immunio 1.1.19 → 1.2.1

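--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: f0cf95fe27e81261056bdc9388cb78021e3f3e33
-data.tar.gz: 91d07872cd32dbc236299020a62337c1296691ce
+metadata.gz: c287a47d42c9475ecbae55e00ff6c4e14cd45e4f
+data.tar.gz: 89925d6f6c506a1a42a3a64c9f6f290ab5e1fb46
 SHA512:
-metadata.gz: c4d6a75b2a7d974ccd9cfc3e3e7c6744f72330ae6f4f23c926021ba002635a4bf807b32e8b15be17c39a70d3cba90a4f4da67c4ab003c70b466e7240b152e9e8
-data.tar.gz: fd8e3009626ddbb2a97b1b72ce542f37f5df6d6b7f59f291738de125ec6c8ee312926791dbcf5eda634198a718ca6f107a0daf1f5e771322c23d054950f0d13a
+metadata.gz: cac6affff43c65bccfcd448958b350a4690af6de096c6f43d5d240ad352bc62e4521d5f7c5a023ec68b9a5867be9d8a00ef3297d4460441be7a37dcc2f95f547
+data.tar.gz: 59d721edc0ed0d570574aa9e328b57744b76d42d89a1ba96966460739359b2bcc96254a21302b9f6c4880565e4830277aa024e78374b2a902da66e5a21e9c7a4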
@@ -58,6 +58,7 @@ module Immunio
58
58
  # hash: { foo: ['bar', 'baz'] }
59
59
  # -> 'hash[foo]' => ['bar', 'baz']
60
60
  #
61
+ # A complex form like:
61
62
  # user: {
62
63
  # name: 'john',
63
64
  # email: 'john@example.com',
@@ -75,38 +76,66 @@ module Immunio
75
76
  # 'user[address_attributes][city]' => ['Montreal'],
76
77
  # 'user[address_attributes][id]' => ['1']
77
78
  #
79
+ #
80
+ # A malicious payload like:
81
+ #
82
+ # "evil" =>
83
+ # {
84
+ # "payload" =>
85
+ # [
86
+ # {
87
+ # "lurks" =>
88
+ # [
89
+ # {
90
+ # "here" =>
91
+ # [
92
+ # {"indeed" => "1" }
93
+ # ]
94
+ # }
95
+ # ]
96
+ # }
97
+ # ]
98
+ # }
99
+ #
100
+ # becomes:
101
+ #
102
+ # "evil[payload]" => ["{\"lurks\"=>[{\"here\"=>[{\"indeed\"=>\"1\"}]}]}"]
103
+ #
78
104
  def convert_value(hash, key, value, nested_keys = nil)
79
105
  # Filter out UploadedFile.
80
106
  unless value.respond_to?(:open)
81
107
  if value.respond_to?(:keys)
82
- nested = nested_keys ? nested_keys : "#{key}"
108
+ nested = nested_keys ? nested_keys : key
83
109
  value.each do |k, val|
84
110
  if val.respond_to?(:keys)
85
111
  convert_value(hash, k, val, nested + "[#{k}]")
86
112
  else
87
- hash["#{nested}[#{k}]"] = [val].flatten
113
+ hash["#{nested}[#{k}]"] = [val].flatten.map(&:to_s)
88
114
  end
89
115
  end
90
116
  else
91
- hash[key] = [value].flatten
117
+ hash[key] = [value].flatten.map(&:to_s)
92
118
  end
93
119
  end
94
120
  end
95
121
 
96
122
  def request_parameters_with_immunio
97
123
  params = request_parameters_without_immunio
98
-
99
124
  Request.time 'plugin', "#{Module.nesting[0]}::#{__method__}" do
100
125
  if params.any?
101
126
  filtered = {}.tap do |hash|
102
127
  params.each do |key, value|
103
- convert_value(hash, key, value)
128
+ # Ensure top-level keys are strings
129
+ k = key.is_a?(String) ? key : key.to_s
130
+ convert_value(hash, k, value)
104
131
  end
105
132
  end
133
+
106
134
  Immunio.run_hook!(
107
135
  'action_dispatch',
108
136
  'framework_input_params',
109
- params: filtered)
137
+ params: filtered
138
+ )
110
139
  end
111
140
  end
112
141
 
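Review bot: `[val].flatten.map(&:to_s)` (and the same expression in the `else` branch) turns a `nil` value into `""`, so a parameter sent without a value is no longer distinguishable from an empty string, and any Hash left inside an array is serialised with `Hash#to_s`, i.e. `inspect` output, whose format depends on the Ruby version (3.4 puts spaces around `=>`), so the documented `"{\"lurks\"=>...}"` form is not stable and is a representation the application itself never parses. If consumers of `framework_input_params` pattern-match on these values, the inspect quoting differs from what the application sees; consider a deterministic serialisation, or recursing into array elements that respond to `:keys`, and record the choice in the comment, e.g. `# Non-scalar values are stringified with #to_s (Hash#inspect format); nil becomes "".` In `request_parameters_with_immunio`, `k = key.is_a?(String) ? key : key.to_s` reduces to `k = key.to_s`, since `String#to_s` returns self.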
@@ -600,9 +600,24 @@ module Immunio
600
600
  @relation_data[relation_id][:ast_data] << "Arel AST visited node: #{ast_node_name}"
601
601
  end
602
602
 
603
+ # Adapter name / db_dialect
604
+ DIALECTS = {
605
+ sqlite: 'sqlite3',
606
+ postgres: 'postgres',
607
+ mysql: 'mysql',
608
+ mysql2: 'mysql',
609
+ ibm_db: 'db2',
610
+ oracle: 'oracle',
611
+ oracleenhanced: 'oracle',
612
+ }.freeze
613
+
614
+ def db_dialect(adapter_name)
615
+ DIALECTS.fetch(adapter_name.downcase.to_sym, 'unknown')
616
+ end
617
+
603
618
  # Evaluate a SQL call. This occurs after Arel AST conversion of a relation
604
619
  # to a statement.
605
- def call(payload)
620
+ def call(payload, adapter_name)
606
621
  Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
607
622
  # The #{payload} in the log string is causing lots of Rails 3.2
608
623
  # upstream test failures with Ruby 1.9.3.
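Review bot: `db_dialect` calls `adapter_name.downcase` with no nil guard, and `call` now requires a second positional argument, so any caller not updated to pass `adapter_name` raises ArgumentError inside the SQL logging path; the only caller updated in this release is `log_with_immunio` in the @@ -703 hunk, and the lookup is used again in the @@ -659 hunk. Making the argument optional and coercing before lookup keeps older call sites working: `def call(payload, adapter_name = nil)` and `DIALECTS.fetch(adapter_name.to_s.downcase.to_sym, 'unknown')`. `to_sym` is acceptable here only because adapter names come from the connection adapter rather than from request data; a one-line comment on `DIALECTS` saying so would make that explicit. The body of `call` continues outside the hunk.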
@@ -659,6 +674,7 @@ module Immunio
659
674
  "sql_execute",
660
675
  sql: payload[:sql],
661
676
  connection_uuid: connection_id.to_s,
677
+ db_dialect: db_dialect(adapter_name),
662
678
  params: params,
663
679
  modifiers: modifiers,
664
680
  context_key: strict_context,
@@ -703,9 +719,12 @@ module Immunio
703
719
  def log_with_immunio(sql, name = "SQL", binds = [], *args)
704
720
  # Some rails tests (in particular postresql) call :log with nil `sql`.
705
721
  QueryTracker.instance.call(
706
- sql: sql,
707
- connection_id: object_id,
708
- binds: binds) if sql
722
+ {
723
+ sql: sql,
724
+ connection_id: object_id,
725
+ binds: binds
726
+ },
727
+ adapter_name) if sql
709
728
 
710
729
  # Log and execute the query
711
730
  log_without_immunio(sql, name, binds, *args) { yield }
@@ -213,6 +213,7 @@ module Immunio
213
213
  # so to be on the safe side make sure we catch anything raised within the VM call --ol
214
214
  rescue StandardError => e
215
215
  # Log and discard VM errors
216
+ Immunio.logger.debug { request.inspect }
216
217
 
217
218
  log_and_send_error e, "Error running hook #{hook}",
218
219
  request_id: request.id,
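Review bot: `Immunio.logger.debug { request.inspect }` writes the whole agent request object into the log on every VM error, which presumably includes headers, cookies, parameters and session data that the call two lines below reports only by id; at debug level this is easy to leave enabled in production and copies that data into logs with different retention and access control. Prefer the identifiers already in scope, e.g. `Immunio.logger.debug { "VM error in hook #{hook} for request #{request.id}" }`, or redact before inspecting. The rescue clause and the enclosing method start outside the hunk.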
@@ -1,5 +1,5 @@
1
1
  module Immunio
2
2
  AGENT_TYPE = "agent-ruby"
3
- VERSION = "1.1.19"
3
+ VERSION = "1.2.1"
4
4
  VM_VERSION = "2.2.0"
5
5
  end
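--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: immunio
 version: !ruby/object:Gem::Version
-version: 1.1.19
+version: 1.2.1
 platform: ruby
 authors:
 - Immunio
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-07-31 00:00:00.000000000 Z
+date: 2017-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rails
@@ -438,10 +438,6 @@ files:
 - lua-hooks/ext/sysutils/lua_utils.c
 - lua-hooks/ext/sysutils/module.mk
 - lua-hooks/lib/boot.lua
-- lua-hooks/lib/hooks/module.mk
-- lua-hooks/lib/hooks/xss/module.mk
-- lua-hooks/lib/lexers/module.mk
-- lua-hooks/lib/module.mk
 - lua-hooks/options.mk
 homepage: http://immun.io/
 licenses: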
@@ -1,36 +0,0 @@
1
- MODULES := lib/hooks/xss
2
-
3
-
4
- LUA_PROTECT_SRC += \
5
- lib/hooks/file_io.lua \
6
- lib/hooks/framework_redirect.lua \
7
- lib/hooks/template_render_done.lua \
8
- lib/hooks/sql_execute.lua \
9
-
10
- LUA_BASE_SRC += \
11
- lib/hooks/authenticate.lua \
12
- lib/hooks/bad_cookie.lua \
13
- lib/hooks/custom_event.lua \
14
- lib/hooks/custom_threat.lua \
15
- lib/hooks/encode.lua \
16
- lib/hooks/eval.lua \
17
- lib/hooks/exception.lua \
18
- lib/hooks/framework_csrf_check.lua \
19
- lib/hooks/framework_login.lua \
20
- lib/hooks/framework_password_reset.lua \
21
- lib/hooks/framework_account_created.lua \
22
- lib/hooks/framework_session.lua \
23
- lib/hooks/framework_user.lua \
24
- lib/hooks/framework_route.lua \
25
- lib/hooks/framework_bad_response_header.lua \
26
- lib/hooks/framework_input_params.lua \
27
- lib/hooks/get_telemetry_config.lua \
28
- lib/hooks/headers/header_validation.lua \
29
- lib/hooks/headers/useragent.lua \
30
- lib/hooks/http_request_finish.lua \
31
- lib/hooks/http_request_start.lua \
32
- lib/hooks/http_response_start.lua \
33
- lib/hooks/mongodb_execute.lua \
34
- lib/hooks/should_report.lua \
35
-
36
- include $(patsubst %, %/module.mk,$(MODULES))
@@ -1,4 +0,0 @@
1
- LUA_PROTECT_SRC += \
2
- lib/hooks/xss/escape.lua \
3
- lib/hooks/xss/escape_js.lua \
4
- lib/hooks/xss/html_const.lua
@@ -1,9 +0,0 @@
1
- LUA_BASE_SRC += \
2
- lib/lexers/bash.lua \
3
- lib/lexers/css_attr.lua \
4
- lib/lexers/css.lua \
5
- lib/lexers/html.lua \
6
- lib/lexers/html_entities.lua \
7
- lib/lexers/html_entities_ws.lua \
8
- lib/lexers/javascript.lua \
9
- lib/lexers/markers.lua
@@ -1,42 +0,0 @@
1
- MODULES := lib/hooks lib/lexers
2
-
3
- LUA_BASE_SRC += \
4
- lib/base64.lua \
5
- lib/bit.lua \
6
- lib/cookie.lua \
7
- lib/counters.lua \
8
- lib/DataDumper.lua \
9
- lib/date.lua \
10
- lib/defence.lua \
11
- lib/diag.lua \
12
- lib/dkjson.lua \
13
- lib/extensions.lua \
14
- lib/globtopattern.lua \
15
- lib/hkdf.lua \
16
- lib/hmac.lua \
17
- lib/hooks.lua \
18
- lib/idn.lua \
19
- lib/immunio-schemas/immunio_schemas/schemas/request_schema.lua \
20
- lib/immunio-schemas/immunio_schemas/schemas/validation.lua \
21
- lib/ip.lua \
22
- lib/learn.lua \
23
- lib/lexgraph.lua \
24
- lib/lexer.lua \
25
- lib/lru.lua \
26
- lib/neturl.lua \
27
- lib/pathname.lua \
28
- lib/perf.lua \
29
- lib/permit.lua \
30
- lib/profiler.lua \
31
- lib/real_ip.lua \
32
- lib/sanitize_sql.lua \
33
- lib/sanitize_command.lua \
34
- lib/semver.lua \
35
- lib/sha1.lua \
36
- lib/snap.lua \
37
- lib/term.lua \
38
- lib/tracking.lua \
39
- lib/utils.lua \
40
- lib/verb_tamper.lua
41
-
42
- include $(patsubst %, %/module.mk,$(MODULES))