sqreen 0.8.11465220943 → 1.0.0.pre1480953244

data/lib/sqreen/parsers/sql_tokenizer.rb

@@ -1,266 +0,0 @@
-# Copyright (c) 2015 Sqreen. All Rights Reserved.
-# Please refer to our terms for more information: https://www.sqreen.io/terms.html
-
-# Inspired by
-# https://practicingruby.com/articles/parsing-json-the-hard-way
-
-require 'strscan'
-require 'sqreen/exception'
-
-module Sqreen
-  module Parsers
-    class ParsingException < ::Sqreen::Exception
-    end
-
-    # Forward declaration
-    class SQLTokenizer; end
-
-    # https://www.sqlite.org/lang_select.html
-    # https://www.sqlite.org/lang_expr.html
-    class SQLiteTokenizer < SQLTokenizer
-      def initialize(_db_infos,
-                     _backslash_escape = false,
-                     _has_hex          = false)
-        @name = 'SQLite'
-      end
-    end
-
-    # How string litterals work in MySQL
-    # https://dev.mysql.com/doc/refman/5.0/en/string-literals.html
-    # https://dev.mysql.com/doc/refman/5.0/en/number-literals.html
-    #
-    # Configuration modifiers:
-    # sqlmode: The backslash charcter does not perform escapes
-    # https://dev.mysql.com/doc/refman/5.0/en/sql-mode.html#sqlmode_ansi_quotes
-    # sqlmode: No backslash escapes
-    # https://dev.mysql.com/doc/refman/5.0/en/sql-mode.html#sqlmode_no_backslash_escapes
-
-    # The double quote cannot be a string delimiter
-    #
-    # Double quote strangeness:
-    #
-    # mysql> SELECT 'hello', '"hello"', '""hello""', 'hel''lo', '\'hello';
-    # +-------+---------+-----------+--------+--------+
-    # | hello | "hello" | ""hello"" | hel'lo | 'hello |
-    # +-------+---------+-----------+--------+--------+
-    #
-    # mysql> SELECT "hello", "'hello'", "''hello''", "hel""lo", "\"hello";
-    # +-------+---------+-----------+--------+--------+
-    # | hello | 'hello' | ''hello'' | hel"lo | "hello |
-    # +-------+---------+-----------+--------+--------+
-    class MySQLTokenizer < SQLTokenizer
-      def initialize(db_infos,
-                     backslash_escape = true,
-                     has_hex          = true)
-        super
-        @name = 'MySQL'
-      end
-    end
-
-    class SQLTokenizer
-      NUMBER = /[-+]*(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/
-      COMMAND = /[a-zA-Z_][a-zA-Z_0-9]*/
-      HEX = /0x[0-9a-fA-F]+/
-
-      binary_operators_list = %w(\+ - ~ \! <=> <> != <= = >= < > := % NOT OR \|\| AND IS IN BETWEEN LIKE REGEXP)
-      binary_operators_list << 'SOUNDS LIKE' << 'IS NULL' << 'IS NOT NULL'
-      BINARY_OPERATORS_LIST = binary_operators_list.freeze
-
-      BITS_OPERATORS_LIST = %w(\| & << >> \+ - \* / DIV MOD % ^).freeze
-
-      BINARY_OPERATORS = Regexp.new(BINARY_OPERATORS_LIST.join('|'))
-      BITS_OPERATORS = Regexp.new(BITS_OPERATORS_LIST.join('|'))
-
-      SQ = "'".freeze
-      DQ = '"'.freeze
-      BQ = '`'.freeze
-
-      attr_reader :ss
-
-      def initialize(db_infos,
-                     backslash_escape = true,
-                     has_hex          = true)
-
-        @db_infos = db_infos
-        @ss = nil
-        @backslash_escape = backslash_escape
-        @has_hex = has_hex
-      end
-
-      def tokenize(str)
-        @ss = StringScanner.new(str)
-      end
-
-      def each_token
-        while token = next_token
-          type = get_type(token[0])
-          puts token.inspect       if $DEBUG
-          puts 'After: ' + ss.rest if $DEBUG
-          yield(token, type)
-        end
-      end
-
-      # Can raise a ParsingException.
-      def next_token
-        @ss.skip(/^[ \t\n]+/)
-
-        return if @ss.eos?
-
-        # FIXME: multiple commands (; separated)
-        # FIXME endline comments (-- )
-
-        res = if text = @ss.scan(COMMAND)
-                [:COMMAND, text]
-              elsif @has_hex && text = @ss.scan(HEX)
-                [:HEX_STRING, text]
-              elsif text = @ss.scan(NUMBER)
-                [:NUMBER, text]
-              elsif text = extract_string(SQ)
-                [:SINGLE_QUOTED_STRING, SQ + text + SQ]
-              elsif text = extract_string(DQ)
-                [:DOUBLE_QUOTED_STRING, DQ + text + DQ]
-              elsif text = extract_string(BQ)
-                [:BACK_QUOTED_STRING, BQ + text + BQ]
-              elsif @ss.peek(1) == '*' && @ss.pos += 1
-                [:ASTERISK, '*']
-              elsif @ss.peek(3) == '/*!' && @ss.pos += 3 and text = @ss.search_full(/\*\//, true, true)
-                [:INLINE_COMMENT, '/*!' + text]
-              elsif @ss.peek(2) == '/*' && @ss.pos += 2 and text = @ss.search_full(/\*\//, true, true)
-                [:INLINE_COMMENT, '/*' + text]
-              elsif text = @ss.scan(/\)/)
-                [:PAR_CLOSE, text]
-              elsif text = @ss.scan(/\(/)
-                [:PAR_OPEN, text]
-              elsif text = @ss.scan(/,/)
-                [:COMA, text]
-              elsif @ss.peek(1) == '?' && @ss.pos += 1
-                [:QUESTION_MARK, '?']
-              elsif text = @ss.scan(/;/)
-                [:QUERY_END, text]
-              elsif @ss.peek(1) == ':' && @ss.pos += 1
-                [:LABEL_MARK, ':']
-              elsif @ss.peek(1) == '.' && @ss.pos += 1
-                [:DOT, '.']
-              elsif text = @ss.scan(BINARY_OPERATORS)
-                [:BINARY_OPERATOR, text]
-              # elsif text = @ss.scan(BITS_OPERATORS) then
-              #     [:BITS_OPERATOR, text]
-              else
-                pos = @ss.pos
-                @ss.reset
-                request = @ss.rest
-                @ss.pos = pos
-                raise ParsingException, format('could not find anything %s', request.inspect)
-              end
-
-        res
-      end
-
-      TYPES_MAPPING = {
-        :literal_string => [
-          :SINGLE_QUOTED_STRING,
-          :DOUBLE_QUOTED_STRING,
-          :HEX_STRING,
-        ],
-        :literal_number => [
-          :NUMBER,
-        ],
-        :object => [
-          :BACK_QUOTED_STRING,
-        ],
-        :command => [
-          :COMMAND,
-        ],
-      }.freeze
-
-      INVERT_TYPE_MAPPING = TYPES_MAPPING.inject({}) do |new, types_h|
-        meta_type, types = types_h
-        for type in types
-          new[type] = meta_type
-        end
-        new
-      end
-
-      def get_type(token_type)
-        INVERT_TYPE_MAPPING[token_type]
-      end
-
-      def extract_string(delim)
-        return unless @ss.peek(1) == delim
-        @ss.pos += 1
-        find_string(delim)
-      end
-
-      def find_dq_str
-        find_string('"')
-      end
-
-      def find_sq_str(_string_scanner)
-        find_string("'")
-      end
-
-      def find_string(delim)
-        remain = @ss.rest
-        end_idx = find_impair_delim_pos(remain, delim)
-        raise ParsingException, format('no end for string %s', remain.inspect) if end_idx.nil?
-
-        # So we point on the last internal char of string
-        res = remain[0...end_idx]
-
-        # Ruby 1.9.3: String.bytes = Enumerator has no size method
-        bytes_size = 0
-        res.bytes.each { bytes_size += 1 }
-
-        # Remain is a unicode string. @ss the StringScanner works with
-        # bytes, so we need to move it forward by numbre of bytes in remain.
-        @ss.pos += bytes_size + 1
-        res
-      end
-
-      # MySQL string exctraction is a pain since:
-      #  - a string may hold antislashes, which escapes the next char
-      #  - a string may hold their delimiter (' or ") twice: '' or "", which
-      #    translates \' or \"
-      # Hence we browse the string. We skip \*, and if we find delimiters, we
-      # count how many there are.
-      #  - If its an odd number, (1, 3...) this is the end of the string.
-      #  - Else, they have all been escaped, we can ignore them.
-      def find_impair_delim_pos(str, delim)
-        skip = false
-        first = nil
-        str.chars.each_with_index do |char, i|
-          if skip
-            skip = false
-            next
-          end
-          if @backslash_escape && char == '\\'
-            # if we have an escape, let's skip it
-            skip = true
-            next
-          end
-          if char == delim
-            first = i unless first
-          else
-            if first
-              # first time we reach the end of a `delim` sequence
-              nb = i - first
-              if nb.odd?
-                # we had an odd number of delim
-                return i - 1
-              else
-                # we had an even number of delim, keep searching
-                first = nil
-              end
-            end
-          end
-        end
-        i = str.size - 1
-        if first
-          nb = i - first + 1
-          return i if nb.odd?
-        end
-        nil
-      end
-    end
-  end
-end

data/lib/sqreen/parsers/unix.rb

@@ -1,110 +0,0 @@
-# Copyright (c) 2015 Sqreen. All Rights Reserved.
-# Please refer to our terms for more information: https://www.sqreen.io/terms.html
-
-require 'strscan'
-require 'sqreen/exception'
-
-module Sqreen
-  module Parsers
-    # A command fragment
-    class UnixAtom
-      attr_accessor :kind, :val, :start, :end
-
-      def initialize(kind, value, start)
-        self.kind = kind
-        self.val = value
-        self.start = start
-        self.end = start + value.size
-      end
-
-      def executable?
-        kind == :exec
-      end
-    end
-
-    # A basic Shell command parser
-    class Unix
-      attr_reader :atoms
-
-      def initialize
-        @ifs = ENV.fetch('IFS', " \t\n")
-        @white = Regexp.new("[#{@ifs}]+")
-        @nonwhite = Regexp.new("[^#{@ifs}]+")
-        @control = ';&|'
-        @nonwhite_and_control = Regexp.new("[^#{@ifs}#{@control}]+")
-      end
-
-      # Parse a shell command.
-      #
-      # fills atoms with parsing results
-      # @param cmd [String] Command to be parsed
-      # @return [Boolean] true if successful
-      def parse(cmd)
-        @atoms = []
-        each_token(cmd) do |atom|
-          @atoms << atom
-        end
-
-        true
-      end
-
-      protected
-
-      def each_token(cmd)
-        scan = StringScanner.new(cmd)
-
-        @first = true
-        loop do
-          token = next_token(scan)
-          break if token.nil?
-          yield token
-        end
-      end
-
-      def next_token(scan)
-        scan.skip(@white)
-
-        return nil if scan.eos?
-
-        pos = scan.pos
-        text = scan.scan(Regexp.new("#{@nonwhite}="))
-        return UnixAtom.new(:param, text + find_word(scan), pos) if text
-        next_ch = scan.peek(1)
-        if @control.include?(next_ch)
-          @first = true
-          return UnixAtom.new(:control, scan.scan(Regexp.new("[#{@control}]+")), pos)
-        end
-        word = find_word(scan)
-        return nil unless word
-        if @first
-          @first = false
-          return UnixAtom.new(:exec, word, pos)
-        else
-          return UnixAtom.new(:field, word, pos)
-        end
-      end
-
-      def find_word(scan)
-        first = scan.peek(1)
-        return '' if first.match(@white)
-
-        if first == "'"
-          scan.getch
-          "'" + scan.scan_until(/'|\z/)
-        elsif first == '"'
-          txt = ['"']
-          scan.getch
-          until scan.eos?
-            txt << scan.scan_until(/"|\z/)
-            escaped = txt[-1].match(/\\+"\z/)
-            break unless escaped
-            break if escaped.size.even?
-          end
-          txt.join
-        else
-          scan.scan(@nonwhite_and_control)
-        end
-      end
-    end
-  end
-end

data/lib/sqreen/rules_callbacks/shell.rb

@@ -1,33 +0,0 @@
-# Copyright (c) 2015 Sqreen. All Rights Reserved.
-# Please refer to our terms for more information: https://www.sqreen.io/terms.html
-
-require 'sqreen/rule_callback'
-require 'sqreen/detect'
-
-module Sqreen
-  module Rules
-    # Look for Shell injections
-    class ShellCB < RuleCB
-      def pre(_inst, *args, &_block)
-        Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
-        Sqreen.log.debug { args.inspect }
-
-        cmd = args[0]
-        params = framework.request_params
-        return if params.nil? || params == {}
-        Sqreen.log.debug { 'Searching injection in:' }
-        Sqreen.log.debug { 'command: ' + cmd }
-        Sqreen.log.debug { 'params: ' + params.inspect }
-
-        # FIXME: Handle IFS coming from spawn/exec/system ENV argument
-        inj = Sqreen::Detect::ShellInjection.new
-        shi = inj.user_escape?(cmd, params)
-        Sqreen.log.warn { "presence of a shell injection: #{shi}" }
-        return unless shi
-        infos = { :sh_cmd => cmd }
-        record_event(infos)
-        { :status => :raise }
-      end
-    end
-  end
-end

data/lib/sqreen/rules_callbacks/sql.rb

@@ -1,41 +0,0 @@
-# Copyright (c) 2015 Sqreen. All Rights Reserved.
-# Please refer to our terms for more information: https://www.sqreen.io/terms.html
-
-require 'sqreen/rule_callback'
-require 'sqreen/detect'
-
-module Sqreen
-  module Rules
-    # Look for SQL injections
-    class SQLCB < RuleCB
-      def pre(inst, *args, &_block)
-        Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
-        Sqreen.log.debug { args.inspect }
-
-        request = args[0]
-        params = framework.request_params
-        return if params.nil? || params == {}
-        Sqreen.log.debug { 'Searching injection in:' }
-        Sqreen.log.debug { 'request: ' + request }
-        Sqreen.log.debug { 'params: ' + params.inspect }
-
-        db_type, db_infos = framework.db_settings(:connection_adapter => inst)
-        if db_type.nil?
-          Sqreen.log.debug { "Database '#{db_infos[:name]}' not supported yet" }
-          return
-        end
-        inj = Sqreen::Detect::SQLInjection.new(db_type, db_infos)
-        sqli = inj.user_escape?(request, params)
-        Sqreen.log.info { "presence of an SQLi: #{sqli}" }
-        return unless sqli
-        infos = {
-          :db_request => request,
-          :db_type => db_type,
-          :db_infos => db_infos,
-        }
-        record_event(infos)
-        { :status => :raise }
-      end
-    end
-  end
-end