Merge pull request #4108 from DataDog/lloeki/deny-rubygems-update-injection

Deny `rubygems-update` injection
TonyCTHsu authored Nov 13, 2024
2 parents 48e5f09 + 20f2fa5 commit 494abac
Showing 3 changed files with 67 additions and 0 deletions.
34 changes: 34 additions & 0 deletions lib-injection/requirements.json
Expand Up @@ -47,6 +47,40 @@
],
"envars": null
},
{
"id": "ruby_disable_gems",
"description": "Rubygems is required for injection to function",
"os": null,
"cmds": [
"**/ruby"
],
"args": [
{
"args": [
"--disable-gems"
],
"position": null
}
],
"envars": null
},
{
"id": "gem_update_system",
"description": "Ignore the rubygems update setup.rb",
"os": null,
"cmds": [
"**/ruby"
],
"args": [
{
"args": [
"setup.rb"
],
"position": null
}
],
"envars": null
},
{
"id": "bundle_install",
"description": "Ignore bundle install",
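Review bot: The `ruby_disable_gems` entry only matches the literal `--disable-gems` spelling, yet the interpreter also accepts `--disable=gems` (and, I believe, `--disable-all` / `--disable=all`), which switch RubyGems off just the same and would pass this deny rule into an injection the description says cannot function without RubyGems. If the inner `args` list is an alternation, widening it to `"args": ["--disable-gems", "--disable=gems", "--disable-all", "--disable=all"]` closes the gap; if the matcher requires every listed arg to be present, each spelling needs its own `{ "args": [...], "position": null }` object instead. I am inferring the list semantics from the surrounding entries, whose matcher is not visible here, so confirm against the matcher before changing it.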
25 changes: 25 additions & 0 deletions lib-injection/requirements.rb
Expand Up @@ -50,6 +50,31 @@ def requirements
'envars' => nil,
}

reqs['deny'] << {
'id' => 'ruby_disable_gems',
'description' => 'Rubygems is required for injection to function',
'os' => nil,
'cmds' => [
'**/ruby'
],
'args' => [{ 'args' => ['--disable-gems'], 'position' => nil }],
'envars' => nil,
}

# Prevent endless reexecution when RUBYOPTS is forcefully set
# Command: {"Path":"/usr/local/bin/ruby","Args":["/usr/local/bin/ruby","--disable-gems","setup.rb","--no-document","--previous-version","3.3.26"]}
# See: https://github.com/rubygems/rubygems/blob/90c90addee4bda3130cf44f1321eebf162367d1b/setup.rb#L13-L20
reqs['deny'] << {
'id' => 'gem_update_system',
'description' => 'Ignore the rubygems update setup.rb',
'os' => nil,
'cmds' => [
'**/ruby'
],
'args' => [{ 'args' => ['setup.rb'], 'position' => nil }],
'envars' => nil,
}

# `bundle exec` is the only command we want to inject into.
# there is no `allow` overriding `deny` so we're left to exclude all of the
# possible others.
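Review bot: The why-comment above the `gem_update_system` entry names the variable `RUBYOPTS`, but the interpreter reads `RUBYOPT`, so the comment should read `# Prevent endless reexecution when RUBYOPT is forcefully set` to avoid sending the next maintainer looking for the wrong variable. The rule itself matches `setup.rb` with `'position' => nil`, which appears to mean any argv position and carries no path qualifier, so any `ruby setup.rb` invocation, not only the rubygems updater's, is excluded from injection; if that breadth is intended it deserves a line such as `# Matches any script named setup.rb, not only rubygems-update's; install scripts are not an injection target anyway`. The `requirements` method this lands in begins before and ends after this hunk.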
8 changes: 8 additions & 0 deletions lib-injection/test_block.json
Expand Up @@ -13,6 +13,14 @@
{"name": "❌ gem", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/gem" ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
{"name": "❌ gem install", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/gem", "install" ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},

{"name": "❌ ruby disable gems", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
{"name": "❌ ruby disable gems", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
{"name": "❌ ruby disable gems", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
{"name": "❌ ruby disable gems", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "-w", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
{"name": "❌ ruby disable gems", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "-w", "-w", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},

{"name": "❌ ruby rubygems-update setup.rb", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "--disable-gems", "setup.rb", "--no-document", "--previous-version", "3.3.26"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},

{"name": "❌ bundle" , "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/bundle", "install" ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
{"name": "❌ bundle" , "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/bundle", "_2.4.0_", "install" ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
{"name": "❌ bundle" , "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/bundle", "--verbose", "install" ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
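Review bot: The new `❌ ruby rubygems-update setup.rb` case carries `--disable-gems` in its argv, so it is already denied by the `ruby_disable_gems` rule and would keep passing even if the `gem_update_system` rule were removed; a case without that flag, `{"name": "❌ ruby setup.rb", "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "setup.rb", "--no-document"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}}`, is what actually exercises the new rule. The five `--disable-gems` cases also share the single name `❌ ruby disable gems`, which makes a failing case hard to identify in output; suffixing the prefix count, e.g. `❌ ruby disable gems (2x -w)`, keeps them distinct at no cost.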
