sqreen 1.18.2-java → 1.19.0-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/LICENSE +3 -0
- data/lib/sqreen.rb +2 -0
- data/lib/sqreen/actions.rb +13 -337
- data/lib/sqreen/actions/actions_index.rb +16 -0
- data/lib/sqreen/actions/base.rb +104 -0
- data/lib/sqreen/actions/block_ip.rb +34 -0
- data/lib/sqreen/actions/block_user.rb +46 -0
- data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
- data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
- data/lib/sqreen/actions/redirect_ip.rb +42 -0
- data/lib/sqreen/actions/redirect_user.rb +47 -0
- data/lib/sqreen/actions/repository.rb +43 -0
- data/lib/sqreen/actions/unknown_action_type.rb +20 -0
- data/lib/sqreen/actions/user_action_class.rb +16 -0
- data/lib/sqreen/actions/users_index.rb +35 -0
- data/lib/sqreen/agent.rb +6 -2
- data/lib/sqreen/attack_blocked.rb +19 -0
- data/lib/sqreen/backport.rb +2 -0
- data/lib/sqreen/backport/clock_gettime.rb +74 -0
- data/lib/sqreen/backport/original_name.rb +2 -0
- data/lib/sqreen/binding_accessor.rb +11 -102
- data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
- data/lib/sqreen/binding_accessor/transforms.rb +114 -0
- data/lib/sqreen/call_countable.rb +2 -0
- data/lib/sqreen/capped_queue.rb +4 -0
- data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
- data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
- data/lib/sqreen/condition_evaluator.rb +24 -5
- data/lib/sqreen/conditionable.rb +2 -0
- data/lib/sqreen/configuration.rb +19 -0
- data/lib/sqreen/context.rb +2 -0
- data/lib/sqreen/default_cb.rb +22 -0
- data/lib/sqreen/deferred_logger.rb +65 -0
- data/lib/sqreen/deliveries.rb +12 -0
- data/lib/sqreen/deliveries/batch.rb +9 -1
- data/lib/sqreen/deliveries/simple.rb +7 -0
- data/lib/sqreen/dependency.rb +3 -1
- data/lib/sqreen/dependency/detector.rb +22 -14
- data/lib/sqreen/dependency/libsqreen.rb +32 -0
- data/lib/sqreen/dependency/new_relic.rb +2 -0
- data/lib/sqreen/dependency/rack.rb +10 -5
- data/lib/sqreen/dependency/rails.rb +8 -0
- data/lib/sqreen/dependency/sentry.rb +2 -0
- data/lib/sqreen/dependency/sinatra.rb +58 -14
- data/lib/sqreen/encoding_sanitizer.rb +2 -0
- data/lib/sqreen/error_handling_middleware.rb +32 -0
- data/lib/sqreen/event.rb +4 -0
- data/lib/sqreen/events/attack.rb +4 -0
- data/lib/sqreen/events/remote_exception.rb +2 -0
- data/lib/sqreen/events/request_record.rb +13 -56
- data/lib/sqreen/exception.rb +11 -40
- data/lib/sqreen/formatter_with_tid.rb +47 -0
- data/lib/sqreen/framework_cb.rb +30 -0
- data/lib/sqreen/frameworks.rb +9 -0
- data/lib/sqreen/frameworks/generic.rb +22 -2
- data/lib/sqreen/frameworks/rails.rb +3 -0
- data/lib/sqreen/frameworks/rails3.rb +2 -0
- data/lib/sqreen/frameworks/request_recorder.rb +5 -0
- data/lib/sqreen/frameworks/sinatra.rb +4 -0
- data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
- data/lib/sqreen/graft.rb +12 -0
- data/lib/sqreen/graft/call.rb +150 -0
- data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
- data/lib/sqreen/graft/hook.rb +316 -0
- data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
- data/lib/sqreen/graft/hook_point_error.rb +10 -0
- data/lib/sqreen/invalid_signature_exception.rb +10 -0
- data/lib/sqreen/js.rb +11 -0
- data/lib/sqreen/js/call_context.rb +12 -0
- data/lib/sqreen/js/context_pool.rb +62 -0
- data/lib/sqreen/js/exec_js_runnable.rb +22 -0
- data/lib/sqreen/js/execjs_adapter.rb +8 -47
- data/lib/sqreen/js/executable_js.rb +14 -0
- data/lib/sqreen/js/js_service.rb +4 -22
- data/lib/sqreen/js/js_service_adapter.rb +20 -0
- data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
- data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
- data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
- data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
- data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
- data/lib/sqreen/log.rb +10 -188
- data/lib/sqreen/log/loggable.rb +28 -0
- data/lib/sqreen/logger.rb +85 -0
- data/lib/sqreen/metrics.rb +2 -0
- data/lib/sqreen/metrics/average.rb +2 -0
- data/lib/sqreen/metrics/base.rb +2 -0
- data/lib/sqreen/metrics/binning.rb +2 -0
- data/lib/sqreen/metrics/collect.rb +2 -0
- data/lib/sqreen/metrics/sum.rb +2 -0
- data/lib/sqreen/metrics_store.rb +5 -11
- data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
- data/lib/sqreen/middleware.rb +2 -34
- data/lib/sqreen/mono_time.rb +4 -0
- data/lib/sqreen/node.rb +46 -0
- data/lib/sqreen/not_implemented_yet.rb +10 -0
- data/lib/sqreen/null_logger.rb +26 -0
- data/lib/sqreen/payload_creator.rb +4 -19
- data/lib/sqreen/payload_creator/header_section.rb +30 -0
- data/lib/sqreen/performance_notifications.rb +2 -0
- data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/log.rb +2 -0
- data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
- data/lib/sqreen/performance_notifications/metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
- data/lib/sqreen/prefix.rb +35 -0
- data/lib/sqreen/rails_middleware.rb +16 -0
- data/lib/sqreen/remote_command.rb +3 -8
- data/lib/sqreen/remote_command/failure_output.rb +16 -0
- data/lib/sqreen/rules.rb +34 -2
- data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
- data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
- data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
- data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
- data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
- data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
- data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
- data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
- data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
- data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
- data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
- data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
- data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
- data/lib/sqreen/rules/update_request_context.rb +22 -0
- data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
- data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
- data/lib/sqreen/run_when_called_cb.rb +23 -0
- data/lib/sqreen/runner.rb +25 -7
- data/lib/sqreen/runtime_infos.rb +4 -9
- data/lib/sqreen/safe_json.rb +2 -0
- data/lib/sqreen/sdk.rb +4 -0
- data/lib/sqreen/sensitive_data_redactor.rb +113 -0
- data/lib/sqreen/serializer.rb +2 -0
- data/lib/sqreen/session.rb +2 -0
- data/lib/sqreen/shared_storage.rb +2 -0
- data/lib/sqreen/shared_storage23.rb +2 -0
- data/lib/sqreen/shrink_wrap.rb +16 -0
- data/lib/sqreen/signature_verifier.rb +22 -0
- data/lib/sqreen/sinatra_middleware.rb +16 -0
- data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
- data/lib/sqreen/token_invalid_exception.rb +10 -0
- data/lib/sqreen/token_not_found_exception.rb +11 -0
- data/lib/sqreen/trie.rb +5 -64
- data/lib/sqreen/unauthorized.rb +10 -0
- data/lib/sqreen/util.rb +7 -0
- data/lib/sqreen/util/capped_array.rb +35 -0
- data/lib/sqreen/util/capped_hash.rb +41 -0
- data/lib/sqreen/util/capped_string.rb +26 -0
- data/lib/sqreen/util/capper.rb +67 -0
- data/lib/sqreen/version.rb +3 -1
- data/lib/sqreen/waf_error.rb +20 -0
- data/lib/sqreen/weave.rb +12 -0
- data/lib/sqreen/weave/hardcoded.rb +19 -0
- data/lib/sqreen/weave/instrumentor.rb +48 -0
- data/lib/sqreen/weave/legacy.rb +12 -0
- data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
- data/lib/sqreen/web_server.rb +2 -0
- data/lib/sqreen/web_server/generic.rb +2 -0
- data/lib/sqreen/web_server/passenger.rb +2 -0
- data/lib/sqreen/web_server/puma.rb +2 -0
- data/lib/sqreen/web_server/rainbows.rb +2 -0
- data/lib/sqreen/web_server/thin.rb +2 -0
- data/lib/sqreen/web_server/unicorn.rb +2 -0
- data/lib/sqreen/web_server/webrick.rb +2 -0
- data/lib/sqreen/worker.rb +2 -0
- metadata +105 -39
- data/lib/sqreen/dependency/hook.rb +0 -102
- data/lib/sqreen/rules_callbacks.rb +0 -35
- data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
# typed: false
|
|
2
|
+
|
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
5
|
+
|
|
6
|
+
require 'ipaddr'
|
|
7
|
+
|
|
8
|
+
# TODO: move to Sqreen::IP
|
|
9
|
+
|
|
10
|
+
module Sqreen
|
|
11
|
+
Prefix = Struct.new(:family, :bitlen, :address, :data) do # addr is integer
|
|
12
|
+
def initialize(*args)
|
|
13
|
+
super
|
|
14
|
+
raise ArgumentError, 'no family given' unless family
|
|
15
|
+
raise ArgumentError, 'no bitlen given' unless bitlen
|
|
16
|
+
raise ArgumentError, 'no address given' unless address
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def matches?(address, family)
|
|
20
|
+
raise 'family mismatch' unless family == self.family
|
|
21
|
+
shift_amount = (family == Socket::AF_INET ? 32 : 128) - bitlen
|
|
22
|
+
(address ^ self.address) >> shift_amount == 0
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def Prefix.from_str(str, data = nil)
|
|
27
|
+
ip_addr = IPAddr.new(str)
|
|
28
|
+
bitlen = if str =~ /\/(\d+)$/
|
|
29
|
+
$~[1].to_i
|
|
30
|
+
else
|
|
31
|
+
ip_addr.family == Socket::AF_INET6 ? 128 : 32
|
|
32
|
+
end
|
|
33
|
+
Prefix.new(ip_addr.family, bitlen, ip_addr.to_i, data)
|
|
34
|
+
end
|
|
35
|
+
end
|
|
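Review bot: `Prefix#initialize` checks that `bitlen` is present but not that it fits the family, so a `Prefix` built directly (rather than through `from_str`, where `IPAddr.new` rejects bad prefix lengths) with, say, bitlen 40 on an AF_INET address gives `matches?` a negative `shift_amount`; `Integer#>>` with a negative count shifts left, so the comparison silently degrades to an exact-address match. Add a range check next to the existing guards: `raise ArgumentError, 'bitlen out of range' unless (0..(family == Socket::AF_INET ? 32 : 128)).cover?(bitlen)`. While there, `raise 'family mismatch'` in `matches?` raises a bare RuntimeError where the constructor uses ArgumentError, and `$~[1]` in `from_str` reads more clearly as `Regexp.last_match(1)`.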
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# typed: true
|
|
2
|
+
|
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
5
|
+
|
|
6
|
+
module Sqreen
|
|
7
|
+
class RailsMiddleware
|
|
8
|
+
def initialize(app)
|
|
9
|
+
@app = app
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def call(env)
|
|
13
|
+
@app.call(env)
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
end
|
|
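Review bot: `RailsMiddleware` carries no comment explaining why a middleware whose `call` only forwards `env` to the wrapped app is being added, so a reader cannot tell whether this is an intentional no-op or an unfinished hook. Suggest a class comment such as `# Rack middleware; currently forwards every request to the wrapped app unchanged.` and, if more behaviour is planned, a `# TODO:` naming it.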
@@ -1,8 +1,11 @@
|
|
|
1
|
+
# typed: false
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
6
|
require 'sqreen/log'
|
|
5
7
|
require 'sqreen/events/remote_exception'
|
|
8
|
+
require 'sqreen/remote_command/failure_output'
|
|
6
9
|
|
|
7
10
|
module Sqreen
|
|
8
11
|
# Execute and sanitize remote commands
|
|
@@ -21,14 +24,6 @@ module Sqreen
|
|
|
21
24
|
:performance_budget => :change_performance_budget,
|
|
22
25
|
}.freeze
|
|
23
26
|
|
|
24
|
-
# wraps output returned by a command that should also result in status: false
|
|
25
|
-
class FailureOutput
|
|
26
|
-
attr_reader :wrapped_output
|
|
27
|
-
def initialize(output)
|
|
28
|
-
@wrapped_output = output
|
|
29
|
-
end
|
|
30
|
-
end
|
|
31
|
-
|
|
32
27
|
attr_reader :uuid
|
|
33
28
|
|
|
34
29
|
def initialize(json_desc)
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# typed: true
|
|
2
|
+
|
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
5
|
+
|
|
6
|
+
module Sqreen
|
|
7
|
+
class RemoteCommand
|
|
8
|
+
# wraps output returned by a command that should also result in status: false
|
|
9
|
+
class FailureOutput
|
|
10
|
+
attr_reader :wrapped_output
|
|
11
|
+
def initialize(output)
|
|
12
|
+
@wrapped_output = output
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
end
|
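--- a/data/lib/sqreen/rules.rb
+++ b/data/lib/sqreen/rules.rb
@@ -1,10 +1,42 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'sqreen/log'
-require 'sqreen/
-
+require 'sqreen/rules/attrs'
+
+require 'sqreen/rules/regexp_rule_cb'
+require 'sqreen/rules/matcher_rule'
+
+require 'sqreen/rules/record_request_context'
+require 'sqreen/rules/update_request_context'
+require 'sqreen/rules/rails_parameters_cb'
+
+require 'sqreen/rules/headers_insert_cb'
+require 'sqreen/rules/blacklist_ips_cb'
+
+require 'sqreen/rules/shell_env_cb'
+
+require 'sqreen/rules/url_matches_cb'
+require 'sqreen/rules/user_agent_matches_cb'
+require 'sqreen/rules/crawler_user_agent_matches_cb'
+
+require 'sqreen/rules/xss_cb'
+require 'sqreen/rules/execjs_cb'
+
+require 'sqreen/rules/binding_accessor_metrics'
+require 'sqreen/rules/binding_accessor_matcher_cb'
+require 'sqreen/rules/count_http_codes'
+require 'sqreen/rules/not_found_cb'
+require 'sqreen/rules/crawler_user_agent_matches_metrics_cb'
+require 'sqreen/rules/auth_track_cb'
+require 'sqreen/rules/signup_track_cb'
+require 'sqreen/rules/devise_auth_track_cb'
+require 'sqreen/rules/devise_signup_track_cb'
 
+require 'sqreen/rules/custom_error_cb'
+require 'sqreen/rules/waf_cb'
 
 ## Rules
 #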
@@ -1,8 +1,10 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/attrs'
|
|
7
|
+
require 'sqreen/rules/rule_cb'
|
|
6
8
|
require 'sqreen/safe_json'
|
|
7
9
|
|
|
8
10
|
module Sqreen
|
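--- a/data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb
+++ b/data/lib/sqreen/rules/binding_accessor_matcher_cb.rb
@@ -1,10 +1,12 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/
+require 'sqreen/rules/rule_cb'
 require 'sqreen/binding_accessor'
 require 'sqreen/mono_time'
-require 'sqreen/
+require 'sqreen/rules/matcher_rule'
 
 module Sqreen
 module Rules
@@ -49,9 +51,7 @@ module Sqreen
 end
 
 def pre(inst, args, budget = nil, &_block)
-unless budget.nil?
-finish = budget + Sqreen.time
-end
+finish = budget + Sqreen.time unless budget.nil?
 resol_cache = Hash.new do |hash, accessor|
 hash[accessor] = accessor.resolve(binding, framework, inst, args)
 end
@@ -62,9 +62,7 @@ module Sqreen
 next unless val.respond_to?(:each)
 next if val.respond_to?(:seek)
 val.each do |v|
-if !budget.nil? && Sqreen.time > finish
-return nil
-end
+return nil if !budget.nil? && Sqreen.time > finish
 next if !v.is_a?(String) || (!matcher.min_size.nil? && v.size < matcher.min_size)
 next if v.size > MAX_LENGTH
 next if matcher.match(v).nil?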
@@ -1,7 +1,9 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/rule_cb'
|
|
5
7
|
require 'sqreen/binding_accessor'
|
|
6
8
|
require 'sqreen/events/remote_exception'
|
|
7
9
|
|
|
@@ -1,9 +1,12 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
6
|
require 'sqreen/trie'
|
|
7
|
+
require 'sqreen/prefix'
|
|
5
8
|
|
|
6
|
-
require 'sqreen/
|
|
9
|
+
require 'sqreen/rules/rule_cb'
|
|
7
10
|
|
|
8
11
|
module Sqreen
|
|
9
12
|
module Rules
|
|
@@ -46,7 +49,7 @@ module Sqreen
|
|
|
46
49
|
def find_blacklisted_ip(rip)
|
|
47
50
|
begin
|
|
48
51
|
ipa = IPAddr.new(rip)
|
|
49
|
-
rescue
|
|
52
|
+
rescue StandardError
|
|
50
53
|
Sqreen.log.info "invalid IP address given by framework: #{rip}"
|
|
51
54
|
return nil
|
|
52
55
|
end
|
|
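Review bot: In the `rescue StandardError` branch of `find_blacklisted_ip`, the rejected `rip` is interpolated into the log line verbatim; per the message it is whatever the framework supplied as the client address, so a value containing newlines or control characters lands in the log unescaped and can break up the line. Logging the inspected form keeps the entry on one line and still shows the bad input: `Sqreen.log.info "invalid IP address given by framework: #{rip.inspect}"`. The change from bare `rescue` to `rescue StandardError` is behaviour-preserving, so that is the only thing the hunk still needs; the rest of `find_blacklisted_ip` lies outside the hunk.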
@@ -1,8 +1,10 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/attrs'
|
|
7
|
+
require 'sqreen/rules/rule_cb'
|
|
6
8
|
require 'sqreen/safe_json'
|
|
7
9
|
|
|
8
10
|
module Sqreen
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/matcher_rule'
|
|
5
7
|
require 'sqreen/frameworks'
|
|
6
8
|
|
|
7
9
|
module Sqreen
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/matcher_rule'
|
|
5
7
|
require 'sqreen/frameworks'
|
|
6
8
|
|
|
7
9
|
module Sqreen
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/rule_cb'
|
|
5
7
|
require 'sqreen/exception'
|
|
6
8
|
|
|
7
9
|
module Sqreen
|
|
@@ -1,8 +1,10 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/attrs'
|
|
7
|
+
require 'sqreen/rules/rule_cb'
|
|
6
8
|
require 'sqreen/safe_json'
|
|
7
9
|
|
|
8
10
|
module Sqreen
|
|
@@ -1,8 +1,10 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
require 'sqreen/
|
|
5
|
-
require 'sqreen/
|
|
6
|
+
require 'sqreen/rules/attrs'
|
|
7
|
+
require 'sqreen/rules/rule_cb'
|
|
6
8
|
require 'sqreen/safe_json'
|
|
7
9
|
|
|
8
10
|
module Sqreen
|
|
@@ -1,11 +1,12 @@
|
|
|
1
|
+
# typed: ignore
|
|
2
|
+
|
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
|
3
5
|
|
|
4
|
-
|
|
5
6
|
require 'sqreen/js/js_service'
|
|
6
7
|
|
|
7
|
-
require 'sqreen/
|
|
8
|
-
require 'sqreen/
|
|
8
|
+
require 'sqreen/rules/attrs'
|
|
9
|
+
require 'sqreen/rules/rule_cb'
|
|
9
10
|
require 'sqreen/condition_evaluator'
|
|
10
11
|
require 'sqreen/binding_accessor'
|
|
11
12
|
require 'sqreen/events/remote_exception'
|
|
@@ -14,7 +15,6 @@ module Sqreen
|
|
|
14
15
|
module Rules
|
|
15
16
|
# Exec js callbacks
|
|
16
17
|
class ExecJSCB < RuleCB
|
|
17
|
-
|
|
18
18
|
class << self
|
|
19
19
|
# @return [Sqreen::Js::JsService]
|
|
20
20
|
def js_service
|
|
@@ -77,7 +77,7 @@ module Sqreen
|
|
|
77
77
|
when NilClass
|
|
78
78
|
false
|
|
79
79
|
when Hash
|
|
80
|
-
ret.keys.each do |k|
|
|
80
|
+
ret.keys.each do |k| # rubocop:disable Performance/HashEachMethods
|
|
81
81
|
ret[(begin
|
|
82
82
|
k.to_sym
|
|
83
83
|
rescue StandardError
|
|
@@ -119,7 +119,6 @@ module Sqreen
|
|
|
119
119
|
|
|
120
120
|
# XXX: budgets was not subtracted from
|
|
121
121
|
call_callback(name, budget, inst, new_ba_args, args, rv)
|
|
122
|
-
|
|
123
122
|
rescue StandardError => e
|
|
124
123
|
Sqreen.log.warn { "Caught JS callback exception: #{e.inspect}" }
|
|
125
124
|
Sqreen.log.debug e.backtrace
|
|
@@ -127,10 +126,11 @@ module Sqreen
|
|
|
127
126
|
nil
|
|
128
127
|
end
|
|
129
128
|
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
129
|
+
class << self
|
|
130
|
+
def build_accessors(reqs)
|
|
131
|
+
reqs.map do |req|
|
|
132
|
+
BindingAccessor.new(req, true)
|
|
133
|
+
end
|
|
134
134
|
end
|
|
135
135
|
end
|
|
136
136
|
|
|
@@ -176,10 +176,10 @@ module Sqreen
|
|
|
176
176
|
next unless haystack_idx
|
|
177
177
|
|
|
178
178
|
arguments[haystack_idx] = ArgumentFilter.hash_val_included(
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
179
|
+
arguments[needed_idx],
|
|
180
|
+
arguments[haystack_idx],
|
|
181
|
+
min_length.to_i,
|
|
182
|
+
MAX_DEPTH
|
|
183
183
|
)
|
|
184
184
|
end
|
|
185
185
|
|
|
@@ -193,7 +193,7 @@ module Sqreen
|
|
|
193
193
|
next unless args_or_func.is_a?(Array)
|
|
194
194
|
args_bas = args_or_func[0..-2] unless args_or_func.empty?
|
|
195
195
|
@ba_expressions[name] =
|
|
196
|
-
|
|
196
|
+
ExecJSCB.build_accessors(args_bas).map(&:expression)
|
|
197
197
|
end
|
|
198
198
|
end
|
|
199
199
|
|
|
@@ -212,47 +212,48 @@ module Sqreen
|
|
|
212
212
|
end
|
|
213
213
|
end
|
|
214
214
|
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
|
|
240
|
-
|
|
215
|
+
class << self
|
|
216
|
+
def hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
|
|
217
|
+
new_obj = {}
|
|
218
|
+
insert = []
|
|
219
|
+
to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
|
|
220
|
+
until to_do.empty?
|
|
221
|
+
where, key, value, deepness = to_do.pop
|
|
222
|
+
safe_key = key.is_a?(Integer) ? key : key.to_s
|
|
223
|
+
if value.is_a?(Hash) && deepness < max_depth
|
|
224
|
+
val = {}
|
|
225
|
+
insert << [where, safe_key, val]
|
|
226
|
+
to_do += value.map { |k, v| [val, k, v, deepness + 1] }
|
|
227
|
+
elsif value.is_a?(Array) && deepness < max_depth
|
|
228
|
+
val = []
|
|
229
|
+
insert << [where, safe_key, val]
|
|
230
|
+
i = -1
|
|
231
|
+
to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
|
|
232
|
+
elsif deepness >= max_depth # if we are after max_depth don't try to filter
|
|
233
|
+
insert << [where, safe_key, value]
|
|
234
|
+
else
|
|
235
|
+
v = value.to_s
|
|
236
|
+
if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
|
|
237
|
+
case where
|
|
238
|
+
when Array
|
|
239
|
+
where << value
|
|
240
|
+
else
|
|
241
|
+
where[safe_key] = value
|
|
242
|
+
end
|
|
241
243
|
end
|
|
242
244
|
end
|
|
243
245
|
end
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
246
|
+
insert.reverse.each do |wh, ikey, ival|
|
|
247
|
+
case wh
|
|
248
|
+
when Array
|
|
249
|
+
wh << ival unless ival.respond_to?(:empty?) && ival.empty?
|
|
250
|
+
else
|
|
251
|
+
wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
|
|
252
|
+
end
|
|
251
253
|
end
|
|
254
|
+
new_obj
|
|
252
255
|
end
|
|
253
|
-
new_obj
|
|
254
256
|
end
|
|
255
257
|
end
|
|
256
258
|
end
|
|
257
259
|
end
|
|
258
|
-
|
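Review bot: In `hash_val_included`, the `elsif deepness >= max_depth` branch copies the whole remaining subtree into the result unfiltered (`insert << [where, safe_key, value]`), so the `min_length` / `ConditionEvaluator.str_include?` check that every shallower leaf must pass is skipped for anything nested deeper than `max_depth` (20 by default, `MAX_DEPTH` at the call site); if the filter is meant to bound what reaches the JS callback, dropping the subtree would be the safer default, and either way the inline comment should state that the pass-through is deliberate. A smaller point: matching array elements are appended to `where` in pop order of the `to_do` stack, i.e. reversed relative to the source array, while nested containers are appended afterwards from `insert.reverse`, so element order in the filtered copy does not follow the original — worth a comment if no caller depends on order. The removed side of this hunk is blank on the rendered page, so I cannot tell how much of this logic is new versus moved into `class << self`.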