immunio 1.0.19 → 1.0.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fa6484d2fd07102fbdc20e1e0efb80e896fe7fd3
-  data.tar.gz: 1f3f3b0b1489dc425ac437f349b53b581719b4cc
+  metadata.gz: 5dd373f29d340641801017f1a196715854a6468f
+  data.tar.gz: 2de3aa70ccdafcd66b9ea033acc7435558099d0e
 SHA512:
-  metadata.gz: 12ec429dfc0384009851ae4cc9f27db31678e13a45b39974c0e72fdea2f6dbeb832aa8847bb277f5adbd2918ec385a6a4c5eef8d594d6de79e11dfbbc61ba3cc
-  data.tar.gz: 818548e67dfa6d9e954903aa2da1d2e54745541164eb3de70bbc32bac74dc58adca741fd109c346c86dc96513fa85f1877c5f07a480cd66189fb9d9eaa7b2997
+  metadata.gz: a82c3d9390e98de817cd372c2b141d375c630bba443a8966619229e1ada1856dc9d18938100e89dd61a286f0e6ea5c7158c393e5a4907b361ae4cdb8e1169ec0
+  data.tar.gz: 586de295f66cb96b02d521bf3ef09baf5f307303acedfafb91c527fea48725bfef1382eaa73035d3fabd874e83997c6db9539487da4cce1a0af21ae33bf317fc

data/LICENSE

@@ -212,6 +212,33 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
 
+This product includes content covered by the following license:
+Under the MIT license.
+copyright(c) 2006~2007 hanzhao (abrash_han@hotmail.com)
+
+
+This product includes content covered by the following license:
+Copyright (C) 2012 by Paul Moore
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
 All other components of this product are
 Copyright (c) 2015 Immunio, Inc.  All rights reserved.
 

data/lib/immunio/plugins/http_tracker.rb

@@ -15,6 +15,7 @@ module Immunio
         Immunio.new_request(request)
 
         Immunio.run_hook! "http_tracker", "http_request_start", meta_from_env(env)
+        Immunio.run_hook! "http_tracker", "framework_route", route_name: route_name(env)
 
         env['rack.input'] = InputWrapper.new(env['rack.input'])
 
@@ -26,14 +27,14 @@ module Immunio
         session = env["rack.session"]
         if session_was_loaded?(session)
           Immunio.run_hook! "http_tracker", "framework_session",
-            session_id: extract_session_id(session)
+                            session_id: extract_session_id(session)
         end
 
         # Immunio expects response headers as a list of tuples.
         list_headers = headers_to_list(headers)
 
         result = Immunio.run_hook! "http_tracker", "http_response_start",
-          status: status, headers: list_headers
+                                   status: status, headers: list_headers
 
         # If new headers are specified, convert them back to the Ruby hash format.
         if result["headers"] != nil
@@ -50,112 +51,121 @@ module Immunio
         status, headers, body = Immunio.blocked_app.call(env)
         # Do not allow blocking the request here
         Immunio.run_hook "http_tracker", "http_response_start",
-          status: status, headers: headers
+                         status: status, headers: headers
 
         [status, headers, body]
       end
     rescue OverrideResponse => override
-       status, headers, body = Immunio.override_response.call(env, override)
+      status, headers, body = Immunio.override_response.call(env, override)
 
-       Immunio.run_hook "http_tracker", "http_response_start",
-         status: status, headers: headers
-       [status, headers, body]
+      Immunio.run_hook "http_tracker", "http_response_start",
+                       status: status, headers: headers
+      [status, headers, body]
     end
 
     private
-      def headers_to_list(headers)
-        list_headers = []
-        headers.each do |name, value|
-          # Ruby treats the `Set-Cookie` header specially. If there are multiple
-          # Set-Cookie headers to send, they are joined into a single field,
-          # separated by line-feeds.
-          if name == "Set-Cookie"
-            value.split("\n").each do |cookie_val|
-              list_headers.push(["Set-Cookie", cookie_val])
-            end
-          else
-            list_headers.push([name, value])
+
+    def headers_to_list(headers)
+      list_headers = []
+      headers.each do |name, value|
+        # Ruby treats the `Set-Cookie` header specially. If there are multiple
+        # Set-Cookie headers to send, they are joined into a single field,
+        # separated by line-feeds.
+        if name == "Set-Cookie"
+          value.split("\n").each do |cookie_val|
+            list_headers.push(["Set-Cookie", cookie_val])
           end
+        else
+          list_headers.push([name, value])
         end
-        list_headers
       end
+      list_headers
+    end
 
-      def list_to_headers(list)
-        new_headers = {}
-        list.each do |name, value|
-          # If this header is already in `new_headers`, append to the
-          # existing value with a linefeed separator.
-          if new_headers.has_key?(name)
-            new_headers[name] += ("\n" + value)
-          else
-            new_headers[name] = value
-          end
+    def list_to_headers(list)
+      new_headers = {}
+      list.each do |name, value|
+        # If this header is already in `new_headers`, append to the
+        # existing value with a linefeed separator.
+        if new_headers.has_key?(name)
+          new_headers[name] += ("\n" + value)
+        else
+          new_headers[name] = value
         end
-        new_headers
       end
+      new_headers
+    end
 
-      def meta_from_env(env)
-        request = Rack::Request.new(env)
-
-        # Extract request headers from `env`.
-        headers = env.select { |k| k.starts_with? "HTTP_" }.
-                      each_with_object({}) { |(k, v), h| h.store k[5..-1].downcase.tr('_', '-'), v }
+    def rack_request(env)
+      Rack::Request.new(env)
+    end
 
-        # Determine scheme (http://www.rubydoc.info/github/rack/rack/master/file/SPEC)
-        # There are also some HTTP headers from proxies that may affect the
-        # scheme seen by the end user. We process those in the hooks.
-        scheme = env["rack.url_scheme"]
-        if env["HTTPS"] == "on"
-          # Some servers will set the HTTPS var explicity. If set, use it
-          scheme = "https"
-        end
+    def meta_from_env(env)
+      request = rack_request(env)
 
-        # Determine the route name in controller#action format:
-        route_name = nil
-
-        if defined?(Rails.application) && Rails.application.present?
-          begin
-            path = request.env['PATH_INFO']
-            method = request.env['REQUEST_METHOD'].downcase.to_sym
-            url = Rails.application.routes.recognize_path(path, method: method)
-            route_name = "#{url[:controller]}##{url[:action]}"
-          rescue StandardError
-            route_name = nil
-          end
-        end
+      # Extract request headers from `env`.
+      headers = env.select { |k| k.starts_with? "HTTP_" }.
+                each_with_object({}) { |(k, v), h| h.store k[5..-1].downcase.tr('_', '-'), v }
 
-        {
-          protocol: env["SERVER_PROTOCOL"],
-          scheme: scheme,
-          uri: env["REQUEST_URI"],
-          server_name: env["SERVER_NAME"],
-          # SERVER_ADDR is non-standard, but rack uses it as a fallback, so
-          # include it here as well so we can access it from Lua.
-          server_addr: env["SERVER_ADDR"],
-          server_port: env["SERVER_PORT"],
-          route_name: route_name,
-          querystring: request.query_string,
-          method: request.request_method,
-          path: request.path_info,
-          socket_ip: request.ip,
-          socket_port: request.port,
-          headers: headers
-        }
+      # Determine scheme (http://www.rubydoc.info/github/rack/rack/master/file/SPEC)
+      # There are also some HTTP headers from proxies that may affect the
+      # scheme seen by the end user. We process those in the hooks.
+      scheme = env["rack.url_scheme"]
+      if env["HTTPS"] == "on"
+        # Some servers will set the HTTPS var explicity. If set, use it
+        scheme = "https"
       end
 
-      def session_was_loaded?(session)
-        session && (session.respond_to?(:loaded?) ? session.loaded? : true)
-      end
+      {
+        protocol: env["SERVER_PROTOCOL"],
+        scheme: scheme,
+        uri: env["REQUEST_URI"],
+        server_name: env["SERVER_NAME"],
+        # SERVER_ADDR is non-standard, but rack uses it as a fallback, so
+        # include it here as well so we can access it from Lua.
+        server_addr: env["SERVER_ADDR"],
+        server_port: env["SERVER_PORT"],
+        querystring: request.query_string,
+        method: request.request_method,
+        path: request.path_info,
+        socket_ip: request.ip,
+        socket_port: request.port,
+        headers: headers
+      }
+    end
 
-      def extract_session_id(session)
-        session_id = if session.respond_to?(:id)
-          session.id
-        else
-          session[:id] || session[:session_id]
+    def route_name(env)
+      # Determine the route name in controller#action format:
+      route_name = nil
+
+      if defined?(Rails.application) && Rails.application.present?
+        begin
+          request = rack_request(env)
+          path = request.env['PATH_INFO']
+          method = request.env['REQUEST_METHOD'].downcase.to_sym
+          url = Rails.application.routes.recognize_path(path, method: method)
+          route_name = "#{url[:controller]}##{url[:action]}"
+        rescue StandardError
+          route_name = nil
         end
-
-        Digest::SHA1.hexdigest(session_id) if session_id
       end
+
+      route_name
+    end
+
+    def session_was_loaded?(session)
+      session && (session.respond_to?(:loaded?) ? session.loaded? : true)
+    end
+
+    def extract_session_id(session)
+      session_id = if session.respond_to?(:id)
+                     session.id
+                   else
+                     session[:id] || session[:session_id]
+                   end
+
+      Digest::SHA1.hexdigest(session_id) if session_id
+    end
   end
 
   class InputWrapper < SimpleDelegator
@@ -192,9 +202,10 @@ module Immunio
     end
 
     private
-      def report_chunk(chunk)
-        Immunio.run_hook! "http_tracker", "http_request_body_chunk",
-          chunk: chunk
-      end
+
+    def report_chunk(chunk)
+      Immunio.run_hook! "http_tracker", "http_request_body_chunk",
+                        chunk: chunk
+    end
   end
 end

data/lib/immunio/version.rb

@@ -1,5 +1,5 @@
 module Immunio
   AGENT_TYPE = "agent-ruby"
-  VERSION = "1.0.19"
+  VERSION = "1.0.22"
   VM_VERSION = "2.2.0"
 end

data/lib/immunio/vm.rb

@@ -193,6 +193,11 @@ module Immunio
       @error_handler = @state["debug.traceback"]
       @call_function = @state['sandboxed_call']
 
+      # The pass function acts as a Ruby => Lua converter.
+      # It simply passes back it's first argument.
+      # Arguments are converted from Ruby to Lua by rufus-lua.
+      @pass_function = @state.eval "return function(obj) return obj end"
+
       self.class.check_rufus_stack @state, "Stack not empty after bootstrap"
     end
 
@@ -207,7 +212,7 @@ module Immunio
       return object if object.is_a?(Rufus::Lua::Ref)
 
       lua_call do
-        @state.eval "return #{Rufus::Lua.to_lua_s(object)}"
+        @pass_function.call(object)
       end
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.0.19
+  version: 1.0.22
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-05-19 00:00:00.000000000 Z
+date: 2016-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -164,8 +164,6 @@ files:
 - lib/immunio/utils.rb
 - lib/immunio/version.rb
 - lib/immunio/vm.rb
-- lib/immunio_tasks/version_bump.rake
-- lib/immunio_tasks/version_bumper.rb
 - lua-hooks/Makefile
 - lua-hooks/ext/all.c
 - lua-hooks/ext/libinjection/COPYING
@@ -447,7 +445,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 2.6.4
 signing_key: 
 specification_version: 4
 summary: Immunio Ruby agent

data/lib/immunio_tasks/version_bump.rake

@@ -1,44 +0,0 @@
-require_relative 'version_bumper'
-
-namespace 'version' do
-  YES_TRUE_REGEX = /yes|y|true|t/
-
-  def test_mode?
-    !!(ENV.fetch('TEST', 'no').downcase =~ YES_TRUE_REGEX)
-  end
-
-  def quiet_mode?
-    !!(ENV.fetch('QUIET', 'yes').downcase =~ YES_TRUE_REGEX)
-  end
-
-  task :setup do
-    @bumper = VersionBumper.new(test_mode?, quiet_mode?)
-    @bumper.status
-    abort "You must be on a clean master branch!" unless VersionBumper.on_clean_master?
-  end
-
-  desc "Show status"
-  task :status => [ :setup ] do
-  end
-
-  namespace 'release' do
-    desc "Prepare a new release"
-    task :prepare => [ :setup ] do
-      @bumper.prepare
-    end
-  end
-
-  desc "Bump version"
-  task :bump => [ :setup ] do
-    new_version = @bumper.prompt_for_new_version
-    @bumper.ask_and_bump_version(new_version)
-  end
-
-  namespace :bump do
-    desc "Bump version to development"
-    task :development => [ :setup ] do
-      abort "Version already set for development" if VersionBumper.development?
-      @bumper.bump_development_version
-    end
-  end
-end

data/lib/immunio_tasks/version_bumper.rb

@@ -1,128 +0,0 @@
-require_relative '../immunio/version'
-require 'highline'
-
-class VersionBumper
-  def self.current_version
-    Immunio::VERSION
-  end
-
-  def self.version_file
-    @version_file ||= File.join Dir.pwd, 'lib/', 'immunio', 'version.rb'
-  end
-
-  def self.current_branch
-    %x[git symbolic-ref HEAD 2>/dev/null | cut -d"/" -f 3].strip
-  end
-
-  def self.on_master?
-    current_branch == 'master'
-  end
-
-  def self.clean_branch?
-    %x[git status --porcelain --ignore-submodules].split.count == 0
-  end
-
-  def self.on_clean_master?
-    on_master? && clean_branch?
-  end
-
-  def self.development?
-    current_version =~ /master/
-  end
-
-
-  def initialize(test_mode, quiet_mode)
-    @test_mode = test_mode
-    @quiet_mode = quiet_mode
-  end
-
-  attr_reader :test_mode, :quiet_mode
-  
-  def status
-    cli.say "<%= color('You are not on the master branch!', BOLD) %>" unless self.class.on_master?
-    cli.say "<%= color('There are uncommitted changes OR untracked files!', BOLD) %>" unless self.class.clean_branch?
-    cli.say "Current version is: #{self.class.current_version}"
-  end
-
-  def prepare
-    if cli.agree("Are you sure? (yes/no)")
-      exec 'git submodule init' # When we have a fresh clone
-      exec 'git fetch origin'
-      exec 'git clean -fxd'
-      exec 'git submodule foreach --recursive git clean -fxd'
-      exec 'git submodule update'
-      cli.say 'Now run `bundle exec rake version:bump`'
-    else
-      cli.say 'Nothing done.'
-    end
-  end
-
-  def prompt_for_new_version
-    @new_version ||= cli.ask('New version? ') do |v|
-      v.default = self.class.current_version.sub('.master', '')
-    end
-  end
-
-  def ask_and_bump_version(version)
-    unless version_valid?
-      cli.say 'Version is unchanged'
-      return
-    end
-
-    if cli.agree("Bump version to #{version}? (yes/no)")
-      bump_version(version)
-    else
-      cli.say 'Nothing done.'
-    end
-  end
-
-  def bump_development_version
-    return if self.class.development?
-
-    arr = self.class.current_version.split('.')
-    new_patch_level = (arr.last.to_i + 1).to_s
-    version = (arr[0...2] << new_patch_level).join('.') << '.master'
-
-    ask_and_bump_version(version)
-  end
-
-  private
-
-  def exec(cmd)
-    echo = test_mode ? 'echo' : ''
-    puts "=> #{echo} #{cmd}" unless quiet_mode
-    %x[#{echo} #{cmd}]
-  end
-
-  def cli
-    @cli ||= HighLine.new
-  end
-
-  def version_valid?
-    @new_version != self.class.current_version
-  end
-
-  def bump_version(new_version)
-    return unless self.class.on_clean_master?
-
-    cli.say "Bumping version to v#{new_version}"
-    update_version_file(new_version)
-    commit_changes(new_version)
-  end
-
-  def update_version_file(new_version)
-    cli.say "Updating #{self.class.version_file}"
-    cli.say exec(%Q[sed -i '' 's/#{self.class.current_version}/#{new_version}/' #{self.class.version_file}])
-  end
-
-  def commit_changes(new_version)
-    cli.say "Committing changes"
-    if new_version =~ /master/
-      cli.say exec(%Q[git commit -a -m \"Open v#{new_version} for development\"])
-    else
-      cli.say exec(%Q[git commit -a -m \"Bump agent version to v#{new_version}\"])
-      cli.say "Next, run `gem_push=no bundle exec rake release`"
-      cli.say "Then, run `bundle exec rake version:bump:development`"
-    end
-  end
-end