paraxial 0.4.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce7c75f780f9b356d4a15b4fb834bb6f064a8f5a39ead6e629a4f42ff2768010
-  data.tar.gz: 929b701d0e47c7a12b1654c3426e515b37824f591b7a65b2c9a22630c72bc8cc
+  metadata.gz: 2ef49572c0555fdaea4bc13d94f4faa2d771a9919ee54304d832b5b97306cc09
+  data.tar.gz: 3bd3f48e2517d1c309e8c57ec8814a6bf9077506c461904c5f38f1ecc7e35dd3
 SHA512:
-  metadata.gz: b1d9decea112098e9c71cf36d071fe1fbe86028ac23b34d4b9a704771d7a007a42f56abbaea51dc65825067e0ac5d029781b7c344c82a3cd339716908f6d8451
-  data.tar.gz: 54bff15c7c351b7f3e74eae787d2858f12e4ded57be06cb3f5872147cdccae90819396837fa60e5ddeda6fff758eddeef0868fed4d02748c3873282c6c59306e
+  metadata.gz: 6ed1f565c95cffdc6e8940d2c92c1cee7c7cd6157fe5da9f304746a65c1687ca74141483add2ca13616cfe82371a27b396ae4fcb178dffb80cac014ace5ac152
+  data.tar.gz: aa3ab3d9ff75cd0ff804a859eebd847ca60d2be053dd004c963d7ed612296d7a574691accfdd26b2788126c94ad9d6311a0f77d9d4dc44d97cb169bd26f6d015

data/lib/paraxial/checker.rb

@@ -4,10 +4,13 @@ module Paraxial
     @allows = { 'v4' => Patricia.new, 'v6' => Patricia.new(:AF_INET6) }
     @bans = { 'v4' => Patricia.new, 'v6' => Patricia.new(:AF_INET6) }
 
-    @thread = Thread.new do
-      loop do
-        get_abr
-        sleep(10)
+
+    if Paraxial::Helpers.get_api_key
+      @thread = Thread.new do
+        loop do
+          get_abr
+          sleep(10)
+        end
       end
     end
 
@@ -15,11 +18,16 @@ module Paraxial
       uri = URI.parse(Paraxial::Helpers.get_paraxial_url + '/api/abr')
       headers = { 'Content-Type': 'application/json' }
 
-      body = { api_key: ENV['PARAXIAL_API_KEY'] }
-      r = Net::HTTP.post(uri, body.to_json, headers)
-      if r.code == '200'
-        put_abr(JSON.parse(r.body))
-      else
+      body = { api_key: Paraxial::Helpers.get_api_key }
+      begin
+        r = Net::HTTP.post(uri, body.to_json, headers)
+        if r.code == '200'
+          put_abr(JSON.parse(r.body))
+        else
+          'ab_failed'
+        end
+      rescue StandardError => e
+        puts '[Paraxial] HTTP connection to backend failed, check configuration'
         'ab_failed'
       end
     end
@@ -100,7 +108,7 @@ module Paraxial
       uri = URI.parse(Paraxial::Helpers.get_ban_url)
       headers = { 'Content-Type': 'application/json' }
 
-      body = { api_key: ENV['PARAXIAL_API_KEY'], ip_address: ip }
+      body = { api_key: Paraxial::Helpers.get_api_key, ip_address: ip }
       r = Net::HTTP.post(uri, body.to_json, headers)
       if r.code == '200'
         :ok

data/lib/paraxial/cli.rb

@@ -19,14 +19,16 @@ module Paraxial
     def scan
       puts '[Paraxial] Scan starting...'
       if check_rubocop_configuration
-        puts '[Paraxial] .rubocop.yml contains the required paraxial configuration.'
+        puts '[Paraxial] .rubocop.yml is valid.'
       else
-        puts '[Paraxial] .rubocop.yml does not contain the required paraxial configuration.'
-        puts '[Paraxial] How to configure: TODO_URL'
-        exit
+        puts '[Paraxial] .rubocop.yml is missing rubocop-erb. To scan embedded Ruby files for security problems, add:'
+        puts '.rubocop.yml'
+        puts 'require:'
+        puts '- rubocop-erb'
       end
 
-      if ENV['PARAXIAL_API_KEY'].nil?
+
+      if Paraxial::Helpers.get_api_key.nil?
         puts '[Paraxial] Environment variable PARAXIAL_API_KEY not found'
       else
         github_app = options[:github_app]
@@ -36,7 +38,7 @@ module Paraxial
         pr_number = options[:pr_number]
 
         cops = 'Paraxial,Security/Eval,Security/IoMethods,Security/JSONLoad,Security/MarshalLoad,Security/Open,Security/YAMLLoad'
-        rubocop = `rubocop --only #{cops} --format json`
+        rubocop = `rubocop --require paraxial --only #{cops} --disable-pending-cops --format json`
         lockfile = File.read('./Gemfile.lock')
         api_key = ENV['PARAXIAL_API_KEY']
         uri = URI.parse(Paraxial::Helpers.get_paraxial_url + '/api/ruby_scan')
@@ -47,7 +49,7 @@ module Paraxial
         m = JSON.parse(response.body)
         findings = m['ok']['findings']
         puts
-        puts "[Paraxial] Scan count #{findings.length}"
+        puts "[Paraxial] Scan count: #{findings.length}"
         puts
         findings.each do |finding|
           puts finding
@@ -107,7 +109,7 @@ module Paraxial
       required_key = 'require'
 
       if config.is_a?(Hash) && config[required_key].is_a?(Array)
-        config[required_key].include?('paraxial')
+        config[required_key].include?('rubocop-erb')
       else
         false
       end

data/lib/paraxial/helpers.rb

@@ -7,5 +7,13 @@ module Paraxial
     def self.get_ban_url
       get_paraxial_url + '/api/ban_ip'
     end
+
+    def self.get_exploit_url
+      get_paraxial_url + '/api/exploit'
+    end
+
+    def self.get_api_key
+      @paraxial_api_key ||= ENV['PARAXIAL_API_KEY']
+    end
   end
 end

data/lib/paraxial/initializers/marshal_patch.rb

@@ -0,0 +1,37 @@
+unless Rails.env.test? || File.basename($0) == 'rake' || defined?(Rails::Generators)
+  module Marshal
+    class << self
+      alias_method :original_load, :load
+
+      def load(source, proc = nil)
+        exg = Paraxial.configuration.exploit_guard
+        if [:monitor, :block].include?(exg)
+          if source.is_a?(String) && source.match?(/ActionView|Net::BufferedIO|ERB|ActiveSupport/)
+            puts "[Paraxial] Exploit Guard triggered, malicious input to Marshal.load"
+            puts source
+
+            m = {
+              "api_key" => Paraxial::Helpers.get_api_key,
+              "mode" => exg,
+              "message" =>  "Marshal.load exploit behavior detected: #{Base64.encode64(source)}"
+            }
+            headers = { 'Content-Type': 'application/json' }
+            uri = URI.parse(Paraxial::Helpers.get_exploit_url)
+            Thread.new do
+              Net::HTTP.post(uri, m.to_json, headers)
+            end
+            if exg == :monitor
+              original_load(source, proc)
+            else
+              :block
+            end
+          else
+            original_load(source, proc)
+          end
+        else
+          original_load(source, proc)
+        end
+      end
+    end
+  end
+end

data/lib/paraxial/initializers/startup.rb

@@ -8,16 +8,19 @@ Bundler.setup
 
 unless Rails.env.test? || File.basename($0) == 'rake' || defined?(Rails::Generators)
   Rails.application.config.to_prepare do
-    puts '[Paraxial] Init start'
-    api_key = ENV['PARAXIAL_API_KEY']
+    puts '[Paraxial] Agent starting...'
+    api_key = Paraxial::Helpers.get_api_key
 
     if api_key.nil?
-      puts '[Paraxial] Init PARAXIAL_API_KEY key not set, agent not started'
+      puts '[Paraxial] PARAXIAL_API_KEY key not set, agent not started'
     elsif Rails.env.test?
-      puts '[Paraxial] Init Test environment detected, agent not started'
+      puts '[Paraxial] Test environment detected, agent not started'
     else
       begin
-        puts '[Paraxial] Init config valid, agent starting'
+        puts '[Paraxial] API key detected, agent starting'
+
+        Paraxial.check_exploit_guard
+
         deps_and_licenses = []
         Bundler.load.specs.each do |spec|
           # Print the gem name and license
@@ -30,7 +33,7 @@ unless Rails.env.test? || File.basename($0) == 'rake' || defined?(Rails::Generat
         uri = URI.parse(Paraxial::Helpers.get_paraxial_url + '/api/ruby_app_lic')
         headers = { 'Content-Type': 'application/json' }
 
-        body = { app_lic: deps_and_licenses, api_key:, timestamp: Paraxial.get_timestamp }
+        body = { app_lic: deps_and_licenses, api_key: api_key, timestamp: Paraxial.get_timestamp }
         cloud_uri = URI.parse(Paraxial::Helpers.get_paraxial_url + '/api/cloud_ip_list')
         response = Net::HTTP.get(cloud_uri)
 

data/lib/paraxial/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Paraxial
-  VERSION = '0.4.0'
+  VERSION = '0.6.0'
 end

data/lib/paraxial.rb

@@ -8,11 +8,16 @@ require_relative 'rubocop/cop/paraxial/system'
 require_relative 'rubocop/cop/paraxial/send'
 require_relative 'rubocop/cop/paraxial/constantize'
 require_relative 'rubocop/cop/paraxial/html_safe'
+require_relative 'rubocop/cop/paraxial/raw'
 require_relative 'rubocop/cop/paraxial/sql'
 require_relative 'paraxial/version'
 require_relative 'paraxial/cli'
 
 module Paraxial
+  class << self
+    attr_accessor :configuration
+  end
+
   class Error < StandardError; end
   # Your code goes here...
 
@@ -40,7 +45,11 @@ module Paraxial
   end
 
   def self.cloud_ip?(ip)
-    !!(PARAXIAL_IPV4.search_best(ip) or PARAXIAL_IPV6.search_best(ip))
+    if ip.include?('.')
+      !!PARAXIAL_IPV4.search_best(ip)
+    else
+      !!PARAXIAL_IPV6.search_best(ip)
+    end
   end
 
   def self.ban_ip(ip)
@@ -66,4 +75,35 @@ module Paraxial
       cleaned_string
     end
   end
+
+  def self.configure
+    self.configuration ||= Configuration.new
+    yield(configuration) if block_given?
+  end
+
+  def self.check_exploit_guard
+    if configuration.nil?
+      puts "[Paraxial] Exploit Guard, no config exists, will not run"
+      return
+    end
+
+    case configuration.exploit_guard
+    when :monitor
+      puts "[Paraxial] Exploit Guard, running in monitor mode"
+    when :block
+      puts "[Paraxial] Exploit Guard, running in block mode"
+    when nil
+      puts "[Paraxial] Exploit Guard, not configured, will not run"
+    else
+      puts "[Paraxial] Exploit Guard, bad value"
+    end
+  end
+
+  class Configuration
+    attr_accessor :exploit_guard
+
+    def initialize
+      @exploit_guard = nil
+    end
+  end
 end

data/lib/rubocop/cop/paraxial/raw.rb

@@ -0,0 +1,22 @@
+module RuboCop
+  module Cop
+    module Paraxial
+      class Raw < Base
+        MSG = '`raw` leads to XSS when called on user input'
+
+        def on_send(node)
+          method_name = node.method_name
+          return unless send_methods.include?(method_name)
+
+          add_offense(node, message: format(MSG, method: method_name))
+        end
+
+        private
+
+        def send_methods
+          [:raw]
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: paraxial
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Michael Lubas
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-22 00:00:00.000000000 Z
+date: 2024-09-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -66,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-erb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description:
 email:
 - michael@paraxial.io
@@ -84,11 +98,13 @@ files:
 - lib/paraxial/cli.rb
 - lib/paraxial/engine.rb
 - lib/paraxial/helpers.rb
+- lib/paraxial/initializers/marshal_patch.rb
 - lib/paraxial/initializers/startup.rb
 - lib/paraxial/version.rb
 - lib/rubocop/cop/paraxial/constantize.rb
 - lib/rubocop/cop/paraxial/csrf.rb
 - lib/rubocop/cop/paraxial/html_safe.rb
+- lib/rubocop/cop/paraxial/raw.rb
 - lib/rubocop/cop/paraxial/send.rb
 - lib/rubocop/cop/paraxial/sql.rb
 - lib/rubocop/cop/paraxial/system.rb