RubyGems - sqreen - Versions diffs - 0.7.01461158029-java - Mend

sqreen 0.7.01461158029-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

checksums.yaml +7 -0
data/CODE_OF_CONDUCT.md +22 -0
data/README.md +77 -0
data/Rakefile +40 -0
data/lib/sqreen.rb +67 -0
data/lib/sqreen/binding_accessor.rb +184 -0
data/lib/sqreen/ca.crt +72 -0
data/lib/sqreen/callback_tree.rb +78 -0
data/lib/sqreen/callbacks.rb +120 -0
data/lib/sqreen/capped_queue.rb +23 -0
data/lib/sqreen/condition_evaluator.rb +169 -0
data/lib/sqreen/conditionable.rb +50 -0
data/lib/sqreen/configuration.rb +151 -0
data/lib/sqreen/context.rb +22 -0
data/lib/sqreen/deliveries/batch.rb +80 -0
data/lib/sqreen/deliveries/simple.rb +36 -0
data/lib/sqreen/detect.rb +14 -0
data/lib/sqreen/detect/shell_injection.rb +61 -0
data/lib/sqreen/detect/sql_injection.rb +115 -0
data/lib/sqreen/event.rb +16 -0
data/lib/sqreen/events/attack.rb +60 -0
data/lib/sqreen/events/remote_exception.rb +53 -0
data/lib/sqreen/exception.rb +31 -0
data/lib/sqreen/frameworks.rb +40 -0
data/lib/sqreen/frameworks/generic.rb +243 -0
data/lib/sqreen/frameworks/rails.rb +155 -0
data/lib/sqreen/frameworks/rails3.rb +36 -0
data/lib/sqreen/frameworks/sinatra.rb +34 -0
data/lib/sqreen/frameworks/sqreen_test.rb +26 -0
data/lib/sqreen/instrumentation.rb +504 -0
data/lib/sqreen/log.rb +116 -0
data/lib/sqreen/metrics.rb +6 -0
data/lib/sqreen/metrics/average.rb +39 -0
data/lib/sqreen/metrics/base.rb +41 -0
data/lib/sqreen/metrics/collect.rb +22 -0
data/lib/sqreen/metrics/sum.rb +20 -0
data/lib/sqreen/metrics_store.rb +94 -0
data/lib/sqreen/parsers/sql.rb +98 -0
data/lib/sqreen/parsers/sql_tokenizer.rb +266 -0
data/lib/sqreen/parsers/unix.rb +110 -0
data/lib/sqreen/payload_creator.rb +132 -0
data/lib/sqreen/performance_notifications.rb +86 -0
data/lib/sqreen/performance_notifications/log.rb +36 -0
data/lib/sqreen/performance_notifications/metrics.rb +36 -0
data/lib/sqreen/performance_notifications/newrelic.rb +36 -0
data/lib/sqreen/remote_command.rb +82 -0
data/lib/sqreen/rule_attributes.rb +25 -0
data/lib/sqreen/rule_callback.rb +97 -0
data/lib/sqreen/rules.rb +116 -0
data/lib/sqreen/rules_callbacks.rb +29 -0
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +79 -0
data/lib/sqreen/rules_callbacks/count_http_codes.rb +18 -0
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +24 -0
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +25 -0
data/lib/sqreen/rules_callbacks/execjs.rb +136 -0
data/lib/sqreen/rules_callbacks/headers_insert.rb +20 -0
data/lib/sqreen/rules_callbacks/inspect_rule.rb +20 -0
data/lib/sqreen/rules_callbacks/matcher_rule.rb +103 -0
data/lib/sqreen/rules_callbacks/rails_parameters.rb +14 -0
data/lib/sqreen/rules_callbacks/record_request_context.rb +23 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +40 -0
data/lib/sqreen/rules_callbacks/regexp_rule.rb +36 -0
data/lib/sqreen/rules_callbacks/shell.rb +33 -0
data/lib/sqreen/rules_callbacks/shell_env.rb +32 -0
data/lib/sqreen/rules_callbacks/sql.rb +41 -0
data/lib/sqreen/rules_callbacks/system_shell.rb +25 -0
data/lib/sqreen/rules_callbacks/url_matches.rb +25 -0
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +22 -0
data/lib/sqreen/rules_signature.rb +142 -0
data/lib/sqreen/runner.rb +312 -0
data/lib/sqreen/runtime_infos.rb +127 -0
data/lib/sqreen/session.rb +340 -0
data/lib/sqreen/stats.rb +18 -0
data/lib/sqreen/version.rb +6 -0
metadata +143 -0

data/lib/sqreen/rules_callbacks.rb ADDED Viewed

@@ -0,0 +1,29 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rules_callbacks/regexp_rule'
+require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/rules_callbacks/record_request_context'
+require 'sqreen/rules_callbacks/rails_parameters'
+require 'sqreen/rules_callbacks/headers_insert'
+require 'sqreen/rules_callbacks/inspect_rule'
+require 'sqreen/rules_callbacks/shell'
+require 'sqreen/rules_callbacks/system_shell'
+require 'sqreen/rules_callbacks/shell_env'
+require 'sqreen/rules_callbacks/sql'
+require 'sqreen/rules_callbacks/url_matches'
+require 'sqreen/rules_callbacks/user_agent_matches'
+require 'sqreen/rules_callbacks/crawler_user_agent_matches'
+require 'sqreen/rules_callbacks/reflected_xss'
+require 'sqreen/rules_callbacks/execjs'
+require 'sqreen/rules_callbacks/binding_accessor_metrics'
+require 'sqreen/rules_callbacks/count_http_codes'
+require 'sqreen/rules_callbacks/crawler_user_agent_matches_metrics'

data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb ADDED Viewed

@@ -0,0 +1,79 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rule_callback'
+require 'sqreen/binding_accessor'
+require 'sqreen/events/remote_exception'
+module Sqreen
+  module Rules
+    # Publish metrics about data taken from the binding accessor
+    class BindingAccessorMetrics < RuleCB
+      # Exception thrown when no expression are present
+      class NoExpressions < Sqreen::Exception
+        def initialize(expr)
+          super("No valid expressions defined in #{expr.inspect}")
+        end
+      end
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        @expr = {}
+        build_expressions(rule_hash[Attrs::CALLBACKS])
+      end
+      PRE_CB = 'pre'.freeze
+      POST_CB = 'post'.freeze
+      FAILING_CB = 'failing'.freeze
+      def pre?
+        @expr[PRE_CB]
+      end
+      def post?
+        @expr[POST_CB]
+      end
+      def failing?
+        @expr[FAILING_CB]
+      end
+      def pre(inst, *args, &_block)
+        return unless pre?
+        add_metrics(PRE_CB, inst, args)
+      end
+      def post(rv, inst, *args, &_block)
+        return unless post?
+        add_metrics(POST_CB, inst, args, rv)
+      end
+      def failing(exception, inst, *args, &_block)
+        return unless failing?
+        add_metrics(FAILING_CB, inst, args, exception)
+      end
+      protected
+      def add_metrics(name, inst, args, rv = nil)
+        category, key, value, = @expr[name].map do |accessor|
+          accessor.resolve(binding, framework, inst, args, @data, rv)
+        end
+        record_observation(category, key, value)
+        nil
+      end
+      def build_expressions(callbacks)
+        raise NoExpressions, callbacks if callbacks.nil? || callbacks.empty?
+        [PRE_CB, POST_CB, FAILING_CB].each do |c|
+          next if callbacks[c].nil? || callbacks[c].size < 3
+          @expr[c] = callbacks[c].map { |req| BindingAccessor.new(req, true) }
+        end
+        raise NoExpressions, callbacks if @expr.empty?
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/count_http_codes.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rule_callback'
+module Sqreen
+  module Rules
+    # Save request context for handling further down
+    class CountHTTPCodes < RuleCB
+      METRIC_CATEGORY = 'http_code'.freeze
+      def post(rv, _inst, *_args, &_block)
+        return unless rv.is_a?(Array) && !rv.empty?
+        record_observation(METRIC_CATEGORY, rv[0], 1)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/frameworks'
+module Sqreen
+  module Rules
+    # FIXME: Factor with UserAgentMatchesCB
+    # Look for crawlers
+    class CrawlerUserAgentMatchesCB < MatcherRuleCB
+      def pre(_inst, *_args, &_block)
+        ua = framework.client_user_agent
+        return unless ua
+        found = match(ua)
+        return unless found
+        Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
+        infos = { :found => found }
+        record_event(infos)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/frameworks'
+module Sqreen
+  module Rules
+    # Look for crawlers and post them in metrics
+    class CrawlerUserAgentMatchesMetricsCB < MatcherRuleCB
+      CRAWLER_CATEGORY = 'crawler'.freeze
+      def pre(_inst, *_args, &_block)
+        ua = framework.client_user_agent
+        return unless ua
+        ua = ua.freeze
+        found = match(ua)
+        return unless found
+        Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
+        record_observation(CRAWLER_CATEGORY, ua, 1)
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/execjs.rb ADDED Viewed

@@ -0,0 +1,136 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+if defined?(::JRUBY_VERSION)
+  require 'rhino'
+else
+  require 'therubyracer'
+end
+require 'execjs'
+require 'sqreen/rule_callback'
+require 'sqreen/binding_accessor'
+require 'sqreen/events/remote_exception'
+module Sqreen
+  module Rules
+    # Exec js callbacks
+    class ExecJSCB < RuleCB
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        callbacks = @rule['callbacks']
+        if callbacks['pre'].nil? &&
+           callbacks['post'].nil? &&
+           callbacks['failing'].nil?
+          raise(Sqreen::Exception, 'no JS CB provided')
+        end
+        build_runnable(callbacks)
+        @compiled = ExecJS.compile(@source)
+      end
+      def pre?
+        @js_pre
+      end
+      def post?
+        @js_post
+      end
+      def failing?
+        @js_failing
+      end
+      def pre(inst, *args, &_block)
+        return unless pre?
+        call_callback('pre', inst, args)
+      end
+      def post(rv, inst, *args, &_block)
+        return unless post?
+        call_callback('post', inst, args, rv)
+      end
+      def failing(rv, inst, *args, &_block)
+        return unless failing?
+        call_callback('failing', inst, args, rv)
+      end
+      protected
+      def record_and_continue?(ret)
+        case ret
+        when NilClass
+          return false
+        when Hash
+          ret.keys.each do |k|
+            ret[(begin
+                                     k.to_sym
+                                   rescue
+                                     k
+                                   end)] = ret[k] end
+          record_event(ret[:record]) unless ret[:record].nil?
+          return !ret[:call].nil?
+        else
+          raise Sqreen::Exception, "Invalid return type #{ret.inspect}"
+        end
+      end
+      def call_callback(name, inst, args, rv = nil)
+        ret = nil
+        args_override = nil
+        arguments = nil
+        loop do
+          arguments = (args_override || @argument_requirements[name]).map do |accessor|
+            accessor.resolve(binding, framework, inst, args, @data, rv)
+          end
+          Sqreen.log.debug { [name, arguments].inspect }
+          ret = @compiled.call("callbacks.#{name}", *arguments)
+          return ret unless record_and_continue?(ret)
+          name = ret[:call]
+          rv = ret[:data]
+          args_override = ret[:args]
+          args_override = build_accessor(args_override) if args_override
+        end
+      rescue => e
+        Sqreen.log.error "we catch a JScb exception: #{e.inspect}"
+        Sqreen.log.error e.backtrace
+        record_exception(e, :cb => name, :args => arguments)
+        nil
+      end
+      def build_accessor(reqs)
+        reqs.map do |req|
+          BindingAccessor.new(req, true)
+        end
+      end
+      def build_runnable(callbacks)
+        @argument_requirements = {}
+        @source = 'var callbacks = {'
+        @js_pre = !callbacks['pre'].nil?
+        @js_post = !callbacks['post'].nil?
+        @js_failing = !callbacks['failing'].nil?
+        callbacks.each do |name, args_or_func|
+          @source << name
+          @source << ': '
+          if args_or_func.is_a?(Array)
+            @source << args_or_func.pop
+            @argument_requirements[name] = build_accessor(args_or_func)
+          else
+            @source << args_or_func
+            @argument_requirements[name] = []
+          end
+          @source << ",\n"
+        end
+        @source << "\n"
+        @source << '}'
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/headers_insert.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rule_callback'
+module Sqreen
+  module Rules
+    SQREEN_HEADER_NAME = 'X-Protected-By'.freeze
+    SQREEN_HEADER_VALUE = 'Sqreen'.freeze
+    # Display sqreen presence
+    class HeadersInsertCB < RuleCB
+      def post(rv, _inst, *_args, &_block)
+        return unless rv && rv.respond_to?(:[]) && rv[1].is_a?(Hash)
+        rv[1][SQREEN_HEADER_NAME] = SQREEN_HEADER_VALUE
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/inspect_rule.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rule_callback'
+module Sqreen
+  module Rules
+    class InspectRuleCB < RuleCB
+      def pre(_inst, *args, &_block)
+        Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
+        Sqreen.log.debug { args.join ' ' }
+      end
+      def post(_rv, _inst, *_args, &_block)
+        Sqreen.log.debug { ">> #{@klass} #{@method} #{Thread.current}" }
+        byebug if defined? byebug and @data.is_a?(Hash) and @data[:break] == 1
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/matcher_rule.rb ADDED Viewed

@@ -0,0 +1,103 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rule_callback'
+module Sqreen
+  module Rules
+    # A configurable matcher rule
+    class MatcherRuleCB < RuleCB
+      def initialize(*args)
+        super(*args)
+        prepare
+      end
+      def self.prepare_re_pattern(value, options, case_sensitive)
+        res = 0
+        res |= Regexp::MULTILINE  if options.include?('multiline')
+        res |= Regexp::IGNORECASE unless case_sensitive
+        Regexp.compile(value, res)
+      end
+      def prepare
+        @string = {}
+        @regex_patterns = []
+        patterns = @data['values']
+        if patterns.nil?
+          msg = "no key 'values' in data (had #{@data.keys})"
+          raise Sqreen::Exception, msg
+        end
+        @funs = {
+          'anywhere'    => lambda { |value, str| str.include?(value)    },
+          'starts_with' => lambda { |value, str| str.start_with?(value) },
+          'ends_with'   => lambda { |value, str| str.end_with?(value)   },
+          'equals'      => lambda { |value, str| str == value           },
+        }
+        patterns.each do |entry|
+          next unless entry
+          type = entry['type']
+          val = entry['value']
+          opts = entry['options']
+          opt = (opts && opts.first && opts.first != '') ? opts.first : 'anywhere'
+          case_sensitive = entry['case_sensitive'] || false
+          case type
+          when 'string'
+            if case_sensitive
+              case_type = :cs
+            else
+              case_type = :ci
+              val = val.downcase
+            end
+            unless @funs.keys.include?(opt)
+              Sqreen.log.debug { "Error: unknown string option '#{opt}' " }
+              next
+            end
+            @string[opt] = { :ci => [], :cs => [] } unless @string.key?(opt)
+            @string[opt][case_type] << val
+          when 'regex'
+            pattern = MatcherRuleCB.prepare_re_pattern(val, opt, case_sensitive)
+            next unless pattern
+            @regex_patterns << pattern
+          end
+        end
+        if [@regex_patterns, @string].map { |s| s == 0 }.all?
+          msg = "no key 'regex' nor 'match' in data (had #{@data.keys})"
+          raise Sqreen::Exception, msg
+        end
+      end
+      def match(str)
+        return if str.nil? || str.empty?
+        istr = str.downcase
+        @string.each do |type, cases|
+          fun = @funs[type]
+          if fun.nil?
+            Sqreen.log.debug { "no matching function found for type #{type}" }
+          end
+          cases.each do |case_type, patterns|
+            input_str = if case_type == :ci
+                          istr
+                        else
+                          str
+                        end
+            patterns.each do |pat|
+              return pat if fun.call(pat, input_str)
+            end
+          end
+        end
+        @regex_patterns.each do |p|
+          return p if p.match(str)
+        end
+        nil
+      end
+    end
+  end
+end