sqreen 1.18.3.beta1 → 1.18.3.beta2

data/lib/sqreen/mono_time.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
+# TODO: move to Sqreen::Time
+
 module Sqreen
   has_mono_time = begin
     Process.clock_gettime Process::CLOCK_MONOTONIC

data/lib/sqreen/node.rb

@@ -0,0 +1,44 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+# TODO: move to Sqreen::IP::Trie
+
+module Sqreen
+  # bit starts at 0 (most significant)
+  Node = Struct.new(:bit, :prefix, :l, :r, :parent) do
+    def initialize(*args)
+      super
+      raise ArgumentError, 'no bit given' if bit.nil?
+    end
+
+    def empty?
+      prefix.nil?
+    end
+
+    # cover the whole tree
+    def walk(max_bits, empty_nodes = false)
+      xstack = Array.new(max_bits + 1)
+      sidx = 0 # stack index
+      xhead = self
+      xcur = xhead
+      until xcur.nil?
+        yield xcur unless xcur.empty? && !empty_nodes
+
+        if xcur.l
+          if xcur.r
+            xstack[sidx] = xcur.r
+            sidx += 1
+          end
+          xcur = xcur.l
+        elsif xcur.r
+          xcur = xcur.r
+        elsif sidx.nonzero?
+          sidx -= 1
+          xcur = xstack[sidx]
+        else
+          xcur = nil
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/not_implemented_yet.rb

@@ -0,0 +1,8 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/exception'
+
+module Sqreen
+  class NotImplementedYet < Sqreen::Exception; end
+end

data/lib/sqreen/null_logger.rb

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'singleton'
+
+module Sqreen
+  class NullLogger
+    include Singleton
+
+    def debug(_msg = nil); end
+
+    def info(_msg = nil); end
+
+    def warn(_msg = nil); end
+
+    def error(_msg = nil); end
+
+    def fatal(_msg = nil); end
+
+    def add(_severity, _msg = nil); end
+
+    def formatter=(_); end
+  end
+end

data/lib/sqreen/payload_creator.rb

@@ -3,6 +3,7 @@
 
 require 'sqreen/runtime_infos'
 require 'sqreen/events/remote_exception'
+require 'sqreen/payload_creator/header_section'
 
 module Sqreen
   # Create a payload from a given query
@@ -116,26 +117,8 @@ module Sqreen
       Sqreen::RemoteException.record(e)
     end
 
-    # object that default to call on framework header
-    class HeaderSection
-      def initialize(framework)
-        @framework = framework
-      end
-
-      def [](value)
-        if %w[rack_client_ip rails_client_ip ip_headers].include?(value)
-          return @framework.send(value)
-        end
-        @framework.header(value)
-      end
-
-      def ip_headers
-        @framework.ip_headers
-      end
-    end
-
     def section_headers(framework)
-      HeaderSection.new(framework)
+      Sqreen::PayloadCreator::HeaderSection.new(framework)
     end
   end
 end

data/lib/sqreen/payload_creator/header_section.rb

@@ -0,0 +1,28 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/runtime_infos'
+require 'sqreen/events/remote_exception'
+require 'sqreen/payload_creator/header_section'
+
+module Sqreen
+  class PayloadCreator
+    # object that default to call on framework header
+    class HeaderSection
+      def initialize(framework)
+        @framework = framework
+      end
+
+      def [](value)
+        if %w[rack_client_ip rails_client_ip ip_headers].include?(value)
+          return @framework.send(value)
+        end
+        @framework.header(value)
+      end
+
+      def ip_headers
+        @framework.ip_headers
+      end
+    end
+  end
+end

data/lib/sqreen/prefix.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'ipaddr'
+
+# TODO: move to Sqreen::IP
+
+module Sqreen
+  Prefix = Struct.new(:family, :bitlen, :address, :data) do # addr is integer
+    def initialize(*args)
+      super
+      raise ArgumentError, 'no family given' unless family
+      raise ArgumentError, 'no bitlen given' unless bitlen
+      raise ArgumentError, 'no address given' unless address
+    end
+
+    def matches?(address, family)
+      raise 'family mismatch' unless family == self.family
+      shift_amount = (family == Socket::AF_INET ? 32 : 128) - bitlen
+      (address ^ self.address) >> shift_amount == 0
+    end
+  end
+
+  def Prefix.from_str(str, data = nil)
+    ip_addr = IPAddr.new(str)
+    bitlen = if str =~ /\/(\d+)$/
+               $~[1].to_i
+             else
+               ip_addr.family == Socket::AF_INET6 ? 128 : 32
+             end
+    Prefix.new(ip_addr.family, bitlen, ip_addr.to_i, data)
+  end
+end

data/lib/sqreen/rails_middleware.rb

@@ -0,0 +1,14 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  class RailsMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/remote_command.rb

@@ -3,6 +3,7 @@
 
 require 'sqreen/log'
 require 'sqreen/events/remote_exception'
+require 'sqreen/remote_command/failure_output'
 
 module Sqreen
   # Execute and sanitize remote commands
@@ -21,14 +22,6 @@ module Sqreen
       :performance_budget => :change_performance_budget,
     }.freeze
 
-    # wraps output returned by a command that should also result in status: false
-    class FailureOutput
-      attr_reader :wrapped_output
-      def initialize(output)
-        @wrapped_output = output
-      end
-    end
-
     attr_reader :uuid
 
     def initialize(json_desc)

data/lib/sqreen/remote_command/failure_output.rb

@@ -0,0 +1,11 @@
+module Sqreen
+  class RemoteCommand
+    # wraps output returned by a command that should also result in status: false
+    class FailureOutput
+      attr_reader :wrapped_output
+      def initialize(output)
+        @wrapped_output = output
+      end
+    end
+  end
+end

data/lib/sqreen/rules.rb

@@ -2,9 +2,39 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'sqreen/log'
-require 'sqreen/rule_attributes'
-require 'sqreen/rules_callbacks'
+require 'sqreen/rules/attrs'
 
+require 'sqreen/rules/regexp_rule_cb'
+require 'sqreen/rules/matcher_rule'
+
+require 'sqreen/rules/record_request_context'
+require 'sqreen/rules/update_request_context'
+require 'sqreen/rules/rails_parameters_cb'
+
+require 'sqreen/rules/headers_insert_cb'
+require 'sqreen/rules/blacklist_ips_cb'
+
+require 'sqreen/rules/shell_env_cb'
+
+require 'sqreen/rules/url_matches_cb'
+require 'sqreen/rules/user_agent_matches_cb'
+require 'sqreen/rules/crawler_user_agent_matches_cb'
+
+require 'sqreen/rules/xss_cb'
+require 'sqreen/rules/execjs_cb'
+
+require 'sqreen/rules/binding_accessor_metrics'
+require 'sqreen/rules/binding_accessor_matcher_cb'
+require 'sqreen/rules/count_http_codes'
+require 'sqreen/rules/not_found_cb'
+require 'sqreen/rules/crawler_user_agent_matches_metrics_cb'
+require 'sqreen/rules/auth_track_cb'
+require 'sqreen/rules/signup_track_cb'
+require 'sqreen/rules/devise_auth_track_cb'
+require 'sqreen/rules/devise_signup_track_cb'
+
+require 'sqreen/rules/custom_error_cb'
+require 'sqreen/rules/waf_cb'
 
 ## Rules
 #

data/lib/sqreen/{rules_callbacks/sdk_auth_track.rb → rules/auth_track_cb.rb}

@@ -1,8 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rule_attributes'
-require 'sqreen/rule_callback'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/safe_json'
 
 module Sqreen

data/lib/sqreen/{rules_callbacks/binding_accessor_matcher.rb → rules/binding_accessor_matcher_cb.rb}

@@ -1,10 +1,10 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/binding_accessor'
 require 'sqreen/mono_time'
-require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/rules/matcher_rule'
 
 module Sqreen
   module Rules
@@ -49,9 +49,7 @@ module Sqreen
       end
 
       def pre(inst, args, budget = nil, &_block)
-        unless budget.nil?
-          finish = budget + Sqreen.time
-        end
+        finish = budget + Sqreen.time unless budget.nil?
         resol_cache = Hash.new do |hash, accessor|
           hash[accessor] = accessor.resolve(binding, framework, inst, args)
         end
@@ -62,9 +60,7 @@ module Sqreen
             next unless val.respond_to?(:each)
             next if val.respond_to?(:seek)
             val.each do |v|
-              if !budget.nil? && Sqreen.time > finish
-                return nil
-              end
+              return nil if !budget.nil? && Sqreen.time > finish
               next if !v.is_a?(String) || (!matcher.min_size.nil? && v.size < matcher.min_size)
               next if v.size > MAX_LENGTH
               next if matcher.match(v).nil?

data/lib/sqreen/{rules_callbacks → rules}/binding_accessor_metrics.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/binding_accessor'
 require 'sqreen/events/remote_exception'
 

data/lib/sqreen/{rules_callbacks/blacklist_ips.rb → rules/blacklist_ips_cb.rb}

@@ -2,8 +2,9 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'sqreen/trie'
+require 'sqreen/prefix'
 
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 
 module Sqreen
   module Rules
@@ -46,7 +47,7 @@ module Sqreen
       def find_blacklisted_ip(rip)
         begin
           ipa = IPAddr.new(rip)
-        rescue
+        rescue StandardError
           Sqreen.log.info "invalid IP address given by framework: #{rip}"
           return nil
         end

data/lib/sqreen/{rules_callbacks → rules}/count_http_codes.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rule_attributes'
-require 'sqreen/rule_callback'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/safe_json'
 
 module Sqreen

data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches.rb → rules/crawler_user_agent_matches_cb.rb}

@@ -1,7 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/rules/matcher_rule'
 require 'sqreen/frameworks'
 
 module Sqreen

data/lib/sqreen/{rules_callbacks/crawler_user_agent_matches_metrics.rb → rules/crawler_user_agent_matches_metrics_cb.rb}

@@ -1,7 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rules_callbacks/matcher_rule'
+require 'sqreen/rules/matcher_rule'
 require 'sqreen/frameworks'
 
 module Sqreen

data/lib/sqreen/{rules_callbacks/custom_error.rb → rules/custom_error_cb.rb}

@@ -1,7 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rule_callback'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/exception'
 
 module Sqreen

data/lib/sqreen/{rules_callbacks/devise_auth_track.rb → rules/devise_auth_track_cb.rb}

@@ -1,8 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rule_attributes'
-require 'sqreen/rule_callback'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/safe_json'
 
 module Sqreen

data/lib/sqreen/{rules_callbacks/devise_signup_track.rb → rules/devise_signup_track_cb.rb}

@@ -1,8 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-require 'sqreen/rule_attributes'
-require 'sqreen/rule_callback'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/safe_json'
 
 module Sqreen

data/lib/sqreen/{rules_callbacks/execjs.rb → rules/execjs_cb.rb}

@@ -1,11 +1,10 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
-
 require 'sqreen/js/js_service'
 
-require 'sqreen/rule_attributes'
-require 'sqreen/rule_callback'
+require 'sqreen/rules/attrs'
+require 'sqreen/rules/rule_cb'
 require 'sqreen/condition_evaluator'
 require 'sqreen/binding_accessor'
 require 'sqreen/events/remote_exception'
@@ -14,7 +13,6 @@ module Sqreen
   module Rules
     # Exec js callbacks
     class ExecJSCB < RuleCB
-
       class << self
         # @return [Sqreen::Js::JsService]
         def js_service
@@ -77,7 +75,7 @@ module Sqreen
         when NilClass
           false
         when Hash
-          ret.keys.each do |k|
+          ret.keys.each do |k| # rubocop:disable Performance/HashEachMethods
             ret[(begin
               k.to_sym
             rescue StandardError
@@ -119,7 +117,6 @@ module Sqreen
 
         # XXX: budgets was not subtracted from
         call_callback(name, budget, inst, new_ba_args, args, rv)
-
       rescue StandardError => e
         Sqreen.log.warn { "Caught JS callback exception: #{e.inspect}" }
         Sqreen.log.debug e.backtrace
@@ -127,10 +124,11 @@ module Sqreen
         nil
       end
 
-
-      def self.build_accessors(reqs)
-        reqs.map do |req|
-          BindingAccessor.new(req, true)
+      class << self
+        def build_accessors(reqs)
+          reqs.map do |req|
+            BindingAccessor.new(req, true)
+          end
         end
       end
 
@@ -176,10 +174,10 @@ module Sqreen
           next unless haystack_idx
 
           arguments[haystack_idx] = ArgumentFilter.hash_val_included(
-              arguments[needed_idx],
-              arguments[haystack_idx],
-              min_length.to_i,
-              MAX_DEPTH
+            arguments[needed_idx],
+            arguments[haystack_idx],
+            min_length.to_i,
+            MAX_DEPTH
           )
         end
 
@@ -193,7 +191,7 @@ module Sqreen
           next unless args_or_func.is_a?(Array)
           args_bas = args_or_func[0..-2] unless args_or_func.empty?
           @ba_expressions[name] =
-              ExecJSCB.build_accessors(args_bas).map(&:expression)
+            ExecJSCB.build_accessors(args_bas).map(&:expression)
         end
       end
 
@@ -212,47 +210,48 @@ module Sqreen
         end
       end
 
-      def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
-        new_obj = {}
-        insert = []
-        to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
-        until to_do.empty?
-          where, key, value, deepness = to_do.pop
-          safe_key = key.is_a?(Integer) ? key : key.to_s
-          if value.is_a?(Hash) && deepness < max_depth
-            val = {}
-            insert << [where, safe_key, val]
-            to_do += value.map { |k, v| [val, k, v, deepness + 1] }
-          elsif value.is_a?(Array) && deepness < max_depth
-            val = []
-            insert << [where, safe_key, val]
-            i = -1
-            to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
-          elsif deepness >= max_depth # if we are after max_depth don't try to filter
-            insert << [where, safe_key, value]
-          else
-            v = value.to_s
-            if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
-              case where
-              when Array
-                where << value
-              else
-                where[safe_key] = value
+      class << self
+        def hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
+          new_obj = {}
+          insert = []
+          to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
+          until to_do.empty?
+            where, key, value, deepness = to_do.pop
+            safe_key = key.is_a?(Integer) ? key : key.to_s
+            if value.is_a?(Hash) && deepness < max_depth
+              val = {}
+              insert << [where, safe_key, val]
+              to_do += value.map { |k, v| [val, k, v, deepness + 1] }
+            elsif value.is_a?(Array) && deepness < max_depth
+              val = []
+              insert << [where, safe_key, val]
+              i = -1
+              to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
+            elsif deepness >= max_depth # if we are after max_depth don't try to filter
+              insert << [where, safe_key, value]
+            else
+              v = value.to_s
+              if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
+                case where
+                when Array
+                  where << value
+                else
+                  where[safe_key] = value
+                end
               end
             end
           end
-        end
-        insert.reverse.each do |wh, ikey, ival|
-          case wh
-          when Array
-            wh << ival unless ival.respond_to?(:empty?) && ival.empty?
-          else
-            wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
+          insert.reverse.each do |wh, ikey, ival|
+            case wh
+            when Array
+              wh << ival unless ival.respond_to?(:empty?) && ival.empty?
+            else
+              wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
+            end
           end
+          new_obj
         end
-        new_obj
       end
     end
   end
 end
-