immunio 1.1.18 → 1.1.19

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6055543c258054ef2deee718998ada2e1ee72b22
-  data.tar.gz: cd78217a6233a81e01126f5a15f523e89325150f
+  metadata.gz: f0cf95fe27e81261056bdc9388cb78021e3f3e33
+  data.tar.gz: 91d07872cd32dbc236299020a62337c1296691ce
 SHA512:
-  metadata.gz: a361784ac3f389ebbfe6c9e5511ebf422ab171a54a28f72fc30eeb8efab108b63ddc78ea2e2b912358a7c876dcd79b7f390cea9e96bbb42db11881e1123961e3
-  data.tar.gz: 3811d95d95a73a07e0635061a110a3564e043fab77bfc5cb76c895fb927f7f07def36e445441246143f1b4054d53e146cf4311002d929491db5099009c6b327c
+  metadata.gz: c4d6a75b2a7d974ccd9cfc3e3e7c6744f72330ae6f4f23c926021ba002635a4bf807b32e8b15be17c39a70d3cba90a4f4da67c4ab003c70b466e7240b152e9e8
+  data.tar.gz: fd8e3009626ddbb2a97b1b72ce542f37f5df6d6b7f59f291738de125ec6c8ee312926791dbcf5eda634198a718ca6f107a0daf1f5e771322c23d054950f0d13a

data/lib/immunio/context.rb

@@ -19,8 +19,12 @@ module Immunio
     # Calculate context hashes and a stack trace. Additional data, in the form
     # of a String, may be provided to mix into the strict context hash.
     def self.context(additional_data=nil)
-      # We can filter out at least the top two frames
-      stack = caller(2).join "\n"
+      # Filter out agent stack frames. This includes string class_evals in `io`.
+      filtered_stack_frames = caller.reject do |frame|
+        frame =~ /lib\/immunio|^\(eval\):\d+:.+`.+_with_immunio'$/
+      end
+
+      stack = filtered_stack_frames.join "\n"
 
       cache_key = Digest::SHA1.hexdigest stack
 
@@ -38,13 +42,12 @@ module Immunio
 
         # drop the top frame as it's us, but retain the rest. Immunio frames
         # are filtered by the Gem regex.
-        locations = caller(1).map do |frame|
+        locations = filtered_stack_frames.map do |frame|
           frame = frame.split(":", 3)
           { path: frame[0], line: frame[1], label: frame[2] }
         end
 
         locations.each do |frame|
-
           # Filter frame names from template rendering to remove generated random bits
           template_match = RAILS_TEMPLATE_FILTER.match(frame[:label])
           frame[:label] = template_match[1] + template_match[3] if template_match

data/lib/immunio/plugins/action_dispatch.rb

@@ -10,12 +10,12 @@ module Immunio
         alias_method :lookup_without_immunio, :[]
         alias_method :[], :lookup_with_immunio
       end
-
     end
 
     def lookup_with_immunio(name)
       Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
-        raw_cookie_value = @parent_jar[name]
+        cookie_name = (Rails::VERSION::MAJOR > 4) ? name.to_s : name
+        raw_cookie_value = @parent_jar[cookie_name]
 
         cookie_value = Request.pause(
           'plugin',
@@ -27,7 +27,7 @@ module Immunio
           Immunio.run_hook!(
             'action_dispatch',
             'bad_cookie',
-            key: name,
+            key: cookie_name,
             value: raw_cookie_value)
         end
 
@@ -135,6 +135,10 @@ Immunio::Plugin.load(
     if defined? UpgradeLegacyEncryptedCookieJar
       UpgradeLegacyEncryptedCookieJar.send :include, Immunio::CookieHooks
     end
+
+    if defined? PermanentCookieJar
+      PermanentCookieJar.send :include, Immunio::CookieHooks
+    end
   end
 
   plugin.loaded! ActionPack::VERSION::STRING

data/lib/immunio/plugins/action_view.rb

@@ -30,7 +30,8 @@ module Immunio
     end
 
     def id
-      (@template.respond_to?(:virtual_path) && @template.virtual_path) || (@template.respond_to?(:source) && @template.source)
+      (@template.respond_to?(:virtual_path) && @template.virtual_path) ||
+        (@template.respond_to?(:source) && @template.source)
     end
 
     def ==(other)
@@ -146,7 +147,8 @@ module Immunio
         content = "" if content.nil?
 
         # See comment above
-        if content =~ /\{immunio-var:\d+:#{nonce}\}/ then
+        if (content.respond_to? :=~) &&
+           (content =~ /\{immunio-var:\d+:#{nonce}\}/)
           # don't add markers.
           Immunio.logger.debug {"WARNING: ActionView not marking interpolation which already contains markers: \"#{content}\""}
           return content.html_safe
@@ -349,61 +351,68 @@ module Immunio
     end
 
     private
-      def rendering_stack
-        self.class.rendering_stack
-      end
 
-      def run_hook!(name, meta={})
-        default_meta = {
-          template_sha: template_sha,
-          name: (@template.respond_to?(:virtual_path) && @template.virtual_path) || nil,
-          origin: @template.identifier,
-          nonce: Template.get_nonce
-        }
-        Immunio.run_hook! "action_view", name, default_meta.merge(meta)
-      end
+    def rendering_stack
+      self.class.rendering_stack
+    end
 
-      def write_and_remove_fragments!(context, content)
-        # Rails tests do use the context as the view context sometimes.
-        if context.is_a? ActionController::Base
-          controller = context
-        elsif context.respond_to? :controller
-          controller = context.controller
-        else
-          # Some rails unit tests don't have a controller...
-          remove_all_markers! content
-          return
-        end
+    def run_hook!(name, meta={})
+      default_meta = {
+        template_sha: template_sha,
+        name: (@template.respond_to?(:virtual_path) && @template.virtual_path) || nil,
+        origin: @template.identifier,
+        nonce: Template.get_nonce
+      }
+      Immunio.run_hook! "action_view", name, default_meta.merge(meta)
+    end
 
-        # Iterate to handle nested fragments. Child fragments have lower ids than their parents.
-        nonce = Template.get_nonce
-        @scheduled_fragments_writes.each_with_index do |(key, _, options), id|
-          # Remove the markers ...
-          content.sub!(/\{immunio-fragment:#{id}:#{nonce}\}(.*)\{\/immunio-fragment:#{id}:#{nonce}\}/m) do
-            # The escaped content inside the markers ($1), is written to cache.
-            output = $1
-            remove_all_markers! output
-            controller.write_fragment_without_immunio key, output, options
-            output
-          end
-        end
-        # To be extra safe strip all markers from content
+    def write_and_remove_fragments!(context, content)
+      # Rails tests do use the context as the view context sometimes.
+      if context.is_a? ActionController::Base
+        controller = context
+      elsif context.respond_to? :controller
+        controller = context.controller
+      else
+        # Some rails unit tests don't have a controller...
         remove_all_markers! content
+        return
       end
 
-      def remove_var_markers!(input)
-        nonce = Template.get_nonce
-        # TODO is this the fastest way to remove the markers? Needs benchmarking ...
-        input.gsub!(/\{\/?immunio-var:\d+:#{nonce}\}/, "")
+      # Iterate to handle nested fragments. Child fragments have lower ids than their parents.
+      nonce = Template.get_nonce
+      @scheduled_fragments_writes.each_with_index do |(key, _, options), id|
+        # Remove the markers ...
+        content.sub!(/\{immunio-fragment:#{id}:#{nonce}\}(.*)\{\/immunio-fragment:#{id}:#{nonce}\}/m) do
+          # The escaped content inside the markers ($1), is written to cache.
+          output = $1
+          remove_all_markers! output
+          controller.write_fragment_without_immunio key, output, options
+          output
+        end
       end
+      # To be extra safe strip all markers from content
+      remove_all_markers! content
+    end
 
+    def remove_var_markers!(input)
+      nonce = Template.get_nonce
+      # TODO is this the fastest way to remove the markers? Needs benchmarking ...
+      input.gsub!(/\{\/?immunio-var:\d+:#{nonce}\}/, "")
+    end
+
+    def remove_all_markers!(input)
+      self.class.remove_all_markers!(input)
+    end
+
+    class << self
       def remove_all_markers!(input)
         input.gsub!(/\{\/?immunio-(fragment|var):\d+:[a-zA-Z0-9]+\}/, "")
       end
+    end
   end
 
   # Hooks for the ERB template engine.
-  # (Default one used in Rails).
+  # (Default one used in Rails < 5).
   module ErubisHooks
     extend ActiveSupport::Concern
 
@@ -428,6 +437,30 @@ module Immunio
     end
   end
 
+  module ErubiHooks
+    extend ActiveSupport::Concern
+
+    included do
+      Immunio::Utils.alias_method_chain self, :add_expression, :immunio
+    end
+
+    def add_expression_with_immunio(indicator, code)
+      # Wrap expressions in the templates to track their rendered value.
+      # Do not wrap expressions with blocks, eg.: <%= form_tag do %>
+      # TODO should we support blocks?
+      Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
+        unless code =~ ActionView::Template::Handlers::ERB::Erubi::BLOCK_EXPR
+          # escape unless we see the == indicator
+          escape = !(indicator == '==')
+          code = Immunio::Template.generate_render_var_code(code, escape)
+        end
+        Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
+          add_expression_without_immunio(indicator, code)
+        end
+      end
+    end
+  end
+
   # Hooks for the HAML template engine.
   module HamlHooks
     extend ActiveSupport::Concern
@@ -439,7 +472,13 @@ module Immunio
     def push_script_with_immunio(code, opts = {}, &block)
       # Wrap expressions in the templates to track their rendered value.
       Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
-        if code !~ ActionView::Template::Handlers::Erubis::BLOCK_EXPR
+        block_expr = if Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR > 0
+                       ActionView::Template::Handlers::ERB::Erubi::BLOCK_EXPR
+                     else
+                       ActionView::Template::Handlers::Erubis::BLOCK_EXPR
+                     end
+
+        if code !~ block_expr
           # escape if we're told to by HAML
           code = Immunio::Template.generate_render_var_code(code, opts[:escape_html])
         end
@@ -519,6 +558,29 @@ module Immunio
     end
   end
 
+  module CacheStoreHooks
+    extend ActiveSupport::Concern
+
+    included do
+      Immunio::Utils.alias_method_chain self, :write, :immunio
+    end
+
+    # Rails 5 adds CollectionCaching. When used in the context of
+    # rendering a collection of items with a partial template, we
+    # need to remove our markers before writing to the cache store.
+    # See this blog post for more:
+    # http://blog.bigbinary.com/2016/03/09/rails-5-makes-partial-redering-from-cache-substantially-faster.html
+    def write_with_immunio(name, value, options = nil)
+      Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
+        Template.remove_all_markers! value if value.is_a? String
+
+        Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
+          write_without_immunio(name, value, options)
+        end
+      end
+    end
+  end
+
   # Hook for the `ActiveSupport::Hash#to_query`.
   # Use case: building a url within a decorator that renders a partial with an interpolation.
   module ActiveSupportHooks
@@ -539,18 +601,32 @@ module Immunio
       escaped_string
     end
   end
+
+  XSS_HOOKS = %w[template_render_done template_render_var]
 end
 
 # Load the plugins
 
-Immunio::Plugin.load(
-  'Erubis',
-  feature: 'xss',
-  hooks: %w( template_render_done template_render_var )) do |plugin|
+if Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR > 0
+  Immunio::Plugin.load(
+    'Erubi',
+    feature: 'xss',
+    hooks: Immunio::XSS_HOOKS) do |plugin|
 
-  ActionView::Template::Handlers::Erubis.send :include, Immunio::ErubisHooks
+    ActionView::Template::Handlers::ERB::Erubi.send :include, Immunio::ErubiHooks
 
-  plugin.loaded! Rails.version
+    plugin.loaded! Rails.version
+  end
+else
+  Immunio::Plugin.load(
+    'Erubis',
+    feature: 'xss',
+    hooks: Immunio::XSS_HOOKS) do |plugin|
+
+    ActionView::Template::Handlers::Erubis.send :include, Immunio::ErubisHooks
+
+    plugin.loaded! Rails.version
+  end
 end
 
 ActiveSupport.on_load(:after_initialize) do
@@ -558,7 +634,7 @@ ActiveSupport.on_load(:after_initialize) do
   Immunio::Plugin.load(
     'Haml',
     feature: 'xss',
-    hooks: %w( template_render_done template_render_var )) do |plugin|
+    hooks: Immunio::XSS_HOOKS) do |plugin|
 
     if defined? Haml::Compiler
       Haml::Compiler.send :include, Immunio::HamlHooks
@@ -574,7 +650,7 @@ end
 Immunio::Plugin.load(
   'ActionView',
   feature: 'xss',
-  hooks: %w( template_render_done template_render_var )) do |plugin|
+  hooks: Immunio::XSS_HOOKS) do |plugin|
 
   ActionView::TemplateRenderer.send :include, Immunio::TemplateRendererHooks
   ActionView::Template.send :include, Immunio::TemplateHooks
@@ -585,6 +661,7 @@ Immunio::Plugin.load(
       Immunio::FragmentCachingHooks)
   else
     AbstractController::Caching.send(:include, Immunio::FragmentCachingHooks)
+    ActiveSupport::Cache::Store.send(:include, Immunio::CacheStoreHooks)
   end
 
   plugin.loaded! Rails.version

data/lib/immunio/plugins/active_record.rb

@@ -15,21 +15,37 @@ module Immunio
 
     IGNORED_TYPES = [TrueClass, FalseClass, NilClass, Fixnum, Bignum, Float].freeze
 
-    def quote_with_immunio(value, column = nil)
-      Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
-        if column
-          column_name = column.name
-        else
-          column_name = nil
-        end
+    if Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR > 0
+      # Passing a column to `quote` has been deprecated in 5.0.
+      def quote_with_immunio(value)
+        Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
+          # Ignored empty strings and values that can't contain injections.
+          unless value.blank? || IGNORED_TYPES.include?(value.class)
+            QueryTracker.instance.add_param nil, value.to_s, object_id
+          end
 
-        # Ignored empty strings and values that can't contain injections.
-        unless value.blank? || IGNORED_TYPES.include?(value.class)
-          QueryTracker.instance.add_param column_name, value.to_s, object_id
+          Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
+            quote_without_immunio(value)
+          end
         end
+      end
+    else
+      def quote_with_immunio(value, column = nil)
+        Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
+          if column
+            column_name = column.name
+          else
+            column_name = nil
+          end
+
+          # Ignored empty strings and values that can't contain injections.
+          unless value.blank? || IGNORED_TYPES.include?(value.class)
+            QueryTracker.instance.add_param column_name, value.to_s, object_id
+          end
 
-        Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
-          quote_without_immunio(value, column)
+          Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
+            quote_without_immunio(value, column)
+          end
         end
       end
     end
@@ -629,21 +645,26 @@ module Immunio
             # When using the activerecord-sqlserver-adapter gem, the "column" is
             # the actual param name.
             name = column.respond_to?(:name) ? column.name : column.to_s
-            params[name] = value.to_s
+
+            # Some AR tests (sqlite3 in particular) initialize a QueryAttribute
+            # with a nil `name`. This guards againt passing a nil key to Lua.
+            params[name] = value.to_s if name
           end
         end
 
         strict_context, loose_context, stack = Immunio::Context.context context_data
 
         # Send in additional_context_data for debugging purposes
-        Immunio.run_hook! "active_record", "sql_execute", sql: payload[:sql],
-                                                          connection_uuid: connection_id.to_s,
-                                                          params: params,
-                                                          modifiers: modifiers,
-                                                          context_key: strict_context,
-                                                          loose_context_key: loose_context,
-                                                          stack: stack,
-                                                          additional_context_data: context_data
+        Immunio.run_hook! "active_record",
+                          "sql_execute",
+                          sql: payload[:sql],
+                          connection_uuid: connection_id.to_s,
+                          params: params,
+                          modifiers: modifiers,
+                          context_key: strict_context,
+                          loose_context_key: loose_context,
+                          stack: stack,
+                          additional_context_data: context_data
 
         reset relation_id
       end
@@ -673,13 +694,18 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      Immunio::Utils.alias_method_chain self, :log, :immunio if method_defined? :log
+      # As of Rails 5.1, :log is now private
+      if method_defined?(:log) || private_instance_methods.include?(:log)
+        Immunio::Utils.alias_method_chain self, :log, :immunio
+      end
     end
 
     def log_with_immunio(sql, name = "SQL", binds = [], *args)
-      QueryTracker.instance.call sql: sql,
-                                 connection_id: object_id,
-                                 binds: binds
+      # Some rails tests (in particular postresql) call :log with nil `sql`.
+      QueryTracker.instance.call(
+        sql: sql,
+        connection_id: object_id,
+        binds: binds) if sql
 
       # Log and execute the query
       log_without_immunio(sql, name, binds, *args) { yield }

data/lib/immunio/plugins/active_record_relation.rb

@@ -211,6 +211,9 @@ module Immunio
         :where!,
         :build_where
       ]
+
+      # Prevent infinite recursion!
+      self.methods_to_wrap.delete :merge
     end
 
     self.methods_to_wrap.each do |method|
@@ -267,13 +270,13 @@ module Immunio
 
     # When a statement is executed, push the original relation onto the
     # connection relation stack.
-    def execute_with_immunio(*args)
+    def execute_with_immunio(*args, &block)
       Request.time "plugin", "Immunio::RelationTracking" do
         QueryTracker.instance.push_relation @__immunio_relation
       end
 
       begin
-        execute_without_immunio(*args)
+        execute_without_immunio(*args, &block)
       ensure
         Request.time "plugin", "Immunio::RelationTracking" do
           QueryTracker.instance.pop_relation @__immunio_relation
@@ -300,60 +303,111 @@ module Immunio
   module HasManyThroughAssociationHooks
     extend ActiveSupport::Concern
 
-  private
+    private
+
     # One off, non-ActiveRecord::Relation method that under one condition
     # executes a query in Rails 4.1 and up. Unfortunately, wrapping won't work
     # as the relation used to generate the query is a temporary relation that is
     # created in the method. The easiest way to deal with it, though very hacky,
     # is to copy the method from upstream Rails and push the temporary relation
     # onto the stack for the connection right before the query is executed.
-    def delete_records_with_immunio(records, method, *args)
-      scope = through_association.scope
+    if Rails::VERSION::MAJOR == 4 && Rails::VERSION::MINOR >= 1
+      def delete_records_with_immunio(records, method, *args)
+        scope = through_association.scope
 
-      unless method == :destroy && !scope.klass.primary_key
-        return delete_records_without_immunio(records, method, *args)
-      end
+        unless method == :destroy && !scope.klass.primary_key
+          return delete_records_without_immunio(records, method, *args)
+        end
 
-      # From here on down, copied from upstream Rails 4.2. Verified to work on
-      # Rails 4.1, too.
-      ensure_not_nested
+        # From here on down, copied from upstream Rails 4.2. Verified to work on
+        # Rails 4.1, too.
+        ensure_not_nested
 
-      scope.where! construct_join_attributes(*records)
+        scope.where! construct_join_attributes(*records)
 
-      scope.each do |record|
-        record.run_callbacks :destroy
-      end
+        scope.each do |record|
+          record.run_callbacks :destroy
+        end
 
-      arel = scope.arel
+        arel = scope.arel
 
-      stmt = Arel::DeleteManager.new arel.engine
-      stmt.from scope.klass.arel_table
-      stmt.wheres = arel.constraints
+        stmt = Arel::DeleteManager.new arel.engine
+        stmt.from scope.klass.arel_table
+        stmt.wheres = arel.constraints
 
-      Request.time "plugin", "Immunio::RelationTracking" do
-        QueryTracker.instance.push_relation scope
+        Request.time "plugin", "Immunio::RelationTracking" do
+          QueryTracker.instance.push_relation scope
+        end
+
+        begin
+          count = scope.klass.connection.delete(stmt, 'SQL', scope.bind_values)
+        ensure
+          Request.time "plugin", "Immunio::RelationTracking" do
+            QueryTracker.instance.pop_relation scope
+          end
+        end
+
+        delete_through_records(records)
+
+        if source_reflection.options[:counter_cache] && method != :destroy
+          counter = source_reflection.counter_cache_column
+          klass.decrement_counter counter, records.map(&:id)
+        end
+
+        if through_reflection.collection? && update_through_counter?(method)
+          update_counter(-count, through_reflection)
+        end
+
+        update_counter(-count)
       end
+    end
+
+    if Rails::VERSION::MAJOR == 5
+      def delete_records_with_immunio(records, method)
+        scope = through_association.scope
+
+        unless method == :destroy && !scope.klass.primary_key
+          return delete_records_without_immunio(records, method)
+        end
+
+        # From here on down, copied from upstream Rails 5.1.
+        ensure_not_nested
+
+        scope.where! construct_join_attributes(*records)
+
+        scope.each(&:_run_destroy_callbacks)
+
+        arel = scope.arel
+
+        stmt = Arel::DeleteManager.new
+        stmt.from scope.klass.arel_table
+        stmt.wheres = arel.constraints
 
-      begin
-        count = scope.klass.connection.delete(stmt, 'SQL', scope.bind_values)
-      ensure
         Request.time "plugin", "Immunio::RelationTracking" do
-          QueryTracker.instance.pop_relation scope
+          QueryTracker.instance.push_relation scope
         end
-      end
 
-      delete_through_records(records)
+        begin
+          count = scope.klass.connection.delete(stmt, "SQL", scope.bound_attributes)
+        ensure
+          Request.time "plugin", "Immunio::RelationTracking" do
+            QueryTracker.instance.pop_relation scope
+          end
+        end
 
-      if source_reflection.options[:counter_cache] && method != :destroy
-        counter = source_reflection.counter_cache_column
-        klass.decrement_counter counter, records.map(&:id)
-      end
+        delete_through_records(records)
 
-      if through_reflection.collection? && update_through_counter?(method)
-        update_counter(-count, through_reflection)
-      end
+        if source_reflection.options[:counter_cache] && method != :destroy
+          counter = source_reflection.counter_cache_column
+          klass.decrement_counter counter, records.map(&:id)
+        end
 
-      update_counter(-count)
+        if through_reflection.collection? && update_through_counter?(method)
+          update_counter(-count, through_reflection)
+        else
+          update_counter(-count)
+        end
+      end
     end
 
     included do

data/lib/immunio/plugins/csrf.rb

@@ -3,23 +3,35 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      if method_defined? :verify_authenticity_token
-        Immunio::Utils.alias_method_chain self, :verify_authenticity_token, :immunio
+      # As of Rails 5.1, :verify_authenticity_token is now private
+      if method_defined?(:verify_authenticity_token) ||
+         private_instance_methods.include?(:verify_authenticity_token)
+
+        Immunio::Utils.alias_method_chain(
+          self,
+          :verify_authenticity_token,
+          :immunio
+        )
       end
     end
 
     protected
-      def verify_authenticity_token_with_immunio
-        Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
-          Immunio.logger.debug { "ActiveSupport checking CSRF token" }
 
-          Immunio.run_hook! "csrf", "framework_csrf_check", valid: verified_request?
+    def verify_authenticity_token_with_immunio
+      Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
+        Immunio.logger.debug { "ActiveSupport checking CSRF token" }
+
+        Immunio.run_hook!(
+          "csrf",
+          "framework_csrf_check",
+          valid: verified_request?
+        )
 
-          Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
-            verify_authenticity_token_without_immunio
-          end
+        Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
+          verify_authenticity_token_without_immunio
         end
       end
+    end
   end
 end
 

data/lib/immunio/plugins/redirect.rb

@@ -5,7 +5,9 @@ module Immunio
     extend ActiveSupport::Concern
 
     included do
-      Immunio::Utils.alias_method_chain self, :redirect_to, :immunio if method_defined? :redirect_to
+      if method_defined? :redirect_to
+        Immunio::Utils.alias_method_chain self, :redirect_to, :immunio
+      end
     end
 
     protected

data/lib/immunio/processor.rb

@@ -135,7 +135,7 @@ module Immunio
     def run_hook(plugin, hook, meta={})
       request = Request.current
 
-      # Hooks called outside of a request are ignored since they are triggered while the framework is loaded.
+        # Hooks called outside of a request are ignored since they are triggered while the framework is loaded.
       return {} unless request
 
       # Notify about the hook. This has no perf cost if there are no subscribers.

data/lib/immunio/version.rb

@@ -1,5 +1,5 @@
 module Immunio
   AGENT_TYPE = "agent-ruby"
-  VERSION = "1.1.18"
+  VERSION = "1.1.19"
   VM_VERSION = "2.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-  version: 1.1.18
+  version: 1.1.19
 platform: ruby
 authors:
 - Immunio
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-18 00:00:00.000000000 Z
+date: 2017-07-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -464,9 +464,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
 summary: Immunio Ruby agent
 test_files: []
-has_rdoc: