immunio 1.0.6 → 1.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eb728b89874b8fcb5cfdf79a7fb0c9664d904b34
-  data.tar.gz: b071e26dc05fad5a700468dbf9d3ed00e64157e5
+  metadata.gz: 80267dd0327d92f9af47b91f658a46a3e38cd000
+  data.tar.gz: be17e29bba57536a8d8cdb5a35134cfe64977510
 SHA512:
-  metadata.gz: 68afdf33589ca1563f3da1506ab01e0a5e9bd0754b8ae3a2ed4e2e8c27b2625d0b8b62b055fe4559f84de90203643ed4192f32c1e6d4a30a72fd0d292b9c6d24
-  data.tar.gz: da4aad9e43545ce56e37ae5f573efba5f8e6511f293611b8b31ff757bffe21671c0d4b484f6d49ba7ad965d9ee59c05c445ea8c07ed0b89cbf76ebc85b7ed983
+  metadata.gz: 26355aaa28340307c3a6766ddda207e67484d6e9b0f33601d229660338d1e7becffc3e6140092fd0a10ed7d0bc2d0b3c5f494aaf29fd8e61f66759ac1eb62463
+  data.tar.gz: 218fbac35d91313ebf8dec8ca81cb1be22b05b8b388b79294db8e1750a1ce6f193da04a305b304dcf99544d27e4b503d28af074d98c05f3fed8ee4feafad0b35

data/lib/immunio/context.rb

@@ -3,6 +3,14 @@ module Immunio
     RAILS_TEMPLATE_FILTER = Regexp.new("(.*(_erb|_haml))__+\\d+_\\d+(.*)")
     # Cache for contexts (named in tribute to our buddy Adam Back who invented proof of work)
     @@hash_cache = {}
+    FILE_CHECKSUM_CACHE = Hash.new do |cache, filepath|
+      begin
+        contents = IOHooks.paused { File.read(filepath) }
+        cache[filepath] = Digest::SHA1.hexdigest(contents)
+      rescue StandardError
+        cache[filepath] = ""
+      end
+    end
 
     # Calculate context hashes and a stack trace. Additional data, in the form
     # of a String, may be provided to mix into the strict context hash.
@@ -29,7 +37,7 @@ module Immunio
         # are filtered by the Gem regex.
         locations = caller(1).map do |frame|
           frame = frame.split(":", 3)
-          {path: frame[0], line: frame[1], label: frame[2]}
+          { path: frame[0], line: frame[1], label: frame[2] }
         end
 
         locations.each do |frame|
@@ -44,7 +52,7 @@ module Immunio
           # relocation. If there's no rails root, or the path doesn't start with
           # the rails root, just use the filename part.
           if defined?(Rails) && defined?(Rails.root) &&
-             Rails.root && frame[:path].start_with?(Rails.root.to_s)
+            Rails.root && frame[:path].start_with?(Rails.root.to_s)
             strict_path = frame[:path].sub(Rails.root.to_s, '')
           else
             strict_path = File.basename(frame[:path])
@@ -64,6 +72,10 @@ module Immunio
           strict_context_rope << ":"
           strict_context_rope << frame[:label]
 
+          # Include checksums of file contents in the strict context
+          checksum = FILE_CHECKSUM_CACHE[frame[:path]]
+          strict_context_rope << ":#{checksum}" unless checksum.blank?
+
           # Remove pathname from the loose context. The goal here is to prevent
           # upgrading gem versions from changing the loose context key, so for instance
           # users don't have to rebuild their whitelists every time they update a gem

data/lib/immunio/plugins/action_view.rb

@@ -55,7 +55,7 @@ module Immunio
       old_formats = context.lookup_context.formats
       begin
         context.lookup_context.formats = @template.formats
-        refreshed = @template.refresh(context)
+        refreshed = Immunio::IOHooks.paused { @template.refresh(context) }
       ensure
         context.lookup_context.formats = old_formats
       end
@@ -158,7 +158,7 @@ module Immunio
     def render(context)
       load_source context
       # Don't handle templates with no source (inline text templates).
-      if not has_source? then
+      unless has_source?
         rendered = yield
         rendered.instance_variable_set("@__immunio_processed", true)
         return rendered

data/lib/immunio/plugins/active_record_relation.rb

@@ -129,8 +129,10 @@ module Immunio
 
             caller_method = frame.label
             caller_line = frame.lineno
+            checksum = Immunio::Context::FILE_CHECKSUM_CACHE[frame.path]
 
             data = "Relation for #{name}, method called: #{method}, caller: #{caller_method}:#{caller_line}"
+            data << ", checksum: #{checksum}" unless checksum.blank?
           else
             data = "Relation for #{name}, method called: #{method}"
           end

data/lib/immunio/plugins/io.rb

@@ -3,6 +3,20 @@ require_relative '../context'
 module Immunio
   module IOHooks
 
+    def self.paused
+      old_paused = Thread.current["immunio.file_io_paused"]
+      Thread.current["immunio.file_io_paused"] = true
+      begin
+        yield
+      ensure
+        Thread.current["immunio.file_io_paused"] = old_paused
+      end
+    end
+
+    def self.paused?
+      !!Thread.current["immunio.file_io_paused"]
+    end
+
     def self.inject(mod, name, methods)
       mod.class_eval <<-EOF
         def self.extended(base)                                        # def self.extended(base)
@@ -21,16 +35,21 @@ module Immunio
       methods.each do |method|
         mod.class_eval <<-EOF
           def #{method}_with_immunio(*args, &block)                    # def read_with_immunio(*args, &block)
-            Request.time "plugin", "IO::#{method}" do                  #
-              strict_context, loose_context, stack, loose_stack = Immunio::Context.context()
-              Immunio.run_hook! "io", "file_io",                       #   Immunio.run_hook! "io", "open",
-                              method: "#{name}#{method}",              #      open_method: "IO.read",
-                              parameters: args,                        #      parameters: args
-                              stack: loose_stack,                      #
-                              context_key: loose_context,              #
-                              cwd: Dir.pwd
-              Request.pause "plugin", "IO::#{method}" do               #
-                #{method}_without_immunio(*args, &block)               #   read_without_immunio(*args, &block)
+            if Immunio::IOHooks.paused?
+              #{method}_without_immunio(*args, &block)
+            else
+              Request.time "plugin", "IO::#{method}" do                  #
+                strict_context, loose_context, stack, loose_stack = Immunio::Context.context()
+
+                Immunio.run_hook! "io", "file_io",                       #   Immunio.run_hook! "io", "open",
+                                method: "#{name}#{method}",              #      open_method: "IO.read",
+                                parameters: args,                        #      parameters: args
+                                stack: loose_stack,                      #
+                                context_key: loose_context,              #
+                                cwd: Dir.pwd
+                Request.pause "plugin", "IO::#{method}" do               #
+                  #{method}_without_immunio(*args, &block)               #   read_without_immunio(*args, &block)
+                end
               end
             end
           end                                                          # end

data/lib/immunio/version.rb

@@ -1,5 +1,5 @@
 module Immunio
   AGENT_TYPE = "agent-ruby"
-  VERSION = "1.0.6"
+  VERSION = "1.0.7"
   VM_VERSION = "2.2.0"
 end

data/lua-hooks/Makefile

@@ -28,6 +28,7 @@ LUA_SRC = \
 	lib/paths.lua \
 	lib/permit.lua \
 	lib/sanitize_sql.lua \
+	lib/sanitize_command.lua \
 	lib/semver.lua \
 	lib/sha1.lua \
 	lib/snap.lua \

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.0.6
+  version: 1.0.7
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-01 00:00:00.000000000 Z
+date: 2015-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails