sqreen 1.18.2-java → 1.19.0-java

Sign up to get free protection for your applications and to get access to all the features.
Files changed (184) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +35 -0
  3. data/LICENSE +3 -0
  4. data/lib/sqreen.rb +2 -0
  5. data/lib/sqreen/actions.rb +13 -337
  6. data/lib/sqreen/actions/actions_index.rb +16 -0
  7. data/lib/sqreen/actions/base.rb +104 -0
  8. data/lib/sqreen/actions/block_ip.rb +34 -0
  9. data/lib/sqreen/actions/block_user.rb +46 -0
  10. data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
  11. data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
  12. data/lib/sqreen/actions/redirect_ip.rb +42 -0
  13. data/lib/sqreen/actions/redirect_user.rb +47 -0
  14. data/lib/sqreen/actions/repository.rb +43 -0
  15. data/lib/sqreen/actions/unknown_action_type.rb +20 -0
  16. data/lib/sqreen/actions/user_action_class.rb +16 -0
  17. data/lib/sqreen/actions/users_index.rb +35 -0
  18. data/lib/sqreen/agent.rb +6 -2
  19. data/lib/sqreen/attack_blocked.rb +19 -0
  20. data/lib/sqreen/backport.rb +2 -0
  21. data/lib/sqreen/backport/clock_gettime.rb +74 -0
  22. data/lib/sqreen/backport/original_name.rb +2 -0
  23. data/lib/sqreen/binding_accessor.rb +11 -102
  24. data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
  25. data/lib/sqreen/binding_accessor/transforms.rb +114 -0
  26. data/lib/sqreen/call_countable.rb +2 -0
  27. data/lib/sqreen/capped_queue.rb +4 -0
  28. data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
  29. data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
  30. data/lib/sqreen/condition_evaluator.rb +24 -5
  31. data/lib/sqreen/conditionable.rb +2 -0
  32. data/lib/sqreen/configuration.rb +19 -0
  33. data/lib/sqreen/context.rb +2 -0
  34. data/lib/sqreen/default_cb.rb +22 -0
  35. data/lib/sqreen/deferred_logger.rb +65 -0
  36. data/lib/sqreen/deliveries.rb +12 -0
  37. data/lib/sqreen/deliveries/batch.rb +9 -1
  38. data/lib/sqreen/deliveries/simple.rb +7 -0
  39. data/lib/sqreen/dependency.rb +3 -1
  40. data/lib/sqreen/dependency/detector.rb +22 -14
  41. data/lib/sqreen/dependency/libsqreen.rb +32 -0
  42. data/lib/sqreen/dependency/new_relic.rb +2 -0
  43. data/lib/sqreen/dependency/rack.rb +10 -5
  44. data/lib/sqreen/dependency/rails.rb +8 -0
  45. data/lib/sqreen/dependency/sentry.rb +2 -0
  46. data/lib/sqreen/dependency/sinatra.rb +58 -14
  47. data/lib/sqreen/encoding_sanitizer.rb +2 -0
  48. data/lib/sqreen/error_handling_middleware.rb +32 -0
  49. data/lib/sqreen/event.rb +4 -0
  50. data/lib/sqreen/events/attack.rb +4 -0
  51. data/lib/sqreen/events/remote_exception.rb +2 -0
  52. data/lib/sqreen/events/request_record.rb +13 -56
  53. data/lib/sqreen/exception.rb +11 -40
  54. data/lib/sqreen/formatter_with_tid.rb +47 -0
  55. data/lib/sqreen/framework_cb.rb +30 -0
  56. data/lib/sqreen/frameworks.rb +9 -0
  57. data/lib/sqreen/frameworks/generic.rb +22 -2
  58. data/lib/sqreen/frameworks/rails.rb +3 -0
  59. data/lib/sqreen/frameworks/rails3.rb +2 -0
  60. data/lib/sqreen/frameworks/request_recorder.rb +5 -0
  61. data/lib/sqreen/frameworks/sinatra.rb +4 -0
  62. data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
  63. data/lib/sqreen/graft.rb +12 -0
  64. data/lib/sqreen/graft/call.rb +150 -0
  65. data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
  66. data/lib/sqreen/graft/hook.rb +316 -0
  67. data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
  68. data/lib/sqreen/graft/hook_point_error.rb +10 -0
  69. data/lib/sqreen/invalid_signature_exception.rb +10 -0
  70. data/lib/sqreen/js.rb +11 -0
  71. data/lib/sqreen/js/call_context.rb +12 -0
  72. data/lib/sqreen/js/context_pool.rb +62 -0
  73. data/lib/sqreen/js/exec_js_runnable.rb +22 -0
  74. data/lib/sqreen/js/execjs_adapter.rb +8 -47
  75. data/lib/sqreen/js/executable_js.rb +14 -0
  76. data/lib/sqreen/js/js_service.rb +4 -22
  77. data/lib/sqreen/js/js_service_adapter.rb +20 -0
  78. data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
  79. data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
  80. data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
  81. data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
  82. data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
  83. data/lib/sqreen/log.rb +10 -188
  84. data/lib/sqreen/log/loggable.rb +28 -0
  85. data/lib/sqreen/logger.rb +85 -0
  86. data/lib/sqreen/metrics.rb +2 -0
  87. data/lib/sqreen/metrics/average.rb +2 -0
  88. data/lib/sqreen/metrics/base.rb +2 -0
  89. data/lib/sqreen/metrics/binning.rb +2 -0
  90. data/lib/sqreen/metrics/collect.rb +2 -0
  91. data/lib/sqreen/metrics/sum.rb +2 -0
  92. data/lib/sqreen/metrics_store.rb +5 -11
  93. data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
  94. data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
  95. data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
  96. data/lib/sqreen/middleware.rb +2 -34
  97. data/lib/sqreen/mono_time.rb +4 -0
  98. data/lib/sqreen/node.rb +46 -0
  99. data/lib/sqreen/not_implemented_yet.rb +10 -0
  100. data/lib/sqreen/null_logger.rb +26 -0
  101. data/lib/sqreen/payload_creator.rb +4 -19
  102. data/lib/sqreen/payload_creator/header_section.rb +30 -0
  103. data/lib/sqreen/performance_notifications.rb +2 -0
  104. data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
  105. data/lib/sqreen/performance_notifications/log.rb +2 -0
  106. data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
  107. data/lib/sqreen/performance_notifications/metrics.rb +2 -0
  108. data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
  109. data/lib/sqreen/prefix.rb +35 -0
  110. data/lib/sqreen/rails_middleware.rb +16 -0
  111. data/lib/sqreen/remote_command.rb +3 -8
  112. data/lib/sqreen/remote_command/failure_output.rb +16 -0
  113. data/lib/sqreen/rules.rb +34 -2
  114. data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
  115. data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
  116. data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
  117. data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
  118. data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
  119. data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
  120. data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
  121. data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
  122. data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
  123. data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
  124. data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
  125. data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
  126. data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
  127. data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
  128. data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
  129. data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
  130. data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
  131. data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
  132. data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
  133. data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
  134. data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
  135. data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
  136. data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
  137. data/lib/sqreen/rules/update_request_context.rb +22 -0
  138. data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
  139. data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
  140. data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
  141. data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
  142. data/lib/sqreen/run_when_called_cb.rb +23 -0
  143. data/lib/sqreen/runner.rb +25 -7
  144. data/lib/sqreen/runtime_infos.rb +4 -9
  145. data/lib/sqreen/safe_json.rb +2 -0
  146. data/lib/sqreen/sdk.rb +4 -0
  147. data/lib/sqreen/sensitive_data_redactor.rb +113 -0
  148. data/lib/sqreen/serializer.rb +2 -0
  149. data/lib/sqreen/session.rb +2 -0
  150. data/lib/sqreen/shared_storage.rb +2 -0
  151. data/lib/sqreen/shared_storage23.rb +2 -0
  152. data/lib/sqreen/shrink_wrap.rb +16 -0
  153. data/lib/sqreen/signature_verifier.rb +22 -0
  154. data/lib/sqreen/sinatra_middleware.rb +16 -0
  155. data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
  156. data/lib/sqreen/token_invalid_exception.rb +10 -0
  157. data/lib/sqreen/token_not_found_exception.rb +11 -0
  158. data/lib/sqreen/trie.rb +5 -64
  159. data/lib/sqreen/unauthorized.rb +10 -0
  160. data/lib/sqreen/util.rb +7 -0
  161. data/lib/sqreen/util/capped_array.rb +35 -0
  162. data/lib/sqreen/util/capped_hash.rb +41 -0
  163. data/lib/sqreen/util/capped_string.rb +26 -0
  164. data/lib/sqreen/util/capper.rb +67 -0
  165. data/lib/sqreen/version.rb +3 -1
  166. data/lib/sqreen/waf_error.rb +20 -0
  167. data/lib/sqreen/weave.rb +12 -0
  168. data/lib/sqreen/weave/hardcoded.rb +19 -0
  169. data/lib/sqreen/weave/instrumentor.rb +48 -0
  170. data/lib/sqreen/weave/legacy.rb +12 -0
  171. data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
  172. data/lib/sqreen/web_server.rb +2 -0
  173. data/lib/sqreen/web_server/generic.rb +2 -0
  174. data/lib/sqreen/web_server/passenger.rb +2 -0
  175. data/lib/sqreen/web_server/puma.rb +2 -0
  176. data/lib/sqreen/web_server/rainbows.rb +2 -0
  177. data/lib/sqreen/web_server/thin.rb +2 -0
  178. data/lib/sqreen/web_server/unicorn.rb +2 -0
  179. data/lib/sqreen/web_server/webrick.rb +2 -0
  180. data/lib/sqreen/worker.rb +2 -0
  181. metadata +105 -39
  182. data/lib/sqreen/dependency/hook.rb +0 -102
  183. data/lib/sqreen/rules_callbacks.rb +0 -35
  184. data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 06bc081efdb3dd498597a1d2a044b3ced504afd9f30d3eaf7924949fadbde242
4
- data.tar.gz: 6870982f1abd957f3f676533698d9d0e74aa5b367773622b37e15793982b5287
3
+ metadata.gz: 5082d08022b3f107ae50c29fb9f0846ca7398bc3544dc5ee0594a5c0a4d74e72
4
+ data.tar.gz: a7b3e4d7ab8b5c504b9a460e0504eded5acf96a9dfa4dc9655708205540f00bd
5
5
  SHA512:
6
- metadata.gz: 89323033681f35c0d1e99675d5a26dd439741b35a9a2a299c881e3e2cbc8c61fbaaf520af47e263f9dfcb6ae57c919b32573106bc3761a1c7268a90f2b930d30
7
- data.tar.gz: f2fb38415d5729ea35895997c92651fd0ce6a27865622d3d9ece3ca94c0b2dab33647afd1105aa865a03493f5e9bf78cf97c1f6acede67b775c7a8c7966ce7f7
6
+ metadata.gz: 393969dbf38bf2ea63688500f4c1902454a0489238c00fd1d11bebfa21017b1d320936b4b2e2871e9477aaaaf23690042d594de1f2fdb1518a4bab8c2b283ee4
7
+ data.tar.gz: ee617d28aa7f4822dc5c0ad9afbc5562c4550a50aa32a4be937787ae3cef3b7e48acdbc278a9fe8a5ee9ee4bb31266075e92b5401e678024faf939115b734c43
@@ -1,3 +1,38 @@
1
+ ## 1.19.0
2
+
3
+ * Upgrade WAF features via libsqreen 0.6.1
4
+ * Improve time defensiveness in WAF
5
+ * Improve compatibility with APM agents via a new optional instrumentation engine
6
+ * Fix action reloading not being entirely cleared on reload
7
+ * Improve handling of hash symbol keys in some security rules
8
+ * Fix constant resolution scope on agent boot
9
+
10
+ ## 1.18.6
11
+
12
+ * Improve default WAF time budget handling logic
13
+
14
+ ## 1.18.5
15
+
16
+ * Fix type mismatch in WAF time budget handling
17
+ * Improve exception handling for non-WAF errors within WAF
18
+
19
+ ## 1.18.4
20
+
21
+ * Fix instrumentation conflict when a class defines a send method
22
+ * Fix compatibility with Sorbet type checker
23
+ * Improve WAF time budget handling
24
+
25
+ ## 1.18.3
26
+
27
+ * Improve PII protection
28
+ * Improve performance on sizeable request payloads
29
+ * Improve handling of Rails without a database
30
+ * Improve compatibility with Rack and Sinatra middlewares
31
+ * Support JSON payloads with rack-contrib PostBodyContentParser
32
+ * Add libsqreen toggle to configuration
33
+ * Prepare for Ruby 2.7 support
34
+ * Include license file in gem
35
+
1
36
  ## 1.18.2
2
37
 
3
38
  * Improve internal WAF error reporting
data/LICENSE ADDED
@@ -0,0 +1,3 @@
1
+ Sqreen for Ruby is free-to-use, proprietary software.
2
+
3
+ Please refer to our terms for more information: https://www.sqreen.com/terms.html
@@ -1,3 +1,5 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
@@ -1,51 +1,28 @@
1
+ # typed: true
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'ipaddr'
5
- require 'sqreen/trie'
6
- require 'sqreen/log'
7
- require 'sqreen/exception'
8
- require 'sqreen/sdk'
9
- require 'sqreen/frameworks'
10
- require 'singleton'
6
+ require 'sqreen/actions/unknown_action_type'
7
+ require 'sqreen/actions/base'
8
+
9
+ require 'sqreen/actions/block_user'
10
+ require 'sqreen/actions/redirect_user'
11
+ require 'sqreen/actions/block_ip'
12
+ require 'sqreen/actions/redirect_ip'
13
+ require 'sqreen/actions/repository'
14
+ require 'sqreen/actions/unknown_action_type'
11
15
 
12
16
  module Sqreen
13
17
  # Implements actions (behavior taken in response to agent signals)
14
18
  module Actions
15
- # Exception for when an unknown action type is gotten from the server
16
- class UnknownActionType < ::Sqreen::Exception
17
- attr_reader :action_type
18
- def initialize(action_type)
19
- super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
20
- @action_type = action_type
21
- end
22
- end
23
-
24
- # Where the currently loaded actions are stored. Singleton
25
- class Repository
26
- include Singleton
27
-
28
- def add(params, action)
29
- action.class.index(params || {}, action)
30
- end
31
-
32
- def get(action_class, key)
33
- action_class = Base.get_type_class(action_class) unless action_class.class == Class
34
- action_class.actions_matching key
35
- end
36
-
37
- def clear
38
- Base.known_subclasses.each(&:clear)
39
- end
40
- end
41
-
42
19
  # @return [Sqreen::Actions::Base]
43
20
  def self.deserialize_action(hash)
44
21
  action_type = hash['action']
45
22
  raise 'no action type available' unless action_type
46
23
 
47
- subclass = Base.get_type_class(action_type)
48
- raise UnknownActionType, action_type unless subclass
24
+ subclass = Sqreen::Actions::Base.get_type_class(action_type)
25
+ raise Sqreen::Actions::UnknownActionType, action_type unless subclass
49
26
 
50
27
  id = hash['action_id']
51
28
  raise 'no action id available' unless id
@@ -63,306 +40,5 @@ module Sqreen
63
40
 
64
41
  subclass.new(id, opts, hash['parameters'] || {})
65
42
  end
66
-
67
- # Base class for actions
68
- # subclasses must also implement some methods in their singleton classes
69
- # (actions_matching, index and clear)
70
- class Base
71
- attr_reader :id, :expiry, :send_response
72
-
73
- def initialize(id, opts)
74
- @id = id
75
- duration = opts[:duration]
76
- @expiry = Time.new + duration unless duration.nil?
77
- @send_response = if opts[:send_response].nil?
78
- true
79
- else
80
- !!opts[:send_response]
81
- end
82
- end
83
-
84
- # See Sqreen::CB for return values
85
- def run(*args)
86
- return if expiry && Time.new > expiry
87
- ret = do_run *args
88
- unless ret.nil? || !@send_response
89
- Sqreen.internal_track(event_name,
90
- 'properties' => {
91
- 'output' => event_properties(*args),
92
- 'action_id' => id,
93
- })
94
- end
95
- ret
96
- end
97
-
98
- protected
99
-
100
- def do_run(*_args)
101
- raise ::Sqreen::NotImplementedYet, "do_run not implemented in #{self.class}"
102
- # implement in subclasses
103
- end
104
-
105
- def event_properties(*_run_args)
106
- raise ::Sqreen::NotImplementedYet, "event_properties not implemented in #{self.class}"
107
- # implement in subclasses
108
- end
109
-
110
- private
111
-
112
- def event_name
113
- "sq.action.#{self.class.type_name}"
114
- end
115
-
116
- @@subclasses = {}
117
- class << self
118
- private :new
119
-
120
- attr_reader :type_name
121
-
122
- def get_type_class(name)
123
- @@subclasses[name]
124
- end
125
-
126
- def known_subclasses
127
- @@subclasses.values
128
- end
129
-
130
- def known_types
131
- @@subclasses.keys
132
- end
133
-
134
- # all actions matching, possibly already expired
135
- def actions_matching(_key)
136
- raise 'implement in singletons of subclasses'
137
- end
138
-
139
- def index(_params, _action)
140
- raise 'implement in singletons of subclasses'
141
- end
142
-
143
- def clear
144
- raise 'implement in singletons of subclasses'
145
- end
146
-
147
- def inherited(subclass)
148
- class << subclass
149
- public :new
150
- end
151
- end
152
-
153
- protected
154
-
155
- def type_name=(name)
156
- @type_name = name
157
- @@subclasses[name] = self
158
- end
159
- end
160
- end
161
-
162
- module IpRangesIndex
163
- def add_prefix(prefix_str, data)
164
- @trie_v4 ||= Sqreen::Trie.new
165
- @trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
166
- prefix = Sqreen::Prefix.from_str(prefix_str, data)
167
- trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
168
- trie.insert prefix
169
- end
170
-
171
- def matching_actions(client_ip)
172
- parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
173
- trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
174
- return [] unless trie
175
- found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
176
- return [] unless found.size > 0
177
-
178
- Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
179
- found.map(&:data)
180
- end
181
-
182
- def clear
183
- @trie_v4 = Sqreen::Trie.new
184
- @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
185
- end
186
- end
187
-
188
- module IpRangeIndexedActionClass
189
- include IpRangesIndex
190
-
191
- def actions_matching(client_ip)
192
- matching_actions client_ip
193
- end
194
-
195
- def index(params, action)
196
- ranges = parse_ip_ranges params
197
-
198
- ranges.each do |r|
199
- add_prefix r, action
200
- end
201
- end
202
-
203
- private
204
-
205
- # returns array of prefixes in string form
206
- def parse_ip_ranges(params)
207
- ranges = params['ip_cidr']
208
- unless ranges && ranges.is_a?(Array) && !ranges.empty?
209
- raise 'no non-empty ip_cidr array present'
210
- end
211
-
212
- ranges
213
- end
214
- end
215
-
216
- # Block a list of IP address ranges. Standard "raise" behavior.
217
- class BlockIp < Base
218
- extend IpRangeIndexedActionClass
219
-
220
- self.type_name = 'block_ip'
221
-
222
- def initialize(id, opts, params = {})
223
- # no need to store the ranges for this action, the index filter the class
224
- super(id, opts)
225
- end
226
-
227
- def do_run(client_ip)
228
- e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
229
- "(action: #{id}). No action is required")
230
- { :status => :raise, :exception => e, :skip_rem_cbs => true }
231
- end
232
-
233
- def event_properties(client_ip)
234
- { 'ip_address' => client_ip }
235
- end
236
- end
237
-
238
- # Block a list of IP address ranges by forcefully redirecting the user
239
- # to a specific URL.
240
- class RedirectIp < Base
241
- extend IpRangeIndexedActionClass
242
-
243
- self.type_name = 'redirect_ip'
244
-
245
- attr_reader :redirect_url
246
-
247
- def initialize(id, opts, params = {})
248
- super(id, opts)
249
- @redirect_url = params['url']
250
- raise "no url provided for action #{id}" unless @redirect_url
251
- end
252
-
253
- def do_run(client_ip)
254
- Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
255
- "(action: #{id})."
256
- {
257
- :status => :skip,
258
- :new_return_value => [303, { 'Location' => @redirect_url }, ['']],
259
- :skip_rem_cbs => true,
260
- }
261
- end
262
-
263
- def event_properties(client_ip)
264
- { 'ip_address' => client_ip, 'url' => @redirect_url }
265
- end
266
- end
267
-
268
- module UserActionClass
269
- def actions_matching(identity_params)
270
- return [] unless @idx
271
- key = stringify_keys(identity_params)
272
- actions = @idx[key]
273
- actions || []
274
- end
275
-
276
- def index(params, action)
277
- @idx ||= {}
278
- users = params['users']
279
- raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
280
- raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
281
-
282
- users.each do |u|
283
- @idx[u] ||= []
284
- @idx[u] << action
285
- end
286
- end
287
-
288
- def clear
289
- @idx = {}
290
- end
291
-
292
- private
293
-
294
- def stringify_keys(hash)
295
- Hash[
296
- hash.map { |k, v| [k.to_s, v] }
297
- ]
298
- end
299
- end
300
-
301
- # Blocks a user at the point Sqreen::identify()
302
- # or Sqreen::auth_track() are called
303
- class BlockUser < Base
304
- extend UserActionClass
305
-
306
- self.type_name = 'block_user'
307
-
308
- def initialize(id, opts, params = {})
309
- super(id, opts)
310
- end
311
-
312
- def do_run(identity_params)
313
- Sqreen.log.info(
314
- "Will raise due to user being blocked by action #{id}. " \
315
- "Blocked user identity: #{identity_params}"
316
- )
317
-
318
- e = Sqreen::AttackBlocked.new(
319
- "Blocked user with identity #{identity_params} " \
320
- 'due to automatic security response. No action is required'
321
- )
322
-
323
- {
324
- :status => :raise,
325
- :exception => e,
326
- }
327
- end
328
-
329
- def event_properties(identity_params)
330
- { 'user' => identity_params }
331
- end
332
- end
333
-
334
- # Redirects a user at the point Sqreen::identify()
335
- # or Sqreen::auth_track() are called
336
- class RedirectUser < Base
337
- extend UserActionClass
338
-
339
- self.type_name = 'redirect_user'
340
-
341
- def initialize(id, opts, params = {})
342
- super(id, opts)
343
- @redirect_url = params['url']
344
- raise "no url provided for action #{id}" unless @redirect_url
345
- end
346
-
347
- def do_run(identity_params)
348
- Sqreen.log.info 'Will request redirect for user with identity ' \
349
- "#{identity_params} (action: #{id})."
350
-
351
- e = Sqreen::AttackBlocked.new(
352
- "Redirected user with identity #{identity_params} " \
353
- 'due to automatic security response. No action is required'
354
- )
355
- e.redirect_url = @redirect_url
356
-
357
- {
358
- :status => :raise,
359
- :exception => e,
360
- }
361
- end
362
-
363
- def event_properties(identity_params)
364
- { 'user' => identity_params }
365
- end
366
- end
367
43
  end
368
44
  end
@@ -0,0 +1,16 @@
1
+ # typed: true
2
+ module Sqreen
3
+ module Actions
4
+ # documents the operations an actions index should implement
5
+ class ActionsIndex
6
+ # all actions matching, possibly already expired
7
+ def actions_matching(_key)
8
+ raise 'implement in subclasses'
9
+ end
10
+
11
+ def index(_params, _action)
12
+ raise 'implement in subclasses'
13
+ end
14
+ end
15
+ end
16
+ end