sqreen 1.18.2-java → 1.19.0-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/LICENSE +3 -0
- data/lib/sqreen.rb +2 -0
- data/lib/sqreen/actions.rb +13 -337
- data/lib/sqreen/actions/actions_index.rb +16 -0
- data/lib/sqreen/actions/base.rb +104 -0
- data/lib/sqreen/actions/block_ip.rb +34 -0
- data/lib/sqreen/actions/block_user.rb +46 -0
- data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
- data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
- data/lib/sqreen/actions/redirect_ip.rb +42 -0
- data/lib/sqreen/actions/redirect_user.rb +47 -0
- data/lib/sqreen/actions/repository.rb +43 -0
- data/lib/sqreen/actions/unknown_action_type.rb +20 -0
- data/lib/sqreen/actions/user_action_class.rb +16 -0
- data/lib/sqreen/actions/users_index.rb +35 -0
- data/lib/sqreen/agent.rb +6 -2
- data/lib/sqreen/attack_blocked.rb +19 -0
- data/lib/sqreen/backport.rb +2 -0
- data/lib/sqreen/backport/clock_gettime.rb +74 -0
- data/lib/sqreen/backport/original_name.rb +2 -0
- data/lib/sqreen/binding_accessor.rb +11 -102
- data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
- data/lib/sqreen/binding_accessor/transforms.rb +114 -0
- data/lib/sqreen/call_countable.rb +2 -0
- data/lib/sqreen/capped_queue.rb +4 -0
- data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
- data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
- data/lib/sqreen/condition_evaluator.rb +24 -5
- data/lib/sqreen/conditionable.rb +2 -0
- data/lib/sqreen/configuration.rb +19 -0
- data/lib/sqreen/context.rb +2 -0
- data/lib/sqreen/default_cb.rb +22 -0
- data/lib/sqreen/deferred_logger.rb +65 -0
- data/lib/sqreen/deliveries.rb +12 -0
- data/lib/sqreen/deliveries/batch.rb +9 -1
- data/lib/sqreen/deliveries/simple.rb +7 -0
- data/lib/sqreen/dependency.rb +3 -1
- data/lib/sqreen/dependency/detector.rb +22 -14
- data/lib/sqreen/dependency/libsqreen.rb +32 -0
- data/lib/sqreen/dependency/new_relic.rb +2 -0
- data/lib/sqreen/dependency/rack.rb +10 -5
- data/lib/sqreen/dependency/rails.rb +8 -0
- data/lib/sqreen/dependency/sentry.rb +2 -0
- data/lib/sqreen/dependency/sinatra.rb +58 -14
- data/lib/sqreen/encoding_sanitizer.rb +2 -0
- data/lib/sqreen/error_handling_middleware.rb +32 -0
- data/lib/sqreen/event.rb +4 -0
- data/lib/sqreen/events/attack.rb +4 -0
- data/lib/sqreen/events/remote_exception.rb +2 -0
- data/lib/sqreen/events/request_record.rb +13 -56
- data/lib/sqreen/exception.rb +11 -40
- data/lib/sqreen/formatter_with_tid.rb +47 -0
- data/lib/sqreen/framework_cb.rb +30 -0
- data/lib/sqreen/frameworks.rb +9 -0
- data/lib/sqreen/frameworks/generic.rb +22 -2
- data/lib/sqreen/frameworks/rails.rb +3 -0
- data/lib/sqreen/frameworks/rails3.rb +2 -0
- data/lib/sqreen/frameworks/request_recorder.rb +5 -0
- data/lib/sqreen/frameworks/sinatra.rb +4 -0
- data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
- data/lib/sqreen/graft.rb +12 -0
- data/lib/sqreen/graft/call.rb +150 -0
- data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
- data/lib/sqreen/graft/hook.rb +316 -0
- data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
- data/lib/sqreen/graft/hook_point_error.rb +10 -0
- data/lib/sqreen/invalid_signature_exception.rb +10 -0
- data/lib/sqreen/js.rb +11 -0
- data/lib/sqreen/js/call_context.rb +12 -0
- data/lib/sqreen/js/context_pool.rb +62 -0
- data/lib/sqreen/js/exec_js_runnable.rb +22 -0
- data/lib/sqreen/js/execjs_adapter.rb +8 -47
- data/lib/sqreen/js/executable_js.rb +14 -0
- data/lib/sqreen/js/js_service.rb +4 -22
- data/lib/sqreen/js/js_service_adapter.rb +20 -0
- data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
- data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
- data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
- data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
- data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
- data/lib/sqreen/log.rb +10 -188
- data/lib/sqreen/log/loggable.rb +28 -0
- data/lib/sqreen/logger.rb +85 -0
- data/lib/sqreen/metrics.rb +2 -0
- data/lib/sqreen/metrics/average.rb +2 -0
- data/lib/sqreen/metrics/base.rb +2 -0
- data/lib/sqreen/metrics/binning.rb +2 -0
- data/lib/sqreen/metrics/collect.rb +2 -0
- data/lib/sqreen/metrics/sum.rb +2 -0
- data/lib/sqreen/metrics_store.rb +5 -11
- data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
- data/lib/sqreen/middleware.rb +2 -34
- data/lib/sqreen/mono_time.rb +4 -0
- data/lib/sqreen/node.rb +46 -0
- data/lib/sqreen/not_implemented_yet.rb +10 -0
- data/lib/sqreen/null_logger.rb +26 -0
- data/lib/sqreen/payload_creator.rb +4 -19
- data/lib/sqreen/payload_creator/header_section.rb +30 -0
- data/lib/sqreen/performance_notifications.rb +2 -0
- data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/log.rb +2 -0
- data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
- data/lib/sqreen/performance_notifications/metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
- data/lib/sqreen/prefix.rb +35 -0
- data/lib/sqreen/rails_middleware.rb +16 -0
- data/lib/sqreen/remote_command.rb +3 -8
- data/lib/sqreen/remote_command/failure_output.rb +16 -0
- data/lib/sqreen/rules.rb +34 -2
- data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
- data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
- data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
- data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
- data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
- data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
- data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
- data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
- data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
- data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
- data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
- data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
- data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
- data/lib/sqreen/rules/update_request_context.rb +22 -0
- data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
- data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
- data/lib/sqreen/run_when_called_cb.rb +23 -0
- data/lib/sqreen/runner.rb +25 -7
- data/lib/sqreen/runtime_infos.rb +4 -9
- data/lib/sqreen/safe_json.rb +2 -0
- data/lib/sqreen/sdk.rb +4 -0
- data/lib/sqreen/sensitive_data_redactor.rb +113 -0
- data/lib/sqreen/serializer.rb +2 -0
- data/lib/sqreen/session.rb +2 -0
- data/lib/sqreen/shared_storage.rb +2 -0
- data/lib/sqreen/shared_storage23.rb +2 -0
- data/lib/sqreen/shrink_wrap.rb +16 -0
- data/lib/sqreen/signature_verifier.rb +22 -0
- data/lib/sqreen/sinatra_middleware.rb +16 -0
- data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
- data/lib/sqreen/token_invalid_exception.rb +10 -0
- data/lib/sqreen/token_not_found_exception.rb +11 -0
- data/lib/sqreen/trie.rb +5 -64
- data/lib/sqreen/unauthorized.rb +10 -0
- data/lib/sqreen/util.rb +7 -0
- data/lib/sqreen/util/capped_array.rb +35 -0
- data/lib/sqreen/util/capped_hash.rb +41 -0
- data/lib/sqreen/util/capped_string.rb +26 -0
- data/lib/sqreen/util/capper.rb +67 -0
- data/lib/sqreen/version.rb +3 -1
- data/lib/sqreen/waf_error.rb +20 -0
- data/lib/sqreen/weave.rb +12 -0
- data/lib/sqreen/weave/hardcoded.rb +19 -0
- data/lib/sqreen/weave/instrumentor.rb +48 -0
- data/lib/sqreen/weave/legacy.rb +12 -0
- data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
- data/lib/sqreen/web_server.rb +2 -0
- data/lib/sqreen/web_server/generic.rb +2 -0
- data/lib/sqreen/web_server/passenger.rb +2 -0
- data/lib/sqreen/web_server/puma.rb +2 -0
- data/lib/sqreen/web_server/rainbows.rb +2 -0
- data/lib/sqreen/web_server/thin.rb +2 -0
- data/lib/sqreen/web_server/unicorn.rb +2 -0
- data/lib/sqreen/web_server/webrick.rb +2 -0
- data/lib/sqreen/worker.rb +2 -0
- metadata +105 -39
- data/lib/sqreen/dependency/hook.rb +0 -102
- data/lib/sqreen/rules_callbacks.rb +0 -35
- data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
@@ -1,12 +1,19 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/rule_cb'
|
5
7
|
|
6
8
|
module Sqreen
|
7
9
|
module Rules
|
8
10
|
# Display sqreen presence
|
9
11
|
class HeadersInsertCB < RuleCB
|
12
|
+
def initialize(*args)
|
13
|
+
super
|
14
|
+
@overtimeable = false
|
15
|
+
end
|
16
|
+
|
10
17
|
def post(rv, _inst, _args, _budget = nil, &_block)
|
11
18
|
return unless rv && rv.respond_to?(:[]) && rv[1].is_a?(Hash)
|
12
19
|
return nil unless @data
|
@@ -1,7 +1,9 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/rule_cb'
|
5
7
|
|
6
8
|
module Sqreen
|
7
9
|
module Rules
|
@@ -13,7 +15,7 @@ module Sqreen
|
|
13
15
|
res |= Regexp::MULTILINE if options.include?('multiline')
|
14
16
|
res |= Regexp::IGNORECASE unless case_sensitive
|
15
17
|
r = Regexp.compile(value, res)
|
16
|
-
r
|
18
|
+
r =~ ''
|
17
19
|
r
|
18
20
|
end
|
19
21
|
|
@@ -1,5 +1,10 @@
|
|
1
|
-
|
2
|
-
|
1
|
+
# typed: ignore
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/rules/attrs'
|
7
|
+
require 'sqreen/rules/rule_cb'
|
3
8
|
|
4
9
|
module Sqreen
|
5
10
|
module Rules
|
@@ -1,11 +1,13 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/framework_cb'
|
5
7
|
require 'sqreen/context'
|
6
8
|
require 'sqreen/conditionable'
|
7
9
|
require 'sqreen/call_countable'
|
8
|
-
require 'sqreen/
|
10
|
+
require 'sqreen/rules/attrs'
|
9
11
|
require 'sqreen/events/attack'
|
10
12
|
require 'sqreen/events/remote_exception'
|
11
13
|
require 'sqreen/payload_creator'
|
@@ -1,9 +1,13 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/rule_cb'
|
5
7
|
require 'sqreen/actions'
|
6
8
|
require 'sqreen/middleware'
|
9
|
+
require 'sqreen/rails_middleware'
|
10
|
+
require 'sqreen/sinatra_middleware'
|
7
11
|
|
8
12
|
module Sqreen
|
9
13
|
module Rules
|
@@ -14,7 +18,7 @@ module Sqreen
|
|
14
18
|
def initialize(framework)
|
15
19
|
if defined?(Sqreen::Frameworks::SinatraFramework) &&
|
16
20
|
framework.is_a?(Sqreen::Frameworks::SinatraFramework)
|
17
|
-
super(
|
21
|
+
super(Sqreen::SinatraMiddleware, :call)
|
18
22
|
elsif defined?(Sqreen::Frameworks::RailsFramework) &&
|
19
23
|
framework.is_a?(Sqreen::Frameworks::RailsFramework)
|
20
24
|
super(Sqreen::RailsMiddleware, :call)
|
@@ -60,7 +64,7 @@ module Sqreen
|
|
60
64
|
|
61
65
|
# @return [Sqreen::Actions::Repository]
|
62
66
|
def actions_repo
|
63
|
-
Sqreen::Actions::Repository.
|
67
|
+
Sqreen::Actions::Repository.current
|
64
68
|
end
|
65
69
|
end
|
66
70
|
end
|
@@ -1,7 +1,9 @@
|
|
1
|
+
# typed: true
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/rule_cb'
|
5
7
|
require 'sqreen/actions'
|
6
8
|
|
7
9
|
module Sqreen
|
@@ -28,7 +30,7 @@ module Sqreen
|
|
28
30
|
|
29
31
|
# @return [Sqreen::Actions::Repository]
|
30
32
|
def actions_repo
|
31
|
-
Sqreen::Actions::Repository.
|
33
|
+
Sqreen::Actions::Repository.current
|
32
34
|
end
|
33
35
|
end
|
34
36
|
end
|
@@ -1,7 +1,9 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/regexp_rule_cb'
|
5
7
|
|
6
8
|
module Sqreen
|
7
9
|
module Rules
|
@@ -1,8 +1,10 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
5
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/attrs'
|
7
|
+
require 'sqreen/rules/rule_cb'
|
6
8
|
require 'sqreen/safe_json'
|
7
9
|
|
8
10
|
module Sqreen
|
@@ -0,0 +1,22 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/rules/rule_cb'
|
7
|
+
|
8
|
+
module Sqreen
|
9
|
+
module Rules
|
10
|
+
class UpdateRequestContext < RuleCB
|
11
|
+
def initialize(*args)
|
12
|
+
super(*args)
|
13
|
+
@overtimeable = false
|
14
|
+
end
|
15
|
+
|
16
|
+
def pre(_inst, args, _budget = nil, &_block)
|
17
|
+
framework.store_request(args[0])
|
18
|
+
advise_action(nil)
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
@@ -1,7 +1,9 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/regexp_rule_cb'
|
5
7
|
|
6
8
|
module Sqreen
|
7
9
|
module Rules
|
@@ -1,7 +1,9 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
|
-
require 'sqreen/
|
6
|
+
require 'sqreen/rules/regexp_rule_cb'
|
5
7
|
|
6
8
|
module Sqreen
|
7
9
|
module Rules
|
@@ -1,43 +1,42 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
6
|
require 'securerandom'
|
5
|
-
require 'sqreen/
|
7
|
+
require 'sqreen/rules/attrs'
|
6
8
|
require 'sqreen/binding_accessor'
|
7
|
-
require 'sqreen/
|
9
|
+
require 'sqreen/rules/rule_cb'
|
8
10
|
require 'sqreen/safe_json'
|
9
11
|
require 'sqreen/exception'
|
12
|
+
require 'sqreen/util/capper'
|
13
|
+
require 'sqreen/dependency/libsqreen'
|
14
|
+
require 'sqreen/encoding_sanitizer'
|
10
15
|
|
11
16
|
module Sqreen
|
12
17
|
module Rules
|
13
18
|
class WAFCB < RuleCB
|
14
|
-
|
15
|
-
|
16
|
-
#
|
17
|
-
|
18
|
-
require 'libsqreen'
|
19
|
-
@libsqreen = true
|
20
|
-
rescue LoadError
|
21
|
-
Sqreen.log.warn('libsqreen gem not found')
|
22
|
-
@libsqreen = false
|
23
|
-
end
|
19
|
+
# 2^30 -1 or 2^62 -1
|
20
|
+
MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
|
21
|
+
# will be converted to a long, so better not to overflow
|
22
|
+
INFINITE_BUDGET_US = MAX_FIXNUM
|
24
23
|
|
25
24
|
def self.libsqreen?
|
26
|
-
|
25
|
+
Sqreen::Dependency::LibSqreen.required?
|
27
26
|
end
|
28
27
|
|
29
28
|
def self.waf?
|
30
29
|
Sqreen::Dependency.const_exist?('LibSqreen::WAF')
|
31
30
|
end
|
32
31
|
|
33
|
-
attr_reader :binding_accessors, :
|
32
|
+
attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
|
34
33
|
|
35
34
|
def initialize(*args)
|
36
35
|
super(*args)
|
37
36
|
@overtimeable = false
|
38
37
|
|
39
38
|
unless WAFCB.libsqreen? && WAFCB.waf?
|
40
|
-
Sqreen.log.warn('libsqreen gem not found')
|
39
|
+
Sqreen.log.warn('libsqreen gem with waf not found')
|
41
40
|
return
|
42
41
|
end
|
43
42
|
|
@@ -59,12 +58,17 @@ module Sqreen
|
|
59
58
|
@binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
|
60
59
|
h[e] = BindingAccessor.new(e)
|
61
60
|
end
|
62
|
-
|
61
|
+
|
62
|
+
# 0 for using defaults (PW_RUN_TIMEOUT)
|
63
|
+
@max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
|
64
|
+
@max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
|
65
|
+
|
66
|
+
Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
|
63
67
|
|
64
68
|
ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
|
65
69
|
end
|
66
70
|
|
67
|
-
def pre(instance, args,
|
71
|
+
def pre(instance, args, budget)
|
68
72
|
return unless WAFCB.libsqreen? && WAFCB.waf?
|
69
73
|
|
70
74
|
request = framework.request
|
@@ -72,9 +76,25 @@ module Sqreen
|
|
72
76
|
|
73
77
|
env = [binding, framework, instance, args]
|
74
78
|
|
75
|
-
|
79
|
+
start = Sqreen.time if budget
|
80
|
+
|
81
|
+
capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
|
82
|
+
waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
|
83
|
+
h[e] = capper.call(b.resolve(*env))
|
84
|
+
end
|
76
85
|
waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
|
77
|
-
|
86
|
+
|
87
|
+
if budget
|
88
|
+
rem_budget_s = budget - (Sqreen.time - start)
|
89
|
+
return advise_action(nil) if rem_budget_s <= 0.0
|
90
|
+
|
91
|
+
waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
|
92
|
+
else # no budget
|
93
|
+
waf_gen_budget_us = INFINITE_BUDGET_US
|
94
|
+
end
|
95
|
+
|
96
|
+
action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
|
97
|
+
waf_gen_budget_us, @max_run_budget_us)
|
78
98
|
|
79
99
|
case action
|
80
100
|
when :monitor
|
@@ -106,13 +126,13 @@ module Sqreen
|
|
106
126
|
lambda do |object_id|
|
107
127
|
return unless WAFCB.libsqreen?
|
108
128
|
|
109
|
-
::LibSqreen::WAF.delete(waf_rule_name
|
129
|
+
::LibSqreen::WAF.delete(waf_rule_name)
|
110
130
|
Sqreen.log.debug("WAF rule #{rule_name} deleted, from #<#{name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
|
111
131
|
end
|
112
132
|
end
|
113
133
|
|
114
134
|
def record_exception(exception, infos = {}, at = Time.now.utc)
|
115
|
-
infos.merge!(exception_to_infos(exception))
|
135
|
+
infos.merge!(exception_to_infos(exception)) if exception.is_a?(Sqreen::WAFError)
|
116
136
|
super(exception, infos, at)
|
117
137
|
end
|
118
138
|
|
@@ -1,10 +1,12 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
6
|
require 'cgi'
|
5
7
|
|
6
|
-
require 'sqreen/
|
7
|
-
require 'sqreen/
|
8
|
+
require 'sqreen/rules/rule_cb'
|
9
|
+
require 'sqreen/rules/regexp_rule_cb'
|
8
10
|
|
9
11
|
# Sqreen module
|
10
12
|
module Sqreen
|
@@ -21,6 +23,7 @@ module Sqreen
|
|
21
23
|
return nil unless framework
|
22
24
|
framework.xss_params(@union_pattern)
|
23
25
|
end
|
26
|
+
|
24
27
|
# The remaining code is only to find out if user entry was an attack,
|
25
28
|
# and record it. Since we don't rely on it to respond to user, it would
|
26
29
|
# be better to do it in background.
|
@@ -36,6 +39,7 @@ module Sqreen
|
|
36
39
|
true
|
37
40
|
end
|
38
41
|
end
|
42
|
+
|
39
43
|
class ReflectedUnsafeXSSCB < XSSCB
|
40
44
|
def pre(_inst, args, _budget = nil, &_block)
|
41
45
|
value = args[0]
|
@@ -52,13 +56,12 @@ module Sqreen
|
|
52
56
|
return unless report_dangerous_xss?(saved_value)
|
53
57
|
|
54
58
|
# potential XSS! let's escape
|
55
|
-
if block
|
56
|
-
args[0].replace(CGI.escape_html(value))
|
57
|
-
end
|
59
|
+
args[0].replace(CGI.escape_html(value)) if block
|
58
60
|
|
59
61
|
advise_action(nil)
|
60
62
|
end
|
61
63
|
end
|
64
|
+
|
62
65
|
# look for reflected XSS with erb template engine
|
63
66
|
class ReflectedXSSCB < XSSCB
|
64
67
|
def pre(_inst, args, _budget = nil, &_block)
|
@@ -84,6 +87,7 @@ module Sqreen
|
|
84
87
|
advise_action(nil)
|
85
88
|
end
|
86
89
|
end
|
90
|
+
|
87
91
|
# look for reflected XSS with haml template engine
|
88
92
|
# hook function arguments of
|
89
93
|
# Haml::Buffer.format_script(result, preserve_script, in_tag, preserve_tag,
|
@@ -145,7 +149,7 @@ module Sqreen
|
|
145
149
|
if tag.value[:escape_html] == false &&
|
146
150
|
tag.value[:value].respond_to?(:include?) &&
|
147
151
|
!tag.value[:value].include?('html_escape') &&
|
148
|
-
|
152
|
+
tag.value[:parse] == true
|
149
153
|
tag.value[:value] = "Sqreen.escape_haml((#{tag.value[:value]}))"
|
150
154
|
return { :status => :override, :new_return_value => tag }
|
151
155
|
end
|
@@ -172,7 +176,8 @@ module Sqreen
|
|
172
176
|
res << '#{'
|
173
177
|
else
|
174
178
|
# Use eval to get rid of string escapes
|
175
|
-
|
179
|
+
# TODO: look for eval removal
|
180
|
+
content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"') # rubocop:disable Security/Eval
|
176
181
|
content = "Haml::Helpers.html_escape((#{content}))" if escape_html
|
177
182
|
res << '#{Sqreen.escape_haml((' + content + '))}'
|
178
183
|
end
|
@@ -0,0 +1,23 @@
|
|
1
|
+
# typed: true
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/cb'
|
7
|
+
|
8
|
+
module Sqreen
|
9
|
+
class RunWhenCalledCB < CB
|
10
|
+
def initialize(klass, method, &block)
|
11
|
+
super(klass, method)
|
12
|
+
|
13
|
+
raise 'missing block' unless block_given?
|
14
|
+
@block = block
|
15
|
+
end
|
16
|
+
|
17
|
+
def pre(_inst, _args, _budget = nil, &_block)
|
18
|
+
# FIXME: implement this removal
|
19
|
+
@remove_me = true
|
20
|
+
@block.call
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|