sqreen 1.18.2-java → 1.19.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (184)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +35 -0
  3. data/LICENSE +3 -0
  4. data/lib/sqreen.rb +2 -0
  5. data/lib/sqreen/actions.rb +13 -337
  6. data/lib/sqreen/actions/actions_index.rb +16 -0
  7. data/lib/sqreen/actions/base.rb +104 -0
  8. data/lib/sqreen/actions/block_ip.rb +34 -0
  9. data/lib/sqreen/actions/block_user.rb +46 -0
  10. data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
  11. data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
  12. data/lib/sqreen/actions/redirect_ip.rb +42 -0
  13. data/lib/sqreen/actions/redirect_user.rb +47 -0
  14. data/lib/sqreen/actions/repository.rb +43 -0
  15. data/lib/sqreen/actions/unknown_action_type.rb +20 -0
  16. data/lib/sqreen/actions/user_action_class.rb +16 -0
  17. data/lib/sqreen/actions/users_index.rb +35 -0
  18. data/lib/sqreen/agent.rb +6 -2
  19. data/lib/sqreen/attack_blocked.rb +19 -0
  20. data/lib/sqreen/backport.rb +2 -0
  21. data/lib/sqreen/backport/clock_gettime.rb +74 -0
  22. data/lib/sqreen/backport/original_name.rb +2 -0
  23. data/lib/sqreen/binding_accessor.rb +11 -102
  24. data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
  25. data/lib/sqreen/binding_accessor/transforms.rb +114 -0
  26. data/lib/sqreen/call_countable.rb +2 -0
  27. data/lib/sqreen/capped_queue.rb +4 -0
  28. data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
  29. data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
  30. data/lib/sqreen/condition_evaluator.rb +24 -5
  31. data/lib/sqreen/conditionable.rb +2 -0
  32. data/lib/sqreen/configuration.rb +19 -0
  33. data/lib/sqreen/context.rb +2 -0
  34. data/lib/sqreen/default_cb.rb +22 -0
  35. data/lib/sqreen/deferred_logger.rb +65 -0
  36. data/lib/sqreen/deliveries.rb +12 -0
  37. data/lib/sqreen/deliveries/batch.rb +9 -1
  38. data/lib/sqreen/deliveries/simple.rb +7 -0
  39. data/lib/sqreen/dependency.rb +3 -1
  40. data/lib/sqreen/dependency/detector.rb +22 -14
  41. data/lib/sqreen/dependency/libsqreen.rb +32 -0
  42. data/lib/sqreen/dependency/new_relic.rb +2 -0
  43. data/lib/sqreen/dependency/rack.rb +10 -5
  44. data/lib/sqreen/dependency/rails.rb +8 -0
  45. data/lib/sqreen/dependency/sentry.rb +2 -0
  46. data/lib/sqreen/dependency/sinatra.rb +58 -14
  47. data/lib/sqreen/encoding_sanitizer.rb +2 -0
  48. data/lib/sqreen/error_handling_middleware.rb +32 -0
  49. data/lib/sqreen/event.rb +4 -0
  50. data/lib/sqreen/events/attack.rb +4 -0
  51. data/lib/sqreen/events/remote_exception.rb +2 -0
  52. data/lib/sqreen/events/request_record.rb +13 -56
  53. data/lib/sqreen/exception.rb +11 -40
  54. data/lib/sqreen/formatter_with_tid.rb +47 -0
  55. data/lib/sqreen/framework_cb.rb +30 -0
  56. data/lib/sqreen/frameworks.rb +9 -0
  57. data/lib/sqreen/frameworks/generic.rb +22 -2
  58. data/lib/sqreen/frameworks/rails.rb +3 -0
  59. data/lib/sqreen/frameworks/rails3.rb +2 -0
  60. data/lib/sqreen/frameworks/request_recorder.rb +5 -0
  61. data/lib/sqreen/frameworks/sinatra.rb +4 -0
  62. data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
  63. data/lib/sqreen/graft.rb +12 -0
  64. data/lib/sqreen/graft/call.rb +150 -0
  65. data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
  66. data/lib/sqreen/graft/hook.rb +316 -0
  67. data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
  68. data/lib/sqreen/graft/hook_point_error.rb +10 -0
  69. data/lib/sqreen/invalid_signature_exception.rb +10 -0
  70. data/lib/sqreen/js.rb +11 -0
  71. data/lib/sqreen/js/call_context.rb +12 -0
  72. data/lib/sqreen/js/context_pool.rb +62 -0
  73. data/lib/sqreen/js/exec_js_runnable.rb +22 -0
  74. data/lib/sqreen/js/execjs_adapter.rb +8 -47
  75. data/lib/sqreen/js/executable_js.rb +14 -0
  76. data/lib/sqreen/js/js_service.rb +4 -22
  77. data/lib/sqreen/js/js_service_adapter.rb +20 -0
  78. data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
  79. data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
  80. data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
  81. data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
  82. data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
  83. data/lib/sqreen/log.rb +10 -188
  84. data/lib/sqreen/log/loggable.rb +28 -0
  85. data/lib/sqreen/logger.rb +85 -0
  86. data/lib/sqreen/metrics.rb +2 -0
  87. data/lib/sqreen/metrics/average.rb +2 -0
  88. data/lib/sqreen/metrics/base.rb +2 -0
  89. data/lib/sqreen/metrics/binning.rb +2 -0
  90. data/lib/sqreen/metrics/collect.rb +2 -0
  91. data/lib/sqreen/metrics/sum.rb +2 -0
  92. data/lib/sqreen/metrics_store.rb +5 -11
  93. data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
  94. data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
  95. data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
  96. data/lib/sqreen/middleware.rb +2 -34
  97. data/lib/sqreen/mono_time.rb +4 -0
  98. data/lib/sqreen/node.rb +46 -0
  99. data/lib/sqreen/not_implemented_yet.rb +10 -0
  100. data/lib/sqreen/null_logger.rb +26 -0
  101. data/lib/sqreen/payload_creator.rb +4 -19
  102. data/lib/sqreen/payload_creator/header_section.rb +30 -0
  103. data/lib/sqreen/performance_notifications.rb +2 -0
  104. data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
  105. data/lib/sqreen/performance_notifications/log.rb +2 -0
  106. data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
  107. data/lib/sqreen/performance_notifications/metrics.rb +2 -0
  108. data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
  109. data/lib/sqreen/prefix.rb +35 -0
  110. data/lib/sqreen/rails_middleware.rb +16 -0
  111. data/lib/sqreen/remote_command.rb +3 -8
  112. data/lib/sqreen/remote_command/failure_output.rb +16 -0
  113. data/lib/sqreen/rules.rb +34 -2
  114. data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
  115. data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
  116. data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
  117. data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
  118. data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
  119. data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
  120. data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
  121. data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
  122. data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
  123. data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
  124. data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
  125. data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
  126. data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
  127. data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
  128. data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
  129. data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
  130. data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
  131. data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
  132. data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
  133. data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
  134. data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
  135. data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
  136. data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
  137. data/lib/sqreen/rules/update_request_context.rb +22 -0
  138. data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
  139. data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
  140. data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
  141. data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
  142. data/lib/sqreen/run_when_called_cb.rb +23 -0
  143. data/lib/sqreen/runner.rb +25 -7
  144. data/lib/sqreen/runtime_infos.rb +4 -9
  145. data/lib/sqreen/safe_json.rb +2 -0
  146. data/lib/sqreen/sdk.rb +4 -0
  147. data/lib/sqreen/sensitive_data_redactor.rb +113 -0
  148. data/lib/sqreen/serializer.rb +2 -0
  149. data/lib/sqreen/session.rb +2 -0
  150. data/lib/sqreen/shared_storage.rb +2 -0
  151. data/lib/sqreen/shared_storage23.rb +2 -0
  152. data/lib/sqreen/shrink_wrap.rb +16 -0
  153. data/lib/sqreen/signature_verifier.rb +22 -0
  154. data/lib/sqreen/sinatra_middleware.rb +16 -0
  155. data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
  156. data/lib/sqreen/token_invalid_exception.rb +10 -0
  157. data/lib/sqreen/token_not_found_exception.rb +11 -0
  158. data/lib/sqreen/trie.rb +5 -64
  159. data/lib/sqreen/unauthorized.rb +10 -0
  160. data/lib/sqreen/util.rb +7 -0
  161. data/lib/sqreen/util/capped_array.rb +35 -0
  162. data/lib/sqreen/util/capped_hash.rb +41 -0
  163. data/lib/sqreen/util/capped_string.rb +26 -0
  164. data/lib/sqreen/util/capper.rb +67 -0
  165. data/lib/sqreen/version.rb +3 -1
  166. data/lib/sqreen/waf_error.rb +20 -0
  167. data/lib/sqreen/weave.rb +12 -0
  168. data/lib/sqreen/weave/hardcoded.rb +19 -0
  169. data/lib/sqreen/weave/instrumentor.rb +48 -0
  170. data/lib/sqreen/weave/legacy.rb +12 -0
  171. data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
  172. data/lib/sqreen/web_server.rb +2 -0
  173. data/lib/sqreen/web_server/generic.rb +2 -0
  174. data/lib/sqreen/web_server/passenger.rb +2 -0
  175. data/lib/sqreen/web_server/puma.rb +2 -0
  176. data/lib/sqreen/web_server/rainbows.rb +2 -0
  177. data/lib/sqreen/web_server/thin.rb +2 -0
  178. data/lib/sqreen/web_server/unicorn.rb +2 -0
  179. data/lib/sqreen/web_server/webrick.rb +2 -0
  180. data/lib/sqreen/worker.rb +2 -0
  181. metadata +105 -39
  182. data/lib/sqreen/dependency/hook.rb +0 -102
  183. data/lib/sqreen/rules_callbacks.rb +0 -35
  184. data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
@@ -1,12 +1,19 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
8
10
  # Display sqreen presence
9
11
  class HeadersInsertCB < RuleCB
12
+ def initialize(*args)
13
+ super
14
+ @overtimeable = false
15
+ end
16
+
10
17
  def post(rv, _inst, _args, _budget = nil, &_block)
11
18
  return unless rv && rv.respond_to?(:[]) && rv[1].is_a?(Hash)
12
19
  return nil unless @data
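Review bot: The new `initialize` at lines 12–15 uses bare `super`, while the other `initialize(*args)` overrides added in this release (`UpdateRequestContext`, `WAFCB`) write `super(*args)`; the two are equivalent here, so this is only a consistency point, and `super(*args)` would match them. The `@overtimeable = false` assignment is set in several callbacks in this diff without any explanation of what opting out of overtime means for the callback; a short comment on the class stating why this callback must not be skipped would help the next reader. `post` continues outside the hunk.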
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -13,7 +15,7 @@ module Sqreen
13
15
  res |= Regexp::MULTILINE if options.include?('multiline')
14
16
  res |= Regexp::IGNORECASE unless case_sensitive
15
17
  r = Regexp.compile(value, res)
16
- r.match('')
18
+ r =~ ''
17
19
  r
18
20
  end
19
21
 
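Review bot: `r =~ ''` at line 18 (replacing `r.match('')`) has no comment saying why a freshly compiled pattern is run against an empty string before being returned; `Regexp.compile` already raises `RegexpError` on invalid syntax, so the purpose is presumably a warm-up or an execution check, and that should be written down, e.g. `# run the pattern once so problems surface at rule load rather than on a request` (adjusted to the real reason). If no match data is needed and the supported Ruby range allows it (2.4+), `r.match?('')` does the same without allocating a `MatchData` or setting `$~`. The enclosing method starts outside the hunk.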
@@ -1,5 +1,10 @@
1
- require 'sqreen/rule_attributes'
2
- require 'sqreen/rule_callback'
1
+ # typed: ignore
2
+
3
+ # Copyright (c) 2015 Sqreen. All Rights Reserved.
4
+ # Please refer to our terms for more information: https://www.sqreen.com/terms.html
5
+
6
+ require 'sqreen/rules/attrs'
7
+ require 'sqreen/rules/rule_cb'
3
8
 
4
9
  module Sqreen
5
10
  module Rules
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -1,11 +1,13 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/callbacks'
6
+ require 'sqreen/framework_cb'
5
7
  require 'sqreen/context'
6
8
  require 'sqreen/conditionable'
7
9
  require 'sqreen/call_countable'
8
- require 'sqreen/rule_attributes'
10
+ require 'sqreen/rules/attrs'
9
11
  require 'sqreen/events/attack'
10
12
  require 'sqreen/events/remote_exception'
11
13
  require 'sqreen/payload_creator'
@@ -1,9 +1,13 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
  require 'sqreen/actions'
6
8
  require 'sqreen/middleware'
9
+ require 'sqreen/rails_middleware'
10
+ require 'sqreen/sinatra_middleware'
7
11
 
8
12
  module Sqreen
9
13
  module Rules
@@ -14,7 +18,7 @@ module Sqreen
14
18
  def initialize(framework)
15
19
  if defined?(Sqreen::Frameworks::SinatraFramework) &&
16
20
  framework.is_a?(Sqreen::Frameworks::SinatraFramework)
17
- super(Sinatra::ExtendedRack, :call)
21
+ super(Sqreen::SinatraMiddleware, :call)
18
22
  elsif defined?(Sqreen::Frameworks::RailsFramework) &&
19
23
  framework.is_a?(Sqreen::Frameworks::RailsFramework)
20
24
  super(Sqreen::RailsMiddleware, :call)
@@ -60,7 +64,7 @@ module Sqreen
60
64
 
61
65
  # @return [Sqreen::Actions::Repository]
62
66
  def actions_repo
63
- Sqreen::Actions::Repository.instance
67
+ Sqreen::Actions::Repository.current
64
68
  end
65
69
  end
66
70
  end
@@ -1,7 +1,9 @@
1
+ # typed: true
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
  require 'sqreen/actions'
6
8
 
7
9
  module Sqreen
@@ -28,7 +30,7 @@ module Sqreen
28
30
 
29
31
  # @return [Sqreen::Actions::Repository]
30
32
  def actions_repo
31
- Sqreen::Actions::Repository.instance
33
+ Sqreen::Actions::Repository.current
32
34
  end
33
35
  end
34
36
  end
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rules_callbacks/regexp_rule'
6
+ require 'sqreen/rules/regexp_rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -1,8 +1,10 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_attributes'
5
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/attrs'
7
+ require 'sqreen/rules/rule_cb'
6
8
  require 'sqreen/safe_json'
7
9
 
8
10
  module Sqreen
@@ -0,0 +1,22 @@
1
+ # typed: ignore
2
+
3
+ # Copyright (c) 2015 Sqreen. All Rights Reserved.
4
+ # Please refer to our terms for more information: https://www.sqreen.com/terms.html
5
+
6
+ require 'sqreen/rules/rule_cb'
7
+
8
+ module Sqreen
9
+ module Rules
10
+ class UpdateRequestContext < RuleCB
11
+ def initialize(*args)
12
+ super(*args)
13
+ @overtimeable = false
14
+ end
15
+
16
+ def pre(_inst, args, _budget = nil, &_block)
17
+ framework.store_request(args[0])
18
+ advise_action(nil)
19
+ end
20
+ end
21
+ end
22
+ end
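Review bot: `pre` at lines 16–19 stores `args[0]` without checking that an argument was given, so a hook fired with no arguments stores `nil` through `framework.store_request`; whether that clears or corrupts the current request depends on `store_request`, which is not visible here. If a missing request is not a valid state, `return advise_action(nil) if args.empty?` before the store makes the contract explicit. The class also has no doc comment; a line such as `# Records the hooked method's first argument as the current request on the framework` above `class UpdateRequestContext`, plus a note on why `@overtimeable = false` is set, would document it.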
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rules_callbacks/regexp_rule'
6
+ require 'sqreen/rules/regexp_rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rules_callbacks/regexp_rule'
6
+ require 'sqreen/rules/regexp_rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -1,43 +1,42 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
6
  require 'securerandom'
5
- require 'sqreen/rule_attributes'
7
+ require 'sqreen/rules/attrs'
6
8
  require 'sqreen/binding_accessor'
7
- require 'sqreen/rule_callback'
9
+ require 'sqreen/rules/rule_cb'
8
10
  require 'sqreen/safe_json'
9
11
  require 'sqreen/exception'
12
+ require 'sqreen/util/capper'
13
+ require 'sqreen/dependency/libsqreen'
14
+ require 'sqreen/encoding_sanitizer'
10
15
 
11
16
  module Sqreen
12
17
  module Rules
13
18
  class WAFCB < RuleCB
14
- BUDGET_MAX = 5000
15
-
16
- # TODO: move to Dependency
17
- begin
18
- require 'libsqreen'
19
- @libsqreen = true
20
- rescue LoadError
21
- Sqreen.log.warn('libsqreen gem not found')
22
- @libsqreen = false
23
- end
19
+ # 2^30 -1 or 2^62 -1
20
+ MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
21
+ # will be converted to a long, so better not to overflow
22
+ INFINITE_BUDGET_US = MAX_FIXNUM
24
23
 
25
24
  def self.libsqreen?
26
- @libsqreen
25
+ Sqreen::Dependency::LibSqreen.required?
27
26
  end
28
27
 
29
28
  def self.waf?
30
29
  Sqreen::Dependency.const_exist?('LibSqreen::WAF')
31
30
  end
32
31
 
33
- attr_reader :binding_accessors, :budget, :waf_rule_name
32
+ attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
34
33
 
35
34
  def initialize(*args)
36
35
  super(*args)
37
36
  @overtimeable = false
38
37
 
39
38
  unless WAFCB.libsqreen? && WAFCB.waf?
40
- Sqreen.log.warn('libsqreen gem not found')
39
+ Sqreen.log.warn('libsqreen gem with waf not found')
41
40
  return
42
41
  end
43
42
 
@@ -59,12 +58,17 @@ module Sqreen
59
58
  @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
60
59
  h[e] = BindingAccessor.new(e)
61
60
  end
62
- @budget = @data['values'].fetch('budget', BUDGET_MAX)
61
+
62
+ # 0 for using defaults (PW_RUN_TIMEOUT)
63
+ @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
64
+ @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
65
+
66
+ Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
63
67
 
64
68
  ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
65
69
  end
66
70
 
67
- def pre(instance, args, _budget)
71
+ def pre(instance, args, budget)
68
72
  return unless WAFCB.libsqreen? && WAFCB.waf?
69
73
 
70
74
  request = framework.request
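Review bot: `@max_run_budget_us` at line 63 multiplies `budget_in_ms` straight out of the rule data: a `nil` value raises `NoMethodError`, a numeric string is repeated 1000 times and then truncated by `to_i` to a wrong small number, and a negative value reaches `LibSqreen::WAF.run` as a negative long whose meaning the comment does not define (only 0 is documented as "use defaults"). Coercing and clamping closes all three: `@max_run_budget_us = (Float(@data['values'].fetch('budget_in_ms', 0)) * 1000).to_i` followed by `@max_run_budget_us = 0 if @max_run_budget_us < 0`, so a malformed rule fails loudly at load time instead of producing a silent wrong budget. `pre` continues outside the hunk.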
@@ -72,9 +76,25 @@ module Sqreen
72
76
 
73
77
  env = [binding, framework, instance, args]
74
78
 
75
- waf_args = Hash[binding_accessors.map { |e, b| [e, b.resolve(*env)] }]
79
+ start = Sqreen.time if budget
80
+
81
+ capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
82
+ waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
83
+ h[e] = capper.call(b.resolve(*env))
84
+ end
76
85
  waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
77
- action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, budget)
86
+
87
+ if budget
88
+ rem_budget_s = budget - (Sqreen.time - start)
89
+ return advise_action(nil) if rem_budget_s <= 0.0
90
+
91
+ waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
92
+ else # no budget
93
+ waf_gen_budget_us = INFINITE_BUDGET_US
94
+ end
95
+
96
+ action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
97
+ waf_gen_budget_us, @max_run_budget_us)
78
98
 
79
99
  case action
80
100
  when :monitor
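Review bot: When the remaining budget is already spent at line 89 the WAF run is skipped via `advise_action(nil)` and nothing is logged or counted, so a deployment whose budget is routinely exhausted before the WAF runs looks identical to one where the WAF inspects every request; a `Sqreen.log.debug { "WAF #{waf_rule_name} skipped, request budget exhausted" }` before the return (or a metric, if the metrics store is reachable here) makes that observable. The `Capper` at line 81 is built with literal caps on every request, and those caps (4096-character strings, 150 entries, depth 10) also define how much of each value the WAF gets to inspect, not just the cost of the call, so they deserve a frozen class-level constant with a comment stating that trade-off, e.g. `WAF_ARG_CAPS = { string_size_cap: 4096, size_cap: 150, depth_cap: 10 }.freeze`. `pre` starts and ends outside the hunk.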
@@ -106,13 +126,13 @@ module Sqreen
106
126
  lambda do |object_id|
107
127
  return unless WAFCB.libsqreen?
108
128
 
109
- ::LibSqreen::WAF.delete(waf_rule_name, waf_args, budget)
129
+ ::LibSqreen::WAF.delete(waf_rule_name)
110
130
  Sqreen.log.debug("WAF rule #{rule_name} deleted, from #<#{name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
111
131
  end
112
132
  end
113
133
 
114
134
  def record_exception(exception, infos = {}, at = Time.now.utc)
115
- infos.merge!(exception_to_infos(exception))
135
+ infos.merge!(exception_to_infos(exception)) if exception.is_a?(Sqreen::WAFError)
116
136
  super(exception, infos, at)
117
137
  end
118
138
 
@@ -1,10 +1,12 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
6
  require 'cgi'
5
7
 
6
- require 'sqreen/rule_callback'
7
- require 'sqreen/rules_callbacks/regexp_rule'
8
+ require 'sqreen/rules/rule_cb'
9
+ require 'sqreen/rules/regexp_rule_cb'
8
10
 
9
11
  # Sqreen module
10
12
  module Sqreen
@@ -21,6 +23,7 @@ module Sqreen
21
23
  return nil unless framework
22
24
  framework.xss_params(@union_pattern)
23
25
  end
26
+
24
27
  # The remaining code is only to find out if user entry was an attack,
25
28
  # and record it. Since we don't rely on it to respond to user, it would
26
29
  # be better to do it in background.
@@ -36,6 +39,7 @@ module Sqreen
36
39
  true
37
40
  end
38
41
  end
42
+
39
43
  class ReflectedUnsafeXSSCB < XSSCB
40
44
  def pre(_inst, args, _budget = nil, &_block)
41
45
  value = args[0]
@@ -52,13 +56,12 @@ module Sqreen
52
56
  return unless report_dangerous_xss?(saved_value)
53
57
 
54
58
  # potential XSS! let's escape
55
- if block
56
- args[0].replace(CGI.escape_html(value))
57
- end
59
+ args[0].replace(CGI.escape_html(value)) if block
58
60
 
59
61
  advise_action(nil)
60
62
  end
61
63
  end
64
+
62
65
  # look for reflected XSS with erb template engine
63
66
  class ReflectedXSSCB < XSSCB
64
67
  def pre(_inst, args, _budget = nil, &_block)
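Review bot: `args[0].replace(CGI.escape_html(value)) if block` at line 59 escapes in place, which raises `FrozenError` (a `RuntimeError` on Rubies before 2.5) if the caller passed a frozen string, so for that input the hook errors rather than escapes; whether the callback runner rescues the error and lets the unescaped value through is not visible here. If frozen inputs are possible, checking `args[0].frozen?` and falling back to an override-style return (as the haml hook in this file does with `:status => :override`) would keep the escape on that path. `ReflectedUnsafeXSSCB#pre` starts outside the hunk.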
@@ -84,6 +87,7 @@ module Sqreen
84
87
  advise_action(nil)
85
88
  end
86
89
  end
90
+
87
91
  # look for reflected XSS with haml template engine
88
92
  # hook function arguments of
89
93
  # Haml::Buffer.format_script(result, preserve_script, in_tag, preserve_tag,
@@ -145,7 +149,7 @@ module Sqreen
145
149
  if tag.value[:escape_html] == false &&
146
150
  tag.value[:value].respond_to?(:include?) &&
147
151
  !tag.value[:value].include?('html_escape') &&
148
- tag.value[:parse] == true
152
+ tag.value[:parse] == true
149
153
  tag.value[:value] = "Sqreen.escape_haml((#{tag.value[:value]}))"
150
154
  return { :status => :override, :new_return_value => tag }
151
155
  end
@@ -172,7 +176,8 @@ module Sqreen
172
176
  res << '#{'
173
177
  else
174
178
  # Use eval to get rid of string escapes
175
- content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"')
179
+ # TODO: look for eval removal
180
+ content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"') # rubocop:disable Security/Eval
176
181
  content = "Haml::Helpers.html_escape((#{content}))" if escape_html
177
182
  res << '#{Sqreen.escape_haml((' + content + '))}'
178
183
  end
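Review bot: The `# TODO: look for eval removal` at line 179 does not say what `scan` holds, so a reader cannot judge whether the `rubocop:disable Security/Eval` on line 180 is acceptable; from the surrounding `Haml::Util.balance` call this appears to be Haml template source being re-parsed, i.e. developer-authored text rather than request data, but that assumption should be stated: `# eval re-parses a string literal taken from the Haml template source (not request data); see TODO above`. If the assumption is wrong the TODO becomes urgent rather than cosmetic. The enclosing method starts and ends outside the hunk.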
@@ -0,0 +1,23 @@
1
+ # typed: true
2
+
3
+ # Copyright (c) 2015 Sqreen. All Rights Reserved.
4
+ # Please refer to our terms for more information: https://www.sqreen.com/terms.html
5
+
6
+ require 'sqreen/cb'
7
+
8
+ module Sqreen
9
+ class RunWhenCalledCB < CB
10
+ def initialize(klass, method, &block)
11
+ super(klass, method)
12
+
13
+ raise 'missing block' unless block_given?
14
+ @block = block
15
+ end
16
+
17
+ def pre(_inst, _args, _budget = nil, &_block)
18
+ # FIXME: implement this removal
19
+ @remove_me = true
20
+ @block.call
21
+ end
22
+ end
23
+ end
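Review bot: `pre` at lines 17–21 returns whatever `@block.call` returns, while every other `pre` in this release ends with `advise_action(nil)`; if the callback runner interprets return values (the haml hook in this release returns `{ :status => :override, ... }`), a block that happens to return a Hash could be read as an action, so ending the method with `@block.call` followed by `nil` is safer. `raise 'missing block'` raises a bare `RuntimeError`; `raise ArgumentError, 'missing block'` names the actual problem. `@remove_me = true` is a no-op until the FIXME is resolved, so the block currently fires on every call rather than once; if run-once is the intent, the FIXME should say so.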