rodsec 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3477d1c971df8c9705a43c33d749da2bcf32957b
+  data.tar.gz: 7a4533d4fbd215efaab0bad3c880c13765dcd77a
+SHA512:
+  metadata.gz: eaa19ddd357c6b7689c4a73e33fe7293f31f4a054f1459784f14b5dcce1a8ef5fb1f9afdcb5cbab0fdb4868e1f85a08d724a1f52c0dcce133ac414d3c253df83
+  data.tar.gz: 9fe83d648ab87829346874ac39dd37a2d1b9a795e152e5b35914af6e05e6eb31a49a0a3c223461ed22a38f4b2b3fff9bcc2bb64f93b5289a8447c21447874de7

data/.gitignore

@@ -0,0 +1,15 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+
+# local c extensions
+lib/rodsec/*.so

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rvmrc

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# This is an RVM Project .rvmrc file, used to automatically load the ruby
+# development environment upon cd'ing into the directory
+
+# First we specify our desired <ruby>[@<gemset>], the @gemset name is optional,
+# Only full ruby name is supported here, for short names use:
+#     echo "rvm use 2.5.1@rodsec" > .rvmrc
+environment_id="ruby-2.3.6@rodsec"
+
+# Uncomment the following lines if you want to verify rvm version per project
+# rvmrc_rvm_version="1.29.4 (latest)" # 1.10.1 seems like a safe start
+# eval "$(echo ${rvm_version}.${rvmrc_rvm_version} | __rvm_awk -F. '{print "[[ "$1*65536+$2*256+$3" -ge "$4*65536+$5*256+$6" ]]"}' )" || {
+#   echo "This .rvmrc file requires at least RVM ${rvmrc_rvm_version}, aborting loading."
+#   return 1
+# }
+
+# First we attempt to load the desired environment directly from the environment
+# file. This is very fast and efficient compared to running through the entire
+# CLI and selector. If you want feedback on which environment was used then
+# insert the word 'use' after --create as this triggers verbose mode.
+if [[ -d "${rvm_path:-$HOME/.rvm}/environments"
+  && -s "${rvm_path:-$HOME/.rvm}/environments/$environment_id" ]]
+then
+  \. "${rvm_path:-$HOME/.rvm}/environments/$environment_id"
+  for __hook in "${rvm_path:-$HOME/.rvm}/hooks/after_use"*
+  do
+    if [[ -f "${__hook}" && -x "${__hook}" && -s "${__hook}" ]]
+    then \. "${__hook}" || true
+    fi
+  done
+  unset __hook
+  if (( ${rvm_use_flag:=1} >= 2 )) # display only when forced
+  then
+    if [[ $- == *i* ]] # check for interactive shells
+    then printf "%b" "Using: $(tput setaf 2 2>/dev/null)$GEM_HOME$(tput sgr0 2>/dev/null)\n" # show the user the ruby and gemset they are using in green
+    else printf "%b" "Using: $GEM_HOME\n" # don't use colors in non-interactive shells
+    fi
+  fi
+else
+  # If the environment file has not yet been created, use the RVM CLI to select.
+  rvm --create  "$environment_id" || {
+    echo "Failed to create RVM environment '${environment_id}'."
+    return 1
+  }
+fi
+
+# If you use bundler, this might be useful to you:
+# if [[ -s Gemfile ]] && {
+#   ! builtin command -v bundle >/dev/null ||
+#   builtin command -v bundle | GREP_OPTIONS="" \command \grep $rvm_path/bin/bundle >/dev/null
+# }
+# then
+#   printf "%b" "The rubygem 'bundler' is not installed. Installing it now.\n"
+#   gem install bundler
+# fi
+# if [[ -s Gemfile ]] && builtin command -v bundle >/dev/null
+# then
+#   bundle install | GREP_OPTIONS="" \command \grep -vE '^Using|Your bundle is complete'
+# fi

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.5.0
+before_install: gem install bundler -v 1.15.1

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in rodsec.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 John Anderson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,147 @@
+# Rodsec
+
+An ffi wrapper for [ModSecurity](https://www.modsecurity.org/) Web Application
+Firewall. It will need a ruleset, most likely you'll want to use
+[OWASP ModSecurity Core Rule Set (CRS)](https://coreruleset.org/).
+
+This gem also provides a Rack middleware which can return a 403 Forbidden
+response to bad requests, in many cases before your application code runs.
+
+## Installation
+
+Install [ModSecurity >= 3.0.0](https://www.modsecurity.org/download.html). This
+gem's native extensions will not compile without it. As of 23-Sep-2018, you may
+have to compile ModSecurity yourself, seems that distro packages of 3.0.0
+versions are not available.
+
+And now back to your scheduled gem installation dance. Add this line to your
+application's Gemfile:
+
+```ruby
+gem 'rodsec'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rodsec
+
+
+## Usage
+
+### ModSecurity config
+
+Copy ```spec/config/modsecurity.conf``` and ```spec/config/crs-setup.conf``` into a config directory
+in your app somewhere. These are pre-configured to signal an intervention on dodgy requests or
+responses - the rack middleware in this gem returns a 403 "Forbidden" in those cases.
+
+You should be able to use the config files as-is. Possibly decrease the paranoia
+level in ```crs-setup.conf``` from 3 to 1 or 2.
+
+Then you'll need a ruleset - start with the
+[OWASP CRS](https://github.com/SpiderLabs/owasp-modsecurity-crs/).
+
+Easiest is a directory structure like this:
+
+```
+config/
+  modsecurity.conf
+  crs-setup.conf
+  rules/
+    # copy files from OWASP CRS rules/*
+    REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+    ...
+    RESPONSE-980-CORRELATION.conf
+    ...
+    scanners-headers.data
+    ...
+```
+
+The location of your ```rules``` directory is configurable if you
+really need to - see comments in ```Rodsec::Rack``` source.
+
+Take a look at the ```*.example``` files in ```rules/```.
+
+Copying the rules files is a manual step because you really want to have at
+least some idea of what rules you've activated, and how to handle false
+positives. Search for ModSecurity and apache or nginx and you'll get lots to
+read.
+
+### Rack/Rails
+
+Now you can add a ```use``` line to your rack config. In plain rack this would
+be something like
+
+``` ruby
+use Rodsec::Rack, config: config_dir, log_blk: -> tag, str { p tag: tag, str: str }
+```
+
+See
+[official Rails docs](https://guides.rubyonrails.org/rails_on_rack.html#configuring-middleware-stack)
+on adding rack middleware to rails.
+
+You'll know it worked when you see "loading rules file" log messages showing up
+in your ```log_blk:``` lambda on application startup.
+
+### Standalone
+
+You can also use this gem without rack.
+
+``` ruby
+msc = Rodsec::Modsec.new do |tag, str|
+  # this block will be called with log strings from ModSecurity
+  puts tag, str
+end
+
+# load config files
+rule_set = Rodsec::ReadConfig.read_config config_dir, rules_dir do |tag, str|
+  p tag => str
+end
+
+# Now check one, or several, request/response cycles.
+# You'll need a new Transaction instance for each cycle.
+txn = Rodsec::Transaction.new msc, rule_set, txn_log_tag: 'my_first_transaction'
+begin
+  # method calls MUST be in this order
+  txn.connection! ...
+  txn.uri! ...
+  txn.request_headers! ...
+  txn.request_body! ...
+  txn.response_headers! ...
+  txn.response_body! ...
+
+  txn.logging
+rescue Rodsec::Intervention => iex
+  # a good place to do some logging...
+  puts iex.msi.to_h # so you can see what fields are available
+  puts "http_status: #{iex.msi.status}"
+end
+```
+
+## Acknowledgements
+
+Thanks to [NETSTOCK](https://www.netstock.co/) for funding development.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`rake spec` to run the tests. You can also run `bin/console` for an interactive
+prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To
+release a new version, update the version number in `version.rb`, and then run
+`bundle exec rake release`, which will create a git tag for the version, push
+git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/djellemah/rodsec.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,15 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+# from rake-compiler gem https://github.com/rake-compiler/rake-compiler
+require 'rake/extensiontask'
+gs = Gem::Specification.load 'rodsec.gemspec'
+Rake::ExtensionTask.new 'msc_intervention', gs do |ext|
+  ext.lib_dir = 'lib/rodsec'
+end
+
+task :spec => :compile
+task :default => :spec
+task :build => :compile

data/bin/console

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+# require "bundler/setup"
+$: << "#{__dir__}/../lib"
+require "rodsec"
+
+# You can add fixtures and/or initialization code here to make experimenting easier
+
+require 'pry'
+Pry.start Object.new.extend(Rodsec)

data/bin/setup

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here
+rake compile

data/examples/body.yml

@@ -0,0 +1,5 @@
+# this will trigger the rules
+- java.sql.SQLException
+# this won't
+- wp-config.temp
+- He walked away from the confrontation feeling angry and roiled, but at least somewhat vindicated.

data/examples/modsec.ru

@@ -0,0 +1,40 @@
+#!/usr/bin/env rackup
+
+require 'pathname'
+require 'yaml'
+require 'rack/session/cookie.rb'
+
+$: << (Pathname(__dir__).parent + 'lib').realpath.to_s
+
+require 'rack'
+require 'rodsec/rack'
+
+rules_dir = (Pathname __dir__).parent.parent + 'owasp-modsecurity-crs/rules'
+config_dir = (Pathname __dir__).parent + 'spec/config'
+
+log_blk = lambda do |tag, str |
+  p tag: tag, str: str
+end
+
+use Rodsec::Rack, config: config_dir, rules: rules_dir, log_blk: log_blk
+use Rack::Session::Cookie, secret: 'fairy sikrit'
+
+fn = Proc.new do |env|
+  if (session = env['rack.session'])&.any?
+    log_blk.call __FILE__, session.to_h
+  end
+
+  case env['REQUEST_METHOD']
+  when 'POST'
+    body = env['rack.input'].read
+    ['200', {'Content-Type' => 'text/plain'}, [body]]
+
+  when 'GET'
+    body = YAML.load_file Pathname(__dir__) + 'body.yml'
+    ['200', {'Content-Type' => 'text/plain'}, body]
+  else
+    ['200', {}, []]
+  end
+end
+
+run fn

data/ext/msc_intervention/extconf.rb

@@ -0,0 +1,8 @@
+require 'mkmf'
+pkg_config 'modsecurity'
+
+# don't need piles of debug info. Or maybe we do. Dunno.
+CONFIG['debugflags'] = ''
+
+# argument is the directory in which the .so file will be put
+create_makefile 'rodsec/msc_intervention'

data/ext/msc_intervention/msc_intervention.cc

@@ -0,0 +1,48 @@
+#include <stdlib.h>
+#include <new>
+
+#include "modsecurity/intervention.h"
+
+namespace modsecurity {
+
+/**
+ * @name    msc_new_intervention
+ * @brief   allocate a new ModSecurityIntervention
+ *
+
+ * For languages that need to access interventions via ffi. So no need to put it
+ * in a header file.
+
+ *
+ * @returns a pointer to a clean ModSecurityIntervention,
+ * or NULL if the allocation failed.
+ *
+ */
+extern "C" ModSecurityIntervention * msc_new_intervention() {
+	try {
+		ModSecurityIntervention * rv = new ModSecurityIntervention();
+		// It's actually just a struct, so initialize it to zero values,
+		// although status is set to 200 ¯\_(ツ)_/¯
+		modsecurity::intervention::clean(rv);
+		return rv;
+	}
+	catch (const std::bad_alloc&) {
+		return NULL;
+	}
+}
+
+/**
+ * @name    msc_free_intervention
+ * @brief   free a ModSecurityIntervention pointer
+ *
+ * For languages that need to access interventions via ffi. So no need to put it
+ * in a header file.
+ *
+ */
+extern "C" void msc_free_intervention(ModSecurityIntervention *it) {
+	// free the url and log pointers if they're assigned
+	modsecurity::intervention::free(it);
+	delete it;
+}
+
+} // namespace modsecurity

data/lib/rodsec.rb

@@ -0,0 +1,18 @@
+require "rodsec/version"
+require 'rodsec/modsec'
+require 'rodsec/rule_set'
+require 'rodsec/transaction'
+require 'rodsec/read_config'
+
+module Rodsec
+  class Error < StandardError; end
+
+  class Intervention < StandardError
+    def initialize msi
+      @msi = msi
+      super()
+    end
+
+    attr_reader :msi
+  end
+end

data/lib/rodsec/modsec.rb

@@ -0,0 +1,60 @@
+require_relative 'wrapper'
+require_relative 'version'
+require_relative 'string_pointers'
+
+module Rodsec
+  class Modsec
+    def initialize &log_blk
+      @msc_ptr = Wrapper.msc_init
+      @msc_ptr.free = Wrapper['msc_cleanup']
+
+      Wrapper.msc_set_connector_info @msc_ptr, (strptr info_string)
+
+      logger_fn &log_blk
+    end
+
+    include StringPointers
+
+    attr_reader :msc_ptr
+
+    # Given a block, this will set the logger callback.
+    # With no block, it will return the current logger callback, which may be nil.
+    # 'ModSecLogCb', 'void (*) (void *, const void *)'
+    # msc_set_log_cb(ModSecurity *msc, ModSecLogCb cb)
+    def logger_fn &log_blk
+      if block_given?
+        # set the logger callback
+        #
+        # NOTENOTE logger_fn and logger_closure must NOT be garbage-collected,
+        # otherwise callbacks from C to logger_fn will segfault. Also,
+        # Fiddle::Function seems to not keep a reference its closure argument,
+        # so hang on to that too.
+
+        return_type = Fiddle::TYPE_VOID
+        arg_types = Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP
+
+        # txn_log_tag is set in the contructor of Transaction.
+        @logger_closure = Fiddle::Closure::BlockCaller.new return_type, arg_types do |txn_log_tag, log_str_ptr|
+          log_blk.call txn_log_tag.to_s, log_str_ptr.to_s
+        end
+
+        @logger_fn = Fiddle::Function.new @logger_closure, arg_types, return_type
+        Wrapper.msc_set_log_cb @msc_ptr, @logger_fn
+      else
+        # return the logger callback, might be nil
+        @logger_fn
+      end
+    end
+
+    # given to ModSecurity.
+    # should be in the form ConnectorName vX.Y.Z-tag (something else)
+    def info_string
+      "Rodsec v#{VERSION}"
+    end
+
+    # information about the version of libmodsecurity
+    def version_info
+      (Wrapper.msc_who_am_i @msc_ptr).to_s
+    end
+  end
+end