immunio 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eed22d9b0d29d87e8588a1ea05cb335844a9c2de
-  data.tar.gz: 266aabbb71480c97f415e1a37d2fb409819df311
+  metadata.gz: 82b5c85531ac725190ae7c039e598236a8279631
+  data.tar.gz: 1cf2cf8df3d7d2395b01be335d1e6b735b20b730
 SHA512:
-  metadata.gz: abe3ab45685f8a71434bf16b5cbbbb64673cb21c16c85099ad0665b17b78f112e236900e83a1f90c1f54a42ee4d7065ec90fd03f210a8c12949c96c106d48e21
-  data.tar.gz: 3d21078b9c2e84f2f9885ed96008817ede608d7bab3beba1a9a5c4d0dc5cdd527ea0c92500cac78df7f97e4e07a176a79627f5effa2ed565a3a5a747001cff87
+  metadata.gz: 359c0aab9d3c0057cc834c82b31286eeac03a0e6d8b47f4816b722b379d0ff3e4a5e2cb84d430411d2c1e9833da1b459e4d9e82a9c1b42dddc5f9e1f328ef846
+  data.tar.gz: 1812771888e04260f9bc31bdfc085c0072e29e1e52232567564653a9510385f015f3fd9f65ebde40661000fe312bdba9156a5b3899fc73321121d406f38840e3

data/lib/immunio/plugins/action_view.rb

@@ -85,50 +85,56 @@ module Immunio
     def mark_var(content, code, template_id, file, line, escape)
       id = Template.next_var_id
       nonce = Template.get_nonce
-      Template.vars[id.to_s] = {
-        template_sha: template_sha,
-        template_id: template_id.to_s,
-        nonce: nonce,
-        code: wrap_code(code, escape: escape),
-        file: file,
-        line: line
-      }
 
-      rval = ""
       # NOTE: What happens here is pretty funky to preserve the html_safe SafeBuffer behaviour in ruby.
       # If escaped is true we directly concatenate the content between two SafeBuffers. This will cause
       # escaping if content is not itself a SafeBuffer.
       # Otherwise we explicitly convert to a string, and convert that to a SafeBuffer to ensure that
       # for instance no escaping is performed on the contents of a <%== %> Erubis interpolation.
-      if escape and not is_text? then
+      rendering = if escape && !is_text?
+
         # explicitly convert (w/ escapes) and mark safe things that aren't String (SafeBuffer is_a String also)
         # `to_s` is used to render any object passed to a template.
         # It is called internally when appending to ActionView::OutputBuffer.
         # We force rendering to get the actual string.
         # This has no impact if `rendered` is already a string.
         content = content.to_s.html_safe unless content.is_a? String
+
         # As a failsafe, just return the content if it already contains our markers. This can occur when
         # a helper calls render partial to generate a component of a page. Both render calls are root level
         # templates from our perspective.
         if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
           # don't add markers.
           Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
-          rval = content
-        else
-          rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
+          return content
         end
+
+        "{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
       else
         content = "" if content.nil?
+
         # See comment above
         if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
           # don't add markers.
           Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
-          rval = content.html_safe
-        else
-          rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
+          return content.html_safe
         end
+
+        "{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
       end
-      rval
+
+      # If we got here, the interpolation has been wrapped in our markers and we
+      # need to record send data about it to the hook
+      Template.vars[id.to_s] = {
+        template_sha: template_sha,
+        template_id: template_id.to_s,
+        nonce: nonce,
+        code: wrap_code(code, escape: escape),
+        file: file,
+        line: line
+      }
+
+      rendering
     end
 
     def mark_and_defer_fragment_write(key, content, options)

data/lib/immunio/version.rb

@@ -1,5 +1,5 @@
 module Immunio
   AGENT_TYPE = "agent-ruby"
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
   VM_VERSION = "2.2.0"
 end

data/lua-hooks/Makefile

@@ -1,4 +1,6 @@
-CC = gcc
+CROSS =
+CC = $(CROSS)cc
+AR = $(CROSS)ar
 
 # Source of extensions compiled w/ Lua's source.
 # Only include .c files that can't be directly included in ext/all.c.
@@ -16,12 +18,14 @@ OBJ = ${SRC:.c=.o}
 
 # Library archive. Used for compiling along agent bindings.
 SO_OUT = libimmunio.so
+A_OUT = libimmunio.a
 
 # CLI for running tests
 CLI = lua
 CLI_SRC = ext/luajit/src/luajit.c ${SRC}
 
-CFLAGS = -DLUA_USE_APICHECK -DLUAJIT -Dlua_assert=assert -O3 -fPIC
+XCFLAGS =
+CFLAGS = -DLUA_USE_APICHECK -DLUAJIT -Dlua_assert=assert -O3 -fPIC ${XCFLAGS}
 INCS = -Iext -Iext/luajit/src
 LIBS = -lm -ldl
 
@@ -32,9 +36,12 @@ HOOKS_TARBALL = hooks.tgz
 HOOKS_SRCS_TARBALL = hooks_srcs.tgz
 
 LUAJIT_OBJ = ext/luajit/src/libluajit.a
+LUAJIT_OUT = libluajit.a
 LUAJIT_XCFLAGS = -fPIC
 
-ifeq (${shell uname}, Darwin)
+SYS = $(shell uname -s)
+
+ifeq (${SYS}, Darwin)
 	# Disable the JIT on OS X
 	LUAJIT_XCFLAGS += -DLUAJIT_ENABLE_GC64
 endif
@@ -43,13 +50,19 @@ endif
 all: ${CLI} ${INIT_HOOK} ${HOOKS_TARBALL} ${HOOKS_SRCS_TARBALL}
 
 .c.o:
-	${CC} ${CFLAGS} -c ${INCS} -o $@ $<
+	MACOSX_DEPLOYMENT_TARGET="10.9" ${CC} ${CFLAGS} -c ${INCS} -o $@ $<
 
 ${SO_OUT}: ${OBJ} ${LUAJIT_OBJ}
 	${CC} -shared ${CFLAGS} ${LIBS} -o $@ -lc $^
 
+${A_OUT}: ${OBJ}
+	${AR} -rcus $@ $^
+
+${LUAJIT_OUT}: ${LUAJIT_OBJ}
+	cp $^ $@
+
 ${LUAJIT_OBJ}:
-	cd ext/luajit && make XCFLAGS="${LUAJIT_XCFLAGS}"
+	cd ext/luajit && MACOSX_DEPLOYMENT_TARGET="10.9" make CROSS="${CROSS}" CC=cc HOST_CC=cc TARGET_SYS=${SYS} XCFLAGS="${LUAJIT_XCFLAGS}"
 
 # Build lua executable for testing and compilation
 # Seperate compilation as we need the LUA_UNSAFE_MODE flag set...
@@ -76,7 +89,7 @@ ${HOOKS_SRCS_TARBALL}: ${HOOK_SRCS}
 	tar -czf $@ -C hooks . --exclude="init"
 
 clean:
-	rm -f ${CLI} ${OBJ} ${SO_OUT}
+	rm -f ${CLI} ${OBJ} ${SO_OUT} ${A_OUT} ${LUAJIT_OUT}
 	cd ext/luajit && make clean
 	rm -f ${INIT_HOOK}
 	rm -f test_failed

data/lua-hooks/lib/boot.lua

@@ -126,7 +126,6 @@ SANDBOX_ENV = {
     lexer = require('lexers/lexer'),
     bash = require('lexers/lexer').load('bash'), -- bash
     bash_dqstr = require('lexers/lexer').load('bash_dqstr'),  -- bash strings
-    markers = require('lexers/lexer').load('markers'),
     html = require('lexers/lexer').load('html'),
     javascript = require('lexers/lexer').load('javascript'),
     css = require('lexers/lexer').load('css'),

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-09-29 00:00:00.000000000 Z
+date: 2015-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -149,7 +149,6 @@ files:
 - lib/immunio/plugins/eval.rb
 - lib/immunio/plugins/exception_handler.rb
 - lib/immunio/plugins/gems_tracker.rb
-- lib/immunio/plugins/haml.rb
 - lib/immunio/plugins/http_finisher.rb
 - lib/immunio/plugins/http_tracker.rb
 - lib/immunio/plugins/io.rb
@@ -424,7 +423,6 @@ files:
 - lua-hooks/lib/lexers/html.lua
 - lua-hooks/lib/lexers/javascript.lua
 - lua-hooks/lib/lexers/lexer.lua
-- lua-hooks/lib/lexers/markers.lua
 homepage: http://immun.io/
 licenses:
 - Immunio

data/lib/immunio/plugins/haml.rb

@@ -1,36 +0,0 @@
-# Haml compiles templates to something like:
-#
-#begin;extend Haml::Helpers;_hamlout = @haml_buffer = Haml::Buffer.new(haml_buffer, {:autoclose=>["area", "base", "basefont", "br", "col", "command", "embed", "frame", "hr", "img", "input", "isindex", "keygen", "link", "menuitem", "meta", "param", "source", "track", "wbr"], :preserve=>["textarea", "pre", "code"], :attr_wrapper=>"'", :ugly=>true, :format=>:html5, :encoding=>"UTF-8", :escape_html=>true, :escape_attrs=>true, :hyphenate_data_attrs=>true, :cdata=>false});_erbout = _hamlout.buffer;@output_buffer = output_buffer ||= ActionView::OutputBuffer.new rescue nil;;_hamlout.buffer << "<script>console.log('test')</script>\n";::Haml::Util.html_safe(_erbout);ensure;@haml_buffer = @haml_buffer.upper if @haml_buffer;end;
-#
-# In there is a call to ::Haml::Util.html_safe, which calls the real html_safe.
-# But lots of haml code paths call ::Haml::Util.html_safe, so we can't mark it
-# as safe. Instead, we need to modify the compiled template code to call the
-# method in a marked-safe context.
-#
-# But haml doesn't make it easy, as it alias-method-chains its own methods. This
-# module continues the chain to subvert the
-# precompiled_method_return_value_with_haml_xss method and instead call our own
-# method, which calls html_safe while in a safe context.
-
-module Immunio
-  module Haml
-    module Compiler
-      extend ActiveSupport::Concern
-
-      included do
-        alias_method :precompiled_method_return_value_without_haml_xss_without_immunio, :precompiled_method_return_value_without_haml_xss
-        alias_method :precompiled_method_return_value, :precompiled_method_return_value_with_haml_xss_with_immunio
-      end
-
-      def self.immunio_html_safe(string)
-        Immunio::UnsafeBufferDetection.in_safe_context { ::Haml::Util.html_safe(string) }
-      end
-
-      def precompiled_method_return_value_with_haml_xss_with_immunio
-        "Immunio::Haml::Compiler.immunio_html_safe(#{precompiled_method_return_value_without_haml_xss_without_immunio})"
-      end
-    end
-  end
-end
-
-::Haml::Compiler.send :include, Immunio::Haml::Compiler if defined? ::Haml::Compiler

data/lua-hooks/lib/lexers/markers.lua

@@ -1,33 +0,0 @@
--- Copyright (C) 2015 Immunio, Inc.
-
--- Lexer for HTML markers used in Immunio.io XSS
-
--- NOTE: not covered by Scintillua MIT license in this directory.
-
-local l = require('lexer')
-local token, parent_token, word_match = l.token, l.parent_token, l.word_match
-local P, R, S, V = lpeg.P, lpeg.R, lpeg.S, lpeg.V
-
-local M = {_NAME = 'markers'}
-
-local start_marker = l.token('start_marker', P('{immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
-local end_marker = l.token('end_marker', P('{/immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
-local marker = start_marker + end_marker
-
--- Data between markers
-local data = token('data', (l.any - ( marker ) )^1 )
-local substitution = l.parent_token( 'substitution', start_marker * data^0 * end_marker )
-
-M._rules = {
-  {'substitution', substitution},
-  {'marker', marker},
-  {'data', data},
-}
-
-M._tokenstyles = {
-}
-
-M._foldsymbols = {
-}
-
-return M