immunio 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/immunio/plugins/action_view.rb +23 -17
- data/lib/immunio/version.rb +1 -1
- data/lua-hooks/Makefile +19 -6
- data/lua-hooks/lib/boot.lua +0 -1
- metadata +2 -4
- data/lib/immunio/plugins/haml.rb +0 -36
- data/lua-hooks/lib/lexers/markers.lua +0 -33
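--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 82b5c85531ac725190ae7c039e598236a8279631
+data.tar.gz: 1cf2cf8df3d7d2395b01be335d1e6b735b20b730
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 359c0aab9d3c0057cc834c82b31286eeac03a0e6d8b47f4816b722b379d0ff3e4a5e2cb84d430411d2c1e9833da1b459e4d9e82a9c1b42dddc5f9e1f328ef846
+data.tar.gz: 1812771888e04260f9bc31bdfc085c0072e29e1e52232567564653a9510385f015f3fd9f65ebde40661000fe312bdba9156a5b3899fc73321121d406f38840e3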
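--- a/data/lib/immunio/plugins/action_view.rb
+++ b/data/lib/immunio/plugins/action_view.rb
@@ -85,50 +85,56 @@ module Immunio
 def mark_var(content, code, template_id, file, line, escape)
 id = Template.next_var_id
 nonce = Template.get_nonce
-Template.vars[id.to_s] = {
-template_sha: template_sha,
-template_id: template_id.to_s,
-nonce: nonce,
-code: wrap_code(code, escape: escape),
-file: file,
-line: line
-}
 
-rval = ""
 # NOTE: What happens here is pretty funky to preserve the html_safe SafeBuffer behaviour in ruby.
 # If escaped is true we directly concatenate the content between two SafeBuffers. This will cause
 # escaping if content is not itself a SafeBuffer.
 # Otherwise we explicitly convert to a string, and convert that to a SafeBuffer to ensure that
 # for instance no escaping is performed on the contents of a <%== %> Erubis interpolation.
-if escape
+rendering = if escape && !is_text?
+
 # explicitly convert (w/ escapes) and mark safe things that aren't String (SafeBuffer is_a String also)
 # `to_s` is used to render any object passed to a template.
 # It is called internally when appending to ActionView::OutputBuffer.
 # We force rendering to get the actual string.
 # This has no impact if `rendered` is already a string.
 content = content.to_s.html_safe unless content.is_a? String
+
 # As a failsafe, just return the content if it already contains our markers. This can occur when
 # a helper calls render partial to generate a component of a page. Both render calls are root level
 # templates from our perspective.
 if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
 # don't add markers.
 Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
-
-else
-rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
+return content
 end
+
+"{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
 else
 content = "" if content.nil?
+
 # See comment above
 if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
 # don't add markers.
 Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
-
-else
-rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
+return content.html_safe
 end
+
+"{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
 end
-
+
+# If we got here, the interpolation has been wrapped in our markers and we
+# need to record send data about it to the hook
+Template.vars[id.to_s] = {
+template_sha: template_sha,
+template_id: template_id.to_s,
+nonce: nonce,
+code: wrap_code(code, escape: escape),
+file: file,
+line: line
+}
+
+rendering
 end
 
 def mark_and_defer_fragment_write(key, content, options)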
data/lib/immunio/version.rb
CHANGED
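--- a/data/lua-hooks/Makefile
+++ b/data/lua-hooks/Makefile
@@ -1,4 +1,6 @@
-
+CROSS =
+CC = $(CROSS)cc
+AR = $(CROSS)ar
 
 # Source of extensions compiled w/ Lua's source.
 # Only include .c files that can't be directly included in ext/all.c.
@@ -16,12 +18,14 @@ OBJ = ${SRC:.c=.o}
 
 # Library archive. Used for compiling along agent bindings.
 SO_OUT = libimmunio.so
+A_OUT = libimmunio.a
 
 # CLI for running tests
 CLI = lua
 CLI_SRC = ext/luajit/src/luajit.c ${SRC}
 
-
+XCFLAGS =
+CFLAGS = -DLUA_USE_APICHECK -DLUAJIT -Dlua_assert=assert -O3 -fPIC ${XCFLAGS}
 INCS = -Iext -Iext/luajit/src
 LIBS = -lm -ldl
 
@@ -32,9 +36,12 @@ HOOKS_TARBALL = hooks.tgz
 HOOKS_SRCS_TARBALL = hooks_srcs.tgz
 
 LUAJIT_OBJ = ext/luajit/src/libluajit.a
+LUAJIT_OUT = libluajit.a
 LUAJIT_XCFLAGS = -fPIC
 
-
+SYS = $(shell uname -s)
+
+ifeq (${SYS}, Darwin)
 # Disable the JIT on OS X
 LUAJIT_XCFLAGS += -DLUAJIT_ENABLE_GC64
 endif
@@ -43,13 +50,19 @@ endif
 all: ${CLI} ${INIT_HOOK} ${HOOKS_TARBALL} ${HOOKS_SRCS_TARBALL}
 
 .c.o:
-${CC} ${CFLAGS} -c ${INCS} -o $@ $<
+MACOSX_DEPLOYMENT_TARGET="10.9" ${CC} ${CFLAGS} -c ${INCS} -o $@ $<
 
 ${SO_OUT}: ${OBJ} ${LUAJIT_OBJ}
 ${CC} -shared ${CFLAGS} ${LIBS} -o $@ -lc $^
 
+${A_OUT}: ${OBJ}
+${AR} -rcus $@ $^
+
+${LUAJIT_OUT}: ${LUAJIT_OBJ}
+cp $^ $@
+
 ${LUAJIT_OBJ}:
-cd ext/luajit && make XCFLAGS="${LUAJIT_XCFLAGS}"
+cd ext/luajit && MACOSX_DEPLOYMENT_TARGET="10.9" make CROSS="${CROSS}" CC=cc HOST_CC=cc TARGET_SYS=${SYS} XCFLAGS="${LUAJIT_XCFLAGS}"
 
 # Build lua executable for testing and compilation
 # Seperate compilation as we need the LUA_UNSAFE_MODE flag set...
@@ -76,7 +89,7 @@ ${HOOKS_SRCS_TARBALL}: ${HOOK_SRCS}
 tar -czf $@ -C hooks . --exclude="init"
 
 clean:
-rm -f ${CLI} ${OBJ} ${SO_OUT}
+rm -f ${CLI} ${OBJ} ${SO_OUT} ${A_OUT} ${LUAJIT_OUT}
 cd ext/luajit && make clean
 rm -f ${INIT_HOOK}
 rm -f test_failed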
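--- a/data/lua-hooks/lib/boot.lua
+++ b/data/lua-hooks/lib/boot.lua
@@ -126,7 +126,6 @@ SANDBOX_ENV = {
 lexer = require('lexers/lexer'),
 bash = require('lexers/lexer').load('bash'), -- bash
 bash_dqstr = require('lexers/lexer').load('bash_dqstr'), -- bash strings
-markers = require('lexers/lexer').load('markers'),
 html = require('lexers/lexer').load('html'),
 javascript = require('lexers/lexer').load('javascript'),
 css = require('lexers/lexer').load('css'),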
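--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.1
 platform: ruby
 authors:
 - Immunio
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-
+date: 2015-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rails
@@ -149,7 +149,6 @@ files:
 - lib/immunio/plugins/eval.rb
 - lib/immunio/plugins/exception_handler.rb
 - lib/immunio/plugins/gems_tracker.rb
-- lib/immunio/plugins/haml.rb
 - lib/immunio/plugins/http_finisher.rb
 - lib/immunio/plugins/http_tracker.rb
 - lib/immunio/plugins/io.rb
@@ -424,7 +423,6 @@ files:
 - lua-hooks/lib/lexers/html.lua
 - lua-hooks/lib/lexers/javascript.lua
 - lua-hooks/lib/lexers/lexer.lua
-- lua-hooks/lib/lexers/markers.lua
 homepage: http://immun.io/
 licenses:
 - Immunio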
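--- a/data/lib/immunio/plugins/haml.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-# Haml compiles templates to something like:
-#
-#begin;extend Haml::Helpers;_hamlout = @haml_buffer = Haml::Buffer.new(haml_buffer, {:autoclose=>["area", "base", "basefont", "br", "col", "command", "embed", "frame", "hr", "img", "input", "isindex", "keygen", "link", "menuitem", "meta", "param", "source", "track", "wbr"], :preserve=>["textarea", "pre", "code"], :attr_wrapper=>"'", :ugly=>true, :format=>:html5, :encoding=>"UTF-8", :escape_html=>true, :escape_attrs=>true, :hyphenate_data_attrs=>true, :cdata=>false});_erbout = _hamlout.buffer;@output_buffer = output_buffer ||= ActionView::OutputBuffer.new rescue nil;;_hamlout.buffer << "<script>console.log('test')</script>\n";::Haml::Util.html_safe(_erbout);ensure;@haml_buffer = @haml_buffer.upper if @haml_buffer;end;
-#
-# In there is a call to ::Haml::Util.html_safe, which calls the real html_safe.
-# But lots of haml code paths call ::Haml::Util.html_safe, so we can't mark it
-# as safe. Instead, we need to modify the compiled template code to call the
-# method in a marked-safe context.
-#
-# But haml doesn't make it easy, as it alias-method-chains its own methods. This
-# module continues the chain to subvert the
-# precompiled_method_return_value_with_haml_xss method and instead call our own
-# method, which calls html_safe while in a safe context.
-
-module Immunio
-module Haml
-module Compiler
-extend ActiveSupport::Concern
-
-included do
-alias_method :precompiled_method_return_value_without_haml_xss_without_immunio, :precompiled_method_return_value_without_haml_xss
-alias_method :precompiled_method_return_value, :precompiled_method_return_value_with_haml_xss_with_immunio
-end
-
-def self.immunio_html_safe(string)
-Immunio::UnsafeBufferDetection.in_safe_context { ::Haml::Util.html_safe(string) }
-end
-
-def precompiled_method_return_value_with_haml_xss_with_immunio
-"Immunio::Haml::Compiler.immunio_html_safe(#{precompiled_method_return_value_without_haml_xss_without_immunio})"
-end
-end
-end
-end
-
-::Haml::Compiler.send :include, Immunio::Haml::Compiler if defined? ::Haml::Compiler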
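--- a/data/lua-hooks/lib/lexers/markers.lua
+++ /dev/null
@@ -1,33 +0,0 @@
--- Copyright (C) 2015 Immunio, Inc.
-
--- Lexer for HTML markers used in Immunio.io XSS
-
--- NOTE: not covered by Scintillua MIT license in this directory.
-
-local l = require('lexer')
-local token, parent_token, word_match = l.token, l.parent_token, l.word_match
-local P, R, S, V = lpeg.P, lpeg.R, lpeg.S, lpeg.V
-
-local M = {_NAME = 'markers'}
-
-local start_marker = l.token('start_marker', P('{immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
-local end_marker = l.token('end_marker', P('{/immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
-local marker = start_marker + end_marker
-
--- Data between markers
-local data = token('data', (l.any - ( marker ) )^1 )
-local substitution = l.parent_token( 'substitution', start_marker * data^0 * end_marker )
-
-M._rules = {
-{'substitution', substitution},
-{'marker', marker},
-{'data', data},
-}
-
-M._tokenstyles = {
-}
-
-M._foldsymbols = {
-}
-
-return M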