sqreen 1.18.2-java → 1.18.3-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -0
- data/LICENSE +3 -0
- data/lib/sqreen/actions.rb +11 -337
- data/lib/sqreen/actions/base.rb +110 -0
- data/lib/sqreen/actions/block_ip.rb +32 -0
- data/lib/sqreen/actions/block_user.rb +44 -0
- data/lib/sqreen/actions/ip_range_indexed_action_class.rb +36 -0
- data/lib/sqreen/actions/ip_ranges_index.rb +36 -0
- data/lib/sqreen/actions/redirect_ip.rb +40 -0
- data/lib/sqreen/actions/redirect_user.rb +45 -0
- data/lib/sqreen/actions/repository.rb +24 -0
- data/lib/sqreen/actions/unknown_action_type.rb +16 -0
- data/lib/sqreen/actions/user_action_class.rb +41 -0
- data/lib/sqreen/agent.rb +4 -1
- data/lib/sqreen/attack_blocked.rb +17 -0
- data/lib/sqreen/binding_accessor.rb +9 -102
- data/lib/sqreen/binding_accessor/path_elem.rb +8 -0
- data/lib/sqreen/binding_accessor/transforms.rb +107 -0
- data/lib/sqreen/capped_queue.rb +2 -0
- data/lib/sqreen/{callbacks.rb → cb.rb} +1 -53
- data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +2 -2
- data/lib/sqreen/condition_evaluator.rb +22 -5
- data/lib/sqreen/configuration.rb +5 -0
- data/lib/sqreen/default_cb.rb +20 -0
- data/lib/sqreen/deferred_logger.rb +63 -0
- data/lib/sqreen/deliveries.rb +10 -0
- data/lib/sqreen/deliveries/batch.rb +7 -1
- data/lib/sqreen/deliveries/simple.rb +5 -0
- data/lib/sqreen/dependency/detector.rb +1 -1
- data/lib/sqreen/dependency/libsqreen.rb +28 -0
- data/lib/sqreen/dependency/rails.rb +4 -0
- data/lib/sqreen/dependency/sinatra.rb +47 -14
- data/lib/sqreen/error_handling_middleware.rb +30 -0
- data/lib/sqreen/event.rb +2 -0
- data/lib/sqreen/events/attack.rb +2 -0
- data/lib/sqreen/events/request_record.rb +11 -56
- data/lib/sqreen/exception.rb +9 -40
- data/lib/sqreen/formatter_with_tid.rb +45 -0
- data/lib/sqreen/framework_cb.rb +28 -0
- data/lib/sqreen/frameworks.rb +7 -0
- data/lib/sqreen/frameworks/generic.rb +20 -2
- data/lib/sqreen/frameworks/rails.rb +2 -0
- data/lib/sqreen/frameworks/request_recorder.rb +3 -0
- data/lib/sqreen/frameworks/sinatra.rb +2 -0
- data/lib/sqreen/frameworks/sqreen_test.rb +2 -0
- data/lib/sqreen/instrumentation.rb +5 -5
- data/lib/sqreen/invalid_signature_exception.rb +8 -0
- data/lib/{sqreen-alt.rb → sqreen/js.rb} +6 -1
- data/lib/sqreen/js/call_context.rb +10 -0
- data/lib/sqreen/js/context_pool.rb +60 -0
- data/lib/sqreen/js/exec_js_runnable.rb +20 -0
- data/lib/sqreen/js/execjs_adapter.rb +6 -47
- data/lib/sqreen/js/executable_js.rb +12 -0
- data/lib/sqreen/js/js_service.rb +2 -22
- data/lib/sqreen/js/js_service_adapter.rb +18 -0
- data/lib/sqreen/js/mini_racer_adapter.rb +6 -180
- data/lib/sqreen/js/mini_racer_executable_js.rb +142 -0
- data/lib/sqreen/js/thread_local_exec_js_runnable.rb +47 -0
- data/lib/sqreen/log.rb +8 -188
- data/lib/sqreen/logger.rb +83 -0
- data/lib/sqreen/metrics_store.rb +3 -11
- data/lib/sqreen/metrics_store/already_registered_metric.rb +11 -0
- data/lib/sqreen/metrics_store/unknown_metric.rb +11 -0
- data/lib/sqreen/metrics_store/unregistered_metric.rb +11 -0
- data/lib/sqreen/middleware.rb +0 -34
- data/lib/sqreen/mono_time.rb +2 -0
- data/lib/sqreen/node.rb +44 -0
- data/lib/sqreen/not_implemented_yet.rb +8 -0
- data/lib/sqreen/null_logger.rb +24 -0
- data/lib/sqreen/payload_creator.rb +2 -19
- data/lib/sqreen/payload_creator/header_section.rb +28 -0
- data/lib/sqreen/prefix.rb +33 -0
- data/lib/sqreen/rails_middleware.rb +14 -0
- data/lib/sqreen/remote_command.rb +1 -8
- data/lib/sqreen/remote_command/failure_output.rb +11 -0
- data/lib/sqreen/rules.rb +32 -2
- data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +0 -0
- data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +2 -2
- data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +4 -8
- data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +1 -1
- data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +3 -2
- data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +2 -2
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +2 -2
- data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +2 -2
- data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +49 -50
- data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +2 -2
- data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +2 -2
- data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +1 -1
- data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +1 -1
- data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +2 -2
- data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +4 -2
- data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +1 -1
- data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +2 -2
- data/lib/sqreen/rules/update_request_context.rb +20 -0
- data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +1 -1
- data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +10 -14
- data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +10 -7
- data/lib/sqreen/run_when_called_cb.rb +21 -0
- data/lib/sqreen/runtime_infos.rb +2 -9
- data/lib/sqreen/sensitive_data_redactor.rb +111 -0
- data/lib/sqreen/signature_verifier.rb +20 -0
- data/lib/sqreen/sinatra_middleware.rb +14 -0
- data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +5 -17
- data/lib/sqreen/token_invalid_exception.rb +8 -0
- data/lib/sqreen/token_not_found_exception.rb +9 -0
- data/lib/sqreen/trie.rb +3 -64
- data/lib/sqreen/unauthorized.rb +8 -0
- data/lib/sqreen/util.rb +2 -0
- data/lib/sqreen/util/capped_array.rb +33 -0
- data/lib/sqreen/util/capped_hash.rb +39 -0
- data/lib/sqreen/util/capped_string.rb +24 -0
- data/lib/sqreen/util/capper.rb +65 -0
- data/lib/sqreen/version.rb +1 -1
- data/lib/sqreen/waf_error.rb +18 -0
- metadata +87 -35
- data/lib/sqreen/rules_callbacks.rb +0 -35
- data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
|
@@ -2,8 +2,9 @@
|
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
4
|
require 'sqreen/trie'
|
|
5
|
+
require 'sqreen/prefix'
|
|
5
6
|
|
|
6
|
-
require 'sqreen/
|
|
7
|
+
require 'sqreen/rules/rule_cb'
|
|
7
8
|
|
|
8
9
|
module Sqreen
|
|
9
10
|
module Rules
|
|
@@ -46,7 +47,7 @@ module Sqreen
|
|
|
46
47
|
def find_blacklisted_ip(rip)
|
|
47
48
|
begin
|
|
48
49
|
ipa = IPAddr.new(rip)
|
|
49
|
-
rescue
|
|
50
|
+
rescue StandardError
|
|
50
51
|
Sqreen.log.info "invalid IP address given by framework: #{rip}"
|
|
51
52
|
return nil
|
|
52
53
|
end
|
|
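Review bot: `rescue StandardError` at new line 50 of find_blacklisted_ip is exactly as broad as the bare `rescue` it replaces, so programming errors (NoMethodError, TypeError) are still reported as "invalid IP address"; IPAddr raises IPAddr::InvalidAddressError, a subclass of ArgumentError, so `rescue ArgumentError` is the narrow form (add TypeError only if a non-String can reach this call, which the hunk does not show). The info-level message interpolates the raw framework-supplied value; if that value can originate from a client-controlled header, logging `rip.inspect` keeps embedded newlines or control characters from forging extra log lines. The method body continues past the hunk.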
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/attrs'
|
|
5
|
+
require 'sqreen/rules/rule_cb'
|
|
6
6
|
require 'sqreen/safe_json'
|
|
7
7
|
|
|
8
8
|
module Sqreen
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/matcher_rule'
|
|
5
5
|
require 'sqreen/frameworks'
|
|
6
6
|
|
|
7
7
|
module Sqreen
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/matcher_rule'
|
|
5
5
|
require 'sqreen/frameworks'
|
|
6
6
|
|
|
7
7
|
module Sqreen
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/attrs'
|
|
5
|
+
require 'sqreen/rules/rule_cb'
|
|
6
6
|
require 'sqreen/safe_json'
|
|
7
7
|
|
|
8
8
|
module Sqreen
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/attrs'
|
|
5
|
+
require 'sqreen/rules/rule_cb'
|
|
6
6
|
require 'sqreen/safe_json'
|
|
7
7
|
|
|
8
8
|
module Sqreen
|
|
@@ -1,11 +1,10 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
|
|
5
4
|
require 'sqreen/js/js_service'
|
|
6
5
|
|
|
7
|
-
require 'sqreen/
|
|
8
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/attrs'
|
|
7
|
+
require 'sqreen/rules/rule_cb'
|
|
9
8
|
require 'sqreen/condition_evaluator'
|
|
10
9
|
require 'sqreen/binding_accessor'
|
|
11
10
|
require 'sqreen/events/remote_exception'
|
|
@@ -14,7 +13,6 @@ module Sqreen
|
|
|
14
13
|
module Rules
|
|
15
14
|
# Exec js callbacks
|
|
16
15
|
class ExecJSCB < RuleCB
|
|
17
|
-
|
|
18
16
|
class << self
|
|
19
17
|
# @return [Sqreen::Js::JsService]
|
|
20
18
|
def js_service
|
|
@@ -77,7 +75,7 @@ module Sqreen
|
|
|
77
75
|
when NilClass
|
|
78
76
|
false
|
|
79
77
|
when Hash
|
|
80
|
-
ret.keys.each do |k|
|
|
78
|
+
ret.keys.each do |k| # rubocop:disable Performance/HashEachMethods
|
|
81
79
|
ret[(begin
|
|
82
80
|
k.to_sym
|
|
83
81
|
rescue StandardError
|
|
@@ -119,7 +117,6 @@ module Sqreen
|
|
|
119
117
|
|
|
120
118
|
# XXX: budgets was not subtracted from
|
|
121
119
|
call_callback(name, budget, inst, new_ba_args, args, rv)
|
|
122
|
-
|
|
123
120
|
rescue StandardError => e
|
|
124
121
|
Sqreen.log.warn { "Caught JS callback exception: #{e.inspect}" }
|
|
125
122
|
Sqreen.log.debug e.backtrace
|
|
@@ -127,10 +124,11 @@ module Sqreen
|
|
|
127
124
|
nil
|
|
128
125
|
end
|
|
129
126
|
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
127
|
+
class << self
|
|
128
|
+
def build_accessors(reqs)
|
|
129
|
+
reqs.map do |req|
|
|
130
|
+
BindingAccessor.new(req, true)
|
|
131
|
+
end
|
|
134
132
|
end
|
|
135
133
|
end
|
|
136
134
|
|
|
@@ -176,10 +174,10 @@ module Sqreen
|
|
|
176
174
|
next unless haystack_idx
|
|
177
175
|
|
|
178
176
|
arguments[haystack_idx] = ArgumentFilter.hash_val_included(
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
177
|
+
arguments[needed_idx],
|
|
178
|
+
arguments[haystack_idx],
|
|
179
|
+
min_length.to_i,
|
|
180
|
+
MAX_DEPTH
|
|
183
181
|
)
|
|
184
182
|
end
|
|
185
183
|
|
|
@@ -193,7 +191,7 @@ module Sqreen
|
|
|
193
191
|
next unless args_or_func.is_a?(Array)
|
|
194
192
|
args_bas = args_or_func[0..-2] unless args_or_func.empty?
|
|
195
193
|
@ba_expressions[name] =
|
|
196
|
-
|
|
194
|
+
ExecJSCB.build_accessors(args_bas).map(&:expression)
|
|
197
195
|
end
|
|
198
196
|
end
|
|
199
197
|
|
|
@@ -212,47 +210,48 @@ module Sqreen
|
|
|
212
210
|
end
|
|
213
211
|
end
|
|
214
212
|
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
|
|
240
|
-
|
|
213
|
+
class << self
|
|
214
|
+
def hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
|
|
215
|
+
new_obj = {}
|
|
216
|
+
insert = []
|
|
217
|
+
to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
|
|
218
|
+
until to_do.empty?
|
|
219
|
+
where, key, value, deepness = to_do.pop
|
|
220
|
+
safe_key = key.is_a?(Integer) ? key : key.to_s
|
|
221
|
+
if value.is_a?(Hash) && deepness < max_depth
|
|
222
|
+
val = {}
|
|
223
|
+
insert << [where, safe_key, val]
|
|
224
|
+
to_do += value.map { |k, v| [val, k, v, deepness + 1] }
|
|
225
|
+
elsif value.is_a?(Array) && deepness < max_depth
|
|
226
|
+
val = []
|
|
227
|
+
insert << [where, safe_key, val]
|
|
228
|
+
i = -1
|
|
229
|
+
to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
|
|
230
|
+
elsif deepness >= max_depth # if we are after max_depth don't try to filter
|
|
231
|
+
insert << [where, safe_key, value]
|
|
232
|
+
else
|
|
233
|
+
v = value.to_s
|
|
234
|
+
if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
|
|
235
|
+
case where
|
|
236
|
+
when Array
|
|
237
|
+
where << value
|
|
238
|
+
else
|
|
239
|
+
where[safe_key] = value
|
|
240
|
+
end
|
|
241
241
|
end
|
|
242
242
|
end
|
|
243
243
|
end
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
244
|
+
insert.reverse.each do |wh, ikey, ival|
|
|
245
|
+
case wh
|
|
246
|
+
when Array
|
|
247
|
+
wh << ival unless ival.respond_to?(:empty?) && ival.empty?
|
|
248
|
+
else
|
|
249
|
+
wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
|
|
250
|
+
end
|
|
251
251
|
end
|
|
252
|
+
new_obj
|
|
252
253
|
end
|
|
253
|
-
new_obj
|
|
254
254
|
end
|
|
255
255
|
end
|
|
256
256
|
end
|
|
257
257
|
end
|
|
258
|
-
|
|
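Review bot: In the hunk at old line 193/new line 191, `args_bas` is assigned only `unless args_or_func.empty?`, so for an empty array `ExecJSCB.build_accessors(args_bas)` on new line 194 receives nil and `reqs.map` raises NoMethodError — unless args_bas is initialised above the hunk, which I cannot see. `[][0..-2]` already returns `[]`, so `args_bas = args_or_func[0..-2]` without the modifier covers the empty case and keeps `@ba_expressions[name]` an array. Two smaller points in the same file: the `rubocop:disable Performance/HashEachMethods` added at new line 78 should state the reason (`ret.keys.each` appears to iterate a snapshot because the loop assigns into `ret`), and `BindingAccessor.new(req, true)` in build_accessors at new line 130 passes a positional boolean whose meaning the reader must look up, so a `# @param reqs [Array<String>]` line plus a comment naming what `true` selects would help. In hash_val_included, `needed.to_s` is recomputed for every leaf and `to_do += ...` reallocates the work list on each expansion; hoisting `needle = needed.to_s` before the loop and using `to_do.concat(...)` keeps behaviour and avoids both.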
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/rule_cb'
|
|
5
5
|
|
|
6
6
|
module Sqreen
|
|
7
7
|
module Rules
|
|
@@ -13,7 +13,7 @@ module Sqreen
|
|
|
13
13
|
res |= Regexp::MULTILINE if options.include?('multiline')
|
|
14
14
|
res |= Regexp::IGNORECASE unless case_sensitive
|
|
15
15
|
r = Regexp.compile(value, res)
|
|
16
|
-
r
|
|
16
|
+
r =~ ''
|
|
17
17
|
r
|
|
18
18
|
end
|
|
19
19
|
|
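Review bot: The added `r =~ ''` at new line 16 is a bare expression whose result is discarded, and nothing says why it is there, so the next reader will take it for dead code and remove it. If the intent is to exercise the compiled pattern once so that errors raised only at match time surface when the rule is loaded rather than during a request, say so: `r =~ '' # exercise the pattern now so match-time errors surface at rule load`. `=~` also sets `$~` as a side effect; if the file's Ruby baseline allows it, `r.match?('')` makes the throwaway nature explicit without allocating MatchData. The enclosing method starts above the hunk.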
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/framework_cb'
|
|
5
5
|
require 'sqreen/context'
|
|
6
6
|
require 'sqreen/conditionable'
|
|
7
7
|
require 'sqreen/call_countable'
|
|
8
|
-
require 'sqreen/
|
|
8
|
+
require 'sqreen/rules/attrs'
|
|
9
9
|
require 'sqreen/events/attack'
|
|
10
10
|
require 'sqreen/events/remote_exception'
|
|
11
11
|
require 'sqreen/payload_creator'
|
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/rule_cb'
|
|
5
5
|
require 'sqreen/actions'
|
|
6
6
|
require 'sqreen/middleware'
|
|
7
|
+
require 'sqreen/rails_middleware'
|
|
8
|
+
require 'sqreen/sinatra_middleware'
|
|
7
9
|
|
|
8
10
|
module Sqreen
|
|
9
11
|
module Rules
|
|
@@ -14,7 +16,7 @@ module Sqreen
|
|
|
14
16
|
def initialize(framework)
|
|
15
17
|
if defined?(Sqreen::Frameworks::SinatraFramework) &&
|
|
16
18
|
framework.is_a?(Sqreen::Frameworks::SinatraFramework)
|
|
17
|
-
super(
|
|
19
|
+
super(Sqreen::SinatraMiddleware, :call)
|
|
18
20
|
elsif defined?(Sqreen::Frameworks::RailsFramework) &&
|
|
19
21
|
framework.is_a?(Sqreen::Frameworks::RailsFramework)
|
|
20
22
|
super(Sqreen::RailsMiddleware, :call)
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
4
|
+
require 'sqreen/rules/attrs'
|
|
5
|
+
require 'sqreen/rules/rule_cb'
|
|
6
6
|
require 'sqreen/safe_json'
|
|
7
7
|
|
|
8
8
|
module Sqreen
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
|
+
|
|
4
|
+
require 'sqreen/rules/rule_cb'
|
|
5
|
+
|
|
6
|
+
module Sqreen
|
|
7
|
+
module Rules
|
|
8
|
+
class UpdateRequestContext < RuleCB
|
|
9
|
+
def initialize(*args)
|
|
10
|
+
super(*args)
|
|
11
|
+
@overtimeable = false
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def pre(_inst, args, _budget = nil, &_block)
|
|
15
|
+
framework.store_request(args[0])
|
|
16
|
+
advise_action(nil)
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
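Review bot: The new UpdateRequestContext class carries no documentation, and two of its choices are not self-explanatory: `@overtimeable = false` in initialize and `args[0]` in pre. A class comment along the lines of `# Stores the hooked method's first argument as the current framework request so later callbacks can read it` (the hooked method is not visible here, so confirm the wording) and `# presumably exempt from budget overtime handling — TODO confirm against RuleCB` on the @overtimeable line would spare the next maintainer a search through RuleCB. `args[0]` assumes the request is the first hooked argument; `args.first` with a comment naming the hooked method documents that assumption. `&_block` is accepted but unused; if RuleCB#pre does not require it in the signature, drop it.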
@@ -2,28 +2,21 @@
|
|
|
2
2
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
3
|
|
|
4
4
|
require 'securerandom'
|
|
5
|
-
require 'sqreen/
|
|
5
|
+
require 'sqreen/rules/attrs'
|
|
6
6
|
require 'sqreen/binding_accessor'
|
|
7
|
-
require 'sqreen/
|
|
7
|
+
require 'sqreen/rules/rule_cb'
|
|
8
8
|
require 'sqreen/safe_json'
|
|
9
9
|
require 'sqreen/exception'
|
|
10
|
+
require 'sqreen/util/capper'
|
|
11
|
+
require 'sqreen/dependency/libsqreen'
|
|
10
12
|
|
|
11
13
|
module Sqreen
|
|
12
14
|
module Rules
|
|
13
15
|
class WAFCB < RuleCB
|
|
14
16
|
BUDGET_MAX = 5000
|
|
15
17
|
|
|
16
|
-
# TODO: move to Dependency
|
|
17
|
-
begin
|
|
18
|
-
require 'libsqreen'
|
|
19
|
-
@libsqreen = true
|
|
20
|
-
rescue LoadError
|
|
21
|
-
Sqreen.log.warn('libsqreen gem not found')
|
|
22
|
-
@libsqreen = false
|
|
23
|
-
end
|
|
24
|
-
|
|
25
18
|
def self.libsqreen?
|
|
26
|
-
|
|
19
|
+
Sqreen::Dependency::LibSqreen.required?
|
|
27
20
|
end
|
|
28
21
|
|
|
29
22
|
def self.waf?
|
|
@@ -37,7 +30,7 @@ module Sqreen
|
|
|
37
30
|
@overtimeable = false
|
|
38
31
|
|
|
39
32
|
unless WAFCB.libsqreen? && WAFCB.waf?
|
|
40
|
-
Sqreen.log.warn('libsqreen gem not found')
|
|
33
|
+
Sqreen.log.warn('libsqreen gem with waf not found')
|
|
41
34
|
return
|
|
42
35
|
end
|
|
43
36
|
|
|
@@ -72,7 +65,10 @@ module Sqreen
|
|
|
72
65
|
|
|
73
66
|
env = [binding, framework, instance, args]
|
|
74
67
|
|
|
75
|
-
|
|
68
|
+
capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
|
|
69
|
+
waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
|
|
70
|
+
h[e] = capper.call(b.resolve(*env))
|
|
71
|
+
end
|
|
76
72
|
waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
|
|
77
73
|
action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, budget)
|
|
78
74
|
|
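Review bot: The `Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)` on new line 68 is rebuilt on every call with three bare numbers, and those numbers are a security boundary: whatever the capper drops beyond 4096 characters, 150 elements or depth 10 never reaches `::LibSqreen::WAF.run`, so it is not inspected. Hoist them next to `BUDGET_MAX` as named constants (for example `WAF_STRING_SIZE_CAP = 4096`, `WAF_SIZE_CAP = 150`, `WAF_DEPTH_CAP = 10`) with a comment stating that content beyond the caps is not seen by the WAF, and build the capper once if it holds no per-call state (Capper's implementation is not in this diff, so I cannot confirm that). If Capper can report that it truncated something, recording that in a metric makes the blind spot visible in telemetry instead of silent. The enclosing method starts above the hunk.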