immunio 1.1.19 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/immunio/plugins/action_dispatch.rb +35 -6
- data/lib/immunio/plugins/active_record.rb +23 -4
- data/lib/immunio/processor.rb +1 -0
- data/lib/immunio/version.rb +1 -1
- metadata +2 -6
- data/lua-hooks/lib/hooks/module.mk +0 -36
- data/lua-hooks/lib/hooks/xss/module.mk +0 -4
- data/lua-hooks/lib/lexers/module.mk +0 -9
- data/lua-hooks/lib/module.mk +0 -42
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c287a47d42c9475ecbae55e00ff6c4e14cd45e4f
|
|
4
|
+
data.tar.gz: 89925d6f6c506a1a42a3a64c9f6f290ab5e1fb46
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cac6affff43c65bccfcd448958b350a4690af6de096c6f43d5d240ad352bc62e4521d5f7c5a023ec68b9a5867be9d8a00ef3297d4460441be7a37dcc2f95f547
|
|
7
|
+
data.tar.gz: 59d721edc0ed0d570574aa9e328b57744b76d42d89a1ba96966460739359b2bcc96254a21302b9f6c4880565e4830277aa024e78374b2a902da66e5a21e9c7a4
|
|
@@ -58,6 +58,7 @@ module Immunio
|
|
|
58
58
|
# hash: { foo: ['bar', 'baz'] }
|
|
59
59
|
# -> 'hash[foo]' => ['bar', 'baz']
|
|
60
60
|
#
|
|
61
|
+
# A complex form like:
|
|
61
62
|
# user: {
|
|
62
63
|
# name: 'john',
|
|
63
64
|
# email: 'john@example.com',
|
|
@@ -75,38 +76,66 @@ module Immunio
|
|
|
75
76
|
# 'user[address_attributes][city]' => ['Montreal'],
|
|
76
77
|
# 'user[address_attributes][id]' => ['1']
|
|
77
78
|
#
|
|
79
|
+
#
|
|
80
|
+
# A malicious payload like:
|
|
81
|
+
#
|
|
82
|
+
# "evil" =>
|
|
83
|
+
# {
|
|
84
|
+
# "payload" =>
|
|
85
|
+
# [
|
|
86
|
+
# {
|
|
87
|
+
# "lurks" =>
|
|
88
|
+
# [
|
|
89
|
+
# {
|
|
90
|
+
# "here" =>
|
|
91
|
+
# [
|
|
92
|
+
# {"indeed" => "1" }
|
|
93
|
+
# ]
|
|
94
|
+
# }
|
|
95
|
+
# ]
|
|
96
|
+
# }
|
|
97
|
+
# ]
|
|
98
|
+
# }
|
|
99
|
+
#
|
|
100
|
+
# becomes:
|
|
101
|
+
#
|
|
102
|
+
# "evil[payload]" => ["{\"lurks\"=>[{\"here\"=>[{\"indeed\"=>\"1\"}]}]}"]
|
|
103
|
+
#
|
|
78
104
|
def convert_value(hash, key, value, nested_keys = nil)
|
|
79
105
|
# Filter out UploadedFile.
|
|
80
106
|
unless value.respond_to?(:open)
|
|
81
107
|
if value.respond_to?(:keys)
|
|
82
|
-
nested = nested_keys ? nested_keys :
|
|
108
|
+
nested = nested_keys ? nested_keys : key
|
|
83
109
|
value.each do |k, val|
|
|
84
110
|
if val.respond_to?(:keys)
|
|
85
111
|
convert_value(hash, k, val, nested + "[#{k}]")
|
|
86
112
|
else
|
|
87
|
-
hash["#{nested}[#{k}]"] = [val].flatten
|
|
113
|
+
hash["#{nested}[#{k}]"] = [val].flatten.map(&:to_s)
|
|
88
114
|
end
|
|
89
115
|
end
|
|
90
116
|
else
|
|
91
|
-
hash[key] = [value].flatten
|
|
117
|
+
hash[key] = [value].flatten.map(&:to_s)
|
|
92
118
|
end
|
|
93
119
|
end
|
|
94
120
|
end
|
|
95
121
|
|
|
96
122
|
def request_parameters_with_immunio
|
|
97
123
|
params = request_parameters_without_immunio
|
|
98
|
-
|
|
99
124
|
Request.time 'plugin', "#{Module.nesting[0]}::#{__method__}" do
|
|
100
125
|
if params.any?
|
|
101
126
|
filtered = {}.tap do |hash|
|
|
102
127
|
params.each do |key, value|
|
|
103
|
-
|
|
128
|
+
# Ensure top-level keys are strings
|
|
129
|
+
k = key.is_a?(String) ? key : key.to_s
|
|
130
|
+
convert_value(hash, k, value)
|
|
104
131
|
end
|
|
105
132
|
end
|
|
133
|
+
|
|
106
134
|
Immunio.run_hook!(
|
|
107
135
|
'action_dispatch',
|
|
108
136
|
'framework_input_params',
|
|
109
|
-
params: filtered
|
|
137
|
+
params: filtered
|
|
138
|
+
)
|
|
110
139
|
end
|
|
111
140
|
end
|
|
112
141
|
|
|
@@ -600,9 +600,24 @@ module Immunio
|
|
|
600
600
|
@relation_data[relation_id][:ast_data] << "Arel AST visited node: #{ast_node_name}"
|
|
601
601
|
end
|
|
602
602
|
|
|
603
|
+
# Adapter name / db_dialect
|
|
604
|
+
DIALECTS = {
|
|
605
|
+
sqlite: 'sqlite3',
|
|
606
|
+
postgres: 'postgres',
|
|
607
|
+
mysql: 'mysql',
|
|
608
|
+
mysql2: 'mysql',
|
|
609
|
+
ibm_db: 'db2',
|
|
610
|
+
oracle: 'oracle',
|
|
611
|
+
oracleenhanced: 'oracle',
|
|
612
|
+
}.freeze
|
|
613
|
+
|
|
614
|
+
def db_dialect(adapter_name)
|
|
615
|
+
DIALECTS.fetch(adapter_name.downcase.to_sym, 'unknown')
|
|
616
|
+
end
|
|
617
|
+
|
|
603
618
|
# Evaluate a SQL call. This occurs after Arel AST conversion of a relation
|
|
604
619
|
# to a statement.
|
|
605
|
-
def call(payload)
|
|
620
|
+
def call(payload, adapter_name)
|
|
606
621
|
Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
|
|
607
622
|
# The #{payload} in the log string is causing lots of Rails 3.2
|
|
608
623
|
# upstream test failures with Ruby 1.9.3.
|
|
@@ -659,6 +674,7 @@ module Immunio
|
|
|
659
674
|
"sql_execute",
|
|
660
675
|
sql: payload[:sql],
|
|
661
676
|
connection_uuid: connection_id.to_s,
|
|
677
|
+
db_dialect: db_dialect(adapter_name),
|
|
662
678
|
params: params,
|
|
663
679
|
modifiers: modifiers,
|
|
664
680
|
context_key: strict_context,
|
|
@@ -703,9 +719,12 @@ module Immunio
|
|
|
703
719
|
def log_with_immunio(sql, name = "SQL", binds = [], *args)
|
|
704
720
|
# Some rails tests (in particular postresql) call :log with nil `sql`.
|
|
705
721
|
QueryTracker.instance.call(
|
|
706
|
-
|
|
707
|
-
|
|
708
|
-
|
|
722
|
+
{
|
|
723
|
+
sql: sql,
|
|
724
|
+
connection_id: object_id,
|
|
725
|
+
binds: binds
|
|
726
|
+
},
|
|
727
|
+
adapter_name) if sql
|
|
709
728
|
|
|
710
729
|
# Log and execute the query
|
|
711
730
|
log_without_immunio(sql, name, binds, *args) { yield }
|
data/lib/immunio/processor.rb
CHANGED
|
@@ -213,6 +213,7 @@ module Immunio
|
|
|
213
213
|
# so to be on the safe side make sure we catch anything raised within the VM call --ol
|
|
214
214
|
rescue StandardError => e
|
|
215
215
|
# Log and discard VM errors
|
|
216
|
+
Immunio.logger.debug { request.inspect }
|
|
216
217
|
|
|
217
218
|
log_and_send_error e, "Error running hook #{hook}",
|
|
218
219
|
request_id: request.id,
|
data/lib/immunio/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: immunio
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1
|
|
4
|
+
version: 1.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Immunio
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-08-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -438,10 +438,6 @@ files:
|
|
|
438
438
|
- lua-hooks/ext/sysutils/lua_utils.c
|
|
439
439
|
- lua-hooks/ext/sysutils/module.mk
|
|
440
440
|
- lua-hooks/lib/boot.lua
|
|
441
|
-
- lua-hooks/lib/hooks/module.mk
|
|
442
|
-
- lua-hooks/lib/hooks/xss/module.mk
|
|
443
|
-
- lua-hooks/lib/lexers/module.mk
|
|
444
|
-
- lua-hooks/lib/module.mk
|
|
445
441
|
- lua-hooks/options.mk
|
|
446
442
|
homepage: http://immun.io/
|
|
447
443
|
licenses:
|
|
@@ -1,36 +0,0 @@
|
|
|
1
|
-
MODULES := lib/hooks/xss
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
LUA_PROTECT_SRC += \
|
|
5
|
-
lib/hooks/file_io.lua \
|
|
6
|
-
lib/hooks/framework_redirect.lua \
|
|
7
|
-
lib/hooks/template_render_done.lua \
|
|
8
|
-
lib/hooks/sql_execute.lua \
|
|
9
|
-
|
|
10
|
-
LUA_BASE_SRC += \
|
|
11
|
-
lib/hooks/authenticate.lua \
|
|
12
|
-
lib/hooks/bad_cookie.lua \
|
|
13
|
-
lib/hooks/custom_event.lua \
|
|
14
|
-
lib/hooks/custom_threat.lua \
|
|
15
|
-
lib/hooks/encode.lua \
|
|
16
|
-
lib/hooks/eval.lua \
|
|
17
|
-
lib/hooks/exception.lua \
|
|
18
|
-
lib/hooks/framework_csrf_check.lua \
|
|
19
|
-
lib/hooks/framework_login.lua \
|
|
20
|
-
lib/hooks/framework_password_reset.lua \
|
|
21
|
-
lib/hooks/framework_account_created.lua \
|
|
22
|
-
lib/hooks/framework_session.lua \
|
|
23
|
-
lib/hooks/framework_user.lua \
|
|
24
|
-
lib/hooks/framework_route.lua \
|
|
25
|
-
lib/hooks/framework_bad_response_header.lua \
|
|
26
|
-
lib/hooks/framework_input_params.lua \
|
|
27
|
-
lib/hooks/get_telemetry_config.lua \
|
|
28
|
-
lib/hooks/headers/header_validation.lua \
|
|
29
|
-
lib/hooks/headers/useragent.lua \
|
|
30
|
-
lib/hooks/http_request_finish.lua \
|
|
31
|
-
lib/hooks/http_request_start.lua \
|
|
32
|
-
lib/hooks/http_response_start.lua \
|
|
33
|
-
lib/hooks/mongodb_execute.lua \
|
|
34
|
-
lib/hooks/should_report.lua \
|
|
35
|
-
|
|
36
|
-
include $(patsubst %, %/module.mk,$(MODULES))
|
data/lua-hooks/lib/module.mk
DELETED
|
@@ -1,42 +0,0 @@
|
|
|
1
|
-
MODULES := lib/hooks lib/lexers
|
|
2
|
-
|
|
3
|
-
LUA_BASE_SRC += \
|
|
4
|
-
lib/base64.lua \
|
|
5
|
-
lib/bit.lua \
|
|
6
|
-
lib/cookie.lua \
|
|
7
|
-
lib/counters.lua \
|
|
8
|
-
lib/DataDumper.lua \
|
|
9
|
-
lib/date.lua \
|
|
10
|
-
lib/defence.lua \
|
|
11
|
-
lib/diag.lua \
|
|
12
|
-
lib/dkjson.lua \
|
|
13
|
-
lib/extensions.lua \
|
|
14
|
-
lib/globtopattern.lua \
|
|
15
|
-
lib/hkdf.lua \
|
|
16
|
-
lib/hmac.lua \
|
|
17
|
-
lib/hooks.lua \
|
|
18
|
-
lib/idn.lua \
|
|
19
|
-
lib/immunio-schemas/immunio_schemas/schemas/request_schema.lua \
|
|
20
|
-
lib/immunio-schemas/immunio_schemas/schemas/validation.lua \
|
|
21
|
-
lib/ip.lua \
|
|
22
|
-
lib/learn.lua \
|
|
23
|
-
lib/lexgraph.lua \
|
|
24
|
-
lib/lexer.lua \
|
|
25
|
-
lib/lru.lua \
|
|
26
|
-
lib/neturl.lua \
|
|
27
|
-
lib/pathname.lua \
|
|
28
|
-
lib/perf.lua \
|
|
29
|
-
lib/permit.lua \
|
|
30
|
-
lib/profiler.lua \
|
|
31
|
-
lib/real_ip.lua \
|
|
32
|
-
lib/sanitize_sql.lua \
|
|
33
|
-
lib/sanitize_command.lua \
|
|
34
|
-
lib/semver.lua \
|
|
35
|
-
lib/sha1.lua \
|
|
36
|
-
lib/snap.lua \
|
|
37
|
-
lib/term.lua \
|
|
38
|
-
lib/tracking.lua \
|
|
39
|
-
lib/utils.lua \
|
|
40
|
-
lib/verb_tamper.lua
|
|
41
|
-
|
|
42
|
-
include $(patsubst %, %/module.mk,$(MODULES))
|