RubyGems - sqreen - Versions diffs - 1.18.2-java → 1.18.3-java - Mend

sqreen 1.18.2-java → 1.18.3-java

Files changed (125) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/LICENSE +3 -0
data/lib/sqreen/actions.rb +11 -337
data/lib/sqreen/actions/base.rb +110 -0
data/lib/sqreen/actions/block_ip.rb +32 -0
data/lib/sqreen/actions/block_user.rb +44 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +36 -0
data/lib/sqreen/actions/ip_ranges_index.rb +36 -0
data/lib/sqreen/actions/redirect_ip.rb +40 -0
data/lib/sqreen/actions/redirect_user.rb +45 -0
data/lib/sqreen/actions/repository.rb +24 -0
data/lib/sqreen/actions/unknown_action_type.rb +16 -0
data/lib/sqreen/actions/user_action_class.rb +41 -0
data/lib/sqreen/agent.rb +4 -1
data/lib/sqreen/attack_blocked.rb +17 -0
data/lib/sqreen/binding_accessor.rb +9 -102
data/lib/sqreen/binding_accessor/path_elem.rb +8 -0
data/lib/sqreen/binding_accessor/transforms.rb +107 -0
data/lib/sqreen/capped_queue.rb +2 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +1 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +2 -2
data/lib/sqreen/condition_evaluator.rb +22 -5
data/lib/sqreen/configuration.rb +5 -0
data/lib/sqreen/default_cb.rb +20 -0
data/lib/sqreen/deferred_logger.rb +63 -0
data/lib/sqreen/deliveries.rb +10 -0
data/lib/sqreen/deliveries/batch.rb +7 -1
data/lib/sqreen/deliveries/simple.rb +5 -0
data/lib/sqreen/dependency/detector.rb +1 -1
data/lib/sqreen/dependency/libsqreen.rb +28 -0
data/lib/sqreen/dependency/rails.rb +4 -0
data/lib/sqreen/dependency/sinatra.rb +47 -14
data/lib/sqreen/error_handling_middleware.rb +30 -0
data/lib/sqreen/event.rb +2 -0
data/lib/sqreen/events/attack.rb +2 -0
data/lib/sqreen/events/request_record.rb +11 -56
data/lib/sqreen/exception.rb +9 -40
data/lib/sqreen/formatter_with_tid.rb +45 -0
data/lib/sqreen/framework_cb.rb +28 -0
data/lib/sqreen/frameworks.rb +7 -0
data/lib/sqreen/frameworks/generic.rb +20 -2
data/lib/sqreen/frameworks/rails.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +3 -0
data/lib/sqreen/frameworks/sinatra.rb +2 -0
data/lib/sqreen/frameworks/sqreen_test.rb +2 -0
data/lib/sqreen/instrumentation.rb +5 -5
data/lib/sqreen/invalid_signature_exception.rb +8 -0
data/lib/{sqreen-alt.rb → sqreen/js.rb} +6 -1
data/lib/sqreen/js/call_context.rb +10 -0
data/lib/sqreen/js/context_pool.rb +60 -0
data/lib/sqreen/js/exec_js_runnable.rb +20 -0
data/lib/sqreen/js/execjs_adapter.rb +6 -47
data/lib/sqreen/js/executable_js.rb +12 -0
data/lib/sqreen/js/js_service.rb +2 -22
data/lib/sqreen/js/js_service_adapter.rb +18 -0
data/lib/sqreen/js/mini_racer_adapter.rb +6 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +142 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +47 -0
data/lib/sqreen/log.rb +8 -188
data/lib/sqreen/logger.rb +83 -0
data/lib/sqreen/metrics_store.rb +3 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +11 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +11 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +11 -0
data/lib/sqreen/middleware.rb +0 -34
data/lib/sqreen/mono_time.rb +2 -0
data/lib/sqreen/node.rb +44 -0
data/lib/sqreen/not_implemented_yet.rb +8 -0
data/lib/sqreen/null_logger.rb +24 -0
data/lib/sqreen/payload_creator.rb +2 -19
data/lib/sqreen/payload_creator/header_section.rb +28 -0
data/lib/sqreen/prefix.rb +33 -0
data/lib/sqreen/rails_middleware.rb +14 -0
data/lib/sqreen/remote_command.rb +1 -8
data/lib/sqreen/remote_command/failure_output.rb +11 -0
data/lib/sqreen/rules.rb +32 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +0 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +4 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +1 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +3 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +2 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +49 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +2 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +1 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +1 -1
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +2 -2
data/lib/sqreen/rules/update_request_context.rb +20 -0
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +10 -14
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +10 -7
data/lib/sqreen/run_when_called_cb.rb +21 -0
data/lib/sqreen/runtime_infos.rb +2 -9
data/lib/sqreen/sensitive_data_redactor.rb +111 -0
data/lib/sqreen/signature_verifier.rb +20 -0
data/lib/sqreen/sinatra_middleware.rb +14 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +5 -17
data/lib/sqreen/token_invalid_exception.rb +8 -0
data/lib/sqreen/token_not_found_exception.rb +9 -0
data/lib/sqreen/trie.rb +3 -64
data/lib/sqreen/unauthorized.rb +8 -0
data/lib/sqreen/util.rb +2 -0
data/lib/sqreen/util/capped_array.rb +33 -0
data/lib/sqreen/util/capped_hash.rb +39 -0
data/lib/sqreen/util/capped_string.rb +24 -0
data/lib/sqreen/util/capper.rb +65 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/waf_error.rb +18 -0
metadata +87 -35
data/lib/sqreen/rules_callbacks.rb +0 -35
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

data/lib/sqreen/metrics_store.rb CHANGED

@@ -1,23 +1,15 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/exception'
 require 'sqreen/metrics'
 require 'sqreen/mono_time'
+require 'sqreen/metrics_store/unknown_metric'
+require 'sqreen/metrics_store/unregistered_metric'
+require 'sqreen/metrics_store/already_registered_metric'
 module Sqreen
   # This store and register metrics
   class MetricsStore
-    # When a metric is not yet created
-    class UnregisteredMetric < Sqreen::Exception
-    end
-    # When the metric is unknown
-    class UnknownMetric < Sqreen::Exception
-    end
-    # When this name as already been declared with another kind
-    class AlreadyRegisteredMetric < Sqreen::Exception
-    end
     # definition keys
     NAME_KEY = 'name'.freeze
     KIND_KEY = 'kind'.freeze

data/lib/sqreen/metrics_store/already_registered_metric.rb ADDED

@@ -0,0 +1,11 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class MetricsStore
+    class AlreadyRegisteredMetric < Sqreen::Exception
+    end
+  end
+end

data/lib/sqreen/metrics_store/unknown_metric.rb ADDED

@@ -0,0 +1,11 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class MetricsStore
+    class UnknownMetric < Sqreen::Exception
+    end
+  end
+end

data/lib/sqreen/metrics_store/unregistered_metric.rb ADDED

@@ -0,0 +1,11 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class MetricsStore
+    class UnregisteredMetric < Sqreen::Exception
+    end
+  end
+end

data/lib/sqreen/middleware.rb CHANGED

@@ -11,38 +11,4 @@ module Sqreen
       @app.call(env)
     end
   end
-  class ErrorHandlingMiddleware
-    def initialize(app)
-      @app = app
-    end
-    def call(env)
-      @app.call(env)
-    rescue => e
-      sqreen_attack = nil
-      if e.is_a?(Sqreen::AttackBlocked)
-        sqreen_attack = e
-      elsif e.respond_to?(:original_exception) &&
-                            e.original_exception.is_a?(Sqreen::AttackBlocked)
-        sqreen_attack = e.original_exception
-      end
-      if sqreen_attack && sqreen_attack.redirect_url
-        return [303, { 'Location' => sqreen_attack.redirect_url }, ['']]
-      else
-        raise
-      end
-    end
-  end
-  class RailsMiddleware
-    def initialize(app)
-      @app = app
-    end
-    def call(env)
-      @app.call(env)
-    end
-  end
 end

data/lib/sqreen/mono_time.rb CHANGED

@@ -1,6 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: move to Sqreen::Time
 module Sqreen
   has_mono_time = begin
     Process.clock_gettime Process::CLOCK_MONOTONIC

data/lib/sqreen/node.rb ADDED

@@ -0,0 +1,44 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: move to Sqreen::IP::Trie
+module Sqreen
+  # bit starts at 0 (most significant)
+  Node = Struct.new(:bit, :prefix, :l, :r, :parent) do
+    def initialize(*args)
+      super
+      raise ArgumentError, 'no bit given' if bit.nil?
+    end
+    def empty?
+      prefix.nil?
+    end
+    # cover the whole tree
+    def walk(max_bits, empty_nodes = false)
+      xstack = Array.new(max_bits + 1)
+      sidx = 0 # stack index
+      xhead = self
+      xcur = xhead
+      until xcur.nil?
+        yield xcur unless xcur.empty? && !empty_nodes
+        if xcur.l
+          if xcur.r
+            xstack[sidx] = xcur.r
+            sidx += 1
+          end
+          xcur = xcur.l
+        elsif xcur.r
+          xcur = xcur.r
+        elsif sidx.nonzero?
+          sidx -= 1
+          xcur = xstack[sidx]
+        else
+          xcur = nil
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/not_implemented_yet.rb ADDED

@@ -0,0 +1,8 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class NotImplementedYet < Sqreen::Exception; end
+end

data/lib/sqreen/null_logger.rb ADDED

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'singleton'
+module Sqreen
+  class NullLogger
+    include Singleton
+    def debug(_msg = nil); end
+    def info(_msg = nil); end
+    def warn(_msg = nil); end
+    def error(_msg = nil); end
+    def fatal(_msg = nil); end
+    def add(_severity, _msg = nil); end
+    def formatter=(_); end
+  end
+end

data/lib/sqreen/payload_creator.rb CHANGED

@@ -3,6 +3,7 @@
 require 'sqreen/runtime_infos'
 require 'sqreen/events/remote_exception'
+require 'sqreen/payload_creator/header_section'
 module Sqreen
   # Create a payload from a given query
@@ -116,26 +117,8 @@ module Sqreen
       Sqreen::RemoteException.record(e)
     end
-    # object that default to call on framework header
-    class HeaderSection
-      def initialize(framework)
-        @framework = framework
-      end
-      def [](value)
-        if %w[rack_client_ip rails_client_ip ip_headers].include?(value)
-          return @framework.send(value)
-        end
-        @framework.header(value)
-      end
-      def ip_headers
-        @framework.ip_headers
-      end
-    end
     def section_headers(framework)
-      HeaderSection.new(framework)
+      Sqreen::PayloadCreator::HeaderSection.new(framework)
     end
   end
 end

data/lib/sqreen/payload_creator/header_section.rb ADDED

@@ -0,0 +1,28 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/runtime_infos'
+require 'sqreen/events/remote_exception'
+require 'sqreen/payload_creator/header_section'
+module Sqreen
+  class PayloadCreator
+    # object that default to call on framework header
+    class HeaderSection
+      def initialize(framework)
+        @framework = framework
+      end
+      def [](value)
+        if %w[rack_client_ip rails_client_ip ip_headers].include?(value)
+          return @framework.send(value)
+        end
+        @framework.header(value)
+      end
+      def ip_headers
+        @framework.ip_headers
+      end
+    end
+  end
+end

data/lib/sqreen/prefix.rb ADDED

@@ -0,0 +1,33 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'ipaddr'
+# TODO: move to Sqreen::IP
+module Sqreen
+  Prefix = Struct.new(:family, :bitlen, :address, :data) do # addr is integer
+    def initialize(*args)
+      super
+      raise ArgumentError, 'no family given' unless family
+      raise ArgumentError, 'no bitlen given' unless bitlen
+      raise ArgumentError, 'no address given' unless address
+    end
+    def matches?(address, family)
+      raise 'family mismatch' unless family == self.family
+      shift_amount = (family == Socket::AF_INET ? 32 : 128) - bitlen
+      (address ^ self.address) >> shift_amount == 0
+    end
+  end
+  def Prefix.from_str(str, data = nil)
+    ip_addr = IPAddr.new(str)
+    bitlen = if str =~ /\/(\d+)$/
+               $~[1].to_i
+             else
+               ip_addr.family == Socket::AF_INET6 ? 128 : 32
+             end
+    Prefix.new(ip_addr.family, bitlen, ip_addr.to_i, data)
+  end
+end

data/lib/sqreen/rails_middleware.rb ADDED

@@ -0,0 +1,14 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  class RailsMiddleware
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/remote_command.rb CHANGED

@@ -3,6 +3,7 @@
 require 'sqreen/log'
 require 'sqreen/events/remote_exception'
+require 'sqreen/remote_command/failure_output'
 module Sqreen
   # Execute and sanitize remote commands
@@ -21,14 +22,6 @@ module Sqreen
       :performance_budget => :change_performance_budget,
     }.freeze
-    # wraps output returned by a command that should also result in status: false
-    class FailureOutput
-      attr_reader :wrapped_output
-      def initialize(output)
-        @wrapped_output = output
-      end
-    end
     attr_reader :uuid
     def initialize(json_desc)

data/lib/sqreen/remote_command/failure_output.rb ADDED

@@ -0,0 +1,11 @@
+module Sqreen
+  class RemoteCommand
+    # wraps output returned by a command that should also result in status: false
+    class FailureOutput
+      attr_reader :wrapped_output
+      def initialize(output)
+        @wrapped_output = output
+      end
+    end
+  end
+end

data/lib/sqreen/rules.rb CHANGED

@@ -2,9 +2,39 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 require 'sqreen/log'
-require 'sqreen/rule_attributes'
-require 'sqreen/rules_callbacks'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/regexp_rule_cb'
+require 'sqreen/rules/matcher_rule'
+require 'sqreen/rules/record_request_context'
+require 'sqreen/rules/update_request_context'
+require 'sqreen/rules/rails_parameters_cb'
+require 'sqreen/rules/headers_insert_cb'
+require 'sqreen/rules/blacklist_ips_cb'
+require 'sqreen/rules/shell_env_cb'
+require 'sqreen/rules/url_matches_cb'
+require 'sqreen/rules/user_agent_matches_cb'
+require 'sqreen/rules/crawler_user_agent_matches_cb'
+require 'sqreen/rules/xss_cb'
+require 'sqreen/rules/execjs_cb'
+require 'sqreen/rules/binding_accessor_metrics'
+require 'sqreen/rules/binding_accessor_matcher_cb'
+require 'sqreen/rules/count_http_codes'
+require 'sqreen/rules/not_found_cb'
+require 'sqreen/rules/crawler_user_agent_matches_metrics_cb'
+require 'sqreen/rules/auth_track_cb'
+require 'sqreen/rules/signup_track_cb'
+require 'sqreen/rules/devise_auth_track_cb'
+require 'sqreen/rules/devise_signup_track_cb'
+require 'sqreen/rules/custom_error_cb'
+require 'sqreen/rules/waf_cb'
 ## Rules
 #

data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} RENAMED

File without changes

data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} RENAMED

@@ -1,8 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/rule_attributes'
-require 'sqreen/rule_callback'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/safe_json'
 module Sqreen

data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} RENAMED

@@ -1,10 +1,10 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/binding_accessor'
 require 'sqreen/mono_time'
-require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/rules/matcher_rule'
 module Sqreen
   module Rules
@@ -49,9 +49,7 @@ module Sqreen
       end
       def pre(inst, args, budget = nil, &_block)
-        unless budget.nil?
-          finish = budget + Sqreen.time
-        end
+        finish = budget + Sqreen.time unless budget.nil?
         resol_cache = Hash.new do |hash, accessor|
           hash[accessor] = accessor.resolve(binding, framework, inst, args)
         end
@@ -62,9 +60,7 @@ module Sqreen
             next unless val.respond_to?(:each)
             next if val.respond_to?(:seek)
             val.each do |v|
-              if !budget.nil? && Sqreen.time > finish
-                return nil
-              end
+              return nil if !budget.nil? && Sqreen.time > finish
               next if !v.is_a?(String) || (!matcher.min_size.nil? && v.size < matcher.min_size)
               next if v.size > MAX_LENGTH
               next if matcher.match(v).nil?

data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb RENAMED

@@ -1,7 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/binding_accessor'
 require 'sqreen/events/remote_exception'