immunio 1.0.0 → 1.0.1

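--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eed22d9b0d29d87e8588a1ea05cb335844a9c2de
-  data.tar.gz: 266aabbb71480c97f415e1a37d2fb409819df311
+  metadata.gz: 82b5c85531ac725190ae7c039e598236a8279631
+  data.tar.gz: 1cf2cf8df3d7d2395b01be335d1e6b735b20b730
 SHA512:
-  metadata.gz: abe3ab45685f8a71434bf16b5cbbbb64673cb21c16c85099ad0665b17b78f112e236900e83a1f90c1f54a42ee4d7065ec90fd03f210a8c12949c96c106d48e21
-  data.tar.gz: 3d21078b9c2e84f2f9885ed96008817ede608d7bab3beba1a9a5c4d0dc5cdd527ea0c92500cac78df7f97e4e07a176a79627f5effa2ed565a3a5a747001cff87
+  metadata.gz: 359c0aab9d3c0057cc834c82b31286eeac03a0e6d8b47f4816b722b379d0ff3e4a5e2cb84d430411d2c1e9833da1b459e4d9e82a9c1b42dddc5f9e1f328ef846
+  data.tar.gz: 1812771888e04260f9bc31bdfc085c0072e29e1e52232567564653a9510385f015f3fd9f65ebde40661000fe312bdba9156a5b3899fc73321121d406f38840e3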
@@ -85,50 +85,56 @@ module Immunio
85
85
  def mark_var(content, code, template_id, file, line, escape)
86
86
  id = Template.next_var_id
87
87
  nonce = Template.get_nonce
88
- Template.vars[id.to_s] = {
89
- template_sha: template_sha,
90
- template_id: template_id.to_s,
91
- nonce: nonce,
92
- code: wrap_code(code, escape: escape),
93
- file: file,
94
- line: line
95
- }
96
88
 
97
- rval = ""
98
89
  # NOTE: What happens here is pretty funky to preserve the html_safe SafeBuffer behaviour in ruby.
99
90
  # If escaped is true we directly concatenate the content between two SafeBuffers. This will cause
100
91
  # escaping if content is not itself a SafeBuffer.
101
92
  # Otherwise we explicitly convert to a string, and convert that to a SafeBuffer to ensure that
102
93
  # for instance no escaping is performed on the contents of a <%== %> Erubis interpolation.
103
- if escape and not is_text? then
94
+ rendering = if escape && !is_text?
95
+
104
96
  # explicitly convert (w/ escapes) and mark safe things that aren't String (SafeBuffer is_a String also)
105
97
  # `to_s` is used to render any object passed to a template.
106
98
  # It is called internally when appending to ActionView::OutputBuffer.
107
99
  # We force rendering to get the actual string.
108
100
  # This has no impact if `rendered` is already a string.
109
101
  content = content.to_s.html_safe unless content.is_a? String
102
+
110
103
  # As a failsafe, just return the content if it already contains our markers. This can occur when
111
104
  # a helper calls render partial to generate a component of a page. Both render calls are root level
112
105
  # templates from our perspective.
113
106
  if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
114
107
  # don't add markers.
115
108
  Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
116
- rval = content
117
- else
118
- rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
109
+ return content
119
110
  end
111
+
112
+ "{immunio-var:#{id}:#{nonce}}".html_safe + content + "{/immunio-var:#{id}:#{nonce}}".html_safe
120
113
  else
121
114
  content = "" if content.nil?
115
+
122
116
  # See comment above
123
117
  if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
124
118
  # don't add markers.
125
119
  Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
126
- rval = content.html_safe
127
- else
128
- rval = "{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
120
+ return content.html_safe
129
121
  end
122
+
123
+ "{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
130
124
  end
131
- rval
125
+
126
+ # If we got here, the interpolation has been wrapped in our markers and we
127
+ # need to record send data about it to the hook
128
+ Template.vars[id.to_s] = {
129
+ template_sha: template_sha,
130
+ template_id: template_id.to_s,
131
+ nonce: nonce,
132
+ code: wrap_code(code, escape: escape),
133
+ file: file,
134
+ line: line
135
+ }
136
+
137
+ rendering
132
138
  end
133
139
 
134
140
  def mark_and_defer_fragment_write(key, content, options)
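Review bot: Both marker-detection checks, `content =~ /\{immunio-var:\d+:#{nonce}\}/` in the escaped and the unescaped branch, interpolate `nonce` into the pattern raw, so the early return that suppresses nested markers only works if `Template.get_nonce` is guaranteed to return regex-safe characters; using `Regexp.escape(nonce)` at both sites makes the check independent of the nonce format. Moving the `Template.vars[id.to_s] = {...}` registration after the wrapping is sound, but `Template.next_var_id` is still consumed at the top before the early returns, so an id is burned on the already-marked paths — harmless if ids only need to be unique, which deserves a one-line comment. The new comment above the registration reads `# need to record send data about it to the hook`; suggest `# record data about the interpolation so it can be sent to the hook`. Separately, the debug log on the already-marked paths writes the full rendered `content`, which can carry user-supplied data, into the log; a caveat comment such as `# NOTE: logs rendered content verbatim — keep at debug level` would make that explicit.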
@@ -1,5 +1,5 @@
1
1
  module Immunio
2
2
  AGENT_TYPE = "agent-ruby"
3
- VERSION = "1.0.0"
3
+ VERSION = "1.0.1"
4
4
  VM_VERSION = "2.2.0"
5
5
  end
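--- a/data/lua-hooks/Makefile
+++ b/data/lua-hooks/Makefile
@@ -1,4 +1,6 @@
-CC = gcc
+CROSS =
+CC = $(CROSS)cc
+AR = $(CROSS)ar
 
 # Source of extensions compiled w/ Lua's source.
 # Only include .c files that can't be directly included in ext/all.c.
@@ -16,12 +18,14 @@ OBJ = ${SRC:.c=.o}
 
 # Library archive. Used for compiling along agent bindings.
 SO_OUT = libimmunio.so
+A_OUT = libimmunio.a
 
 # CLI for running tests
 CLI = lua
 CLI_SRC = ext/luajit/src/luajit.c ${SRC}
 
-CFLAGS = -DLUA_USE_APICHECK -DLUAJIT -Dlua_assert=assert -O3 -fPIC
+XCFLAGS =
+CFLAGS = -DLUA_USE_APICHECK -DLUAJIT -Dlua_assert=assert -O3 -fPIC ${XCFLAGS}
 INCS = -Iext -Iext/luajit/src
 LIBS = -lm -ldl
 
@@ -32,9 +36,12 @@ HOOKS_TARBALL = hooks.tgz
 HOOKS_SRCS_TARBALL = hooks_srcs.tgz
 
 LUAJIT_OBJ = ext/luajit/src/libluajit.a
+LUAJIT_OUT = libluajit.a
 LUAJIT_XCFLAGS = -fPIC
 
-ifeq (${shell uname}, Darwin)
+SYS = $(shell uname -s)
+
+ifeq (${SYS}, Darwin)
 # Disable the JIT on OS X
 LUAJIT_XCFLAGS += -DLUAJIT_ENABLE_GC64
 endif
@@ -43,13 +50,19 @@ endif
 all: ${CLI} ${INIT_HOOK} ${HOOKS_TARBALL} ${HOOKS_SRCS_TARBALL}
 
 .c.o:
-	${CC} ${CFLAGS} -c ${INCS} -o $@ $<
+	MACOSX_DEPLOYMENT_TARGET="10.9" ${CC} ${CFLAGS} -c ${INCS} -o $@ $<
 
 ${SO_OUT}: ${OBJ} ${LUAJIT_OBJ}
 	${CC} -shared ${CFLAGS} ${LIBS} -o $@ -lc $^
 
+${A_OUT}: ${OBJ}
+	${AR} -rcus $@ $^
+
+${LUAJIT_OUT}: ${LUAJIT_OBJ}
+	cp $^ $@
+
 ${LUAJIT_OBJ}:
-	cd ext/luajit && make XCFLAGS="${LUAJIT_XCFLAGS}"
+	cd ext/luajit && MACOSX_DEPLOYMENT_TARGET="10.9" make CROSS="${CROSS}" CC=cc HOST_CC=cc TARGET_SYS=${SYS} XCFLAGS="${LUAJIT_XCFLAGS}"
 
 # Build lua executable for testing and compilation
 # Seperate compilation as we need the LUA_UNSAFE_MODE flag set...
@@ -76,7 +89,7 @@ ${HOOKS_SRCS_TARBALL}: ${HOOK_SRCS}
 	tar -czf $@ -C hooks . --exclude="init"
 
 clean:
-	rm -f ${CLI} ${OBJ} ${SO_OUT}
+	rm -f ${CLI} ${OBJ} ${SO_OUT} ${A_OUT} ${LUAJIT_OUT}
 	cd ext/luajit && make clean
 	rm -f ${INIT_HOOK}
 	rm -f test_failed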
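Review bot: In the `${LUAJIT_OBJ}` recipe the sub-build is invoked as bare `make` rather than `$(MAKE)`, so it does not join the parent's jobserver and ignores `-n`/`-k`, and `MACOSX_DEPLOYMENT_TARGET="10.9"` is set unconditionally there and in the `.c.o` rule even when `SYS` is not Darwin; suggest `cd ext/luajit && $(MAKE) CROSS="${CROSS}" CC=cc HOST_CC=cc TARGET_SYS=${SYS} XCFLAGS="${LUAJIT_XCFLAGS}"` and exporting the deployment target inside the existing `ifeq (${SYS}, Darwin)` block instead. The new `${A_OUT}` recipe uses `${AR} -rcus`; on newer binutils built with deterministic archives as the default the `u` modifier is ignored with a warning, and `${AR} rcs $@ $^` suffices since `$^` always lists every object. `${A_OUT}` and `${LUAJIT_OUT}` are not part of `all`, so they are presumably consumed by the gem's extension build — a comment naming that consumer above `A_OUT = libimmunio.a` would help the next maintainer. Passing `CC=cc HOST_CC=cc` alongside `CROSS` bypasses the top-level `CC = $(CROSS)cc`; if this is deliberate because LuaJIT's Makefile prefixes `$(CROSS)` itself, say so with `# LuaJIT composes $(CROSS)$(CC) itself, so pass the bare compiler name`.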
@@ -126,7 +126,6 @@ SANDBOX_ENV = {
126
126
  lexer = require('lexers/lexer'),
127
127
  bash = require('lexers/lexer').load('bash'), -- bash
128
128
  bash_dqstr = require('lexers/lexer').load('bash_dqstr'), -- bash strings
129
- markers = require('lexers/lexer').load('markers'),
130
129
  html = require('lexers/lexer').load('html'),
131
130
  javascript = require('lexers/lexer').load('javascript'),
132
131
  css = require('lexers/lexer').load('css'),
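--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Immunio
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-09-29 00:00:00.000000000 Z
+date: 2015-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -149,7 +149,6 @@ files:
 - lib/immunio/plugins/eval.rb
 - lib/immunio/plugins/exception_handler.rb
 - lib/immunio/plugins/gems_tracker.rb
-- lib/immunio/plugins/haml.rb
 - lib/immunio/plugins/http_finisher.rb
 - lib/immunio/plugins/http_tracker.rb
 - lib/immunio/plugins/io.rb
@@ -424,7 +423,6 @@ files:
 - lua-hooks/lib/lexers/html.lua
 - lua-hooks/lib/lexers/javascript.lua
 - lua-hooks/lib/lexers/lexer.lua
-- lua-hooks/lib/lexers/markers.lua
 homepage: http://immun.io/
 licenses:
 - Immunio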
@@ -1,36 +0,0 @@
1
- # Haml compiles templates to something like:
2
- #
3
- #begin;extend Haml::Helpers;_hamlout = @haml_buffer = Haml::Buffer.new(haml_buffer, {:autoclose=>["area", "base", "basefont", "br", "col", "command", "embed", "frame", "hr", "img", "input", "isindex", "keygen", "link", "menuitem", "meta", "param", "source", "track", "wbr"], :preserve=>["textarea", "pre", "code"], :attr_wrapper=>"'", :ugly=>true, :format=>:html5, :encoding=>"UTF-8", :escape_html=>true, :escape_attrs=>true, :hyphenate_data_attrs=>true, :cdata=>false});_erbout = _hamlout.buffer;@output_buffer = output_buffer ||= ActionView::OutputBuffer.new rescue nil;;_hamlout.buffer << "<script>console.log('test')</script>\n";::Haml::Util.html_safe(_erbout);ensure;@haml_buffer = @haml_buffer.upper if @haml_buffer;end;
4
- #
5
- # In there is a call to ::Haml::Util.html_safe, which calls the real html_safe.
6
- # But lots of haml code paths call ::Haml::Util.html_safe, so we can't mark it
7
- # as safe. Instead, we need to modify the compiled template code to call the
8
- # method in a marked-safe context.
9
- #
10
- # But haml doesn't make it easy, as it alias-method-chains its own methods. This
11
- # module continues the chain to subvert the
12
- # precompiled_method_return_value_with_haml_xss method and instead call our own
13
- # method, which calls html_safe while in a safe context.
14
-
15
- module Immunio
16
- module Haml
17
- module Compiler
18
- extend ActiveSupport::Concern
19
-
20
- included do
21
- alias_method :precompiled_method_return_value_without_haml_xss_without_immunio, :precompiled_method_return_value_without_haml_xss
22
- alias_method :precompiled_method_return_value, :precompiled_method_return_value_with_haml_xss_with_immunio
23
- end
24
-
25
- def self.immunio_html_safe(string)
26
- Immunio::UnsafeBufferDetection.in_safe_context { ::Haml::Util.html_safe(string) }
27
- end
28
-
29
- def precompiled_method_return_value_with_haml_xss_with_immunio
30
- "Immunio::Haml::Compiler.immunio_html_safe(#{precompiled_method_return_value_without_haml_xss_without_immunio})"
31
- end
32
- end
33
- end
34
- end
35
-
36
- ::Haml::Compiler.send :include, Immunio::Haml::Compiler if defined? ::Haml::Compiler
@@ -1,33 +0,0 @@
1
- -- Copyright (C) 2015 Immunio, Inc.
2
-
3
- -- Lexer for HTML markers used in Immunio.io XSS
4
-
5
- -- NOTE: not covered by Scintillua MIT license in this directory.
6
-
7
- local l = require('lexer')
8
- local token, parent_token, word_match = l.token, l.parent_token, l.word_match
9
- local P, R, S, V = lpeg.P, lpeg.R, lpeg.S, lpeg.V
10
-
11
- local M = {_NAME = 'markers'}
12
-
13
- local start_marker = l.token('start_marker', P('{immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
14
- local end_marker = l.token('end_marker', P('{/immunio-var:') * l.integer * ':' * l.xdigit^1 * '}')
15
- local marker = start_marker + end_marker
16
-
17
- -- Data between markers
18
- local data = token('data', (l.any - ( marker ) )^1 )
19
- local substitution = l.parent_token( 'substitution', start_marker * data^0 * end_marker )
20
-
21
- M._rules = {
22
- {'substitution', substitution},
23
- {'marker', marker},
24
- {'data', data},
25
- }
26
-
27
- M._tokenstyles = {
28
- }
29
-
30
- M._foldsymbols = {
31
- }
32
-
33
- return M