RubyGems - sqreen-alt - Versions diffs - 1.11.0 → 1.11.1 - Mend

sqreen-alt 1.11.0 → 1.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

checksums.yaml +4 -4
data/lib/sqreen.rb +0 -1
data/lib/sqreen/callback_tree.rb +38 -20
data/lib/sqreen/callbacks.rb +6 -4
data/lib/sqreen/conditionable.rb +3 -3
data/lib/sqreen/frameworks/generic.rb +38 -18
data/lib/sqreen/frameworks/request_recorder.rb +0 -2
data/lib/sqreen/instrumentation.rb +217 -160
data/lib/sqreen/performance_notifications.rb +10 -36
data/lib/sqreen/performance_notifications/log.rb +1 -2
data/lib/sqreen/performance_notifications/log_performance.rb +1 -2
data/lib/sqreen/performance_notifications/metrics.rb +1 -2
data/lib/sqreen/performance_notifications/newrelic.rb +1 -2
data/lib/sqreen/remote_command.rb +7 -7
data/lib/sqreen/rule_callback.rb +4 -0
data/lib/sqreen/rules.rb +2 -2
data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb +7 -1
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +3 -3
data/lib/sqreen/rules_callbacks/blacklist_ips.rb +1 -1
data/lib/sqreen/rules_callbacks/count_http_codes.rb +7 -6
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +1 -1
data/lib/sqreen/rules_callbacks/custom_error.rb +2 -5
data/lib/sqreen/rules_callbacks/execjs.rb +76 -37
data/lib/sqreen/rules_callbacks/headers_insert.rb +1 -1
data/lib/sqreen/rules_callbacks/inspect_rule.rb +3 -3
data/lib/sqreen/rules_callbacks/matcher_rule.rb +18 -17
data/lib/sqreen/rules_callbacks/rails_parameters.rb +1 -1
data/lib/sqreen/rules_callbacks/record_request_context.rb +9 -8
data/lib/sqreen/rules_callbacks/reflected_xss.rb +40 -34
data/lib/sqreen/rules_callbacks/regexp_rule.rb +13 -4
data/lib/sqreen/rules_callbacks/shell_env.rb +2 -2
data/lib/sqreen/rules_callbacks/url_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +1 -1
data/lib/sqreen/session.rb +1 -1
data/lib/sqreen/shared_storage.rb +16 -12
data/lib/sqreen/{stats.rb → shared_storage23.rb} +3 -11
data/lib/sqreen/version.rb +1 -1
metadata +4 -4

data/lib/sqreen/rules_callbacks/headers_insert.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     # Display sqreen presence
     class HeadersInsertCB < RuleCB
-      def post(rv, _inst, *_args, &_block)
+      def post(rv, _inst, _args, _budget = nil, &_block)
         return unless rv && rv.respond_to?(:[]) && rv[1].is_a?(Hash)
         return nil unless @data
         headers = @data['values'] || []

data/lib/sqreen/rules_callbacks/inspect_rule.rb CHANGED Viewed

@@ -6,17 +6,17 @@ require 'sqreen/rule_callback'
 module Sqreen
   module Rules
     class InspectRuleCB < RuleCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
         Sqreen.log.debug { args.map(&:inspect).join(' ') }
       end
-      def post(rv, _inst, *_args, &_block)
+      def post(rv, _inst, _args, _budget = nil, &_block)
         Sqreen.log.debug { ">> #{rv.inspect} #{@klass} #{@method} #{Thread.current}" }
         byebug if defined? byebug && @data.is_a?(Hash) && @data[:break] == 1
       end
-      def failing(rv, _inst, *_args, &_block)
+      def failing(rv, _inst, _args, _budget = nil, &_block)
         Sqreen.log.debug { "># #{rv.inspect} #{@klass} #{@method} #{Thread.current}" }
         byebug if defined? byebug && @data.is_a?(Hash) && @data[:break] == 1
       end

data/lib/sqreen/rules_callbacks/matcher_rule.rb CHANGED Viewed

@@ -13,11 +13,12 @@ module Sqreen
         res |= Regexp::MULTILINE  if options.include?('multiline')
         res |= Regexp::IGNORECASE unless case_sensitive
         r = Regexp.compile(value, res)
-        r.match("")
+        r.match('')
         r
       end
       ANYWHERE_OPT = 'anywhere'.freeze
+      MATCH_PREDICATE = Regexp.new('').respond_to?(:match?)
       def prepare(patterns)
         @string = {}
         @regexp_patterns = []
@@ -52,12 +53,13 @@ module Sqreen
               val.downcase!
             end
-            unless @funs.keys.include?(opt)
+            way = @funs[opt]
+            unless way
               Sqreen.log.debug { "Error: unknown string option '#{opt}' " }
               next
             end
-            @string[opt] = { :ci => [], :cs => [] } unless @string.key?(opt)
-            @string[opt][case_type] << val
+            @string[way] = { :ci => [], :cs => [] } unless @string.key?(way)
+            @string[way][case_type] << val
             sizes << entry.fetch('min_length') { val.size }
           when 'regexp'
             pattern = Matcher.prepare_re_pattern(val, opt, case_sensitive)
@@ -81,17 +83,9 @@ module Sqreen
         str = enforce_encoding(str) unless str.ascii_only?
         istr = str.downcase unless @string.empty?
-        @string.each do |type, cases|
-          fun = @funs[type]
-          if fun.nil?
-            Sqreen.log.debug { "no matching function found for type #{type}" }
-          end
+        @string.each do |fun, cases|
           cases.each do |case_type, patterns|
-            input_str = if case_type == :ci
-                          istr
-                        else
-                          str
-                        end
+            input_str = case_type == :ci ? istr : str
             patterns.each do |pat|
               return pat if fun.call(pat, input_str)
             end
@@ -99,9 +93,16 @@ module Sqreen
         end
         if defined?(Encoding)
-          @regexp_patterns.each do |p|
-            next unless Encoding.compatible?(p, str)
-            return p if p.match(str)
+          if MATCH_PREDICATE
+            @regexp_patterns.each do |p|
+              next unless Encoding.compatible?(p, str)
+              return p if p.match?(str)
+            end
+          else
+            @regexp_patterns.each do |p|
+              next unless Encoding.compatible?(p, str)
+              return p if p.match(str)
+            end
           end
         else
           @regexp_patterns.each do |p|

data/lib/sqreen/rules_callbacks/rails_parameters.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require 'sqreen/rule_callback'
 module Sqreen
   module Rules
     class RailsParametersCB < RuleCB
-      def pre(_inst, *_args, &_block)
+      def pre(_inst, _args, _budget = nil, &_block)
         advise_action(nil)
       end
     end

data/lib/sqreen/rules_callbacks/record_request_context.rb CHANGED Viewed

@@ -2,39 +2,40 @@
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 require 'sqreen/rule_callback'
-require 'sqreen/instrumentation'
 module Sqreen
   module Rules
     # Save request context for handling further down
     class RecordRequestContext < RuleCB
-      def whitelisted?
-        false
+      WHITELISTED_METRIC = 'whitelisted'.freeze
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
       end
-      def overtime!
+      def whitelisted?
         false
       end
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         framework.store_request(args[0])
         wh = framework.whitelisted_match
         if wh
           unless Sqreen.features.key?('whitelisted_metric') &&
                  !Sqreen.features['whitelisted_metric']
-            record_observation(Instrumentation::WHITELISTED_METRIC, wh, 1)
+            record_observation(WHITELISTED_METRIC, wh, 1)
           end
           Sqreen.log.debug { "Request was whitelisted because of #{wh}" }
         end
         advise_action(nil)
       end
-      def post(_rv, _inst, *_args, &_block)
+      def post(_rv, _inst, _args, _budget = nil, &_block)
         framework.clean_request
         advise_action(nil)
       end
-      def failing(_exception, _inst, *_args, &_block)
+      def failing(_exception, _inst, _args, _budget = nil, &_block)
         framework.clean_request
         advise_action(nil)
       end

data/lib/sqreen/rules_callbacks/reflected_xss.rb CHANGED Viewed

@@ -37,7 +37,7 @@ module Sqreen
       end
     end
     class ReflectedUnsafeXSSCB < XSSCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         value = args[0]
         return unless value.is_a?(String)
@@ -61,7 +61,7 @@ module Sqreen
     end
     # look for reflected XSS with erb template engine
     class ReflectedXSSCB < XSSCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         value = args[0]
         return unless value.is_a?(String)
@@ -90,7 +90,7 @@ module Sqreen
     #                            escape_html, nuke_inner_whitespace,
     #                            interpolated, ugly)
     class ReflectedXSSHamlCB < XSSCB
-      def post(ret, _inst, *_args, &_block)
+      def post(ret, _inst, _args, _budget = nil, &_block)
         value = ret
         return unless value.is_a?(String)
@@ -109,7 +109,12 @@ module Sqreen
     # Hook into haml4 script parser
     class Haml4ParserScriptHookCB < RuleCB
-      def pre(_inst, *args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def pre(_inst, args, _budget = nil, &_block)
         return unless args.size > 1
         return unless Haml::VERSION < '5'
         text = args[0]
@@ -121,15 +126,16 @@ module Sqreen
         end
         nil
       end
-      def overtime!
-        false
-      end
     end
     # Hook into haml4 tag parser
     class Haml4ParserTagHookCB < RuleCB
-      def post(ret, _inst, *_args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def post(ret, _inst, _args, _budget = nil, &_block)
         return unless Haml::VERSION < '5'
         tag = ret
         if tag.value[:escape_html] == false &&
@@ -140,14 +146,15 @@ module Sqreen
         end
         nil
       end
-      def overtime!
-        false
-      end
     end
     class Haml4UtilInterpolationHookCB < RuleCB
-      def pre(_inst, *args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def pre(_inst, args, _budget = nil, &_block)
         # Also work in haml5
         str = args[0]
         escape_html = args[1]
@@ -167,15 +174,16 @@ module Sqreen
         end
         { :status => :skip, :new_return_value => res + rest }
       end
-      def overtime!
-        false
-      end
     end
     # Hook build attributes
     class Haml4CompilerBuildAttributeCB < XSSCB
-      def pre(inst, *args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def pre(inst, args, _budget = nil, &_block)
         return unless Haml::VERSION < '5'
         attrs = args[-1]
         params = xss_params
@@ -217,38 +225,36 @@ module Sqreen
         end
         [new_h, has_xss]
       end
-      def overtime!
-        false
-      end
     end
     class Haml5EscapableHookCB < RuleCB
-      def pre(_inst, *args, &_block)
-        args[0] = "Sqreen.escape_haml((#{args[0]}))"
-        { :status => :modify_args, :args => args }
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
       end
-      def overtime!
-        false
+      def pre(_inst, args, _budget = nil, &_block)
+        args[0] = "Sqreen.escape_haml((#{args[0]}))"
+        { :status => :modify_args, :args => args }
       end
     end
     # Hook into temple template rendering
     class TempleEscapableHookCB < RuleCB
-      def post(ret, _inst, *_args, &_block)
-        ret[1] = "Sqreen.escape_temple((#{ret[1]}))"
-        { :status => :override, :new_return_value => ret }
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
       end
-      def overtime!
-        false
+      def post(ret, _inst, _args, _budget = nil, &_block)
+        ret[1] = "Sqreen.escape_temple((#{ret[1]}))"
+        { :status => :override, :new_return_value => ret }
       end
     end
     # Hook into temple template rendering
     class SlimSplatBuilderCB < XSSCB
-      def pre(inst, *args, &_block)
+      def pre(inst, args, _budget = nil, &_block)
         value = args[0]
         return if value.nil?

data/lib/sqreen/rules_callbacks/regexp_rule.rb CHANGED Viewed

@@ -25,11 +25,20 @@ module Sqreen
         end
       end
-      def match_regexp(str)
-        @patterns.each do |pattern|
-          return pattern if pattern.match(str)
+      if Regexp.new('').respond_to?(:match?)
+        def match_regexp(str)
+          @patterns.each do |pattern|
+            return pattern if pattern.match?(str)
+          end
+          nil
+        end
+      else
+        def match_regexp(str)
+          @patterns.each do |pattern|
+            return pattern if pattern.match(str)
+          end
+          nil
         end
-        nil
       end
     end
   end

data/lib/sqreen/rules_callbacks/shell_env.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     # Callback that detect nifty env in system calls
     class ShellEnvCB < RegexpRuleCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         return if args.size == 0
         env = args.first
         return unless env.is_a?(Hash)
@@ -23,7 +23,7 @@ module Sqreen
           :variable_value => value,
           :found => found,
         }
-        Sqreen.log.warn "presence of a shell env tampering: #{infos.inspect}"
+        Sqreen.log.warn { "presence of a shell env tampering: #{infos.inspect}" }
         record_event(infos)
         advise_action(:raise)
       end

data/lib/sqreen/rules_callbacks/url_matches.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Sqreen
     #  - the path is a typical bot scanning request
     # Then we deny the ressource and record the attack.
     class URLMatchesCB < RegexpRuleCB
-      def post(rv, _inst, *args, &_block)
+      def post(rv, _inst, args, _budget = nil, &_block)
         return unless rv.is_a?(Array) && rv.size > 0 && rv[0] == 404
         env = args[0]
         path = env['SCRIPT_NAME'].to_s + env['PATH_INFO'].to_s

data/lib/sqreen/rules_callbacks/user_agent_matches.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     # Look for badly behaved clients
     class UserAgentMatchesCB < RegexpRuleCB
-      def pre(_inst, *_args, &_block)
+      def pre(_inst, _args, _budget = nil, &_block)
         ua = framework.client_user_agent
         return unless ua
         found = match_regexp(ua)

data/lib/sqreen/session.rb CHANGED Viewed

@@ -134,7 +134,7 @@ module Sqreen
     def resiliently(retry_request_seconds, max_retry, current_retry = 0)
       return yield
     rescue => e
-      Sqreen.log.debug(e.inspect)
+      Sqreen.log.debug { e.inspect }
       current_retry += 1

data/lib/sqreen/shared_storage.rb CHANGED Viewed

@@ -2,30 +2,34 @@
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
+  # dedicated local storage
   module SharedStorage
-    def self::get(key, default = nil)
-      h = Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"]
-      return h.fetch(key, default) if h
-      default
+    unless RUBY_VERSION >= '2.3.0'
+      def self.get(key)
+        h = Thread.current[:sqreen_shared_storage]
+        h[key] if h
+      end
     end
-    def self::set(key, obj)
-      Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"] ||= {}
-      Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"][key] = obj
+    def self.set(key, obj)
+      Thread.current[:sqreen_shared_storage] ||= {}
+      Thread.current[:sqreen_shared_storage][key] = obj
     end
     def self.clear
-      return unless Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"].is_a?(Hash)
-      Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"].clear
+      return unless Thread.current[:sqreen_shared_storage].is_a?(Hash)
+      Thread.current[:sqreen_shared_storage].clear
     end
     def self.inc(value)
-      set(value, get(value, 0) + 1)
+      set(value, (get(value) || 0) + 1)
     end
     def self.dec(value)
-      set(value, get(value, 0) - 1)
+      set(value, (get(value) || 0) - 1)
     end
   end
 end
+# Change SharedStorage.get if ruby is actually newer
+require 'sqreen/shared_storage23' if RUBY_VERSION >= '2.3.0'

data/lib/sqreen/{stats.rb → shared_storage23.rb} RENAMED Viewed

@@ -2,17 +2,9 @@
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  @@stats = nil
-  def self::stats
-    @@stats ||= Stats.new
-  end
-  class Stats
-    attr_accessor :callbacks_calls
-    def initialize
-      @callbacks_calls = 0
+  module SharedStorage
+    def self.get(key)
+      Thread.current[:sqreen_shared_storage]&.[](key)
     end
   end
 end