RubyGems - sqreen - Versions diffs - 1.18.3.beta1 → 1.18.3.beta2 - Mend

sqreen 1.18.3.beta1 → 1.18.3.beta2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +0 -5
data/lib/sqreen/actions.rb +11 -337
data/lib/sqreen/actions/base.rb +110 -0
data/lib/sqreen/actions/block_ip.rb +32 -0
data/lib/sqreen/actions/block_user.rb +44 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +36 -0
data/lib/sqreen/actions/ip_ranges_index.rb +36 -0
data/lib/sqreen/actions/redirect_ip.rb +40 -0
data/lib/sqreen/actions/redirect_user.rb +45 -0
data/lib/sqreen/actions/repository.rb +24 -0
data/lib/sqreen/actions/unknown_action_type.rb +16 -0
data/lib/sqreen/actions/user_action_class.rb +41 -0
data/lib/sqreen/agent.rb +4 -1
data/lib/sqreen/attack_blocked.rb +17 -0
data/lib/sqreen/binding_accessor.rb +9 -102
data/lib/sqreen/binding_accessor/path_elem.rb +8 -0
data/lib/sqreen/binding_accessor/transforms.rb +107 -0
data/lib/sqreen/capped_queue.rb +2 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +1 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +2 -2
data/lib/sqreen/condition_evaluator.rb +22 -5
data/lib/sqreen/configuration.rb +3 -0
data/lib/sqreen/default_cb.rb +20 -0
data/lib/sqreen/deferred_logger.rb +63 -0
data/lib/sqreen/deliveries.rb +10 -0
data/lib/sqreen/deliveries/batch.rb +7 -1
data/lib/sqreen/deliveries/simple.rb +5 -0
data/lib/sqreen/dependency/rails.rb +4 -0
data/lib/sqreen/dependency/sinatra.rb +4 -0
data/lib/sqreen/error_handling_middleware.rb +30 -0
data/lib/sqreen/event.rb +2 -0
data/lib/sqreen/events/attack.rb +2 -0
data/lib/sqreen/events/request_record.rb +11 -56
data/lib/sqreen/exception.rb +9 -40
data/lib/sqreen/formatter_with_tid.rb +45 -0
data/lib/sqreen/framework_cb.rb +28 -0
data/lib/sqreen/frameworks.rb +7 -0
data/lib/sqreen/frameworks/generic.rb +5 -1
data/lib/sqreen/frameworks/rails.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +3 -0
data/lib/sqreen/frameworks/sinatra.rb +2 -0
data/lib/sqreen/frameworks/sqreen_test.rb +2 -0
data/lib/sqreen/instrumentation.rb +5 -5
data/lib/sqreen/invalid_signature_exception.rb +8 -0
data/lib/{sqreen-alt.rb → sqreen/js.rb} +6 -1
data/lib/sqreen/js/call_context.rb +10 -0
data/lib/sqreen/js/context_pool.rb +60 -0
data/lib/sqreen/js/exec_js_runnable.rb +20 -0
data/lib/sqreen/js/execjs_adapter.rb +6 -47
data/lib/sqreen/js/executable_js.rb +12 -0
data/lib/sqreen/js/js_service.rb +2 -22
data/lib/sqreen/js/js_service_adapter.rb +18 -0
data/lib/sqreen/js/mini_racer_adapter.rb +6 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +142 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +47 -0
data/lib/sqreen/log.rb +8 -188
data/lib/sqreen/logger.rb +83 -0
data/lib/sqreen/metrics_store.rb +3 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +11 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +11 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +11 -0
data/lib/sqreen/middleware.rb +0 -44
data/lib/sqreen/mono_time.rb +2 -0
data/lib/sqreen/node.rb +44 -0
data/lib/sqreen/not_implemented_yet.rb +8 -0
data/lib/sqreen/null_logger.rb +24 -0
data/lib/sqreen/payload_creator.rb +2 -19
data/lib/sqreen/payload_creator/header_section.rb +28 -0
data/lib/sqreen/prefix.rb +33 -0
data/lib/sqreen/rails_middleware.rb +14 -0
data/lib/sqreen/remote_command.rb +1 -8
data/lib/sqreen/remote_command/failure_output.rb +11 -0
data/lib/sqreen/rules.rb +32 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +0 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +4 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +1 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +3 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +2 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +49 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +2 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +1 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +1 -1
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/update_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +7 -3
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +10 -7
data/lib/sqreen/run_when_called_cb.rb +21 -0
data/lib/sqreen/sensitive_data_redactor.rb +111 -0
data/lib/sqreen/signature_verifier.rb +20 -0
data/lib/sqreen/sinatra_middleware.rb +14 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +5 -17
data/lib/sqreen/token_invalid_exception.rb +8 -0
data/lib/sqreen/token_not_found_exception.rb +9 -0
data/lib/sqreen/trie.rb +3 -64
data/lib/sqreen/unauthorized.rb +8 -0
data/lib/sqreen/util.rb +2 -0
data/lib/sqreen/util/capped_array.rb +30 -0
data/lib/sqreen/util/capped_hash.rb +36 -0
data/lib/sqreen/util/capped_string.rb +22 -0
data/lib/sqreen/util/capper.rb +57 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/waf_error.rb +18 -0
metadata +85 -36
data/lib/sqreen/rules_callbacks.rb +0 -36
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

data/lib/sqreen/actions/block_ip.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/ip_range_indexed_action_class'
+module Sqreen
+  module Actions
+    # Block a list of IP address ranges. Standard "raise" behavior.
+    class BlockIp < Base
+      extend IpRangeIndexedActionClass
+      self.type_name = 'block_ip'
+      def initialize(id, opts, _params = {})
+        # no need to store the ranges for this action, the index filter the class
+        super(id, opts)
+      end
+      def do_run(client_ip)
+        e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
+          "(action: #{id}). No action is required")
+        { :status => :raise, :exception => e, :skip_rem_cbs => true }
+      end
+      def event_properties(client_ip)
+        { 'ip_address' => client_ip }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/block_user.rb ADDED Viewed

@@ -0,0 +1,44 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/user_action_class'
+module Sqreen
+  module Actions
+    # Blocks a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class BlockUser < Base
+      extend UserActionClass
+      self.type_name = 'block_user'
+      def initialize(id, opts, _params = {})
+        super(id, opts)
+      end
+      def do_run(identity_params)
+        Sqreen.log.info(
+          "Will raise due to user being blocked by action #{id}. " \
+          "Blocked user identity: #{identity_params}"
+        )
+        e = Sqreen::AttackBlocked.new(
+          "Blocked user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/ip_range_indexed_action_class.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/actions/ip_ranges_index'
+module Sqreen
+  module Actions
+    module IpRangeIndexedActionClass
+      include IpRangesIndex
+      def actions_matching(client_ip)
+        matching_actions client_ip
+      end
+      def index(params, action)
+        ranges = parse_ip_ranges params
+        ranges.each do |r|
+          add_prefix r, action
+        end
+      end
+      private
+      # returns array of prefixes in string form
+      def parse_ip_ranges(params)
+        ranges = params['ip_cidr']
+        unless ranges && ranges.is_a?(Array) && !ranges.empty?
+          raise 'no non-empty ip_cidr array present'
+        end
+        ranges
+      end
+    end
+  end
+end

data/lib/sqreen/actions/ip_ranges_index.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'ipaddr'
+require 'sqreen/trie'
+require 'sqreen/prefix'
+module Sqreen
+  module Actions
+    module IpRangesIndex
+      def add_prefix(prefix_str, data)
+        @trie_v4 ||= Sqreen::Trie.new
+        @trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
+        prefix = Sqreen::Prefix.from_str(prefix_str, data)
+        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
+        trie.insert prefix
+      end
+      def matching_actions(client_ip)
+        parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
+        trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
+        return [] unless trie
+        found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
+        return [] unless found.size > 0
+        Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
+        found.map(&:data)
+      end
+      def clear
+        @trie_v4 = Sqreen::Trie.new
+        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
+      end
+    end
+  end
+end

data/lib/sqreen/actions/redirect_ip.rb ADDED Viewed

@@ -0,0 +1,40 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+module Sqreen
+  module Actions
+    # Block a list of IP address ranges by forcefully redirecting the user
+    # to a specific URL.
+    class RedirectIp < Base
+      extend IpRangeIndexedActionClass
+      self.type_name = 'redirect_ip'
+      attr_reader :redirect_url
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+      def do_run(client_ip)
+        Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
+          "(action: #{id})."
+        {
+          :status => :skip,
+          :new_return_value => [303, { 'Location' => @redirect_url }, ['']],
+          :skip_rem_cbs => true,
+        }
+      end
+      def event_properties(client_ip)
+        { 'ip_address' => client_ip, 'url' => @redirect_url }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/redirect_user.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/user_action_class'
+module Sqreen
+  module Actions
+    # Redirects a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class RedirectUser < Base
+      extend UserActionClass
+      self.type_name = 'redirect_user'
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+      def do_run(identity_params)
+        Sqreen.log.info 'Will request redirect for user with identity ' \
+          "#{identity_params} (action: #{id})."
+        e = Sqreen::AttackBlocked.new(
+          "Redirected user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+        e.redirect_url = @redirect_url
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/repository.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  module Actions
+    # Where the currently loaded actions are stored. Singleton
+    class Repository
+      include Singleton
+      def add(params, action)
+        action.class.index(params || {}, action)
+      end
+      def get(action_class, key)
+        action_class = Base.get_type_class(action_class) unless action_class.class == Class
+        action_class.actions_matching key
+      end
+      def clear
+        Base.known_subclasses.each(&:clear)
+      end
+    end
+  end
+end

data/lib/sqreen/actions/unknown_action_type.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  # Implements actions (behavior taken in response to agent signals)
+  module Actions
+    # Exception for when an unknown action type is gotten from the server
+    class UnknownActionType < ::Sqreen::Exception
+      attr_reader :action_type
+      def initialize(action_type)
+        super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
+        @action_type = action_type
+      end
+    end
+  end
+end

data/lib/sqreen/actions/user_action_class.rb ADDED Viewed

@@ -0,0 +1,41 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  module Actions
+    module UserActionClass
+      def actions_matching(identity_params)
+        return [] unless @idx
+        key = stringify_keys(identity_params)
+        actions = @idx[key]
+        actions || []
+      end
+      def index(params, action)
+        @idx ||= {}
+        users = params['users']
+        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
+        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+        users.each do |u|
+          @idx[u] ||= []
+          @idx[u] << action
+        end
+      end
+      def clear
+        @idx = {}
+      end
+      private
+      def stringify_keys(hash)
+        Hash[
+          hash.map { |k, v| [k.to_s, v] }
+        ]
+      end
+    end
+  end
+end

data/lib/sqreen/agent.rb CHANGED Viewed

@@ -5,10 +5,13 @@ require 'sqreen/version'
 require 'sqreen/instrumentation'
 require 'sqreen/session'
 require 'sqreen/runner'
-require 'sqreen/callbacks'
 require 'sqreen/log'
 require 'sqreen/exception'
 require 'sqreen/configuration'
+require 'sqreen/cb'
+require 'sqreen/default_cb'
+require 'sqreen/run_when_called_cb'
+require 'sqreen/framework_cb'
 require 'sqreen/events/attack'
 require 'sqreen/sdk'
 require 'sqreen/dependency/detector'

data/lib/sqreen/attack_blocked.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  # This exception name is particularly important since it is often seen by
+  # Sqreen users when watching their logs. It should not raise any concern to
+  # them.
+  class AttackBlocked < Sqreen::Exception
+    attr_accessor :redirect_url
+    def log_message(msg)
+      Sqreen.log.warn(msg)
+    end
+  end
+end

data/lib/sqreen/binding_accessor.rb CHANGED Viewed

@@ -3,12 +3,13 @@
 require 'strscan'
 require 'sqreen/exception'
-require 'set'
+require 'sqreen/binding_accessor/path_elem'
+require 'sqreen/binding_accessor/transforms'
 module Sqreen
   # the value located at the given binding
   class BindingAccessor
-    PathElem = Struct.new(:kind, :value)
     attr_reader :path, :expression, :final_transform, :transform_args
     # Expression to be accessed
@@ -67,6 +68,7 @@ module Sqreen
     CONSTANT_KIND = 'constant'.freeze
     METHOD_KIND = 'method'.freeze
     INDEX_KIND = 'index'.freeze
+    NIL_KIND = 'nil'.freeze
     SQREEN_VAR_KIND = 'sqreen-variable'.freeze
     if binding.respond_to?(:local_variable_get)
@@ -101,6 +103,8 @@ module Sqreen
         current_value.send(component[:value])
       when INDEX_KIND
         current_value[component[:value]]
+      when NIL_KIND
+        current_value
       when SQREEN_VAR_KIND
         resolve_sqreen_variable(component[:value], *env)
       else
@@ -176,6 +180,8 @@ module Sqreen
         PathElem.new(SYMBOL_KIND, @scan[1].to_sym)
       elsif @scan.scan(/'((?:\\.|[^\\'])*)'/)
         PathElem.new(STRING_KIND, @scan[1])
+      elsif @scan.scan(/nil/)
+        PathElem.new(NIL_KIND, nil)
       end
     end
@@ -248,110 +254,11 @@ module Sqreen
       end
     end
-    # Available final transformations
-    module Transforms
-      def flat_keys(value, max_iter = 1000)
-        return nil if value.nil?
-        seen = Set.new
-        look_into = [value]
-        keys = []
-        idx = 0
-        until look_into.empty? || max_iter <= idx
-          idx += 1
-          val = look_into.pop
-          next unless seen.add?(val.object_id)
-          case val
-          when Hash
-            keys.concat(val.keys)
-            look_into.concat(val.values)
-          when Array
-            look_into.concat(val)
-          else
-            next if val.respond_to?(:seek)
-            val.each { |v| look_into << v } if val.respond_to?(:each)
-          end
-        end
-        keys
-      end
-      def flat_values(value, max_iter = 1000)
-        return nil if value.nil?
-        seen = Set.new
-        look_into = [value]
-        values = []
-        idx = 0
-        until look_into.empty? || max_iter <= idx
-          idx += 1
-          val = look_into.shift
-          next unless seen.add?(val.object_id)
-          case val
-          when Hash
-            look_into.concat(val.values)
-          when Array
-            look_into.concat(val)
-          else
-            next if val.respond_to?(:seek)
-            if val.respond_to?(:each)
-              val.each { |v| look_into << v }
-            else
-              values << val
-            end
-          end
-        end
-        values
-      end
-      def concat_keys_and_values(value, max_size = nil)
-        return nil if value.nil?
-        values = Set.new
-        max_size = max_size.to_i if max_size
-        res = ''
-        descend(value) do |x|
-          next unless values.add?(x)
-          x = x.to_s
-          return res if max_size && res.size + x.size + 1 > max_size
-          res << "\n" unless res.empty?
-          res << x
-        end
-        res
-      end
-      private
-      def descend(value, max_iter = 1000)
-        seen = Set.new
-        look_into = [value]
-        idx = 0
-        until look_into.empty? || max_iter <= idx
-          idx += 1
-          val = look_into.pop
-          case val
-          when Hash
-            next unless seen.add?(val.object_id)
-            look_into.concat(val.keys)
-            look_into.concat(val.values)
-          when Array
-            next unless seen.add?(val.object_id)
-            look_into.concat(val)
-          else
-            next if val.respond_to?(:seek)
-            if val.respond_to?(:each)
-              next unless seen.add?(val.object_id)
-              val.each { |v| look_into << v }
-            else
-              yield val
-            end
-          end
-        end
-      end
-    end # end module Transforms
     include Transforms
     KNOWN_TRANSFORMS = Transforms.public_instance_methods.map(&:to_s)
     def transform(value)
       send(@final_transform, value, *@transform_args) if @final_transform
     end
-  end # end class BindingAccessor
+  end
 end