immunio 1.0.12 → 1.0.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 15b0dfa60eb5dc43c942e4d0329d592343e6c4cb
-  data.tar.gz: 74713b51655c5ab55152a5b671ad99c377fe6bdd
+  metadata.gz: d5de4fe5e22b12a72cb97953b87a947c447f0803
+  data.tar.gz: 3c004b6a90391a8b23fe5d54b48bf770adbd4c01
 SHA512:
-  metadata.gz: 0210c5e5ecea34b100d68becaab8bd150a3e4399403297669ea2ce967a393a26c8c1f5cfce03fbede1fcb38954b43beba6a229c2af3ad7441b9f65197fa54129
-  data.tar.gz: c5e51ce49246eedb93a88a79ba9599c1e97f2c527b6a7a90f7ad570b1edd336f5e6c0c778c72e12a91cee5e3ea245c2b1c7f32c52534ff8544293893554e39d2
+  metadata.gz: 5a94e59b6b6e0defbdb18aa08b955de7ce3700c053b2f8f247db61931dd67ff788379584c791503d844d47c220e394aa93e753d7f40953220683199e6a05be1c
+  data.tar.gz: 83ad5fc59f7bd320e2881f11bcbdad261c21a2734645921c4df4ab58e5849b167c0d6e2905d5eb242c6fee76711bb9d215b7ba1a2c37fd6ecfe4c65bb3b00868

data/lib/immunio/version.rb

@@ -1,5 +1,5 @@
 module Immunio
   AGENT_TYPE = "agent-ruby"
-  VERSION = "1.0.12"
+  VERSION = "1.0.13"
   VM_VERSION = "2.2.0"
 end

data/lua-hooks/Makefile

@@ -20,8 +20,8 @@ LUA_SRC = \
 	lib/date.lua \
 	lib/defence.lua \
 	lib/diag.lua \
-	lib/escape.lua \
 	lib/extensions.lua \
+	lib/hmac.lua \
 	lib/hooks.lua \
 	lib/idn.lua \
 	lib/lexgraph.lua \
@@ -59,12 +59,15 @@ LUA_SRC = \
 	lib/hooks/http_response_start.lua \
 	lib/hooks/should_report.lua \
 	lib/hooks/sql_execute.lua \
-	lib/hooks/template_render_done.lua
+	lib/hooks/template_render_done.lua \
+	lib/hooks/xss/escape.lua \
+	lib/hooks/xss/escape_js.lua
 
 OBJ = ${SRC:.c=.o}
 
 SHA1OBJ = ext/sha1/sha1.o
-OBJ = ${SRC:.c=.o} ${SHA1OBJ}
+SHA2OBJ = ext/sha2/sha256.o
+OBJ = ${SRC:.c=.o} ${SHA1OBJ} ${SHA2OBJ}
 
 # Library archive. Used for compiling along agent bindings.
 SO_OUT = libimmunio.so
@@ -99,7 +102,7 @@ endif
 # Build lua, run tests, and create hooks archive
 all: ${CLI} ${INIT_HOOK} ${HOOKS_TARBALL} ${HOOKS_SRCS_TARBALL}
 
-.c.o:
+%.o: %.c
 	MACOSX_DEPLOYMENT_TARGET="10.9" ${CC} ${CFLAGS} -c ${INCS} -o $@ $<
 
 # There is a huge performance advantage compiling sha1.o with just -O
@@ -107,6 +110,9 @@ all: ${CLI} ${INIT_HOOK} ${HOOKS_TARBALL} ${HOOKS_SRCS_TARBALL}
 ${SHA1OBJ}:
 	${CC} -O -c ${INCS} -o ${SHA1OBJ} ${SHA1OBJ:.o=.c}
 
+${SHA2OBJ}:
+	${CC} -O -c ${INCS} -o ${SHA2OBJ} ${SHA2OBJ:.o=.c}
+
 ${SO_OUT}: ${OBJ} ${LUAJIT_OBJ}
 	${CC} -shared ${CFLAGS} ${LIBS} -o $@ -lc $^
 
@@ -121,7 +127,7 @@ ${LUAJIT_OBJ}:
 
 # Build lua executable for testing and compilation
 # Seperate compilation as we need the LUA_UNSAFE_MODE flag set...
-${CLI}: ${CLI_SRC} ${LUAJIT_OBJ} ${SHA1OBJ}
+${CLI}: ${CLI_SRC} ${LUAJIT_OBJ} ${SHA1OBJ} ${SHA2OBJ}
 	${CC} ${CFLAGS} -DLUA_UNSAFE_MODE ${INCS} -o $@ $^ ${LIBS}
 
 # Concatenate init hooks into one __init__.lua hook with two newlines in between
@@ -146,7 +152,7 @@ cleanhooks:
 	rm -f build/*.lua
 
 clean: cleanhooks
-	rm -f ${CLI} ${OBJ} ${SO_OUT} ${A_OUT} ${LUAJIT_OUT} ${SHA1OBJ}
+	rm -f ${CLI} ${OBJ} ${SO_OUT} ${A_OUT} ${LUAJIT_OUT} ${SHA1OBJ} ${SHA2OBJ}
 	cd ext/luajit && make clean
 	rm -f test_failed
 	rm -rf build

data/lua-hooks/ext/all.c

@@ -16,6 +16,7 @@
 #include "lua-cmsgpack/lua_cmsgpack.c"
 #include "lua-snapshot/snapshot.c"
 #include "sha1/luasha1.c"
+#include "sha2/luasha256.c"
 
 static const luaL_Reg lj_lib_load[] = {
   // Default Lua modules
@@ -44,6 +45,7 @@ static const luaL_Reg lj_lib_load[] = {
   {LUACMSGPACK_NAME, luaopen_cmsgpack},
   {"snapshot", luaopen_snapshot},
   {"sha1", luaopen_sha1},
+  {"sha2", luaopen_sha256},
 
   { NULL,   NULL }
 };

data/lua-hooks/ext/libinjection/lualib.c

@@ -1,3 +1,5 @@
+#include <stdlib.h>
+
 #define LUA_LIB
 #include "lua.h"
 #include "lauxlib.h"
@@ -5,7 +7,7 @@
 #include "libinjection.h"
 #include "libinjection_sqli.h"
 
-#define MAX_FINGERPRINT_SIZE 4096
+#define MAX_FINGERPRINT_STACK_SIZE 4096
 
 int sqli(lua_State *L) {
   sfilter state;
@@ -22,16 +24,31 @@ int sqli(lua_State *L) {
 }
 
 int fingerprint(lua_State *L) {
-  char result[MAX_FINGERPRINT_SIZE + 1];
+  char stack_result[MAX_FINGERPRINT_STACK_SIZE];
+  char *result = stack_result;
   struct libinjection_sqli_state state;
   size_t slen = 0;
   const char *input = luaL_checklstring(L, 1, &slen);
 
   libinjection_sqli_init(&state, input, slen, 0);
 
-  // This is some ugly code, but that's how libinjection works...
+  // libinjection tokenizes in a streaming fashion, meaning we won't know until
+  // the end of the process how long the resulting string of tokens will be. But
+  // we do know that it will be less than or equal to the length of the SQL
+  // string.
+  //
+  // For speed, use stack-allocated fingerprint result strings unless we need
+  // more than 4KB.
+  if (slen > sizeof(stack_result)) {
+    result = malloc(slen + 1);
+    if (!result) {
+      lua_pushstring(L, ""); // Push something at least...
+      return 1;
+    }
+  }
+
   int fp_idx = 0;
-  while (fp_idx < (sizeof(result) - 1) && state.pos < state.slen) {
+  while (state.pos < state.slen) {
     libinjection_sqli_tokenize(&state);
     result[fp_idx++] = state.tokenvec[0].type;
   }
@@ -39,6 +56,9 @@ int fingerprint(lua_State *L) {
 
   lua_pushstring(L, result);
 
+  // If we dynamically allocated the result above, free it
+  if (result != stack_result) free(result);
+
   return 1;
 }
 

data/lua-hooks/ext/sha2/luasha256.c

@@ -0,0 +1,75 @@
+#include <stdio.h>
+
+#define LUA_LIB
+#include "lua.h"
+#include "lauxlib.h"
+
+// Link this program with an external C or x86 compression function
+extern void sha256_compress(uint32_t state[8], const uint8_t block[64]);
+
+/* This function is implements the padding and blocking around the SHA2 compression function
+ *
+ * Copyright (c) 2014 Project Nayuki
+ * http://www.nayuki.io/page/fast-sha2-hashes-in-x86-assembly
+ */
+static void
+sha256_hash(const uint8_t *message, uint32_t len, uint32_t hash[8]) {
+	hash[0] = UINT32_C(0x6A09E667);
+	hash[1] = UINT32_C(0xBB67AE85);
+	hash[2] = UINT32_C(0x3C6EF372);
+	hash[3] = UINT32_C(0xA54FF53A);
+	hash[4] = UINT32_C(0x510E527F);
+	hash[5] = UINT32_C(0x9B05688C);
+	hash[6] = UINT32_C(0x1F83D9AB);
+	hash[7] = UINT32_C(0x5BE0CD19);
+	
+	uint32_t i;
+	for (i = 0; len - i >= 64; i += 64)
+		sha256_compress(hash, message + i);
+	
+	uint8_t block[64];
+	uint32_t rem = len - i;
+	memcpy(block, message + i, rem);
+	
+	block[rem] = 0x80;
+	rem++;
+	if (64 - rem >= 8)
+		memset(block + rem, 0, 56 - rem);
+	else {
+		memset(block + rem, 0, 64 - rem);
+		sha256_compress(hash, block);
+		memset(block, 0, 56);
+	}
+	
+	uint64_t longLen = ((uint64_t)len) << 3;
+	for (i = 0; i < 8; i++)
+		block[64 - 1 - i] = (uint8_t)(longLen >> (i * 8));
+	sha256_compress(hash, block);
+}
+
+/* Immunio Lua bindings */
+
+static int
+lua_sha256(lua_State *L) {
+	uint32_t hash[8] = {};
+	char buf[65];
+	size_t slen = 0;
+
+	const char *input = luaL_checklstring(L, 1, &slen);
+	sha256_hash(input, slen, hash);
+	sprintf(buf, "%08x%08x%08x%08x%08x%08x%08x%08x", hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7]);
+	lua_pushlstring(L, buf, 64);
+	return 1;
+}
+
+static const luaL_Reg libsha256[] = {
+  {"sha256", lua_sha256},
+  {NULL, NULL}
+};
+
+int
+luaopen_sha256(lua_State *L) {
+  luaL_checkversion(L);
+  luaL_register(L, "sha2", libsha256);
+  return 1;
+}

data/lua-hooks/ext/sha2/sha256.c

@@ -0,0 +1,196 @@
+/* 
+ * SHA-256 hash in C
+ * 
+ * Copyright (c) 2014 Project Nayuki
+ * http://www.nayuki.io/page/fast-sha2-hashes-in-x86-assembly
+ * 
+ * (MIT License)
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of
+ * this software and associated documentation files (the "Software"), to deal in
+ * the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ * the Software, and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ * - The above copyright notice and this permission notice shall be included in
+ *   all copies or substantial portions of the Software.
+ * - The Software is provided "as is", without warranty of any kind, express or
+ *   implied, including but not limited to the warranties of merchantability,
+ *   fitness for a particular purpose and noninfringement. In no event shall the
+ *   authors or copyright holders be liable for any claim, damages or other
+ *   liability, whether in an action of contract, tort or otherwise, arising from,
+ *   out of or in connection with the Software or the use or other dealings in the
+ *   Software.
+ */
+
+#include <stdint.h>
+
+
+void sha256_compress(uint32_t state[8], const uint8_t block[64]) {
+	// 32-bit right rotation
+	#define ROR(x, i)  \
+		(((x) << (32 - (i))) | ((x) >> (i)))
+	
+	#define LOADSCHEDULE(i)  \
+		schedule[i] =                           \
+			  (uint32_t)block[i * 4 + 0] << 24  \
+			| (uint32_t)block[i * 4 + 1] << 16  \
+			| (uint32_t)block[i * 4 + 2] <<  8  \
+			| (uint32_t)block[i * 4 + 3];
+	
+	#define SCHEDULE(i)  \
+		schedule[i] = schedule[i - 16] + schedule[i - 7]  \
+			+ (ROR(schedule[i - 15], 7) ^ ROR(schedule[i - 15], 18) ^ (schedule[i - 15] >> 3))  \
+			+ (ROR(schedule[i - 2], 17) ^ ROR(schedule[i - 2], 19) ^ (schedule[i - 2] >> 10));
+	
+	#define ROUND(a, b, c, d, e, f, g, h, i, k) \
+		h += (ROR(e, 6) ^ ROR(e, 11) ^ ROR(e, 25)) + (g ^ (e & (f ^ g))) + UINT32_C(k) + schedule[i];  \
+		d += h;  \
+		h += (ROR(a, 2) ^ ROR(a, 13) ^ ROR(a, 22)) + ((a & (b | c)) | (b & c));
+	
+	uint32_t schedule[64];
+	LOADSCHEDULE( 0)
+	LOADSCHEDULE( 1)
+	LOADSCHEDULE( 2)
+	LOADSCHEDULE( 3)
+	LOADSCHEDULE( 4)
+	LOADSCHEDULE( 5)
+	LOADSCHEDULE( 6)
+	LOADSCHEDULE( 7)
+	LOADSCHEDULE( 8)
+	LOADSCHEDULE( 9)
+	LOADSCHEDULE(10)
+	LOADSCHEDULE(11)
+	LOADSCHEDULE(12)
+	LOADSCHEDULE(13)
+	LOADSCHEDULE(14)
+	LOADSCHEDULE(15)
+	SCHEDULE(16)
+	SCHEDULE(17)
+	SCHEDULE(18)
+	SCHEDULE(19)
+	SCHEDULE(20)
+	SCHEDULE(21)
+	SCHEDULE(22)
+	SCHEDULE(23)
+	SCHEDULE(24)
+	SCHEDULE(25)
+	SCHEDULE(26)
+	SCHEDULE(27)
+	SCHEDULE(28)
+	SCHEDULE(29)
+	SCHEDULE(30)
+	SCHEDULE(31)
+	SCHEDULE(32)
+	SCHEDULE(33)
+	SCHEDULE(34)
+	SCHEDULE(35)
+	SCHEDULE(36)
+	SCHEDULE(37)
+	SCHEDULE(38)
+	SCHEDULE(39)
+	SCHEDULE(40)
+	SCHEDULE(41)
+	SCHEDULE(42)
+	SCHEDULE(43)
+	SCHEDULE(44)
+	SCHEDULE(45)
+	SCHEDULE(46)
+	SCHEDULE(47)
+	SCHEDULE(48)
+	SCHEDULE(49)
+	SCHEDULE(50)
+	SCHEDULE(51)
+	SCHEDULE(52)
+	SCHEDULE(53)
+	SCHEDULE(54)
+	SCHEDULE(55)
+	SCHEDULE(56)
+	SCHEDULE(57)
+	SCHEDULE(58)
+	SCHEDULE(59)
+	SCHEDULE(60)
+	SCHEDULE(61)
+	SCHEDULE(62)
+	SCHEDULE(63)
+	
+	uint32_t a = state[0];
+	uint32_t b = state[1];
+	uint32_t c = state[2];
+	uint32_t d = state[3];
+	uint32_t e = state[4];
+	uint32_t f = state[5];
+	uint32_t g = state[6];
+	uint32_t h = state[7];
+	ROUND(a, b, c, d, e, f, g, h,  0, 0x428A2F98)
+	ROUND(h, a, b, c, d, e, f, g,  1, 0x71374491)
+	ROUND(g, h, a, b, c, d, e, f,  2, 0xB5C0FBCF)
+	ROUND(f, g, h, a, b, c, d, e,  3, 0xE9B5DBA5)
+	ROUND(e, f, g, h, a, b, c, d,  4, 0x3956C25B)
+	ROUND(d, e, f, g, h, a, b, c,  5, 0x59F111F1)
+	ROUND(c, d, e, f, g, h, a, b,  6, 0x923F82A4)
+	ROUND(b, c, d, e, f, g, h, a,  7, 0xAB1C5ED5)
+	ROUND(a, b, c, d, e, f, g, h,  8, 0xD807AA98)
+	ROUND(h, a, b, c, d, e, f, g,  9, 0x12835B01)
+	ROUND(g, h, a, b, c, d, e, f, 10, 0x243185BE)
+	ROUND(f, g, h, a, b, c, d, e, 11, 0x550C7DC3)
+	ROUND(e, f, g, h, a, b, c, d, 12, 0x72BE5D74)
+	ROUND(d, e, f, g, h, a, b, c, 13, 0x80DEB1FE)
+	ROUND(c, d, e, f, g, h, a, b, 14, 0x9BDC06A7)
+	ROUND(b, c, d, e, f, g, h, a, 15, 0xC19BF174)
+	ROUND(a, b, c, d, e, f, g, h, 16, 0xE49B69C1)
+	ROUND(h, a, b, c, d, e, f, g, 17, 0xEFBE4786)
+	ROUND(g, h, a, b, c, d, e, f, 18, 0x0FC19DC6)
+	ROUND(f, g, h, a, b, c, d, e, 19, 0x240CA1CC)
+	ROUND(e, f, g, h, a, b, c, d, 20, 0x2DE92C6F)
+	ROUND(d, e, f, g, h, a, b, c, 21, 0x4A7484AA)
+	ROUND(c, d, e, f, g, h, a, b, 22, 0x5CB0A9DC)
+	ROUND(b, c, d, e, f, g, h, a, 23, 0x76F988DA)
+	ROUND(a, b, c, d, e, f, g, h, 24, 0x983E5152)
+	ROUND(h, a, b, c, d, e, f, g, 25, 0xA831C66D)
+	ROUND(g, h, a, b, c, d, e, f, 26, 0xB00327C8)
+	ROUND(f, g, h, a, b, c, d, e, 27, 0xBF597FC7)
+	ROUND(e, f, g, h, a, b, c, d, 28, 0xC6E00BF3)
+	ROUND(d, e, f, g, h, a, b, c, 29, 0xD5A79147)
+	ROUND(c, d, e, f, g, h, a, b, 30, 0x06CA6351)
+	ROUND(b, c, d, e, f, g, h, a, 31, 0x14292967)
+	ROUND(a, b, c, d, e, f, g, h, 32, 0x27B70A85)
+	ROUND(h, a, b, c, d, e, f, g, 33, 0x2E1B2138)
+	ROUND(g, h, a, b, c, d, e, f, 34, 0x4D2C6DFC)
+	ROUND(f, g, h, a, b, c, d, e, 35, 0x53380D13)
+	ROUND(e, f, g, h, a, b, c, d, 36, 0x650A7354)
+	ROUND(d, e, f, g, h, a, b, c, 37, 0x766A0ABB)
+	ROUND(c, d, e, f, g, h, a, b, 38, 0x81C2C92E)
+	ROUND(b, c, d, e, f, g, h, a, 39, 0x92722C85)
+	ROUND(a, b, c, d, e, f, g, h, 40, 0xA2BFE8A1)
+	ROUND(h, a, b, c, d, e, f, g, 41, 0xA81A664B)
+	ROUND(g, h, a, b, c, d, e, f, 42, 0xC24B8B70)
+	ROUND(f, g, h, a, b, c, d, e, 43, 0xC76C51A3)
+	ROUND(e, f, g, h, a, b, c, d, 44, 0xD192E819)
+	ROUND(d, e, f, g, h, a, b, c, 45, 0xD6990624)
+	ROUND(c, d, e, f, g, h, a, b, 46, 0xF40E3585)
+	ROUND(b, c, d, e, f, g, h, a, 47, 0x106AA070)
+	ROUND(a, b, c, d, e, f, g, h, 48, 0x19A4C116)
+	ROUND(h, a, b, c, d, e, f, g, 49, 0x1E376C08)
+	ROUND(g, h, a, b, c, d, e, f, 50, 0x2748774C)
+	ROUND(f, g, h, a, b, c, d, e, 51, 0x34B0BCB5)
+	ROUND(e, f, g, h, a, b, c, d, 52, 0x391C0CB3)
+	ROUND(d, e, f, g, h, a, b, c, 53, 0x4ED8AA4A)
+	ROUND(c, d, e, f, g, h, a, b, 54, 0x5B9CCA4F)
+	ROUND(b, c, d, e, f, g, h, a, 55, 0x682E6FF3)
+	ROUND(a, b, c, d, e, f, g, h, 56, 0x748F82EE)
+	ROUND(h, a, b, c, d, e, f, g, 57, 0x78A5636F)
+	ROUND(g, h, a, b, c, d, e, f, 58, 0x84C87814)
+	ROUND(f, g, h, a, b, c, d, e, 59, 0x8CC70208)
+	ROUND(e, f, g, h, a, b, c, d, 60, 0x90BEFFFA)
+	ROUND(d, e, f, g, h, a, b, c, 61, 0xA4506CEB)
+	ROUND(c, d, e, f, g, h, a, b, 62, 0xBEF9A3F7)
+	ROUND(b, c, d, e, f, g, h, a, 63, 0xC67178F2)
+	state[0] += a;
+	state[1] += b;
+	state[2] += c;
+	state[3] += d;
+	state[4] += e;
+	state[5] += f;
+	state[6] += g;
+	state[7] += h;
+}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.0.12
+  version: 1.0.13
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-16 00:00:00.000000000 Z
+date: 2016-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -417,6 +417,8 @@ files:
 - lua-hooks/ext/luautf8/unidata.h
 - lua-hooks/ext/sha1/luasha1.c
 - lua-hooks/ext/sha1/sha1.c
+- lua-hooks/ext/sha2/luasha256.c
+- lua-hooks/ext/sha2/sha256.c
 - lua-hooks/lib/boot.lua
 homepage: http://immun.io/
 licenses: