prevoty-rails 0.6.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 48d11a869e27de35006a6d786687f2fa71e7c06b
+  data.tar.gz: dde0330df03439b25e19366c398c197613cac55d
+SHA512:
+  metadata.gz: e331e0d3dafb950a791a0fbee556d814a586d376d78e2cfd9b1ea8fb3b719e09c267fc9b3dd88b48456e5244b1dc54a81909ea134668ea28d8f8142d035b599c
+  data.tar.gz: a16b402f892a9fd125505446805600b63000024a6470fd7c6f00b5e19f8835d3d10933dd54412fe4d3255579f06c61f6f726f6d88cf17b0363008cd90fb1d20e

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/Gemfile.lock

@@ -0,0 +1,45 @@
+PATH
+  remote: .
+  specs:
+    prevoty-rails (0.1.0)
+      prevoty (~> 1.0)
+      rack (~> 1.4)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    byebug (3.5.1)
+      columnize (~> 0.8)
+      debugger-linecache (~> 1.2)
+      slop (~> 3.6)
+    coderay (1.1.0)
+    columnize (0.9.0)
+    debugger-linecache (1.2.0)
+    httparty (0.13.3)
+      json (~> 1.8)
+      multi_xml (>= 0.5.2)
+    json (1.8.2)
+    method_source (0.8.2)
+    multi_xml (0.5.5)
+    prevoty (1.0.1)
+      httparty (~> 0.13)
+    pry (0.10.1)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    pry-byebug (3.0.1)
+      byebug (~> 3.4)
+      pry (~> 0.10)
+    rack (1.6.0)
+    rake (10.4.2)
+    slop (3.6.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.7)
+  prevoty-rails!
+  pry (~> 0.10)
+  pry-byebug (~> 3.0)
+  rake (~> 10.0)

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Prevoty
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,67 @@
+# prevoty-rails
+
+prevoty-rails is a plugin to automatically integrate Prevoty's content filtering and SQL anlysis engine into a Rails application. The content filter is distributed as a Rack middleware that can be added into the request chain and the SQL analysis is handled using the ActiveSupport notification system to inspect SQL queries before they are sent to the database.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'prevoty-rails'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install prevoty-rails
+
+### Content Filter
+Add the following line into your config/application.rb file to use the Prevoty content filter in all environments or add it to the specific environment (eg. testing/production) that you would like to use it with.
+
+```ruby
+config.middleware.use Rack::Prevoty::ContentMiddleware, {api_key: '', configuration_key: ''}
+```
+
+### SQL Analysis
+First use the generator to install the initializer needed for SQL.
+
+```shell
+rails generate prevoty:rails:install
+```
+
+This will create a new file at config/initializers/prevoty_rails.rb. Fill in the configuration key for the query config created in the Prevoty console and the API key to use with it.
+
+## Configuration
+
+### Common
+- `api_key`: Prevoty v1 API key (shown at the bottom of the API Keys page in Prevoty Manager Console)
+- `api_base`: Base api url (default: 'https://api.prevoty.com')
+- `api_timeout_milliseconds`: Timeout for api requests (default: 1000)
+
+### Content Filter
+- `mode`: ['monitor' | 'protect'] Content mode (default: monitor)
+- `paths`: Array of uris that the content filter should be applied to. These MAY be partial uris but MUST be defined from the beginning of the uri (default: [])
+- `blacklist`: Array of uris that the content filter should ignore that are within the paths. These MAY be partial uris but MUST be defined from the beginning of the uri (default: [])
+- `minimal_logging`: [true | false] Log minimal events (default: false)
+- `destination`: ['log' | 'callback' | 'none'] Logging destination (default: log)
+- `callback`: Proc object to call when log_destination is set to callback
+- `configuration_key`: Configuration Policy Key for content filtering (from the Security Policies page in Prevoty Manager Console, not to be confused with the keys from the Plugin Configurations page)
+- `reporting_milliseconds`: Interval data will have monitoring analysis performed when the mode is set to monitor and the queue is not filled (default: 10000)
+- `reporting_count`: Maximum queue size for data to be sent for monitoring analysis (default: 50)
+
+### SQL Analysis
+- `mode`: ['monitor' | 'protect'] query analysis mode (default: monitor)
+- `minimal_logging`: [true | false] Log minimal events (default: false)
+- `log_destination`: ['log' | 'callback' | 'none'] Logging destination (default: log)
+- `configuration_key`: Configuration key for sql analysis (from the Security Policies page in Prevoty Manager Console, not to be confused with the keys from the Plugin Configurations page)
+- `reporting_milliseconds`: Interval data will have monitoring analysis performed when the query_mode is set to monitor and the queue is not filled (default: 10000)
+- `reporting_count`: Maximum queue size for data to be sent for monitoring analysis (default: 50)
+- `db_vendor`: ['mysql' | 'mssql' | 'oracle'] The database vendor the application is using for monitoring
+- `db_version`: The version of the database being used for monitoring
+- `db_name`: The default database to use for monitoring
+- `violation_mode`: ['block' | 'continue'] Determines whether to stop the request or let it continue if there is a violation when sql analysis is in 'protect' mode (default: 'continue')
+- `failure_mode`: ['block' | 'continue'] Determines whether to stop the request or let it continue if there is an error when sql analysis is in 'protect' mode (default: 'continue')
+- `callback`: Proc object to call when log_destination is set to callback

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/lib/action_controller/request_forgery_protection.rb

@@ -0,0 +1,36 @@
+module ActionController
+  module RequestForgeryProtection
+    # NOTE: This implementation currently doesn't support the BREACH
+    # mitigation that Rails introduces with masking. The Prevoty
+    # implementation possibly makes this unnecessary because it scopes CSRF
+    # tokens by action and not just the session id. This allows for each form
+    # to have a unique token and can be re-generated for each request. However
+    # because of how the plugin works there isn't a clear way to set the action
+    # so all forms will share a token. We should either introduce masking or
+    # find a solution to setting the action correctly.
+    protected
+    def form_authenticity_token
+      begin
+        resp = PREVOTY_CLIENT.generate_timed_token(session[:session_id], "action", 86400)
+        session[:_csrf_token] = resp.token
+      rescue Exception => e
+        Rails.logger.debug e.message
+      end
+    end
+
+    def verified_request?
+      return true if !protect_against_forgery? || request.get? || request.head?
+      begin
+        resp = PREVOTY_CLIENT.validate_timed_token(session[:session_id], "action", session[:_csrf_token])
+        return true if resp.valid
+        resp = PREVOTY_CLIENT.validate_timed_token(session[:session_id], "action", request.headers['X-CSRF-Token'])
+        return true if resp.valid
+      rescue
+        Rails.logger.debug e.message
+        return false
+      end
+
+      false
+    end
+  end
+end

data/lib/generators/prevoty/rails/USAGE

@@ -0,0 +1,9 @@
+Description:
+  Generates the base initializer for the CSRF and SQL query support of
+  Prevoty's Ruby plugin.
+
+Examples:
+  rails generate prevoty:rails:install
+
+  This will generate the base initializer for the Prevoty ruby plugin for
+  your rails app.

data/lib/generators/prevoty/rails/install_generator.rb

@@ -0,0 +1,13 @@
+require 'rails/generators'
+
+module Prevoty
+  module Rails
+    class InstallGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def copy_initializer_file
+        template "prevoty_rails.rb", "config/initializers/prevoty_rails.rb"
+      end
+    end
+  end
+end

data/lib/generators/prevoty/rails/templates/prevoty_rails.rb

@@ -0,0 +1,86 @@
+require 'prevoty/query_violation'
+require 'prevoty/query_failure'
+require 'prevoty/query_payload'
+require 'prevoty/build_query_result'
+require 'prevoty/logger'
+
+options = {
+  api_base: 'https://api.prevoty.com',
+  api_key: '',
+  mode: 'monitor',
+  minimal_logging: false,
+  log_destination: 'log',
+  # configuration_key: '', # uncomment for protect
+  reporting_milliseconds: 10000,
+  reporting_count: 50,
+  db_vendor: '', # unused for protect
+  db_version: '', # unused for protect
+  db_name: '', # unused for protect
+  violation_mode: 'block',
+  failure_mode: 'continue',
+  before_callback: ->() {}, # fired before a query is analyzed
+  after_callback: ->() {}, # fired after a query is analyzed
+  error_callback: ->() {} # fired after an error
+}
+
+case options[:mode]
+when 'monitor'
+  client = ::Prevoty::Client.new(options[:api_key], options[:api_base])
+  QUERY_MONITOR = ::Prevoty::QueryMonitor.new client, options
+when 'protect'
+  PREVOTY_CLIENT = ::Prevoty::Client.new(options[:api_key], options[:api_base])
+end
+
+query_handler = ->(name, start, finish, id, payload) do
+  include Prevoty::BuildQueryResult
+
+  unless payload[:name] =~ /SQL|Load/
+    return
+  end
+
+  case options[:mode]
+  when 'monitor'
+    package = {vendor: options[:db_vendor], database: options[:db_name], version: options[:db_version], query: payload[:sql]}
+    QUERY_MONITOR.process(package)
+  when 'protect'
+    begin
+      options[:before_callback].call(payload[:sql]) if options[:log_destination] === 'callback' and options[:before_callback].respond_to? :call
+      res = PREVOTY_CLIENT.analyze_query(payload[:sql], options[:configuration_key])
+      if res.processed and not res.compliant
+        case options[:log_destination]
+        when 'log'
+          ::Prevoty::LOGGER << build_result(options[:mode], payload[:sql], res).to_json
+        when 'callback'
+          options[:after_callback].call(build_result(options[:mode], payload[:sql], res).to_json) if options[:after_callback].respond_to? :call
+        end
+        raise ::Prevoty::QueryViolation.new if options[:violation_mode] === 'block'
+      elsif res.processed and res.compliant
+        case options[:log_destination]
+        when 'log'
+          ::Prevoty::LOGGER << build_result(options[:mode], payload[:sql], res).to_json
+        when 'callback'
+          options[:after_callback].call(build_result(options[:mode], payload[:sql], res).to_json) if options[:after_callback].respond_to? :call
+        end
+      elsif not res.processed and not res.compliant
+        raise ::Prevoty::QueryFailure.new
+      end
+    rescue ::Prevoty::QueryViolation => e
+      # need to catch and rethrow to catch other exceptions
+      raise e
+    rescue ::Prevoty::QueryFailure => e
+      # need to catch and rethrow to catch other exceptions
+      raise e
+    rescue Exception => e
+      case options[:log_destination]
+      when 'log'
+        Rails.logger.error e.message
+      when 'callback'
+        options[:error_callback].call(e) if options[:error_callback].response_to_? :call
+      end
+
+      raise e if options[:failure_mode] === 'block'
+    end
+  end
+end
+
+ActiveSupport::Notifications.subscribe 'sql.active_record', query_handler

data/lib/prevoty-rails.rb

@@ -0,0 +1,21 @@
+require 'prevoty/adapters'
+require 'prevoty/monitor'
+require 'prevoty/content_monitor'
+require 'prevoty/query_monitor'
+require 'prevoty/query_payload'
+require 'prevoty/query_violation'
+require 'prevoty/query_failure'
+require 'prevoty/build_query_result'
+require 'prevoty/rails/version'
+require 'prevoty/logger'
+require 'rack/content_middleware'
+
+# Uncommenting this enables Prevoty CSRF protection that overloads the
+# built-in Rails implementation. There isn't a good way to specify the action
+# since we don't know where the form will POST to at the point we're hooking
+# so it makes the token less secure given that they all share a common action.
+# Rails generates a token and uses it session wide then masks it using a one
+# time pad and xor so that each time it's on the page it appears different to
+# mitigate against the BREACH SSL attack. This essentially creates a unique
+# token for each request which is the approach Prevoty takes.
+# require 'action_controller/request_forgery_protection'

data/lib/prevoty/adapters.rb

@@ -0,0 +1,8 @@
+module Prevoty
+  ADAPTERS = {
+    "mysql" => "mysql",
+    "mysql2" => "mysql",
+    "oracle" => "oracle",
+    "mssql" => "mssql"
+  }
+end

data/lib/prevoty/build_query_result.rb

@@ -0,0 +1,20 @@
+require 'prevoty/query_payload'
+
+module Prevoty
+  module BuildQueryResult
+    def build_result(mode, input, result)
+      data = {
+        timestamp: Time.now.utc.strftime('%b %d %Y %H:%M:%S %Z'),
+        product: 'query',
+        mode: mode,
+        version: 1,
+        runtime_version: result.engine_version,
+        processed: result.processed,
+        input: input,
+        result: result
+      }
+
+      Prevoty::QueryPayload.new(data)
+    end
+  end
+end

data/lib/prevoty/content_monitor.rb

@@ -0,0 +1,29 @@
+require 'thread'
+
+module Prevoty
+  class ContentMonitor < Monitor
+    private
+    def process_queue
+      cloned = @queue.clone
+      @queue = []
+      Thread.new do
+        data = cloned.inject([]) {|arr, i| arr.push i[:input]; arr}
+        begin
+          Timeout::timeout(@timeout) do
+            res = @client.monitor_content(data)
+            res.each_with_index do |r, i|
+              case @log_destination
+              when 'log'
+                ::Prevoty::LOGGER << ::Rack::Prevoty::Interceptor.build_result(cloned[i][:mode], cloned[i][:request], cloned[i][:input], r).to_json if r.javascript_attributes > 0 || r.javascript_protocols > 0 || r.javascript_tags > 0
+              when 'callback'
+                @callback.call(::Rack::Prevoty::Interceptor.build_result(cloned[i][:mode], cloned[i][:request], cloned[i][:input], r).to_json) if !@callback.nil? && (r.javascript_attributes > 0 || r.javascript_protocols > 0 || r.javascript_tags > 0)
+              end
+            end
+          end
+        rescue Exception => e
+          ::Rails.logger.warn e.message
+        end
+      end
+    end
+  end
+end

data/lib/prevoty/content_payload.rb

@@ -0,0 +1,48 @@
+require 'json'
+
+module Prevoty
+  class ContentPayload
+    attr_accessor :timestamp, :product, :mode, :version, :input, :output,
+                  :statistics, :request_url, :session_id, :cookies,
+                  :http_method, :src_ip, :dest_host, :dest_port
+
+    def initialize(data)
+      @timestamp = data[:timestamp]
+      @product = data[:product]
+      @mode = data[:mode]
+      @version = data[:version]
+      @input = data[:input]
+      @output = data[:output]
+      @statistics = data[:statistics]
+      @request_url = data[:request_url]
+      @session_id = data[:session_id]
+      @cookies = data[:cookies]
+      @http_method = data[:http_method]
+      @src_ip = data[:src_ip]
+      @dest_host = data[:dest_host]
+      @dest_port = data[:dest_port]
+    end
+
+    def to_json
+      case @mode
+      when 'monitor'
+        return {
+          timestamp: @timestamp, product: @product, mode: @mode,
+          version: @version, input: @input, statistics: @statistics,
+          url: @request_url, session_id: @session_id, cookies: @cookies,
+          http_method: @http_method, src_ip: @src_ip,
+          dest_host: @dest_host, dest_port: @dest_port
+        }.to_json
+      when 'protect'
+        return {
+          timestamp: @timestamp, product: @product, mode: @mode,
+          version: @version, input: @input, output: @output,
+          statistics: @statistics, url: @request_url,
+          session_id: @session_id, cookies: @cookies,
+          http_method: @http_method, src_ip: @src_ip,
+          dest_host: @dest_host, dest_port: @dest_port
+        }.to_json
+      end
+    end
+  end
+end

data/lib/prevoty/logger.rb

@@ -0,0 +1,5 @@
+require 'logger'
+
+module Prevoty
+  LOGGER = Logger.new(File.join(Dir.pwd, 'log', 'prevoty_splunk.log'))
+end

data/lib/prevoty/monitor.rb

@@ -0,0 +1,53 @@
+require 'timeout'
+require 'thread'
+
+module Prevoty
+  class Monitor
+    DEFAULT_TIMEOUT = 10000
+    DEFAULT_MAX_SIZE = 50
+    DEFAULT_LOG_DESTINATION = 'log'
+
+    def initialize(client, options = {})
+      options[:reporting_milliseconds] ||= DEFAULT_TIMEOUT
+
+      @client = client
+      @before_callback = options[:before_callback]
+      @after_callback = options[:after_callback]
+      @max_size = options[:max_size] || DEFAULT_MAX_SIZE
+      @log_destination = options[:log_destination] || DEFAULT_LOG_DESTINATION
+      @timeout = options[:reporting_milliseconds] / 1000
+      @mutex = Mutex.new
+      @queue = []
+      @rd, @wr = IO.pipe
+      @thread = Thread.new do
+        loop do
+          begin
+            Timeout::timeout(@timeout) { @rd.read }
+            redo
+          rescue Timeout::Error
+            @mutex.lock()
+            if @queue.size > 0
+              process_queue
+            end
+            @mutex.unlock()
+          end
+        end
+      end
+    end
+
+    def process(data)
+      @mutex.lock
+      @queue.push(data)
+      if @queue.size >= @max_size
+        process_queue
+        @wr.write 1
+      end
+      @mutex.unlock
+    end
+
+    private
+    def process_queue
+      raise 'this is an abstract base method. You should use the ContentMonitor or QueryMonitor class instead'
+    end
+  end
+end

data/lib/prevoty/query_failure.rb

@@ -0,0 +1,4 @@
+module Prevoty
+  class QueryFailure < Exception
+  end
+end

data/lib/prevoty/query_monitor.rb

@@ -0,0 +1,37 @@
+require 'thread'
+require 'prevoty/build_query_result'
+
+module Prevoty
+  class QueryMonitor < Monitor
+    include Prevoty::BuildQueryResult
+
+    private
+    def process_queue
+      cloned = @queue.clone
+      @queue = []
+      Thread.new do
+        begin
+          @before_callback.call(cloned) if @log_destination === 'callback' and @before_callback.respond_to? :call
+          Timeout::timeout(@timeout) do
+            res = @client.monitor_query(cloned)
+            res.each_with_index do |r, i|
+              case @log_destination
+              when 'log'
+                Prevoty::LOGGER << build_result('monitor', cloned[i][:query], r).to_json if r.processed
+              when 'callback'
+                @after_callback.call(build_result('monitor', cloned[i][:query], r).to_json) if @after_callback.respond_to?(:call) && r.processed
+              end
+            end
+          end
+        rescue Exception => e
+          case @log_destination
+          when 'log'
+            ::Rails.logger.error e.message
+          when 'callback'
+            @error_callback.call(e.message) if @error_callback.respond_to? :call
+          end
+        end
+      end
+    end
+  end
+end

data/lib/prevoty/query_payload.rb

@@ -0,0 +1,26 @@
+require 'json'
+
+module Prevoty
+  class QueryPayload
+    attr_accessor :product, :mode, :version, :runtime_version, :processed,
+                  :input, :result, :timestamp
+
+    def initialize(data)
+      @product = data[:product]
+      @mode = data[:mode]
+      @version = data[:version]
+      @runtime_version = data[:runtime_version]
+      @processed = data[:processed]
+      @input = data[:input]
+      @result = data[:result]
+      @timestamp = data[:timestamp]
+    end
+
+    def to_json
+      return {
+        product: @product, mode: @mode, version: @version,
+        input: @input, result: @result, timestamp: @timestamp
+      }.to_json
+    end
+  end
+end

data/lib/prevoty/query_violation.rb

@@ -0,0 +1,4 @@
+module Prevoty
+  class QueryViolation < Exception
+  end
+end

data/lib/prevoty/rails/version.rb

@@ -0,0 +1,5 @@
+module Prevoty
+  module Rails
+    VERSION = '0.6.1'
+  end
+end

data/lib/rack/content_middleware.rb

@@ -0,0 +1,22 @@
+require 'rack/monitor_interceptor'
+require 'rack/protect_interceptor'
+
+module Rack
+  module Prevoty
+    class ContentMiddleware
+      def initialize(app, opts)
+        case opts[:mode]
+        when 'protect' then @interceptor = Rack::Prevoty::ProtectInterceptor.new(app, opts)
+        when 'monitor' then @interceptor = Rack::Prevoty::MonitorInterceptor.new(app, opts)
+        else
+          @interceptor = MonitorInterceptor.new(app, opts)
+          Rails.logger.warn "invalid mode #{opts[:mode]} specified; using default: monitor"
+        end
+      end
+
+      def call(env)
+        @interceptor.call(env)
+      end
+    end
+  end
+end

data/lib/rack/interceptor.rb

@@ -0,0 +1,61 @@
+require 'prevoty'
+require 'prevoty/content_payload'
+
+module Rack
+  module Prevoty
+    class Interceptor
+      def initialize(app, opts)
+        @app = app
+        @base = opts[:api_base] ||= 'https://api.prevoty.com'
+        @client = ::Prevoty::Client.new(opts[:api_key], @base)
+        @configuration_key = opts[:configuration_key]
+        @mode = opts[:mode] ||= 'monitor'
+        @callback = opts[:callback] ||= nil
+        @minimal_logging = opts[:minimal_logging] ||= false
+        @log_destination = opts[:log_destination] ||= 'log'
+        @paths = opts[:paths] ||= ['/']
+        @blacklist = opts[:blacklist] ||= []
+      end
+
+      def call(env)
+        raise 'this is an abstract class...instantiate one of the child rack middlewares'
+      end
+
+      def self.build_result(mode, request, input, result)
+        data = {
+          product: 'content',
+          mode: mode,
+          version: '1',
+          input: input,
+          timestamp: Time.now.utc.strftime('%b %d %Y %H:%M:%S %Z'),
+          request_url: request.path,
+          session_id: request.session["session_id"],
+          cookies: request.cookies,
+          http_method: request.request_method,
+          src_ip: request.ip,
+          dest_host: request.host,
+          dest_port: request.port
+        }
+
+        # these are hacks due to differences between protect and monitor
+        if mode === 'protect'
+          data[:statistics] = result.statistics
+          data[:output] = CGI::unescape(result.output)
+        else
+          data[:statistics] = result
+        end
+
+        ::Prevoty::ContentPayload.new(data)
+      end
+
+      protected
+      def escape_query(params)
+        params.map do |name,values|
+          values.map do |value|
+            "#{CGI.escape name}=#{CGI.escape CGI.escapeHTML value}"
+          end
+        end.flatten.join("&")
+      end
+    end
+  end
+end

data/lib/rack/monitor_interceptor.rb

@@ -0,0 +1,51 @@
+require 'rack/interceptor'
+
+module Rack
+  module Prevoty
+    class MonitorInterceptor < Interceptor
+      def initialize(app, opts)
+        super(app, opts)
+
+        @monitor = ::Prevoty::ContentMonitor.new(@client, opts)
+      end
+
+      def call(env)
+        req = Rack::Request.new(env)
+
+        # passthru if not listed in paths
+        return @app.call(env) if @paths.detect {|p| req.path.start_with?(p)}.nil?
+
+        # passthru if blacklisted
+        return @app.call(env) unless @blacklist.detect {|p| req.path.start_with?(p)}.nil?
+
+        case req.request_method
+        when "GET", "DELETE"
+          unless env['QUERY_STRING'] === ''
+            querystring = URI.unescape(env['QUERY_STRING'])
+            @monitor.process({mode: @mode, input: querystring, request: req})
+          end
+        when "POST", "PUT"
+          if req.media_type === 'multipart/form-data'
+            # TODO: implement support for multipart. The Rack multipart
+            # implementation doesn't support parsing and re-creating the
+            # mutlipart data so a custom implementation needs to be written
+          else
+            body = URI.unescape(req.body.read.encode('utf-8'))
+            unless body === ''
+              @monitor.process({mode: @mode, input: body, request: req})
+            end
+          end
+
+          # clean any GET data passed
+          unless env['QUERY_STRING'] === ''
+            querystring = URI.unescape(env['QUERY_STRING'])
+            @monitor.process({mode: @mode, input: querystring, request: req})
+          end
+        else Rails.logger.warn "unknown method #{req.request_method}"
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/rack/protect_interceptor.rb

@@ -0,0 +1,93 @@
+require 'timeout'
+require 'cgi'
+require 'rack/interceptor'
+
+module Rack
+  module Prevoty
+    class ProtectInterceptor < Interceptor
+      def initialize(app, opts)
+        super(app, opts)
+      end
+
+      def call(env)
+        req = Rack::Request.new(env)
+
+        # passthru if not listed in paths
+        return @app.call(env) if @paths.detect {|p| req.path.start_with?(p)}.nil?
+
+        # passthru if blacklisted
+        return @app.call(env) unless @blacklist.detect {|p| req.path.start_with?(p)}.nil?
+
+        case req.request_method
+        when "GET", "DELETE"
+          unless env['QUERY_STRING'] === ''
+            querystring = URI.unescape(env['QUERY_STRING'])
+            begin
+              Timeout::timeout(@timeout) do
+                resp = @client.bulk_filter(querystring, @configuration_key)
+                env['QUERY_STRING'] = URI.escape(resp.output)
+                case @log_destination
+                when 'log'
+                  ::Prevoty::LOGGER << self.class.build_result(@mode, req, querystring, resp).to_json if resp.statistics.javascript_attributes > 0 || resp.statistics.javascript_protocols > 0 || resp.statistics.javascript_tags > 0
+                when 'callback'
+                  @callback.call(self.class.build_result(@mode, req, querystring, resp).to_json) if !@callback.nil? && (resp.statistics.javascript_attributes > 0 || resp.statistics.javascript_protocols > 0 || resp.statistics.javascript_tags > 0)
+                end
+              end
+            rescue Exception => e
+              env['QUERY_STRING'] = escape_query(CGI::parse(querystring))
+              Rails.logger.warn e.message
+            end
+          end
+        when "POST", "PUT"
+          if req.media_type === 'multipart/form-data'
+            # TODO: implement support for multipart. The Rack multipart
+            # implementation doesn't support parsing and re-creating the
+            # mutlipart data so a custom implementation needs to be written
+          else
+            body = URI.unescape(req.body.read.encode('utf-8'))
+            unless body === ''
+              begin
+                Timeout::timeout(@timeout) do
+                  resp = @client.bulk_filter(body, @configuration_key)
+                  env['rack.input'] = StringIO.new(resp.output)
+                  case @log_destination
+                  when 'log'
+                    ::Prevoty::LOGGER << self.class.build_result(@mode, req, body, resp).to_json if resp.statistics.javascript_attributes > 0 || resp.statistics.javascript_protocols > 0 || resp.statistics.javascript_tags > 0
+                  when 'callback'
+                    @callback.call(self.class.build_result(@mode, req, body, resp).to_json) if !@callback.nil? && (resp.statistics.javascript_attributes > 0 || resp.statistics.javascript_protocols > 0 || resp.statistics.javascript_tags > 0)
+                  end
+                end
+              rescue Exception => e
+                env['rack.input'] = StringIO.new(escape_query(CGI::parse(body)))
+                Rails.logger.warn e.message
+              end
+            end
+          end
+
+          # clean any GET data passed
+          unless env['QUERY_STRING'] === ''
+            querystring = URI.unescape(env['QUERY_STRING'])
+            begin
+              Timeout::timeout(@timeout) do
+                resp = @client.bulk_filter(querystring, @configuration_key)
+                env['QUERY_STRING'] = URI.escape(resp.output)
+                case @log_destination
+                when 'log'
+                  ::Prevoty::LOGGER << self.class.build_result(@mode, req, querystring, resp).to_json if resp.statistics.javascript_attributes > 0 || resp.statistics.javascript_protocols > 0 || resp.statistics.javascript_tags > 0
+                when 'callback'
+                  @callback.call(self.class.build_result(@mode, req, querystring, resp).to_json) if !@callback.nil? && (resp.statistics.javascript_attributes > 0 || resp.statistics.javascript_protocols > 0 || resp.statistics.javascript_tags > 0)
+                end
+              end
+            rescue Exception => e
+              env['QUERY_STRING'] = escape_query(CGI::parse(querystring))
+              Rails.logger.warn e.message
+            end
+          end
+        else Rails.logger.warn "unknown method #{req.request_method}"
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/prevoty-rails.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'prevoty/rails/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "prevoty-rails"
+  spec.version       = Prevoty::Rails::VERSION
+  spec.authors       = ["Joe Rozner"]
+  spec.email         = ["joe@deadbytes.net"]
+  spec.summary       = %q{Prevoty rails plugin.}
+  spec.description   = %q{Plugin to add dropin support for Prevoty's content filter and SQL analysis.}
+  spec.homepage      = "https://www.prevoty.com"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "prevoty", "~> 1.2"
+  spec.add_dependency "rack", "~> 1.4"
+  # spec.add_dependency "actionpack" only for CSRF
+
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "pry", "~> 0.10"
+  spec.add_development_dependency "pry-byebug", "~> 3.0"
+end

metadata

@@ -0,0 +1,155 @@
+--- !ruby/object:Gem::Specification
+name: prevoty-rails
+version: !ruby/object:Gem::Version
+  version: 0.6.1
+platform: ruby
+authors:
+- Joe Rozner
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-08-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: prevoty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Plugin to add dropin support for Prevoty's content filter and SQL analysis.
+email:
+- joe@deadbytes.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/action_controller/request_forgery_protection.rb
+- lib/generators/prevoty/rails/USAGE
+- lib/generators/prevoty/rails/install_generator.rb
+- lib/generators/prevoty/rails/templates/prevoty_rails.rb
+- lib/prevoty-rails.rb
+- lib/prevoty/adapters.rb
+- lib/prevoty/build_query_result.rb
+- lib/prevoty/content_monitor.rb
+- lib/prevoty/content_payload.rb
+- lib/prevoty/logger.rb
+- lib/prevoty/monitor.rb
+- lib/prevoty/query_failure.rb
+- lib/prevoty/query_monitor.rb
+- lib/prevoty/query_payload.rb
+- lib/prevoty/query_violation.rb
+- lib/prevoty/rails/version.rb
+- lib/rack/content_middleware.rb
+- lib/rack/interceptor.rb
+- lib/rack/monitor_interceptor.rb
+- lib/rack/protect_interceptor.rb
+- prevoty-rails.gemspec
+homepage: https://www.prevoty.com
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Prevoty rails plugin.
+test_files: []
+has_rdoc: