RubyGems - sqreen - Versions diffs - 1.13.4-java → 1.14.0.beta3-java - Mend

sqreen 1.13.4-java → 1.14.0.beta3-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +5 -5
data/lib/sqreen/js/execjs_adapter.rb +25 -0
data/lib/sqreen/js/js_service.rb +87 -0
data/lib/sqreen/js/mini_racer_adapter.rb +125 -0
data/lib/sqreen/rules.rb +11 -0
data/lib/sqreen/rules_callbacks/execjs.rb +144 -204
data/lib/sqreen/rules_callbacks/execjs_old.rb +315 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +5 -1
data/lib/sqreen/version.rb +1 -1
metadata +15 -11

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2d9abe0c770383b57205c2eb661c33ed286ed18a
-  data.tar.gz: d802f183cc3fe90149eb1e1ccce5faba70be653d
+SHA256:
+  metadata.gz: c4e8efa6908940531662b925941a3bc59413670b80a48c9e758932abd7647b5e
+  data.tar.gz: bd56cf6968cd82cc05bee7294b3de887064203b352abcc84e15c0945792fd6e0
 SHA512:
-  metadata.gz: c4f72bc138efcde980f98924266e8dd861a46aadf2221a0e17a8520c6066bfa921c8cfdf5407143b8c8a20fa0340ced7dd02a784ea62fc86fd3079902b9de909
-  data.tar.gz: cbb3d0a5123068c0e23739d4261b731917d4ce77c9c8ceac854610b9df39b994bfe69ca23a23148a2346f7644fa4452cea468ae8737d1ff27213afe991f625bd
+  metadata.gz: e6ca675f7878bf9484867e90313b0a058599413b7f29c4f1d502dc103d70d6f90a1a084d0c8c547d74a3a80019b0fd2770d1aca7c2f9668fad90d2da6cf29ff1
+  data.tar.gz: 11c11c046eb0f92b3c4a15c6b95c2d33d73aba144ec9dd43f11693849e63c9e94c5e8aeae2139e7b8d1e6e274da6d674000a0efd66f4560a36f536bdce0b1c55

data/lib/sqreen/js/execjs_adapter.rb ADDED

@@ -0,0 +1,25 @@
+require 'execjs'
+module Sqreen
+  module Js
+    class ExecjsAdapter < JsServiceAdapter
+      def preprocess(_rule_name, code)
+        ExecJsRunnable.new(ExecJS.compile(code))
+      end
+      def variant_name
+        ExecJS.runtime.name + ' (ExecJS)'
+      end
+    end
+    class ExecJsRunnable < ExecutableJs
+      def initialize(compiled)
+        @compiled = compiled
+      end
+      def run_js_cb(cbname, _budget, arguments)
+        @compiled.call(cbname, *arguments)
+      end
+    end
+  end
+end

data/lib/sqreen/js/js_service.rb ADDED

@@ -0,0 +1,87 @@
+require 'sqreen/exception'
+module Sqreen
+  module Js
+    # start public interface
+    class JsService
+      include Singleton
+      def initialize
+        detect_adapter
+      end
+      # @return [Sqreen::Js::ExecutableJs]
+      def prepare(rule_name, code)
+        raise 'Not online' unless online?
+        @adapter.preprocess(rule_name, code)
+      end
+      def online?
+        @online
+      end
+      def variant
+        @adapter.variant_name
+      end
+      private
+      def detect_adapter
+        @online = try_sq_mini_racer || try_rhino
+        Sqreen.log.info "JS engine online: #{variant}" if @online
+      end
+      def try_sq_mini_racer
+        gem = Gem.loaded_specs['sq_mini_racer']
+        unless gem
+          Sqreen.log.info "sq_mini_racer gem not detected"
+          return false
+        end
+        require 'sqreen/mini_racer'
+        require 'sqreen/js/mini_racer_adapter'
+        @adapter = MiniRacerAdapter.new(true)
+      rescue LoadError => e
+        Sqreen.log.warn "Failed loading sq_mini_racer: #{e}"
+        false
+      end
+      def try_rhino
+        gem = Gem.loaded_specs['therubyrhino']
+        unless gem
+          Sqreen.log.info "therubyrhino gem not detected"
+          return false
+        end
+        require 'rhino'
+        require 'sqreen/js/execjs_adapter'
+        @adapter = ExecjsAdapter.new
+      rescue LoadError => e
+        Sqreen.log.warn "Failed loading rhino: #{e}"
+        false
+      end
+    end
+    CallContext = Struct.new(:inst, :args, :rv)
+    class ExecutableJs
+      def run_js_cb(_cb_name, _budget, _arguments)
+        raise Sqreen::NotImplementedYet
+      end
+    end
+    # end public interface
+    class JsServiceAdapter
+      def preprocess(code)
+        raise Sqreen::NotImplementedYet
+      end
+      def variant_name
+        'unspecified'
+      end
+    end
+  end
+end

data/lib/sqreen/js/mini_racer_adapter.rb ADDED

@@ -0,0 +1,125 @@
+require 'weakref'
+module Sqreen
+  module Js
+    GC_MINI_RACER = 10_000
+    class MiniRacerAdapter < JsServiceAdapter
+      def initialize(vendored = false)
+        @vendored = vendored
+        self.class.static_init
+      end
+      def preprocess(_rule_name, code)
+        MiniRacerExecutableJs.new(code, @vendored)
+      end
+      def variant_name
+        @vendored ? 'sq_mini_racer' : 'mini_racer'
+      end
+      def self.static_init
+        return if @done_static_init
+        Sqreen::MiniRacer::Platform.set_flags! :noconcurrent_recompilation
+        @done_static_init = true
+      end
+    end
+    # Auxiliary classes
+    class MiniRacerExecutableJs < ExecutableJs
+      @@ctx_defined = false
+      def initialize(source, vendored)
+        @module = vendored ? Sqreen::MiniRacer : MiniRacer
+        @source = source
+        @recycle_runtime_every = GC_MINI_RACER
+        @snapshot = @module::Snapshot.new(source)
+        @runtimes = []
+        @tl_key = "SQREEN_MINI_RACER_CONTEXT_#{object_id}".freeze
+        unless @@ctx_defined
+          self.class.define_sqreen_context(@module)
+          @@ctx_defined = true
+        end
+      end
+      def run_js_cb(cb_name, budget, arguments)
+        mini_racer_context = Thread.current[@tl_key]
+        dead_runtime = !mini_racer_context ||
+            !mini_racer_context[:r] || !mini_racer_context[:r].weakref_alive?
+        if !dead_runtime && mini_racer_context[:c] >= @recycle_runtime_every
+          dispose_runtime(mini_racer_context[:r])
+          dead_runtime = true
+        end
+        if dead_runtime
+          new_runtime = SqreenContext.new(:snapshot => @snapshot)
+          push_runtime new_runtime
+          mini_racer_context = {
+              :c => 0,
+              :r => WeakCtx.new(new_runtime),
+          }
+          Thread.current[@tl_key] = mini_racer_context
+        end
+        mini_racer_context[:c] += 1
+        begin
+          mini_racer_context[:r].eval_unsafe(
+              "#{cb_name}.apply(this, #{::JSON.generate(arguments)})", nil, budget)
+        rescue @module::ScriptTerminatedError
+          nil
+        end
+      end
+      private
+      def push_runtime(runtime)
+        @runtimes.delete_if do |th, runt, _thid|
+          del = th.nil? || !th.weakref_alive? || !th.alive?
+          runt.dispose if del
+          del
+        end
+        @runtimes.push [WeakRef.new(Thread.current), runtime, Thread.current.object_id]
+      end
+      def dispose_runtime(runtime)
+        @runtimes.delete_if { |_th, _runt, thid| thid == Thread.current.object_id }
+        runtime.dispose
+      end
+      class << self
+        def define_sqreen_context(modoole)
+          # Context specialized for Sqreen usage
+          Sqreen::Js.const_set 'SqreenContext', Class.new(modoole.const_get('Context'))
+          SqreenContext.class_eval do
+            def eval_unsafe(str, filename = nil, timeoutv = nil)
+              # Beware, timeout could be kept in the context
+              # if perf cap is removed after having been activated
+              # As it's unused by execjscb we are not cleaning it
+              return super(str, filename) if timeoutv.nil?
+              return if timeoutv <= 0.0
+              timeoutv *= 1000 # Timeout are currently expressed in seconds
+              @timeout = timeoutv
+              @eval_thread = Thread.current
+              timeout do
+                super(str, filename)
+              end
+            end
+          end
+        end
+      end
+    end
+    # Weak ref to a context
+    # enables us to skip a method missing call
+    class WeakCtx < WeakRef
+      def initialize(*args)
+        super(*args)
+      end
+      def eval_unsafe(str, filename, timeoutv)
+        __getobj__.eval_unsafe(str, filename, timeoutv)
+      end
+    end
+  end
+end

data/lib/sqreen/rules.rb CHANGED

@@ -75,6 +75,17 @@ module Sqreen
       cb_class = nil
       js = hash_rule[Attrs::CALLBACKS]
+      if js && !Sqreen::Js::JsService.instance.online?
+        unless @@issue_nojs_warn
+          @@issue_nojs_warn = true
+          Sqreen.log.warn('No JavaScript engine is available. ' \
+              'JavaScript callbacks will be ignored')
+        end
+        Sqreen.log.info("Ignoring JS callback #{rule_name}")
+        return nil
+      end
       cb_class = ExecJSCB if js
       if cbname && Rules.const_defined?(cbname)

data/lib/sqreen/rules_callbacks/execjs.rb CHANGED

@@ -1,22 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
-if defined?(::JRUBY_VERSION)
-  require 'rhino'
-  SQREEN_MINI_RACER = false
-else
-  begin
-    require 'mini_racer'
-    SQREEN_MINI_RACER = true
-    GC_MINI_RACER = 10_000
-  rescue LoadError
-    require 'therubyracer'
-    SQREEN_MINI_RACER = false
-  end
-end
-require 'weakref'
-require 'execjs'
+require 'sqreen/js/js_service'
 require 'sqreen/rule_attributes'
 require 'sqreen/rule_callback'
@@ -25,64 +11,30 @@ require 'sqreen/binding_accessor'
 require 'sqreen/events/remote_exception'
 module Sqreen
-  if SQREEN_MINI_RACER
-    # Context specialized for Sqreen usage
-    class SqreenContext < MiniRacer::Context
-      def eval_unsafe(str, filename = nil, timeoutv = nil)
-        # Beware, timeout could be kept in the context
-        # if perf cap is removed after having been activated
-        # As it's unused by execjscb we are not cleaning it
-        return super(str, filename) if timeoutv.nil?
-        return if timeoutv <= 0.0
-        timeoutv *= 1000 # Timeout are currently expressed in seconds
-        @timeout = timeoutv
-        @eval_thread = Thread.current
-        timeout do
-          super(str, filename)
-        end
-      end
-    end
-    # Weak ref to a context
-    # enables us to skip a method missing call
-    class WeakCtx < WeakRef
-      def initialize(*args)
-        super(*args)
-      end
-      def eval_unsafe(str, filename, timeoutv)
-        __getobj__.eval_unsafe(str, filename, timeoutv)
-      end
-    end
-  end
   module Rules
     # Exec js callbacks
     class ExecJSCB < RuleCB
-      attr_accessor :restrict_max_depth
-      attr_reader :runtimes
-      attr_accessor :recycle_runtime_every
+      class << self
+        # @return [Sqreen::Js::JsService]
+        def js_service
+          Sqreen::Js::JsService.instance
+        end
+      end
       def initialize(klass, method, rule_hash)
         super(klass, method, rule_hash)
         callbacks = @rule[Attrs::CALLBACKS]
         @conditions = @rule.fetch(Attrs::CONDITIONS, {})
-        if callbacks['pre'].nil? &&
-           callbacks['post'].nil? &&
-           callbacks['failing'].nil?
-          raise(Sqreen::Exception, 'no JS CB provided')
-        end
         build_runnable(callbacks)
-        @restrict_max_depth = 20
-        unless SQREEN_MINI_RACER
-          @compiled = ExecJS.compile(@source)
-          return
+        unless pre? || post? || failing?
+          raise Sqreen::Exception, 'no JS CB provided'
         end
-        @recycle_runtime_every = GC_MINI_RACER
-        @snapshot = MiniRacer::Snapshot.new(@source)
-        @runtimes = []
-        @key = "SQREEN_MINI_RACER_CONTEXT_#{object_id}".freeze
+        @executable = ExecJSCB.js_service.prepare(rule_name, @source)
+        @argument_filter = ArgumentFilter.new(rule_hash)
       end
       def pre?
@@ -100,63 +52,22 @@ module Sqreen
       def pre(inst, args, budget = nil, &_block)
         return unless pre?
-        call_callback('pre', inst, budget, args)
+        call_callback('pre', budget, inst, @cb_bas['pre'], args)
       end
       def post(rv, inst, args, budget = nil, &_block)
         return unless post?
-        call_callback('post', inst, budget, args, rv)
+        call_callback('post', budget, inst, @cb_bas['post'], args, rv)
       end
       def failing(rv, inst, args, budget = nil, &_block)
         return unless failing?
-        call_callback('failing', inst, budget, args, rv)
-      end
-      def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
-        new_obj = {}
-        insert = []
-        to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
-        until to_do.empty?
-          where, key, value, deepness = to_do.pop
-          safe_key = key.is_a?(Integer) ? key : key.to_s
-          if value.is_a?(Hash) && deepness < max_depth
-            val = {}
-            insert << [where, safe_key, val]
-            to_do += value.map { |k, v| [val, k, v, deepness + 1] }
-          elsif value.is_a?(Array) && deepness < max_depth
-            val = []
-            insert << [where, safe_key, val]
-            i = -1
-            to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
-          elsif deepness >= max_depth # if we are after max_depth don't try to filter
-            insert << [where, safe_key, value]
-          else
-            v = value.to_s
-            if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
-              case where
-              when Array
-                where << value
-              else
-                where[safe_key] = value
-              end
-            end
-          end
-        end
-        insert.reverse.each do |wh, ikey, ival|
-          case wh
-          when Array
-            wh << ival unless ival.respond_to?(:empty?) && ival.empty?
-          else
-            wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
-          end
-        end
-        new_obj
+        call_callback('failing', budget, inst, @cb_bas['failing'], args, rv)
       end
-      protected
+      private
       def record_and_continue?(ret)
         case ret
@@ -165,10 +76,10 @@ module Sqreen
         when Hash
           ret.keys.each do |k|
             ret[(begin
-                                     k.to_sym
-                                   rescue StandardError
-                                     k
-                                   end)] = ret[k] end
+              k.to_sym
+            rescue StandardError
+              k
+            end)] = ret[k] end
           record_event(ret[:record]) unless ret[:record].nil?
           unless ret['observations'].nil?
             ret['observations'].each do |obs|
@@ -182,134 +93,163 @@ module Sqreen
         end
       end
-      def push_runtime(runtime)
-        @runtimes.delete_if do |th, runt, _thid|
-          del = th.nil? || !th.weakref_alive? || !th.alive?
-          runt.dispose if del
-          del
+      def call_callback(cb_name, budget, inst, cb_ba_args, args, rv = nil)
+        arguments = cb_ba_args.map do |ba|
+           ba.resolve(binding, framework, inst, args, @data, rv)
         end
-        @runtimes.push [WeakRef.new(Thread.current), runtime, Thread.current.object_id]
-      end
+        arguments = @argument_filter.filter(cb_name, arguments)
-      def dispose_runtime(runtime)
-        @runtimes.delete_if { |_th, _runt, thid| thid == Thread.current.object_id }
-        runtime.dispose
-      end
+        ret = @executable.run_js_cb(cb_name, budget, arguments)
-      def call_callback(name, inst, budget, args, rv = nil)
-        mini_racer_context = nil
-        if SQREEN_MINI_RACER
-          mini_racer_context = Thread.current[@key]
-          dead_runtime = !mini_racer_context || !mini_racer_context[:r] || !mini_racer_context[:r].weakref_alive?
-          if !dead_runtime && mini_racer_context[:c] >= @recycle_runtime_every
-            dispose_runtime(mini_racer_context[:r])
-            dead_runtime = true
-          end
-          if dead_runtime
-            new_runtime = SqreenContext.new(:snapshot => @snapshot)
-            push_runtime new_runtime
-            mini_racer_context = {
-              :c => 0,
-              :r => WeakCtx.new(new_runtime),
-            }
-            Thread.current[@key] = mini_racer_context
-          end
-        end
-        ret = nil
-        args_override = nil
-        arguments = nil
-        while true
-          arguments = (args_override || @argument_requirements[name]).map do |accessor|
-            accessor.resolve(binding, framework, inst, args, @data, rv)
-          end
-          arguments = restrict(name, arguments) if @conditions.key?(name)
-          Sqreen.log.debug { [name, arguments].inspect }
-          if SQREEN_MINI_RACER
-            mini_racer_context[:c] += 1
-            begin
-              ret = mini_racer_context[:r].eval_unsafe("#{name}.apply(this, #{::JSON.generate(arguments)})", nil, budget)
-            rescue MiniRacer::ScriptTerminatedError
-              ret = nil
-            end
-          else
-            ret = @compiled.call(name, *arguments)
-          end
-          unless record_and_continue?(ret)
-            return nil if ret.nil?
-            return advise_action(ret[:status], ret)
-          end
-          name = ret[:call]
-          rv = ret[:data]
-          args_override = ret[:args]
-          args_override = build_accessor(args_override) if args_override
+        unless record_and_continue?(ret)
+          return nil if ret.nil?
+          return advise_action(ret[:status], ret)
         end
+        name = ret[:call]
+        rv = ret[:data]
+        new_ba_args = if ret[:args]
+                        self.class.build_accessors(ret[:args])
+                      else
+                        @cb_bas[name] || []
+                      end
+        # XXX: budgets was not subtracted from
+        call_callback(name, budget, inst, new_ba_args, args, rv)
       rescue StandardError => e
-        Sqreen.log.warn { "we catch a JScb exception: #{e.inspect}" }
+        Sqreen.log.warn { "Caught JS callback exception: #{e.inspect}" }
         Sqreen.log.debug e.backtrace
-        record_exception(e, :cb => name, :args => arguments)
+        record_exception(e, :cb => cb_name, :args => arguments)
         nil
       end
-      def each_hash_val_include(condition, depth = 10)
-        return if depth <= 0
-        condition.each do |key, values|
-          if key == ConditionEvaluator::HASH_INC_OPERATOR
-            yield values
+      def self.build_accessors(reqs)
+        reqs.map do |req|
+          BindingAccessor.new(req, true)
+        end
+      end
+      def build_runnable(callbacks)
+        @cb_bas = {}
+        @source = ''
+        @js_pre = !callbacks['pre'].nil?
+        @js_post = !callbacks['post'].nil?
+        @js_failing = !callbacks['failing'].nil?
+        callbacks.each do |name, args_or_func|
+          @source << "this['#{name.tr("'", "\\'")}'] = "
+          if args_or_func.is_a?(Array)
+            args_or_func = args_or_func.dup
+            @source << args_or_func.pop
+            @cb_bas[name] = self.class.build_accessors(args_or_func)
           else
-            values.map do |v|
-              each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
-            end
+            @source << args_or_func
+            @cb_bas[name] = []
           end
+          @source << ";\n"
         end
       end
+    end
+    class ArgumentFilter
+      MAX_DEPTH = 2
+      def initialize(rule)
+        @conditions = rule.fetch(Attrs::CONDITIONS, {})
+        build_arg_requirements rule
+      end
-      def restrict(cbname, arguments)
+      def filter(cbname, arguments)
         condition = @conditions[cbname]
-        return arguments if condition.nil? || @argument_requirements[cbname].nil?
+        return arguments if condition.nil? || @ba_expressions[cbname].nil?
         each_hash_val_include(condition) do |needle, haystack, min_length|
           # We could actually run the binding accessor expression here.
-          needed_idx = @argument_requirements[cbname].map(&:expression).index(needle)
+          needed_idx = @ba_expressions[cbname].index(needle)
           next unless needed_idx
-          haystack_idx = @argument_requirements[cbname].map(&:expression).index(haystack)
+          haystack_idx = @ba_expressions[cbname].index(haystack)
           next unless haystack_idx
-          arguments[haystack_idx] = ExecJSCB.hash_val_included(
-            arguments[needed_idx],
-            arguments[haystack_idx],
-            min_length.to_i,
-            @restrict_max_depth
+          arguments[haystack_idx] = ArgumentFilter.hash_val_included(
+              arguments[needed_idx],
+              arguments[haystack_idx],
+              min_length.to_i,
+              MAX_DEPTH
           )
         end
         arguments
       end
-      def build_accessor(reqs)
-        reqs.map do |req|
-          BindingAccessor.new(req, true)
+      def build_arg_requirements(rule)
+        @ba_expressions = {}
+        callbacks = rule[Attrs::CALLBACKS]
+        callbacks.each do |name, args_or_func|
+          next unless args_or_func.is_a?(Array)
+          args_bas = args_or_func[0..-2] unless args_or_func.empty?
+          @ba_expressions[name] =
+              ExecJSCB.build_accessors(args_bas).map(&:expression)
         end
       end
-      def build_runnable(callbacks)
-        @argument_requirements = {}
-        @source = ''
-        @js_pre = !callbacks['pre'].nil?
-        @js_post = !callbacks['post'].nil?
-        @js_failing = !callbacks['failing'].nil?
-        callbacks.each do |name, args_or_func|
-          @source << "var #{name} = "
-          if args_or_func.is_a?(Array)
-            @source << args_or_func.pop
-            @argument_requirements[name] = build_accessor(args_or_func)
+      private
+      def each_hash_val_include(condition, depth = 10)
+        return if depth <= 0
+        condition.each do |key, values|
+          if key == ConditionEvaluator::HASH_INC_OPERATOR
+            yield values
           else
-            @source << args_or_func
-            @argument_requirements[name] = []
+            values.map do |v|
+              each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
+            end
+          end
+        end
+      end
+      def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
+        new_obj = {}
+        insert = []
+        to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
+        until to_do.empty?
+          where, key, value, deepness = to_do.pop
+          safe_key = key.is_a?(Integer) ? key : key.to_s
+          if value.is_a?(Hash) && deepness < max_depth
+            val = {}
+            insert << [where, safe_key, val]
+            to_do += value.map { |k, v| [val, k, v, deepness + 1] }
+          elsif value.is_a?(Array) && deepness < max_depth
+            val = []
+            insert << [where, safe_key, val]
+            i = -1
+            to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
+          elsif deepness >= max_depth # if we are after max_depth don't try to filter
+            insert << [where, safe_key, value]
+          else
+            v = value.to_s
+            if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
+              case where
+              when Array
+                where << value
+              else
+                where[safe_key] = value
+              end
+            end
           end
-          @source << ";\n"
         end
+        insert.reverse.each do |wh, ikey, ival|
+          case wh
+          when Array
+            wh << ival unless ival.respond_to?(:empty?) && ival.empty?
+          else
+            wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
+          end
+        end
+        new_obj
       end
     end
   end
 end

data/lib/sqreen/rules_callbacks/execjs_old.rb ADDED

@@ -0,0 +1,315 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+if defined?(::JRUBY_VERSION)
+  require 'rhino'
+  SQREEN_MINI_RACER = false
+else
+  begin
+    require 'mini_racer'
+    SQREEN_MINI_RACER = true
+    GC_MINI_RACER = 10_000
+  rescue LoadError
+    require 'therubyracer'
+    SQREEN_MINI_RACER = false
+  end
+end
+require 'weakref'
+require 'execjs'
+require 'sqreen/rule_attributes'
+require 'sqreen/rule_callback'
+require 'sqreen/condition_evaluator'
+require 'sqreen/binding_accessor'
+require 'sqreen/events/remote_exception'
+module Sqreen
+  if SQREEN_MINI_RACER
+    # Context specialized for Sqreen usage
+    class SqreenContext < MiniRacer::Context
+      def eval_unsafe(str, filename = nil, timeoutv = nil)
+        # Beware, timeout could be kept in the context
+        # if perf cap is removed after having been activated
+        # As it's unused by execjscb we are not cleaning it
+        return super(str, filename) if timeoutv.nil?
+        return if timeoutv <= 0.0
+        timeoutv *= 1000 # Timeout are currently expressed in seconds
+        @timeout = timeoutv
+        @eval_thread = Thread.current
+        timeout do
+          super(str, filename)
+        end
+      end
+    end
+    # Weak ref to a context
+    # enables us to skip a method missing call
+    class WeakCtx < WeakRef
+      def initialize(*args)
+        super(*args)
+      end
+      def eval_unsafe(str, filename, timeoutv)
+        __getobj__.eval_unsafe(str, filename, timeoutv)
+      end
+    end
+  end
+  module Rules
+    # Exec js callbacks
+    class ExecJSCBOld < RuleCB
+      attr_accessor :restrict_max_depth
+      attr_reader :runtimes
+      attr_accessor :recycle_runtime_every
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        callbacks = @rule[Attrs::CALLBACKS]
+        @conditions = @rule.fetch(Attrs::CONDITIONS, {})
+        if callbacks['pre'].nil? &&
+           callbacks['post'].nil? &&
+           callbacks['failing'].nil?
+          raise(Sqreen::Exception, 'no JS CB provided')
+        end
+        build_runnable(callbacks)
+        @restrict_max_depth = 20
+        unless SQREEN_MINI_RACER
+          @compiled = ExecJS.compile(@source)
+          return
+        end
+        @recycle_runtime_every = GC_MINI_RACER
+        @snapshot = MiniRacer::Snapshot.new(@source)
+        @runtimes = []
+        @key = "SQREEN_MINI_RACER_CONTEXT_#{object_id}".freeze
+      end
+      def pre?
+        @js_pre
+      end
+      def post?
+        @js_post
+      end
+      def failing?
+        @js_failing
+      end
+      def pre(inst, args, budget = nil, &_block)
+        return unless pre?
+        call_callback('pre', inst, budget, args)
+      end
+      def post(rv, inst, args, budget = nil, &_block)
+        return unless post?
+        call_callback('post', inst, budget, args, rv)
+      end
+      def failing(rv, inst, args, budget = nil, &_block)
+        return unless failing?
+        call_callback('failing', inst, budget, args, rv)
+      end
+      def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
+        new_obj = {}
+        insert = []
+        to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
+        until to_do.empty?
+          where, key, value, deepness = to_do.pop
+          safe_key = key.is_a?(Integer) ? key : key.to_s
+          if value.is_a?(Hash) && deepness < max_depth
+            val = {}
+            insert << [where, safe_key, val]
+            to_do += value.map { |k, v| [val, k, v, deepness + 1] }
+          elsif value.is_a?(Array) && deepness < max_depth
+            val = []
+            insert << [where, safe_key, val]
+            i = -1
+            to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
+          elsif deepness >= max_depth # if we are after max_depth don't try to filter
+            insert << [where, safe_key, value]
+          else
+            v = value.to_s
+            if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
+              case where
+              when Array
+                where << value
+              else
+                where[safe_key] = value
+              end
+            end
+          end
+        end
+        insert.reverse.each do |wh, ikey, ival|
+          case wh
+          when Array
+            wh << ival unless ival.respond_to?(:empty?) && ival.empty?
+          else
+            wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
+          end
+        end
+        new_obj
+      end
+      protected
+      def record_and_continue?(ret)
+        case ret
+        when NilClass
+          false
+        when Hash
+          ret.keys.each do |k|
+            ret[(begin
+                                     k.to_sym
+                                   rescue StandardError
+                                     k
+                                   end)] = ret[k] end
+          record_event(ret[:record]) unless ret[:record].nil?
+          unless ret['observations'].nil?
+            ret['observations'].each do |obs|
+              obs[3] = Time.parse(obs[3]) if obs.size >= 3 && obs[3].is_a?(String)
+              record_observation(*obs)
+            end
+          end
+          !ret[:call].nil?
+        else
+          raise Sqreen::Exception, "Invalid return type #{ret.inspect}"
+        end
+      end
+      def push_runtime(runtime)
+        @runtimes.delete_if do |th, runt, _thid|
+          del = th.nil? || !th.weakref_alive? || !th.alive?
+          runt.dispose if del
+          del
+        end
+        @runtimes.push [WeakRef.new(Thread.current), runtime, Thread.current.object_id]
+      end
+      def dispose_runtime(runtime)
+        @runtimes.delete_if { |_th, _runt, thid| thid == Thread.current.object_id }
+        runtime.dispose
+      end
+      def call_callback(name, inst, budget, args, rv = nil)
+        mini_racer_context = nil
+        if SQREEN_MINI_RACER
+          mini_racer_context = Thread.current[@key]
+          dead_runtime = !mini_racer_context || !mini_racer_context[:r] || !mini_racer_context[:r].weakref_alive?
+          if !dead_runtime && mini_racer_context[:c] >= @recycle_runtime_every
+            dispose_runtime(mini_racer_context[:r])
+            dead_runtime = true
+          end
+          if dead_runtime
+            new_runtime = SqreenContext.new(:snapshot => @snapshot)
+            push_runtime new_runtime
+            mini_racer_context = {
+              :c => 0,
+              :r => WeakCtx.new(new_runtime),
+            }
+            Thread.current[@key] = mini_racer_context
+          end
+        end
+        ret = nil
+        args_override = nil
+        arguments = nil
+        while true
+          arguments = (args_override || @argument_requirements[name]).map do |accessor|
+            accessor.resolve(binding, framework, inst, args, @data, rv)
+          end
+          arguments = restrict(name, arguments) if @conditions.key?(name)
+          Sqreen.log.debug { [name, arguments].inspect }
+          if SQREEN_MINI_RACER
+            mini_racer_context[:c] += 1
+            begin
+              ret = mini_racer_context[:r].eval_unsafe("#{name}.apply(this, #{::JSON.generate(arguments)})", nil, budget)
+            rescue MiniRacer::ScriptTerminatedError
+              ret = nil
+            end
+          else
+            ret = @compiled.call(name, *arguments)
+          end
+          unless record_and_continue?(ret)
+            return nil if ret.nil?
+            return advise_action(ret[:status], ret)
+          end
+          name = ret[:call]
+          rv = ret[:data]
+          args_override = ret[:args]
+          args_override = build_accessor(args_override) if args_override
+        end
+      rescue StandardError => e
+        Sqreen.log.warn { "we catch a JScb exception: #{e.inspect}" }
+        Sqreen.log.debug e.backtrace
+        record_exception(e, :cb => name, :args => arguments)
+        nil
+      end
+      def each_hash_val_include(condition, depth = 10)
+        return if depth <= 0
+        condition.each do |key, values|
+          if key == ConditionEvaluator::HASH_INC_OPERATOR
+            yield values
+          else
+            values.map do |v|
+              each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
+            end
+          end
+        end
+      end
+      def restrict(cbname, arguments)
+        condition = @conditions[cbname]
+        return arguments if condition.nil? || @argument_requirements[cbname].nil?
+        each_hash_val_include(condition) do |needle, haystack, min_length|
+          # We could actually run the binding accessor expression here.
+          needed_idx = @argument_requirements[cbname].map(&:expression).index(needle)
+          next unless needed_idx
+          haystack_idx = @argument_requirements[cbname].map(&:expression).index(haystack)
+          next unless haystack_idx
+          arguments[haystack_idx] = ExecJSCB.hash_val_included(
+            arguments[needed_idx],
+            arguments[haystack_idx],
+            min_length.to_i,
+            @restrict_max_depth
+          )
+        end
+        arguments
+      end
+      def build_accessor(reqs)
+        reqs.map do |req|
+          BindingAccessor.new(req, true)
+        end
+      end
+      def build_runnable(callbacks)
+        @argument_requirements = {}
+        @source = ''
+        @js_pre = !callbacks['pre'].nil?
+        @js_post = !callbacks['post'].nil?
+        @js_failing = !callbacks['failing'].nil?
+        callbacks.each do |name, args_or_func|
+          @source << "var #{name} = "
+          if args_or_func.is_a?(Array)
+            @source << args_or_func.pop
+            @argument_requirements[name] = build_accessor(args_or_func)
+          else
+            @source << args_or_func
+            @argument_requirements[name] = []
+          end
+          @source << ";\n"
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/reflected_xss.rb CHANGED

@@ -122,7 +122,11 @@ module Sqreen
         if escape_html == false &&
            text.respond_to?(:include?) &&
            !text.include?('html_escape')
-          args[0].replace("Sqreen.escape_haml((#{args[0]}))")
+          if text.respond_to? :text=
+            args[0].text = "Sqreen.escape_haml((#{args[0].text}))"
+          else
+            args[0].replace("Sqreen.escape_haml((#{args[0]}))")
+          end
         end
         nil
       end

data/lib/sqreen/version.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.13.4'.freeze
+  VERSION = '1.14.0.beta3'.freeze
 end

metadata CHANGED

@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.13.4
+  version: 1.14.0.beta3
 platform: java
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-08-16 00:00:00.000000000 Z
+date: 2018-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.3.0
-  name: execjs
+        version: '0'
+  name: therubyrhino
   prerelease: false
   type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  name: therubyrhino
+        version: 0.3.0
+  name: execjs
   prerelease: false
   type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.3.0
 description: Sqreen is a SaaS based Application protection and monitoring platform
   that integrates directly into your Ruby applications. Learn more at https://sqreen.io.
 email: contact@sqreen.io
@@ -77,6 +77,9 @@ files:
 - lib/sqreen/frameworks/sinatra.rb
 - lib/sqreen/frameworks/sqreen_test.rb
 - lib/sqreen/instrumentation.rb
+- lib/sqreen/js/execjs_adapter.rb
+- lib/sqreen/js/js_service.rb
+- lib/sqreen/js/mini_racer_adapter.rb
 - lib/sqreen/log.rb
 - lib/sqreen/metrics.rb
 - lib/sqreen/metrics/average.rb
@@ -106,6 +109,7 @@ files:
 - lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb
 - lib/sqreen/rules_callbacks/custom_error.rb
 - lib/sqreen/rules_callbacks/execjs.rb
+- lib/sqreen/rules_callbacks/execjs_old.rb
 - lib/sqreen/rules_callbacks/headers_insert.rb
 - lib/sqreen/rules_callbacks/inspect_rule.rb
 - lib/sqreen/rules_callbacks/matcher_rule.rb
@@ -142,12 +146,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.14.1
+rubygems_version: 2.7.7
 signing_key:
 specification_version: 4
 summary: Sqreen Ruby agent