RubyGems - sqreen - Versions diffs - 1.18.3.beta1 → 1.18.3.beta2 - Mend

sqreen 1.18.3.beta1 → 1.18.3.beta2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +0 -5
data/lib/sqreen/actions.rb +11 -337
data/lib/sqreen/actions/base.rb +110 -0
data/lib/sqreen/actions/block_ip.rb +32 -0
data/lib/sqreen/actions/block_user.rb +44 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +36 -0
data/lib/sqreen/actions/ip_ranges_index.rb +36 -0
data/lib/sqreen/actions/redirect_ip.rb +40 -0
data/lib/sqreen/actions/redirect_user.rb +45 -0
data/lib/sqreen/actions/repository.rb +24 -0
data/lib/sqreen/actions/unknown_action_type.rb +16 -0
data/lib/sqreen/actions/user_action_class.rb +41 -0
data/lib/sqreen/agent.rb +4 -1
data/lib/sqreen/attack_blocked.rb +17 -0
data/lib/sqreen/binding_accessor.rb +9 -102
data/lib/sqreen/binding_accessor/path_elem.rb +8 -0
data/lib/sqreen/binding_accessor/transforms.rb +107 -0
data/lib/sqreen/capped_queue.rb +2 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +1 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +2 -2
data/lib/sqreen/condition_evaluator.rb +22 -5
data/lib/sqreen/configuration.rb +3 -0
data/lib/sqreen/default_cb.rb +20 -0
data/lib/sqreen/deferred_logger.rb +63 -0
data/lib/sqreen/deliveries.rb +10 -0
data/lib/sqreen/deliveries/batch.rb +7 -1
data/lib/sqreen/deliveries/simple.rb +5 -0
data/lib/sqreen/dependency/rails.rb +4 -0
data/lib/sqreen/dependency/sinatra.rb +4 -0
data/lib/sqreen/error_handling_middleware.rb +30 -0
data/lib/sqreen/event.rb +2 -0
data/lib/sqreen/events/attack.rb +2 -0
data/lib/sqreen/events/request_record.rb +11 -56
data/lib/sqreen/exception.rb +9 -40
data/lib/sqreen/formatter_with_tid.rb +45 -0
data/lib/sqreen/framework_cb.rb +28 -0
data/lib/sqreen/frameworks.rb +7 -0
data/lib/sqreen/frameworks/generic.rb +5 -1
data/lib/sqreen/frameworks/rails.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +3 -0
data/lib/sqreen/frameworks/sinatra.rb +2 -0
data/lib/sqreen/frameworks/sqreen_test.rb +2 -0
data/lib/sqreen/instrumentation.rb +5 -5
data/lib/sqreen/invalid_signature_exception.rb +8 -0
data/lib/{sqreen-alt.rb → sqreen/js.rb} +6 -1
data/lib/sqreen/js/call_context.rb +10 -0
data/lib/sqreen/js/context_pool.rb +60 -0
data/lib/sqreen/js/exec_js_runnable.rb +20 -0
data/lib/sqreen/js/execjs_adapter.rb +6 -47
data/lib/sqreen/js/executable_js.rb +12 -0
data/lib/sqreen/js/js_service.rb +2 -22
data/lib/sqreen/js/js_service_adapter.rb +18 -0
data/lib/sqreen/js/mini_racer_adapter.rb +6 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +142 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +47 -0
data/lib/sqreen/log.rb +8 -188
data/lib/sqreen/logger.rb +83 -0
data/lib/sqreen/metrics_store.rb +3 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +11 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +11 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +11 -0
data/lib/sqreen/middleware.rb +0 -44
data/lib/sqreen/mono_time.rb +2 -0
data/lib/sqreen/node.rb +44 -0
data/lib/sqreen/not_implemented_yet.rb +8 -0
data/lib/sqreen/null_logger.rb +24 -0
data/lib/sqreen/payload_creator.rb +2 -19
data/lib/sqreen/payload_creator/header_section.rb +28 -0
data/lib/sqreen/prefix.rb +33 -0
data/lib/sqreen/rails_middleware.rb +14 -0
data/lib/sqreen/remote_command.rb +1 -8
data/lib/sqreen/remote_command/failure_output.rb +11 -0
data/lib/sqreen/rules.rb +32 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +0 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +4 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +1 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +3 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +2 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +49 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +2 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +1 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +1 -1
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/update_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +7 -3
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +10 -7
data/lib/sqreen/run_when_called_cb.rb +21 -0
data/lib/sqreen/sensitive_data_redactor.rb +111 -0
data/lib/sqreen/signature_verifier.rb +20 -0
data/lib/sqreen/sinatra_middleware.rb +14 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +5 -17
data/lib/sqreen/token_invalid_exception.rb +8 -0
data/lib/sqreen/token_not_found_exception.rb +9 -0
data/lib/sqreen/trie.rb +3 -64
data/lib/sqreen/unauthorized.rb +8 -0
data/lib/sqreen/util.rb +2 -0
data/lib/sqreen/util/capped_array.rb +30 -0
data/lib/sqreen/util/capped_hash.rb +36 -0
data/lib/sqreen/util/capped_string.rb +22 -0
data/lib/sqreen/util/capper.rb +57 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/waf_error.rb +18 -0
metadata +85 -36
data/lib/sqreen/rules_callbacks.rb +0 -36
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0cb385fddb3e1bb873a5def8b85d4e0865650ba97268d8cd3f67d84640439010
-  data.tar.gz: 65d395b3926571d088603a7e604a3c377a6e57c334ab4c106354812e65d8f84d
+  metadata.gz: 1a1340b0e4265b69cea5bb84456f52586f310ccc03aadd9d6974779707d55329
+  data.tar.gz: 4da37a0e4bd305d18fc06d164683f46dddf830c54a67c3a3f3481a6314efbc34
 SHA512:
-  metadata.gz: b0ae2a6ebe375573a26372a63fb383e7176bda425e52d977b9e42172c6e95b13143f3be83f069985bdcbea5816f61a53a4b6fabc98ed004ffb8142a17f10400c
-  data.tar.gz: 8d233a01e2ef20ed7b1f1fd6d1ddbb384b482ca62d01ebec4100a1138430064e04368d9e078313364e8c99885bb0b137e2cc19a52b5e91e1ab5f50dbeaf67967
+  metadata.gz: 662b2f798f20452c4a8cd328608277f68748584e2e335a9e2f4cc5a3acdc97fd5345136048f23813c76dee8974a0ae1e62bb2018b97b0d2bbe729d31603fbfec
+  data.tar.gz: 9f4d4c1efad12ed3831dedb528a677d1cf92bb7a0c3c7a07c21c26b5838a5081e2b3a8944bfb3a89c80b6f80f09c9cb676af23839c401187702038aae014c8cf

data/CHANGELOG.md CHANGED Viewed

@@ -1,8 +1,3 @@
-## 1.18.3.beta1
-* Improve middleware hookpoints on Sinatra
-* Support application/json payloads on Sinatra
 ## 1.18.2
 * Improve internal WAF error reporting

data/lib/sqreen/actions.rb CHANGED Viewed

@@ -1,51 +1,26 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'ipaddr'
-require 'sqreen/trie'
-require 'sqreen/log'
-require 'sqreen/exception'
-require 'sqreen/sdk'
-require 'sqreen/frameworks'
-require 'singleton'
+require 'sqreen/actions/unknown_action_type'
+require 'sqreen/actions/base'
+require 'sqreen/actions/block_user'
+require 'sqreen/actions/redirect_user'
+require 'sqreen/actions/block_ip'
+require 'sqreen/actions/redirect_ip'
+require 'sqreen/actions/repository'
+require 'sqreen/actions/unknown_action_type'
 module Sqreen
   # Implements actions (behavior taken in response to agent signals)
   module Actions
-    # Exception for when an unknown action type is gotten from the server
-    class UnknownActionType < ::Sqreen::Exception
-      attr_reader :action_type
-      def initialize(action_type)
-        super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
-        @action_type = action_type
-      end
-    end
-    # Where the currently loaded actions are stored. Singleton
-    class Repository
-      include Singleton
-      def add(params, action)
-        action.class.index(params || {}, action)
-      end
-      def get(action_class, key)
-        action_class = Base.get_type_class(action_class) unless action_class.class == Class
-        action_class.actions_matching key
-      end
-      def clear
-        Base.known_subclasses.each(&:clear)
-      end
-    end
     # @return [Sqreen::Actions::Base]
     def self.deserialize_action(hash)
       action_type = hash['action']
       raise 'no action type available' unless action_type
-      subclass = Base.get_type_class(action_type)
-      raise UnknownActionType, action_type unless subclass
+      subclass = Sqreen::Actions::Base.get_type_class(action_type)
+      raise Sqreen::Actions::UnknownActionType, action_type unless subclass
       id = hash['action_id']
       raise 'no action id available' unless id
@@ -63,306 +38,5 @@ module Sqreen
       subclass.new(id, opts, hash['parameters'] || {})
     end
-    # Base class for actions
-    # subclasses must also implement some methods in their singleton classes
-    # (actions_matching, index and clear)
-    class Base
-      attr_reader :id, :expiry, :send_response
-      def initialize(id, opts)
-        @id = id
-        duration = opts[:duration]
-        @expiry = Time.new + duration unless duration.nil?
-        @send_response = if opts[:send_response].nil?
-                           true
-                         else
-                           !!opts[:send_response]
-                         end
-      end
-      # See Sqreen::CB for return values
-      def run(*args)
-        return if expiry && Time.new > expiry
-        ret = do_run *args
-        unless ret.nil? || !@send_response
-          Sqreen.internal_track(event_name,
-                                'properties' => {
-                                  'output' => event_properties(*args),
-                                  'action_id' => id,
-                                })
-        end
-        ret
-      end
-      protected
-      def do_run(*_args)
-        raise ::Sqreen::NotImplementedYet, "do_run not implemented in #{self.class}"
-        # implement in subclasses
-      end
-      def event_properties(*_run_args)
-        raise ::Sqreen::NotImplementedYet, "event_properties not implemented in #{self.class}"
-        # implement in subclasses
-      end
-      private
-      def event_name
-        "sq.action.#{self.class.type_name}"
-      end
-      @@subclasses = {}
-      class << self
-        private :new
-        attr_reader :type_name
-        def get_type_class(name)
-          @@subclasses[name]
-        end
-        def known_subclasses
-          @@subclasses.values
-        end
-        def known_types
-          @@subclasses.keys
-        end
-        # all actions matching, possibly already expired
-        def actions_matching(_key)
-          raise 'implement in singletons of subclasses'
-        end
-        def index(_params, _action)
-          raise 'implement in singletons of subclasses'
-        end
-        def clear
-          raise 'implement in singletons of subclasses'
-        end
-        def inherited(subclass)
-          class << subclass
-            public :new
-          end
-        end
-        protected
-        def type_name=(name)
-          @type_name = name
-          @@subclasses[name] = self
-        end
-      end
-    end
-    module IpRangesIndex
-      def add_prefix(prefix_str, data)
-        @trie_v4 ||= Sqreen::Trie.new
-        @trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
-        prefix = Sqreen::Prefix.from_str(prefix_str, data)
-        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
-        trie.insert prefix
-      end
-      def matching_actions(client_ip)
-        parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
-        trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
-        return [] unless trie
-        found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
-        return [] unless found.size > 0
-        Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
-        found.map(&:data)
-      end
-      def clear
-        @trie_v4 = Sqreen::Trie.new
-        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
-      end
-    end
-    module IpRangeIndexedActionClass
-      include IpRangesIndex
-      def actions_matching(client_ip)
-         matching_actions client_ip
-      end
-      def index(params, action)
-        ranges = parse_ip_ranges params
-        ranges.each do |r|
-          add_prefix r, action
-        end
-      end
-      private
-      # returns array of prefixes in string form
-      def parse_ip_ranges(params)
-        ranges = params['ip_cidr']
-        unless ranges && ranges.is_a?(Array) && !ranges.empty?
-          raise 'no non-empty ip_cidr array present'
-        end
-        ranges
-      end
-    end
-    # Block a list of IP address ranges. Standard "raise" behavior.
-    class BlockIp < Base
-      extend IpRangeIndexedActionClass
-      self.type_name = 'block_ip'
-      def initialize(id, opts, params = {})
-        # no need to store the ranges for this action, the index filter the class
-        super(id, opts)
-      end
-      def do_run(client_ip)
-        e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
-          "(action: #{id}). No action is required")
-        { :status => :raise, :exception => e, :skip_rem_cbs => true }
-      end
-      def event_properties(client_ip)
-        { 'ip_address' => client_ip }
-      end
-    end
-    # Block a list of IP address ranges by forcefully redirecting the user
-    # to a specific URL.
-    class RedirectIp < Base
-      extend IpRangeIndexedActionClass
-      self.type_name = 'redirect_ip'
-      attr_reader :redirect_url
-      def initialize(id, opts, params = {})
-        super(id, opts)
-        @redirect_url = params['url']
-        raise "no url provided for action #{id}" unless @redirect_url
-      end
-      def do_run(client_ip)
-        Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
-          "(action: #{id})."
-        {
-          :status => :skip,
-          :new_return_value => [303, { 'Location' => @redirect_url }, ['']],
-          :skip_rem_cbs => true,
-        }
-      end
-      def event_properties(client_ip)
-        { 'ip_address' => client_ip, 'url' => @redirect_url }
-      end
-    end
-    module UserActionClass
-      def actions_matching(identity_params)
-        return [] unless @idx
-        key = stringify_keys(identity_params)
-        actions = @idx[key]
-        actions || []
-      end
-      def index(params, action)
-        @idx ||= {}
-        users = params['users']
-        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
-        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
-        users.each do |u|
-          @idx[u] ||= []
-          @idx[u] << action
-        end
-      end
-      def clear
-        @idx = {}
-      end
-      private
-      def stringify_keys(hash)
-        Hash[
-          hash.map { |k, v| [k.to_s, v] }
-        ]
-      end
-    end
-    # Blocks a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class BlockUser < Base
-      extend UserActionClass
-      self.type_name = 'block_user'
-      def initialize(id, opts, params = {})
-        super(id, opts)
-      end
-      def do_run(identity_params)
-        Sqreen.log.info(
-          "Will raise due to user being blocked by action #{id}. " \
-          "Blocked user identity: #{identity_params}"
-        )
-        e = Sqreen::AttackBlocked.new(
-          "Blocked user with identity #{identity_params} " \
-          'due to automatic security response. No action is required'
-        )
-        {
-          :status => :raise,
-          :exception => e,
-        }
-      end
-      def event_properties(identity_params)
-        { 'user' => identity_params }
-      end
-    end
-    # Redirects a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class RedirectUser < Base
-      extend UserActionClass
-      self.type_name = 'redirect_user'
-      def initialize(id, opts, params = {})
-        super(id, opts)
-        @redirect_url = params['url']
-        raise "no url provided for action #{id}" unless @redirect_url
-      end
-      def do_run(identity_params)
-        Sqreen.log.info 'Will request redirect for user with identity ' \
-          "#{identity_params} (action: #{id})."
-        e = Sqreen::AttackBlocked.new(
-          "Redirected user with identity #{identity_params} " \
-          'due to automatic security response. No action is required'
-        )
-        e.redirect_url = @redirect_url
-        {
-          :status => :raise,
-          :exception => e,
-        }
-      end
-      def event_properties(identity_params)
-        { 'user' => identity_params }
-      end
-    end
   end
 end

data/lib/sqreen/actions/base.rb ADDED Viewed

@@ -0,0 +1,110 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+# TODO: remove class vars
+require 'sqreen/exception'
+module Sqreen
+  # Implements actions (behavior taken in response to agent signals)
+  module Actions
+    # Base class for actions
+    # subclasses must also implement some methods in their singleton classes
+    # (actions_matching, index and clear)
+    class Base
+      attr_reader :id, :expiry, :send_response
+      def initialize(id, opts)
+        @id = id
+        duration = opts[:duration]
+        @expiry = Time.new + duration unless duration.nil?
+        @send_response = if opts[:send_response].nil?
+                           true
+                         else
+                           opts[:send_response] ? true : false
+                         end
+      end
+      # See Sqreen::CB for return values
+      def run(*args)
+        return if expiry && Time.new > expiry
+        ret = do_run(*args)
+        unless ret.nil? || !@send_response
+          Sqreen.internal_track(event_name,
+                                'properties' => {
+                                  'output' => event_properties(*args),
+                                  'action_id' => id,
+                                })
+        end
+        ret
+      end
+      protected
+      def do_run(*_args)
+        raise ::Sqreen::NotImplementedYet, "do_run not implemented in #{self.class}"
+        # implement in subclasses
+      end
+      def event_properties(*_run_args)
+        raise ::Sqreen::NotImplementedYet, "event_properties not implemented in #{self.class}"
+        # implement in subclasses
+      end
+      private
+      def event_name
+        "sq.action.#{self.class.type_name}"
+      end
+      @@subclasses = {} # rubocop:disable Style/ClassVars
+      class << self
+        private :new
+        attr_reader :type_name
+        def get_type_class(name)
+          subclasses[name]
+        end
+        def known_subclasses
+          subclasses.values
+        end
+        def known_types
+          subclasses.keys
+        end
+        # all actions matching, possibly already expired
+        def actions_matching(_key)
+          raise 'implement in singletons of subclasses'
+        end
+        def index(_params, _action)
+          raise 'implement in singletons of subclasses'
+        end
+        def clear
+          raise 'implement in singletons of subclasses'
+        end
+        def inherited(subclass)
+          class << subclass
+            public :new
+          end
+        end
+        protected
+        def subclasses
+          @@subclasses
+        end
+        def type_name=(name)
+          @type_name = name
+          subclasses[name] = self
+        end
+      end
+    end
+  end
+end