sqreen 0.1.0.pre → 0.7.01461158029

data/lib/sqreen/rules_callbacks/rails_parameters.rb

@@ -0,0 +1,14 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+
+module Sqreen
+  module Rules
+    class RailsParametersCB < RuleCB
+      def pre(_inst, *_args, &_block)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/record_request_context.rb

@@ -0,0 +1,23 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+
+module Sqreen
+  module Rules
+    # Save request context for handling further down
+    class RecordRequestContext < RuleCB
+      def pre(_inst, *args, &_block)
+        framework.store_request(args[0])
+      end
+
+      def post(_rv, _inst, *_args, &_block)
+        framework.clean_request
+      end
+
+      def failing(_exception, _inst, *_args, &_block)
+        framework.clean_request
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/reflected_xss.rb

@@ -0,0 +1,40 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'cgi'
+
+require 'sqreen/rules_callbacks/regexp_rule'
+
+module Sqreen
+  module Rules
+    # look for reflected XSS
+    class ReflectedXSSCB < RegexpRuleCB
+      def pre(_inst, *args, &_block)
+        value = args[0]
+        return if value.nil?
+        # If the value is not marked as html_safe, it will be escaped later
+        return unless value.html_safe?
+
+        # Sqreen::log.debug value
+        # Sqreen::log.debug params
+
+        return unless framework.params_include?(value)
+
+        Sqreen.log.debug { format('Found unescaped user param: %s', value) }
+
+        saved_value = value.dup
+        # potential XSS! let's escape
+        args[0].replace(CGI.escape_html(value)) if block
+        # The remaining code is only to find out if user entry was an attack,
+        # and record it. Since we don't rely on it to respond to user, it would
+        # be better to do it in background.
+        found = match_regexp(saved_value)
+
+        return unless found
+        infos = { :found => found }
+        record_event(infos)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/regexp_rule.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+
+module Sqreen
+  module Rules
+    # Generic regexp based matching
+    class RegexpRuleCB < RuleCB
+      def initialize(*args)
+        super(*args)
+        prepare
+      end
+
+      def prepare
+        @patterns = []
+        raw_patterns = @data['values']
+        if raw_patterns.nil?
+          msg = "no key 'values' in data (had #{@data.keys})"
+          raise Sqreen::Exception, msg
+        end
+
+        @patterns = raw_patterns.map do |pattern|
+          Regexp.compile(pattern, Regexp::IGNORECASE)
+        end
+      end
+
+      def match_regexp(str)
+        @patterns.each do |pattern|
+          return pattern if pattern.match(str)
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/shell.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+require 'sqreen/detect'
+
+module Sqreen
+  module Rules
+    # Look for Shell injections
+    class ShellCB < RuleCB
+      def pre(_inst, *args, &_block)
+        Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
+        Sqreen.log.debug { args.inspect }
+
+        cmd = args[0]
+        params = framework.request_params
+        return if params.nil? || params == {}
+        Sqreen.log.debug { 'Searching injection in:' }
+        Sqreen.log.debug { 'command: ' + cmd }
+        Sqreen.log.debug { 'params: ' + params.inspect }
+
+        # FIXME: Handle IFS coming from spawn/exec/system ENV argument
+        inj = Sqreen::Detect::ShellInjection.new
+        shi = inj.user_escape?(cmd, params)
+        Sqreen.log.warn { "presence of a shell injection: #{shi}" }
+        return unless shi
+        infos = { :sh_cmd => cmd }
+        record_event(infos)
+        { :status => :raise }
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/shell_env.rb

@@ -0,0 +1,32 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks/regexp_rule'
+
+module Sqreen
+  module Rules
+    # Callback that detect nifty env in system calls
+    class ShellEnvCB < RegexpRuleCB
+      def pre(_inst, *args, &_block)
+        return if args.size == 0
+        env = args.first
+        return unless env.is_a?(Hash)
+        return if env.size == 0
+        found = nil
+        var, value = env.find do |_, val|
+          next unless val.is_a?(String)
+          found = match_regexp(val)
+        end
+        return unless var
+        infos = {
+          :variable_name => var,
+          :variable_value => value,
+          :found => found,
+        }
+        Sqreen.log.warn "presence of a shell env tampering: #{infos.inspect}"
+        record_event(infos)
+        { :status => :raise }
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/sql.rb

@@ -0,0 +1,41 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+require 'sqreen/detect'
+
+module Sqreen
+  module Rules
+    # Look for SQL injections
+    class SQLCB < RuleCB
+      def pre(inst, *args, &_block)
+        Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
+        Sqreen.log.debug { args.inspect }
+
+        request = args[0]
+        params = framework.request_params
+        return if params.nil? || params == {}
+        Sqreen.log.debug { 'Searching injection in:' }
+        Sqreen.log.debug { 'request: ' + request }
+        Sqreen.log.debug { 'params: ' + params.inspect }
+
+        db_type, db_infos = framework.db_settings(:connection_adapter => inst)
+        if db_type.nil?
+          Sqreen.log.debug { "Database '#{db_infos[:name]}' not supported yet" }
+          return
+        end
+        inj = Sqreen::Detect::SQLInjection.new(db_type, db_infos)
+        sqli = inj.user_escape?(request, params)
+        Sqreen.log.info { "presence of an SQLi: #{sqli}" }
+        return unless sqli
+        infos = {
+          :db_request => request,
+          :db_type => db_type,
+          :db_infos => db_infos,
+        }
+        record_event(infos)
+        { :status => :raise }
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/system_shell.rb

@@ -0,0 +1,25 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks/shell'
+
+module Sqreen
+  module Rules
+    # Look for Shell injections in system like calls
+    class SystemShellCB < ShellCB
+      alias initial_pre pre
+      def pre(inst, *args, &block)
+        return if args.size == 0
+        cmd = args[0]
+        if cmd.is_a?(Hash)
+          # skip optional env arguments
+          return unless args.size > 1
+          cmd = args[1]
+        end
+        # skip [cmd, argv0] arguments
+        return if cmd.is_a?(Array)
+        initial_pre(inst, cmd, &block)
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/url_matches.rb

@@ -0,0 +1,25 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks/regexp_rule'
+
+module Sqreen
+  module Rules
+    # FIXME: Tune this as Rack capable callback?
+    # If:
+    #  - we have a 404
+    #  - the path is a typical bot scanning request
+    # Then we deny the ressource and record the attack.
+    class URLMatchesCB < RegexpRuleCB
+      def post(rv, _inst, *args, &_block)
+        return unless rv.is_a?(Array) && rv.size > 0 && rv[0] == 404
+        env = args[0]
+        path = env['SCRIPT_NAME'].to_s + env['PATH_INFO'].to_s
+        found = match_regexp(path)
+        infos = { :path => path, :found => found }
+        record_event(infos) if found
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/user_agent_matches.rb

@@ -0,0 +1,22 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks/regexp_rule'
+
+module Sqreen
+  module Rules
+    # Look for badly behaved clients
+    class UserAgentMatchesCB < RegexpRuleCB
+      def pre(_inst, *_args, &_block)
+        ua = framework.client_user_agent
+        return unless ua
+        found = match_regexp(ua)
+        return unless found
+        Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
+        infos = { :found => found }
+        record_event(infos)
+        { :status => :raise, :data => found }
+      end
+    end
+  end
+end

data/lib/sqreen/rules_signature.rb

@@ -0,0 +1,142 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks'
+require 'sqreen/exception'
+
+require 'set'
+require 'openssl'
+require 'base64'
+require 'json'
+
+## Rules signature
+module Sqreen
+  # Perform an EC + digest verification of a message.
+  class SignatureVerifier
+    def initialize(key, digest)
+      @pub_key              = OpenSSL::PKey.read(key)
+      @digest               = digest
+    end
+
+    def verify(sig, val)
+      hashed_val = @digest.digest(val)
+      @pub_key.dsa_verify_asn1(hashed_val, sig)
+    end
+  end
+
+  # Normalize and verify a rule
+  class SqreenSignedVerifier
+    REQUIRED_SIGNED_KEYS = %w(hookpoint name callbacks conditions).freeze
+    SIGNATURE_KEY        = 'signature'.freeze
+    SIGNATURE_VALUE_KEY  = 'value'.freeze
+    SIGNED_KEYS_KEY      = 'signed_keys'.freeze
+    SIGNATURE_VERSION    = 'v0_9'.freeze
+    PUBLIC_KEY           = <<-END.gsub(/^ */, '').freeze
+    -----BEGIN PUBLIC KEY-----
+    MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA39oWMHR8sxb9LRaM5evZ7mw03iwJ
+    WNHuDeGqgPo1HmvuMfLnAyVLwaMXpGPuvbqhC1U65PG90bTJLpvNokQf0VMA5Tpi
+    m+NXwl7bjqa03vO/HErLbq3zBRysrZnC4OhJOF1jazkAg0psQOea2r5HcMcPHgMK
+    fnWXiKWnZX+uOWPuerE=
+    -----END PUBLIC KEY-----
+    END
+
+    attr_accessor :pub_key
+    attr_accessor :required_signed_keys
+    attr_accessor :digest
+
+    def initialize(required_keys = REQUIRED_SIGNED_KEYS,
+                   public_key    = PUBLIC_KEY,
+                   digest        = OpenSSL::Digest::SHA512.new)
+      @required_signed_keys = required_keys
+      @signature_verifier   = SignatureVerifier.new(public_key, digest)
+    end
+
+    def normalize_val(val, level)
+      raise Sqreen::Exception, 'recursion level too deep' if level == 0
+
+      case val
+      when Hash
+        normalize(val, nil, level - 1)
+      when Array
+        ary = val.map do |i|
+          normalize_val(i, level - 1)
+        end
+        "[#{ary.join(',')}]"
+      when String, Integer
+        JSON.dump(val)
+      else
+        msg = "JSON hash parsing error (wrong value type: #{val.class})"
+        raise Sqreen::Exception.new, msg
+      end
+    end
+
+    def normalize_key(key)
+      case key
+      when String, Integer
+        JSON.dump(key)
+      else
+        msg = "JSON hash parsing error (wrong key type: #{key.class})"
+        raise Sqreen::Exception, msg
+      end
+    end
+
+    def normalize(hash_rule, signed_keys = nil, level = 20)
+      # Normalize the provided hash to a string:
+      #  - sort keys lexicographically, recursively
+      #  - convert each scalar to its JSON representation
+      #  - convert hash to '{key:value}'
+      #  - convert array [v1,v2] to '[v1,v2]' and [] to '[]'
+      # Two hash with different key ordering should have the same normalized
+      # value.
+
+      raise Sqreen::Exception, 'recursion level too deep' if level == 0
+      unless hash_rule.is_a?(Hash)
+        raise Sqreen::Exception, "wrong hash type #{hash_rule.class}"
+      end
+
+      res = []
+      hash_rule.sort.each do |k, v|
+        # Only keep signed keys
+        next if signed_keys && !signed_keys.include?(k)
+
+        k = normalize_key(k)
+        v = normalize_val(v, level - 1)
+
+        res << "#{k}:#{v}"
+      end
+      "{#{res.join(',')}}"
+    end
+
+    def get_sig_infos_or_fail(hash_rule)
+      raise Sqreen::Exception, 'non hash argument' unless hash_rule.is_a?(Hash)
+
+      sigs = hash_rule[SIGNATURE_KEY]
+      raise Sqreen::Exception, 'no signature found' unless sigs
+
+      sig = sigs[SIGNATURE_VERSION]
+      msg = "signature #{SIGNATURE_VERSION} not found"
+      raise Sqreen::Exception, msg unless sig
+
+      sig_value = sig[SIGNATURE_VALUE_KEY]
+      raise Sqreen::Exception, 'no signature value found' unless sig_value
+
+      signed_keys = sig[SIGNED_KEYS_KEY]
+      raise Sqreen::Exception, 'no signed keys found' unless signed_keys
+
+      inc = Set.new(signed_keys).superset?(Set.new(@required_signed_keys))
+      raise Sqreen::Exception, 'signed keys miss equired keys' unless inc
+
+      [signed_keys, sig_value]
+    end
+
+    def verify(hash_rule)
+      signed_keys, sig_value = get_sig_infos_or_fail(hash_rule)
+
+      norm_str = normalize(hash_rule, signed_keys)
+      bin_sig = Base64.decode64(sig_value)
+      @signature_verifier.verify(bin_sig, norm_str)
+    rescue OpenSSL::PKey::ECError
+      false
+    end
+  end
+end