immunio 1.1.19 → 1.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/immunio/plugins/action_dispatch.rb +35 -6
- data/lib/immunio/plugins/active_record.rb +23 -4
- data/lib/immunio/processor.rb +1 -0
- data/lib/immunio/version.rb +1 -1
- metadata +2 -6
- data/lua-hooks/lib/hooks/module.mk +0 -36
- data/lua-hooks/lib/hooks/xss/module.mk +0 -4
- data/lua-hooks/lib/lexers/module.mk +0 -9
- data/lua-hooks/lib/module.mk +0 -42
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c287a47d42c9475ecbae55e00ff6c4e14cd45e4f
|
|
4
|
+
data.tar.gz: 89925d6f6c506a1a42a3a64c9f6f290ab5e1fb46
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cac6affff43c65bccfcd448958b350a4690af6de096c6f43d5d240ad352bc62e4521d5f7c5a023ec68b9a5867be9d8a00ef3297d4460441be7a37dcc2f95f547
|
|
7
|
+
data.tar.gz: 59d721edc0ed0d570574aa9e328b57744b76d42d89a1ba96966460739359b2bcc96254a21302b9f6c4880565e4830277aa024e78374b2a902da66e5a21e9c7a4
|
|
@@ -58,6 +58,7 @@ module Immunio
|
|
|
58
58
|
# hash: { foo: ['bar', 'baz'] }
|
|
59
59
|
# -> 'hash[foo]' => ['bar', 'baz']
|
|
60
60
|
#
|
|
61
|
+
# A complex form like:
|
|
61
62
|
# user: {
|
|
62
63
|
# name: 'john',
|
|
63
64
|
# email: 'john@example.com',
|
|
@@ -75,38 +76,66 @@ module Immunio
|
|
|
75
76
|
# 'user[address_attributes][city]' => ['Montreal'],
|
|
76
77
|
# 'user[address_attributes][id]' => ['1']
|
|
77
78
|
#
|
|
79
|
+
#
|
|
80
|
+
# A malicious payload like:
|
|
81
|
+
#
|
|
82
|
+
# "evil" =>
|
|
83
|
+
# {
|
|
84
|
+
# "payload" =>
|
|
85
|
+
# [
|
|
86
|
+
# {
|
|
87
|
+
# "lurks" =>
|
|
88
|
+
# [
|
|
89
|
+
# {
|
|
90
|
+
# "here" =>
|
|
91
|
+
# [
|
|
92
|
+
# {"indeed" => "1" }
|
|
93
|
+
# ]
|
|
94
|
+
# }
|
|
95
|
+
# ]
|
|
96
|
+
# }
|
|
97
|
+
# ]
|
|
98
|
+
# }
|
|
99
|
+
#
|
|
100
|
+
# becomes:
|
|
101
|
+
#
|
|
102
|
+
# "evil[payload]" => ["{\"lurks\"=>[{\"here\"=>[{\"indeed\"=>\"1\"}]}]}"]
|
|
103
|
+
#
|
|
78
104
|
def convert_value(hash, key, value, nested_keys = nil)
|
|
79
105
|
# Filter out UploadedFile.
|
|
80
106
|
unless value.respond_to?(:open)
|
|
81
107
|
if value.respond_to?(:keys)
|
|
82
|
-
nested = nested_keys ? nested_keys :
|
|
108
|
+
nested = nested_keys ? nested_keys : key
|
|
83
109
|
value.each do |k, val|
|
|
84
110
|
if val.respond_to?(:keys)
|
|
85
111
|
convert_value(hash, k, val, nested + "[#{k}]")
|
|
86
112
|
else
|
|
87
|
-
hash["#{nested}[#{k}]"] = [val].flatten
|
|
113
|
+
hash["#{nested}[#{k}]"] = [val].flatten.map(&:to_s)
|
|
88
114
|
end
|
|
89
115
|
end
|
|
90
116
|
else
|
|
91
|
-
hash[key] = [value].flatten
|
|
117
|
+
hash[key] = [value].flatten.map(&:to_s)
|
|
92
118
|
end
|
|
93
119
|
end
|
|
94
120
|
end
|
|
95
121
|
|
|
96
122
|
def request_parameters_with_immunio
|
|
97
123
|
params = request_parameters_without_immunio
|
|
98
|
-
|
|
99
124
|
Request.time 'plugin', "#{Module.nesting[0]}::#{__method__}" do
|
|
100
125
|
if params.any?
|
|
101
126
|
filtered = {}.tap do |hash|
|
|
102
127
|
params.each do |key, value|
|
|
103
|
-
|
|
128
|
+
# Ensure top-level keys are strings
|
|
129
|
+
k = key.is_a?(String) ? key : key.to_s
|
|
130
|
+
convert_value(hash, k, value)
|
|
104
131
|
end
|
|
105
132
|
end
|
|
133
|
+
|
|
106
134
|
Immunio.run_hook!(
|
|
107
135
|
'action_dispatch',
|
|
108
136
|
'framework_input_params',
|
|
109
|
-
params: filtered
|
|
137
|
+
params: filtered
|
|
138
|
+
)
|
|
110
139
|
end
|
|
111
140
|
end
|
|
112
141
|
|
|
@@ -600,9 +600,24 @@ module Immunio
|
|
|
600
600
|
@relation_data[relation_id][:ast_data] << "Arel AST visited node: #{ast_node_name}"
|
|
601
601
|
end
|
|
602
602
|
|
|
603
|
+
# Adapter name / db_dialect
|
|
604
|
+
DIALECTS = {
|
|
605
|
+
sqlite: 'sqlite3',
|
|
606
|
+
postgres: 'postgres',
|
|
607
|
+
mysql: 'mysql',
|
|
608
|
+
mysql2: 'mysql',
|
|
609
|
+
ibm_db: 'db2',
|
|
610
|
+
oracle: 'oracle',
|
|
611
|
+
oracleenhanced: 'oracle',
|
|
612
|
+
}.freeze
|
|
613
|
+
|
|
614
|
+
def db_dialect(adapter_name)
|
|
615
|
+
DIALECTS.fetch(adapter_name.downcase.to_sym, 'unknown')
|
|
616
|
+
end
|
|
617
|
+
|
|
603
618
|
# Evaluate a SQL call. This occurs after Arel AST conversion of a relation
|
|
604
619
|
# to a statement.
|
|
605
|
-
def call(payload)
|
|
620
|
+
def call(payload, adapter_name)
|
|
606
621
|
Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
|
|
607
622
|
# The #{payload} in the log string is causing lots of Rails 3.2
|
|
608
623
|
# upstream test failures with Ruby 1.9.3.
|
|
@@ -659,6 +674,7 @@ module Immunio
|
|
|
659
674
|
"sql_execute",
|
|
660
675
|
sql: payload[:sql],
|
|
661
676
|
connection_uuid: connection_id.to_s,
|
|
677
|
+
db_dialect: db_dialect(adapter_name),
|
|
662
678
|
params: params,
|
|
663
679
|
modifiers: modifiers,
|
|
664
680
|
context_key: strict_context,
|
|
@@ -703,9 +719,12 @@ module Immunio
|
|
|
703
719
|
def log_with_immunio(sql, name = "SQL", binds = [], *args)
|
|
704
720
|
# Some rails tests (in particular postresql) call :log with nil `sql`.
|
|
705
721
|
QueryTracker.instance.call(
|
|
706
|
-
|
|
707
|
-
|
|
708
|
-
|
|
722
|
+
{
|
|
723
|
+
sql: sql,
|
|
724
|
+
connection_id: object_id,
|
|
725
|
+
binds: binds
|
|
726
|
+
},
|
|
727
|
+
adapter_name) if sql
|
|
709
728
|
|
|
710
729
|
# Log and execute the query
|
|
711
730
|
log_without_immunio(sql, name, binds, *args) { yield }
|
data/lib/immunio/processor.rb
CHANGED
|
@@ -213,6 +213,7 @@ module Immunio
|
|
|
213
213
|
# so to be on the safe side make sure we catch anything raised within the VM call --ol
|
|
214
214
|
rescue StandardError => e
|
|
215
215
|
# Log and discard VM errors
|
|
216
|
+
Immunio.logger.debug { request.inspect }
|
|
216
217
|
|
|
217
218
|
log_and_send_error e, "Error running hook #{hook}",
|
|
218
219
|
request_id: request.id,
|
data/lib/immunio/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: immunio
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1
|
|
4
|
+
version: 1.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Immunio
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-08-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -438,10 +438,6 @@ files:
|
|
|
438
438
|
- lua-hooks/ext/sysutils/lua_utils.c
|
|
439
439
|
- lua-hooks/ext/sysutils/module.mk
|
|
440
440
|
- lua-hooks/lib/boot.lua
|
|
441
|
-
- lua-hooks/lib/hooks/module.mk
|
|
442
|
-
- lua-hooks/lib/hooks/xss/module.mk
|
|
443
|
-
- lua-hooks/lib/lexers/module.mk
|
|
444
|
-
- lua-hooks/lib/module.mk
|
|
445
441
|
- lua-hooks/options.mk
|
|
446
442
|
homepage: http://immun.io/
|
|
447
443
|
licenses:
|
|
@@ -1,36 +0,0 @@
|
|
|
1
|
-
MODULES := lib/hooks/xss
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
LUA_PROTECT_SRC += \
|
|
5
|
-
lib/hooks/file_io.lua \
|
|
6
|
-
lib/hooks/framework_redirect.lua \
|
|
7
|
-
lib/hooks/template_render_done.lua \
|
|
8
|
-
lib/hooks/sql_execute.lua \
|
|
9
|
-
|
|
10
|
-
LUA_BASE_SRC += \
|
|
11
|
-
lib/hooks/authenticate.lua \
|
|
12
|
-
lib/hooks/bad_cookie.lua \
|
|
13
|
-
lib/hooks/custom_event.lua \
|
|
14
|
-
lib/hooks/custom_threat.lua \
|
|
15
|
-
lib/hooks/encode.lua \
|
|
16
|
-
lib/hooks/eval.lua \
|
|
17
|
-
lib/hooks/exception.lua \
|
|
18
|
-
lib/hooks/framework_csrf_check.lua \
|
|
19
|
-
lib/hooks/framework_login.lua \
|
|
20
|
-
lib/hooks/framework_password_reset.lua \
|
|
21
|
-
lib/hooks/framework_account_created.lua \
|
|
22
|
-
lib/hooks/framework_session.lua \
|
|
23
|
-
lib/hooks/framework_user.lua \
|
|
24
|
-
lib/hooks/framework_route.lua \
|
|
25
|
-
lib/hooks/framework_bad_response_header.lua \
|
|
26
|
-
lib/hooks/framework_input_params.lua \
|
|
27
|
-
lib/hooks/get_telemetry_config.lua \
|
|
28
|
-
lib/hooks/headers/header_validation.lua \
|
|
29
|
-
lib/hooks/headers/useragent.lua \
|
|
30
|
-
lib/hooks/http_request_finish.lua \
|
|
31
|
-
lib/hooks/http_request_start.lua \
|
|
32
|
-
lib/hooks/http_response_start.lua \
|
|
33
|
-
lib/hooks/mongodb_execute.lua \
|
|
34
|
-
lib/hooks/should_report.lua \
|
|
35
|
-
|
|
36
|
-
include $(patsubst %, %/module.mk,$(MODULES))
|
data/lua-hooks/lib/module.mk
DELETED
|
@@ -1,42 +0,0 @@
|
|
|
1
|
-
MODULES := lib/hooks lib/lexers
|
|
2
|
-
|
|
3
|
-
LUA_BASE_SRC += \
|
|
4
|
-
lib/base64.lua \
|
|
5
|
-
lib/bit.lua \
|
|
6
|
-
lib/cookie.lua \
|
|
7
|
-
lib/counters.lua \
|
|
8
|
-
lib/DataDumper.lua \
|
|
9
|
-
lib/date.lua \
|
|
10
|
-
lib/defence.lua \
|
|
11
|
-
lib/diag.lua \
|
|
12
|
-
lib/dkjson.lua \
|
|
13
|
-
lib/extensions.lua \
|
|
14
|
-
lib/globtopattern.lua \
|
|
15
|
-
lib/hkdf.lua \
|
|
16
|
-
lib/hmac.lua \
|
|
17
|
-
lib/hooks.lua \
|
|
18
|
-
lib/idn.lua \
|
|
19
|
-
lib/immunio-schemas/immunio_schemas/schemas/request_schema.lua \
|
|
20
|
-
lib/immunio-schemas/immunio_schemas/schemas/validation.lua \
|
|
21
|
-
lib/ip.lua \
|
|
22
|
-
lib/learn.lua \
|
|
23
|
-
lib/lexgraph.lua \
|
|
24
|
-
lib/lexer.lua \
|
|
25
|
-
lib/lru.lua \
|
|
26
|
-
lib/neturl.lua \
|
|
27
|
-
lib/pathname.lua \
|
|
28
|
-
lib/perf.lua \
|
|
29
|
-
lib/permit.lua \
|
|
30
|
-
lib/profiler.lua \
|
|
31
|
-
lib/real_ip.lua \
|
|
32
|
-
lib/sanitize_sql.lua \
|
|
33
|
-
lib/sanitize_command.lua \
|
|
34
|
-
lib/semver.lua \
|
|
35
|
-
lib/sha1.lua \
|
|
36
|
-
lib/snap.lua \
|
|
37
|
-
lib/term.lua \
|
|
38
|
-
lib/tracking.lua \
|
|
39
|
-
lib/utils.lua \
|
|
40
|
-
lib/verb_tamper.lua
|
|
41
|
-
|
|
42
|
-
include $(patsubst %, %/module.mk,$(MODULES))
|