immunio 1.1.19 → 1.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: f0cf95fe27e81261056bdc9388cb78021e3f3e33
4
- data.tar.gz: 91d07872cd32dbc236299020a62337c1296691ce
3
+ metadata.gz: c287a47d42c9475ecbae55e00ff6c4e14cd45e4f
4
+ data.tar.gz: 89925d6f6c506a1a42a3a64c9f6f290ab5e1fb46
5
5
  SHA512:
6
- metadata.gz: c4d6a75b2a7d974ccd9cfc3e3e7c6744f72330ae6f4f23c926021ba002635a4bf807b32e8b15be17c39a70d3cba90a4f4da67c4ab003c70b466e7240b152e9e8
7
- data.tar.gz: fd8e3009626ddbb2a97b1b72ce542f37f5df6d6b7f59f291738de125ec6c8ee312926791dbcf5eda634198a718ca6f107a0daf1f5e771322c23d054950f0d13a
6
+ metadata.gz: cac6affff43c65bccfcd448958b350a4690af6de096c6f43d5d240ad352bc62e4521d5f7c5a023ec68b9a5867be9d8a00ef3297d4460441be7a37dcc2f95f547
7
+ data.tar.gz: 59d721edc0ed0d570574aa9e328b57744b76d42d89a1ba96966460739359b2bcc96254a21302b9f6c4880565e4830277aa024e78374b2a902da66e5a21e9c7a4
@@ -58,6 +58,7 @@ module Immunio
58
58
  # hash: { foo: ['bar', 'baz'] }
59
59
  # -> 'hash[foo]' => ['bar', 'baz']
60
60
  #
61
+ # A complex form like:
61
62
  # user: {
62
63
  # name: 'john',
63
64
  # email: 'john@example.com',
@@ -75,38 +76,66 @@ module Immunio
75
76
  # 'user[address_attributes][city]' => ['Montreal'],
76
77
  # 'user[address_attributes][id]' => ['1']
77
78
  #
79
+ #
80
+ # A malicious payload like:
81
+ #
82
+ # "evil" =>
83
+ # {
84
+ # "payload" =>
85
+ # [
86
+ # {
87
+ # "lurks" =>
88
+ # [
89
+ # {
90
+ # "here" =>
91
+ # [
92
+ # {"indeed" => "1" }
93
+ # ]
94
+ # }
95
+ # ]
96
+ # }
97
+ # ]
98
+ # }
99
+ #
100
+ # becomes:
101
+ #
102
+ # "evil[payload]" => ["{\"lurks\"=>[{\"here\"=>[{\"indeed\"=>\"1\"}]}]}"]
103
+ #
78
104
  def convert_value(hash, key, value, nested_keys = nil)
79
105
  # Filter out UploadedFile.
80
106
  unless value.respond_to?(:open)
81
107
  if value.respond_to?(:keys)
82
- nested = nested_keys ? nested_keys : "#{key}"
108
+ nested = nested_keys ? nested_keys : key
83
109
  value.each do |k, val|
84
110
  if val.respond_to?(:keys)
85
111
  convert_value(hash, k, val, nested + "[#{k}]")
86
112
  else
87
- hash["#{nested}[#{k}]"] = [val].flatten
113
+ hash["#{nested}[#{k}]"] = [val].flatten.map(&:to_s)
88
114
  end
89
115
  end
90
116
  else
91
- hash[key] = [value].flatten
117
+ hash[key] = [value].flatten.map(&:to_s)
92
118
  end
93
119
  end
94
120
  end
95
121
 
96
122
  def request_parameters_with_immunio
97
123
  params = request_parameters_without_immunio
98
-
99
124
  Request.time 'plugin', "#{Module.nesting[0]}::#{__method__}" do
100
125
  if params.any?
101
126
  filtered = {}.tap do |hash|
102
127
  params.each do |key, value|
103
- convert_value(hash, key, value)
128
+ # Ensure top-level keys are strings
129
+ k = key.is_a?(String) ? key : key.to_s
130
+ convert_value(hash, k, value)
104
131
  end
105
132
  end
133
+
106
134
  Immunio.run_hook!(
107
135
  'action_dispatch',
108
136
  'framework_input_params',
109
- params: filtered)
137
+ params: filtered
138
+ )
110
139
  end
111
140
  end
112
141
 
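Review bot: `nested = nested_keys ? nested_keys : key` now depends on every caller stringifying `key` first, because a Symbol key reaching the recursive `nested + "[#{k}]"` raises NoMethodError (Symbol has no `+`); the removed `"#{key}"` guarded that inside the helper, and `nested = nested_keys || key.to_s` restores it while reading as the usual idiom. The caller's `k = key.is_a?(String) ? key : key.to_s` is equivalent to `k = key.to_s`, since `String#to_s` returns the receiver. Note also that `[val].flatten.map(&:to_s)` turns any Hash sitting inside an Array into its `inspect` string, so keys nested that way (the documented `"evil[payload]"` case) reach the `framework_input_params` hook as one opaque value rather than as addressable parameters; if that containment is intended, a one-line comment on the two `map(&:to_s)` lines saying so would save the next reader from "fixing" it. request_parameters_with_immunio's closing `end` lies outside the hunk.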
@@ -600,9 +600,24 @@ module Immunio
600
600
  @relation_data[relation_id][:ast_data] << "Arel AST visited node: #{ast_node_name}"
601
601
  end
602
602
 
603
+ # Adapter name / db_dialect
604
+ DIALECTS = {
605
+ sqlite: 'sqlite3',
606
+ postgres: 'postgres',
607
+ mysql: 'mysql',
608
+ mysql2: 'mysql',
609
+ ibm_db: 'db2',
610
+ oracle: 'oracle',
611
+ oracleenhanced: 'oracle',
612
+ }.freeze
613
+
614
+ def db_dialect(adapter_name)
615
+ DIALECTS.fetch(adapter_name.downcase.to_sym, 'unknown')
616
+ end
617
+
603
618
  # Evaluate a SQL call. This occurs after Arel AST conversion of a relation
604
619
  # to a statement.
605
- def call(payload)
620
+ def call(payload, adapter_name)
606
621
  Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
607
622
  # The #{payload} in the log string is causing lots of Rails 3.2
608
623
  # upstream test failures with Ruby 1.9.3.
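Review bot: `db_dialect` keys DIALECTS on `adapter_name.downcase.to_sym`, but if the value passed in is Rails' `AbstractAdapter#adapter_name` (the `log_with_immunio` hunk further down forwards it from the adapter), the PostgreSQL adapter reports `"PostgreSQL"`, which downcases to `:postgresql`, misses the `postgres:` entry and is sent to the `sql_execute` hook as `'unknown'`, silently degrading whatever dialect-specific handling that hook does. Adding `postgresql: 'postgres',` to DIALECTS (constructed here; confirm against the adapter versions the gem supports) would cover it, and `adapter_name.to_s.downcase.to_sym` would keep a nil adapter name at `'unknown'` instead of raising inside the query path. The same lookup feeds the `db_dialect:` line in the `@@ -659` hunk. `call` continues past the end of this hunk.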
@@ -659,6 +674,7 @@ module Immunio
659
674
  "sql_execute",
660
675
  sql: payload[:sql],
661
676
  connection_uuid: connection_id.to_s,
677
+ db_dialect: db_dialect(adapter_name),
662
678
  params: params,
663
679
  modifiers: modifiers,
664
680
  context_key: strict_context,
@@ -703,9 +719,12 @@ module Immunio
703
719
  def log_with_immunio(sql, name = "SQL", binds = [], *args)
704
720
  # Some rails tests (in particular postresql) call :log with nil `sql`.
705
721
  QueryTracker.instance.call(
706
- sql: sql,
707
- connection_id: object_id,
708
- binds: binds) if sql
722
+ {
723
+ sql: sql,
724
+ connection_id: object_id,
725
+ binds: binds
726
+ },
727
+ adapter_name) if sql
709
728
 
710
729
  # Log and execute the query
711
730
  log_without_immunio(sql, name, binds, *args) { yield }
@@ -213,6 +213,7 @@ module Immunio
213
213
  # so to be on the safe side make sure we catch anything raised within the VM call --ol
214
214
  rescue StandardError => e
215
215
  # Log and discard VM errors
216
+ Immunio.logger.debug { request.inspect }
216
217
 
217
218
  log_and_send_error e, "Error running hook #{hook}",
218
219
  request_id: request.id,
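Review bot: `Immunio.logger.debug { request.inspect }` writes the whole request object to the log every time a hook raises; if that object carries headers, cookies or parameters (which the surrounding hook plumbing suggests, though the class is not in the hunk), session tokens and form credentials land in the debug log on any deployment running at that level. The `log_and_send_error` call just below already reports `request_id: request.id`, so correlation does not need the full dump; a line such as `Immunio.logger.debug { "Hook #{hook} raised #{e.class} for request #{request.id}" }` keeps the diagnostic without the payload. The rescuing method starts and ends outside the hunk.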
@@ -1,5 +1,5 @@
1
1
  module Immunio
2
2
  AGENT_TYPE = "agent-ruby"
3
- VERSION = "1.1.19"
3
+ VERSION = "1.2.1"
4
4
  VM_VERSION = "2.2.0"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: immunio
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.19
4
+ version: 1.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Immunio
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-07-31 00:00:00.000000000 Z
11
+ date: 2017-08-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails
@@ -438,10 +438,6 @@ files:
438
438
  - lua-hooks/ext/sysutils/lua_utils.c
439
439
  - lua-hooks/ext/sysutils/module.mk
440
440
  - lua-hooks/lib/boot.lua
441
- - lua-hooks/lib/hooks/module.mk
442
- - lua-hooks/lib/hooks/xss/module.mk
443
- - lua-hooks/lib/lexers/module.mk
444
- - lua-hooks/lib/module.mk
445
441
  - lua-hooks/options.mk
446
442
  homepage: http://immun.io/
447
443
  licenses:
@@ -1,36 +0,0 @@
1
- MODULES := lib/hooks/xss
2
-
3
-
4
- LUA_PROTECT_SRC += \
5
- lib/hooks/file_io.lua \
6
- lib/hooks/framework_redirect.lua \
7
- lib/hooks/template_render_done.lua \
8
- lib/hooks/sql_execute.lua \
9
-
10
- LUA_BASE_SRC += \
11
- lib/hooks/authenticate.lua \
12
- lib/hooks/bad_cookie.lua \
13
- lib/hooks/custom_event.lua \
14
- lib/hooks/custom_threat.lua \
15
- lib/hooks/encode.lua \
16
- lib/hooks/eval.lua \
17
- lib/hooks/exception.lua \
18
- lib/hooks/framework_csrf_check.lua \
19
- lib/hooks/framework_login.lua \
20
- lib/hooks/framework_password_reset.lua \
21
- lib/hooks/framework_account_created.lua \
22
- lib/hooks/framework_session.lua \
23
- lib/hooks/framework_user.lua \
24
- lib/hooks/framework_route.lua \
25
- lib/hooks/framework_bad_response_header.lua \
26
- lib/hooks/framework_input_params.lua \
27
- lib/hooks/get_telemetry_config.lua \
28
- lib/hooks/headers/header_validation.lua \
29
- lib/hooks/headers/useragent.lua \
30
- lib/hooks/http_request_finish.lua \
31
- lib/hooks/http_request_start.lua \
32
- lib/hooks/http_response_start.lua \
33
- lib/hooks/mongodb_execute.lua \
34
- lib/hooks/should_report.lua \
35
-
36
- include $(patsubst %, %/module.mk,$(MODULES))
@@ -1,4 +0,0 @@
1
- LUA_PROTECT_SRC += \
2
- lib/hooks/xss/escape.lua \
3
- lib/hooks/xss/escape_js.lua \
4
- lib/hooks/xss/html_const.lua
@@ -1,9 +0,0 @@
1
- LUA_BASE_SRC += \
2
- lib/lexers/bash.lua \
3
- lib/lexers/css_attr.lua \
4
- lib/lexers/css.lua \
5
- lib/lexers/html.lua \
6
- lib/lexers/html_entities.lua \
7
- lib/lexers/html_entities_ws.lua \
8
- lib/lexers/javascript.lua \
9
- lib/lexers/markers.lua
@@ -1,42 +0,0 @@
1
- MODULES := lib/hooks lib/lexers
2
-
3
- LUA_BASE_SRC += \
4
- lib/base64.lua \
5
- lib/bit.lua \
6
- lib/cookie.lua \
7
- lib/counters.lua \
8
- lib/DataDumper.lua \
9
- lib/date.lua \
10
- lib/defence.lua \
11
- lib/diag.lua \
12
- lib/dkjson.lua \
13
- lib/extensions.lua \
14
- lib/globtopattern.lua \
15
- lib/hkdf.lua \
16
- lib/hmac.lua \
17
- lib/hooks.lua \
18
- lib/idn.lua \
19
- lib/immunio-schemas/immunio_schemas/schemas/request_schema.lua \
20
- lib/immunio-schemas/immunio_schemas/schemas/validation.lua \
21
- lib/ip.lua \
22
- lib/learn.lua \
23
- lib/lexgraph.lua \
24
- lib/lexer.lua \
25
- lib/lru.lua \
26
- lib/neturl.lua \
27
- lib/pathname.lua \
28
- lib/perf.lua \
29
- lib/permit.lua \
30
- lib/profiler.lua \
31
- lib/real_ip.lua \
32
- lib/sanitize_sql.lua \
33
- lib/sanitize_command.lua \
34
- lib/semver.lua \
35
- lib/sha1.lua \
36
- lib/snap.lua \
37
- lib/term.lua \
38
- lib/tracking.lua \
39
- lib/utils.lua \
40
- lib/verb_tamper.lua
41
-
42
- include $(patsubst %, %/module.mk,$(MODULES))