sqreen 1.18.2-java → 1.19.0-java

data/lib/sqreen/runner.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
@@ -18,8 +20,9 @@ require 'sqreen/deliveries/simple'
 require 'sqreen/deliveries/batch'
 require 'sqreen/performance_notifications/metrics'
 require 'sqreen/performance_notifications/binned_metrics'
-require 'sqreen/instrumentation'
+require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
+require 'sqreen/weave/legacy/instrumentation'
 
 module Sqreen
   @features = {}
@@ -117,7 +120,16 @@ module Sqreen
       register_exit_cb if set_at_exit
 
       self.metrics_engine = MetricsStore.new
-      @instrumenter = Instrumentation.new(metrics_engine)
+
+      needs_weave = proc do
+        Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      end
+
+      if @configuration.get(:weave) || needs_weave.call
+        @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
+      else
+        @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)
+      end
 
       Sqreen.log.debug "Using token #{@token}"
       response = create_session(session_class)
@@ -235,7 +247,7 @@ module Sqreen
     def remove_instrumentation(_context_infos = {})
       Sqreen.log.debug 'Removing instrumentation'
       instrumenter.remove_all_callbacks
-      Sqreen::Actions::Repository.instance.clear
+      Sqreen::Actions::Repository.clear
       Sqreen.log.debug 'Instrumentation removed'
       true
     end
@@ -244,7 +256,6 @@ module Sqreen
       Sqreen.log.debug 'Reloading rules'
       rulespack_id, rules = load_rules
       instrumenter.remove_all_callbacks
-      Sqreen::Actions::Repository.instance.clear
 
       @framework.instrument_when_ready!(instrumenter, rules)
       Sqreen.log.debug 'Rules reloaded'
@@ -304,12 +315,18 @@ module Sqreen
       Sqreen.update_features(features)
       session.request_compression = features['request_compression'] if session
       self.performance_metrics_period = features['performance_metrics_period']
+
+      unless @configuration.get(:weave)
+
       config_binned_metrics(features['perf_level'] || DEFAULT_PERF_LEVEL,
                             features['perf_base'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_BASE,
                             features['perf_unit'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_UNIT,
                             features['perf_pct_base'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_PCT_BASE,
                             features['perf_pct_unit'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_PCT_UNIT,
                            )
+
+      end
+
       self.call_counts_metrics_period = features['call_counts_metrics_period']
       hd = features['heartbeat_delay'].to_i
       self.heartbeat_delay = hd if hd > 0
@@ -456,13 +473,12 @@ module Sqreen
     def load_actions(hashes)
       unsupported = Set.new
 
-      repos = Sqreen::Actions::Repository.instance
-      repos.clear
+      new_repos = Sqreen::Actions::Repository.new
 
       actions = hashes.map do |h|
         begin
           act = Sqreen::Actions.deserialize_action(h)
-          repos.add h['parameters'], act
+          new_repos.add h['parameters'], act
           act
         rescue Sqreen::Actions::UnknownActionType => e
           Sqreen.log.warn("Unsupported action type: #{e.action_type}")
@@ -476,6 +492,8 @@ module Sqreen
       actions = actions.reject(&:nil?)
       Sqreen.log.debug("Added #{actions.size} valid actions")
 
+      Sqreen::Actions::Repository.current = new_repos
+
       unsupported
     end
   end

data/lib/sqreen/runtime_infos.rb

@@ -1,8 +1,11 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'sqreen/version'
 require 'sqreen/frameworks'
+require 'sqreen/dependency/libsqreen'
 
 require 'socket'
 require 'digest/sha1'
@@ -71,15 +74,7 @@ module Sqreen
     end
 
     def libsqreen?
-      libsqreen_loaded? && !libsqreen_stub?
-    end
-
-    def libsqreen_loaded?
-      Kernel.const_defined?('LibSqreen')
-    end
-
-    def libsqreen_stub?
-      !::LibSqreen.respond_to?(:version)
+      Sqreen::Dependency::LibSqreen.required? && !Sqreen::Dependency::LibSqreen.stub?
     end
 
     def libsqreen_version

data/lib/sqreen/safe_json.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/sdk.rb

@@ -1,6 +1,10 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
+require 'sqreen/frameworks'
+
 # Sqreen Namespace
 module Sqreen
 

data/lib/sqreen/sensitive_data_redactor.rb

@@ -0,0 +1,113 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+# TODO: Sqreen.config_get
+
+require 'json'
+require 'sqreen/log'
+
+module Sqreen
+  # For redacting sensitive data and avoid having it sent to our servers
+  class SensitiveDataRedactor
+    DEFAULT_SENSITIVE_KEYS = Set.new(%w[password secret passwd authorization api_key apikey access_token]).freeze
+    DEFAULT_REGEX = /\A(?:\d[ -]*?){13,16}\z/
+    MASK = '<Redacted by Sqreen>'.freeze
+
+    def self.from_config
+      keys = Sqreen.config_get(:strip_sensitive_keys)
+      keys = keys.split(',') if keys && keys.is_a?(String)
+
+      regex = Sqreen.config_get(:strip_sensitive_regex)
+      if regex && regex.is_a?(String)
+        begin
+          regex = Regexp.compile(regex)
+        rescue RegexpError
+          Sqreen.log.warn("Invalid regular expression given in strip_sensitive_regex: #{regex}")
+          regex = nil
+        end
+      else
+        regex = nil
+      end
+
+      new(keys: keys, regex: regex)
+    end
+
+    def initialize(params = {})
+      @regex = params[:regex] || DEFAULT_REGEX
+      @keys = (params[:keys] || DEFAULT_SENSITIVE_KEYS).map(&:downcase)
+    end
+
+    def redact(obj)
+      result = obj
+      redacted = []
+
+      case obj
+      when String
+        if obj =~ @regex
+          result = MASK
+          redacted << obj
+        end
+      when Array
+        result = []
+        obj.each do |e|
+          e, r = redact(e)
+          result << e
+          redacted += r
+        end
+      when Hash
+        result = {}
+        obj.each do |k, v|
+          ck = k.is_a?(String) ? k.downcase : k
+          if @keys.include?(ck)
+            redacted << v
+            v = MASK
+          else
+            v, r = redact(v)
+            redacted += r
+          end
+          result[k] = v
+        end
+      end
+
+      [result, redacted]
+    end
+
+    def redact_attacks!(attacks, values)
+      return attacks if values.empty?
+
+      values = values.map { |v| v.downcase if v.is_a?(String) }
+
+      attacks.each do |e|
+        next(e) unless e[:infos]
+        next(e) unless e[:infos][:waf_data]
+
+        parsed = JSON.parse(e[:infos][:waf_data])
+        redacted = parsed.each do |w|
+          next unless (filters = w['filter'])
+
+          filters.each do |f|
+            next unless (v = f['resolved_value'])
+            next unless values.include?(v.downcase)
+
+            f['match_status'] = MASK
+            f['resolved_value'] = MASK
+          end
+        end
+        e[:infos][:waf_data] = JSON.dump(redacted)
+      end
+    end
+
+    def redact_exceptions!(exceptions, values)
+      return exceptions if values.empty?
+
+      exceptions.each do |e|
+        next(e) unless e[:infos]
+        next(e) unless e[:infos][:waf]
+
+        e[:infos][:waf].delete(:args)
+      end
+    end
+  end
+end

data/lib/sqreen/serializer.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/session.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shared_storage.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shared_storage23.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shrink_wrap.rb

@@ -0,0 +1,16 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  class ShrinkWrap
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/signature_verifier.rb

@@ -0,0 +1,22 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'openssl'
+
+## Rules signature
+module Sqreen
+  # Perform an EC + digest verification of a message.
+  class SignatureVerifier
+    def initialize(key, digest)
+      @pub_key              = OpenSSL::PKey.read(key)
+      @digest               = digest
+    end
+
+    def verify(sig, val)
+      hashed_val = @digest.digest(val)
+      @pub_key.dsa_verify_asn1(hashed_val, sig)
+    end
+  end
+end

data/lib/sqreen/sinatra_middleware.rb

@@ -0,0 +1,16 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  class SinatraMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb}

@@ -1,8 +1,8 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/exception'
-
 require 'set'
 require 'openssl'
 require 'base64'
@@ -18,21 +18,11 @@ else
   end
 end
 
+require 'sqreen/exception'
+require 'sqreen/signature_verifier'
+
 ## Rules signature
 module Sqreen
-  # Perform an EC + digest verification of a message.
-  class SignatureVerifier
-    def initialize(key, digest)
-      @pub_key              = OpenSSL::PKey.read(key)
-      @digest               = digest
-    end
-
-    def verify(sig, val)
-      hashed_val = @digest.digest(val)
-      @pub_key.dsa_verify_asn1(hashed_val, sig)
-    end
-  end
-
   # Normalize and verify a rule
   class SqreenSignedVerifier
     REQUIRED_SIGNED_KEYS = %w[hookpoint name callbacks conditions].freeze
@@ -40,14 +30,14 @@ module Sqreen
     SIGNATURE_VALUE_KEY  = 'value'.freeze
     SIGNED_KEYS_KEY      = 'keys'.freeze
     SIGNATURE_VERSION    = 'v0_9'.freeze
-    PUBLIC_KEY           = <<-END.gsub(/^ */, '').freeze
+    PUBLIC_KEY           = <<-KEY.gsub(/^ */, '').freeze
     -----BEGIN PUBLIC KEY-----
     MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA39oWMHR8sxb9LRaM5evZ7mw03iwJ
     WNHuDeGqgPo1HmvuMfLnAyVLwaMXpGPuvbqhC1U65PG90bTJLpvNokQf0VMA5Tpi
     m+NXwl7bjqa03vO/HErLbq3zBRysrZnC4OhJOF1jazkAg0psQOea2r5HcMcPHgMK
     fnWXiKWnZX+uOWPuerE=
     -----END PUBLIC KEY-----
-    END
+    KEY
 
     attr_accessor :pub_key
     attr_accessor :required_signed_keys

data/lib/sqreen/token_invalid_exception.rb

@@ -0,0 +1,10 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+
+module Sqreen
+  class TokenInvalidException < Sqreen::Exception; end
+end

data/lib/sqreen/token_not_found_exception.rb

@@ -0,0 +1,11 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+
+module Sqreen
+  # When the token is not found
+  class TokenNotFoundException < Sqreen::Exception; end
+end

data/lib/sqreen/trie.rb

@@ -1,7 +1,12 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'ipaddr'
+require 'sqreen/node'
+
+# TODO: move to Sqreen::IP
 
 module Sqreen
   Trie = Struct.new(:head, :num_active_nodes, :family) do
@@ -211,68 +216,4 @@ module Sqreen
       xstack
     end
   end
-
-  Prefix = Struct.new(:family, :bitlen, :address, :data) do # addr is integer
-    def initialize(*args)
-      super
-      raise ArgumentError, 'no family given' unless family
-      raise ArgumentError, 'no bitlen given' unless bitlen
-      raise ArgumentError, 'no address given' unless address
-    end
-
-    def matches?(addr, family)
-      raise 'family mismatch' unless family == self.family
-      shift_amount = (family == Socket::AF_INET ? 32 : 128) - self.bitlen
-      (addr ^ self.address) >> shift_amount == 0
-    end
-  end
-
-  def Prefix.from_str(str, data = nil)
-    ip_addr = IPAddr.new(str)
-    if str =~ /\/(\d+)$/
-      bitlen = $~[1].to_i
-    else
-      bitlen = ip_addr.family == Socket::AF_INET6 ? 128 : 32
-    end
-    Prefix.new(ip_addr.family, bitlen, ip_addr.to_i, data)
-  end
-
-  # bit starts at 0 (most significant)
-  Node = Struct.new(:bit, :prefix, :l, :r, :parent) do
-    def initialize(*args)
-      super
-      raise ArgumentError, 'no bit given' if bit.nil?
-    end
-
-    def empty?
-      prefix.nil?
-    end
-
-    # cover the whole tree
-    def walk(max_bits, empty_nodes = false)
-      xstack = Array.new(max_bits + 1)
-      sidx = 0 # stack index
-      xhead = self
-      xcur = xhead
-      while !xcur.nil?
-        yield xcur unless xcur.empty? && !empty_nodes
-
-        if xcur.l
-          if xcur.r
-            xstack[sidx] = xcur.r
-            sidx += 1
-          end
-          xcur = xcur.l
-        elsif xcur.r
-          xcur = xcur.r
-        elsif sidx.nonzero?
-          sidx -= 1
-          xcur = xstack[sidx]
-        else
-          xcur = nil
-        end
-      end
-    end
-  end
-
 end