sqreen 1.18.2-java → 1.19.0-java

Sign up to get free protection for your applications and to get access to all the features.
Files changed (184) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +35 -0
  3. data/LICENSE +3 -0
  4. data/lib/sqreen.rb +2 -0
  5. data/lib/sqreen/actions.rb +13 -337
  6. data/lib/sqreen/actions/actions_index.rb +16 -0
  7. data/lib/sqreen/actions/base.rb +104 -0
  8. data/lib/sqreen/actions/block_ip.rb +34 -0
  9. data/lib/sqreen/actions/block_user.rb +46 -0
  10. data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
  11. data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
  12. data/lib/sqreen/actions/redirect_ip.rb +42 -0
  13. data/lib/sqreen/actions/redirect_user.rb +47 -0
  14. data/lib/sqreen/actions/repository.rb +43 -0
  15. data/lib/sqreen/actions/unknown_action_type.rb +20 -0
  16. data/lib/sqreen/actions/user_action_class.rb +16 -0
  17. data/lib/sqreen/actions/users_index.rb +35 -0
  18. data/lib/sqreen/agent.rb +6 -2
  19. data/lib/sqreen/attack_blocked.rb +19 -0
  20. data/lib/sqreen/backport.rb +2 -0
  21. data/lib/sqreen/backport/clock_gettime.rb +74 -0
  22. data/lib/sqreen/backport/original_name.rb +2 -0
  23. data/lib/sqreen/binding_accessor.rb +11 -102
  24. data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
  25. data/lib/sqreen/binding_accessor/transforms.rb +114 -0
  26. data/lib/sqreen/call_countable.rb +2 -0
  27. data/lib/sqreen/capped_queue.rb +4 -0
  28. data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
  29. data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
  30. data/lib/sqreen/condition_evaluator.rb +24 -5
  31. data/lib/sqreen/conditionable.rb +2 -0
  32. data/lib/sqreen/configuration.rb +19 -0
  33. data/lib/sqreen/context.rb +2 -0
  34. data/lib/sqreen/default_cb.rb +22 -0
  35. data/lib/sqreen/deferred_logger.rb +65 -0
  36. data/lib/sqreen/deliveries.rb +12 -0
  37. data/lib/sqreen/deliveries/batch.rb +9 -1
  38. data/lib/sqreen/deliveries/simple.rb +7 -0
  39. data/lib/sqreen/dependency.rb +3 -1
  40. data/lib/sqreen/dependency/detector.rb +22 -14
  41. data/lib/sqreen/dependency/libsqreen.rb +32 -0
  42. data/lib/sqreen/dependency/new_relic.rb +2 -0
  43. data/lib/sqreen/dependency/rack.rb +10 -5
  44. data/lib/sqreen/dependency/rails.rb +8 -0
  45. data/lib/sqreen/dependency/sentry.rb +2 -0
  46. data/lib/sqreen/dependency/sinatra.rb +58 -14
  47. data/lib/sqreen/encoding_sanitizer.rb +2 -0
  48. data/lib/sqreen/error_handling_middleware.rb +32 -0
  49. data/lib/sqreen/event.rb +4 -0
  50. data/lib/sqreen/events/attack.rb +4 -0
  51. data/lib/sqreen/events/remote_exception.rb +2 -0
  52. data/lib/sqreen/events/request_record.rb +13 -56
  53. data/lib/sqreen/exception.rb +11 -40
  54. data/lib/sqreen/formatter_with_tid.rb +47 -0
  55. data/lib/sqreen/framework_cb.rb +30 -0
  56. data/lib/sqreen/frameworks.rb +9 -0
  57. data/lib/sqreen/frameworks/generic.rb +22 -2
  58. data/lib/sqreen/frameworks/rails.rb +3 -0
  59. data/lib/sqreen/frameworks/rails3.rb +2 -0
  60. data/lib/sqreen/frameworks/request_recorder.rb +5 -0
  61. data/lib/sqreen/frameworks/sinatra.rb +4 -0
  62. data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
  63. data/lib/sqreen/graft.rb +12 -0
  64. data/lib/sqreen/graft/call.rb +150 -0
  65. data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
  66. data/lib/sqreen/graft/hook.rb +316 -0
  67. data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
  68. data/lib/sqreen/graft/hook_point_error.rb +10 -0
  69. data/lib/sqreen/invalid_signature_exception.rb +10 -0
  70. data/lib/sqreen/js.rb +11 -0
  71. data/lib/sqreen/js/call_context.rb +12 -0
  72. data/lib/sqreen/js/context_pool.rb +62 -0
  73. data/lib/sqreen/js/exec_js_runnable.rb +22 -0
  74. data/lib/sqreen/js/execjs_adapter.rb +8 -47
  75. data/lib/sqreen/js/executable_js.rb +14 -0
  76. data/lib/sqreen/js/js_service.rb +4 -22
  77. data/lib/sqreen/js/js_service_adapter.rb +20 -0
  78. data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
  79. data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
  80. data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
  81. data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
  82. data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
  83. data/lib/sqreen/log.rb +10 -188
  84. data/lib/sqreen/log/loggable.rb +28 -0
  85. data/lib/sqreen/logger.rb +85 -0
  86. data/lib/sqreen/metrics.rb +2 -0
  87. data/lib/sqreen/metrics/average.rb +2 -0
  88. data/lib/sqreen/metrics/base.rb +2 -0
  89. data/lib/sqreen/metrics/binning.rb +2 -0
  90. data/lib/sqreen/metrics/collect.rb +2 -0
  91. data/lib/sqreen/metrics/sum.rb +2 -0
  92. data/lib/sqreen/metrics_store.rb +5 -11
  93. data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
  94. data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
  95. data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
  96. data/lib/sqreen/middleware.rb +2 -34
  97. data/lib/sqreen/mono_time.rb +4 -0
  98. data/lib/sqreen/node.rb +46 -0
  99. data/lib/sqreen/not_implemented_yet.rb +10 -0
  100. data/lib/sqreen/null_logger.rb +26 -0
  101. data/lib/sqreen/payload_creator.rb +4 -19
  102. data/lib/sqreen/payload_creator/header_section.rb +30 -0
  103. data/lib/sqreen/performance_notifications.rb +2 -0
  104. data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
  105. data/lib/sqreen/performance_notifications/log.rb +2 -0
  106. data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
  107. data/lib/sqreen/performance_notifications/metrics.rb +2 -0
  108. data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
  109. data/lib/sqreen/prefix.rb +35 -0
  110. data/lib/sqreen/rails_middleware.rb +16 -0
  111. data/lib/sqreen/remote_command.rb +3 -8
  112. data/lib/sqreen/remote_command/failure_output.rb +16 -0
  113. data/lib/sqreen/rules.rb +34 -2
  114. data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
  115. data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
  116. data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
  117. data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
  118. data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
  119. data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
  120. data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
  121. data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
  122. data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
  123. data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
  124. data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
  125. data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
  126. data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
  127. data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
  128. data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
  129. data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
  130. data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
  131. data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
  132. data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
  133. data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
  134. data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
  135. data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
  136. data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
  137. data/lib/sqreen/rules/update_request_context.rb +22 -0
  138. data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
  139. data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
  140. data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
  141. data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
  142. data/lib/sqreen/run_when_called_cb.rb +23 -0
  143. data/lib/sqreen/runner.rb +25 -7
  144. data/lib/sqreen/runtime_infos.rb +4 -9
  145. data/lib/sqreen/safe_json.rb +2 -0
  146. data/lib/sqreen/sdk.rb +4 -0
  147. data/lib/sqreen/sensitive_data_redactor.rb +113 -0
  148. data/lib/sqreen/serializer.rb +2 -0
  149. data/lib/sqreen/session.rb +2 -0
  150. data/lib/sqreen/shared_storage.rb +2 -0
  151. data/lib/sqreen/shared_storage23.rb +2 -0
  152. data/lib/sqreen/shrink_wrap.rb +16 -0
  153. data/lib/sqreen/signature_verifier.rb +22 -0
  154. data/lib/sqreen/sinatra_middleware.rb +16 -0
  155. data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
  156. data/lib/sqreen/token_invalid_exception.rb +10 -0
  157. data/lib/sqreen/token_not_found_exception.rb +11 -0
  158. data/lib/sqreen/trie.rb +5 -64
  159. data/lib/sqreen/unauthorized.rb +10 -0
  160. data/lib/sqreen/util.rb +7 -0
  161. data/lib/sqreen/util/capped_array.rb +35 -0
  162. data/lib/sqreen/util/capped_hash.rb +41 -0
  163. data/lib/sqreen/util/capped_string.rb +26 -0
  164. data/lib/sqreen/util/capper.rb +67 -0
  165. data/lib/sqreen/version.rb +3 -1
  166. data/lib/sqreen/waf_error.rb +20 -0
  167. data/lib/sqreen/weave.rb +12 -0
  168. data/lib/sqreen/weave/hardcoded.rb +19 -0
  169. data/lib/sqreen/weave/instrumentor.rb +48 -0
  170. data/lib/sqreen/weave/legacy.rb +12 -0
  171. data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
  172. data/lib/sqreen/web_server.rb +2 -0
  173. data/lib/sqreen/web_server/generic.rb +2 -0
  174. data/lib/sqreen/web_server/passenger.rb +2 -0
  175. data/lib/sqreen/web_server/puma.rb +2 -0
  176. data/lib/sqreen/web_server/rainbows.rb +2 -0
  177. data/lib/sqreen/web_server/thin.rb +2 -0
  178. data/lib/sqreen/web_server/unicorn.rb +2 -0
  179. data/lib/sqreen/web_server/webrick.rb +2 -0
  180. data/lib/sqreen/worker.rb +2 -0
  181. metadata +105 -39
  182. data/lib/sqreen/dependency/hook.rb +0 -102
  183. data/lib/sqreen/rules_callbacks.rb +0 -35
  184. data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} RENAMED
@@ -1,12 +1,19 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
8
10
  # Display sqreen presence
9
11
  class HeadersInsertCB < RuleCB
12
+ def initialize(*args)
13
+ super
14
+ @overtimeable = false
15
+ end
16
+
10
17
  def post(rv, _inst, _args, _budget = nil, &_block)
11
18
  return unless rv && rv.respond_to?(:[]) && rv[1].is_a?(Hash)
12
19
  return nil unless @data
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
@@ -13,7 +15,7 @@ module Sqreen
13
15
  res |= Regexp::MULTILINE if options.include?('multiline')
14
16
  res |= Regexp::IGNORECASE unless case_sensitive
15
17
  r = Regexp.compile(value, res)
16
- r.match('')
18
+ r =~ ''
17
19
  r
18
20
  end
19
21
 
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} RENAMED
@@ -1,5 +1,10 @@
1
- require 'sqreen/rule_attributes'
2
- require 'sqreen/rule_callback'
1
+ # typed: ignore
2
+
3
+ # Copyright (c) 2015 Sqreen. All Rights Reserved.
4
+ # Please refer to our terms for more information: https://www.sqreen.com/terms.html
5
+
6
+ require 'sqreen/rules/attrs'
7
+ require 'sqreen/rules/rule_cb'
3
8
 
4
9
  module Sqreen
5
10
  module Rules
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} RENAMED
@@ -1,11 +1,13 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/callbacks'
6
+ require 'sqreen/framework_cb'
5
7
  require 'sqreen/context'
6
8
  require 'sqreen/conditionable'
7
9
  require 'sqreen/call_countable'
8
- require 'sqreen/rule_attributes'
10
+ require 'sqreen/rules/attrs'
9
11
  require 'sqreen/events/attack'
10
12
  require 'sqreen/events/remote_exception'
11
13
  require 'sqreen/payload_creator'
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb RENAMED
@@ -1,9 +1,13 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
  require 'sqreen/actions'
6
8
  require 'sqreen/middleware'
9
+ require 'sqreen/rails_middleware'
10
+ require 'sqreen/sinatra_middleware'
7
11
 
8
12
  module Sqreen
9
13
  module Rules
@@ -14,7 +18,7 @@ module Sqreen
14
18
  def initialize(framework)
15
19
  if defined?(Sqreen::Frameworks::SinatraFramework) &&
16
20
  framework.is_a?(Sqreen::Frameworks::SinatraFramework)
17
- super(Sinatra::ExtendedRack, :call)
21
+ super(Sqreen::SinatraMiddleware, :call)
18
22
  elsif defined?(Sqreen::Frameworks::RailsFramework) &&
19
23
  framework.is_a?(Sqreen::Frameworks::RailsFramework)
20
24
  super(Sqreen::RailsMiddleware, :call)
@@ -60,7 +64,7 @@ module Sqreen
60
64
 
61
65
  # @return [Sqreen::Actions::Repository]
62
66
  def actions_repo
63
- Sqreen::Actions::Repository.instance
67
+ Sqreen::Actions::Repository.current
64
68
  end
65
69
  end
66
70
  end
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: true
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/rule_cb'
5
7
  require 'sqreen/actions'
6
8
 
7
9
  module Sqreen
@@ -28,7 +30,7 @@ module Sqreen
28
30
 
29
31
  # @return [Sqreen::Actions::Repository]
30
32
  def actions_repo
31
- Sqreen::Actions::Repository.instance
33
+ Sqreen::Actions::Repository.current
32
34
  end
33
35
  end
34
36
  end
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rules_callbacks/regexp_rule'
6
+ require 'sqreen/rules/regexp_rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} RENAMED
@@ -1,8 +1,10 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rule_attributes'
5
- require 'sqreen/rule_callback'
6
+ require 'sqreen/rules/attrs'
7
+ require 'sqreen/rules/rule_cb'
6
8
  require 'sqreen/safe_json'
7
9
 
8
10
  module Sqreen
data/lib/sqreen/rules/update_request_context.rb ADDED
@@ -0,0 +1,22 @@
1
+ # typed: ignore
2
+
3
+ # Copyright (c) 2015 Sqreen. All Rights Reserved.
4
+ # Please refer to our terms for more information: https://www.sqreen.com/terms.html
5
+
6
+ require 'sqreen/rules/rule_cb'
7
+
8
+ module Sqreen
9
+ module Rules
10
+ class UpdateRequestContext < RuleCB
11
+ def initialize(*args)
12
+ super(*args)
13
+ @overtimeable = false
14
+ end
15
+
16
+ def pre(_inst, args, _budget = nil, &_block)
17
+ framework.store_request(args[0])
18
+ advise_action(nil)
19
+ end
20
+ end
21
+ end
22
+ end
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rules_callbacks/regexp_rule'
6
+ require 'sqreen/rules/regexp_rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} RENAMED
@@ -1,7 +1,9 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
- require 'sqreen/rules_callbacks/regexp_rule'
6
+ require 'sqreen/rules/regexp_rule_cb'
5
7
 
6
8
  module Sqreen
7
9
  module Rules
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} RENAMED
@@ -1,43 +1,42 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
6
  require 'securerandom'
5
- require 'sqreen/rule_attributes'
7
+ require 'sqreen/rules/attrs'
6
8
  require 'sqreen/binding_accessor'
7
- require 'sqreen/rule_callback'
9
+ require 'sqreen/rules/rule_cb'
8
10
  require 'sqreen/safe_json'
9
11
  require 'sqreen/exception'
12
+ require 'sqreen/util/capper'
13
+ require 'sqreen/dependency/libsqreen'
14
+ require 'sqreen/encoding_sanitizer'
10
15
 
11
16
  module Sqreen
12
17
  module Rules
13
18
  class WAFCB < RuleCB
14
- BUDGET_MAX = 5000
15
-
16
- # TODO: move to Dependency
17
- begin
18
- require 'libsqreen'
19
- @libsqreen = true
20
- rescue LoadError
21
- Sqreen.log.warn('libsqreen gem not found')
22
- @libsqreen = false
23
- end
19
+ # 2^30 -1 or 2^62 -1
20
+ MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
21
+ # will be converted to a long, so better not to overflow
22
+ INFINITE_BUDGET_US = MAX_FIXNUM
24
23
 
25
24
  def self.libsqreen?
26
- @libsqreen
25
+ Sqreen::Dependency::LibSqreen.required?
27
26
  end
28
27
 
29
28
  def self.waf?
30
29
  Sqreen::Dependency.const_exist?('LibSqreen::WAF')
31
30
  end
32
31
 
33
- attr_reader :binding_accessors, :budget, :waf_rule_name
32
+ attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
34
33
 
35
34
  def initialize(*args)
36
35
  super(*args)
37
36
  @overtimeable = false
38
37
 
39
38
  unless WAFCB.libsqreen? && WAFCB.waf?
40
- Sqreen.log.warn('libsqreen gem not found')
39
+ Sqreen.log.warn('libsqreen gem with waf not found')
41
40
  return
42
41
  end
43
42
 
@@ -59,12 +58,17 @@ module Sqreen
59
58
  @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
60
59
  h[e] = BindingAccessor.new(e)
61
60
  end
62
- @budget = @data['values'].fetch('budget', BUDGET_MAX)
61
+
62
+ # 0 for using defaults (PW_RUN_TIMEOUT)
63
+ @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
64
+ @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
65
+
66
+ Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
63
67
 
64
68
  ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
65
69
  end
66
70
 
67
- def pre(instance, args, _budget)
71
+ def pre(instance, args, budget)
68
72
  return unless WAFCB.libsqreen? && WAFCB.waf?
69
73
 
70
74
  request = framework.request
@@ -72,9 +76,25 @@ module Sqreen
72
76
 
73
77
  env = [binding, framework, instance, args]
74
78
 
75
- waf_args = Hash[binding_accessors.map { |e, b| [e, b.resolve(*env)] }]
79
+ start = Sqreen.time if budget
80
+
81
+ capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
82
+ waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
83
+ h[e] = capper.call(b.resolve(*env))
84
+ end
76
85
  waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
77
- action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, budget)
86
+
87
+ if budget
88
+ rem_budget_s = budget - (Sqreen.time - start)
89
+ return advise_action(nil) if rem_budget_s <= 0.0
90
+
91
+ waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
92
+ else # no budget
93
+ waf_gen_budget_us = INFINITE_BUDGET_US
94
+ end
95
+
96
+ action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
97
+ waf_gen_budget_us, @max_run_budget_us)
78
98
 
79
99
  case action
80
100
  when :monitor
@@ -106,13 +126,13 @@ module Sqreen
106
126
  lambda do |object_id|
107
127
  return unless WAFCB.libsqreen?
108
128
 
109
- ::LibSqreen::WAF.delete(waf_rule_name, waf_args, budget)
129
+ ::LibSqreen::WAF.delete(waf_rule_name)
110
130
  Sqreen.log.debug("WAF rule #{rule_name} deleted, from #<#{name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
111
131
  end
112
132
  end
113
133
 
114
134
  def record_exception(exception, infos = {}, at = Time.now.utc)
115
- infos.merge!(exception_to_infos(exception))
135
+ infos.merge!(exception_to_infos(exception)) if exception.is_a?(Sqreen::WAFError)
116
136
  super(exception, infos, at)
117
137
  end
118
138
 
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} RENAMED
@@ -1,10 +1,12 @@
1
+ # typed: ignore
2
+
1
3
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
3
5
 
4
6
  require 'cgi'
5
7
 
6
- require 'sqreen/rule_callback'
7
- require 'sqreen/rules_callbacks/regexp_rule'
8
+ require 'sqreen/rules/rule_cb'
9
+ require 'sqreen/rules/regexp_rule_cb'
8
10
 
9
11
  # Sqreen module
10
12
  module Sqreen
@@ -21,6 +23,7 @@ module Sqreen
21
23
  return nil unless framework
22
24
  framework.xss_params(@union_pattern)
23
25
  end
26
+
24
27
  # The remaining code is only to find out if user entry was an attack,
25
28
  # and record it. Since we don't rely on it to respond to user, it would
26
29
  # be better to do it in background.
@@ -36,6 +39,7 @@ module Sqreen
36
39
  true
37
40
  end
38
41
  end
42
+
39
43
  class ReflectedUnsafeXSSCB < XSSCB
40
44
  def pre(_inst, args, _budget = nil, &_block)
41
45
  value = args[0]
@@ -52,13 +56,12 @@ module Sqreen
52
56
  return unless report_dangerous_xss?(saved_value)
53
57
 
54
58
  # potential XSS! let's escape
55
- if block
56
- args[0].replace(CGI.escape_html(value))
57
- end
59
+ args[0].replace(CGI.escape_html(value)) if block
58
60
 
59
61
  advise_action(nil)
60
62
  end
61
63
  end
64
+
62
65
  # look for reflected XSS with erb template engine
63
66
  class ReflectedXSSCB < XSSCB
64
67
  def pre(_inst, args, _budget = nil, &_block)
@@ -84,6 +87,7 @@ module Sqreen
84
87
  advise_action(nil)
85
88
  end
86
89
  end
90
+
87
91
  # look for reflected XSS with haml template engine
88
92
  # hook function arguments of
89
93
  # Haml::Buffer.format_script(result, preserve_script, in_tag, preserve_tag,
@@ -145,7 +149,7 @@ module Sqreen
145
149
  if tag.value[:escape_html] == false &&
146
150
  tag.value[:value].respond_to?(:include?) &&
147
151
  !tag.value[:value].include?('html_escape') &&
148
- tag.value[:parse] == true
152
+ tag.value[:parse] == true
149
153
  tag.value[:value] = "Sqreen.escape_haml((#{tag.value[:value]}))"
150
154
  return { :status => :override, :new_return_value => tag }
151
155
  end
@@ -172,7 +176,8 @@ module Sqreen
172
176
  res << '#{'
173
177
  else
174
178
  # Use eval to get rid of string escapes
175
- content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"')
179
+ # TODO: look for eval removal
180
+ content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"') # rubocop:disable Security/Eval
176
181
  content = "Haml::Helpers.html_escape((#{content}))" if escape_html
177
182
  res << '#{Sqreen.escape_haml((' + content + '))}'
178
183
  end
data/lib/sqreen/run_when_called_cb.rb ADDED
@@ -0,0 +1,23 @@
1
+ # typed: true
2
+
3
+ # Copyright (c) 2015 Sqreen. All Rights Reserved.
4
+ # Please refer to our terms for more information: https://www.sqreen.com/terms.html
5
+
6
+ require 'sqreen/cb'
7
+
8
+ module Sqreen
9
+ class RunWhenCalledCB < CB
10
+ def initialize(klass, method, &block)
11
+ super(klass, method)
12
+
13
+ raise 'missing block' unless block_given?
14
+ @block = block
15
+ end
16
+
17
+ def pre(_inst, _args, _budget = nil, &_block)
18
+ # FIXME: implement this removal
19
+ @remove_me = true
20
+ @block.call
21
+ end
22
+ end
23
+ end