         end
 
-        Digest::SHA1.hexdigest(session_id)
+        Digest::SHA1.hexdigest(session_id) if session_id
       end
   end
 

data/lib/immunio/plugins/io.rb

@@ -19,17 +19,17 @@ module Immunio
 
     def self.inject(mod, name, methods)
       mod.class_eval <<-EOF
-        def self.extended(base)                                        # def self.extended(base)
-          #{methods.inspect}.each do |method|                          #   ["read", "binread"].each do |method|
-            base.singleton_class.alias_method_chain method, :immunio   #     base.singleton_class.alias_method_chain method, :immunio
-          end                                                          #   end
-        end                                                            # end
+        def self.extended(base)
+          #{methods.inspect}.each do |method|
+            Immunio::Utils.alias_method_chain base.singleton_class, method, :immunio
+          end
+        end
 
-        def self.included(base)                                        # def self.included(base)
-          #{methods.inspect}.each do |method|                          #   ["read", "binread"].each do |method|
-            base.alias_method_chain method, :immunio                   #     base.alias_method_chain method, :immunio
-          end                                                          #   end
-        end                                                            # end
+        def self.included(base)
+          #{methods.inspect}.each do |method|
+            Immunio::Utils.alias_method_chain base, method, :immunio
+          end
+        end
       EOF
       Immunio.logger.debug { "IO: successfully chained #{name} #{methods}" }
       methods.each do |method|
@@ -39,12 +39,12 @@ module Immunio
               #{method}_without_immunio(*args, &block)
             else
               Request.time "plugin", "IO::#{method}" do                  #
-                strict_context, loose_context, stack, loose_stack = Immunio::Context.context()
+                strict_context, loose_context, stack = Immunio::Context.context()
 
                 Immunio.run_hook! "io", "file_io",                       #   Immunio.run_hook! "io", "open",
                                 method: "#{name}#{method}",              #      open_method: "IO.read",
                                 parameters: args,                        #      parameters: args
-                                stack: loose_stack,                      #
+                                stack: stack,                            #
                                 context_key: loose_context,              #
                                 cwd: Dir.pwd
                 Request.pause "plugin", "IO::#{method}" do               #
@@ -75,11 +75,11 @@ module Immunio
     Kernel.class_eval <<-EOF
       define_method :backtick_with_immunio do |cmd|
         Request.time "plugin", "Shell::backtick" do
-          strict_context, loose_context, stack, loose_stack = Immunio::Context.context()
+          strict_context, loose_context, stack = Immunio::Context.context()
           Immunio.run_hook! "io", "file_io",
                           method: "Kernel.backtick",
                           parameters: [cmd],
-                          stack: loose_stack,
+                          stack: stack,
                           context_key: loose_context,
                           cwd: Dir.pwd
           Request.pause "plugin", "Shell::backtick" do

data/lib/immunio/plugins/redirect.rb

@@ -5,7 +5,7 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      alias_method_chain :redirect_to, :immunio if method_defined? :redirect_to
+      Immunio::Utils.alias_method_chain self, :redirect_to, :immunio if method_defined? :redirect_to
     end
 
     protected
@@ -22,11 +22,11 @@ module Immunio
             loptions = loptions.call
           end
           if loptions.is_a? String then
-            strict_context, loose_context, stack, loose_stack = Immunio::Context.context() # rubocop:disable Lint/UselessAssignment
+            strict_context, loose_context, stack = Immunio::Context.context() # rubocop:disable Lint/UselessAssignment
             Immunio.run_hook! "redirect", "framework_redirect",
                               destination_url: loptions,
                               context_key: loose_context,
-                              stack: loose_stack
+                              stack: stack
           end
           Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
             redirect_to_without_immunio( options, response_status )

data/lib/immunio/processor.rb

@@ -110,6 +110,19 @@ module Immunio
       Request.current = nil
     end
 
+    def make_safe_meta(meta)
+      # Some versions of rails, like 4.2.0, fail to JSONify some objects properly.
+      safe_meta = {}
+      meta.each do |key, value|
+        if value.is_a?(Numeric) || value.is_a?(String) || value.is_a?(TrueClass) || value.is_a?(FalseClass)
+          safe_meta[key] = value
+        else
+          safe_meta[key] = value.inspect
+        end
+      end
+      safe_meta
+    end
+
     # Run the `hook` and return a hash eg.: `{ "allow": true }`.
     def run_hook(plugin, hook, meta={})
       request = Request.current
@@ -164,29 +177,41 @@ module Immunio
         Immunio.logger.debug { "Result from #{hook} hook: (can't log result due to encoding incompatibility)" }
       end
 
-      result || {}
-
+      result ||= {}
+
+      if result.respond_to?(:has_key?) and result.has_key?(:diagnostics)
+        result[:diagnostics].to_h.each_value do |diag|
+          Immunio.logger.debug { "Sending Diagnostic Report: #{diag['message']}" }
+          msg = {
+            type: "engine.diagnostic",
+            diagnostic_type: diag['report_type'],
+            diagnostic_message: diag['message'],
+            diagnostic_meta: diag['meta'],
+            diagnostic_version: "0.0.2",
+            agent_version: Immunio::VERSION,
+            request_id: request.id,
+            timestamp: timestamp,
+            plugin: plugin,
+            hook: hook,
+            meta: make_safe_meta(meta),
+            vmcode_version: request.vm.code_version,
+            vmdata_version: request.vm.data_version
+          }
+          @channel.send_message msg
+        end
+      end
+      result
     # Previosuly this only caught VMErrors, however other exceptions can cause 500s
     # so to be on the safe side make sure we catch anything raised within the VM call --ol
     rescue StandardError => e
       # Log and discard VM errors
 
-      # Some versions of rails, like 4.2.0, fail to JSONify some objects properly.
-      safe_meta = {}
-      meta.each do |key, value|
-        if value.is_a?(Numeric) || value.is_a?(String) || value.is_a?(TrueClass) || value.is_a?(FalseClass)
-          safe_meta[key] = value
-        else
-          safe_meta[key] = value.inspect
-        end
-      end
-
       log_and_send_error e, "Error running hook #{hook}",
                          request_id: request.id,
                          timestamp: timestamp,
                          plugin: plugin,
                          hook: hook,
-                         meta: safe_meta,
+                         meta: make_safe_meta(meta),
                          vmcode_version: request.vm.code_version,
                          vmdata_version: request.vm.data_version
 

data/lib/immunio/rufus_lua_ext/state.rb

@@ -152,6 +152,6 @@ module Rufus::Lua
         raise
       end
     end
-    alias_method_chain :call, :stack_reset
+    Immunio::Utils.alias_method_chain self, :call, :stack_reset
   end
 end

data/lib/immunio/utils.rb

@@ -0,0 +1,29 @@
+module Immunio
+  module Utils
+    # Taken by ActiveSupport to maintain privacy of aliased methods but reduce
+    # our dependency on Rails
+    def self.alias_method_chain(klass, target, feature)
+      # Strip out punctuation on predicates, bang or writer methods since
+      # e.g. target?_without_feature is not a valid method name.
+      aliased_target, punctuation = target.to_s.sub(/([?!=])$/, ''), $1
+      yield(aliased_target, punctuation) if block_given?
+
+      with_method = "#{aliased_target}_with_#{feature}#{punctuation}"
+      without_method = "#{aliased_target}_without_#{feature}#{punctuation}"
+
+      klass.class_eval do
+        alias_method without_method, target
+        alias_method target, with_method
+
+        case
+        when public_method_defined?(without_method)
+          public target
+        when protected_method_defined?(without_method)
+          protected target
+        when private_method_defined?(without_method)
+          private target
+        end
+      end
+    end
+  end
+end

data/lib/immunio/version.rb

@@ -1,5 +1,5 @@
 module Immunio
   AGENT_TYPE = "agent-ruby"
-  VERSION = "1.0.9"
+  VERSION = "1.0.10"
   VM_VERSION = "2.2.0"
 end

data/lua-hooks/Makefile

@@ -19,6 +19,7 @@ LUA_SRC = \
 	lib/DataDumper.lua \
 	lib/date.lua \
 	lib/defence.lua \
+	lib/diag.lua \
 	lib/escape.lua \
 	lib/extensions.lua \
 	lib/hooks.lua \

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.0.9
+  version: 1.0.10
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-11 00:00:00.000000000 Z
+date: 2016-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -161,6 +161,7 @@ files:
 - lib/immunio/rufus_lua_ext/state.rb
 - lib/immunio/rufus_lua_ext/table.rb
 - lib/immunio/rufus_lua_ext/utils.rb
+- lib/immunio/utils.rb
 - lib/immunio/version.rb
 - lib/immunio/vm.rb
 - lua-hooks/Makefile
@@ -438,7 +439,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Immunio Ruby agent