sqreen 1.18.3-java → 1.19.1-java

data/lib/sqreen/rules/user_agent_matches_cb.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/rules/waf_cb.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
@@ -9,11 +11,15 @@ require 'sqreen/safe_json'
 require 'sqreen/exception'
 require 'sqreen/util/capper'
 require 'sqreen/dependency/libsqreen'
+require 'sqreen/encoding_sanitizer'
 
 module Sqreen
   module Rules
     class WAFCB < RuleCB
-      BUDGET_MAX = 5000
+      # 2^30 -1 or 2^62 -1
+      MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
+      # will be converted to a long, so better not to overflow
+      INFINITE_BUDGET_US = MAX_FIXNUM
 
       def self.libsqreen?
         Sqreen::Dependency::LibSqreen.required?
@@ -23,7 +29,7 @@ module Sqreen
         Sqreen::Dependency.const_exist?('LibSqreen::WAF')
       end
 
-      attr_reader :binding_accessors, :budget, :waf_rule_name
+      attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
 
       def initialize(*args)
         super(*args)
@@ -52,12 +58,17 @@ module Sqreen
         @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
           h[e] = BindingAccessor.new(e)
         end
-        @budget = @data['values'].fetch('budget', BUDGET_MAX)
+
+        # 0 for using defaults (PW_RUN_TIMEOUT)
+        @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
+        @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
+
+        Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
 
         ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
       end
 
-      def pre(instance, args, _budget)
+      def pre(instance, args, budget)
         return unless WAFCB.libsqreen? && WAFCB.waf?
 
         request = framework.request
@@ -65,12 +76,25 @@ module Sqreen
 
         env = [binding, framework, instance, args]
 
+        start = Sqreen.time if budget
+
         capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
         waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
           h[e] = capper.call(b.resolve(*env))
         end
         waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
-        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, budget)
+
+        if budget
+          rem_budget_s = budget - (Sqreen.time - start)
+          return advise_action(nil) if rem_budget_s <= 0.0
+
+          waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
+        else # no budget
+          waf_gen_budget_us = INFINITE_BUDGET_US
+        end
+
+        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
+                                            waf_gen_budget_us, @max_run_budget_us)
 
         case action
         when :monitor
@@ -102,13 +126,13 @@ module Sqreen
         lambda do |object_id|
           return unless WAFCB.libsqreen?
 
-          ::LibSqreen::WAF.delete(waf_rule_name, waf_args, budget)
+          ::LibSqreen::WAF.delete(waf_rule_name)
           Sqreen.log.debug("WAF rule #{rule_name} deleted, from #<#{name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
         end
       end
 
       def record_exception(exception, infos = {}, at = Time.now.utc)
-        infos.merge!(exception_to_infos(exception))
+        infos.merge!(exception_to_infos(exception)) if exception.is_a?(Sqreen::WAFError)
         super(exception, infos, at)
       end
 

data/lib/sqreen/rules/xss_cb.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/run_when_called_cb.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/runner.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
@@ -18,8 +20,9 @@ require 'sqreen/deliveries/simple'
 require 'sqreen/deliveries/batch'
 require 'sqreen/performance_notifications/metrics'
 require 'sqreen/performance_notifications/binned_metrics'
-require 'sqreen/instrumentation'
+require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
+require 'sqreen/weave/legacy/instrumentation'
 
 module Sqreen
   @features = {}
@@ -117,7 +120,16 @@ module Sqreen
       register_exit_cb if set_at_exit
 
       self.metrics_engine = MetricsStore.new
-      @instrumenter = Instrumentation.new(metrics_engine)
+
+      needs_weave = proc do
+        Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      end
+
+      if @configuration.get(:weave) || needs_weave.call
+        @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
+      else
+        @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)
+      end
 
       Sqreen.log.debug "Using token #{@token}"
       response = create_session(session_class)
@@ -235,7 +247,7 @@ module Sqreen
     def remove_instrumentation(_context_infos = {})
       Sqreen.log.debug 'Removing instrumentation'
       instrumenter.remove_all_callbacks
-      Sqreen::Actions::Repository.instance.clear
+      Sqreen::Actions::Repository.clear
       Sqreen.log.debug 'Instrumentation removed'
       true
     end
@@ -244,7 +256,6 @@ module Sqreen
       Sqreen.log.debug 'Reloading rules'
       rulespack_id, rules = load_rules
       instrumenter.remove_all_callbacks
-      Sqreen::Actions::Repository.instance.clear
 
       @framework.instrument_when_ready!(instrumenter, rules)
       Sqreen.log.debug 'Rules reloaded'
@@ -304,12 +315,18 @@ module Sqreen
       Sqreen.update_features(features)
       session.request_compression = features['request_compression'] if session
       self.performance_metrics_period = features['performance_metrics_period']
+
+      unless @configuration.get(:weave)
+
       config_binned_metrics(features['perf_level'] || DEFAULT_PERF_LEVEL,
                             features['perf_base'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_BASE,
                             features['perf_unit'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_UNIT,
                             features['perf_pct_base'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_PCT_BASE,
                             features['perf_pct_unit'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_PCT_UNIT,
                            )
+
+      end
+
       self.call_counts_metrics_period = features['call_counts_metrics_period']
       hd = features['heartbeat_delay'].to_i
       self.heartbeat_delay = hd if hd > 0
@@ -456,13 +473,12 @@ module Sqreen
     def load_actions(hashes)
       unsupported = Set.new
 
-      repos = Sqreen::Actions::Repository.instance
-      repos.clear
+      new_repos = Sqreen::Actions::Repository.new
 
       actions = hashes.map do |h|
         begin
           act = Sqreen::Actions.deserialize_action(h)
-          repos.add h['parameters'], act
+          new_repos.add h['parameters'], act
           act
         rescue Sqreen::Actions::UnknownActionType => e
           Sqreen.log.warn("Unsupported action type: #{e.action_type}")
@@ -476,6 +492,8 @@ module Sqreen
       actions = actions.reject(&:nil?)
       Sqreen.log.debug("Added #{actions.size} valid actions")
 
+      Sqreen::Actions::Repository.current = new_repos
+
       unsupported
     end
   end

data/lib/sqreen/runtime_infos.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/safe_json.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/sdk.rb

@@ -1,6 +1,10 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
+require 'sqreen/frameworks'
+
 # Sqreen Namespace
 module Sqreen
 

data/lib/sqreen/sensitive_data_redactor.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/serializer.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/session.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shared_storage.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shared_storage23.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shrink_wrap.rb

@@ -0,0 +1,16 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  class ShrinkWrap
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/signature_verifier.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/sinatra_middleware.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/sqreen_signed_verifier.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/token_invalid_exception.rb

@@ -1,3 +1,5 @@
+# typed: strong
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/token_not_found_exception.rb

@@ -1,3 +1,5 @@
+# typed: strong
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/trie.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/unauthorized.rb

@@ -1,3 +1,5 @@
+# typed: strong
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util.rb

@@ -1,2 +1,7 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
 module Sqreen; end
 module Sqreen::Util; end

data/lib/sqreen/util/capped_array.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util/capped_hash.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util/capped_string.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util/capper.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/version.rb

@@ -1,6 +1,8 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 module Sqreen
-  VERSION = '1.18.3'.freeze
+  VERSION = '1.19.1'.freeze
 end

data/lib/sqreen/waf_error.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/weave.rb

@@ -0,0 +1,12 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log/loggable'
+
+module Sqreen
+  module Weave
+    include Sqreen::Log::Loggable
+  end
+end

data/lib/sqreen/weave/hardcoded.rb

@@ -0,0 +1,19 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/weave'
+
+class Sqreen::Weave::Hardcoded
+  # [
+  #   ### callback for performing sec responses based on ip
+  #   ### init redefined to implement smartass way to hook it upon the
+  #   ### framework's middleware #call
+  #   Sqreen::Rules::RunReqStartActions.new(framework),
+  #   ### callback for performing sec responses based on user
+  #   Sqreen::Rules::RunUserActions.new(Sqreen, :identify, 0),
+  #   ### callback for performing sec responses based on user
+  #   Sqreen::Rules::RunUserActions.new(Sqreen, :auth_track, 1),
+  # ]
+end

data/lib/sqreen/weave/instrumentor.rb

@@ -0,0 +1,48 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/weave'
+
+# rule loader: decouple from runner
+# remote rules from back
+# local rules from local files
+# => rule list (what is a rule?)
+# => to callback (what is a callback?)
+# => to instrumentation (== attach callbacks to their targets using graft)
+
+# make shit like instrument framework independent (block passing?)
+# => too much things assume only one framework
+# possible to do run req actions without hardcoded cbs?
+# (data comes from actions command, native cb merely binds to middleware)
+# can cb be a form of abstraction?
+
+# rule sig: decouple/split
+# - data signer/checker
+# apply this to rule data
+
+# whitelist is mixed in
+
+# metrics
+# three dedicated metrics: abstract and isolate
+
+class Sqreen::Weave::Instrumentor
+  def initialize(metrics_engine)
+    ### bail out if no metric engine
+    ### init metric to count calls to sqreen
+    ### init metric to count request whitelist matches (ip or path whitelist)
+    ### init metric to count over budget hits
+  end
+
+  def instrument!(rules, framework)
+    ### set up rule signature verifier
+    ### force clean instrumentation callback list
+    ### for each rule description, transform into format for adding callback
+    ###   attach framework to callback
+    ###   install callback, observing priority
+    ### for each hardcoded callback
+    ###   install hardcoded callbacks, observing priority
+    ### globally declare instrumentation ready
+  end
+end