sqreen 0.1.0.pre → 0.7.01461158029

data/lib/sqreen/rules_callbacks.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks/regexp_rule'
+require 'sqreen/rules_callbacks/matcher_rule'
+
+require 'sqreen/rules_callbacks/record_request_context'
+require 'sqreen/rules_callbacks/rails_parameters'
+
+require 'sqreen/rules_callbacks/headers_insert'
+
+require 'sqreen/rules_callbacks/inspect_rule'
+
+require 'sqreen/rules_callbacks/shell'
+require 'sqreen/rules_callbacks/system_shell'
+require 'sqreen/rules_callbacks/shell_env'
+
+require 'sqreen/rules_callbacks/sql'
+
+require 'sqreen/rules_callbacks/url_matches'
+require 'sqreen/rules_callbacks/user_agent_matches'
+require 'sqreen/rules_callbacks/crawler_user_agent_matches'
+
+require 'sqreen/rules_callbacks/reflected_xss'
+require 'sqreen/rules_callbacks/execjs'
+
+require 'sqreen/rules_callbacks/binding_accessor_metrics'
+require 'sqreen/rules_callbacks/count_http_codes'
+require 'sqreen/rules_callbacks/crawler_user_agent_matches_metrics'

data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb

@@ -0,0 +1,79 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+require 'sqreen/binding_accessor'
+require 'sqreen/events/remote_exception'
+
+module Sqreen
+  module Rules
+    # Publish metrics about data taken from the binding accessor
+    class BindingAccessorMetrics < RuleCB
+      # Exception thrown when no expression are present
+      class NoExpressions < Sqreen::Exception
+        def initialize(expr)
+          super("No valid expressions defined in #{expr.inspect}")
+        end
+      end
+
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        @expr = {}
+        build_expressions(rule_hash[Attrs::CALLBACKS])
+      end
+
+      PRE_CB = 'pre'.freeze
+      POST_CB = 'post'.freeze
+      FAILING_CB = 'failing'.freeze
+
+      def pre?
+        @expr[PRE_CB]
+      end
+
+      def post?
+        @expr[POST_CB]
+      end
+
+      def failing?
+        @expr[FAILING_CB]
+      end
+
+      def pre(inst, *args, &_block)
+        return unless pre?
+
+        add_metrics(PRE_CB, inst, args)
+      end
+
+      def post(rv, inst, *args, &_block)
+        return unless post?
+
+        add_metrics(POST_CB, inst, args, rv)
+      end
+
+      def failing(exception, inst, *args, &_block)
+        return unless failing?
+
+        add_metrics(FAILING_CB, inst, args, exception)
+      end
+
+      protected
+
+      def add_metrics(name, inst, args, rv = nil)
+        category, key, value, = @expr[name].map do |accessor|
+          accessor.resolve(binding, framework, inst, args, @data, rv)
+        end
+        record_observation(category, key, value)
+        nil
+      end
+
+      def build_expressions(callbacks)
+        raise NoExpressions, callbacks if callbacks.nil? || callbacks.empty?
+        [PRE_CB, POST_CB, FAILING_CB].each do |c|
+          next if callbacks[c].nil? || callbacks[c].size < 3
+          @expr[c] = callbacks[c].map { |req| BindingAccessor.new(req, true) }
+        end
+        raise NoExpressions, callbacks if @expr.empty?
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/count_http_codes.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+
+module Sqreen
+  module Rules
+    # Save request context for handling further down
+    class CountHTTPCodes < RuleCB
+      METRIC_CATEGORY = 'http_code'.freeze
+      def post(rv, _inst, *_args, &_block)
+        return unless rv.is_a?(Array) && !rv.empty?
+        record_observation(METRIC_CATEGORY, rv[0], 1)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/frameworks'
+
+module Sqreen
+  module Rules
+    # FIXME: Factor with UserAgentMatchesCB
+    # Look for crawlers
+    class CrawlerUserAgentMatchesCB < MatcherRuleCB
+      def pre(_inst, *_args, &_block)
+        ua = framework.client_user_agent
+        return unless ua
+        found = match(ua)
+        return unless found
+        Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
+        infos = { :found => found }
+        record_event(infos)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb

@@ -0,0 +1,25 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/frameworks'
+
+module Sqreen
+  module Rules
+    # Look for crawlers and post them in metrics
+    class CrawlerUserAgentMatchesMetricsCB < MatcherRuleCB
+      CRAWLER_CATEGORY = 'crawler'.freeze
+
+      def pre(_inst, *_args, &_block)
+        ua = framework.client_user_agent
+        return unless ua
+        ua = ua.freeze
+        found = match(ua)
+        return unless found
+        Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
+        record_observation(CRAWLER_CATEGORY, ua, 1)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/execjs.rb

@@ -0,0 +1,136 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+if defined?(::JRUBY_VERSION)
+  require 'rhino'
+else
+  require 'therubyracer'
+end
+
+require 'execjs'
+
+require 'sqreen/rule_callback'
+require 'sqreen/binding_accessor'
+require 'sqreen/events/remote_exception'
+
+module Sqreen
+  module Rules
+    # Exec js callbacks
+    class ExecJSCB < RuleCB
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        callbacks = @rule['callbacks']
+
+        if callbacks['pre'].nil? &&
+           callbacks['post'].nil? &&
+           callbacks['failing'].nil?
+          raise(Sqreen::Exception, 'no JS CB provided')
+        end
+
+        build_runnable(callbacks)
+        @compiled = ExecJS.compile(@source)
+      end
+
+      def pre?
+        @js_pre
+      end
+
+      def post?
+        @js_post
+      end
+
+      def failing?
+        @js_failing
+      end
+
+      def pre(inst, *args, &_block)
+        return unless pre?
+
+        call_callback('pre', inst, args)
+      end
+
+      def post(rv, inst, *args, &_block)
+        return unless post?
+
+        call_callback('post', inst, args, rv)
+      end
+
+      def failing(rv, inst, *args, &_block)
+        return unless failing?
+
+        call_callback('failing', inst, args, rv)
+      end
+
+      protected
+
+      def record_and_continue?(ret)
+        case ret
+        when NilClass
+          return false
+        when Hash
+          ret.keys.each do |k|
+            ret[(begin
+                                     k.to_sym
+                                   rescue
+                                     k
+                                   end)] = ret[k] end
+          record_event(ret[:record]) unless ret[:record].nil?
+          return !ret[:call].nil?
+        else
+          raise Sqreen::Exception, "Invalid return type #{ret.inspect}"
+        end
+      end
+
+      def call_callback(name, inst, args, rv = nil)
+        ret = nil
+        args_override = nil
+        arguments = nil
+        loop do
+          arguments = (args_override || @argument_requirements[name]).map do |accessor|
+            accessor.resolve(binding, framework, inst, args, @data, rv)
+          end
+          Sqreen.log.debug { [name, arguments].inspect }
+          ret = @compiled.call("callbacks.#{name}", *arguments)
+          return ret unless record_and_continue?(ret)
+          name = ret[:call]
+          rv = ret[:data]
+          args_override = ret[:args]
+          args_override = build_accessor(args_override) if args_override
+        end
+      rescue => e
+        Sqreen.log.error "we catch a JScb exception: #{e.inspect}"
+        Sqreen.log.error e.backtrace
+        record_exception(e, :cb => name, :args => arguments)
+        nil
+      end
+
+      def build_accessor(reqs)
+        reqs.map do |req|
+          BindingAccessor.new(req, true)
+        end
+      end
+
+      def build_runnable(callbacks)
+        @argument_requirements = {}
+        @source = 'var callbacks = {'
+        @js_pre = !callbacks['pre'].nil?
+        @js_post = !callbacks['post'].nil?
+        @js_failing = !callbacks['failing'].nil?
+        callbacks.each do |name, args_or_func|
+          @source << name
+          @source << ': '
+          if args_or_func.is_a?(Array)
+            @source << args_or_func.pop
+            @argument_requirements[name] = build_accessor(args_or_func)
+          else
+            @source << args_or_func
+            @argument_requirements[name] = []
+          end
+          @source << ",\n"
+        end
+        @source << "\n"
+        @source << '}'
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/headers_insert.rb

@@ -0,0 +1,20 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+
+module Sqreen
+  module Rules
+    SQREEN_HEADER_NAME = 'X-Protected-By'.freeze
+    SQREEN_HEADER_VALUE = 'Sqreen'.freeze
+
+    # Display sqreen presence
+    class HeadersInsertCB < RuleCB
+      def post(rv, _inst, *_args, &_block)
+        return unless rv && rv.respond_to?(:[]) && rv[1].is_a?(Hash)
+        rv[1][SQREEN_HEADER_NAME] = SQREEN_HEADER_VALUE
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/inspect_rule.rb

@@ -0,0 +1,20 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+
+module Sqreen
+  module Rules
+    class InspectRuleCB < RuleCB
+      def pre(_inst, *args, &_block)
+        Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
+        Sqreen.log.debug { args.join ' ' }
+      end
+
+      def post(_rv, _inst, *_args, &_block)
+        Sqreen.log.debug { ">> #{@klass} #{@method} #{Thread.current}" }
+        byebug if defined? byebug and @data.is_a?(Hash) and @data[:break] == 1
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/matcher_rule.rb

@@ -0,0 +1,103 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+
+module Sqreen
+  module Rules
+    # A configurable matcher rule
+    class MatcherRuleCB < RuleCB
+      def initialize(*args)
+        super(*args)
+        prepare
+      end
+
+      def self.prepare_re_pattern(value, options, case_sensitive)
+        res = 0
+        res |= Regexp::MULTILINE  if options.include?('multiline')
+        res |= Regexp::IGNORECASE unless case_sensitive
+        Regexp.compile(value, res)
+      end
+
+      def prepare
+        @string = {}
+        @regex_patterns = []
+
+        patterns = @data['values']
+        if patterns.nil?
+          msg = "no key 'values' in data (had #{@data.keys})"
+          raise Sqreen::Exception, msg
+        end
+
+        @funs = {
+          'anywhere'    => lambda { |value, str| str.include?(value)    },
+          'starts_with' => lambda { |value, str| str.start_with?(value) },
+          'ends_with'   => lambda { |value, str| str.end_with?(value)   },
+          'equals'      => lambda { |value, str| str == value           },
+        }
+
+        patterns.each do |entry|
+          next unless entry
+          type = entry['type']
+          val = entry['value']
+          opts = entry['options']
+          opt = (opts && opts.first && opts.first != '') ? opts.first : 'anywhere'
+          case_sensitive = entry['case_sensitive'] || false
+          case type
+          when 'string'
+            if case_sensitive
+              case_type = :cs
+            else
+              case_type = :ci
+              val = val.downcase
+            end
+
+            unless @funs.keys.include?(opt)
+              Sqreen.log.debug { "Error: unknown string option '#{opt}' " }
+              next
+            end
+            @string[opt] = { :ci => [], :cs => [] } unless @string.key?(opt)
+            @string[opt][case_type] << val
+
+          when 'regex'
+            pattern = MatcherRuleCB.prepare_re_pattern(val, opt, case_sensitive)
+            next unless pattern
+            @regex_patterns << pattern
+          end
+        end
+
+        if [@regex_patterns, @string].map { |s| s == 0 }.all?
+          msg = "no key 'regex' nor 'match' in data (had #{@data.keys})"
+          raise Sqreen::Exception, msg
+        end
+      end
+
+      def match(str)
+        return if str.nil? || str.empty?
+        istr = str.downcase
+
+        @string.each do |type, cases|
+          fun = @funs[type]
+          if fun.nil?
+            Sqreen.log.debug { "no matching function found for type #{type}" }
+          end
+          cases.each do |case_type, patterns|
+            input_str = if case_type == :ci
+                          istr
+                        else
+                          str
+                        end
+            patterns.each do |pat|
+              return pat if fun.call(pat, input_str)
+            end
+          end
+        end
+
+        @regex_patterns.each do |p|
+          return p if p.match(str)
+        end
+        nil
+      end
+    end
+  end
+end