sqreen 1.17.2.rc1-java → 1.18.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f062d7ef72850413e24e2af4a34475c0af5a11c85ae21757e8d220cdd5569ee8
-  data.tar.gz: d6da283f4041d0c1d72bb2ebeb3517ef9b27d3988c49907765f35416a11c7976
+  metadata.gz: 922051da24f2022f3a83abf7f948dc5736755b1470e3c07e51ea620b4ad79d38
+  data.tar.gz: 286a940f0c898061965af56bc612cff127123743c81f29460bdb50b74f336cac
 SHA512:
-  metadata.gz: 94b0d8203e361dc77843055305250b14ebd084949be572baf7b581c478b4ed2a0af7e8eba06459aa2b1fda16e053ae7b9836b7fc5fbda04f81c55106b814d05f
-  data.tar.gz: 954ba804f9105405a31405cb54caec93ed2f96232d313cfa475fe35aec7e681027d72497920e886205a667a63fb2742a5847c2d3227f25038cf9f59c7f94a368
+  metadata.gz: 366be041f989a6668942f1e7f41be437572a9b128ff8622f916b5482aaf21b5f45f0ecdd7df11c44f1fa69b4823abc518e8c200fcc6b421d394f98e2b942c426
+  data.tar.gz: aec4842b37b82db5d7603a225fd1b14ece321793cf5d0f9e52f96be4acfc335427ea8056144bd3a8f0bfe960a8709b990e407c6329f746fe7a3aa03ebc30957e

data/CHANGELOG.md

@@ -1,23 +1,15 @@
-## 1.17.2.beta4
+## 1.18.0
 
-* Improve output of logging
-* Fix user signup tracking issue
+* Support In-App WAF
 
-## 1.17.2.beta3
+## 1.17.2
 
+* Support Rails 6.0 (single database)
+* Improve output of logging
+* Fix user signup tracking issue
 * Improve performance of user tracking
 * Improve reliability of user tracking against performance budget
-* Restore compatibility with Ruby 1.9.3, 2.0, and 2.1 and JRuby 9.2
-
-## 1.17.2.beta2
-
-* Important note: this beta release supports Ruby 2.2 or above only
 * Add support for Sinatra 2.0
-
-## 1.17.2.beta1
-
-* Important note: this beta release supports Rails only, and notably excludes Sinatra support
-* Important note: this beta release supports Ruby 2.2 or above only
 * Improve Sqreen thread boot when using Unicorn, Rainbows, Puma, Passenger, Thin, Webrick
 * Improve performance cap consistency with specification
 * Improve consistency of rule precondition argument passing

data/lib/sqreen/encoding_sanitizer.rb

@@ -0,0 +1,22 @@
+module Sqreen
+  class EncodingSanitizer
+    def self.sanitize(obj)
+      case obj
+      when String
+        sanitize_string(obj)
+      when Array
+        obj.map { |e| sanitize(e) }
+      when Hash
+        obj.each_with_object({}) { |(k, v), h| h[k] = sanitize(v) }
+      else
+        obj
+      end
+    end
+
+    def self.sanitize_string(s)
+      return s if s.encoding.name == 'UTF-8' && s.valid_encoding?
+
+      s.encode('UTF-16', :invalid => :replace, :undef => :replace).encode('UTF-8')
+    end
+  end
+end

data/lib/sqreen/events/request_record.rb

@@ -3,6 +3,7 @@
 
 require 'json'
 require 'sqreen/event'
+require 'sqreen/encoding_sanitizer'
 
 module Sqreen
   # When a request is deeemed worthy of being sent to the backend
@@ -115,27 +116,6 @@ module Sqreen
     end
   end
 
-  class EncodingSanitizer
-    def self.sanitize(obj)
-      case obj
-      when String
-        sanitize_string(obj)
-      when Array
-        obj.map { |e| sanitize(e) }
-      when Hash
-        obj.each_with_object({}) { |(k, v), h| h[k] = sanitize(v) }
-      else
-        obj
-      end
-    end
-
-    def self.sanitize_string(s)
-      return s if s.encoding.name == 'UTF-8' && s.valid_encoding?
-
-      s.encode('UTF-16', :invalid => :replace, :undef => :replace).encode('UTF-8')
-    end
-  end
-
   # For redacting sensitive data and avoid having it sent to our servers
   class SensitiveDataRedactor
     DEFAULT_SENSITIVE_KEYS = Set.new(%w[password secret passwd authorization api_key apikey access_token]).freeze

data/lib/sqreen/log.rb

@@ -62,6 +62,10 @@ module Sqreen
 
   # Wrapper class for sqreen logging
   class Logger
+    SEVERITY_TO_METHOD = ::Logger::Severity.constants.each_with_object({}) do |s, h|
+      h[::Logger::Severity.const_get(s)] = s.downcase
+    end
+
     def initialize(desired_level, log_location, force_logger = nil)
       if force_logger
         @logger = force_logger
@@ -90,6 +94,10 @@ module Sqreen
       @logger.error(msg, &block)
     end
 
+    def add(severity, msg = nil, &block)
+      send(SEVERITY_TO_METHOD[severity], msg, &block)
+    end
+
     protected
 
     def init_logger_output(path)
@@ -135,6 +143,10 @@ module Sqreen
 
     def error(_msg = nil); end
 
+    def fatal(_msg = nil); end
+
+    def add(_severity, _msg = nil); end
+
     def formatter=(_); end
   end
 
@@ -162,6 +174,14 @@ module Sqreen
       @logger.error(msg, &block)
     end
 
+    def fatal(msg = nil, &block)
+      @logger.error(msg, &block)
+    end
+
+    def add(severity, msg = nil, &block)
+      send(Sqreen::Logger::SEVERITY_TO_METHOD[severity], msg, &block)
+    end
+
     def formatter=(value)
       @logger.formatter = value
     end

data/lib/sqreen/rules_callbacks.rb

@@ -31,3 +31,4 @@ require 'sqreen/rules_callbacks/devise_auth_track'
 require 'sqreen/rules_callbacks/devise_signup_track'
 
 require 'sqreen/rules_callbacks/custom_error'
+require 'sqreen/rules_callbacks/waf'

data/lib/sqreen/rules_callbacks/waf.rb

@@ -0,0 +1,102 @@
+require 'securerandom'
+require 'sqreen/rule_attributes'
+require 'sqreen/binding_accessor'
+require 'sqreen/rule_callback'
+require 'sqreen/safe_json'
+
+module Sqreen
+  module Rules
+    class WAFCB < RuleCB
+      BUDGET_MAX = 5000
+
+      # TODO: move to Dependency
+      begin
+        require 'libsqreen'
+        @libsqreen = true
+      rescue LoadError
+        Sqreen.log.warn('libsqreen gem not found')
+        @libsqreen = false
+      end
+
+      def self.libsqreen?
+        @libsqreen
+      end
+
+      attr_reader :binding_accessors, :budget, :waf_rule_name
+
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+
+        unless WAFCB.libsqreen?
+          Sqreen.log.warn('libsqreen gem not found')
+          return
+        end
+
+        unless @data['values']
+          Sqreen.log.warn('no values in data')
+          return
+        end
+
+        ::LibSqreen::WAF.logger = Sqreen.log
+
+        name = format("%s_%s", SecureRandom.uuid, rule_name)
+        unless @data['values']['waf_rules'] && (::LibSqreen::WAF[name] = @data['values']['waf_rules'])
+          Sqreen.log.error("WAF rule #{name} failed to be set, from #<#{self.class.name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+          return
+        end
+        @waf_rule_name = name
+        Sqreen.log.debug("WAF rule #{name} set, from #<#{self.class.name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+
+        @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
+          h[e] = BindingAccessor.new(e)
+        end
+        @budget = @data['values'].fetch('budget', BUDGET_MAX)
+
+        ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
+      end
+
+      def pre(instance, args, _budget)
+        unless WAFCB.libsqreen?
+          Sqreen.log.warn('libsqreen not required')
+          return
+        end
+
+        request = framework.request
+        return if !waf_rule_name || !request
+
+        env = [binding, framework, instance, args]
+
+        waf_args = Hash[binding_accessors.map { |e, b| [e, b.resolve(*env)] }]
+        waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
+        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, budget)
+
+        case action
+        when :monitor
+          record_event({ 'waf_data' => data })
+          advise_action(nil)
+        when :block
+          record_event({ 'waf_data' => data })
+          advise_action(:raise)
+        when :good
+          advise_action(nil)
+        when :timeout, :invalid_call, :invalid_rule, :invalid_flow, :no_rule
+          Sqreen.log.warn("error from waf: #{action}")
+          advise_action(nil)
+        else
+          Sqreen.log.warn("unexpected action returned from waf")
+          advise_action(nil)
+        end
+      end
+
+      def self.finalizer(rule_name)
+        lambda do |object_id|
+          return unless WAFCB.libsqreen?
+
+          ::LibSqreen::WAF.delete(waf_rule_name, waf_args, budget)
+          Sqreen.log.debug("WAF rule #{rule_name} deleted, from #<#{name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/runtime_infos.rb

@@ -65,7 +65,32 @@ module Sqreen
       {
         :agent_type => :ruby,
         :agent_version => ::Sqreen::VERSION,
-      }
+      }.tap do |h|
+        h[:libsqreen_version] = libsqreen_version if libsqreen?
+      end
+    end
+
+    def libsqreen?
+      libsqreen_loaded? && !libsqreen_stub?
+    end
+
+    def libsqreen_loaded?
+      Kernel.const_defined?('LibSqreen')
+    end
+
+    def libsqreen_stub?
+      !::LibSqreen.respond_to?(:version)
+    end
+
+    def libsqreen_version
+      return unless libsqreen?
+
+      @libsqreen_version ||= case (version = ::LibSqreen.version)
+                             when Array
+                               version.map(&:to_s).join('.')
+                             else
+                               version
+                             end
     end
 
     def os

data/lib/sqreen/session.rb

@@ -100,7 +100,7 @@ module Sqreen
       rescue StandardError => e
         Sqreen.log.debug { "Caught exception during request: #{e.inspect}" }
         Sqreen.log.debug { e.backtrace }
-        Sqreen.log.debug "Cannot connect, retry in #{RETRY_CONNECT_SECONDS} seconds"
+        Sqreen.log.debug { "Cannot connect, retry in #{RETRY_CONNECT_SECONDS} seconds" }
         sleep RETRY_CONNECT_SECONDS
         @conn_retry += 1
         retry
@@ -129,7 +129,7 @@ module Sqreen
       raise e if max_retry != RETRY_FOREVER && current_retry >= max_retry || e.is_a?(Sqreen::NotImplementedYet) || e.is_a?(Sqreen::Unauthorized)
 
       sleep_delay = [MAX_DELAY, retry_request_seconds * current_retry].min
-      Sqreen.log.debug format("Sleeping %ds before retry #{current_retry}/#{max_retry}", sleep_delay)
+      Sqreen.log.debug { format("Sleeping %ds before retry #{current_retry}/#{max_retry}", sleep_delay) }
       sleep(sleep_delay)
 
       retry
@@ -164,10 +164,10 @@ module Sqreen
       @req_nb += 1
 
       path = prefix_path(path)
-      Sqreen.log.debug format('%s %s (%s)', method, path, @token)
 
       payload = {}
       resiliently(RETRY_REQUEST_SECONDS, max_retry) do
+        Sqreen.log.debug { format('%s %s %s %s (%s)', method, path, JSON.dump(data), headers.inspect, @token) }
         res = nil
         MUTEX.synchronize do
           res = case method.upcase
@@ -181,7 +181,7 @@ module Sqreen
                   end
                   @con.post(path, json_data, headers)
                 else
-                  Sqreen.log.debug format('unknown method %s', method)
+                  Sqreen.log.debug { format('unknown method %s', method) }
                   raise Sqreen::NotImplementedYet
                 end
         end
@@ -192,17 +192,17 @@ module Sqreen
           if res['Content-Type'] && res['Content-Type'].start_with?('application/json')
             payload = JSON.parse(res.body)
             unless payload['status']
-              Sqreen.log.debug(format('Cannot %s %s. Parsed response body was: %s', method, path, payload.inspect))
+              Sqreen.log.debug { format('Cannot %s %s. Parsed response body was: %s', method, path, payload.inspect) }
             end
           else
-            Sqreen.log.debug "Unexpected response Content-Type: #{res['Content-Type']}"
-            Sqreen.log.debug "Unexpected response body: #{res.body.inspect}"
+            Sqreen.log.debug { "Unexpected response Content-Type: #{res['Content-Type']}" }
+            Sqreen.log.debug { "Unexpected response body: #{res.body.inspect}" }
           end
         else
-          Sqreen.log.debug 'warning: empty return value'
+          Sqreen.log.debug { 'warning: empty return value' }
         end
+        Sqreen.log.debug { format('%s %s (DONE: %s in %f ms)', method, path, res && res.code, (Time.now.utc - now) * 1000) }
       end
-      Sqreen.log.debug format('%s %s (DONE in %f ms)', method, path, (Time.now.utc - now) * 1000)
       payload
     end
 
@@ -233,7 +233,7 @@ module Sqreen
       end
       Sqreen.log.info 'Login success.'
       @session_id = res['session_id']
-      Sqreen.log.debug "received session_id #{@session_id}"
+      Sqreen.log.debug { "received session_id #{@session_id}" }
       Sqreen.logged_in = true
       res
     end

data/lib/sqreen/version.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.17.2.rc1'.freeze
+  VERSION = '1.18.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.17.2.rc1
+  version: 1.18.0
 platform: java
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-08-29 00:00:00.000000000 Z
+date: 2019-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -78,6 +78,7 @@ files:
 - lib/sqreen/dependency/rails.rb
 - lib/sqreen/dependency/sentry.rb
 - lib/sqreen/dependency/sinatra.rb
+- lib/sqreen/encoding_sanitizer.rb
 - lib/sqreen/event.rb
 - lib/sqreen/events/attack.rb
 - lib/sqreen/events/remote_exception.rb
@@ -140,6 +141,7 @@ files:
 - lib/sqreen/rules_callbacks/shell_env.rb
 - lib/sqreen/rules_callbacks/url_matches.rb
 - lib/sqreen/rules_callbacks/user_agent_matches.rb
+- lib/sqreen/rules_callbacks/waf.rb
 - lib/sqreen/rules_signature.rb
 - lib/sqreen/runner.rb
 - lib/sqreen/runtime_infos.rb
@@ -163,9 +165,7 @@ files:
 homepage: https://www.sqreen.io/
 licenses: []
 metadata: {}
-post_install_message: |2
-      This is a Sqreen rc release and may not work in all situations.
-      Make sure to review CHANGELOG.md for important details.
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -176,9 +176,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project:
 rubygems_version: 2.7.7