RubyGems - sqreen - Versions diffs - 1.11.0-java → 1.11.1-java - Mend

sqreen 1.11.0-java → 1.11.1-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

checksums.yaml +4 -4
data/lib/sqreen.rb +0 -1
data/lib/sqreen/callback_tree.rb +38 -20
data/lib/sqreen/callbacks.rb +6 -4
data/lib/sqreen/conditionable.rb +3 -3
data/lib/sqreen/frameworks/generic.rb +38 -18
data/lib/sqreen/frameworks/request_recorder.rb +0 -2
data/lib/sqreen/instrumentation.rb +217 -160
data/lib/sqreen/performance_notifications.rb +10 -36
data/lib/sqreen/performance_notifications/log.rb +1 -2
data/lib/sqreen/performance_notifications/log_performance.rb +1 -2
data/lib/sqreen/performance_notifications/metrics.rb +1 -2
data/lib/sqreen/performance_notifications/newrelic.rb +1 -2
data/lib/sqreen/remote_command.rb +7 -7
data/lib/sqreen/rule_callback.rb +4 -0
data/lib/sqreen/rules.rb +2 -2
data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb +7 -1
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +3 -3
data/lib/sqreen/rules_callbacks/blacklist_ips.rb +1 -1
data/lib/sqreen/rules_callbacks/count_http_codes.rb +7 -6
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +1 -1
data/lib/sqreen/rules_callbacks/custom_error.rb +2 -5
data/lib/sqreen/rules_callbacks/execjs.rb +76 -37
data/lib/sqreen/rules_callbacks/headers_insert.rb +1 -1
data/lib/sqreen/rules_callbacks/inspect_rule.rb +3 -3
data/lib/sqreen/rules_callbacks/matcher_rule.rb +18 -17
data/lib/sqreen/rules_callbacks/rails_parameters.rb +1 -1
data/lib/sqreen/rules_callbacks/record_request_context.rb +9 -8
data/lib/sqreen/rules_callbacks/reflected_xss.rb +40 -34
data/lib/sqreen/rules_callbacks/regexp_rule.rb +13 -4
data/lib/sqreen/rules_callbacks/shell_env.rb +2 -2
data/lib/sqreen/rules_callbacks/url_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +1 -1
data/lib/sqreen/session.rb +1 -1
data/lib/sqreen/shared_storage.rb +16 -12
data/lib/sqreen/{stats.rb → shared_storage23.rb} +3 -11
data/lib/sqreen/version.rb +1 -1
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53669623f0ae28ec6d69e5811956073c925f977a0beceda24756f4c2dc0b1bf5
-  data.tar.gz: dd62e44b9461fc8fac1bd11a511d1c4023fc152ced31afdaf17934ed82824e85
+  metadata.gz: a70bef09cb6da963c38ee03d9caf758d66456afb1ba1943f6eb084a6a826ccb2
+  data.tar.gz: f34e57917ed3dac5ab54ae517d5302f49037a57e85b183d566fa6f93b74cec66
 SHA512:
-  metadata.gz: 23dd698494d6913be0cf911d034ae7c51fa2969959f3758eed165958d390e6b80860f1c20d40298a3b1acf42456c0ca276dc65b0ab161cae917cf18ede700fb7
-  data.tar.gz: c9567b90cdeb4cf836cf8f20a0781e584d3cf3dddf09b83434ad70b91d3f17122660dfac4766cf818b08c77f22fcf6fbc13d84bfc2668e2257d26fcc2ad77e42
+  metadata.gz: dfb6563fed2fd99cf7f314b14b98be08af1e2877d9f2552e3ae76d81291ee636ee2c2fcaf80433cc8570f409be4aeceb08bbd96382d751e569d2a9d37d6872b3
+  data.tar.gz: 74fdd37d02a93e642f6de235ad1b85d6015f8058df05bd16689c5ad687e345e3e4fdc5e2b4d686229ce48f0a76a81ede7f5abdc5cae5287f7041aa88b287f8ae

data/lib/sqreen.rb CHANGED Viewed

@@ -7,7 +7,6 @@ require 'sqreen/runner'
 require 'sqreen/callbacks'
 require 'sqreen/version'
 require 'sqreen/log'
-require 'sqreen/stats'
 require 'sqreen/exception'
 require 'sqreen/configuration'
 require 'sqreen/events/attack'

data/lib/sqreen/callback_tree.rb CHANGED Viewed

@@ -19,50 +19,68 @@ module Sqreen
       @by_class[cb.klass] = {} unless @by_class[cb.klass]
       cb_klass = @by_class[cb.klass]
-      unless cb_klass[cb.method]
-        cb_klass[cb.method] = { :pre => [], :post => [], :failing => [] }
-      end
+      cb_klass[cb.method] ||= [nil, nil, nil]
       methods = cb_klass[cb.method]
-      methods[:pre] << cb if cb.pre?
-      methods[:post] << cb if cb.post?
-      methods[:failing] << cb if cb.failing?
+      if cb.pre?
+        methods[0] ||= []
+        methods[0] << cb
+      end
+      if cb.post?
+        methods[1] ||= []
+        methods[1] << cb
+      end
+      if cb.failing?
+        methods[2] ||= []
+        methods[2] << cb
+      end
     end
     def remove(cb)
-      types = @by_class[cb.klass][cb.method]
+      by_meth = @by_class[cb.klass]
+      return unless by_meth
+      types = by_meth[cb.method]
-      types[:pre].delete cb  if cb.pre?
-      types[:post].delete cb if cb.post?
-      types[:failing].delete cb if cb.failing?
+      if cb.pre? && types[0]
+        types[0].delete(cb)
+        types[0] = nil if types[0].empty?
+      end
+      if cb.post? && types[1]
+        types[1].delete(cb)
+        types[1] = nil if types[1].empty?
+      end
+      if cb.failing? && types[2]
+        types[2].delete(cb)
+        types[2] = nil if types[2].empty?
+      end
     end
-    def get(klass, method, type = nil)
+    def get(klass, method)
       k = @by_class[klass]
       unless k
         Sqreen.log.debug { format('Error: no cb registered for class %s (%s)', klass.inspect, klass.class) }
         Sqreen.log.debug { inspect }
-        return []
+        return [nil, nil, nil]
       end
       cbs = k[method]
       unless cbs
         Sqreen.log.debug { format('Error: no cbs registered for method %s.%s', klass, method) }
         Sqreen.log.debug { inspect }
-        return []
+        return [nil, nil, nil]
       end
-      return cbs[type] unless type.nil?
-      res = Set.new
-      cbs.each_value { |v| res += v }
-      res.to_a
+      cbs
+    rescue StandardError => e
+      Sqreen.log.warn "we catched an exception getting cbs: #{e.inspect}"
+      Sqreen::RemoteException.record(e)
+      [nil, nil, nil]
     end
     def each
       @by_class.each_value do |values|
         values.each_value do |cbs|
-          cbs.each_value do |cb_ary|
+          cbs.each do |cb_ary|
+            next unless cb_ary
             cb_ary.each do |cb|
               yield cb
             end

data/lib/sqreen/callbacks.rb CHANGED Viewed

@@ -37,6 +37,7 @@ module Sqreen
     #  CB can also declare that they are whitelisted and should not be run at the moment.
     attr_reader :klass, :method
+    attr_reader :overtimeable
     def initialize(klass, method)
       @method = method
@@ -45,6 +46,7 @@ module Sqreen
       @has_pre  = respond_to? :pre
       @has_post = respond_to? :post
       @has_failing = respond_to? :failing
+      @overtimeable = false
       raise(Sqreen::Exception, 'No callback provided') unless @has_pre || @has_post || @has_failing
     end
@@ -71,7 +73,7 @@ module Sqreen
     def overtime!
       Sqreen.log.debug { "#{self} is overtime!" }
-      false
+      @overtimeable
     end
     def framework
@@ -81,13 +83,13 @@ module Sqreen
   # target_method, position, callback, callback class
   class DefaultCB < CB
-    def pre(_inst, *args, &_block)
+    def pre(_inst, args, _budget = nil, &_block)
       Sqreen.log.debug "<< #{@klass} #{@method} #{Thread.current}"
       Sqreen.log.debug args.join ' '
       # log params
     end
-    def post(_rv, _inst, *_args, &_block)
+    def post(_rv, _inst, _args, _budget = nil, &_block)
       # log "#{rv}"
       Sqreen.log.debug ">> #{@klass} #{@method} #{Thread.current}"
     end
@@ -101,7 +103,7 @@ module Sqreen
       @block = block
     end
-    def pre(_inst, *_args, &_block)
+    def pre(_inst, _args, _budget = nil, &_block)
       # FIXME: implement this removal
       @remove_me = true
       @block.call

data/lib/sqreen/conditionable.rb CHANGED Viewed

@@ -26,19 +26,19 @@ module Sqreen
     end
     def pre_with_conditions(inst, *args, &block)
-      eargs = [binding, framework, inst, args, @data, nil]
+      eargs = [nil, framework, inst, args, @data, nil]
       return nil if !pre_conditions.nil? && !pre_conditions.evaluate(*eargs)
       pre_without_conditions(inst, *args, &block)
     end
     def post_with_conditions(rv, inst, *args, &block)
-      eargs = [binding, framework, inst, args, @data, rv]
+      eargs = [nil, framework, inst, args, @data, rv]
       return nil if !post_conditions.nil? && !post_conditions.evaluate(*eargs)
       post_without_conditions(rv, inst, *args, &block)
     end
     def failing_with_conditions(rv, inst, *args, &block)
-      eargs = [binding, framework, inst, args, @data, rv]
+      eargs = [nil, framework, inst, args, @data, rv]
       return nil if !failing_conditions.nil? && !failing_conditions.evaluate(*eargs)
       failing_without_conditions(rv, inst, *args, &block)
     end

data/lib/sqreen/frameworks/generic.rb CHANGED Viewed

@@ -234,6 +234,7 @@ module Sqreen
         SharedStorage.set(:request, Rack::Request.new(object))
         SharedStorage.inc(:stored_requests)
         SharedStorage.set(:xss_params, nil)
+        SharedStorage.set(:whitelisted, nil)
         SharedStorage.set(:request_overtime, nil)
       end
@@ -250,6 +251,7 @@ module Sqreen
         self.remaining_perf_budget = nil
         SharedStorage.set(:request, nil)
         SharedStorage.set(:xss_params, nil)
+        SharedStorage.set(:whitelisted, nil)
         SharedStorage.set(:request_overtime, nil)
       end
@@ -338,14 +340,13 @@ module Sqreen
         Dir.getwd
       end
-      WHITELIST_KEY = 'sqreen.whitelisted_request'.freeze
       # Return the current item that whitelist this request
       # returns nil if request is not whitelisted
       def whitelisted_match
         return nil unless request
-        return request.env[WHITELIST_KEY] if request.env.key?(WHITELIST_KEY)
-        request.env[WHITELIST_KEY] = whitelisted_ip || whitelisted_path
+        whitelisted = whitelisted_ip || whitelisted_path
+        SharedStorage.set(:whitelisted, !whitelisted.nil?)
+        whitelisted
       end
       # Returns the current path that whitelist the request
@@ -369,21 +370,40 @@ module Sqreen
         request.env['REMOTE_ADDR']
       end
-      def xss_params(regexp = nil)
-        p = SharedStorage.get(:xss_params)
-        return p unless p.nil?
-        p = request_params
-        parm = Set.new
-        each_key_value_for_hash(p) do |value|
-          next unless value.is_a?(String)
-          next if value.size < 5
-          next if regexp && !regexp.match(value)
-          parm << value
+      if Regexp.new('').respond_to?(:match?)
+        def xss_params(regexp = nil)
+          p = SharedStorage.get(:xss_params)
+          return p unless p.nil?
+          p = request_params
+          parm = Set.new
+          each_key_value_for_hash(p) do |value|
+            next unless value.is_a?(String)
+            next if value.size < 5
+            next if regexp && !regexp.match?(value)
+            parm << value
+          end
+          p = parm.to_a
+          Sqreen.log.debug { "Filtered XSS params: #{p.inspect}" }
+          SharedStorage.set(:xss_params, p)
+          p
+        end
+      else
+        def xss_params(regexp = nil)
+          p = SharedStorage.get(:xss_params)
+          return p unless p.nil?
+          p = request_params
+          parm = Set.new
+          each_key_value_for_hash(p) do |value|
+            next unless value.is_a?(String)
+            next if value.size < 5
+            next if regexp && !regexp.match(value)
+            parm << value
+          end
+          p = parm.to_a
+          Sqreen.log.debug { "Filtered XSS params: #{p.inspect}" }
+          SharedStorage.set(:xss_params, p)
+          p
         end
-        p = parm.to_a
-        Sqreen.log.debug { "Filtered XSS params: #{p.inspect}" }
-        SharedStorage.set(:xss_params, p)
-        p
       end
       protected

data/lib/sqreen/frameworks/request_recorder.rb CHANGED Viewed

@@ -47,8 +47,6 @@ module Sqreen
     end
     def close_request_record(queue, observations_queue, payload_creator)
-      Sqreen::PerformanceNotifications::LogPerformance.next_request
-      Sqreen::PerformanceNotifications::NewRelic.next_request
       clean_request_record if observed_items.nil?
       if only_metric_observation
         push_metrics(observations_queue, queue)

data/lib/sqreen/instrumentation.rb CHANGED Viewed

@@ -3,12 +3,13 @@
 require 'sqreen/callback_tree'
 require 'sqreen/log'
-require 'sqreen/stats'
 require 'sqreen/exception'
 require 'sqreen/performance_notifications'
 require 'sqreen/call_countable'
 require 'sqreen/events/remote_exception'
 require 'sqreen/rules_signature'
+require 'sqreen/shared_storage'
+require 'sqreen/rules_callbacks/record_request_context'
 require 'set'
 # How to override a class method:
@@ -33,13 +34,16 @@ require 'set'
 module Sqreen
   class Instrumentation
-    WHITELISTED_METRIC='whitelisted'.freeze
-    OVERTIME_METRIC='request_overtime'.freeze
+    OVERTIME_METRIC = 'request_overtime'.freeze
+    MGMT_COST = 0.000025
     @@override_semaphore = Mutex.new
+    @@overriden_singleton_methods = false
     ## Overriden methods and callbacks globals
     @@overriden_methods = []
     @@registered_callbacks = CBTree.new
+    @@unovertimable_hookpoints = Set.new
+    @@record_request_hookpoints = Set.new
     @@instrumented_pid = nil
     def self.semaphore
@@ -57,33 +61,29 @@ module Sqreen
     def self.overriden
       @@overriden_methods
     end
-    def self.callback_wrapper_pre(klass, method, instance, *args, &block)
-      Instrumentation.guard_call(method, []) do
-        callbacks = @@registered_callbacks.get(klass, method, :pre)
-        if callbacks.any?(&:whitelisted?)
-          callbacks = callbacks.reject(&:whitelisted?)
-        end
-        cb_with_framework = callbacks.find(&:framework)
-        budget = nil
-        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
+    def self.callback_wrapper_pre(callbacks, framework, budget, _klass, method, instance, args, &block)
+      all_start = Sqreen::PerformanceNotifications.time
+      #Instrumentation.guard_call(method, []) do
         returns = []
         callbacks.each do |cb|
           # If record_request is part of callbacks we should filter after it ran
           next if cb.whitelisted?
           rule = cb.rule_name if cb.respond_to?(:rule_name)
-          if !budget.nil? && budget <= 0
-            next if cb.overtime!
+          if budget && budget <= 0.0
+            next if cb.overtimeable
           end
           Sqreen.log.debug { "running pre cb #{cb}" }
           begin
             start = Sqreen::PerformanceNotifications.time
-            res = cb.send(:pre, instance, *args, &block)
+            res = cb.pre(instance, args, budget, &block)
             stop = Sqreen::PerformanceNotifications.time
             # The first few pre callbacks could not have a request & hence a budget just yet so we try harder to find it
-            budget = cb_with_framework.framework.remaining_perf_budget if budget.nil? && !Sqreen.performance_budget.nil? && cb.framework
-            budget -= (stop - start) unless budget.nil?
+            budget = framework.remaining_perf_budget if framework && !budget && Sqreen.performance_budget
+            if budget
+              budget -= (stop - start)
+              cb.overtime! if budget <= 0.0
+            end
+            all_start += (stop - start)
             if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
               Sqreen.log.debug do
                 "#{cb} cannot block, overriding return value"
@@ -94,7 +94,7 @@ module Sqreen
             end
             returns << res
           rescue StandardError => e
-            Sqreen.log.warn "we catch an exception: #{e.inspect}"
+            Sqreen.log.warn { "we catch an exception: #{e.inspect}" }
             Sqreen.log.debug e.backtrace
             if cb.respond_to?(:record_exception)
               cb.record_exception(e)
@@ -105,36 +105,37 @@ module Sqreen
           end
           Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/pre", start, stop)
         end
-        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil?
+        all_stop = Sqreen::PerformanceNotifications.time
+        framework.remaining_perf_budget = budget - (all_stop - all_start) - MGMT_COST * callbacks.size if framework && budget
+        Sqreen::PerformanceNotifications.notify('Callbacks/hooks_pre/pre', all_start, all_stop)
         returns
-      end
+      #end
     rescue StandardError => e
-      Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
+      Sqreen.log.warn { "we catched an exception between cbs: #{e.inspect}" }
       Sqreen::RemoteException.record(e)
+      []
     end
-    def self.callback_wrapper_post(klass, method, return_val, instance, *args, &block)
-      Instrumentation.guard_call(method, []) do
-        callbacks = @@registered_callbacks.get(klass, method, :post)
-        if callbacks.any?(&:whitelisted?)
-          callbacks = callbacks.reject(&:whitelisted?)
-        end
-        cb_with_framework = callbacks.find(&:framework)
-        budget = nil
-        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
+    def self.callback_wrapper_post(callbacks, framework, budget, _klass, method, return_val, instance, args, &block)
+      all_start = Sqreen::PerformanceNotifications.time
+      #Instrumentation.guard_call(method, []) do
         returns = []
         callbacks.reverse_each do |cb|
+          next if cb.whitelisted?
           rule = cb.rule_name if cb.respond_to?(:rule_name)
-          if !budget.nil? && budget <= 0
-            next if cb.overtime!
+          if budget && budget <= 0.0
+            next if cb.overtimeable
           end
           Sqreen.log.debug { "running post cb #{cb}" }
           begin
             start = Sqreen::PerformanceNotifications.time
-            res = cb.send(:post, return_val, instance, *args, &block)
+            res = cb.post(return_val, instance, args, budget, &block)
             stop = Sqreen::PerformanceNotifications.time
-            budget -= (stop - start) unless budget.nil?
+            if budget
+              budget -= (stop - start)
+              cb.overtime! if budget <= 0.0
+            end
+            all_start += (stop - start)
             if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
               Sqreen.log.debug do
                 "#{cb} cannot block, overriding return value"
@@ -144,8 +145,8 @@ module Sqreen
               res[:rule_name] = rule
             end
             returns << res
-          rescue => e
-            Sqreen.log.warn "we catch an exception: #{e.inspect}"
+          rescue StandardError => e
+            Sqreen.log.warn { "we catch an exception: #{e.inspect}" }
             Sqreen.log.debug e.backtrace
             if cb.respond_to?(:record_exception)
               cb.record_exception(e)
@@ -156,36 +157,39 @@ module Sqreen
           end
           Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/post", start, stop)
         end
-        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil? && !cb_with_framework.framework.remaining_perf_budget.nil?
+        all_stop = Sqreen::PerformanceNotifications.time
+        if framework && budget && framework.remaining_perf_budget
+          framework.remaining_perf_budget = budget - (all_stop - all_start) - MGMT_COST * callbacks.size
+        end
+        Sqreen::PerformanceNotifications.notify('Callbacks/hooks_post/post', all_start, all_stop)
         returns
-      end
+      #end
     rescue StandardError => e
-      Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
+      Sqreen.log.warn { "we catched an exception between cbs: #{e.inspect}" }
       Sqreen::RemoteException.record(e)
+      []
     end
-    def self.callback_wrapper_failing(exception, klass, method, instance, *args, &block)
-      Instrumentation.guard_call(method, []) do
-        callbacks = @@registered_callbacks.get(klass, method, :failing)
-        if callbacks.any?(&:whitelisted?)
-          callbacks = callbacks.reject(&:whitelisted?)
-        end
-        cb_with_framework = callbacks.find(&:framework)
-        budget = nil
-        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
+    def self.callback_wrapper_failing(callbacks, framework, budget, exception, _klass, method, instance, args, &block)
+      all_start = Sqreen::PerformanceNotifications.time
+      #Instrumentation.guard_call(method, []) do
         returns = []
         callbacks.each do |cb|
+          next if cb.whitelisted?
           rule = cb.rule_name if cb.respond_to?(:rule_name)
-          if !budget.nil? && budget <= 0
-            next if cb.overtime!
+          if budget && budget <= 0.0
+            next if cb.overtimeable
           end
           Sqreen.log.debug { "running failing cb #{cb}" }
           begin
             start = Sqreen::PerformanceNotifications.time
-            res = cb.send(:failing, exception, instance, *args, &block)
+            res = cb.failing(exception, instance, args, budget, &block)
             stop = Sqreen::PerformanceNotifications.time
-            budget -= (stop - start) unless budget.nil?
+            if budget
+              budget -= (stop - start)
+              cb.overtime! if budget <= 0.0
+            end
+            all_start += (stop - start)
             if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
               Sqreen.log.debug do
                 "#{cb} cannot block, overriding return value"
@@ -195,9 +199,9 @@ module Sqreen
               res[:rule_name] = rule
             end
             returns << res
-          rescue => e
-            Sqreen.log.warn "we catch an exception: #{e.inspect}"
-            Sqreen.log.debug e.backtrace
+          rescue StandardError => e
+            Sqreen.log.warn { "we catch an exception: #{e.inspect}" }
+            Sqreen.log.debug { e.backtrace }
             if cb.respond_to?(:record_exception)
               cb.record_exception(e)
             else
@@ -207,24 +211,27 @@ module Sqreen
           end
           Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/failing", start, stop)
         end
-        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil? && !cb_with_framework.framework.remaining_perf_budget.nil?
+        all_stop = Sqreen::PerformanceNotifications.time
+        if framework && budget && framework.remaining_perf_budget
+          framework.remaining_perf_budget = budget - (all_stop - all_start) - MGMT_COST * callbacks.size
+        end
+        Sqreen::PerformanceNotifications.notify('Callbacks/hooks_failing/failing', all_start, all_stop)
         returns
-      end
+     # end
     rescue StandardError => e
       Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
       Sqreen::RemoteException.record(e)
+      []
     end
     def self.guard_multi_call(instance, method, original_method, args, block)
-      @sqreen_multi_instr ||= nil
+      return yield unless @@overriden_singleton_methods
       key = [method]
-      Instrumentation.guard_call(nil, :guard_multi_call) do
-        args.each{|e| key.push(e.object_id)}
-      end
+      args.each { |e| key.push(e.object_id) }
       if key && @sqreen_multi_instr && @sqreen_multi_instr[instance.object_id].member?(key)
         return instance.send(original_method, *args, &block)
       end
-      @sqreen_multi_instr ||= Hash.new {|h, k| h[k]=Set.new } # TODO this should probably be a thread local
+      @sqreen_multi_instr ||= Hash.new { |h, k| h[k] = Set.new } # TODO: this should probably be a thread local
       @sqreen_multi_instr[instance.object_id].add(key)
       r = yield
       return r
@@ -234,103 +241,152 @@ module Sqreen
       end
     end
-    def self.guard_call(method, retval)
-      @sqreen_in_instr ||= nil
-      return retval if @sqreen_in_instr && @sqreen_in_instr.member?(method)
-      @sqreen_in_instr ||= Set.new # TODO this should probably be a thread local
-      @sqreen_in_instr.add(method)
-      r = yield
-      @sqreen_in_instr.delete(method)
-      return r
-    rescue Exception => e
-      @sqreen_in_instr.delete(method)
-      raise e
-    end
     def self.define_callback_method(meth, original_meth, klass_name)
+      @sqreen_multi_instr ||= nil
       proc do |*args, &block|
-        if Process.pid != Instrumentation.instrumented_pid
+        budget = nil
+        skip_call = Thread.current[:sqreen_in_use]
+        begin
+          if !skip_call && Sqreen.performance_budget
+            # Not using framework here to try to get a bit more perf by not loading cbs
+            budget = Sqreen::SharedStorage.get(:performance_budget)
+            skip_call = budget && budget <= 0.0 && !@@unovertimable_hookpoints.include?([klass_name, meth])
+          end
+        rescue StandardError => e
+          Sqreen.log.warn "we catched an exception looking for overtime: #{e.inspect}"
+          Sqreen::RemoteException.record(e)
+        end
+        if !skip_call && Process.pid != Instrumentation.instrumented_pid
           Sqreen.log.debug do
             "Instrumented #{Instrumentation.instrumented_pid} != PID #{Process.pid}"
           end
-          return send(original_meth, *args, &block)
+          skip_call = true
         end
+        # If we are already overbudget let's not work at all
+        return send(original_meth, *args, &block) if skip_call
         Instrumentation.guard_multi_call(self, meth, original_meth, args, block) do
-        Sqreen.stats.callbacks_calls += 1
-        skip = false
-        result = nil
-        # pre callback
-        returns = Instrumentation.callback_wrapper_pre(klass_name,
-                                                       meth,
-                                                       self,
-                                                       *args,
-                                                       &block)
-        returns.each do |ret|
-          next unless ret.is_a? Hash
-          case ret[:status]
-          when :skip, 'skip'
-            skip = true
-            result = ret[:new_return_value] if ret.key? :new_return_value
-            next
-          when :modify_args, 'modify_args'
-            args = ret[:args]
-          when :raise, 'raise'
-            fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+          precbs, postcbs, failcbs = Instrumentation.callbacks.get(klass_name, meth)
+          Thread.current[:sqreen_in_use] = true
+          begin
+            if budget && budget <= 0.0
+              precbs = precbs.reject(&:overtimeable) if precbs
+            end
+            # We need the framework to set budget remaining time else don't look for it
+            if budget
+              cb_with_framework = nil
+              cb_with_framework = precbs.find(&:framework) if precbs
+              cb_with_framework = postcbs.find(&:framework) unless cb_with_framework || !postcbs
+              cb_with_framework = failcbs.find(&:framework) unless cb_with_framework || !failcbs
+              framework = cb_with_framework ? cb_with_framework.framework : nil
+            else
+              framework = nil
+            end
+          rescue StandardError => e
+            Sqreen.log.warn "we catched an exception looking for framework: #{e.inspect}"
+            Sqreen::RemoteException.record(e)
+            framework = nil
           end
-        end
-        return result if skip
-        begin
-          result = send(original_meth, *args, &block)
-        rescue => e
-          returns = Instrumentation.callback_wrapper_failing(e, klass_name,
-                                                             meth,
-                                                             self,
-                                                             *args,
-                                                             &block)
-          will_retry = false
-          will_raise = returns.empty?
-          returns.each do |ret|
-            will_raise = true if ret.nil?
-            next unless ret.is_a? Hash
-            case ret[:status]
-            when :override, 'override'
-              result = ret[:new_return_value] if ret.key? :new_return_value
-            when :retry, 'retry'
-              will_retry = true
-            else # :reraise, 'reraise'
-              will_raise = true
+          skip = false
+          result = nil
+          if precbs && !precbs.empty?
+            # pre callback
+            returns = Instrumentation.callback_wrapper_pre(precbs, framework,
+                                                           budget,
+                                                           klass_name,
+                                                           meth,
+                                                           self,
+                                                           args,
+                                                           &block)
+            returns.each do |ret|
+              next unless ret.is_a? Hash
+              case ret[:status]
+              when :skip, 'skip'
+                skip = true
+                result = ret[:new_return_value] if ret.key? :new_return_value
+                next
+              when :modify_args, 'modify_args'
+                args = ret[:args]
+              when :raise, 'raise'
+                Thread.current[:sqreen_in_use] = false
+                raise Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+              end
             end
           end
-          raise e if will_raise
-          retry if will_retry
-          result
-        else
-          # post callback
-          returns = Instrumentation.callback_wrapper_post(klass_name,
-                                                          meth,
-                                                          result,
-                                                          self,
-                                                          *args,
-                                                          &block)
-          returns.each do |ret|
-            next unless ret.is_a? Hash
-            case ret[:status]
-            when :raise, 'raise'
-              fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
-            when :override, 'override'
-              result = ret[:new_return_value]
-            else
-              next
+          Thread.current[:sqreen_in_use] = false
+          return result if skip
+          begin
+            result = send(original_meth, *args, &block)
+          rescue StandardError => e
+            Thread.current[:sqreen_in_use] = true
+            budget = Sqreen.performance_budget && framework && framework.remaining_perf_budget
+            failcbs = failcbs.reject(&:overtimeable) if failcbs && budget && budget <= 0.0
+            raise e unless failcbs && !failcbs.empty?
+            returns = Instrumentation.callback_wrapper_failing(failcbs,
+                                                               framework,
+                                                               budget,
+                                                               e,
+                                                               klass_name,
+                                                               meth,
+                                                               self,
+                                                               args,
+                                                               &block)
+            will_retry = false
+            will_raise = returns.empty?
+            returns.each do |ret|
+              will_raise = true if ret.nil?
+              next unless ret.is_a? Hash
+              case ret[:status]
+              when :override, 'override'
+                result = ret[:new_return_value] if ret.key? :new_return_value
+              when :retry, 'retry'
+                will_retry = true
+              else # :reraise, 'reraise'
+                will_raise = true
+              end
+            end
+            raise e if will_raise
+            retry if will_retry
+            result
+          else
+            Thread.current[:sqreen_in_use] = true
+            budget = Sqreen.performance_budget && framework && framework.remaining_perf_budget
+            postcbs = postcbs.reject(&:overtimeable) if postcbs && budget && budget <= 0.0
+            return result unless postcbs && !postcbs.empty?
+            # post callback
+            returns = Instrumentation.callback_wrapper_post(postcbs,
+                                                            framework,
+                                                            budget,
+                                                            klass_name,
+                                                            meth,
+                                                            result,
+                                                            self,
+                                                            args,
+                                                            &block)
+            returns.each do |ret|
+              next unless ret.is_a? Hash
+              case ret[:status]
+              when :raise, 'raise'
+                raise Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+              when :override, 'override'
+                result = ret[:new_return_value]
+              else
+                next
+              end
             end
+            result
+          ensure
+            if @@record_request_hookpoints.include?([klass_name, meth]) && Sqreen::PerformanceNotifications.listen_for?
+              Sqreen::PerformanceNotifications.instrument('Callbacks/hooks_reporting/pre') do
+                Sqreen::PerformanceNotifications::LogPerformance.next_request
+                Sqreen::PerformanceNotifications::NewRelic.next_request
+              end
+            end
+            Thread.current[:sqreen_in_use] = false
           end
-          result
         end
       end
-      end
     end
     def override_class_method(klass, meth)
@@ -372,12 +428,11 @@ module Sqreen
       method_kind = nil
       obj.class_eval do
         # Note: As a lambda the following will crash ruby 2.2.3p173
-        case
-        when public_method_defined?(meth)
+        if public_method_defined?(meth)
           method_kind = :public
-        when protected_method_defined?(meth)
+        elsif protected_method_defined?(meth)
           method_kind = :protected
-        when private_method_defined?(meth)
+        elsif private_method_defined?(meth)
           method_kind = :private
         end
         alias_method meth, saved_meth_name
@@ -385,7 +440,7 @@ module Sqreen
       end
     end
-    def get_saved_method_name(meth, suffix=nil)
+    def get_saved_method_name(meth, suffix = nil)
       "#{meth}_sq#{suffix}_not_modified".to_sym
     end
@@ -401,12 +456,11 @@ module Sqreen
         define_method(new_method, p)
-        case
-        when public_method_defined?(meth)
+        if public_method_defined?(meth)
           method_kind = :public
-        when protected_method_defined?(meth)
+        elsif protected_method_defined?(meth)
           method_kind = :protected
-        when private_method_defined?(meth)
+        elsif private_method_defined?(meth)
           method_kind = :private
         end
         alias_method meth, new_method
@@ -465,6 +519,7 @@ module Sqreen
     # Override a singleton method on an instance
     def override_singleton_method(instance, klass_name, meth)
+      @@overriden_singleton_methods = true
       saved_meth_name = get_saved_method_name(meth, 'singleton')
       if instance.respond_to?(saved_meth_name, true)
         Sqreen.log.debug { "#{saved_meth_name} found #{instance.class}##{instance.object_id} already instrumented" }
@@ -533,6 +588,8 @@ module Sqreen
         end
         @@registered_callbacks.add(cb)
+        @@unovertimable_hookpoints << key unless cb.overtimeable
+        @@record_request_hookpoints << key if cb.is_a?(Sqreen::Rules::RecordRequestContext)
         @@instrumented_pid = Process.pid
       end
     end
@@ -555,7 +612,7 @@ module Sqreen
         return
       end
-      defined_cbs = @@registered_callbacks.get(klass, method)
+      defined_cbs = @@registered_callbacks.get(klass, method).flatten
       nb_removed = 0
       defined_cbs.each do |found_cb|
@@ -607,7 +664,7 @@ module Sqreen
     # @param metrics_engine [MetricsStore] Metric storage facility
     def instrument!(rules, framework)
       verifier = nil
-      if Sqreen.features['rules_signature']         &&
+      if Sqreen.features['rules_signature'] &&
          Sqreen.config_get(:rules_verify_signature) == true &&
          !defined?(::JRUBY_VERSION)
         verifier = Sqreen::SqreenSignedVerifier.new
@@ -630,7 +687,7 @@ module Sqreen
       metrics_engine.create_metric('name' => CallCountable::COUNT_CALLS,
                                    'period' => 60,
                                    'kind' => 'Sum')
-      metrics_engine.create_metric('name' => WHITELISTED_METRIC,
+      metrics_engine.create_metric('name' => Sqreen::Rules::RecordRequestContext::WHITELISTED_METRIC,
                                    'period' => 60,
                                    'kind' => 'Sum')
       metrics_engine.create_metric('name' => OVERTIME_METRIC,