RubyGems - sqreen - Versions diffs - 0.1.0.pre → 0.7.01461158029 - Mend

sqreen 0.1.0.pre → 0.7.01461158029

Files changed (75) hide show

checksums.yaml +4 -4
data/CODE_OF_CONDUCT.md +22 -0
data/README.md +77 -0
data/Rakefile +40 -0
data/lib/sqreen.rb +67 -0
data/lib/sqreen/binding_accessor.rb +184 -0
data/lib/sqreen/ca.crt +72 -0
data/lib/sqreen/callback_tree.rb +78 -0
data/lib/sqreen/callbacks.rb +120 -0
data/lib/sqreen/capped_queue.rb +23 -0
data/lib/sqreen/condition_evaluator.rb +169 -0
data/lib/sqreen/conditionable.rb +50 -0
data/lib/sqreen/configuration.rb +151 -0
data/lib/sqreen/context.rb +22 -0
data/lib/sqreen/deliveries/batch.rb +80 -0
data/lib/sqreen/deliveries/simple.rb +36 -0
data/lib/sqreen/detect.rb +14 -0
data/lib/sqreen/detect/shell_injection.rb +61 -0
data/lib/sqreen/detect/sql_injection.rb +115 -0
data/lib/sqreen/event.rb +16 -0
data/lib/sqreen/events/attack.rb +60 -0
data/lib/sqreen/events/remote_exception.rb +53 -0
data/lib/sqreen/exception.rb +31 -0
data/lib/sqreen/frameworks.rb +40 -0
data/lib/sqreen/frameworks/generic.rb +243 -0
data/lib/sqreen/frameworks/rails.rb +155 -0
data/lib/sqreen/frameworks/rails3.rb +36 -0
data/lib/sqreen/frameworks/sinatra.rb +34 -0
data/lib/sqreen/frameworks/sqreen_test.rb +26 -0
data/lib/sqreen/instrumentation.rb +504 -0
data/lib/sqreen/log.rb +116 -0
data/lib/sqreen/metrics.rb +6 -0
data/lib/sqreen/metrics/average.rb +39 -0
data/lib/sqreen/metrics/base.rb +41 -0
data/lib/sqreen/metrics/collect.rb +22 -0
data/lib/sqreen/metrics/sum.rb +20 -0
data/lib/sqreen/metrics_store.rb +94 -0
data/lib/sqreen/parsers/sql.rb +98 -0
data/lib/sqreen/parsers/sql_tokenizer.rb +266 -0
data/lib/sqreen/parsers/unix.rb +110 -0
data/lib/sqreen/payload_creator.rb +132 -0
data/lib/sqreen/performance_notifications.rb +86 -0
data/lib/sqreen/performance_notifications/log.rb +36 -0
data/lib/sqreen/performance_notifications/metrics.rb +36 -0
data/lib/sqreen/performance_notifications/newrelic.rb +36 -0
data/lib/sqreen/remote_command.rb +82 -0
data/lib/sqreen/rule_attributes.rb +25 -0
data/lib/sqreen/rule_callback.rb +97 -0
data/lib/sqreen/rules.rb +116 -0
data/lib/sqreen/rules_callbacks.rb +29 -0
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +79 -0
data/lib/sqreen/rules_callbacks/count_http_codes.rb +18 -0
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +24 -0
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +25 -0
data/lib/sqreen/rules_callbacks/execjs.rb +136 -0
data/lib/sqreen/rules_callbacks/headers_insert.rb +20 -0
data/lib/sqreen/rules_callbacks/inspect_rule.rb +20 -0
data/lib/sqreen/rules_callbacks/matcher_rule.rb +103 -0
data/lib/sqreen/rules_callbacks/rails_parameters.rb +14 -0
data/lib/sqreen/rules_callbacks/record_request_context.rb +23 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +40 -0
data/lib/sqreen/rules_callbacks/regexp_rule.rb +36 -0
data/lib/sqreen/rules_callbacks/shell.rb +33 -0
data/lib/sqreen/rules_callbacks/shell_env.rb +32 -0
data/lib/sqreen/rules_callbacks/sql.rb +41 -0
data/lib/sqreen/rules_callbacks/system_shell.rb +25 -0
data/lib/sqreen/rules_callbacks/url_matches.rb +25 -0
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +22 -0
data/lib/sqreen/rules_signature.rb +142 -0
data/lib/sqreen/runner.rb +312 -0
data/lib/sqreen/runtime_infos.rb +127 -0
data/lib/sqreen/session.rb +340 -0
data/lib/sqreen/stats.rb +18 -0
data/lib/sqreen/version.rb +6 -0
metadata +95 -34

data/lib/sqreen/context.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+module Sqreen
+  # Context
+  class Context
+    attr_accessor :bt
+    def initialize
+      @bt = get_current_backtrace
+    end
+    def get_current_backtrace
+      # Force caller to be resolved now
+      caller.map(&:to_s)
+    end
+    def ==(other)
+      other.bt == @bt
+    end
+  end
+end

data/lib/sqreen/deliveries/batch.rb ADDED Viewed

@@ -0,0 +1,80 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/deliveries/simple'
+require 'sqreen/events/remote_exception'
+module Sqreen
+  module Deliveries
+    # Simple delivery method that batch event already seen in a batch
+    class Batch < Simple
+      attr_accessor :max_batch, :max_staleness
+      attr_accessor :current_batch
+      def initialize(session,
+                     max_batch,
+                     max_staleness,
+                     randomize_staleness = true)
+        super(session)
+        self.max_batch = max_batch
+        self.max_staleness = max_staleness
+        @original_max_staleness = max_staleness
+        self.current_batch = []
+        @first_seen = {}
+        @randomize_staleness = randomize_staleness
+      end
+      def post_event(event)
+        current_batch.push(event)
+        post_batch if post_batch_needed?(event)
+      end
+      def drain
+        post_batch
+      end
+      def tick
+        post_batch if current_batch.size > 0 && stale?
+      end
+      protected
+      def stale?
+        min = @first_seen.values.min
+        (min + max_staleness) < Time.now
+      end
+      def post_batch_needed?(event)
+        key = event_key(event)
+        was = @first_seen[key]
+        now = Time.now
+        @first_seen[key] ||= now
+        return true if was.nil?
+        return true if current_batch.size > max_batch
+        return true if (was + max_staleness) < now
+        false
+      end
+      def post_batch
+        session.post_batch(current_batch)
+        current_batch.clear
+        now = Time.now
+        @first_seen.each_key do |key|
+          @first_seen[key] = now
+        end
+        return unless @randomize_staleness
+        self.max_staleness = @original_max_staleness
+        # Adds up to 10% of lateness
+        self.max_staleness += rand(@original_max_staleness / 10)
+      end
+      def event_key(event)
+        case event
+        when Sqreen::Attack
+          return "att-#{event.type}"
+        when Sqreen::RemoteException
+          return "rex-#{event.klass}"
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/deliveries/simple.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/events/remote_exception'
+module Sqreen
+  module Deliveries
+    # Simple delivery method that directly call session on event
+    class Simple
+      attr_accessor :session
+      def initialize(session)
+        self.session = session
+      end
+      def post_event(event)
+        case event
+        when Sqreen::Attack
+          session.post_attack(event)
+        when Sqreen::RemoteException
+          session.post_sqreen_exception(event)
+        else
+          session.post_event(event)
+        end
+      end
+      def drain
+        # Since everything is posted at once nothing needs to be done here
+      end
+      def tick
+        # Since everything is posted at once nothing needs to be done here
+      end
+    end
+  end
+end

data/lib/sqreen/detect.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/detect/sql_injection'
+require 'sqreen/detect/shell_injection'
+module Sqreen
+  module Detect
+    def sql_injection?(request, params, db_type, db_infos = {})
+      inj = SQLInjection.new(db_type, db_infos)
+      inj.user_escape?(request, params)
+    end
+  end
+end

data/lib/sqreen/detect/shell_injection.rb ADDED Viewed

@@ -0,0 +1,61 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/parsers/unix'
+module Sqreen
+  module Detect
+    # Detector class for shell injections
+    # Find instance of user parameters injections into executable commands
+    # It work by:
+    #  1 - Highlighting the cmd for executable sections
+    #  2 - Highlighting the cmd for traces of user parameters
+    #  3 - Comparing if there is any intersection
+    class ShellInjection
+      def initialize
+        @parser = Sqreen::Parsers::Unix.new
+      end
+      # Is there a user injection in cmd
+      # @param cmd [String] command to analyze
+      # @param params [Hash] Hash of user parameters
+      def user_escape?(cmd, params)
+        Sqreen.log.info format('escape? %s', [cmd, params].inspect)
+        # We found the user query inside the cmd. A risk exists.
+        @parser.parse(cmd)
+        execs = @parser.atoms.select(&:executable?)
+        each_param_scalar(params) do |v|
+          next unless v
+          value = v.to_s
+          next unless value.size > 0
+          offset = 0
+          loop do
+            match_start = cmd.index(value, offset)
+            break if match_start.nil?
+            match_end = match_start + value.size
+            offset = match_end
+            covered = execs.any? do |exec|
+              match_end >= exec.start && match_start < exec.end
+            end
+            next unless covered
+            Sqreen.log.info format('injection for parameter %s', value.inspect)
+            return true
+          end
+        end
+        false
+      end
+      # FIXME: deduplicate code
+      def each_param_scalar(params, &block)
+        case params
+        when Hash  then params.each { |_k, v| each_param_scalar(v, &block) }
+        when Array then params.each { |v| each_param_scalar(v, &block) }
+        else
+          yield params
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/detect/sql_injection.rb ADDED Viewed

@@ -0,0 +1,115 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/parsers/sql'
+require 'strscan'
+module Sqreen
+  module Detect
+    class SQLInjection
+      PARAM_SIZE_LIMIT = 0
+      def self.parser(db_type, db_infos)
+        @parsers ||= {}
+        res = nil
+        results = @parsers[db_type]
+        res = results.find { |infos, _| infos == db_infos } unless results.nil?
+        return res.last unless res.nil?
+        @parsers[db_type] ||= []
+        parser = Sqreen::Parsers::SQL.new(db_type, db_infos)
+        @parsers[db_type] << [db_infos, parser]
+        parser
+      end
+      attr_accessor :db_type, :db_infos
+      def initialize(db_type, db_infos)
+        @db_type = db_type
+        @db_infos = db_infos
+        @parser = SQLInjection.parser(db_type, db_infos)
+      end
+      # FIXME: we are likely to find false postive
+      # As is, high risk of false positive with extremely short parameters.
+      # E.g. if parameter value is 'e', it will be found in request, (e in
+      # select) but not in literals.
+      #
+      # We may want to skip:
+      #  - too short parameters (e.g. < 10 letters?)
+      #  - non suspicious parameters (e.g. without blanks or comments?)
+      def user_escape?(request, params)
+        included = count_user_params_in_request(request, params)
+        return false if included == {}
+        escape_found = false
+        # We found the user query inside the request. A risk exists.
+        @parser.parse(request)
+        literals = @parser.atoms.select(&:is_literal?)
+        included.each do |param, expected_count|
+          param_count = 0
+          literals.each do |literal|
+            # Count number of literals that fully include the user query
+            param_count += count_substring_nb(literal.val, param)
+          end
+          # puts "%s in raw request: %d, in atoms: %d" % [param, expected_count, param_count]
+          next unless param_count != expected_count
+          Sqreen.log.info format('injection for parameter %s', param.inspect)
+          # require request aborption
+          # log attack
+          escape_found = true
+        end
+        escape_found
+      end
+      # What if a string can be prefixed itself?
+      # E.g. substr = 'a b c a b c'
+      # If str = 'a b c a b c a b c' we will return 2:
+      #           \----1----/
+      #                 \----2----/
+      def count_substring_nb(str, substr)
+        s = StringScanner.new(str)
+        nb = 0
+        quote = Regexp.quote(substr)
+        re = Regexp.new(quote)
+        nb += 1 while s.search_full(re, true, false)
+        nb
+      end
+      def each_param_scalar(params, &block)
+        case params
+        when Hash  then params.each { |_k, v| each_param_scalar(v, &block) }
+        when Array then params.each { |v| each_param_scalar(v, &block) }
+        else
+          yield params
+        end
+      end
+      # FIXME: this work on params values. We might wnat to work on parameters
+      # names? High risk of false positive since a parameter name is often the
+      # database column name.
+      def count_user_params_in_request(request, params_hash)
+        res = {}
+        params_hash.each do |_type, params|
+          next if params.nil?
+          each_param_scalar(params) do |value|
+            next unless value
+            v = value.to_s
+            next if v.size <= PARAM_SIZE_LIMIT
+            next if v =~ /\A\.+\z/
+            next if v =~ /\A\s+\z/
+            next if v =~ /\A(\w+|\w[\w\.]+\w)\z/i
+            # We need to overwrite the count of equal parameters that
+            # came from different ways (e.g. Cookie and query).
+            next if res.key? v
+            nb = count_substring_nb(request, v)
+            res[v] = nb if nb > 0
+          end
+        end
+        res
+      end
+    end
+  end
+end

data/lib/sqreen/event.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+module Sqreen
+  # Master interface for point in time events (e.g. Attack, RemoteException)
+  class Event
+    attr_reader :payload
+    def initialize(payload)
+      @payload = payload
+    end
+    def to_hash
+      payload.to_hash
+    end
+  end
+end

data/lib/sqreen/events/attack.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/event'
+module Sqreen
+  # Attack
+  # When creating a new attack, it gets automatically pushed to the event's
+  # queue.
+  class Attack < Event
+    def self.record(payload)
+      attack = Attack.new(payload)
+      attack.enqueue
+    end
+    def infos
+      payload['infos']
+    end
+    def rulespack_id
+      return nil unless payload['rule']
+      payload['rule']['rulespack_id']
+    end
+    def type
+      return nil unless payload['rule']
+      payload['rule']['name']
+    end
+    def time
+      return nil unless payload['local']
+      payload['local']['time'].to_s
+    end
+    def backtrace
+      return nil unless payload['context']
+      payload['context']['backtrace']
+    end
+    def enqueue
+      Sqreen.queue.push(self)
+    end
+    def to_hash
+      res = {}
+      rule_p = payload['rule']
+      request_p = payload['request']
+      res[:rule_name]    = rule_p['name']         if rule_p && rule_p['name']
+      res[:rulespack_id] = rule_p['rulespack_id'] if rule_p && rule_p['rulespack_id']
+      res[:test]         = rule_p['test']         if rule_p && rule_p['test']
+      res[:infos]        = payload['infos']       if payload['infos']
+      res[:time]         = time                   if time
+      res[:client_ip]    = request_p[:addr]       if request_p && request_p[:addr]
+      res[:request]      = request_p              if request_p
+      res[:params]       = payload['params']      if payload['params']
+      res[:context]      = payload['context']     if payload['context']
+      res
+    end
+  end
+end

data/lib/sqreen/events/remote_exception.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'json'
+require 'sqreen/event'
+module Sqreen
+  # When an exception arise it is automatically pushed to the event queue
+  class RemoteException < Sqreen::Event
+    def self.record(payload_or_exception)
+      exception = RemoteException.new(payload_or_exception)
+      exception.enqueue
+    end
+    def initialize(payload_or_exception)
+      payload = if payload_or_exception.is_a?(Hash)
+                  payload_or_exception
+                else
+                  { 'exception' => payload_or_exception }
+                end
+      super(payload)
+    end
+    def enqueue
+      Sqreen.queue.push(self)
+    end
+    def klass
+      payload['exception'].class.name
+    end
+    def to_hash
+      exception = payload['exception']
+      ev = {
+        :klass => exception.class.name,
+        :message => exception.message,
+        :params => payload['request_params'],
+        :time => payload['time'],
+        :infos => {
+          :client_ip => payload['client_ip'],
+        },
+        :request => payload['request_infos'],
+        :rule_name => payload['rule_name'],
+        :rulespack_id => payload['rulespack_id'],
+      }
+      ev[:infos].merge!(payload['infos']) if payload['infos']
+      return ev unless exception.backtrace
+      ev[:context] = { :backtrace => exception.backtrace.map(&:to_s) }
+      ev
+    end
+  end
+end