immunio 1.0.7 → 1.0.8
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/immunio/plugins/action_view.rb +9 -5
- data/lib/immunio/plugins/warden.rb +46 -54
- data/lib/immunio/rails.rb +0 -1
- data/lib/immunio/version.rb +1 -1
- data/lua-hooks/Makefile +1 -0
- data/lua-hooks/lib/boot.lua +1 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 99a30833d9388d3c2cf12a21d209c81983f69958
|
|
4
|
+
data.tar.gz: be529e5b823a1f0db90a4d058ba2af2f5327d2fb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 581d82074c288618bec64dd899fde256d601d2703d3da32f86436cc92e1e53545cd209935bcc3989f2d895171b2401f5705795149c4680972daa91a0b353b660
|
|
7
|
+
data.tar.gz: 8b226690a97a6984025d96c57d3322d5c6790fe9fde2723ba690946be942dab9349ab3595f4c25ad0984df4790bc3c177b8a8681985c4ae149c67a6d43598d55
|
|
@@ -131,7 +131,7 @@ module Immunio
|
|
|
131
131
|
return content.html_safe
|
|
132
132
|
end
|
|
133
133
|
|
|
134
|
-
"{immunio-var:#{id}:#{nonce}}".html_safe + content.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
|
|
134
|
+
"{immunio-var:#{id}:#{nonce}}".html_safe + content.to_s.html_safe + "{/immunio-var:#{id}:#{nonce}}".html_safe
|
|
135
135
|
end
|
|
136
136
|
|
|
137
137
|
# If we got here, the interpolation has been wrapped in our markers and we
|
|
@@ -160,7 +160,7 @@ module Immunio
|
|
|
160
160
|
# Don't handle templates with no source (inline text templates).
|
|
161
161
|
unless has_source?
|
|
162
162
|
rendered = yield
|
|
163
|
-
rendered.instance_variable_set("@__immunio_processed", true)
|
|
163
|
+
rendered.instance_variable_set("@__immunio_processed", true) unless rendered.frozen?
|
|
164
164
|
return rendered
|
|
165
165
|
end
|
|
166
166
|
|
|
@@ -172,14 +172,18 @@ module Immunio
|
|
|
172
172
|
template_sha
|
|
173
173
|
Immunio.logger.debug {"ActionView rendering template with sha #{@template_sha}, root: #{root}"}
|
|
174
174
|
rendered = yield
|
|
175
|
-
rendered.instance_variable_set("@__immunio_processed", true)
|
|
175
|
+
rendered.instance_variable_set("@__immunio_processed", true) unless rendered.frozen?
|
|
176
176
|
|
|
177
177
|
if root
|
|
178
178
|
# This is the root template. Let ActionView render it, and then look
|
|
179
179
|
# for XSS.
|
|
180
180
|
rendered = rendered.to_str
|
|
181
|
-
|
|
182
|
-
result = run_hook!
|
|
181
|
+
|
|
182
|
+
result = run_hook!("template_render_done", {
|
|
183
|
+
content_type: Mime::Type.lookup_by_extension(@template.formats.first).to_s,
|
|
184
|
+
rendered: rendered,
|
|
185
|
+
vars: @vars
|
|
186
|
+
})
|
|
183
187
|
|
|
184
188
|
# We use the return value from the hook handler if present.
|
|
185
189
|
rendered = result.fetch("rendered") { rendered.dup }
|
|
@@ -6,72 +6,64 @@ rescue LoadError # rubocop:disable Lint/HandleExceptions
|
|
|
6
6
|
# Ignore
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
-
if defined?(Warden)
|
|
10
|
-
Warden::Manager
|
|
11
|
-
|
|
12
|
-
Immunio.
|
|
13
|
-
|
|
9
|
+
if defined?(Warden::Manager)
|
|
10
|
+
class Warden::Manager
|
|
11
|
+
after_authentication do |user|
|
|
12
|
+
Immunio::Request.time "plugin", "Warden::Manager.after_authentication" do
|
|
13
|
+
Immunio.logger.debug { "Warden instrumentation fired for after_authentication" }
|
|
14
|
+
Immunio.login user_record: user, plugin: "warden"
|
|
15
|
+
end
|
|
14
16
|
end
|
|
15
|
-
end
|
|
16
17
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
18
|
+
before_failure do |env|
|
|
19
|
+
Immunio::Request.time "plugin", "Warden::Manager.before_failure" do
|
|
20
|
+
info = {plugin: "warden"}
|
|
20
21
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
22
|
+
# Devise uses these specific form fields for authentication by default
|
|
23
|
+
user_found = false
|
|
24
|
+
[:username, :email].each do |attr|
|
|
25
|
+
value = env.fetch("rack.request.form_hash", {}).fetch("user", {})[attr.to_s]
|
|
26
|
+
if value
|
|
27
|
+
info[attr] = value
|
|
28
|
+
user_found = true
|
|
29
|
+
end
|
|
28
30
|
end
|
|
29
|
-
end
|
|
30
31
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
32
|
+
# before_failure is called under many circumstances, but unfortunately
|
|
33
|
+
# there's no easy way to tell why. If we can't figure out who the
|
|
34
|
+
# attempted user was, don't report it as a failed login.
|
|
35
|
+
if user_found
|
|
36
|
+
Immunio.logger.debug { "Warden instrumentation fired for before_failure" }
|
|
37
|
+
Immunio.failed_login info
|
|
38
|
+
else
|
|
39
|
+
Immunio.logger.debug { "Failed to find user info for Warden failure, ignoring instead of reporting as failed login" }
|
|
40
|
+
end
|
|
39
41
|
end
|
|
40
42
|
end
|
|
41
|
-
end
|
|
42
|
-
|
|
43
|
-
Warden::Manager.after_set_user do |user|
|
|
44
|
-
Immunio::Request.time "plugin", "Warden::Manager.after_set_user" do
|
|
45
|
-
Immunio.logger.debug { "Warden instrumentation fired for after_set_user" }
|
|
46
|
-
Immunio.set_user user_record: user, plugin: "warden"
|
|
47
|
-
end
|
|
48
|
-
end
|
|
49
43
|
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
44
|
+
after_set_user do |user|
|
|
45
|
+
Immunio::Request.time "plugin", "Warden::Manager.after_set_user" do
|
|
46
|
+
Immunio.logger.debug { "Warden instrumentation fired for after_set_user" }
|
|
47
|
+
Immunio.set_user user_record: user, plugin: "warden"
|
|
48
|
+
end
|
|
54
49
|
end
|
|
55
|
-
end
|
|
56
50
|
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
@app = app
|
|
51
|
+
before_logout do |user|
|
|
52
|
+
Immunio::Request.time "plugin", "Warden::Manager.before_logout" do
|
|
53
|
+
Immunio.logger.debug { "Warden instrumentation fired for before_logout" }
|
|
54
|
+
Immunio.logout user_record: user, plugin: "warden"
|
|
62
55
|
end
|
|
56
|
+
end
|
|
63
57
|
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
@app.call(env)
|
|
72
|
-
end
|
|
73
|
-
end
|
|
74
|
-
end
|
|
58
|
+
# Force lookup of user info for all requests.
|
|
59
|
+
def call_with_immunio(env)
|
|
60
|
+
call_without_immunio(env)
|
|
61
|
+
ensure
|
|
62
|
+
Immunio::Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
|
|
63
|
+
env['warden'].user
|
|
64
|
+
end
|
|
75
65
|
end
|
|
66
|
+
alias :call_without_immunio :call
|
|
67
|
+
alias :call :call_with_immunio
|
|
76
68
|
end
|
|
77
69
|
end
|
data/lib/immunio/rails.rb
CHANGED
|
@@ -10,7 +10,6 @@ module Immunio
|
|
|
10
10
|
config.app_middleware.insert 0, HTTPFinisher
|
|
11
11
|
config.app_middleware.insert_before ActionDispatch::ShowExceptions, HTTPTracker
|
|
12
12
|
config.app_middleware.insert_after ActionDispatch::DebugExceptions, ExceptionHandler
|
|
13
|
-
config.app_middleware.insert_after Warden::Manager, WardenUserCaller if defined? Warden::Manager
|
|
14
13
|
config.app_middleware.use EnvironmentReporter
|
|
15
14
|
|
|
16
15
|
config.action_dispatch.rescue_responses.merge!('Immunio::RequestBlocked' => :forbidden)
|
data/lib/immunio/version.rb
CHANGED
data/lua-hooks/Makefile
CHANGED
data/lua-hooks/lib/boot.lua
CHANGED
|
@@ -9,6 +9,7 @@ serverdata = serverdata or {}
|
|
|
9
9
|
-- XXX Java agent has built in assumption that this function exists before VM
|
|
10
10
|
-- initialisation.
|
|
11
11
|
-- Encode a Lua object to be sent to the server.
|
|
12
|
+
-- This can be removed when Java agent has moved to new VM API
|
|
12
13
|
function encode(object)
|
|
13
14
|
return cmsgpack.pack(object)
|
|
14
15
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: immunio
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Immunio
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-12-
|
|
11
|
+
date: 2015-12-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|