RubyGems - sqreen - Versions diffs - 1.11.0-java → 1.11.1-java - Mend

sqreen 1.11.0-java → 1.11.1-java

Files changed (39) hide show

checksums.yaml +4 -4
data/lib/sqreen.rb +0 -1
data/lib/sqreen/callback_tree.rb +38 -20
data/lib/sqreen/callbacks.rb +6 -4
data/lib/sqreen/conditionable.rb +3 -3
data/lib/sqreen/frameworks/generic.rb +38 -18
data/lib/sqreen/frameworks/request_recorder.rb +0 -2
data/lib/sqreen/instrumentation.rb +217 -160
data/lib/sqreen/performance_notifications.rb +10 -36
data/lib/sqreen/performance_notifications/log.rb +1 -2
data/lib/sqreen/performance_notifications/log_performance.rb +1 -2
data/lib/sqreen/performance_notifications/metrics.rb +1 -2
data/lib/sqreen/performance_notifications/newrelic.rb +1 -2
data/lib/sqreen/remote_command.rb +7 -7
data/lib/sqreen/rule_callback.rb +4 -0
data/lib/sqreen/rules.rb +2 -2
data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb +7 -1
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +3 -3
data/lib/sqreen/rules_callbacks/blacklist_ips.rb +1 -1
data/lib/sqreen/rules_callbacks/count_http_codes.rb +7 -6
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +1 -1
data/lib/sqreen/rules_callbacks/custom_error.rb +2 -5
data/lib/sqreen/rules_callbacks/execjs.rb +76 -37
data/lib/sqreen/rules_callbacks/headers_insert.rb +1 -1
data/lib/sqreen/rules_callbacks/inspect_rule.rb +3 -3
data/lib/sqreen/rules_callbacks/matcher_rule.rb +18 -17
data/lib/sqreen/rules_callbacks/rails_parameters.rb +1 -1
data/lib/sqreen/rules_callbacks/record_request_context.rb +9 -8
data/lib/sqreen/rules_callbacks/reflected_xss.rb +40 -34
data/lib/sqreen/rules_callbacks/regexp_rule.rb +13 -4
data/lib/sqreen/rules_callbacks/shell_env.rb +2 -2
data/lib/sqreen/rules_callbacks/url_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +1 -1
data/lib/sqreen/session.rb +1 -1
data/lib/sqreen/shared_storage.rb +16 -12
data/lib/sqreen/{stats.rb → shared_storage23.rb} +3 -11
data/lib/sqreen/version.rb +1 -1
metadata +4 -4

data/lib/sqreen/rules_callbacks/headers_insert.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     # Display sqreen presence
     class HeadersInsertCB < RuleCB
-      def post(rv, _inst, *_args, &_block)
+      def post(rv, _inst, _args, _budget = nil, &_block)
         return unless rv && rv.respond_to?(:[]) && rv[1].is_a?(Hash)
         return nil unless @data
         headers = @data['values'] || []

data/lib/sqreen/rules_callbacks/inspect_rule.rb CHANGED Viewed

@@ -6,17 +6,17 @@ require 'sqreen/rule_callback'
 module Sqreen
   module Rules
     class InspectRuleCB < RuleCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         Sqreen.log.debug { "<< #{@klass} #{@method} #{Thread.current}" }
         Sqreen.log.debug { args.map(&:inspect).join(' ') }
       end
-      def post(rv, _inst, *_args, &_block)
+      def post(rv, _inst, _args, _budget = nil, &_block)
         Sqreen.log.debug { ">> #{rv.inspect} #{@klass} #{@method} #{Thread.current}" }
         byebug if defined? byebug && @data.is_a?(Hash) && @data[:break] == 1
       end
-      def failing(rv, _inst, *_args, &_block)
+      def failing(rv, _inst, _args, _budget = nil, &_block)
         Sqreen.log.debug { "># #{rv.inspect} #{@klass} #{@method} #{Thread.current}" }
         byebug if defined? byebug && @data.is_a?(Hash) && @data[:break] == 1
       end

data/lib/sqreen/rules_callbacks/matcher_rule.rb CHANGED Viewed

@@ -13,11 +13,12 @@ module Sqreen
         res |= Regexp::MULTILINE  if options.include?('multiline')
         res |= Regexp::IGNORECASE unless case_sensitive
         r = Regexp.compile(value, res)
-        r.match("")
+        r.match('')
         r
       end
       ANYWHERE_OPT = 'anywhere'.freeze
+      MATCH_PREDICATE = Regexp.new('').respond_to?(:match?)
       def prepare(patterns)
         @string = {}
         @regexp_patterns = []
@@ -52,12 +53,13 @@ module Sqreen
               val.downcase!
             end
-            unless @funs.keys.include?(opt)
+            way = @funs[opt]
+            unless way
               Sqreen.log.debug { "Error: unknown string option '#{opt}' " }
               next
             end
-            @string[opt] = { :ci => [], :cs => [] } unless @string.key?(opt)
-            @string[opt][case_type] << val
+            @string[way] = { :ci => [], :cs => [] } unless @string.key?(way)
+            @string[way][case_type] << val
             sizes << entry.fetch('min_length') { val.size }
           when 'regexp'
             pattern = Matcher.prepare_re_pattern(val, opt, case_sensitive)
@@ -81,17 +83,9 @@ module Sqreen
         str = enforce_encoding(str) unless str.ascii_only?
         istr = str.downcase unless @string.empty?
-        @string.each do |type, cases|
-          fun = @funs[type]
-          if fun.nil?
-            Sqreen.log.debug { "no matching function found for type #{type}" }
-          end
+        @string.each do |fun, cases|
           cases.each do |case_type, patterns|
-            input_str = if case_type == :ci
-                          istr
-                        else
-                          str
-                        end
+            input_str = case_type == :ci ? istr : str
             patterns.each do |pat|
               return pat if fun.call(pat, input_str)
             end
@@ -99,9 +93,16 @@ module Sqreen
         end
         if defined?(Encoding)
-          @regexp_patterns.each do |p|
-            next unless Encoding.compatible?(p, str)
-            return p if p.match(str)
+          if MATCH_PREDICATE
+            @regexp_patterns.each do |p|
+              next unless Encoding.compatible?(p, str)
+              return p if p.match?(str)
+            end
+          else
+            @regexp_patterns.each do |p|
+              next unless Encoding.compatible?(p, str)
+              return p if p.match(str)
+            end
           end
         else
           @regexp_patterns.each do |p|

data/lib/sqreen/rules_callbacks/rails_parameters.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require 'sqreen/rule_callback'
 module Sqreen
   module Rules
     class RailsParametersCB < RuleCB
-      def pre(_inst, *_args, &_block)
+      def pre(_inst, _args, _budget = nil, &_block)
         advise_action(nil)
       end
     end

data/lib/sqreen/rules_callbacks/record_request_context.rb CHANGED Viewed

@@ -2,39 +2,40 @@
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 require 'sqreen/rule_callback'
-require 'sqreen/instrumentation'
 module Sqreen
   module Rules
     # Save request context for handling further down
     class RecordRequestContext < RuleCB
-      def whitelisted?
-        false
+      WHITELISTED_METRIC = 'whitelisted'.freeze
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
       end
-      def overtime!
+      def whitelisted?
         false
       end
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         framework.store_request(args[0])
         wh = framework.whitelisted_match
         if wh
           unless Sqreen.features.key?('whitelisted_metric') &&
                  !Sqreen.features['whitelisted_metric']
-            record_observation(Instrumentation::WHITELISTED_METRIC, wh, 1)
+            record_observation(WHITELISTED_METRIC, wh, 1)
           end
           Sqreen.log.debug { "Request was whitelisted because of #{wh}" }
         end
         advise_action(nil)
       end
-      def post(_rv, _inst, *_args, &_block)
+      def post(_rv, _inst, _args, _budget = nil, &_block)
         framework.clean_request
         advise_action(nil)
       end
-      def failing(_exception, _inst, *_args, &_block)
+      def failing(_exception, _inst, _args, _budget = nil, &_block)
         framework.clean_request
         advise_action(nil)
       end

data/lib/sqreen/rules_callbacks/reflected_xss.rb CHANGED Viewed

@@ -37,7 +37,7 @@ module Sqreen
       end
     end
     class ReflectedUnsafeXSSCB < XSSCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         value = args[0]
         return unless value.is_a?(String)
@@ -61,7 +61,7 @@ module Sqreen
     end
     # look for reflected XSS with erb template engine
     class ReflectedXSSCB < XSSCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         value = args[0]
         return unless value.is_a?(String)
@@ -90,7 +90,7 @@ module Sqreen
     #                            escape_html, nuke_inner_whitespace,
     #                            interpolated, ugly)
     class ReflectedXSSHamlCB < XSSCB
-      def post(ret, _inst, *_args, &_block)
+      def post(ret, _inst, _args, _budget = nil, &_block)
         value = ret
         return unless value.is_a?(String)
@@ -109,7 +109,12 @@ module Sqreen
     # Hook into haml4 script parser
     class Haml4ParserScriptHookCB < RuleCB
-      def pre(_inst, *args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def pre(_inst, args, _budget = nil, &_block)
         return unless args.size > 1
         return unless Haml::VERSION < '5'
         text = args[0]
@@ -121,15 +126,16 @@ module Sqreen
         end
         nil
       end
-      def overtime!
-        false
-      end
     end
     # Hook into haml4 tag parser
     class Haml4ParserTagHookCB < RuleCB
-      def post(ret, _inst, *_args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def post(ret, _inst, _args, _budget = nil, &_block)
         return unless Haml::VERSION < '5'
         tag = ret
         if tag.value[:escape_html] == false &&
@@ -140,14 +146,15 @@ module Sqreen
         end
         nil
       end
-      def overtime!
-        false
-      end
     end
     class Haml4UtilInterpolationHookCB < RuleCB
-      def pre(_inst, *args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def pre(_inst, args, _budget = nil, &_block)
         # Also work in haml5
         str = args[0]
         escape_html = args[1]
@@ -167,15 +174,16 @@ module Sqreen
         end
         { :status => :skip, :new_return_value => res + rest }
       end
-      def overtime!
-        false
-      end
     end
     # Hook build attributes
     class Haml4CompilerBuildAttributeCB < XSSCB
-      def pre(inst, *args, &_block)
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+      end
+      def pre(inst, args, _budget = nil, &_block)
         return unless Haml::VERSION < '5'
         attrs = args[-1]
         params = xss_params
@@ -217,38 +225,36 @@ module Sqreen
         end
         [new_h, has_xss]
       end
-      def overtime!
-        false
-      end
     end
     class Haml5EscapableHookCB < RuleCB
-      def pre(_inst, *args, &_block)
-        args[0] = "Sqreen.escape_haml((#{args[0]}))"
-        { :status => :modify_args, :args => args }
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
       end
-      def overtime!
-        false
+      def pre(_inst, args, _budget = nil, &_block)
+        args[0] = "Sqreen.escape_haml((#{args[0]}))"
+        { :status => :modify_args, :args => args }
       end
     end
     # Hook into temple template rendering
     class TempleEscapableHookCB < RuleCB
-      def post(ret, _inst, *_args, &_block)
-        ret[1] = "Sqreen.escape_temple((#{ret[1]}))"
-        { :status => :override, :new_return_value => ret }
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
       end
-      def overtime!
-        false
+      def post(ret, _inst, _args, _budget = nil, &_block)
+        ret[1] = "Sqreen.escape_temple((#{ret[1]}))"
+        { :status => :override, :new_return_value => ret }
       end
     end
     # Hook into temple template rendering
     class SlimSplatBuilderCB < XSSCB
-      def pre(inst, *args, &_block)
+      def pre(inst, args, _budget = nil, &_block)
         value = args[0]
         return if value.nil?

data/lib/sqreen/rules_callbacks/regexp_rule.rb CHANGED Viewed

@@ -25,11 +25,20 @@ module Sqreen
         end
       end
-      def match_regexp(str)
-        @patterns.each do |pattern|
-          return pattern if pattern.match(str)
+      if Regexp.new('').respond_to?(:match?)
+        def match_regexp(str)
+          @patterns.each do |pattern|
+            return pattern if pattern.match?(str)
+          end
+          nil
+        end
+      else
+        def match_regexp(str)
+          @patterns.each do |pattern|
+            return pattern if pattern.match(str)
+          end
+          nil
         end
-        nil
       end
     end
   end

data/lib/sqreen/rules_callbacks/shell_env.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     # Callback that detect nifty env in system calls
     class ShellEnvCB < RegexpRuleCB
-      def pre(_inst, *args, &_block)
+      def pre(_inst, args, _budget = nil, &_block)
         return if args.size == 0
         env = args.first
         return unless env.is_a?(Hash)
@@ -23,7 +23,7 @@ module Sqreen
           :variable_value => value,
           :found => found,
         }
-        Sqreen.log.warn "presence of a shell env tampering: #{infos.inspect}"
+        Sqreen.log.warn { "presence of a shell env tampering: #{infos.inspect}" }
         record_event(infos)
         advise_action(:raise)
       end

data/lib/sqreen/rules_callbacks/url_matches.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Sqreen
     #  - the path is a typical bot scanning request
     # Then we deny the ressource and record the attack.
     class URLMatchesCB < RegexpRuleCB
-      def post(rv, _inst, *args, &_block)
+      def post(rv, _inst, args, _budget = nil, &_block)
         return unless rv.is_a?(Array) && rv.size > 0 && rv[0] == 404
         env = args[0]
         path = env['SCRIPT_NAME'].to_s + env['PATH_INFO'].to_s

data/lib/sqreen/rules_callbacks/user_agent_matches.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     # Look for badly behaved clients
     class UserAgentMatchesCB < RegexpRuleCB
-      def pre(_inst, *_args, &_block)
+      def pre(_inst, _args, _budget = nil, &_block)
         ua = framework.client_user_agent
         return unless ua
         found = match_regexp(ua)

data/lib/sqreen/session.rb CHANGED Viewed

@@ -134,7 +134,7 @@ module Sqreen
     def resiliently(retry_request_seconds, max_retry, current_retry = 0)
       return yield
     rescue => e
-      Sqreen.log.debug(e.inspect)
+      Sqreen.log.debug { e.inspect }
       current_retry += 1

data/lib/sqreen/shared_storage.rb CHANGED Viewed

@@ -2,30 +2,34 @@
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
+  # dedicated local storage
   module SharedStorage
-    def self::get(key, default = nil)
-      h = Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"]
-      return h.fetch(key, default) if h
-      default
+    unless RUBY_VERSION >= '2.3.0'
+      def self.get(key)
+        h = Thread.current[:sqreen_shared_storage]
+        h[key] if h
+      end
     end
-    def self::set(key, obj)
-      Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"] ||= {}
-      Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"][key] = obj
+    def self.set(key, obj)
+      Thread.current[:sqreen_shared_storage] ||= {}
+      Thread.current[:sqreen_shared_storage][key] = obj
     end
     def self.clear
-      return unless Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"].is_a?(Hash)
-      Thread.current["SQREEN_SHARED_STORAGE_#{self.object_id}"].clear
+      return unless Thread.current[:sqreen_shared_storage].is_a?(Hash)
+      Thread.current[:sqreen_shared_storage].clear
     end
     def self.inc(value)
-      set(value, get(value, 0) + 1)
+      set(value, (get(value) || 0) + 1)
     end
     def self.dec(value)
-      set(value, get(value, 0) - 1)
+      set(value, (get(value) || 0) - 1)
     end
   end
 end
+# Change SharedStorage.get if ruby is actually newer
+require 'sqreen/shared_storage23' if RUBY_VERSION >= '2.3.0'

data/lib/sqreen/{stats.rb → shared_storage23.rb} RENAMED Viewed

@@ -2,17 +2,9 @@
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  @@stats = nil
-  def self::stats
-    @@stats ||= Stats.new
-  end
-  class Stats
-    attr_accessor :callbacks_calls
-    def initialize
-      @callbacks_calls = 0
+  module SharedStorage
+    def self.get(key)
+      Thread.current[:sqreen_shared_storage]&.[](key)
     end
   end
 end