sqreen 1.15.8 → 1.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c3b1883dab046bead45a9f4918b23fd8c645c63d9e8526f2659a4864148f6f6
-  data.tar.gz: be1317fecaa1476cabb5994ed25d8ba6852de00251004d43ca856aaed25dd225
+  metadata.gz: 88700ab65a0ac3080eb109fff2ab757f69da29f2a875bfa054a6ac89f6068ad4
+  data.tar.gz: 01f4d1e68fce364d10c4e54f37ef32e1b8490d36118d9cbe74488743ec3f6a31
 SHA512:
-  metadata.gz: 40e08b9bdfe5fb86820ff3dae712c180637fdfe488233505dcfcd4b45b2ea465ba3658d5c9b63a2214c45309b8a975a9a4f66dc47e6a560f01d96d8b855693f8
-  data.tar.gz: 04d801be1033efcd75e3b353ff7a9ffa44210fe0dd38fe04870bc7b7aa58509a6f09fc6ef23e2edb2967ed3f7e933bc8cd5948c5dc83259ffdef79ac55522759
+  metadata.gz: dcba32ae629498dce1051f3d9878ce974244622f967a7dd51fe9a5208c770fb4aef27f3aa502fe2033cc0ba1e8e94a2d28550777a1293184f7c86bc1bb0e266e
+  data.tar.gz: e8753a65ad853c63f6a0d18de2f453b7840db8a2b2fb24add9616cadf4e9e495d3d97dc33bc6c7b8d0d2d0460e2f48a98ef4216e984fd91c4c0b8d5db5fa7e63

data/Rakefile

@@ -13,6 +13,7 @@ end
 
 Rake::TestTask.new do |t|
   t.pattern = 'test/**/*.rb'
+  t.warning = false
   t.libs << 'test'
 end
 

data/lib/sqreen.rb

@@ -17,7 +17,7 @@ require 'thread'
 # Auto start the instrumentation.
 
 Sqreen.framework.on_start do |framework|
-  if RUBY_VERSION =~ /\A2\.5\.[01]\z/ && Sqreen.framework.on_pre_fork_preload?
+  if Sqreen.framework.on_pre_fork_preload?
     STDERR.puts("Avoiding launching sqreen thread pre-fork") # sqreen log unavailable
     next
   end

data/lib/sqreen/actions.rb

@@ -265,45 +265,45 @@ module Sqreen
       end
     end
 
-    # Blocks a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class BlockUser < Base
-      self.type_name = 'block_user'
-
-      class << self
-        def actions_matching(identity_params)
-          return [] unless @idx
-          key = stringify_keys(identity_params)
-          actions = @idx[key]
-          actions || []
-        end
-
-        def index(params, action)
-          @idx ||= {}
-          users = params['users']
-          raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
-          raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+    module UserActionClass
+      def actions_matching(identity_params)
+        return [] unless @idx
+        key = stringify_keys(identity_params)
+        actions = @idx[key]
+        actions || []
+      end
 
-          users.each do |u|
-            @idx[u] ||= []
-            @idx[u] << action
-          end
+      def index(params, action)
+        @idx ||= {}
+        users = params['users']
+        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
+        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+
+        users.each do |u|
+          @idx[u] ||= []
+          @idx[u] << action
         end
+      end
 
-        def clear
-          @idx = {}
-        end
+      def clear
+        @idx = {}
+      end
 
-        private
+      private
 
-        def stringify_keys(hash)
-          Hash[
-            hash.map { |k, v| [k.to_s, v] }
-          ]
-        end
+      def stringify_keys(hash)
+        Hash[
+          hash.map { |k, v| [k.to_s, v] }
+        ]
       end
+    end
 
-      # BlockUser proper definition continues
+    # Blocks a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class BlockUser < Base
+      extend UserActionClass
+
+      self.type_name = 'block_user'
 
       def initialize(id, opts, params = {})
         super(id, opts)
@@ -330,5 +330,39 @@ module Sqreen
         { 'user' => identity_params }
       end
     end
+
+    # Redirects a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class RedirectUser < Base
+      extend UserActionClass
+
+      self.type_name = 'redirect_user'
+
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+
+      def do_run(identity_params)
+        Sqreen.log.info 'Will request redirect for user with identity ' \
+          "#{identity_params} (action: #{id})."
+
+        e = Sqreen::AttackBlocked.new(
+          "Redirected user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+        e.redirect_url = @redirect_url
+
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
   end
 end

data/lib/sqreen/configuration.rb

@@ -35,6 +35,8 @@ module Sqreen
       :default => 'https://back.sqreen.io' },
     { :env => :SQREEN_TOKEN,     :name => :token,
       :default => nil },
+    { :env => :SQREEN_APP_NAME,  :name => :app_name,
+      :default => nil },
     { :env => :SQREEN_RULES,     :name => :local_rules,
       :default => nil },
     { :env => :SQREEN_RULES_SIGNATURE, :name => :rules_verify_signature,

data/lib/sqreen/exception.rb

@@ -28,6 +28,8 @@ module Sqreen
   # Sqreen users when watching their logs. It should not raise any concern to
   # them.
   class AttackBlocked < Exception
+    attr_accessor :redirect_url
+
     def log_message(msg)
       Sqreen.log.warn(msg)
     end

data/lib/sqreen/frameworks/generic.rb

@@ -178,6 +178,10 @@ module Sqreen
         nil
       end
 
+      def application_name
+        nil
+      end
+
       # Main entry point for sqreen.
       # launch whenever we are ready
       def on_start

data/lib/sqreen/frameworks/rails.rb

@@ -70,8 +70,11 @@ module Sqreen
       end
 
       def root
-        return nil unless @application
-        @application.root
+        Rails.application.root
+      end
+
+      def application_name
+        Rails.application.class.name.deconstantize.underscore
       end
 
       # Register a new initializer in rails to ba called when we are starting up

data/lib/sqreen/instrumentation.rb

@@ -11,7 +11,7 @@ require 'sqreen/rules_signature'
 require 'sqreen/shared_storage'
 require 'sqreen/rules_callbacks/record_request_context'
 require 'sqreen/rules_callbacks/run_req_start_actions'
-require 'sqreen/rules_callbacks/run_block_user_actions'
+require 'sqreen/rules_callbacks/run_user_actions'
 require 'sqreen/mono_time'
 require 'set'
 
@@ -706,8 +706,8 @@ module Sqreen
     def hardcoded_callbacks(framework)
       [
         Sqreen::Rules::RunReqStartActions.new(framework),
-        Sqreen::Rules::RunBlockUserActions.new(Sqreen, :identify, 0),
-        Sqreen::Rules::RunBlockUserActions.new(Sqreen, :auth_track, 1),
+        Sqreen::Rules::RunUserActions.new(Sqreen, :identify, 0),
+        Sqreen::Rules::RunUserActions.new(Sqreen, :auth_track, 1),
       ]
     end
 

data/lib/sqreen/js/mini_racer_adapter.rb

@@ -81,89 +81,6 @@ module Sqreen
       end
     end
 
-    class JsonConversion
-      class << self
-        if defined?(::JSON::Ext::Generator::State)
-          def convert_arguments(_args)
-            args = purge_dangerous_objs(_args)
-            new_state.generate(args)
-          rescue ::JSON::GeneratorError, ::Encoding::UndefinedConversionError
-            fixed_args = fixup_bad_encoding(args)
-            new_state.generate(fixed_args)
-          end
-        else
-          def convert_arguments(_args)
-            args = purge_dangerous_objs(_args)
-            args.to_json(new_state)
-          rescue ::EncodingError
-            fixed_args = fixup_bad_encoding(args)
-            fixed_args.to_json(new_state)
-          end
-        end
-
-        private
-
-        def new_state
-          ::JSON::SAFE_STATE_PROTOTYPE.dup
-        end
-
-        def fixup_bad_encoding(arg, max_depth = 100)
-          return nil if max_depth <= 0
-
-          if arg.is_a?(::Array)
-            return arg.map { |it| fixup_bad_encoding(it, max_depth - 1) }
-          end
-
-          if arg.is_a?(::Hash)
-            return ::Hash[
-              arg.map do |k, v|
-                [fixup_bad_encoding(k, max_depth - 1),
-                 fixup_bad_encoding(v, max_depth - 1)]
-              end
-            ]
-          end
-
-          return arg unless arg.is_a?(::String)
-
-          unless arg.valid_encoding?
-            return arg.dup.force_encoding(::Encoding::ISO_8859_1)
-          end
-
-          # encoding is valid if it reaches this point
-          return arg if arg.encoding == ::Encoding::UTF_8
-
-          begin
-            arg.encode(::Encoding::UTF_8)
-          rescue ::Encoding::UndefinedConversionError
-            arg.dup.force_encoding(::Encoding::ISO_8859_1)
-          end
-        end
-
-        def purge_dangerous_objs(arg, max_depth = 100)
-          return nil if max_depth <= 0
-
-          if arg.is_a?(::Array)
-            arg.map { |it| purge_dangerous_objs(it, max_depth - 1) }
-          elsif arg.is_a?(::Hash)
-            Hash[
-              arg.map do |k, v|
-                [purge_dangerous_objs(k, max_depth - 1),
-                 purge_dangerous_objs(v, max_depth - 1)]
-              end
-            ]
-          elsif arg.is_a?(::String) || arg.nil? || arg == false ||
-            arg == true || arg.is_a?(::Fixnum) || arg.is_a?(::Bignum) ||
-            arg.is_a?(::Float)
-            arg
-          elsif arg.respond_to?(:to_json)
-            arg.to_s
-          else
-            arg
-          end
-        end
-      end
-    end
-
     class MiniRacerExecutableJs < ExecutableJs
       @@ctx_defined = false
 
@@ -194,9 +111,7 @@ module Sqreen
           ctx.add_code(@code_id, @code) unless ctx.has_code?(@code_id)
 
           begin
-            json_args = JsonConversion.convert_arguments(arguments)
-            ctx.eval_unsafe(
-              "sqreen_data['#{@code_id}']['#{cb_name}'].apply(this, #{json_args})", nil, budget)
+            ctx.call("sqreen_#{@code_id}_#{cb_name}", *arguments)
           rescue @module::ScriptTerminatedError
             Sqreen.log.debug "ScriptTerminatedError/#{cb_name}"
             nil
@@ -205,7 +120,7 @@ module Sqreen
       end
 
       def self.code_id(code)
-        Digest::MD5.base64digest(code)
+        Digest::MD5.hexdigest(code)
       end
 
       private
@@ -231,6 +146,9 @@ module Sqreen
             end
 
             def add_code(code_id, code)
+              # It's important that the definition is run in its own scope (by executing it inside an anonymous function)
+              # Otherwise some auxiliary functions that the backend server sends will collide the name
+              # Because they're defined with `var`, running the definitions inside a function is enough
               eval_unsafe "(function() { #{code} })()"
               transf_global_funcs code_id
               @code_ids ||= Set.new
@@ -271,20 +189,14 @@ module Sqreen
             private
 
             def transf_global_funcs(code_id)
+              # Multiple callbacks may share the same name. In order to avoid collisions, we rename them here.
               eval_unsafe <<EOD
-                if (typeof sqreen_data === 'undefined') {
-                  sqreen_data = {};
-                }
-
-                group = {};
                 Object.keys(this).forEach(name => {
-                  if (typeof this[name] === "function") {
-                    group[name] = this[name];
+                  if (typeof this[name] === "function" && !name.startsWith("sqreen_")) {
+                    this['sqreen_#{code_id}_' + name] = this[name];
                     this[name] = undefined;
                   }
                 });
-                sqreen_data['#{code_id}'] = group
-                delete group;
 EOD
 
             end

data/lib/sqreen/middleware.rb

@@ -19,6 +19,20 @@ module Sqreen
 
     def call(env)
       @app.call(env)
+    rescue => e
+      sqreen_attack = nil
+      if e.is_a?(Sqreen::AttackBlocked)
+        sqreen_attack = e
+      elsif e.respond_to?(:original_exception) &&
+                            e.original_exception.is_a?(Sqreen::AttackBlocked)
+        sqreen_attack = e.original_exception
+      end
+
+      if sqreen_attack && sqreen_attack.redirect_url
+        return [303, { 'Location' => sqreen_attack.redirect_url }, ['']]
+      else
+        raise
+      end
     end
   end
 

data/lib/sqreen/mono_time.rb

@@ -6,6 +6,19 @@ module Sqreen
     false
   end
 
+  @has_thread_cpu_time = begin
+    Process.clock_gettime Process::CLOCK_THREAD_CPUTIME_ID
+    true
+  rescue StandardError
+    false
+  end
+
+  class << self
+    def thread_cpu_time?
+      @has_thread_cpu_time
+    end
+  end
+
   if has_mono_time
     def self.time
       Process.clock_gettime Process::CLOCK_MONOTONIC
@@ -15,4 +28,14 @@ module Sqreen
       Time.now.to_f
     end
   end
+
+  if @has_thread_cpu_time
+    def self.thread_cpu_time
+      Process.clock_gettime Process::CLOCK_THREAD_CPUTIME_ID
+    end
+  else
+    def self.thread_cpu_time
+      0
+    end
+  end
 end

data/lib/sqreen/performance_notifications/binned_metrics.rb

@@ -15,6 +15,7 @@ module Sqreen
       EVENT_REQ = 'req'.freeze # request total time
       EVENT_TOTAL_TIME = 'sq'.freeze # sqreen total overhead callback time
       EVENT_PERCENT = 'pct'.freeze # sqreen total overhead percent of time
+      EVENT_SQ_THREAD_CPU_PCT = 'sq_thread_cpu_pct'.freeze # sqreen thread cpu time
 
       # @param metrics_store [Sqreen::MetricsStore]
       def initialize(metrics_store, period, perf_metric_opts, perf_metric_percent_opts)
@@ -23,6 +24,8 @@ module Sqreen
         @subid = nil
         @perf_metric_opts = perf_metric_opts
         @perf_metric_percent_opts = perf_metric_percent_opts
+        @clock_time = Sqreen.time
+        @watcher_cpu_time = 0
       end
 
       def enable
@@ -38,6 +41,12 @@ module Sqreen
           'name' => EVENT_PERCENT, 'period' => period, 'kind' => 'Binning', 'options' => @perf_metric_percent_opts
         )
 
+        if Sqreen.thread_cpu_time?
+          metrics_store.create_metric('name' => EVENT_SQ_THREAD_CPU_PCT,
+                                      'period' => period, 'kind' => 'Binning',
+                                      'options' => @perf_metric_percent_opts)
+        end
+
         @subid = Sqreen::PerformanceNotifications.subscribe(&method(:log))
       end
 
@@ -85,6 +94,26 @@ module Sqreen
         )
       end
 
+      def finish_watcher_run
+        return unless Sqreen.thread_cpu_time?
+        new_clock_time = Sqreen.time
+        # collect observation at min 30 second intervals so it's nicely averaged
+        return if new_clock_time - @clock_time < 30.0
+
+        clock_time_before = @clock_time
+        watcher_cpu_time_before = @watcher_cpu_time
+        @clock_time = new_clock_time
+        @watcher_cpu_time = Sqreen.thread_cpu_time
+
+        clock_time_diff = @clock_time - clock_time_before
+        watcher_cpu_diff = @watcher_cpu_time - watcher_cpu_time_before
+
+        Sqreen.observations_queue.push(
+          [EVENT_SQ_THREAD_CPU_PCT, nil,
+           (watcher_cpu_diff * 100.0) / clock_time_diff, Time.now.utc]
+        )
+      end
+
       private
 
       # @return [Sqreen::MetricsStore]
@@ -111,7 +140,7 @@ module Sqreen
           @instance = new(metrics_store, period,
                           {'base'=> base, 'factor' => factor},
                           {'base' => base_pct, 'factor' => factor_pct}
-                      ).tap(&:enable)
+                         ).tap(&:enable)
         end
 
         def disable
@@ -129,6 +158,11 @@ module Sqreen
           return unless instance
           instance.finish_request
         end
+
+        def finish_watcher_run
+          return unless instance
+          instance.finish_watcher_run
+        end
       end
     end
   end

data/lib/sqreen/rules_callbacks/{run_block_user_actions.rb → run_user_actions.rb}

@@ -7,14 +7,15 @@ require 'sqreen/actions'
 module Sqreen
   module Rules
     # Runs the block_user actions (for hooking Sqreen.{identify,auth_user})
-    class RunBlockUserActions < CB
+    class RunUserActions < CB
       def initialize(klass, method, auth_keys_idx)
         super(klass, method)
         @auth_keys_idx = auth_keys_idx
       end
 
       def post(_retval, _inst, args, _budget = nil)
-        actions = actions_repo.get('block_user', args[@auth_keys_idx])
+        actions = actions_repo.get('block_user', args[@auth_keys_idx]) +
+                  actions_repo.get('redirect_user', args[@auth_keys_idx])
 
         actions.each do |action|
           res = action.run args[@auth_keys_idx]

data/lib/sqreen/runner.rb

@@ -109,6 +109,7 @@ module Sqreen
       @running = true
 
       @token = @configuration.get(:token)
+      @app_name = @configuration.get(:app_name)
       @url = @configuration.get(:url)
       Sqreen.update_whitelisted_paths([])
       Sqreen.update_whitelisted_ips({})
@@ -121,7 +122,7 @@ module Sqreen
       self.metrics_engine = MetricsStore.new
       @instrumenter = Instrumentation.new(metrics_engine)
 
-      Sqreen.log.warn "using token #{@token}"
+      Sqreen.log.warn "Using token #{@token}"
       response = create_session(session_class)
       wanted_features = response.fetch('features', {})
       conf_initial_features = configuration.get(:initial_features)
@@ -151,7 +152,7 @@ module Sqreen
     end
 
     def create_session(session_class)
-      @session = session_class.new(@url, @token)
+      @session = session_class.new(@url, @token, @app_name)
       session.login(@framework)
     end
 
@@ -378,6 +379,8 @@ module Sqreen
         Sqreen.log.debug 'Forced an heartbeat'
         periodic_cleanup # will trigger do_heartbeat since it's time
       end
+    ensure
+      PerformanceNotifications::BinnedMetrics.finish_watcher_run
     end
 
     def periodic_cleanup

data/lib/sqreen/session.rb

@@ -44,8 +44,9 @@ module Sqreen
 
     attr_accessor :request_compression
 
-    def initialize(server_url, token)
+    def initialize(server_url, token, app_name = nil)
       @token = token
+      @app_name = app_name
       @session_id = nil
       @server_url = server_url
       @request_compression = false
@@ -221,7 +222,12 @@ module Sqreen
     end
 
     def login(framework)
-      headers = { 'x-api-key' => @token }
+      headers = {
+        'x-api-key'  => @token,
+        'x-app-name' => @app_name || framework.application_name,
+      }.reject { |k, v| v ==  nil }
+
+      Sqreen.log.warn "Using app name: #{headers['x-app-name']}"
 
       res = resilient_post('app-login', RuntimeInfos.all(framework), headers)
 

data/lib/sqreen/version.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.15.8'.freeze
+  VERSION = '1.16.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.15.8
+  version: 1.16.0
 platform: ruby
 authors:
 - Sqreen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-07 00:00:00.000000000 Z
+date: 2019-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sq_mini_racer
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.4.sqreen1
+        version: 0.2.4.sqreen2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.4.sqreen1
+        version: 0.2.4.sqreen2
 description: Sqreen is a SaaS based Application protection and monitoring platform
   that integrates directly into your Ruby applications. Learn more at https://sqreen.io.
 email: contact@sqreen.io
@@ -104,8 +104,8 @@ files:
 - lib/sqreen/rules_callbacks/record_request_context.rb
 - lib/sqreen/rules_callbacks/reflected_xss.rb
 - lib/sqreen/rules_callbacks/regexp_rule.rb
-- lib/sqreen/rules_callbacks/run_block_user_actions.rb
 - lib/sqreen/rules_callbacks/run_req_start_actions.rb
+- lib/sqreen/rules_callbacks/run_user_actions.rb
 - lib/sqreen/rules_callbacks/shell_env.rb
 - lib/sqreen/rules_callbacks/url_matches.rb
 - lib/sqreen/rules_callbacks/user_agent_matches.rb