RubyGems - sqreen - Versions diffs - 1.18.2-java → 1.18.3-java - Mend

sqreen 1.18.2-java → 1.18.3-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/LICENSE +3 -0
data/lib/sqreen/actions.rb +11 -337
data/lib/sqreen/actions/base.rb +110 -0
data/lib/sqreen/actions/block_ip.rb +32 -0
data/lib/sqreen/actions/block_user.rb +44 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +36 -0
data/lib/sqreen/actions/ip_ranges_index.rb +36 -0
data/lib/sqreen/actions/redirect_ip.rb +40 -0
data/lib/sqreen/actions/redirect_user.rb +45 -0
data/lib/sqreen/actions/repository.rb +24 -0
data/lib/sqreen/actions/unknown_action_type.rb +16 -0
data/lib/sqreen/actions/user_action_class.rb +41 -0
data/lib/sqreen/agent.rb +4 -1
data/lib/sqreen/attack_blocked.rb +17 -0
data/lib/sqreen/binding_accessor.rb +9 -102
data/lib/sqreen/binding_accessor/path_elem.rb +8 -0
data/lib/sqreen/binding_accessor/transforms.rb +107 -0
data/lib/sqreen/capped_queue.rb +2 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +1 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +2 -2
data/lib/sqreen/condition_evaluator.rb +22 -5
data/lib/sqreen/configuration.rb +5 -0
data/lib/sqreen/default_cb.rb +20 -0
data/lib/sqreen/deferred_logger.rb +63 -0
data/lib/sqreen/deliveries.rb +10 -0
data/lib/sqreen/deliveries/batch.rb +7 -1
data/lib/sqreen/deliveries/simple.rb +5 -0
data/lib/sqreen/dependency/detector.rb +1 -1
data/lib/sqreen/dependency/libsqreen.rb +28 -0
data/lib/sqreen/dependency/rails.rb +4 -0
data/lib/sqreen/dependency/sinatra.rb +47 -14
data/lib/sqreen/error_handling_middleware.rb +30 -0
data/lib/sqreen/event.rb +2 -0
data/lib/sqreen/events/attack.rb +2 -0
data/lib/sqreen/events/request_record.rb +11 -56
data/lib/sqreen/exception.rb +9 -40
data/lib/sqreen/formatter_with_tid.rb +45 -0
data/lib/sqreen/framework_cb.rb +28 -0
data/lib/sqreen/frameworks.rb +7 -0
data/lib/sqreen/frameworks/generic.rb +20 -2
data/lib/sqreen/frameworks/rails.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +3 -0
data/lib/sqreen/frameworks/sinatra.rb +2 -0
data/lib/sqreen/frameworks/sqreen_test.rb +2 -0
data/lib/sqreen/instrumentation.rb +5 -5
data/lib/sqreen/invalid_signature_exception.rb +8 -0
data/lib/{sqreen-alt.rb → sqreen/js.rb} +6 -1
data/lib/sqreen/js/call_context.rb +10 -0
data/lib/sqreen/js/context_pool.rb +60 -0
data/lib/sqreen/js/exec_js_runnable.rb +20 -0
data/lib/sqreen/js/execjs_adapter.rb +6 -47
data/lib/sqreen/js/executable_js.rb +12 -0
data/lib/sqreen/js/js_service.rb +2 -22
data/lib/sqreen/js/js_service_adapter.rb +18 -0
data/lib/sqreen/js/mini_racer_adapter.rb +6 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +142 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +47 -0
data/lib/sqreen/log.rb +8 -188
data/lib/sqreen/logger.rb +83 -0
data/lib/sqreen/metrics_store.rb +3 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +11 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +11 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +11 -0
data/lib/sqreen/middleware.rb +0 -34
data/lib/sqreen/mono_time.rb +2 -0
data/lib/sqreen/node.rb +44 -0
data/lib/sqreen/not_implemented_yet.rb +8 -0
data/lib/sqreen/null_logger.rb +24 -0
data/lib/sqreen/payload_creator.rb +2 -19
data/lib/sqreen/payload_creator/header_section.rb +28 -0
data/lib/sqreen/prefix.rb +33 -0
data/lib/sqreen/rails_middleware.rb +14 -0
data/lib/sqreen/remote_command.rb +1 -8
data/lib/sqreen/remote_command/failure_output.rb +11 -0
data/lib/sqreen/rules.rb +32 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +0 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +4 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +1 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +3 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +2 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +49 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +2 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +1 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +1 -1
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +2 -2
data/lib/sqreen/rules/update_request_context.rb +20 -0
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +10 -14
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +10 -7
data/lib/sqreen/run_when_called_cb.rb +21 -0
data/lib/sqreen/runtime_infos.rb +2 -9
data/lib/sqreen/sensitive_data_redactor.rb +111 -0
data/lib/sqreen/signature_verifier.rb +20 -0
data/lib/sqreen/sinatra_middleware.rb +14 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +5 -17
data/lib/sqreen/token_invalid_exception.rb +8 -0
data/lib/sqreen/token_not_found_exception.rb +9 -0
data/lib/sqreen/trie.rb +3 -64
data/lib/sqreen/unauthorized.rb +8 -0
data/lib/sqreen/util.rb +2 -0
data/lib/sqreen/util/capped_array.rb +33 -0
data/lib/sqreen/util/capped_hash.rb +39 -0
data/lib/sqreen/util/capped_string.rb +24 -0
data/lib/sqreen/util/capper.rb +65 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/waf_error.rb +18 -0
metadata +87 -35
data/lib/sqreen/rules_callbacks.rb +0 -35
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

data/lib/sqreen/metrics_store.rb CHANGED

@@ -1,23 +1,15 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/exception'
 require 'sqreen/metrics'
 require 'sqreen/mono_time'
+require 'sqreen/metrics_store/unknown_metric'
+require 'sqreen/metrics_store/unregistered_metric'
+require 'sqreen/metrics_store/already_registered_metric'
 module Sqreen
   # This store and register metrics
   class MetricsStore
-    # When a metric is not yet created
-    class UnregisteredMetric < Sqreen::Exception
-    end
-    # When the metric is unknown
-    class UnknownMetric < Sqreen::Exception
-    end
-    # When this name as already been declared with another kind
-    class AlreadyRegisteredMetric < Sqreen::Exception
-    end
     # definition keys
     NAME_KEY = 'name'.freeze
     KIND_KEY = 'kind'.freeze

data/lib/sqreen/metrics_store/already_registered_metric.rb ADDED

@@ -0,0 +1,11 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class MetricsStore
+    class AlreadyRegisteredMetric < Sqreen::Exception
+    end
+  end
+end

data/lib/sqreen/metrics_store/unknown_metric.rb ADDED

@@ -0,0 +1,11 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class MetricsStore
+    class UnknownMetric < Sqreen::Exception
+    end
+  end
+end

data/lib/sqreen/metrics_store/unregistered_metric.rb ADDED

@@ -0,0 +1,11 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class MetricsStore
+    class UnregisteredMetric < Sqreen::Exception
+    end
+  end
+end

data/lib/sqreen/middleware.rb CHANGED

@@ -11,38 +11,4 @@ module Sqreen
       @app.call(env)
     end
   end
-  class ErrorHandlingMiddleware
-    def initialize(app)
-      @app = app
-    end
-    def call(env)
-      @app.call(env)
-    rescue => e
-      sqreen_attack = nil
-      if e.is_a?(Sqreen::AttackBlocked)
-        sqreen_attack = e
-      elsif e.respond_to?(:original_exception) &&
-                            e.original_exception.is_a?(Sqreen::AttackBlocked)
-        sqreen_attack = e.original_exception
-      end
-      if sqreen_attack && sqreen_attack.redirect_url
-        return [303, { 'Location' => sqreen_attack.redirect_url }, ['']]
-      else
-        raise
-      end
-    end
-  end
-  class RailsMiddleware
-    def initialize(app)
-      @app = app
-    end
-    def call(env)
-      @app.call(env)
-    end
-  end
 end

data/lib/sqreen/mono_time.rb CHANGED

@@ -1,6 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: move to Sqreen::Time
 module Sqreen
   has_mono_time = begin
     Process.clock_gettime Process::CLOCK_MONOTONIC

data/lib/sqreen/node.rb ADDED

@@ -0,0 +1,44 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: move to Sqreen::IP::Trie
+module Sqreen
+  # bit starts at 0 (most significant)
+  Node = Struct.new(:bit, :prefix, :l, :r, :parent) do
+    def initialize(*args)
+      super
+      raise ArgumentError, 'no bit given' if bit.nil?
+    end
+    def empty?
+      prefix.nil?
+    end
+    # cover the whole tree
+    def walk(max_bits, empty_nodes = false)
+      xstack = Array.new(max_bits + 1)
+      sidx = 0 # stack index
+      xhead = self
+      xcur = xhead
+      until xcur.nil?
+        yield xcur unless xcur.empty? && !empty_nodes
+        if xcur.l
+          if xcur.r
+            xstack[sidx] = xcur.r
+            sidx += 1
+          end
+          xcur = xcur.l
+        elsif xcur.r
+          xcur = xcur.r
+        elsif sidx.nonzero?
+          sidx -= 1
+          xcur = xstack[sidx]
+        else
+          xcur = nil
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/not_implemented_yet.rb ADDED

@@ -0,0 +1,8 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  class NotImplementedYet < Sqreen::Exception; end
+end

data/lib/sqreen/null_logger.rb ADDED

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'singleton'
+module Sqreen
+  class NullLogger
+    include Singleton
+    def debug(_msg = nil); end
+    def info(_msg = nil); end
+    def warn(_msg = nil); end
+    def error(_msg = nil); end
+    def fatal(_msg = nil); end
+    def add(_severity, _msg = nil); end
+    def formatter=(_); end
+  end
+end

data/lib/sqreen/payload_creator.rb CHANGED

@@ -3,6 +3,7 @@
 require 'sqreen/runtime_infos'
 require 'sqreen/events/remote_exception'
+require 'sqreen/payload_creator/header_section'
 module Sqreen
   # Create a payload from a given query
@@ -116,26 +117,8 @@ module Sqreen
       Sqreen::RemoteException.record(e)
     end
-    # object that default to call on framework header
-    class HeaderSection
-      def initialize(framework)
-        @framework = framework
-      end
-      def [](value)
-        if %w[rack_client_ip rails_client_ip ip_headers].include?(value)
-          return @framework.send(value)
-        end
-        @framework.header(value)
-      end
-      def ip_headers
-        @framework.ip_headers
-      end
-    end
     def section_headers(framework)
-      HeaderSection.new(framework)
+      Sqreen::PayloadCreator::HeaderSection.new(framework)
     end
   end
 end

data/lib/sqreen/payload_creator/header_section.rb ADDED

@@ -0,0 +1,28 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/runtime_infos'
+require 'sqreen/events/remote_exception'
+require 'sqreen/payload_creator/header_section'
+module Sqreen
+  class PayloadCreator
+    # object that default to call on framework header
+    class HeaderSection
+      def initialize(framework)
+        @framework = framework
+      end
+      def [](value)
+        if %w[rack_client_ip rails_client_ip ip_headers].include?(value)
+          return @framework.send(value)
+        end
+        @framework.header(value)
+      end
+      def ip_headers
+        @framework.ip_headers
+      end
+    end
+  end
+end

data/lib/sqreen/prefix.rb ADDED

@@ -0,0 +1,33 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'ipaddr'
+# TODO: move to Sqreen::IP
+module Sqreen
+  Prefix = Struct.new(:family, :bitlen, :address, :data) do # addr is integer
+    def initialize(*args)
+      super
+      raise ArgumentError, 'no family given' unless family
+      raise ArgumentError, 'no bitlen given' unless bitlen
+      raise ArgumentError, 'no address given' unless address
+    end
+    def matches?(address, family)
+      raise 'family mismatch' unless family == self.family
+      shift_amount = (family == Socket::AF_INET ? 32 : 128) - bitlen
+      (address ^ self.address) >> shift_amount == 0
+    end
+  end
+  def Prefix.from_str(str, data = nil)
+    ip_addr = IPAddr.new(str)
+    bitlen = if str =~ /\/(\d+)$/
+               $~[1].to_i
+             else
+               ip_addr.family == Socket::AF_INET6 ? 128 : 32
+             end
+    Prefix.new(ip_addr.family, bitlen, ip_addr.to_i, data)
+  end
+end

data/lib/sqreen/rails_middleware.rb ADDED

@@ -0,0 +1,14 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  class RailsMiddleware
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/remote_command.rb CHANGED

@@ -3,6 +3,7 @@
 require 'sqreen/log'
 require 'sqreen/events/remote_exception'
+require 'sqreen/remote_command/failure_output'
 module Sqreen
   # Execute and sanitize remote commands
@@ -21,14 +22,6 @@ module Sqreen
       :performance_budget => :change_performance_budget,
     }.freeze
-    # wraps output returned by a command that should also result in status: false
-    class FailureOutput
-      attr_reader :wrapped_output
-      def initialize(output)
-        @wrapped_output = output
-      end
-    end
     attr_reader :uuid
     def initialize(json_desc)

data/lib/sqreen/remote_command/failure_output.rb ADDED

@@ -0,0 +1,11 @@
+module Sqreen
+  class RemoteCommand
+    # wraps output returned by a command that should also result in status: false
+    class FailureOutput
+      attr_reader :wrapped_output
+      def initialize(output)
+        @wrapped_output = output
+      end
+    end
+  end
+end

data/lib/sqreen/rules.rb CHANGED

@@ -2,9 +2,39 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 require 'sqreen/log'
-require 'sqreen/rule_attributes'
-require 'sqreen/rules_callbacks'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/regexp_rule_cb'
+require 'sqreen/rules/matcher_rule'
+require 'sqreen/rules/record_request_context'
+require 'sqreen/rules/update_request_context'
+require 'sqreen/rules/rails_parameters_cb'
+require 'sqreen/rules/headers_insert_cb'
+require 'sqreen/rules/blacklist_ips_cb'
+require 'sqreen/rules/shell_env_cb'
+require 'sqreen/rules/url_matches_cb'
+require 'sqreen/rules/user_agent_matches_cb'
+require 'sqreen/rules/crawler_user_agent_matches_cb'
+require 'sqreen/rules/xss_cb'
+require 'sqreen/rules/execjs_cb'
+require 'sqreen/rules/binding_accessor_metrics'
+require 'sqreen/rules/binding_accessor_matcher_cb'
+require 'sqreen/rules/count_http_codes'
+require 'sqreen/rules/not_found_cb'
+require 'sqreen/rules/crawler_user_agent_matches_metrics_cb'
+require 'sqreen/rules/auth_track_cb'
+require 'sqreen/rules/signup_track_cb'
+require 'sqreen/rules/devise_auth_track_cb'
+require 'sqreen/rules/devise_signup_track_cb'
+require 'sqreen/rules/custom_error_cb'
+require 'sqreen/rules/waf_cb'
 ## Rules
 #

data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} RENAMED

File without changes

data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} RENAMED

@@ -1,8 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/rule_attributes'
-require 'sqreen/rule_callback'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/safe_json'
 module Sqreen

data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} RENAMED

@@ -1,10 +1,10 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/binding_accessor'
 require 'sqreen/mono_time'
-require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/rules/matcher_rule'
 module Sqreen
   module Rules
@@ -49,9 +49,7 @@ module Sqreen
       end
       def pre(inst, args, budget = nil, &_block)
-        unless budget.nil?
-          finish = budget + Sqreen.time
-        end
+        finish = budget + Sqreen.time unless budget.nil?
         resol_cache = Hash.new do |hash, accessor|
           hash[accessor] = accessor.resolve(binding, framework, inst, args)
         end
@@ -62,9 +60,7 @@ module Sqreen
             next unless val.respond_to?(:each)
             next if val.respond_to?(:seek)
             val.each do |v|
-              if !budget.nil? && Sqreen.time > finish
-                return nil
-              end
+              return nil if !budget.nil? && Sqreen.time > finish
               next if !v.is_a?(String) || (!matcher.min_size.nil? && v.size < matcher.min_size)
               next if v.size > MAX_LENGTH
               next if matcher.match(v).nil?

data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb RENAMED

@@ -1,7 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/binding_accessor'
 require 'sqreen/events/remote_exception'