sqreen 1.18.2-java → 1.18.3-java

data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb}

@@ -3,8 +3,8 @@
 
 require 'cgi'
 
-require 'sqreen/rule_callback'
-require 'sqreen/rules_callbacks/regexp_rule'
+require 'sqreen/rules/rule_cb'
+require 'sqreen/rules/regexp_rule_cb'
 
 # Sqreen module
 module Sqreen
@@ -21,6 +21,7 @@ module Sqreen
         return nil unless framework
         framework.xss_params(@union_pattern)
       end
+
       # The remaining code is only to find out if user entry was an attack,
       # and record it. Since we don't rely on it to respond to user, it would
       # be better to do it in background.
@@ -36,6 +37,7 @@ module Sqreen
         true
       end
     end
+
     class ReflectedUnsafeXSSCB < XSSCB
       def pre(_inst, args, _budget = nil, &_block)
         value = args[0]
@@ -52,13 +54,12 @@ module Sqreen
         return unless report_dangerous_xss?(saved_value)
 
         # potential XSS! let's escape
-        if block
-          args[0].replace(CGI.escape_html(value))
-        end
+        args[0].replace(CGI.escape_html(value)) if block
 
         advise_action(nil)
       end
     end
+
     # look for reflected XSS with erb template engine
     class ReflectedXSSCB < XSSCB
       def pre(_inst, args, _budget = nil, &_block)
@@ -84,6 +85,7 @@ module Sqreen
         advise_action(nil)
       end
     end
+
     # look for reflected XSS with haml template engine
     # hook function arguments of
     # Haml::Buffer.format_script(result, preserve_script, in_tag, preserve_tag,
@@ -145,7 +147,7 @@ module Sqreen
         if tag.value[:escape_html] == false &&
            tag.value[:value].respond_to?(:include?) &&
            !tag.value[:value].include?('html_escape') &&
-            tag.value[:parse] == true
+           tag.value[:parse] == true
           tag.value[:value] = "Sqreen.escape_haml((#{tag.value[:value]}))"
           return { :status => :override, :new_return_value => tag }
         end
@@ -172,7 +174,8 @@ module Sqreen
             res << '#{'
           else
             # Use eval to get rid of string escapes
-            content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"')
+            # TODO: look for eval removal
+            content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"') # rubocop:disable Security/Eval
             content = "Haml::Helpers.html_escape((#{content}))" if escape_html
             res << '#{Sqreen.escape_haml((' + content + '))}'
           end

data/lib/sqreen/run_when_called_cb.rb

@@ -0,0 +1,21 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/cb'
+
+module Sqreen
+  class RunWhenCalledCB < CB
+    def initialize(klass, method, &block)
+      super(klass, method)
+
+      raise 'missing block' unless block_given?
+      @block = block
+    end
+
+    def pre(_inst, _args, _budget = nil, &_block)
+      # FIXME: implement this removal
+      @remove_me = true
+      @block.call
+    end
+  end
+end

data/lib/sqreen/runtime_infos.rb

@@ -3,6 +3,7 @@
 
 require 'sqreen/version'
 require 'sqreen/frameworks'
+require 'sqreen/dependency/libsqreen'
 
 require 'socket'
 require 'digest/sha1'
@@ -71,15 +72,7 @@ module Sqreen
     end
 
     def libsqreen?
-      libsqreen_loaded? && !libsqreen_stub?
-    end
-
-    def libsqreen_loaded?
-      Kernel.const_defined?('LibSqreen')
-    end
-
-    def libsqreen_stub?
-      !::LibSqreen.respond_to?(:version)
+      Sqreen::Dependency::LibSqreen.required? && !Sqreen::Dependency::LibSqreen.stub?
     end
 
     def libsqreen_version

data/lib/sqreen/sensitive_data_redactor.rb

@@ -0,0 +1,111 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+# TODO: Sqreen.config_get
+
+require 'json'
+require 'sqreen/log'
+
+module Sqreen
+  # For redacting sensitive data and avoid having it sent to our servers
+  class SensitiveDataRedactor
+    DEFAULT_SENSITIVE_KEYS = Set.new(%w[password secret passwd authorization api_key apikey access_token]).freeze
+    DEFAULT_REGEX = /\A(?:\d[ -]*?){13,16}\z/
+    MASK = '<Redacted by Sqreen>'.freeze
+
+    def self.from_config
+      keys = Sqreen.config_get(:strip_sensitive_keys)
+      keys = keys.split(',') if keys && keys.is_a?(String)
+
+      regex = Sqreen.config_get(:strip_sensitive_regex)
+      if regex && regex.is_a?(String)
+        begin
+          regex = Regexp.compile(regex)
+        rescue RegexpError
+          Sqreen.log.warn("Invalid regular expression given in strip_sensitive_regex: #{regex}")
+          regex = nil
+        end
+      else
+        regex = nil
+      end
+
+      new(keys: keys, regex: regex)
+    end
+
+    def initialize(params = {})
+      @regex = params[:regex] || DEFAULT_REGEX
+      @keys = (params[:keys] || DEFAULT_SENSITIVE_KEYS).map(&:downcase)
+    end
+
+    def redact(obj)
+      result = obj
+      redacted = []
+
+      case obj
+      when String
+        if obj =~ @regex
+          result = MASK
+          redacted << obj
+        end
+      when Array
+        result = []
+        obj.each do |e|
+          e, r = redact(e)
+          result << e
+          redacted += r
+        end
+      when Hash
+        result = {}
+        obj.each do |k, v|
+          ck = k.is_a?(String) ? k.downcase : k
+          if @keys.include?(ck)
+            redacted << v
+            v = MASK
+          else
+            v, r = redact(v)
+            redacted += r
+          end
+          result[k] = v
+        end
+      end
+
+      [result, redacted]
+    end
+
+    def redact_attacks!(attacks, values)
+      return attacks if values.empty?
+
+      values = values.map { |v| v.downcase if v.is_a?(String) }
+
+      attacks.each do |e|
+        next(e) unless e[:infos]
+        next(e) unless e[:infos][:waf_data]
+
+        parsed = JSON.parse(e[:infos][:waf_data])
+        redacted = parsed.each do |w|
+          next unless (filters = w['filter'])
+
+          filters.each do |f|
+            next unless (v = f['resolved_value'])
+            next unless values.include?(v.downcase)
+
+            f['match_status'] = MASK
+            f['resolved_value'] = MASK
+          end
+        end
+        e[:infos][:waf_data] = JSON.dump(redacted)
+      end
+    end
+
+    def redact_exceptions!(exceptions, values)
+      return exceptions if values.empty?
+
+      exceptions.each do |e|
+        next(e) unless e[:infos]
+        next(e) unless e[:infos][:waf]
+
+        e[:infos][:waf].delete(:args)
+      end
+    end
+  end
+end

data/lib/sqreen/signature_verifier.rb

@@ -0,0 +1,20 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'openssl'
+
+## Rules signature
+module Sqreen
+  # Perform an EC + digest verification of a message.
+  class SignatureVerifier
+    def initialize(key, digest)
+      @pub_key              = OpenSSL::PKey.read(key)
+      @digest               = digest
+    end
+
+    def verify(sig, val)
+      hashed_val = @digest.digest(val)
+      @pub_key.dsa_verify_asn1(hashed_val, sig)
+    end
+  end
+end

data/lib/sqreen/sinatra_middleware.rb

@@ -0,0 +1,14 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  class SinatraMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb}

@@ -1,8 +1,6 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/exception'
-
 require 'set'
 require 'openssl'
 require 'base64'
@@ -18,21 +16,11 @@ else
   end
 end
 
+require 'sqreen/exception'
+require 'sqreen/signature_verifier'
+
 ## Rules signature
 module Sqreen
-  # Perform an EC + digest verification of a message.
-  class SignatureVerifier
-    def initialize(key, digest)
-      @pub_key              = OpenSSL::PKey.read(key)
-      @digest               = digest
-    end
-
-    def verify(sig, val)
-      hashed_val = @digest.digest(val)
-      @pub_key.dsa_verify_asn1(hashed_val, sig)
-    end
-  end
-
   # Normalize and verify a rule
   class SqreenSignedVerifier
     REQUIRED_SIGNED_KEYS = %w[hookpoint name callbacks conditions].freeze
@@ -40,14 +28,14 @@ module Sqreen
     SIGNATURE_VALUE_KEY  = 'value'.freeze
     SIGNED_KEYS_KEY      = 'keys'.freeze
     SIGNATURE_VERSION    = 'v0_9'.freeze
-    PUBLIC_KEY           = <<-END.gsub(/^ */, '').freeze
+    PUBLIC_KEY           = <<-KEY.gsub(/^ */, '').freeze
     -----BEGIN PUBLIC KEY-----
     MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA39oWMHR8sxb9LRaM5evZ7mw03iwJ
     WNHuDeGqgPo1HmvuMfLnAyVLwaMXpGPuvbqhC1U65PG90bTJLpvNokQf0VMA5Tpi
     m+NXwl7bjqa03vO/HErLbq3zBRysrZnC4OhJOF1jazkAg0psQOea2r5HcMcPHgMK
     fnWXiKWnZX+uOWPuerE=
     -----END PUBLIC KEY-----
-    END
+    KEY
 
     attr_accessor :pub_key
     attr_accessor :required_signed_keys

data/lib/sqreen/token_invalid_exception.rb

@@ -0,0 +1,8 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+
+module Sqreen
+  class TokenInvalidException < Sqreen::Exception; end
+end

data/lib/sqreen/token_not_found_exception.rb

@@ -0,0 +1,9 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+
+module Sqreen
+  # When the token is not found
+  class TokenNotFoundException < Sqreen::Exception; end
+end

data/lib/sqreen/trie.rb

@@ -2,6 +2,9 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'ipaddr'
+require 'sqreen/node'
+
+# TODO: move to Sqreen::IP
 
 module Sqreen
   Trie = Struct.new(:head, :num_active_nodes, :family) do
@@ -211,68 +214,4 @@ module Sqreen
       xstack
     end
   end
-
-  Prefix = Struct.new(:family, :bitlen, :address, :data) do # addr is integer
-    def initialize(*args)
-      super
-      raise ArgumentError, 'no family given' unless family
-      raise ArgumentError, 'no bitlen given' unless bitlen
-      raise ArgumentError, 'no address given' unless address
-    end
-
-    def matches?(addr, family)
-      raise 'family mismatch' unless family == self.family
-      shift_amount = (family == Socket::AF_INET ? 32 : 128) - self.bitlen
-      (addr ^ self.address) >> shift_amount == 0
-    end
-  end
-
-  def Prefix.from_str(str, data = nil)
-    ip_addr = IPAddr.new(str)
-    if str =~ /\/(\d+)$/
-      bitlen = $~[1].to_i
-    else
-      bitlen = ip_addr.family == Socket::AF_INET6 ? 128 : 32
-    end
-    Prefix.new(ip_addr.family, bitlen, ip_addr.to_i, data)
-  end
-
-  # bit starts at 0 (most significant)
-  Node = Struct.new(:bit, :prefix, :l, :r, :parent) do
-    def initialize(*args)
-      super
-      raise ArgumentError, 'no bit given' if bit.nil?
-    end
-
-    def empty?
-      prefix.nil?
-    end
-
-    # cover the whole tree
-    def walk(max_bits, empty_nodes = false)
-      xstack = Array.new(max_bits + 1)
-      sidx = 0 # stack index
-      xhead = self
-      xcur = xhead
-      while !xcur.nil?
-        yield xcur unless xcur.empty? && !empty_nodes
-
-        if xcur.l
-          if xcur.r
-            xstack[sidx] = xcur.r
-            sidx += 1
-          end
-          xcur = xcur.l
-        elsif xcur.r
-          xcur = xcur.r
-        elsif sidx.nonzero?
-          sidx -= 1
-          xcur = xstack[sidx]
-        else
-          xcur = nil
-        end
-      end
-    end
-  end
-
 end

data/lib/sqreen/unauthorized.rb

@@ -0,0 +1,8 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+
+module Sqreen
+  class Unauthorized < Sqreen::Exception; end
+end

data/lib/sqreen/util.rb

@@ -0,0 +1,2 @@
+module Sqreen; end
+module Sqreen::Util; end

data/lib/sqreen/util/capped_array.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/util'
+
+class Sqreen::Util::CappedArray < Array
+  attr_reader :size_cap, :depth_cap
+
+  def initialize(*args, &block)
+    opts = args.last.is_a?(Hash) ? args.pop : {}
+    size_cap = opts[:size_cap] || 150
+    depth_cap = opts[:depth_cap] || 10
+    @size_cap = size_cap
+    @depth_cap = depth_cap
+
+    super(*args, &block)
+  end
+
+  def <<(value)
+    keep?(size, value) ? super : self
+  end
+  alias_method :append, :<<
+
+  def []=(index, value)
+    super if keep?(index, value)
+  end
+
+  private
+
+  def keep?(index, value)
+    index < size_cap && (depth_cap > 0 || !value.is_a?(Hash) && !value.is_a?(Array))
+  end
+end