sqreen 1.18.2-java → 1.19.0-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/LICENSE +3 -0
- data/lib/sqreen.rb +2 -0
- data/lib/sqreen/actions.rb +13 -337
- data/lib/sqreen/actions/actions_index.rb +16 -0
- data/lib/sqreen/actions/base.rb +104 -0
- data/lib/sqreen/actions/block_ip.rb +34 -0
- data/lib/sqreen/actions/block_user.rb +46 -0
- data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
- data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
- data/lib/sqreen/actions/redirect_ip.rb +42 -0
- data/lib/sqreen/actions/redirect_user.rb +47 -0
- data/lib/sqreen/actions/repository.rb +43 -0
- data/lib/sqreen/actions/unknown_action_type.rb +20 -0
- data/lib/sqreen/actions/user_action_class.rb +16 -0
- data/lib/sqreen/actions/users_index.rb +35 -0
- data/lib/sqreen/agent.rb +6 -2
- data/lib/sqreen/attack_blocked.rb +19 -0
- data/lib/sqreen/backport.rb +2 -0
- data/lib/sqreen/backport/clock_gettime.rb +74 -0
- data/lib/sqreen/backport/original_name.rb +2 -0
- data/lib/sqreen/binding_accessor.rb +11 -102
- data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
- data/lib/sqreen/binding_accessor/transforms.rb +114 -0
- data/lib/sqreen/call_countable.rb +2 -0
- data/lib/sqreen/capped_queue.rb +4 -0
- data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
- data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
- data/lib/sqreen/condition_evaluator.rb +24 -5
- data/lib/sqreen/conditionable.rb +2 -0
- data/lib/sqreen/configuration.rb +19 -0
- data/lib/sqreen/context.rb +2 -0
- data/lib/sqreen/default_cb.rb +22 -0
- data/lib/sqreen/deferred_logger.rb +65 -0
- data/lib/sqreen/deliveries.rb +12 -0
- data/lib/sqreen/deliveries/batch.rb +9 -1
- data/lib/sqreen/deliveries/simple.rb +7 -0
- data/lib/sqreen/dependency.rb +3 -1
- data/lib/sqreen/dependency/detector.rb +22 -14
- data/lib/sqreen/dependency/libsqreen.rb +32 -0
- data/lib/sqreen/dependency/new_relic.rb +2 -0
- data/lib/sqreen/dependency/rack.rb +10 -5
- data/lib/sqreen/dependency/rails.rb +8 -0
- data/lib/sqreen/dependency/sentry.rb +2 -0
- data/lib/sqreen/dependency/sinatra.rb +58 -14
- data/lib/sqreen/encoding_sanitizer.rb +2 -0
- data/lib/sqreen/error_handling_middleware.rb +32 -0
- data/lib/sqreen/event.rb +4 -0
- data/lib/sqreen/events/attack.rb +4 -0
- data/lib/sqreen/events/remote_exception.rb +2 -0
- data/lib/sqreen/events/request_record.rb +13 -56
- data/lib/sqreen/exception.rb +11 -40
- data/lib/sqreen/formatter_with_tid.rb +47 -0
- data/lib/sqreen/framework_cb.rb +30 -0
- data/lib/sqreen/frameworks.rb +9 -0
- data/lib/sqreen/frameworks/generic.rb +22 -2
- data/lib/sqreen/frameworks/rails.rb +3 -0
- data/lib/sqreen/frameworks/rails3.rb +2 -0
- data/lib/sqreen/frameworks/request_recorder.rb +5 -0
- data/lib/sqreen/frameworks/sinatra.rb +4 -0
- data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
- data/lib/sqreen/graft.rb +12 -0
- data/lib/sqreen/graft/call.rb +150 -0
- data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
- data/lib/sqreen/graft/hook.rb +316 -0
- data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
- data/lib/sqreen/graft/hook_point_error.rb +10 -0
- data/lib/sqreen/invalid_signature_exception.rb +10 -0
- data/lib/sqreen/js.rb +11 -0
- data/lib/sqreen/js/call_context.rb +12 -0
- data/lib/sqreen/js/context_pool.rb +62 -0
- data/lib/sqreen/js/exec_js_runnable.rb +22 -0
- data/lib/sqreen/js/execjs_adapter.rb +8 -47
- data/lib/sqreen/js/executable_js.rb +14 -0
- data/lib/sqreen/js/js_service.rb +4 -22
- data/lib/sqreen/js/js_service_adapter.rb +20 -0
- data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
- data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
- data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
- data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
- data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
- data/lib/sqreen/log.rb +10 -188
- data/lib/sqreen/log/loggable.rb +28 -0
- data/lib/sqreen/logger.rb +85 -0
- data/lib/sqreen/metrics.rb +2 -0
- data/lib/sqreen/metrics/average.rb +2 -0
- data/lib/sqreen/metrics/base.rb +2 -0
- data/lib/sqreen/metrics/binning.rb +2 -0
- data/lib/sqreen/metrics/collect.rb +2 -0
- data/lib/sqreen/metrics/sum.rb +2 -0
- data/lib/sqreen/metrics_store.rb +5 -11
- data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
- data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
- data/lib/sqreen/middleware.rb +2 -34
- data/lib/sqreen/mono_time.rb +4 -0
- data/lib/sqreen/node.rb +46 -0
- data/lib/sqreen/not_implemented_yet.rb +10 -0
- data/lib/sqreen/null_logger.rb +26 -0
- data/lib/sqreen/payload_creator.rb +4 -19
- data/lib/sqreen/payload_creator/header_section.rb +30 -0
- data/lib/sqreen/performance_notifications.rb +2 -0
- data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/log.rb +2 -0
- data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
- data/lib/sqreen/performance_notifications/metrics.rb +2 -0
- data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
- data/lib/sqreen/prefix.rb +35 -0
- data/lib/sqreen/rails_middleware.rb +16 -0
- data/lib/sqreen/remote_command.rb +3 -8
- data/lib/sqreen/remote_command/failure_output.rb +16 -0
- data/lib/sqreen/rules.rb +34 -2
- data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
- data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
- data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
- data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
- data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
- data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
- data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
- data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
- data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
- data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
- data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
- data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
- data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
- data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
- data/lib/sqreen/rules/update_request_context.rb +22 -0
- data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
- data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
- data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
- data/lib/sqreen/run_when_called_cb.rb +23 -0
- data/lib/sqreen/runner.rb +25 -7
- data/lib/sqreen/runtime_infos.rb +4 -9
- data/lib/sqreen/safe_json.rb +2 -0
- data/lib/sqreen/sdk.rb +4 -0
- data/lib/sqreen/sensitive_data_redactor.rb +113 -0
- data/lib/sqreen/serializer.rb +2 -0
- data/lib/sqreen/session.rb +2 -0
- data/lib/sqreen/shared_storage.rb +2 -0
- data/lib/sqreen/shared_storage23.rb +2 -0
- data/lib/sqreen/shrink_wrap.rb +16 -0
- data/lib/sqreen/signature_verifier.rb +22 -0
- data/lib/sqreen/sinatra_middleware.rb +16 -0
- data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
- data/lib/sqreen/token_invalid_exception.rb +10 -0
- data/lib/sqreen/token_not_found_exception.rb +11 -0
- data/lib/sqreen/trie.rb +5 -64
- data/lib/sqreen/unauthorized.rb +10 -0
- data/lib/sqreen/util.rb +7 -0
- data/lib/sqreen/util/capped_array.rb +35 -0
- data/lib/sqreen/util/capped_hash.rb +41 -0
- data/lib/sqreen/util/capped_string.rb +26 -0
- data/lib/sqreen/util/capper.rb +67 -0
- data/lib/sqreen/version.rb +3 -1
- data/lib/sqreen/waf_error.rb +20 -0
- data/lib/sqreen/weave.rb +12 -0
- data/lib/sqreen/weave/hardcoded.rb +19 -0
- data/lib/sqreen/weave/instrumentor.rb +48 -0
- data/lib/sqreen/weave/legacy.rb +12 -0
- data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
- data/lib/sqreen/web_server.rb +2 -0
- data/lib/sqreen/web_server/generic.rb +2 -0
- data/lib/sqreen/web_server/passenger.rb +2 -0
- data/lib/sqreen/web_server/puma.rb +2 -0
- data/lib/sqreen/web_server/rainbows.rb +2 -0
- data/lib/sqreen/web_server/thin.rb +2 -0
- data/lib/sqreen/web_server/unicorn.rb +2 -0
- data/lib/sqreen/web_server/webrick.rb +2 -0
- data/lib/sqreen/worker.rb +2 -0
- metadata +105 -39
- data/lib/sqreen/dependency/hook.rb +0 -102
- data/lib/sqreen/rules_callbacks.rb +0 -35
- data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25
@@ -1,6 +1,13 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
6
|
+
require 'sqreen/shrink_wrap'
|
7
|
+
require 'sqreen/middleware'
|
8
|
+
require 'sqreen/error_handling_middleware'
|
9
|
+
require 'sqreen/rails_middleware'
|
10
|
+
|
4
11
|
module Sqreen
|
5
12
|
module Dependency
|
6
13
|
module Rails
|
@@ -23,6 +30,7 @@ module Sqreen
|
|
23
30
|
def insert_sqreen_middlewares
|
24
31
|
Sqreen.log.debug { 'Inserting Sqreen middlewares for Rails' }
|
25
32
|
app = ::Rails.application
|
33
|
+
app.middleware.insert(0, Sqreen::ShrinkWrap)
|
26
34
|
app.middleware.insert_after(::Rack::Runtime, Sqreen::Middleware)
|
27
35
|
app.middleware.insert_after(::ActionDispatch::DebugExceptions, Sqreen::RailsMiddleware)
|
28
36
|
app.middleware.insert_after(::ActionDispatch::DebugExceptions, Sqreen::ErrorHandlingMiddleware)
|
@@ -1,6 +1,13 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
6
|
+
require 'sqreen/shrink_wrap'
|
7
|
+
require 'sqreen/middleware'
|
8
|
+
require 'sqreen/error_handling_middleware'
|
9
|
+
require 'sqreen/sinatra_middleware'
|
10
|
+
|
4
11
|
module Sqreen
|
5
12
|
module Dependency
|
6
13
|
module Sinatra
|
@@ -12,25 +19,62 @@ module Sqreen
|
|
12
19
|
|
13
20
|
def insert_sqreen_middlewares(builder, *args, &block)
|
14
21
|
Sqreen.log.debug { 'Inserting Sqreen middlewares for Sinatra' }
|
15
|
-
middleware = Sqreen::ErrorHandlingMiddleware
|
16
|
-
use = builder.instance_variable_get('@use')
|
17
22
|
|
18
|
-
|
23
|
+
insert_middleware(builder, Sqreen::ErrorHandlingMiddleware, args, block) do |p, u|
|
24
|
+
if middlewares(builder).include?(::Sinatra::ShowExceptions)
|
25
|
+
Sqreen.log.warn('Sinatra :show_exceptions detected: Sinatra exception handling may prevent the Sqreen error page to display on attacks.')
|
26
|
+
end
|
27
|
+
|
28
|
+
if (i = middlewares(builder).index(::Rack::Head))
|
29
|
+
u.insert(i, p)
|
30
|
+
elsif (i = middlewares(builder).index(::Rack::MethodOverride))
|
31
|
+
u.insert(i + 1, p)
|
32
|
+
elsif (i = middlewares(builder).index(::Sinatra::ExtendedRack))
|
33
|
+
u.insert(i + 1, p)
|
34
|
+
else
|
35
|
+
u.insert(0, p)
|
36
|
+
end
|
37
|
+
end
|
19
38
|
|
20
|
-
|
39
|
+
insert_middleware(builder, Sqreen::ShrinkWrap, args, block) do |p, u|
|
40
|
+
if (i = middlewares(builder).index(::Sinatra::ExtendedRack))
|
41
|
+
u.insert(i, p)
|
42
|
+
else
|
43
|
+
u.insert(0, p)
|
44
|
+
end
|
45
|
+
end
|
21
46
|
|
22
|
-
|
23
|
-
|
47
|
+
insert_middleware(builder, Sqreen::Middleware, args, block) do |p, u|
|
48
|
+
if (i = middlewares(builder).index(::Sinatra::ExtendedRack))
|
49
|
+
u.insert(i, p)
|
50
|
+
else
|
51
|
+
u.insert(1, p)
|
52
|
+
end
|
24
53
|
end
|
25
54
|
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
55
|
+
insert_middleware(builder, Sqreen::SinatraMiddleware, args, block) do |p, u|
|
56
|
+
if ::Sqreen::Dependency.const_exist?('Rack::PostBodyContentTypeParser') && (i = middlewares(builder).index(::Rack::PostBodyContentTypeParser))
|
57
|
+
u.insert(i + 1, p)
|
58
|
+
elsif (i = middlewares(builder).index(::Rack::Protection))
|
59
|
+
u.insert(i + 1, p)
|
60
|
+
else
|
61
|
+
u.append(p)
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
66
|
+
def wrap_middleware(middleware, *args, &block)
|
67
|
+
proc { |app| middleware.new(app, *args, &block) }
|
68
|
+
end
|
69
|
+
|
70
|
+
def insert_middleware(builder, middleware, args, block)
|
71
|
+
use = builder.instance_variable_get('@use')
|
72
|
+
wrapped = wrap_middleware(middleware, *args, &block)
|
73
|
+
|
74
|
+
catch(:skip) do
|
75
|
+
throw(:skip) if middlewares(builder).include?(middleware)
|
76
|
+
|
77
|
+
yield(wrapped, use)
|
34
78
|
end
|
35
79
|
end
|
36
80
|
|
@@ -0,0 +1,32 @@
|
|
1
|
+
# typed: false
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/attack_blocked'
|
7
|
+
|
8
|
+
module Sqreen
|
9
|
+
class ErrorHandlingMiddleware
|
10
|
+
def initialize(app)
|
11
|
+
@app = app
|
12
|
+
end
|
13
|
+
|
14
|
+
def call(env)
|
15
|
+
@app.call(env)
|
16
|
+
rescue StandardError => e
|
17
|
+
sqreen_attack = nil
|
18
|
+
if e.is_a?(Sqreen::AttackBlocked)
|
19
|
+
sqreen_attack = e
|
20
|
+
elsif e.respond_to?(:original_exception) &&
|
21
|
+
e.original_exception.is_a?(Sqreen::AttackBlocked)
|
22
|
+
sqreen_attack = e.original_exception
|
23
|
+
end
|
24
|
+
|
25
|
+
if sqreen_attack && sqreen_attack.redirect_url
|
26
|
+
return [303, { 'Location' => sqreen_attack.redirect_url }, ['']]
|
27
|
+
end
|
28
|
+
|
29
|
+
raise
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
data/lib/sqreen/event.rb
CHANGED
@@ -1,6 +1,10 @@
|
|
1
|
+
# typed: true
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
6
|
+
# TODO: see sqreen/events
|
7
|
+
|
4
8
|
module Sqreen
|
5
9
|
# Master interface for point in time events (e.g. Attack, RemoteException)
|
6
10
|
class Event
|
data/lib/sqreen/events/attack.rb
CHANGED
@@ -1,9 +1,15 @@
|
|
1
|
+
# typed: false
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
6
|
+
# TODO: sqreen/events
|
7
|
+
|
4
8
|
require 'json'
|
9
|
+
require 'sqreen/log'
|
5
10
|
require 'sqreen/event'
|
6
11
|
require 'sqreen/encoding_sanitizer'
|
12
|
+
require 'sqreen/sensitive_data_redactor'
|
7
13
|
|
8
14
|
module Sqreen
|
9
15
|
# When a request is deeemed worthy of being sent to the backend
|
@@ -70,7 +76,13 @@ module Sqreen
|
|
70
76
|
res = Sqreen::EncodingSanitizer.sanitize(res)
|
71
77
|
|
72
78
|
if @redactor
|
73
|
-
res[:request] = @redactor.redact(res[:request])
|
79
|
+
res[:request], redacted = @redactor.redact(res[:request])
|
80
|
+
if redacted.any? && res[:observed] && res[:observed][:attacks]
|
81
|
+
res[:observed][:attacks] = @redactor.redact_attacks!(res[:observed][:attacks], redacted)
|
82
|
+
end
|
83
|
+
if redacted.any? && res[:observed] && res[:observed][:sqreen_exceptions]
|
84
|
+
res[:observed][:sqreen_exceptions] = @redactor.redact_exceptions!(res[:observed][:sqreen_exceptions], redacted)
|
85
|
+
end
|
74
86
|
end
|
75
87
|
|
76
88
|
res
|
@@ -115,59 +127,4 @@ module Sqreen
|
|
115
127
|
nil
|
116
128
|
end
|
117
129
|
end
|
118
|
-
|
119
|
-
# For redacting sensitive data and avoid having it sent to our servers
|
120
|
-
class SensitiveDataRedactor
|
121
|
-
DEFAULT_SENSITIVE_KEYS = Set.new(%w[password secret passwd authorization api_key apikey access_token]).freeze
|
122
|
-
DEFAULT_REGEX = /\A(?:\d[ -]*?){13,16}\z/
|
123
|
-
MASK = '<Redacted by Sqreen>'.freeze
|
124
|
-
|
125
|
-
def self.from_config
|
126
|
-
keys = Sqreen.config_get(:strip_sensitive_keys)
|
127
|
-
if keys && keys.is_a?(String)
|
128
|
-
keys = keys.split(',')
|
129
|
-
else
|
130
|
-
keys = nil
|
131
|
-
end
|
132
|
-
|
133
|
-
regex = Sqreen.config_get(:strip_sensitive_regex)
|
134
|
-
if regex && regex.is_a?(String)
|
135
|
-
begin
|
136
|
-
regex = Regexp.compile(regex)
|
137
|
-
rescue RegexpError
|
138
|
-
Sqreen.log.warn("Invalid regular expression given in strip_sensitive_regex: #{regex}")
|
139
|
-
regex = nil
|
140
|
-
end
|
141
|
-
else
|
142
|
-
regex = nil
|
143
|
-
end
|
144
|
-
|
145
|
-
new(keys: keys, regex: regex)
|
146
|
-
end
|
147
|
-
|
148
|
-
def initialize(params = {})
|
149
|
-
@regex = params[:regex] || DEFAULT_REGEX
|
150
|
-
@keys = (params[:keys] || DEFAULT_SENSITIVE_KEYS).map(&:downcase)
|
151
|
-
end
|
152
|
-
|
153
|
-
def redact(obj)
|
154
|
-
case obj
|
155
|
-
when String
|
156
|
-
return MASK if obj =~ @regex
|
157
|
-
|
158
|
-
when Array
|
159
|
-
return obj.map(&method(:redact))
|
160
|
-
|
161
|
-
when Hash
|
162
|
-
return Hash[
|
163
|
-
obj.map do |k, v|
|
164
|
-
ck = k.is_a?(String) ? k.downcase : k
|
165
|
-
[k, @keys.include?(ck) ? MASK : redact(v)]
|
166
|
-
end
|
167
|
-
]
|
168
|
-
end
|
169
|
-
|
170
|
-
obj
|
171
|
-
end
|
172
|
-
end
|
173
130
|
end
|
data/lib/sqreen/exception.rb
CHANGED
@@ -1,9 +1,12 @@
|
|
1
|
+
# typed: false
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
4
6
|
require 'sqreen/log'
|
5
7
|
|
6
8
|
module Sqreen
|
9
|
+
# TODO: do we really want this to be StandardError?
|
7
10
|
# Base exeception class for sqreen
|
8
11
|
class Exception < ::StandardError
|
9
12
|
def initialize(msg = nil, *args)
|
@@ -15,44 +18,12 @@ module Sqreen
|
|
15
18
|
Sqreen.log.error(msg)
|
16
19
|
end
|
17
20
|
end
|
18
|
-
|
19
|
-
# When the token is not found
|
20
|
-
class TokenNotFoundException < Exception
|
21
|
-
end
|
22
|
-
|
23
|
-
# When the token is invalid
|
24
|
-
class TokenInvalidException < Exception
|
25
|
-
end
|
26
|
-
|
27
|
-
# This exception name is particularly important since it is often seen by
|
28
|
-
# Sqreen users when watching their logs. It should not raise any concern to
|
29
|
-
# them.
|
30
|
-
class AttackBlocked < Exception
|
31
|
-
attr_accessor :redirect_url
|
32
|
-
|
33
|
-
def log_message(msg)
|
34
|
-
Sqreen.log.warn(msg)
|
35
|
-
end
|
36
|
-
end
|
37
|
-
|
38
|
-
class NotImplementedYet < Exception
|
39
|
-
end
|
40
|
-
|
41
|
-
class InvalidSignatureException < Exception
|
42
|
-
end
|
43
|
-
|
44
|
-
class Unauthorized < Exception
|
45
|
-
end
|
46
|
-
|
47
|
-
class WAFError < Exception
|
48
|
-
attr_reader :rule_name, :error, :data, :args
|
49
|
-
|
50
|
-
def initialize(rule_name, error, data = nil, args = nil)
|
51
|
-
super(error.to_s)
|
52
|
-
@rule_name = rule_name
|
53
|
-
@error = error
|
54
|
-
@data = data
|
55
|
-
@args = args
|
56
|
-
end
|
57
|
-
end
|
58
21
|
end
|
22
|
+
|
23
|
+
require 'sqreen/token_not_found_exception'
|
24
|
+
require 'sqreen/token_invalid_exception'
|
25
|
+
require 'sqreen/attack_blocked'
|
26
|
+
require 'sqreen/not_implemented_yet'
|
27
|
+
require 'sqreen/invalid_signature_exception'
|
28
|
+
require 'sqreen/unauthorized'
|
29
|
+
require 'sqreen/waf_error'
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# typed: true
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/log'
|
7
|
+
|
8
|
+
module Sqreen
|
9
|
+
# Ruby default formatter modified to display current thread_id
|
10
|
+
class FormatterWithTid
|
11
|
+
# TODO: constant name
|
12
|
+
Format = "%s, [%s#%d.%s] %5s -- %s: %s\n".freeze
|
13
|
+
DatetimeFormat = '%Y-%m-%dT%H:%M:%S.%6N '.freeze
|
14
|
+
|
15
|
+
attr_accessor :datetime_format
|
16
|
+
|
17
|
+
def initialize
|
18
|
+
@datetime_format = nil
|
19
|
+
end
|
20
|
+
|
21
|
+
def call(severity, time, progname, msg)
|
22
|
+
format(
|
23
|
+
Format,
|
24
|
+
severity[0..0], format_datetime(time), $$,
|
25
|
+
Thread.current.object_id.to_s(36),
|
26
|
+
severity, progname, msg2str(msg),
|
27
|
+
)
|
28
|
+
end
|
29
|
+
|
30
|
+
private
|
31
|
+
|
32
|
+
def format_datetime(time)
|
33
|
+
time.strftime(DatetimeFormat)
|
34
|
+
end
|
35
|
+
|
36
|
+
def msg2str(msg)
|
37
|
+
case msg
|
38
|
+
when ::String
|
39
|
+
msg
|
40
|
+
when ::Exception
|
41
|
+
"#{msg.message} (#{msg.class})\n" << (msg.backtrace || []).join("\n")
|
42
|
+
else
|
43
|
+
msg.inspect
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
# typed: true
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/cb'
|
7
|
+
require 'sqreen/shared_storage'
|
8
|
+
|
9
|
+
module Sqreen
|
10
|
+
# Framework-aware callback
|
11
|
+
class FrameworkCB < CB
|
12
|
+
attr_accessor :framework
|
13
|
+
|
14
|
+
def whitelisted?
|
15
|
+
whitelisted = SharedStorage.get(:whitelisted)
|
16
|
+
return whitelisted unless whitelisted.nil?
|
17
|
+
framework && !framework.whitelisted_match.nil?
|
18
|
+
end
|
19
|
+
|
20
|
+
# Record a metric observation
|
21
|
+
# @param category [String] Name of the metric observed
|
22
|
+
# @param key [String] aggregation key
|
23
|
+
# @param observation [Object] data observed
|
24
|
+
# @param at [Time] time when observation was made
|
25
|
+
def record_observation(category, key, observation, at = Time.now.utc)
|
26
|
+
return unless framework
|
27
|
+
framework.observe(:observations, [category, key, observation, at], [], false)
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
data/lib/sqreen/frameworks.rb
CHANGED
@@ -1,7 +1,16 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
6
|
+
# TODO: @@framework global of hell, misscoped (move to Sqreen::Framework?)
|
7
|
+
# TODO: Sqreen::Frameworks => Sqreen::Framework
|
8
|
+
|
9
|
+
require 'sqreen/log'
|
10
|
+
|
4
11
|
module Sqreen
|
12
|
+
module Frameworks; end
|
13
|
+
|
5
14
|
@@framework = nil
|
6
15
|
|
7
16
|
def self::set_framework(fwk)
|
@@ -1,13 +1,18 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
1
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
2
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
3
5
|
|
6
|
+
# TODO: Sqreen::NotImplementedYet => sqreen/exceptions
|
7
|
+
|
4
8
|
require 'ipaddr'
|
5
9
|
require 'set'
|
6
10
|
|
7
11
|
require 'sqreen/events/remote_exception'
|
8
|
-
require 'sqreen/
|
12
|
+
require 'sqreen/shared_storage'
|
9
13
|
require 'sqreen/exception'
|
10
14
|
require 'sqreen/log'
|
15
|
+
|
11
16
|
require 'sqreen/frameworks/request_recorder'
|
12
17
|
|
13
18
|
module Sqreen
|
@@ -49,6 +54,7 @@ module Sqreen
|
|
49
54
|
HTTP_X_CLUSTER_CLIENT_IP HTTP_FORWARDED_FOR
|
50
55
|
HTTP_FORWARDED HTTP_VIA].freeze
|
51
56
|
|
57
|
+
# TODO: remove global config_get
|
52
58
|
def preferred_ip_headers
|
53
59
|
@preferred_ip_headers ||=
|
54
60
|
begin
|
@@ -295,13 +301,14 @@ module Sqreen
|
|
295
301
|
params
|
296
302
|
end
|
297
303
|
|
298
|
-
%w(form query cookies).each do |section|
|
304
|
+
%w(form query cookies rack).each do |section|
|
299
305
|
define_method("#{section}_params") do
|
300
306
|
self.class.send("#{section}_params", request)
|
301
307
|
end
|
302
308
|
end
|
303
309
|
|
304
310
|
P_FORM = 'form'.freeze
|
311
|
+
P_RACK = 'rack'.freeze
|
305
312
|
P_QUERY = 'query'.freeze
|
306
313
|
P_COOKIE = 'cookies'.freeze
|
307
314
|
P_GRAPE = 'grape_params'.freeze
|
@@ -317,6 +324,16 @@ module Sqreen
|
|
317
324
|
end
|
318
325
|
end
|
319
326
|
|
327
|
+
def self.rack_params(request)
|
328
|
+
return nil unless request
|
329
|
+
begin
|
330
|
+
request.params
|
331
|
+
rescue => e
|
332
|
+
Sqreen.log.debug("Rack Parameters are invalid #{e.inspect}")
|
333
|
+
nil
|
334
|
+
end
|
335
|
+
end
|
336
|
+
|
320
337
|
def self.cookies_params(request)
|
321
338
|
return nil unless request
|
322
339
|
begin
|
@@ -345,6 +362,9 @@ module Sqreen
|
|
345
362
|
P_QUERY => query_params(request),
|
346
363
|
P_COOKIE => cookies_params(request),
|
347
364
|
}
|
365
|
+
if (p = rack_params(request))
|
366
|
+
r[P_RACK] = p
|
367
|
+
end
|
348
368
|
# Add grape parameters if seen
|
349
369
|
p = request.env['grape.request.params']
|
350
370
|
r[P_GRAPE] = p if p
|