RubyGems - sqreen - Versions diffs - 1.18.2-java → 1.19.0-java - Mend

sqreen 1.18.2-java → 1.19.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +35 -0
data/LICENSE +3 -0
data/lib/sqreen.rb +2 -0
data/lib/sqreen/actions.rb +13 -337
data/lib/sqreen/actions/actions_index.rb +16 -0
data/lib/sqreen/actions/base.rb +104 -0
data/lib/sqreen/actions/block_ip.rb +34 -0
data/lib/sqreen/actions/block_user.rb +46 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +16 -0
data/lib/sqreen/actions/ip_ranges_index.rb +57 -0
data/lib/sqreen/actions/redirect_ip.rb +42 -0
data/lib/sqreen/actions/redirect_user.rb +47 -0
data/lib/sqreen/actions/repository.rb +43 -0
data/lib/sqreen/actions/unknown_action_type.rb +20 -0
data/lib/sqreen/actions/user_action_class.rb +16 -0
data/lib/sqreen/actions/users_index.rb +35 -0
data/lib/sqreen/agent.rb +6 -2
data/lib/sqreen/attack_blocked.rb +19 -0
data/lib/sqreen/backport.rb +2 -0
data/lib/sqreen/backport/clock_gettime.rb +74 -0
data/lib/sqreen/backport/original_name.rb +2 -0
data/lib/sqreen/binding_accessor.rb +11 -102
data/lib/sqreen/binding_accessor/path_elem.rb +10 -0
data/lib/sqreen/binding_accessor/transforms.rb +114 -0
data/lib/sqreen/call_countable.rb +2 -0
data/lib/sqreen/capped_queue.rb +4 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +3 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +4 -2
data/lib/sqreen/condition_evaluator.rb +24 -5
data/lib/sqreen/conditionable.rb +2 -0
data/lib/sqreen/configuration.rb +19 -0
data/lib/sqreen/context.rb +2 -0
data/lib/sqreen/default_cb.rb +22 -0
data/lib/sqreen/deferred_logger.rb +65 -0
data/lib/sqreen/deliveries.rb +12 -0
data/lib/sqreen/deliveries/batch.rb +9 -1
data/lib/sqreen/deliveries/simple.rb +7 -0
data/lib/sqreen/dependency.rb +3 -1
data/lib/sqreen/dependency/detector.rb +22 -14
data/lib/sqreen/dependency/libsqreen.rb +32 -0
data/lib/sqreen/dependency/new_relic.rb +2 -0
data/lib/sqreen/dependency/rack.rb +10 -5
data/lib/sqreen/dependency/rails.rb +8 -0
data/lib/sqreen/dependency/sentry.rb +2 -0
data/lib/sqreen/dependency/sinatra.rb +58 -14
data/lib/sqreen/encoding_sanitizer.rb +2 -0
data/lib/sqreen/error_handling_middleware.rb +32 -0
data/lib/sqreen/event.rb +4 -0
data/lib/sqreen/events/attack.rb +4 -0
data/lib/sqreen/events/remote_exception.rb +2 -0
data/lib/sqreen/events/request_record.rb +13 -56
data/lib/sqreen/exception.rb +11 -40
data/lib/sqreen/formatter_with_tid.rb +47 -0
data/lib/sqreen/framework_cb.rb +30 -0
data/lib/sqreen/frameworks.rb +9 -0
data/lib/sqreen/frameworks/generic.rb +22 -2
data/lib/sqreen/frameworks/rails.rb +3 -0
data/lib/sqreen/frameworks/rails3.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +5 -0
data/lib/sqreen/frameworks/sinatra.rb +4 -0
data/lib/sqreen/frameworks/sqreen_test.rb +4 -0
data/lib/sqreen/graft.rb +12 -0
data/lib/sqreen/graft/call.rb +150 -0
data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
data/lib/sqreen/graft/hook.rb +316 -0
data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
data/lib/sqreen/graft/hook_point_error.rb +10 -0
data/lib/sqreen/invalid_signature_exception.rb +10 -0
data/lib/sqreen/js.rb +11 -0
data/lib/sqreen/js/call_context.rb +12 -0
data/lib/sqreen/js/context_pool.rb +62 -0
data/lib/sqreen/js/exec_js_runnable.rb +22 -0
data/lib/sqreen/js/execjs_adapter.rb +8 -47
data/lib/sqreen/js/executable_js.rb +14 -0
data/lib/sqreen/js/js_service.rb +4 -22
data/lib/sqreen/js/js_service_adapter.rb +20 -0
data/lib/sqreen/js/mini_racer_adapter.rb +8 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +144 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +49 -0
data/lib/{sqreen-alt.rb → sqreen/legacy.rb} +5 -1
data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +44 -15
data/lib/sqreen/log.rb +10 -188
data/lib/sqreen/log/loggable.rb +28 -0
data/lib/sqreen/logger.rb +85 -0
data/lib/sqreen/metrics.rb +2 -0
data/lib/sqreen/metrics/average.rb +2 -0
data/lib/sqreen/metrics/base.rb +2 -0
data/lib/sqreen/metrics/binning.rb +2 -0
data/lib/sqreen/metrics/collect.rb +2 -0
data/lib/sqreen/metrics/sum.rb +2 -0
data/lib/sqreen/metrics_store.rb +5 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +13 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +13 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +13 -0
data/lib/sqreen/middleware.rb +2 -34
data/lib/sqreen/mono_time.rb +4 -0
data/lib/sqreen/node.rb +46 -0
data/lib/sqreen/not_implemented_yet.rb +10 -0
data/lib/sqreen/null_logger.rb +26 -0
data/lib/sqreen/payload_creator.rb +4 -19
data/lib/sqreen/payload_creator/header_section.rb +30 -0
data/lib/sqreen/performance_notifications.rb +2 -0
data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
data/lib/sqreen/performance_notifications/log.rb +2 -0
data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
data/lib/sqreen/performance_notifications/metrics.rb +2 -0
data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
data/lib/sqreen/prefix.rb +35 -0
data/lib/sqreen/rails_middleware.rb +16 -0
data/lib/sqreen/remote_command.rb +3 -8
data/lib/sqreen/remote_command/failure_output.rb +16 -0
data/lib/sqreen/rules.rb +34 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +2 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +6 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +3 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +5 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +4 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +51 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +8 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +4 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +7 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +3 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +3 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +7 -3
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +4 -2
data/lib/sqreen/rules/update_request_context.rb +22 -0
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +3 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +41 -21
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +12 -7
data/lib/sqreen/run_when_called_cb.rb +23 -0
data/lib/sqreen/runner.rb +25 -7
data/lib/sqreen/runtime_infos.rb +4 -9
data/lib/sqreen/safe_json.rb +2 -0
data/lib/sqreen/sdk.rb +4 -0
data/lib/sqreen/sensitive_data_redactor.rb +113 -0
data/lib/sqreen/serializer.rb +2 -0
data/lib/sqreen/session.rb +2 -0
data/lib/sqreen/shared_storage.rb +2 -0
data/lib/sqreen/shared_storage23.rb +2 -0
data/lib/sqreen/shrink_wrap.rb +16 -0
data/lib/sqreen/signature_verifier.rb +22 -0
data/lib/sqreen/sinatra_middleware.rb +16 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +7 -17
data/lib/sqreen/token_invalid_exception.rb +10 -0
data/lib/sqreen/token_not_found_exception.rb +11 -0
data/lib/sqreen/trie.rb +5 -64
data/lib/sqreen/unauthorized.rb +10 -0
data/lib/sqreen/util.rb +7 -0
data/lib/sqreen/util/capped_array.rb +35 -0
data/lib/sqreen/util/capped_hash.rb +41 -0
data/lib/sqreen/util/capped_string.rb +26 -0
data/lib/sqreen/util/capper.rb +67 -0
data/lib/sqreen/version.rb +3 -1
data/lib/sqreen/waf_error.rb +20 -0
data/lib/sqreen/weave.rb +12 -0
data/lib/sqreen/weave/hardcoded.rb +19 -0
data/lib/sqreen/weave/instrumentor.rb +48 -0
data/lib/sqreen/weave/legacy.rb +12 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
data/lib/sqreen/web_server.rb +2 -0
data/lib/sqreen/web_server/generic.rb +2 -0
data/lib/sqreen/web_server/passenger.rb +2 -0
data/lib/sqreen/web_server/puma.rb +2 -0
data/lib/sqreen/web_server/rainbows.rb +2 -0
data/lib/sqreen/web_server/thin.rb +2 -0
data/lib/sqreen/web_server/unicorn.rb +2 -0
data/lib/sqreen/web_server/webrick.rb +2 -0
data/lib/sqreen/worker.rb +2 -0
metadata +105 -39
data/lib/sqreen/dependency/hook.rb +0 -102
data/lib/sqreen/rules_callbacks.rb +0 -35
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

data/lib/sqreen/js/executable_js.rb ADDED

@@ -0,0 +1,14 @@
+# typed: true
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  module Js
+    class ExecutableJs
+      def run_js_cb(_cb_name, _budget, _arguments)
+        raise Sqreen::NotImplementedYet
+      end
+    end
+  end
+end

data/lib/sqreen/js/js_service.rb CHANGED

@@ -1,12 +1,14 @@
+# typed: ignore
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log'
 require 'sqreen/exception'
+require 'singleton'
 module Sqreen
   module Js
-    # start public interface
     class JsService
       include ::Singleton
@@ -66,25 +68,5 @@ module Sqreen
         false
       end
     end
-    CallContext = Struct.new(:inst, :args, :rv)
-    class ExecutableJs
-      def run_js_cb(_cb_name, _budget, _arguments)
-        raise Sqreen::NotImplementedYet
-      end
-    end
-    # end public interface
-    class JsServiceAdapter
-      def preprocess(rule_name, code)
-        raise Sqreen::NotImplementedYet
-      end
-      def variant_name
-        'unspecified'
-      end
-    end
   end
 end

data/lib/sqreen/js/js_service_adapter.rb ADDED

@@ -0,0 +1,20 @@
+# typed: true
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  module Js
+    class JsServiceAdapter
+      def preprocess(_rule_name, _code)
+        raise Sqreen::NotImplementedYet
+      end
+      def variant_name
+        'unspecified'
+      end
+    end
+  end
+end

data/lib/sqreen/js/mini_racer_adapter.rb CHANGED

@@ -1,14 +1,21 @@
+# typed: ignore
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: => Sqreen::JS:MiniRacer
 require 'digest'
 require 'json'
+require 'sqreen/js/executable_js'
+require 'sqreen/js/js_service_adapter'
+require 'sqreen/js/context_pool'
+require 'sqreen/js/mini_racer_executable_js'
 module Sqreen
   module Js
     DEFAULT_GC_THRESHOLD = 15000000  # 15 MB
     class MiniRacerAdapter < JsServiceAdapter
       def initialize(vendored = false)
         @vendored = vendored
@@ -30,184 +37,5 @@ module Sqreen
         @done_static_init = true
       end
     end
-    # Auxiliary classes
-    class ContextPool
-      def initialize
-        @mutex = Mutex.new
-        @total_ctxs = 0
-        @contexts = []
-      end
-      def with_context(&block)
-        isolate = get_context
-        begin
-          block[isolate]
-        ensure
-          give_back_context isolate
-        end
-      end
-      private
-      def get_context
-        @mutex.synchronize do
-          if @contexts.empty?
-            @total_ctxs += 1
-            Sqreen.log.debug "Creating new V8 context (#{@total_ctxs})"
-            SqreenContext.new
-          else
-            @contexts.pop
-          end
-        end
-      end
-      def give_back_context(context)
-        context.possibly_gc
-        if context.gc_load > 30
-          if context.gc_threshold_in_bytes == DEFAULT_GC_THRESHOLD
-            context.gc_threshold_in_bytes *= 2
-            Sqreen.log.warn("Context #{context} had too many close garbage " \
-                            'collections; doubling the threshold to ' \
-                            "#{context.gc_threshold_in_bytes} bytes")
-            context.gc_load = 0
-          else
-            Sqreen.log.warn("Context #{context} had too many close garbage " \
-                            'collections; discarding it')
-            context.dispose
-            return
-          end
-        end
-        @mutex.synchronize { @contexts.push(context); }
-      end
-    end
-    class MiniRacerExecutableJs < ExecutableJs
-      @@ctx_defined = false
-      def initialize(pool, code, vendored)
-        @pool = pool
-        @code = code
-        @code_id = self.class.code_id(code)
-        @module = vendored ? Sqreen::MiniRacer : MiniRacer
-        mod = vendored ? Sqreen::MiniRacer : MiniRacer
-        unless @@ctx_defined
-          self.class.define_sqreen_context(mod)
-          @@ctx_defined = true
-        end
-      end
-      def run_js_cb(cb_name, budget, arguments)
-        @pool.with_context do |ctx|
-          if ctx.code_failed?(@code_id)
-            Sqreen.log.debug do
-              "Skipping execution of callback #{cb_name} (code md5 #{@code_id})" \
-              " due to prev failure of definition evaluation"
-            end
-            return nil
-          end
-          ctx.add_code(@code_id, @code) unless ctx.has_code?(@code_id)
-          # mini_racer expects timeout to be in ms
-          ctx.timeout = budget ? budget * 1000.0 : nil
-          begin
-            ctx.call("sqreen_#{@code_id}_#{cb_name}", *arguments)
-          rescue @module::ScriptTerminatedError
-            Sqreen.log.debug "ScriptTerminatedError/#{cb_name}"
-            nil
-          end
-        end
-      end
-      def self.code_id(code)
-        Digest::MD5.hexdigest(code)
-      end
-      private
-      class << self
-        def define_sqreen_context(modoole)
-          # Context specialized for Sqreen usage
-          Sqreen::Js.const_set 'SqreenContext', Class.new(modoole.const_get('Context'))
-          SqreenContext.class_eval do
-            attr_accessor :gc_threshold_in_bytes
-            attr_accessor :gc_load
-            attr_writer   :timeout
-            def has_code?(code_id)
-              return false unless @code_ids
-              @code_ids.include?(code_id)
-            end
-            def code_failed?(code_id)
-              return false unless @failed_code_ids
-              @failed_code_ids.include?(code_id)
-            end
-            def add_code(code_id, code)
-              # It's important that the definition is run in its own scope (by executing it inside an anonymous function)
-              # Otherwise some auxiliary functions that the backend server sends will collide the name
-              # Because they're defined with `var`, running the definitions inside a function is enough
-              eval_unsafe "(function() { #{code} })()"
-              transf_global_funcs code_id
-              @code_ids ||= Set.new
-              @code_ids << code_id
-            rescue
-              @failed_code_ids ||= Set.new
-              @failed_code_ids << code_id
-              raise
-            end
-            def eval_unsafe(str, filename = nil, timeoutv = nil)
-              # Beware, timeout could be kept in the context
-              # if perf cap is removed after having been activated
-              # As it's unused by execjscb we are not cleaning it
-              return super(str, filename) if timeoutv.nil?
-              return if timeoutv <= 0.0
-              timeoutv *= 1000 # Timeout are currently expressed in seconds
-              @timeout = timeoutv
-              @eval_thread = Thread.current
-              timeout do
-                super(str, filename)
-              end
-            end
-            def possibly_gc
-              @gc_threshold_in_bytes ||= DEFAULT_GC_THRESHOLD
-              @gc_load ||= 0
-              # garbage collections max 1 in every 4 calls (avg)
-              if heap_stats[:total_heap_size] > @gc_threshold_in_bytes
-                low_memory_notification
-                @gc_load += 4
-              else
-                @gc_load = [0, @gc_load - 1].max
-              end
-            end
-            private
-            def transf_global_funcs(code_id)
-              # Multiple callbacks may share the same name. In order to avoid collisions, we rename them here.
-              eval_unsafe <<EOD
-                Object.keys(this).forEach(name => {
-                  if (typeof this[name] === "function" && !name.startsWith("sqreen_")) {
-                    this['sqreen_#{code_id}_' + name] = this[name];
-                    this[name] = undefined;
-                  }
-                });
-EOD
-            end
-          end
-        end
-      end
-    end
   end
 end

data/lib/sqreen/js/mini_racer_executable_js.rb ADDED

@@ -0,0 +1,144 @@
+# typed: ignore
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: => Sqreen::JS:MiniRacer
+# TODO: remove class vars
+require 'sqreen/log'
+module Sqreen
+  module Js
+    class MiniRacerExecutableJs < ExecutableJs
+      @@ctx_defined = false # rubocop:disable Style/ClassVars
+      def ctx_defined?
+        @@ctx_defined
+      end
+      def define_ctx!
+        @@ctx_defined = true # rubocop:disable Style/ClassVars
+      end
+      def initialize(pool, code, vendored)
+        @pool = pool
+        @code = code
+        @code_id = self.class.code_id(code)
+        @module = vendored ? Sqreen::MiniRacer : MiniRacer
+        mod = vendored ? Sqreen::MiniRacer : MiniRacer
+        return if ctx_defined?
+        self.class.define_sqreen_context(mod)
+        define_ctx!
+      end
+      def run_js_cb(cb_name, budget, arguments)
+        @pool.with_context do |ctx|
+          if ctx.code_failed?(@code_id)
+            Sqreen.log.debug do
+              "Skipping execution of callback #{cb_name} (code md5 #{@code_id})" \
+              " due to prev failure of definition evaluation"
+            end
+            return nil
+          end
+          ctx.add_code(@code_id, @code) unless ctx.code?(@code_id)
+          # mini_racer expects timeout to be in ms
+          ctx.timeout = budget ? budget * 1000.0 : nil
+          begin
+            ctx.call("sqreen_#{@code_id}_#{cb_name}", *arguments)
+          rescue @module::ScriptTerminatedError
+            Sqreen.log.debug "ScriptTerminatedError/#{cb_name}"
+            nil
+          end
+        end
+      end
+      def self.code_id(code)
+        Digest::MD5.hexdigest(code)
+      end
+      class << self
+        def define_sqreen_context(modoole)
+          # Context specialized for Sqreen usage
+          Sqreen::Js.const_set 'SqreenContext', Class.new(modoole.const_get('Context'))
+          SqreenContext.class_eval do
+            attr_accessor :gc_threshold_in_bytes
+            attr_accessor :gc_load
+            attr_writer   :timeout
+            def code?(code_id)
+              return false unless @code_ids
+              @code_ids.include?(code_id)
+            end
+            def code_failed?(code_id)
+              return false unless @failed_code_ids
+              @failed_code_ids.include?(code_id)
+            end
+            def add_code(code_id, code)
+              # It's important that the definition is run in its own scope (by executing it inside an anonymous function)
+              # Otherwise some auxiliary functions that the backend server sends will collide the name
+              # Because they're defined with `var`, running the definitions inside a function is enough
+              eval_unsafe "(function() { #{code} })()"
+              transf_global_funcs code_id
+              @code_ids ||= Set.new
+              @code_ids << code_id
+            rescue StandardError
+              @failed_code_ids ||= Set.new
+              @failed_code_ids << code_id
+              raise
+            end
+            def eval_unsafe(str, filename = nil, timeoutv = nil)
+              # Beware, timeout could be kept in the context
+              # if perf cap is removed after having been activated
+              # As it's unused by execjscb we are not cleaning it
+              return super(str, filename) if timeoutv.nil?
+              return if timeoutv <= 0.0
+              timeoutv *= 1000 # Timeout are currently expressed in seconds
+              @timeout = timeoutv
+              @eval_thread = Thread.current
+              timeout do
+                super(str, filename)
+              end
+            end
+            def possibly_gc
+              @gc_threshold_in_bytes ||= DEFAULT_GC_THRESHOLD
+              @gc_load ||= 0
+              # garbage collections max 1 in every 4 calls (avg)
+              if heap_stats[:total_heap_size] > @gc_threshold_in_bytes
+                low_memory_notification
+                @gc_load += 4
+              else
+                @gc_load = [0, @gc_load - 1].max
+              end
+            end
+            private
+            def transf_global_funcs(code_id)
+              # Multiple callbacks may share the same name. In order to avoid collisions, we rename them here.
+              eval_unsafe <<-JS
+                Object.keys(this).forEach(name => {
+                  if (typeof this[name] === "function" && !name.startsWith("sqreen_")) {
+                    this['sqreen_#{code_id}_' + name] = this[name];
+                    this[name] = undefined;
+                  }
+                });
+              JS
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/js/thread_local_exec_js_runnable.rb ADDED

@@ -0,0 +1,49 @@
+# typed: true
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: => Sqreen::JS:ExecJS
+require 'sqreen/js/executable_js'
+module Sqreen
+  module Js
+    class ThreadLocalExecJsRunnable < ExecutableJs
+      def initialize(code)
+        @code = code
+        @tl_key = "SQREEN_EXECJS_CONTEXT_#{object_id}".freeze
+        @runtimes = [] # place where to keep strong references
+        @runtimes_mutex = Mutex.new
+      end
+      def run_js_cb(cbname, _budget, arguments)
+        tl_exec_js_runnable.call(cbname, *arguments)
+      end
+      def with_runtimes_mutex
+        @runtimes_mutex.synchronize { yield }
+      end
+      private
+      def dispose_from_dead_threads
+        with_runtimes_mutex do
+          @runtimes.delete_if { |th, _runtime| !th.alive? }
+        end
+      end
+      def tl_exec_js_runnable
+        runnable = Thread.current[@tl_key]
+        return runnable if runnable && runnable.weakref_alive?
+        dispose_from_dead_threads
+        runtime = ExecJS.compile(@code)
+        with_runtimes_mutex do
+          @runtimes << [Thread.current, runtime]
+        end
+        Thread.current[@tl_key] = WeakRef.new(runtime)
+      end
+    end
+  end
+end