sqreen 1.18.2-java → 1.19.0-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/LICENSE +3 -0
- data/lib/sqreen.rb +2 -0
- data/lib/sqreen/actions.rb +13 -337
- data/lib/sqreen/actions/actions_index.rb +16 -0
- data/lib/sqreen/actions/base.rb +104 -0
- data/lib/sqreen/actions/block_ip.rb +34 -0
- data/lib/sqreen/actions/block_user.rb +46 -0
- data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
- data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
- data/lib/sqreen/actions/redirect_ip.rb +42 -0
- data/lib/sqreen/actions/redirect_user.rb +47 -0
- data/lib/sqreen/actions/repository.rb +43 -0
- data/lib/sqreen/actions/unknown_action_type.rb +20 -0
- data/lib/sqreen/actions/user_action_class.rb +16 -0
- data/lib/sqreen/actions/users_index.rb +35 -0
- data/lib/sqreen/agent.rb +6 -2
- data/lib/sqreen/attack_blocked.rb +19 -0
- data/lib/sqreen/backport.rb +2 -0
- data/lib/sqreen/backport/clock_gettime.rb +74 -0
- data/lib/sqreen/backport/original_name.rb +2 -0
- data/lib/sqreen/binding_accessor.rb +11 -102
- data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
- data/lib/sqreen/binding_accessor/transforms.rb +114 -0
- data/lib/sqreen/call_countable.rb +2 -0
- data/lib/sqreen/capped_queue.rb +4 -0
- data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
- data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
- data/lib/sqreen/condition_evaluator.rb +24 -5
- data/lib/sqreen/conditionable.rb +2 -0
- data/lib/sqreen/configuration.rb +19 -0
- data/lib/sqreen/context.rb +2 -0
- data/lib/sqreen/default_cb.rb +22 -0
- data/lib/sqreen/deferred_logger.rb +65 -0
- data/lib/sqreen/deliveries.rb +12 -0
- data/lib/sqreen/deliveries/batch.rb +9 -1
- data/lib/sqreen/deliveries/simple.rb +7 -0
- data/lib/sqreen/dependency.rb +3 -1
- data/lib/sqreen/dependency/detector.rb +22 -14
- data/lib/sqreen/dependency/libsqreen.rb +32 -0
- data/lib/sqreen/dependency/new_relic.rb +2 -0
- data/lib/sqreen/dependency/rack.rb +10 -5
- data/lib/sqreen/dependency/rails.rb +8 -0
- data/lib/sqreen/dependency/sentry.rb +2 -0
- data/lib/sqreen/dependency/sinatra.rb +58 -14
- data/lib/sqreen/encoding_sanitizer.rb +2 -0
- data/lib/sqreen/error_handling_middleware.rb +32 -0
- data/lib/sqreen/event.rb +4 -0
- data/lib/sqreen/events/attack.rb +4 -0
- data/lib/sqreen/events/remote_exception.rb +2 -0
- data/lib/sqreen/events/request_record.rb +13 -56
- data/lib/sqreen/exception.rb +11 -40
- data/lib/sqreen/formatter_with_tid.rb +47 -0
- data/lib/sqreen/framework_cb.rb +30 -0
- data/lib/sqreen/frameworks.rb +9 -0
- data/lib/sqreen/frameworks/generic.rb +22 -2
- data/lib/sqreen/frameworks/rails.rb +3 -0
- data/lib/sqreen/frameworks/rails3.rb +2 -0
- data/lib/sqreen/frameworks/request_recorder.rb +5 -0
- data/lib/sqreen/frameworks/sinatra.rb +4 -0
- data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
- data/lib/sqreen/graft.rb +12 -0
- data/lib/sqreen/graft/call.rb +150 -0
- data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
- data/lib/sqreen/graft/hook.rb +316 -0
- data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
- data/lib/sqreen/graft/hook_point_error.rb +10 -0
- data/lib/sqreen/invalid_signature_exception.rb +10 -0
- data/lib/sqreen/js.rb +11 -0
- data/lib/sqreen/js/call_context.rb +12 -0
- data/lib/sqreen/js/context_pool.rb +62 -0
- data/lib/sqreen/js/exec_js_runnable.rb +22 -0
- data/lib/sqreen/js/execjs_adapter.rb +8 -47
- data/lib/sqreen/js/executable_js.rb +14 -0
- data/lib/sqreen/js/js_service.rb +4 -22
- data/lib/sqreen/js/js_service_adapter.rb +20 -0
- data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
- data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
- data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
- data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
- data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
- data/lib/sqreen/log.rb +10 -188
- data/lib/sqreen/log/loggable.rb +28 -0
- data/lib/sqreen/logger.rb +85 -0
- data/lib/sqreen/metrics.rb +2 -0
- data/lib/sqreen/metrics/average.rb +2 -0
- data/lib/sqreen/metrics/base.rb +2 -0
- data/lib/sqreen/metrics/binning.rb +2 -0
- data/lib/sqreen/metrics/collect.rb +2 -0
- data/lib/sqreen/metrics/sum.rb +2 -0
- data/lib/sqreen/metrics_store.rb +5 -11
- data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
- data/lib/sqreen/middleware.rb +2 -34
- data/lib/sqreen/mono_time.rb +4 -0
- data/lib/sqreen/node.rb +46 -0
- data/lib/sqreen/not_implemented_yet.rb +10 -0
- data/lib/sqreen/null_logger.rb +26 -0
- data/lib/sqreen/payload_creator.rb +4 -19
- data/lib/sqreen/payload_creator/header_section.rb +30 -0
- data/lib/sqreen/performance_notifications.rb +2 -0
- data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/log.rb +2 -0
- data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
- data/lib/sqreen/performance_notifications/metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
- data/lib/sqreen/prefix.rb +35 -0
- data/lib/sqreen/rails_middleware.rb +16 -0
- data/lib/sqreen/remote_command.rb +3 -8
- data/lib/sqreen/remote_command/failure_output.rb +16 -0
- data/lib/sqreen/rules.rb +34 -2
- data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
- data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
- data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
- data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
- data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
- data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
- data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
- data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
- data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
- data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
- data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
- data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
- data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
- data/lib/sqreen/rules/update_request_context.rb +22 -0
- data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
- data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
- data/lib/sqreen/run_when_called_cb.rb +23 -0
- data/lib/sqreen/runner.rb +25 -7
- data/lib/sqreen/runtime_infos.rb +4 -9
- data/lib/sqreen/safe_json.rb +2 -0
- data/lib/sqreen/sdk.rb +4 -0
- data/lib/sqreen/sensitive_data_redactor.rb +113 -0
- data/lib/sqreen/serializer.rb +2 -0
- data/lib/sqreen/session.rb +2 -0
- data/lib/sqreen/shared_storage.rb +2 -0
- data/lib/sqreen/shared_storage23.rb +2 -0
- data/lib/sqreen/shrink_wrap.rb +16 -0
- data/lib/sqreen/signature_verifier.rb +22 -0
- data/lib/sqreen/sinatra_middleware.rb +16 -0
- data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
- data/lib/sqreen/token_invalid_exception.rb +10 -0
- data/lib/sqreen/token_not_found_exception.rb +11 -0
- data/lib/sqreen/trie.rb +5 -64
- data/lib/sqreen/unauthorized.rb +10 -0
- data/lib/sqreen/util.rb +7 -0
- data/lib/sqreen/util/capped_array.rb +35 -0
- data/lib/sqreen/util/capped_hash.rb +41 -0
- data/lib/sqreen/util/capped_string.rb +26 -0
- data/lib/sqreen/util/capper.rb +67 -0
- data/lib/sqreen/version.rb +3 -1
- data/lib/sqreen/waf_error.rb +20 -0
- data/lib/sqreen/weave.rb +12 -0
- data/lib/sqreen/weave/hardcoded.rb +19 -0
- data/lib/sqreen/weave/instrumentor.rb +48 -0
- data/lib/sqreen/weave/legacy.rb +12 -0
- data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
- data/lib/sqreen/web_server.rb +2 -0
- data/lib/sqreen/web_server/generic.rb +2 -0
- data/lib/sqreen/web_server/passenger.rb +2 -0
- data/lib/sqreen/web_server/puma.rb +2 -0
- data/lib/sqreen/web_server/rainbows.rb +2 -0
- data/lib/sqreen/web_server/thin.rb +2 -0
- data/lib/sqreen/web_server/unicorn.rb +2 -0
- data/lib/sqreen/web_server/webrick.rb +2 -0
- data/lib/sqreen/worker.rb +2 -0
- metadata +105 -39
- data/lib/sqreen/dependency/hook.rb +0 -102
- data/lib/sqreen/rules_callbacks.rb +0 -35
- data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5082d08022b3f107ae50c29fb9f0846ca7398bc3544dc5ee0594a5c0a4d74e72
|
4
|
+
data.tar.gz: a7b3e4d7ab8b5c504b9a460e0504eded5acf96a9dfa4dc9655708205540f00bd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 393969dbf38bf2ea63688500f4c1902454a0489238c00fd1d11bebfa21017b1d320936b4b2e2871e9477aaaaf23690042d594de1f2fdb1518a4bab8c2b283ee4
|
7
|
+
data.tar.gz: ee617d28aa7f4822dc5c0ad9afbc5562c4550a50aa32a4be937787ae3cef3b7e48acdbc278a9fe8a5ee9ee4bb31266075e92b5401e678024faf939115b734c43
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,38 @@
|
|
1
|
+
## 1.19.0
|
2
|
+
|
3
|
+
* Upgrade WAF features via libsqreen 0.6.1
|
4
|
+
* Improve time defensiveness in WAF
|
5
|
+
* Improve compatibility with APM agents via a new optional instrumentation engine
|
6
|
+
* Fix action reloading not being entirely cleared on reload
|
7
|
+
* Improve handling of hash symbol keys in some security rules
|
8
|
+
* Fix constant resolution scope on agent boot
|
9
|
+
|
10
|
+
## 1.18.6
|
11
|
+
|
12
|
+
* Improve default WAF time budget handling logic
|
13
|
+
|
14
|
+
## 1.18.5
|
15
|
+
|
16
|
+
* Fix type mismatch in WAF time budget handling
|
17
|
+
* Improve exception handling for non-WAF errors within WAF
|
18
|
+
|
19
|
+
## 1.18.4
|
20
|
+
|
21
|
+
* Fix instrumentation conflict when a class defines a send method
|
22
|
+
* Fix compatibility with Sorbet type checker
|
23
|
+
* Improve WAF time budget handling
|
24
|
+
|
25
|
+
## 1.18.3
|
26
|
+
|
27
|
+
* Improve PII protection
|
28
|
+
* Improve performance on sizeable request payloads
|
29
|
+
* Improve handling of Rails without a database
|
30
|
+
* Improve compatibility with Rack and Sinatra middlewares
|
31
|
+
* Support JSON payloads with rack-contrib PostBodyContentParser
|
32
|
+
* Add libsqreen toggle to configuration
|
33
|
+
* Prepare for Ruby 2.7 support
|
34
|
+
* Include license file in gem
|
35
|
+
|
1
36
|
## 1.18.2
|
2
37
|
|
3
38
|
* Improve internal WAF error reporting
|
data/LICENSE
ADDED
data/lib/sqreen.rb
CHANGED
data/lib/sqreen/actions.rb
CHANGED
@@ -1,51 +1,28 @@
|
|
1
|
+
# typed: true
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require '
|
5
|
-
require 'sqreen/
|
6
|
-
|
7
|
-
require 'sqreen/
|
8
|
-
require 'sqreen/
|
9
|
-
require 'sqreen/
|
10
|
-
require '
|
6
|
+
require 'sqreen/actions/unknown_action_type'
|
7
|
+
require 'sqreen/actions/base'
|
8
|
+
|
9
|
+
require 'sqreen/actions/block_user'
|
10
|
+
require 'sqreen/actions/redirect_user'
|
11
|
+
require 'sqreen/actions/block_ip'
|
12
|
+
require 'sqreen/actions/redirect_ip'
|
13
|
+
require 'sqreen/actions/repository'
|
14
|
+
require 'sqreen/actions/unknown_action_type'
|
11
15
|
|
12
16
|
module Sqreen
|
13
17
|
# Implements actions (behavior taken in response to agent signals)
|
14
18
|
module Actions
|
15
|
-
# Exception for when an unknown action type is gotten from the server
|
16
|
-
class UnknownActionType < ::Sqreen::Exception
|
17
|
-
attr_reader :action_type
|
18
|
-
def initialize(action_type)
|
19
|
-
super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
|
20
|
-
@action_type = action_type
|
21
|
-
end
|
22
|
-
end
|
23
|
-
|
24
|
-
# Where the currently loaded actions are stored. Singleton
|
25
|
-
class Repository
|
26
|
-
include Singleton
|
27
|
-
|
28
|
-
def add(params, action)
|
29
|
-
action.class.index(params || {}, action)
|
30
|
-
end
|
31
|
-
|
32
|
-
def get(action_class, key)
|
33
|
-
action_class = Base.get_type_class(action_class) unless action_class.class == Class
|
34
|
-
action_class.actions_matching key
|
35
|
-
end
|
36
|
-
|
37
|
-
def clear
|
38
|
-
Base.known_subclasses.each(&:clear)
|
39
|
-
end
|
40
|
-
end
|
41
|
-
|
42
19
|
# @return [Sqreen::Actions::Base]
|
43
20
|
def self.deserialize_action(hash)
|
44
21
|
action_type = hash['action']
|
45
22
|
raise 'no action type available' unless action_type
|
46
23
|
|
47
|
-
subclass = Base.get_type_class(action_type)
|
48
|
-
raise UnknownActionType, action_type unless subclass
|
24
|
+
subclass = Sqreen::Actions::Base.get_type_class(action_type)
|
25
|
+
raise Sqreen::Actions::UnknownActionType, action_type unless subclass
|
49
26
|
|
50
27
|
id = hash['action_id']
|
51
28
|
raise 'no action id available' unless id
|
@@ -63,306 +40,5 @@ module Sqreen
|
|
63
40
|
|
64
41
|
subclass.new(id, opts, hash['parameters'] || {})
|
65
42
|
end
|
66
|
-
|
67
|
-
# Base class for actions
|
68
|
-
# subclasses must also implement some methods in their singleton classes
|
69
|
-
# (actions_matching, index and clear)
|
70
|
-
class Base
|
71
|
-
attr_reader :id, :expiry, :send_response
|
72
|
-
|
73
|
-
def initialize(id, opts)
|
74
|
-
@id = id
|
75
|
-
duration = opts[:duration]
|
76
|
-
@expiry = Time.new + duration unless duration.nil?
|
77
|
-
@send_response = if opts[:send_response].nil?
|
78
|
-
true
|
79
|
-
else
|
80
|
-
!!opts[:send_response]
|
81
|
-
end
|
82
|
-
end
|
83
|
-
|
84
|
-
# See Sqreen::CB for return values
|
85
|
-
def run(*args)
|
86
|
-
return if expiry && Time.new > expiry
|
87
|
-
ret = do_run *args
|
88
|
-
unless ret.nil? || !@send_response
|
89
|
-
Sqreen.internal_track(event_name,
|
90
|
-
'properties' => {
|
91
|
-
'output' => event_properties(*args),
|
92
|
-
'action_id' => id,
|
93
|
-
})
|
94
|
-
end
|
95
|
-
ret
|
96
|
-
end
|
97
|
-
|
98
|
-
protected
|
99
|
-
|
100
|
-
def do_run(*_args)
|
101
|
-
raise ::Sqreen::NotImplementedYet, "do_run not implemented in #{self.class}"
|
102
|
-
# implement in subclasses
|
103
|
-
end
|
104
|
-
|
105
|
-
def event_properties(*_run_args)
|
106
|
-
raise ::Sqreen::NotImplementedYet, "event_properties not implemented in #{self.class}"
|
107
|
-
# implement in subclasses
|
108
|
-
end
|
109
|
-
|
110
|
-
private
|
111
|
-
|
112
|
-
def event_name
|
113
|
-
"sq.action.#{self.class.type_name}"
|
114
|
-
end
|
115
|
-
|
116
|
-
@@subclasses = {}
|
117
|
-
class << self
|
118
|
-
private :new
|
119
|
-
|
120
|
-
attr_reader :type_name
|
121
|
-
|
122
|
-
def get_type_class(name)
|
123
|
-
@@subclasses[name]
|
124
|
-
end
|
125
|
-
|
126
|
-
def known_subclasses
|
127
|
-
@@subclasses.values
|
128
|
-
end
|
129
|
-
|
130
|
-
def known_types
|
131
|
-
@@subclasses.keys
|
132
|
-
end
|
133
|
-
|
134
|
-
# all actions matching, possibly already expired
|
135
|
-
def actions_matching(_key)
|
136
|
-
raise 'implement in singletons of subclasses'
|
137
|
-
end
|
138
|
-
|
139
|
-
def index(_params, _action)
|
140
|
-
raise 'implement in singletons of subclasses'
|
141
|
-
end
|
142
|
-
|
143
|
-
def clear
|
144
|
-
raise 'implement in singletons of subclasses'
|
145
|
-
end
|
146
|
-
|
147
|
-
def inherited(subclass)
|
148
|
-
class << subclass
|
149
|
-
public :new
|
150
|
-
end
|
151
|
-
end
|
152
|
-
|
153
|
-
protected
|
154
|
-
|
155
|
-
def type_name=(name)
|
156
|
-
@type_name = name
|
157
|
-
@@subclasses[name] = self
|
158
|
-
end
|
159
|
-
end
|
160
|
-
end
|
161
|
-
|
162
|
-
module IpRangesIndex
|
163
|
-
def add_prefix(prefix_str, data)
|
164
|
-
@trie_v4 ||= Sqreen::Trie.new
|
165
|
-
@trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
|
166
|
-
prefix = Sqreen::Prefix.from_str(prefix_str, data)
|
167
|
-
trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
|
168
|
-
trie.insert prefix
|
169
|
-
end
|
170
|
-
|
171
|
-
def matching_actions(client_ip)
|
172
|
-
parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
|
173
|
-
trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
|
174
|
-
return [] unless trie
|
175
|
-
found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
|
176
|
-
return [] unless found.size > 0
|
177
|
-
|
178
|
-
Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
|
179
|
-
found.map(&:data)
|
180
|
-
end
|
181
|
-
|
182
|
-
def clear
|
183
|
-
@trie_v4 = Sqreen::Trie.new
|
184
|
-
@trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
|
185
|
-
end
|
186
|
-
end
|
187
|
-
|
188
|
-
module IpRangeIndexedActionClass
|
189
|
-
include IpRangesIndex
|
190
|
-
|
191
|
-
def actions_matching(client_ip)
|
192
|
-
matching_actions client_ip
|
193
|
-
end
|
194
|
-
|
195
|
-
def index(params, action)
|
196
|
-
ranges = parse_ip_ranges params
|
197
|
-
|
198
|
-
ranges.each do |r|
|
199
|
-
add_prefix r, action
|
200
|
-
end
|
201
|
-
end
|
202
|
-
|
203
|
-
private
|
204
|
-
|
205
|
-
# returns array of prefixes in string form
|
206
|
-
def parse_ip_ranges(params)
|
207
|
-
ranges = params['ip_cidr']
|
208
|
-
unless ranges && ranges.is_a?(Array) && !ranges.empty?
|
209
|
-
raise 'no non-empty ip_cidr array present'
|
210
|
-
end
|
211
|
-
|
212
|
-
ranges
|
213
|
-
end
|
214
|
-
end
|
215
|
-
|
216
|
-
# Block a list of IP address ranges. Standard "raise" behavior.
|
217
|
-
class BlockIp < Base
|
218
|
-
extend IpRangeIndexedActionClass
|
219
|
-
|
220
|
-
self.type_name = 'block_ip'
|
221
|
-
|
222
|
-
def initialize(id, opts, params = {})
|
223
|
-
# no need to store the ranges for this action, the index filter the class
|
224
|
-
super(id, opts)
|
225
|
-
end
|
226
|
-
|
227
|
-
def do_run(client_ip)
|
228
|
-
e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
|
229
|
-
"(action: #{id}). No action is required")
|
230
|
-
{ :status => :raise, :exception => e, :skip_rem_cbs => true }
|
231
|
-
end
|
232
|
-
|
233
|
-
def event_properties(client_ip)
|
234
|
-
{ 'ip_address' => client_ip }
|
235
|
-
end
|
236
|
-
end
|
237
|
-
|
238
|
-
# Block a list of IP address ranges by forcefully redirecting the user
|
239
|
-
# to a specific URL.
|
240
|
-
class RedirectIp < Base
|
241
|
-
extend IpRangeIndexedActionClass
|
242
|
-
|
243
|
-
self.type_name = 'redirect_ip'
|
244
|
-
|
245
|
-
attr_reader :redirect_url
|
246
|
-
|
247
|
-
def initialize(id, opts, params = {})
|
248
|
-
super(id, opts)
|
249
|
-
@redirect_url = params['url']
|
250
|
-
raise "no url provided for action #{id}" unless @redirect_url
|
251
|
-
end
|
252
|
-
|
253
|
-
def do_run(client_ip)
|
254
|
-
Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
|
255
|
-
"(action: #{id})."
|
256
|
-
{
|
257
|
-
:status => :skip,
|
258
|
-
:new_return_value => [303, { 'Location' => @redirect_url }, ['']],
|
259
|
-
:skip_rem_cbs => true,
|
260
|
-
}
|
261
|
-
end
|
262
|
-
|
263
|
-
def event_properties(client_ip)
|
264
|
-
{ 'ip_address' => client_ip, 'url' => @redirect_url }
|
265
|
-
end
|
266
|
-
end
|
267
|
-
|
268
|
-
module UserActionClass
|
269
|
-
def actions_matching(identity_params)
|
270
|
-
return [] unless @idx
|
271
|
-
key = stringify_keys(identity_params)
|
272
|
-
actions = @idx[key]
|
273
|
-
actions || []
|
274
|
-
end
|
275
|
-
|
276
|
-
def index(params, action)
|
277
|
-
@idx ||= {}
|
278
|
-
users = params['users']
|
279
|
-
raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
|
280
|
-
raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
|
281
|
-
|
282
|
-
users.each do |u|
|
283
|
-
@idx[u] ||= []
|
284
|
-
@idx[u] << action
|
285
|
-
end
|
286
|
-
end
|
287
|
-
|
288
|
-
def clear
|
289
|
-
@idx = {}
|
290
|
-
end
|
291
|
-
|
292
|
-
private
|
293
|
-
|
294
|
-
def stringify_keys(hash)
|
295
|
-
Hash[
|
296
|
-
hash.map { |k, v| [k.to_s, v] }
|
297
|
-
]
|
298
|
-
end
|
299
|
-
end
|
300
|
-
|
301
|
-
# Blocks a user at the point Sqreen::identify()
|
302
|
-
# or Sqreen::auth_track() are called
|
303
|
-
class BlockUser < Base
|
304
|
-
extend UserActionClass
|
305
|
-
|
306
|
-
self.type_name = 'block_user'
|
307
|
-
|
308
|
-
def initialize(id, opts, params = {})
|
309
|
-
super(id, opts)
|
310
|
-
end
|
311
|
-
|
312
|
-
def do_run(identity_params)
|
313
|
-
Sqreen.log.info(
|
314
|
-
"Will raise due to user being blocked by action #{id}. " \
|
315
|
-
"Blocked user identity: #{identity_params}"
|
316
|
-
)
|
317
|
-
|
318
|
-
e = Sqreen::AttackBlocked.new(
|
319
|
-
"Blocked user with identity #{identity_params} " \
|
320
|
-
'due to automatic security response. No action is required'
|
321
|
-
)
|
322
|
-
|
323
|
-
{
|
324
|
-
:status => :raise,
|
325
|
-
:exception => e,
|
326
|
-
}
|
327
|
-
end
|
328
|
-
|
329
|
-
def event_properties(identity_params)
|
330
|
-
{ 'user' => identity_params }
|
331
|
-
end
|
332
|
-
end
|
333
|
-
|
334
|
-
# Redirects a user at the point Sqreen::identify()
|
335
|
-
# or Sqreen::auth_track() are called
|
336
|
-
class RedirectUser < Base
|
337
|
-
extend UserActionClass
|
338
|
-
|
339
|
-
self.type_name = 'redirect_user'
|
340
|
-
|
341
|
-
def initialize(id, opts, params = {})
|
342
|
-
super(id, opts)
|
343
|
-
@redirect_url = params['url']
|
344
|
-
raise "no url provided for action #{id}" unless @redirect_url
|
345
|
-
end
|
346
|
-
|
347
|
-
def do_run(identity_params)
|
348
|
-
Sqreen.log.info 'Will request redirect for user with identity ' \
|
349
|
-
"#{identity_params} (action: #{id})."
|
350
|
-
|
351
|
-
e = Sqreen::AttackBlocked.new(
|
352
|
-
"Redirected user with identity #{identity_params} " \
|
353
|
-
'due to automatic security response. No action is required'
|
354
|
-
)
|
355
|
-
e.redirect_url = @redirect_url
|
356
|
-
|
357
|
-
{
|
358
|
-
:status => :raise,
|
359
|
-
:exception => e,
|
360
|
-
}
|
361
|
-
end
|
362
|
-
|
363
|
-
def event_properties(identity_params)
|
364
|
-
{ 'user' => identity_params }
|
365
|
-
end
|
366
|
-
end
|
367
43
|
end
|
368
44
|
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
# typed: true
|
2
|
+
module Sqreen
|
3
|
+
module Actions
|
4
|
+
# documents the operations an actions index should implement
|
5
|
+
class ActionsIndex
|
6
|
+
# all actions matching, possibly already expired
|
7
|
+
def actions_matching(_key)
|
8
|
+
raise 'implement in subclasses'
|
9
|
+
end
|
10
|
+
|
11
|
+
def index(_params, _action)
|
12
|
+
raise 'implement in subclasses'
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|