RubyGems - sqreen - Versions diffs - 1.17.2 → 1.18.0 - Mend

sqreen 1.17.2 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/lib/sqreen/encoding_sanitizer.rb +22 -0
data/lib/sqreen/events/request_record.rb +1 -21
data/lib/sqreen/log.rb +20 -0
data/lib/sqreen/rules_callbacks.rb +1 -0
data/lib/sqreen/rules_callbacks/waf.rb +102 -0
data/lib/sqreen/runtime_infos.rb +26 -1
data/lib/sqreen/session.rb +10 -10
data/lib/sqreen/version.rb +1 -1
metadata +18 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a76d5247720780e68021b3bf5b252d5ce95bb141bec396eb4dfbd32858c4cbc3
-  data.tar.gz: 84a2aa50afcff20f86a4232bf62a9a90c468d71c5eff8caf8028554721bcd965
+  metadata.gz: a588437667070c3e175082755b4f63a1bcc2a1c1f599142fc56ac2348d05a1bf
+  data.tar.gz: 1dd5d9a28a0d4285c807587d1a0740342561950c85c4fc84e273ced99b90a6c7
 SHA512:
-  metadata.gz: 0de1fbb01aadba0da7fe66a12aba82b5e388fd0d1a2a1c66da27d5ed4a09e1f211218a65c84718d0406215a70a8448dd1cf26e524d3920593e911e6a9417faef
-  data.tar.gz: 8fe62157f44cd084bcaf090782f1e28f70b3d274af2498d2625e25eba9c82b56986be087ab600be70b22730247dc15c964a6a784d16117d51a3aaf76464aa87f
+  metadata.gz: 4e2d876f635ceadf46df13484f50ec6dfd418ebece431916330d2319be79f6a0f38c27a73f2a4261809af30fc3d32e6024a68c415b372ad7214b245f2e2443f6
+  data.tar.gz: 38a0ee125e1ded9a6bbddd440f30a3011b7c36051ac7393f5cd8294a128952fd9f7a93735b20496394e77a042a14c95199817fad6598625d5583030f8c50aace

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 1.18.0
+* Support In-App WAF
 ## 1.17.2
 * Support Rails 6.0 (single database)

data/lib/sqreen/encoding_sanitizer.rb ADDED

@@ -0,0 +1,22 @@
+module Sqreen
+  class EncodingSanitizer
+    def self.sanitize(obj)
+      case obj
+      when String
+        sanitize_string(obj)
+      when Array
+        obj.map { |e| sanitize(e) }
+      when Hash
+        obj.each_with_object({}) { |(k, v), h| h[k] = sanitize(v) }
+      else
+        obj
+      end
+    end
+    def self.sanitize_string(s)
+      return s if s.encoding.name == 'UTF-8' && s.valid_encoding?
+      s.encode('UTF-16', :invalid => :replace, :undef => :replace).encode('UTF-8')
+    end
+  end
+end

data/lib/sqreen/events/request_record.rb CHANGED

@@ -3,6 +3,7 @@
 require 'json'
 require 'sqreen/event'
+require 'sqreen/encoding_sanitizer'
 module Sqreen
   # When a request is deeemed worthy of being sent to the backend
@@ -115,27 +116,6 @@ module Sqreen
     end
   end
-  class EncodingSanitizer
-    def self.sanitize(obj)
-      case obj
-      when String
-        sanitize_string(obj)
-      when Array
-        obj.map { |e| sanitize(e) }
-      when Hash
-        obj.each_with_object({}) { |(k, v), h| h[k] = sanitize(v) }
-      else
-        obj
-      end
-    end
-    def self.sanitize_string(s)
-      return s if s.encoding.name == 'UTF-8' && s.valid_encoding?
-      s.encode('UTF-16', :invalid => :replace, :undef => :replace).encode('UTF-8')
-    end
-  end
   # For redacting sensitive data and avoid having it sent to our servers
   class SensitiveDataRedactor
     DEFAULT_SENSITIVE_KEYS = Set.new(%w[password secret passwd authorization api_key apikey access_token]).freeze

data/lib/sqreen/log.rb CHANGED

@@ -62,6 +62,10 @@ module Sqreen
   # Wrapper class for sqreen logging
   class Logger
+    SEVERITY_TO_METHOD = ::Logger::Severity.constants.each_with_object({}) do |s, h|
+      h[::Logger::Severity.const_get(s)] = s.downcase
+    end
     def initialize(desired_level, log_location, force_logger = nil)
       if force_logger
         @logger = force_logger
@@ -90,6 +94,10 @@ module Sqreen
       @logger.error(msg, &block)
     end
+    def add(severity, msg = nil, &block)
+      send(SEVERITY_TO_METHOD[severity], msg, &block)
+    end
     protected
     def init_logger_output(path)
@@ -135,6 +143,10 @@ module Sqreen
     def error(_msg = nil); end
+    def fatal(_msg = nil); end
+    def add(_severity, _msg = nil); end
     def formatter=(_); end
   end
@@ -162,6 +174,14 @@ module Sqreen
       @logger.error(msg, &block)
     end
+    def fatal(msg = nil, &block)
+      @logger.error(msg, &block)
+    end
+    def add(severity, msg = nil, &block)
+      send(Sqreen::Logger::SEVERITY_TO_METHOD[severity], msg, &block)
+    end
     def formatter=(value)
       @logger.formatter = value
     end

data/lib/sqreen/rules_callbacks.rb CHANGED

@@ -31,3 +31,4 @@ require 'sqreen/rules_callbacks/devise_auth_track'
 require 'sqreen/rules_callbacks/devise_signup_track'
 require 'sqreen/rules_callbacks/custom_error'
+require 'sqreen/rules_callbacks/waf'

data/lib/sqreen/rules_callbacks/waf.rb ADDED

@@ -0,0 +1,102 @@
+require 'securerandom'
+require 'sqreen/rule_attributes'
+require 'sqreen/binding_accessor'
+require 'sqreen/rule_callback'
+require 'sqreen/safe_json'
+module Sqreen
+  module Rules
+    class WAFCB < RuleCB
+      BUDGET_MAX = 5000
+      # TODO: move to Dependency
+      begin
+        require 'libsqreen'
+        @libsqreen = true
+      rescue LoadError
+        Sqreen.log.warn('libsqreen gem not found')
+        @libsqreen = false
+      end
+      def self.libsqreen?
+        @libsqreen
+      end
+      attr_reader :binding_accessors, :budget, :waf_rule_name
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+        unless WAFCB.libsqreen?
+          Sqreen.log.warn('libsqreen gem not found')
+          return
+        end
+        unless @data['values']
+          Sqreen.log.warn('no values in data')
+          return
+        end
+        ::LibSqreen::WAF.logger = Sqreen.log
+        name = format("%s_%s", SecureRandom.uuid, rule_name)
+        unless @data['values']['waf_rules'] && (::LibSqreen::WAF[name] = @data['values']['waf_rules'])
+          Sqreen.log.error("WAF rule #{name} failed to be set, from #<#{self.class.name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+          return
+        end
+        @waf_rule_name = name
+        Sqreen.log.debug("WAF rule #{name} set, from #<#{self.class.name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+        @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
+          h[e] = BindingAccessor.new(e)
+        end
+        @budget = @data['values'].fetch('budget', BUDGET_MAX)
+        ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
+      end
+      def pre(instance, args, _budget)
+        unless WAFCB.libsqreen?
+          Sqreen.log.warn('libsqreen not required')
+          return
+        end
+        request = framework.request
+        return if !waf_rule_name || !request
+        env = [binding, framework, instance, args]
+        waf_args = Hash[binding_accessors.map { |e, b| [e, b.resolve(*env)] }]
+        waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
+        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, budget)
+        case action
+        when :monitor
+          record_event({ 'waf_data' => data })
+          advise_action(nil)
+        when :block
+          record_event({ 'waf_data' => data })
+          advise_action(:raise)
+        when :good
+          advise_action(nil)
+        when :timeout, :invalid_call, :invalid_rule, :invalid_flow, :no_rule
+          Sqreen.log.warn("error from waf: #{action}")
+          advise_action(nil)
+        else
+          Sqreen.log.warn("unexpected action returned from waf")
+          advise_action(nil)
+        end
+      end
+      def self.finalizer(rule_name)
+        lambda do |object_id|
+          return unless WAFCB.libsqreen?
+          ::LibSqreen::WAF.delete(waf_rule_name, waf_args, budget)
+          Sqreen.log.debug("WAF rule #{rule_name} deleted, from #<#{name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/runtime_infos.rb CHANGED

@@ -65,7 +65,32 @@ module Sqreen
       {
         :agent_type => :ruby,
         :agent_version => ::Sqreen::VERSION,
-      }
+      }.tap do |h|
+        h[:libsqreen_version] = libsqreen_version if libsqreen?
+      end
+    end
+    def libsqreen?
+      libsqreen_loaded? && !libsqreen_stub?
+    end
+    def libsqreen_loaded?
+      Kernel.const_defined?('LibSqreen')
+    end
+    def libsqreen_stub?
+      !::LibSqreen.respond_to?(:version)
+    end
+    def libsqreen_version
+      return unless libsqreen?
+      @libsqreen_version ||= case (version = ::LibSqreen.version)
+                             when Array
+                               version.map(&:to_s).join('.')
+                             else
+                               version
+                             end
     end
     def os

data/lib/sqreen/session.rb CHANGED

@@ -100,7 +100,7 @@ module Sqreen
       rescue StandardError => e
         Sqreen.log.debug { "Caught exception during request: #{e.inspect}" }
         Sqreen.log.debug { e.backtrace }
-        Sqreen.log.debug "Cannot connect, retry in #{RETRY_CONNECT_SECONDS} seconds"
+        Sqreen.log.debug { "Cannot connect, retry in #{RETRY_CONNECT_SECONDS} seconds" }
         sleep RETRY_CONNECT_SECONDS
         @conn_retry += 1
         retry
@@ -129,7 +129,7 @@ module Sqreen
       raise e if max_retry != RETRY_FOREVER && current_retry >= max_retry || e.is_a?(Sqreen::NotImplementedYet) || e.is_a?(Sqreen::Unauthorized)
       sleep_delay = [MAX_DELAY, retry_request_seconds * current_retry].min
-      Sqreen.log.debug format("Sleeping %ds before retry #{current_retry}/#{max_retry}", sleep_delay)
+      Sqreen.log.debug { format("Sleeping %ds before retry #{current_retry}/#{max_retry}", sleep_delay) }
       sleep(sleep_delay)
       retry
@@ -164,10 +164,10 @@ module Sqreen
       @req_nb += 1
       path = prefix_path(path)
-      Sqreen.log.debug format('%s %s (%s)', method, path, @token)
       payload = {}
       resiliently(RETRY_REQUEST_SECONDS, max_retry) do
+        Sqreen.log.debug { format('%s %s %s %s (%s)', method, path, JSON.dump(data), headers.inspect, @token) }
         res = nil
         MUTEX.synchronize do
           res = case method.upcase
@@ -181,7 +181,7 @@ module Sqreen
                   end
                   @con.post(path, json_data, headers)
                 else
-                  Sqreen.log.debug format('unknown method %s', method)
+                  Sqreen.log.debug { format('unknown method %s', method) }
                   raise Sqreen::NotImplementedYet
                 end
         end
@@ -192,17 +192,17 @@ module Sqreen
           if res['Content-Type'] && res['Content-Type'].start_with?('application/json')
             payload = JSON.parse(res.body)
             unless payload['status']
-              Sqreen.log.debug(format('Cannot %s %s. Parsed response body was: %s', method, path, payload.inspect))
+              Sqreen.log.debug { format('Cannot %s %s. Parsed response body was: %s', method, path, payload.inspect) }
             end
           else
-            Sqreen.log.debug "Unexpected response Content-Type: #{res['Content-Type']}"
-            Sqreen.log.debug "Unexpected response body: #{res.body.inspect}"
+            Sqreen.log.debug { "Unexpected response Content-Type: #{res['Content-Type']}" }
+            Sqreen.log.debug { "Unexpected response body: #{res.body.inspect}" }
           end
         else
-          Sqreen.log.debug 'warning: empty return value'
+          Sqreen.log.debug { 'warning: empty return value' }
         end
+        Sqreen.log.debug { format('%s %s (DONE: %s in %f ms)', method, path, res && res.code, (Time.now.utc - now) * 1000) }
       end
-      Sqreen.log.debug format('%s %s (DONE in %f ms)', method, path, (Time.now.utc - now) * 1000)
       payload
     end
@@ -233,7 +233,7 @@ module Sqreen
       end
       Sqreen.log.info 'Login success.'
       @session_id = res['session_id']
-      Sqreen.log.debug "received session_id #{@session_id}"
+      Sqreen.log.debug { "received session_id #{@session_id}" }
       Sqreen.logged_in = true
       res
     end

data/lib/sqreen/version.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.17.2'.freeze
+  VERSION = '1.18.0'.freeze
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.17.2
+  version: 1.18.0
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-08-30 00:00:00.000000000 Z
+date: 2019-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sq_mini_racer
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.2.4.sqreen2
+- !ruby/object:Gem::Dependency
+  name: libsqreen
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0.0
 description: Sqreen is a SaaS based Application protection and monitoring platform
   that integrates directly into your Ruby applications. Learn more at https://sqreen.io.
 email: contact@sqreen.io
@@ -64,6 +78,7 @@ files:
 - lib/sqreen/dependency/rails.rb
 - lib/sqreen/dependency/sentry.rb
 - lib/sqreen/dependency/sinatra.rb
+- lib/sqreen/encoding_sanitizer.rb
 - lib/sqreen/event.rb
 - lib/sqreen/events/attack.rb
 - lib/sqreen/events/remote_exception.rb
@@ -126,6 +141,7 @@ files:
 - lib/sqreen/rules_callbacks/shell_env.rb
 - lib/sqreen/rules_callbacks/url_matches.rb
 - lib/sqreen/rules_callbacks/user_agent_matches.rb
+- lib/sqreen/rules_callbacks/waf.rb
 - lib/sqreen/rules_signature.rb
 - lib/sqreen/runner.rb
 - lib/sqreen/runtime_infos.rb