RubyGems - sqreen - Versions diffs - 1.18.3.beta1 → 1.18.3.beta2 - Mend

sqreen 1.18.3.beta1 → 1.18.3.beta2

Files changed (121) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +0 -5
data/lib/sqreen/actions.rb +11 -337
data/lib/sqreen/actions/base.rb +110 -0
data/lib/sqreen/actions/block_ip.rb +32 -0
data/lib/sqreen/actions/block_user.rb +44 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +36 -0
data/lib/sqreen/actions/ip_ranges_index.rb +36 -0
data/lib/sqreen/actions/redirect_ip.rb +40 -0
data/lib/sqreen/actions/redirect_user.rb +45 -0
data/lib/sqreen/actions/repository.rb +24 -0
data/lib/sqreen/actions/unknown_action_type.rb +16 -0
data/lib/sqreen/actions/user_action_class.rb +41 -0
data/lib/sqreen/agent.rb +4 -1
data/lib/sqreen/attack_blocked.rb +17 -0
data/lib/sqreen/binding_accessor.rb +9 -102
data/lib/sqreen/binding_accessor/path_elem.rb +8 -0
data/lib/sqreen/binding_accessor/transforms.rb +107 -0
data/lib/sqreen/capped_queue.rb +2 -0
data/lib/sqreen/{callbacks.rb → cb.rb} +1 -53
data/lib/sqreen/{callback_tree.rb → cb_tree.rb} +2 -2
data/lib/sqreen/condition_evaluator.rb +22 -5
data/lib/sqreen/configuration.rb +3 -0
data/lib/sqreen/default_cb.rb +20 -0
data/lib/sqreen/deferred_logger.rb +63 -0
data/lib/sqreen/deliveries.rb +10 -0
data/lib/sqreen/deliveries/batch.rb +7 -1
data/lib/sqreen/deliveries/simple.rb +5 -0
data/lib/sqreen/dependency/rails.rb +4 -0
data/lib/sqreen/dependency/sinatra.rb +4 -0
data/lib/sqreen/error_handling_middleware.rb +30 -0
data/lib/sqreen/event.rb +2 -0
data/lib/sqreen/events/attack.rb +2 -0
data/lib/sqreen/events/request_record.rb +11 -56
data/lib/sqreen/exception.rb +9 -40
data/lib/sqreen/formatter_with_tid.rb +45 -0
data/lib/sqreen/framework_cb.rb +28 -0
data/lib/sqreen/frameworks.rb +7 -0
data/lib/sqreen/frameworks/generic.rb +5 -1
data/lib/sqreen/frameworks/rails.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +3 -0
data/lib/sqreen/frameworks/sinatra.rb +2 -0
data/lib/sqreen/frameworks/sqreen_test.rb +2 -0
data/lib/sqreen/instrumentation.rb +5 -5
data/lib/sqreen/invalid_signature_exception.rb +8 -0
data/lib/{sqreen-alt.rb → sqreen/js.rb} +6 -1
data/lib/sqreen/js/call_context.rb +10 -0
data/lib/sqreen/js/context_pool.rb +60 -0
data/lib/sqreen/js/exec_js_runnable.rb +20 -0
data/lib/sqreen/js/execjs_adapter.rb +6 -47
data/lib/sqreen/js/executable_js.rb +12 -0
data/lib/sqreen/js/js_service.rb +2 -22
data/lib/sqreen/js/js_service_adapter.rb +18 -0
data/lib/sqreen/js/mini_racer_adapter.rb +6 -180
data/lib/sqreen/js/mini_racer_executable_js.rb +142 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +47 -0
data/lib/sqreen/log.rb +8 -188
data/lib/sqreen/logger.rb +83 -0
data/lib/sqreen/metrics_store.rb +3 -11
data/lib/sqreen/metrics_store/already_registered_metric.rb +11 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +11 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +11 -0
data/lib/sqreen/middleware.rb +0 -44
data/lib/sqreen/mono_time.rb +2 -0
data/lib/sqreen/node.rb +44 -0
data/lib/sqreen/not_implemented_yet.rb +8 -0
data/lib/sqreen/null_logger.rb +24 -0
data/lib/sqreen/payload_creator.rb +2 -19
data/lib/sqreen/payload_creator/header_section.rb +28 -0
data/lib/sqreen/prefix.rb +33 -0
data/lib/sqreen/rails_middleware.rb +14 -0
data/lib/sqreen/remote_command.rb +1 -8
data/lib/sqreen/remote_command/failure_output.rb +11 -0
data/lib/sqreen/rules.rb +32 -2
data/lib/sqreen/{rule_attributes.rb → rules/attrs.rb} +0 -0
data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb} +4 -8
data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb +1 -1
data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb} +3 -2
data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb +2 -2
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb} +49 -50
data/lib/sqreen/{rules_callbacks/headers_insert.rb → rules/headers_insert_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/matcher_rule.rb +2 -2
data/lib/sqreen/{rules_callbacks/not_found.rb → rules/not_found_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks/rails_parameters.rb → rules/rails_parameters_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks → rules}/record_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/regexp_rule.rb → rules/regexp_rule_cb.rb} +1 -1
data/lib/sqreen/{rule_callback.rb → rules/rule_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/run_req_start_actions.rb +4 -2
data/lib/sqreen/{rules_callbacks → rules}/run_user_actions.rb +1 -1
data/lib/sqreen/{rules_callbacks/shell_env.rb → rules/shell_env_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/sdk_signup_track.rb → rules/signup_track_cb.rb} +2 -2
data/lib/sqreen/{rules_callbacks → rules}/update_request_context.rb +1 -1
data/lib/sqreen/{rules_callbacks/url_matches.rb → rules/url_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/user_agent_matches.rb → rules/user_agent_matches_cb.rb} +1 -1
data/lib/sqreen/{rules_callbacks/waf.rb → rules/waf_cb.rb} +7 -3
data/lib/sqreen/{rules_callbacks/reflected_xss.rb → rules/xss_cb.rb} +10 -7
data/lib/sqreen/run_when_called_cb.rb +21 -0
data/lib/sqreen/sensitive_data_redactor.rb +111 -0
data/lib/sqreen/signature_verifier.rb +20 -0
data/lib/sqreen/sinatra_middleware.rb +14 -0
data/lib/sqreen/{rules_signature.rb → sqreen_signed_verifier.rb} +5 -17
data/lib/sqreen/token_invalid_exception.rb +8 -0
data/lib/sqreen/token_not_found_exception.rb +9 -0
data/lib/sqreen/trie.rb +3 -64
data/lib/sqreen/unauthorized.rb +8 -0
data/lib/sqreen/util.rb +2 -0
data/lib/sqreen/util/capped_array.rb +30 -0
data/lib/sqreen/util/capped_hash.rb +36 -0
data/lib/sqreen/util/capped_string.rb +22 -0
data/lib/sqreen/util/capper.rb +57 -0
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/waf_error.rb +18 -0
metadata +85 -36
data/lib/sqreen/rules_callbacks.rb +0 -36
data/lib/sqreen/rules_callbacks/inspect_rule.rb +0 -25

data/lib/sqreen/actions/block_ip.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/ip_range_indexed_action_class'
+module Sqreen
+  module Actions
+    # Block a list of IP address ranges. Standard "raise" behavior.
+    class BlockIp < Base
+      extend IpRangeIndexedActionClass
+      self.type_name = 'block_ip'
+      def initialize(id, opts, _params = {})
+        # no need to store the ranges for this action, the index filter the class
+        super(id, opts)
+      end
+      def do_run(client_ip)
+        e = Sqreen::AttackBlocked.new("Blocked client's IP #{client_ip} " \
+          "(action: #{id}). No action is required")
+        { :status => :raise, :exception => e, :skip_rem_cbs => true }
+      end
+      def event_properties(client_ip)
+        { 'ip_address' => client_ip }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/block_user.rb ADDED Viewed

@@ -0,0 +1,44 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/user_action_class'
+module Sqreen
+  module Actions
+    # Blocks a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class BlockUser < Base
+      extend UserActionClass
+      self.type_name = 'block_user'
+      def initialize(id, opts, _params = {})
+        super(id, opts)
+      end
+      def do_run(identity_params)
+        Sqreen.log.info(
+          "Will raise due to user being blocked by action #{id}. " \
+          "Blocked user identity: #{identity_params}"
+        )
+        e = Sqreen::AttackBlocked.new(
+          "Blocked user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/ip_range_indexed_action_class.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/actions/ip_ranges_index'
+module Sqreen
+  module Actions
+    module IpRangeIndexedActionClass
+      include IpRangesIndex
+      def actions_matching(client_ip)
+        matching_actions client_ip
+      end
+      def index(params, action)
+        ranges = parse_ip_ranges params
+        ranges.each do |r|
+          add_prefix r, action
+        end
+      end
+      private
+      # returns array of prefixes in string form
+      def parse_ip_ranges(params)
+        ranges = params['ip_cidr']
+        unless ranges && ranges.is_a?(Array) && !ranges.empty?
+          raise 'no non-empty ip_cidr array present'
+        end
+        ranges
+      end
+    end
+  end
+end

data/lib/sqreen/actions/ip_ranges_index.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'ipaddr'
+require 'sqreen/trie'
+require 'sqreen/prefix'
+module Sqreen
+  module Actions
+    module IpRangesIndex
+      def add_prefix(prefix_str, data)
+        @trie_v4 ||= Sqreen::Trie.new
+        @trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
+        prefix = Sqreen::Prefix.from_str(prefix_str, data)
+        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
+        trie.insert prefix
+      end
+      def matching_actions(client_ip)
+        parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
+        trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
+        return [] unless trie
+        found = trie.search_matching(parsed_ip.to_i, parsed_ip.family)
+        return [] unless found.size > 0
+        Sqreen.log.debug("Client ip #{client_ip} matches #{found.inspect}")
+        found.map(&:data)
+      end
+      def clear
+        @trie_v4 = Sqreen::Trie.new
+        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
+      end
+    end
+  end
+end

data/lib/sqreen/actions/redirect_ip.rb ADDED Viewed

@@ -0,0 +1,40 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+module Sqreen
+  module Actions
+    # Block a list of IP address ranges by forcefully redirecting the user
+    # to a specific URL.
+    class RedirectIp < Base
+      extend IpRangeIndexedActionClass
+      self.type_name = 'redirect_ip'
+      attr_reader :redirect_url
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+      def do_run(client_ip)
+        Sqreen.log.info "Will request redirect for client with IP #{client_ip} " \
+          "(action: #{id})."
+        {
+          :status => :skip,
+          :new_return_value => [303, { 'Location' => @redirect_url }, ['']],
+          :skip_rem_cbs => true,
+        }
+      end
+      def event_properties(client_ip)
+        { 'ip_address' => client_ip, 'url' => @redirect_url }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/redirect_user.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log'
+require 'sqreen/exception'
+require 'sqreen/actions/base'
+require 'sqreen/actions/user_action_class'
+module Sqreen
+  module Actions
+    # Redirects a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class RedirectUser < Base
+      extend UserActionClass
+      self.type_name = 'redirect_user'
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+      def do_run(identity_params)
+        Sqreen.log.info 'Will request redirect for user with identity ' \
+          "#{identity_params} (action: #{id})."
+        e = Sqreen::AttackBlocked.new(
+          "Redirected user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+        e.redirect_url = @redirect_url
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
+  end
+end

data/lib/sqreen/actions/repository.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  module Actions
+    # Where the currently loaded actions are stored. Singleton
+    class Repository
+      include Singleton
+      def add(params, action)
+        action.class.index(params || {}, action)
+      end
+      def get(action_class, key)
+        action_class = Base.get_type_class(action_class) unless action_class.class == Class
+        action_class.actions_matching key
+      end
+      def clear
+        Base.known_subclasses.each(&:clear)
+      end
+    end
+  end
+end

data/lib/sqreen/actions/unknown_action_type.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+module Sqreen
+  # Implements actions (behavior taken in response to agent signals)
+  module Actions
+    # Exception for when an unknown action type is gotten from the server
+    class UnknownActionType < ::Sqreen::Exception
+      attr_reader :action_type
+      def initialize(action_type)
+        super("no such action type: #{action_type}. Must be one of #{Base.known_types}")
+        @action_type = action_type
+      end
+    end
+  end
+end

data/lib/sqreen/actions/user_action_class.rb ADDED Viewed

@@ -0,0 +1,41 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  module Actions
+    module UserActionClass
+      def actions_matching(identity_params)
+        return [] unless @idx
+        key = stringify_keys(identity_params)
+        actions = @idx[key]
+        actions || []
+      end
+      def index(params, action)
+        @idx ||= {}
+        users = params['users']
+        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
+        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+        users.each do |u|
+          @idx[u] ||= []
+          @idx[u] << action
+        end
+      end
+      def clear
+        @idx = {}
+      end
+      private
+      def stringify_keys(hash)
+        Hash[
+          hash.map { |k, v| [k.to_s, v] }
+        ]
+      end
+    end
+  end
+end

data/lib/sqreen/agent.rb CHANGED Viewed

@@ -5,10 +5,13 @@ require 'sqreen/version'
 require 'sqreen/instrumentation'
 require 'sqreen/session'
 require 'sqreen/runner'
-require 'sqreen/callbacks'
 require 'sqreen/log'
 require 'sqreen/exception'
 require 'sqreen/configuration'
+require 'sqreen/cb'
+require 'sqreen/default_cb'
+require 'sqreen/run_when_called_cb'
+require 'sqreen/framework_cb'
 require 'sqreen/events/attack'
 require 'sqreen/sdk'
 require 'sqreen/dependency/detector'

data/lib/sqreen/attack_blocked.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
+module Sqreen
+  # This exception name is particularly important since it is often seen by
+  # Sqreen users when watching their logs. It should not raise any concern to
+  # them.
+  class AttackBlocked < Sqreen::Exception
+    attr_accessor :redirect_url
+    def log_message(msg)
+      Sqreen.log.warn(msg)
+    end
+  end
+end

data/lib/sqreen/binding_accessor.rb CHANGED Viewed

@@ -3,12 +3,13 @@
 require 'strscan'
 require 'sqreen/exception'
-require 'set'
+require 'sqreen/binding_accessor/path_elem'
+require 'sqreen/binding_accessor/transforms'
 module Sqreen
   # the value located at the given binding
   class BindingAccessor
-    PathElem = Struct.new(:kind, :value)
     attr_reader :path, :expression, :final_transform, :transform_args
     # Expression to be accessed
@@ -67,6 +68,7 @@ module Sqreen
     CONSTANT_KIND = 'constant'.freeze
     METHOD_KIND = 'method'.freeze
     INDEX_KIND = 'index'.freeze
+    NIL_KIND = 'nil'.freeze
     SQREEN_VAR_KIND = 'sqreen-variable'.freeze
     if binding.respond_to?(:local_variable_get)
@@ -101,6 +103,8 @@ module Sqreen
         current_value.send(component[:value])
       when INDEX_KIND
         current_value[component[:value]]
+      when NIL_KIND
+        current_value
       when SQREEN_VAR_KIND
         resolve_sqreen_variable(component[:value], *env)
       else
@@ -176,6 +180,8 @@ module Sqreen
         PathElem.new(SYMBOL_KIND, @scan[1].to_sym)
       elsif @scan.scan(/'((?:\\.|[^\\'])*)'/)
         PathElem.new(STRING_KIND, @scan[1])
+      elsif @scan.scan(/nil/)
+        PathElem.new(NIL_KIND, nil)
       end
     end
@@ -248,110 +254,11 @@ module Sqreen
       end
     end
-    # Available final transformations
-    module Transforms
-      def flat_keys(value, max_iter = 1000)
-        return nil if value.nil?
-        seen = Set.new
-        look_into = [value]
-        keys = []
-        idx = 0
-        until look_into.empty? || max_iter <= idx
-          idx += 1
-          val = look_into.pop
-          next unless seen.add?(val.object_id)
-          case val
-          when Hash
-            keys.concat(val.keys)
-            look_into.concat(val.values)
-          when Array
-            look_into.concat(val)
-          else
-            next if val.respond_to?(:seek)
-            val.each { |v| look_into << v } if val.respond_to?(:each)
-          end
-        end
-        keys
-      end
-      def flat_values(value, max_iter = 1000)
-        return nil if value.nil?
-        seen = Set.new
-        look_into = [value]
-        values = []
-        idx = 0
-        until look_into.empty? || max_iter <= idx
-          idx += 1
-          val = look_into.shift
-          next unless seen.add?(val.object_id)
-          case val
-          when Hash
-            look_into.concat(val.values)
-          when Array
-            look_into.concat(val)
-          else
-            next if val.respond_to?(:seek)
-            if val.respond_to?(:each)
-              val.each { |v| look_into << v }
-            else
-              values << val
-            end
-          end
-        end
-        values
-      end
-      def concat_keys_and_values(value, max_size = nil)
-        return nil if value.nil?
-        values = Set.new
-        max_size = max_size.to_i if max_size
-        res = ''
-        descend(value) do |x|
-          next unless values.add?(x)
-          x = x.to_s
-          return res if max_size && res.size + x.size + 1 > max_size
-          res << "\n" unless res.empty?
-          res << x
-        end
-        res
-      end
-      private
-      def descend(value, max_iter = 1000)
-        seen = Set.new
-        look_into = [value]
-        idx = 0
-        until look_into.empty? || max_iter <= idx
-          idx += 1
-          val = look_into.pop
-          case val
-          when Hash
-            next unless seen.add?(val.object_id)
-            look_into.concat(val.keys)
-            look_into.concat(val.values)
-          when Array
-            next unless seen.add?(val.object_id)
-            look_into.concat(val)
-          else
-            next if val.respond_to?(:seek)
-            if val.respond_to?(:each)
-              next unless seen.add?(val.object_id)
-              val.each { |v| look_into << v }
-            else
-              yield val
-            end
-          end
-        end
-      end
-    end # end module Transforms
     include Transforms
     KNOWN_TRANSFORMS = Transforms.public_instance_methods.map(&:to_s)
     def transform(value)
       send(@final_transform, value, *@transform_args) if @final_transform
     end
-  end # end class BindingAccessor
+  end
 end