
Releases: basecamp/console1984

v0.1.8

05 Sep 21:37

This adds two new protections against tampering and some fixes and improvements [#27]:

  • [NEW] Prevent circumventing existing controls through constant aliases. For example:

      MyAlias = ActiveRecord

      class MyAlias::Base
        def save!(*args)
          puts "ActiveRecord::Base#save! overridden!"
        end
      end

  • [NEW] Prevent invoking code dynamically with eval, instance_eval and class_eval. For example:

      ActiveRecord::Base.class_eval do
        def save!(*args)
          puts "ActiveRecord::Base#save! overridden!"
        end
      end
  • [FIX] Fix a bug where many classes were not being frozen despite being marked with Console1984::Freezable.
  • [CHANGE] Some internal changes: add a Refrigerator entity to deal with refrigeration logic; extract ProtectionsConfig to deal with the protection options configurable via YAML.
  • [CHANGE] Extend the YML configuration to separate static validations from forbidden method invocations. This is used to prevent dynamic code evaluation as explained above.

v0.1.7

04 Sep 16:03
8fcea30

This includes major improvements to protection controls against tampering [#26]:

  • NEW: Replaces the system that detects tampering attempts in commands with a more sophisticated approach. Before, it was based on a simple regexp; it now uses the parser gem.
  • NEW: Protection mechanisms against using database drivers directly to tamper audit trails.
  • CHANGED: Major revamp of internals to accommodate new features and make future changes easier.

v0.1.6

29 Aug 22:06
  • FIX: Postgres not working due to kwargs error. [#21]

v0.1.5

28 Aug 19:15

This includes several improvements to prevent circumventing protection controls [#20]:

  • NEW: Replace the system that prevents overriding methods in classes. The new one is based on .freeze, and it also prevents changing class-level state. A big flaw in the previous approach, based on the method_added hook, is that, while it raised an error, it wouldn't prevent the command from executing (the hook was evaluated after the method had already been defined).
  • NEW: Prevent using instance_variable_set on core classes.
  • NEW: Prevent opening ActiveRecord classes to monkey patch them.
  • NEW: Prevent modifying config options once a console session has started.
  • NEW: Prevent loading sensitive constants dynamically (Console1984, ActiveRecord).
  • NEW: Freeze Socket classes and database connection classes to prevent overrides. Also prevent instance-data manipulation for the latter.

It also includes a new system for testing tampering cases that should be detected: just place the snippet in test/tampering_cases. A test will run for each file, and it will fail if the tampering attempt is not detected.
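The flaw described above for the method_added approach, and the class-level state protection that freezing buys, shown with an added Ruby example that is not console1984's own code (HookGuarded and FreezeGuarded are constructed stand-ins for a protected class such as ActiveRecord::Base):

```ruby
# Added illustration, not console1984's own code: a guard raised from the
# method_added hook fires only after the override has already been installed,
# whereas a frozen class rejects the override (and class-level state changes)
# before anything is modified. HookGuarded/FreezeGuarded are constructed
# stand-ins for a protected class such as ActiveRecord::Base.

class HookGuarded
  def save!
    :original
  end

  # Old approach: complain from method_added. By the time the hook runs,
  # Ruby has already added the new method to the class.
  def self.method_added(name)
    raise "tampering detected: #{self}##{name}" if name == :save!
  end
end

class FreezeGuarded
  def save!
    :original
  end
end
FreezeGuarded.freeze # new approach: freeze the class object itself

# Try to monkey patch save! from a console; return what happened.
def attempt_override(klass)
  klass.class_eval do
    def save!
      :overridden
    end
  end
  :no_error
rescue FrozenError, RuntimeError => e
  e.class
end

# Try to change class-level state (e.g. a class-level cache or setting).
def attempt_state_change(klass)
  klass.instance_variable_set(:@tampered, true)
  :no_error
rescue FrozenError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "hook:   #{attempt_override(HookGuarded)} -> save! now returns #{HookGuarded.new.save!}"
  puts "freeze: #{attempt_override(FreezeGuarded)} -> save! still returns #{FreezeGuarded.new.save!}"
  puts "freeze: #{attempt_state_change(FreezeGuarded)} on instance_variable_set"
end
```

With the hook, the error is raised but the overridden save! remains in place; with the frozen class, both the method override and the instance-variable write fail with FrozenError and the original behaviour is untouched.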