RubyGems - sqreen-alt - Versions diffs - 1.10.0 - Mend

sqreen-alt 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

checksums.yaml +7 -0
data/CODE_OF_CONDUCT.md +22 -0
data/README.md +77 -0
data/Rakefile +20 -0
data/lib/sqreen-alt.rb +1 -0
data/lib/sqreen.rb +68 -0
data/lib/sqreen/attack_detected.html +2 -0
data/lib/sqreen/binding_accessor.rb +288 -0
data/lib/sqreen/ca.crt +72 -0
data/lib/sqreen/call_countable.rb +67 -0
data/lib/sqreen/callback_tree.rb +78 -0
data/lib/sqreen/callbacks.rb +100 -0
data/lib/sqreen/capped_queue.rb +23 -0
data/lib/sqreen/condition_evaluator.rb +235 -0
data/lib/sqreen/conditionable.rb +50 -0
data/lib/sqreen/configuration.rb +168 -0
data/lib/sqreen/context.rb +26 -0
data/lib/sqreen/deliveries/batch.rb +84 -0
data/lib/sqreen/deliveries/simple.rb +39 -0
data/lib/sqreen/event.rb +16 -0
data/lib/sqreen/events/attack.rb +61 -0
data/lib/sqreen/events/remote_exception.rb +54 -0
data/lib/sqreen/events/request_record.rb +62 -0
data/lib/sqreen/exception.rb +34 -0
data/lib/sqreen/frameworks.rb +40 -0
data/lib/sqreen/frameworks/generic.rb +446 -0
data/lib/sqreen/frameworks/rails.rb +148 -0
data/lib/sqreen/frameworks/rails3.rb +36 -0
data/lib/sqreen/frameworks/request_recorder.rb +69 -0
data/lib/sqreen/frameworks/sinatra.rb +57 -0
data/lib/sqreen/frameworks/sqreen_test.rb +26 -0
data/lib/sqreen/instrumentation.rb +542 -0
data/lib/sqreen/log.rb +119 -0
data/lib/sqreen/metrics.rb +6 -0
data/lib/sqreen/metrics/average.rb +39 -0
data/lib/sqreen/metrics/base.rb +45 -0
data/lib/sqreen/metrics/collect.rb +22 -0
data/lib/sqreen/metrics/sum.rb +20 -0
data/lib/sqreen/metrics_store.rb +96 -0
data/lib/sqreen/middleware.rb +34 -0
data/lib/sqreen/payload_creator.rb +137 -0
data/lib/sqreen/performance_notifications.rb +86 -0
data/lib/sqreen/performance_notifications/log.rb +36 -0
data/lib/sqreen/performance_notifications/metrics.rb +36 -0
data/lib/sqreen/performance_notifications/newrelic.rb +36 -0
data/lib/sqreen/remote_command.rb +93 -0
data/lib/sqreen/rule_attributes.rb +26 -0
data/lib/sqreen/rule_callback.rb +108 -0
data/lib/sqreen/rules.rb +126 -0
data/lib/sqreen/rules_callbacks.rb +29 -0
data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb +77 -0
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +79 -0
data/lib/sqreen/rules_callbacks/blacklist_ips.rb +44 -0
data/lib/sqreen/rules_callbacks/count_http_codes.rb +40 -0
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +24 -0
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +24 -0
data/lib/sqreen/rules_callbacks/custom_error.rb +64 -0
data/lib/sqreen/rules_callbacks/execjs.rb +241 -0
data/lib/sqreen/rules_callbacks/headers_insert.rb +22 -0
data/lib/sqreen/rules_callbacks/inspect_rule.rb +25 -0
data/lib/sqreen/rules_callbacks/matcher_rule.rb +138 -0
data/lib/sqreen/rules_callbacks/rails_parameters.rb +14 -0
data/lib/sqreen/rules_callbacks/record_request_context.rb +39 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +254 -0
data/lib/sqreen/rules_callbacks/regexp_rule.rb +36 -0
data/lib/sqreen/rules_callbacks/shell_env.rb +32 -0
data/lib/sqreen/rules_callbacks/url_matches.rb +25 -0
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +22 -0
data/lib/sqreen/rules_signature.rb +151 -0
data/lib/sqreen/runner.rb +365 -0
data/lib/sqreen/runtime_infos.rb +138 -0
data/lib/sqreen/safe_json.rb +60 -0
data/lib/sqreen/sdk.rb +22 -0
data/lib/sqreen/serializer.rb +46 -0
data/lib/sqreen/session.rb +317 -0
data/lib/sqreen/shared_storage.rb +31 -0
data/lib/sqreen/stats.rb +18 -0
data/lib/sqreen/version.rb +5 -0
metadata +148 -0

data/lib/sqreen/ca.crt ADDED

@@ -0,0 +1,72 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
+RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
+PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
+xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
+Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
+EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
+nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
+eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
+hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
+Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
+vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
++OkuE6N36B9K
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIQGKy1av1pthU6Y2yv2vrEoTANBgkqhkiG9w0BAQUFADBY
+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UEAxMo
+R2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEx
+MjcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQK
+Ew1HZW9UcnVzdCBJbmMuMTEwLwYDVQQDEyhHZW9UcnVzdCBQcmltYXJ5IENlcnRp
+ZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvrgVe//UfH1nrYNke8hCUy3f9oQIIGHWAVlqnEQRr+92/ZV+zmEwu3qDXwK9
+AWbK7hWNb6EwnL2hhZ6UOvNWiAAxz9juapYC2e0DjPt1befquFUWBRaa9OBesYjA
+ZIVcFU2Ix7e64HXprQU9nceJSOC7KMgD4TCTZF5SwFlwIjVXiIrxlQqD17wxcwE0
+7e9GceBrAqg1cmuXm2bgyxx5X9gaBGgeRwLmnWDiNpcB3841kt++Z8dtd1k7j53W
+kBWUvEI0EME5+bEnPn7WinXFsq+W06Lem+SYvn3h6YGttm/81w7a4DSwDRp35+MI
+mO9Y+pyEtzavwt+s0vQQBnBxNQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULNVQQZcVi/CPNmFbSvtr2ZnJM5IwDQYJ
+KoZIhvcNAQEFBQADggEBAFpwfyzdtzRP9YZRqSa+S7iq8XEN3GHHoOo0Hnp3DwQ1
+6CePbJC/kRYkRj5KTs4rFtULUh38H2eiAkUxT87z+gOneZ1TatnaYzr4gNfTmeGl
+4b7UVXGYNTq+k+qurUKykG/g/CFNNWMziUnWm07Kx+dOCQD32sfvmWKZd7aVIl6K
+oKv0uHiYyjgZmclynnjNS6yvGaBzEi38wkG6gZHaFloxt/m0cYASSJlyc1pZU8Fj
+UjPtp8nSOQJw+uCxQmYpqptR7TBUIhRf2asdweSU8Pj1K/fqynhG1riR/aYNKxoU
+AT6A8EKglQdebc3MS6RFjasS6LPeWuWgfOgPIh1a6Vk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
+nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
+t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
+SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
+BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
+NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
+BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
+aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
+MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
+p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
+5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
+WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
+4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
+hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
+-----END CERTIFICATE-----

data/lib/sqreen/call_countable.rb ADDED

@@ -0,0 +1,67 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+module Sqreen
+  # A module that will dynamically had call_counts to the pre/post/failing
+  # callbacks
+  module CallCountable
+    # Hook the necessary callback function
+    # The module being decorated is expected to have a
+    # record_observation & rulespack_id & rule_name method available (like RuleCallback)
+    #
+    # @param count [Hash] hash of callback names => count
+    def count_callback_calls(count)
+      base = self.class
+      @call_count_interval = 0
+      return if count.to_i == 0
+      @call_counts = {}
+      @call_count_interval = count
+      @call_count_names = {}
+      %w(pre post failing).each do |cb|
+        next unless base.method_defined?(cb)
+        @call_counts[cb] = 0
+        @call_count_names[cb] = "#{rulespack_id}/#{rule_name}/#{cb}".freeze
+        defd = base.instance_variable_defined?("@call_count_hooked_#{cb}")
+        next if defd && base.instance_variable_get("@call_count_hooked_#{cb}")
+        base.send(:alias_method, "#{cb}_without_count", cb)
+        base.send(:alias_method, cb, "#{cb}_with_count")
+        base.instance_variable_set("@call_count_hooked_#{cb}", true)
+      end
+    end
+    PRE = 'pre'.freeze
+    POST = 'post'.freeze
+    FAILING = 'failing'.freeze
+    COUNT_CALLS = 'sqreen_call_counts'.freeze
+    def pre_with_count(inst, *args, &block)
+      ret = pre_without_count(inst, *args, &block)
+      count_calls('pre')
+      ret
+    end
+    def post_with_count(rv, inst, *args, &block)
+      ret = post_without_count(rv, inst, *args, &block)
+      count_calls('post')
+      ret
+    end
+    def failing_with_count(rv, inst, *args, &block)
+      ret = failing_without_count(rv, inst, *args, &block)
+      count_calls('failing')
+      ret
+    end
+    attr_reader :call_counts
+    attr_reader :call_count_interval
+    protected
+    def count_calls(what)
+      return unless @call_count_interval > 0
+      new_value = (@call_counts[what] += 1)
+      return unless new_value % call_count_interval == 0
+      @call_counts[what] = 0
+      record_observation(COUNT_CALLS, @call_count_names[what], new_value)
+    end
+  end
+end

data/lib/sqreen/callback_tree.rb ADDED

@@ -0,0 +1,78 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/log'
+module Sqreen
+  class CBTree
+    include Enumerable
+    # Callbacks tree:
+    # class
+    # methods
+    # position
+    def initialize
+      @by_class = {}
+    end
+    def add(cb)
+      @by_class[cb.klass] = {} unless @by_class[cb.klass]
+      cb_klass = @by_class[cb.klass]
+      unless cb_klass[cb.method]
+        cb_klass[cb.method] = { :pre => [], :post => [], :failing => [] }
+      end
+      methods = cb_klass[cb.method]
+      methods[:pre] << cb if cb.pre?
+      methods[:post] << cb if cb.post?
+      methods[:failing] << cb if cb.failing?
+    end
+    def remove(cb)
+      types = @by_class[cb.klass][cb.method]
+      types[:pre].delete cb  if cb.pre?
+      types[:post].delete cb if cb.post?
+      types[:failing].delete cb if cb.failing?
+    end
+    def get(klass, method, type = nil)
+      k = @by_class[klass]
+      unless k
+        log(format('Error: no cb registered for class %s (%s)', klass.inspect, klass.class))
+        log(inspect)
+        return []
+      end
+      cbs = k[method]
+      unless cbs
+        log(format('Error: no cbs registered for method %s.%s', klass, method))
+        log(inspect)
+        return []
+      end
+      if type.nil?
+        res = Set.new
+        cbs.values.each do |v|
+          res += v
+        end
+        return res.to_a
+      else
+        return cbs[type]
+      end
+    end
+    def each
+      @by_class.each do |_klass, values|
+        values.each do |_method, cbs|
+          cbs.values.each do |cb_ary|
+            cb_ary.each do |cb|
+              yield cb
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/callbacks.rb ADDED

@@ -0,0 +1,100 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'set'
+require 'sqreen/shared_storage'
+module Sqreen
+  class CB
+    # Callback class.
+    #
+    # Three methods can be defined:
+    # - pre(*args, &block)
+    #   To be called prior to the hooked method.
+    # - post(return_value, *args, &block)
+    #   To be called after the hooked method. The return_value argument is
+    #   the value returned by the hooked method.
+    # - failing(exception, ...)
+    #   To be called when the method raise
+    # The method pre, post and exception may return nil or a Hash.
+    #  - nil: the original method is called and the callback has no further
+    #    effect
+    #  - { :status => :skip }: we skip the original method call
+    #  - { :status => :raise}:
+    #
+    #  - nil: the original return value is returned, as if coallback had no
+    #    effect
+    #  - { :status => :raise}:
+    #  - { :status => :override }:
+    #
+    #  - nil: reraise
+    #  - { :status => :reraise }: reraise
+    #  - { :status => :override }: eat exception
+    #  - { :retry => :retry }: try the block again
+    #
+    #  CB can also declare that they are whitelisted and should not be run at the moment.
+    attr_reader :klass, :method
+    def initialize(klass, method)
+      @method = method
+      @klass = klass
+      @has_pre  = respond_to? :pre
+      @has_post = respond_to? :post
+      @has_failing = respond_to? :failing
+      raise(Sqreen::Exception, 'No callback provided') unless @has_pre || @has_post || @has_failing
+    end
+    def whitelisted?
+      false
+    end
+    def pre?
+      @has_pre
+    end
+    def post?
+      @has_post
+    end
+    def failing?
+      @has_failing
+    end
+    def to_s
+      format('#<%s: %s.%s>', self.class, @klass, @method)
+    end
+  end
+  # target_method, position, callback, callback class
+  class DefaultCB < CB
+    def pre(_inst, *args, &_block)
+      Sqreen.log.debug "<< #{@klass} #{@method} #{Thread.current}"
+      Sqreen.log.debug args.join ' '
+      # log params
+    end
+    def post(_rv, _inst, *_args, &_block)
+      # log "#{rv}"
+      Sqreen.log.debug ">> #{@klass} #{@method} #{Thread.current}"
+    end
+  end
+  class RunWhenCalledCB < CB
+    def initialize(klass, method, &block)
+      super(klass, method)
+      raise 'missing block' unless block_given?
+      @block = block
+    end
+    def pre(_inst, *_args, &_block)
+      # FIXME: implement this removal
+      @remove_me = true
+      @block.call
+    end
+  end
+end

data/lib/sqreen/capped_queue.rb ADDED

@@ -0,0 +1,23 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+module Sqreen
+  # A simple size limited queue.
+  # When trying to enqueue more than the capacity
+  # the older elements will get thrown
+  class CappedQueue < Queue
+    attr_reader :capacity
+    def initialize(capacity)
+      @capacity = capacity
+      super()
+    end
+    alias original_push push
+    def push(value)
+      pop until size < @capacity
+      original_push(value)
+    end
+  end
+end

data/lib/sqreen/condition_evaluator.rb ADDED

@@ -0,0 +1,235 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/binding_accessor'
+require 'sqreen/exception'
+module Sqreen
+  # Evaluate a condition, resolving literals using BindingAccessor.
+  #
+  #  { "%and" => ["true", "true"] } -> true
+  #  { "%or"  => ["true", "false"] } -> true
+  #  { "%and" => ["false", "true"] } -> false
+  #
+  #  { "%equal" => ["coucou", "#.args[0]"] } -> "coucou" == args[0]
+  #  { "%hash_val_include" => ["toto is a small guy", "#.request_params"] } ->
+  #       true if one value of request params in included
+  #       in the sentence 'toto is a small guy'.
+  #
+  # Combine expressions:
+  #  { "%or" =>
+  #    [
+  #      { "%hash_val_include" => ["AAA", "#.request_params"] },
+  #      { "%hash_val_include" => ["BBB", "#.request_params"] },
+  #    ]
+  #  }
+  # will return true if one of the request_params include either AAA or BBB.
+  #
+  class ConditionEvaluator
+    # Predicate: Is value deeply included in hash
+    # @params value [Object] object to find
+    # @params hash [Hash] Hash to search into
+    # @params min_value_size [Fixnum] to compare against
+    def self.hash_val_include?(value, hash, min_value_size, rem = 20)
+      return true if rem <= 0
+      vals = hash
+      vals = hash.values if hash.is_a?(Hash)
+      vals.any? do |hval|
+        case hval
+        when Hash, Array
+          ConditionEvaluator.hash_val_include?(value, hval,
+                                               min_value_size, rem - 1)
+        when NilClass
+          false
+        else
+          if hval.respond_to?(:empty?) && hval.empty?
+            false
+          else
+            v = hval.to_s
+            if v.size < min_value_size
+              false
+            else
+              ConditionEvaluator.str_include?(value.to_s, v)
+            end
+          end
+        end
+      end
+    end
+    # Predicate: Is one of values deeply present in keys of hash
+    # @params value [Array] Array of objects to find
+    # @params hash [Hash] Hash to search into
+    # @params min_value_size [Fixnum] to compare against
+    def self.hash_key_include?(values, hash, min_value_size, rem = 10)
+      return true if rem <= 0
+      if hash.is_a?(Array)
+        return hash.any? do |v|
+          ConditionEvaluator.hash_key_include?(values, v, min_value_size, rem - 1)
+        end
+      end
+      return false unless hash.is_a?(Hash)
+      hash.any? do |hkey, hval|
+        case hkey
+        when NilClass
+          false
+        else
+          if hkey.respond_to?(:empty?) && hkey.empty?
+            false
+          else
+            values.include?(hkey.to_s) || ConditionEvaluator.hash_key_include?(values, hval, min_value_size, rem - 1)
+          end
+        end
+      end
+    end
+    # Test is a str contains what. Rencode if necessary
+    def self.str_include?(str, what)
+      str1 = if str.encoding != Encoding::UTF_8
+               str.encode(Encoding::UTF_8, :invalid => :replace,
+                                           :undef => :replace)
+             else
+               str
+             end
+      str2 = if what.encoding != Encoding::UTF_8
+               what.encode(Encoding::UTF_8, :invalid => :replace,
+                                            :undef => :replace)
+             else
+               what
+             end
+      str1.include?(str2)
+    end
+    # Initialize evaluator
+    # @param cond [Hash] condition Hash
+    def initialize(cond)
+      unless cond == true || cond == false
+        unless cond.respond_to? :each
+          raise(Sqreen::Exception, "cond should be a Hash (was #{cond.class})")
+        end
+      end
+      @raw = cond
+      @compiled = compile_expr(cond, 10)
+    end
+    # Evaluate the condition
+    # @params *args: BindingAccessor evaluate arguments
+    def evaluate(*args)
+      evaluate_expr(@compiled, 10, *args)
+    end
+    protected
+    def compile_expr(exp, rem)
+      return exp if exp == true || exp == false
+      return true if exp.empty?
+      raise(Sqreen::Exception, 'too deep call detected') if rem <= 0
+      h = {}
+      exp.each do |op, values|
+        unless op.is_a? String
+          raise Sqreen::Exception, "op should be a String (was #{op.class})"
+        end
+        unless values.is_a?(Array)
+          raise Sqreen::Exception, "values should be an Array (was #{values.class})"
+        end
+        h[op] = values.map do |v|
+          case v
+          when Hash
+            compile_expr(v, rem - 1)
+          when 'true'
+            true
+          when 'false'
+            false
+          else
+            BindingAccessor.new(v.to_s)
+          end
+        end
+      end
+      h
+    end
+    EQ_OPERATOR       = '%equal'.freeze
+    NEQ_OPERATOR      = '%not_equal'.freeze
+    GTE_OPERATOR      = '%gte'.freeze
+    LTE_OPERATOR      = '%lte'.freeze
+    GT_OPERATOR       = '%gt'.freeze
+    LT_OPERATOR       = '%lt'.freeze
+    HASH_INC_OPERATOR = '%hash_val_include'.freeze
+    HASH_KEY_OPERATOR = '%hash_key_include'.freeze
+    INC_OPERATOR      = '%include'.freeze
+    OR_OPERATOR       = '%or'.freeze
+    AND_OPERATOR      = '%and'.freeze
+    OPERATORS_ARITY = {
+      HASH_INC_OPERATOR => 3,
+      HASH_KEY_OPERATOR => 3,
+      EQ_OPERATOR       => 2,
+      NEQ_OPERATOR      => 2,
+      INC_OPERATOR      => 2,
+      GTE_OPERATOR      => 2,
+      LTE_OPERATOR      => 2,
+      GT_OPERATOR       => 2,
+      LT_OPERATOR       => 2,
+    }.freeze
+    def evaluate_expr(exp, rem, *args)
+      return exp if exp == true || exp == false
+      return true if exp.empty?
+      raise(Sqreen::Exception, 'too deep call detected') if rem <= 0
+      exp.all? do |op, values|
+        res = values.map do |v|
+          case v
+          when Hash
+            evaluate_expr(v, rem - 1, *args)
+          when true, false
+            v
+          else
+            v.resolve(*args)
+          end
+        end
+        arity = OPERATORS_ARITY[op]
+        if !arity.nil? && res.size != arity
+          raise(Sqreen::Exception, "bad res #{res} (op #{op} wanted #{arity})")
+        end
+        bool = case op
+               when OR_OPERATOR
+                 res.any?
+               when AND_OPERATOR
+                 res.all?
+               when EQ_OPERATOR
+                 res[0] == res[1]
+               when NEQ_OPERATOR
+                 res[0] != res[1]
+               when GT_OPERATOR
+                 res[0] > res[1]
+               when GTE_OPERATOR
+                 res[0] >= res[1]
+               when LT_OPERATOR
+                 res[0] < res[1]
+               when LTE_OPERATOR
+                 res[0] <= res[1]
+               when INC_OPERATOR
+                 unless res[0].respond_to?(:include?)
+                   raise(Sqreen::Exception, "no include on res #{res[0].inspect}")
+                 end
+                 if res[0].is_a?(String)
+                   ConditionEvaluator.str_include?(res[0], res[1])
+                 else
+                   res[0].include?(res[1])
+                 end
+               when HASH_INC_OPERATOR
+                 ConditionEvaluator.hash_val_include?(res[0], res[1], res[2])
+               when HASH_KEY_OPERATOR
+                 ConditionEvaluator.hash_key_include?(res[0], res[1], res[2])
+               else
+                 # FIXME: this should be check in compile
+                 raise(Sqreen::Exception, "unknown op #{op})")
+               end
+        bool
+      end
+    end
+  end
+end