RubyGems - sqreen - Versions diffs - 1.18.5 → 1.19.2 - Mend

sqreen 1.18.5 → 1.19.2

Files changed (180) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -0
data/lib/sqreen/actions.rb +2 -0
data/lib/sqreen/actions/actions_index.rb +16 -0
data/lib/sqreen/actions/base.rb +4 -10
data/lib/sqreen/actions/block_ip.rb +2 -0
data/lib/sqreen/actions/block_user.rb +2 -0
data/lib/sqreen/actions/ip_range_indexed_action_class.rb +4 -24
data/lib/sqreen/actions/ip_ranges_index.rb +32 -11
data/lib/sqreen/actions/redirect_ip.rb +2 -0
data/lib/sqreen/actions/redirect_user.rb +2 -0
data/lib/sqreen/actions/repository.rb +27 -8
data/lib/sqreen/actions/unknown_action_type.rb +4 -0
data/lib/sqreen/actions/user_action_class.rb +5 -30
data/lib/sqreen/actions/users_index.rb +35 -0
data/lib/sqreen/agent.rb +2 -1
data/lib/sqreen/attack_blocked.rb +2 -0
data/lib/sqreen/backport.rb +2 -0
data/lib/sqreen/backport/clock_gettime.rb +74 -0
data/lib/sqreen/backport/original_name.rb +2 -0
data/lib/sqreen/binding_accessor.rb +2 -0
data/lib/sqreen/binding_accessor/path_elem.rb +2 -0
data/lib/sqreen/binding_accessor/transforms.rb +8 -1
data/lib/sqreen/call_countable.rb +2 -0
data/lib/sqreen/capped_queue.rb +2 -0
data/lib/sqreen/cb.rb +2 -0
data/lib/sqreen/cb_tree.rb +2 -0
data/lib/sqreen/condition_evaluator.rb +2 -0
data/lib/sqreen/conditionable.rb +2 -0
data/lib/sqreen/configuration.rb +14 -0
data/lib/sqreen/context.rb +2 -0
data/lib/sqreen/default_cb.rb +2 -0
data/lib/sqreen/deferred_logger.rb +2 -0
data/lib/sqreen/deliveries.rb +2 -0
data/lib/sqreen/deliveries/batch.rb +2 -0
data/lib/sqreen/deliveries/simple.rb +2 -0
data/lib/sqreen/dependency.rb +3 -1
data/lib/sqreen/dependency/detector.rb +22 -14
data/lib/sqreen/dependency/libsqreen.rb +4 -0
data/lib/sqreen/dependency/new_relic.rb +2 -0
data/lib/sqreen/dependency/rack.rb +10 -5
data/lib/sqreen/dependency/rails.rb +4 -0
data/lib/sqreen/dependency/sentry.rb +2 -0
data/lib/sqreen/dependency/sinatra.rb +12 -1
data/lib/sqreen/encoding_sanitizer.rb +2 -0
data/lib/sqreen/error_handling_middleware.rb +2 -0
data/lib/sqreen/event.rb +2 -0
data/lib/sqreen/events/attack.rb +2 -0
data/lib/sqreen/events/remote_exception.rb +2 -0
data/lib/sqreen/events/request_record.rb +2 -0
data/lib/sqreen/exception.rb +2 -0
data/lib/sqreen/formatter_with_tid.rb +2 -0
data/lib/sqreen/framework_cb.rb +2 -0
data/lib/sqreen/frameworks.rb +2 -0
data/lib/sqreen/frameworks/generic.rb +2 -0
data/lib/sqreen/frameworks/rails.rb +1 -0
data/lib/sqreen/frameworks/rails3.rb +2 -0
data/lib/sqreen/frameworks/request_recorder.rb +2 -0
data/lib/sqreen/frameworks/sinatra.rb +2 -0
data/lib/sqreen/frameworks/sqreen_test.rb +2 -0
data/lib/sqreen/graft.rb +12 -0
data/lib/sqreen/graft/call.rb +150 -0
data/lib/sqreen/{dependency → graft}/callback.rb +12 -4
data/lib/sqreen/graft/hook.rb +316 -0
data/lib/sqreen/{dependency → graft}/hook_point.rb +152 -33
data/lib/sqreen/graft/hook_point_error.rb +10 -0
data/lib/sqreen/invalid_signature_exception.rb +2 -0
data/lib/sqreen/js.rb +2 -0
data/lib/sqreen/js/call_context.rb +2 -0
data/lib/sqreen/js/context_pool.rb +2 -0
data/lib/sqreen/js/exec_js_runnable.rb +2 -0
data/lib/sqreen/js/execjs_adapter.rb +2 -0
data/lib/sqreen/js/executable_js.rb +2 -0
data/lib/sqreen/js/js_service.rb +2 -0
data/lib/sqreen/js/js_service_adapter.rb +2 -0
data/lib/sqreen/js/mini_racer_adapter.rb +2 -0
data/lib/sqreen/js/mini_racer_executable_js.rb +2 -0
data/lib/sqreen/js/thread_local_exec_js_runnable.rb +2 -0
data/lib/sqreen/legacy.rb +8 -0
data/lib/sqreen/{instrumentation.rb → legacy/instrumentation.rb} +31 -2
data/lib/sqreen/log.rb +2 -0
data/lib/sqreen/log/loggable.rb +28 -0
data/lib/sqreen/logger.rb +2 -0
data/lib/sqreen/metrics.rb +2 -0
data/lib/sqreen/metrics/average.rb +2 -0
data/lib/sqreen/metrics/base.rb +2 -0
data/lib/sqreen/metrics/binning.rb +2 -0
data/lib/sqreen/metrics/collect.rb +2 -0
data/lib/sqreen/metrics/sum.rb +2 -0
data/lib/sqreen/metrics_store.rb +2 -0
data/lib/sqreen/metrics_store/already_registered_metric.rb +2 -0
data/lib/sqreen/metrics_store/unknown_metric.rb +2 -0
data/lib/sqreen/metrics_store/unregistered_metric.rb +2 -0
data/lib/sqreen/middleware.rb +2 -0
data/lib/sqreen/mono_time.rb +2 -0
data/lib/sqreen/node.rb +2 -0
data/lib/sqreen/not_implemented_yet.rb +2 -0
data/lib/sqreen/null_logger.rb +2 -0
data/lib/sqreen/payload_creator.rb +2 -0
data/lib/sqreen/payload_creator/header_section.rb +2 -0
data/lib/sqreen/performance_notifications.rb +2 -0
data/lib/sqreen/performance_notifications/binned_metrics.rb +2 -0
data/lib/sqreen/performance_notifications/log.rb +2 -0
data/lib/sqreen/performance_notifications/log_performance.rb +2 -0
data/lib/sqreen/performance_notifications/metrics.rb +2 -0
data/lib/sqreen/performance_notifications/newrelic.rb +2 -0
data/lib/sqreen/prefix.rb +2 -0
data/lib/sqreen/rails_middleware.rb +2 -0
data/lib/sqreen/remote_command.rb +2 -0
data/lib/sqreen/remote_command/failure_output.rb +5 -0
data/lib/sqreen/rules.rb +2 -0
data/lib/sqreen/rules/attrs.rb +2 -0
data/lib/sqreen/rules/auth_track_cb.rb +2 -0
data/lib/sqreen/rules/binding_accessor_matcher_cb.rb +2 -0
data/lib/sqreen/rules/binding_accessor_metrics.rb +2 -0
data/lib/sqreen/rules/blacklist_ips_cb.rb +2 -0
data/lib/sqreen/rules/count_http_codes.rb +2 -0
data/lib/sqreen/rules/crawler_user_agent_matches_cb.rb +2 -0
data/lib/sqreen/rules/crawler_user_agent_matches_metrics_cb.rb +2 -0
data/lib/sqreen/rules/custom_error_cb.rb +2 -0
data/lib/sqreen/rules/devise_auth_track_cb.rb +2 -0
data/lib/sqreen/rules/devise_signup_track_cb.rb +2 -0
data/lib/sqreen/rules/execjs_cb.rb +2 -0
data/lib/sqreen/rules/headers_insert_cb.rb +7 -0
data/lib/sqreen/rules/matcher_rule.rb +2 -0
data/lib/sqreen/rules/not_found_cb.rb +7 -0
data/lib/sqreen/rules/rails_parameters_cb.rb +2 -0
data/lib/sqreen/rules/record_request_context.rb +2 -0
data/lib/sqreen/rules/regexp_rule_cb.rb +2 -0
data/lib/sqreen/rules/rule_cb.rb +2 -0
data/lib/sqreen/rules/run_req_start_actions.rb +3 -1
data/lib/sqreen/rules/run_user_actions.rb +3 -1
data/lib/sqreen/rules/shell_env_cb.rb +2 -0
data/lib/sqreen/rules/signup_track_cb.rb +2 -0
data/lib/sqreen/rules/update_request_context.rb +2 -0
data/lib/sqreen/rules/url_matches_cb.rb +2 -0
data/lib/sqreen/rules/user_agent_matches_cb.rb +2 -0
data/lib/sqreen/rules/waf_cb.rb +28 -5
data/lib/sqreen/rules/xss_cb.rb +2 -0
data/lib/sqreen/run_when_called_cb.rb +2 -0
data/lib/sqreen/runner.rb +25 -7
data/lib/sqreen/runtime_infos.rb +2 -0
data/lib/sqreen/safe_json.rb +2 -0
data/lib/sqreen/sdk.rb +4 -0
data/lib/sqreen/sensitive_data_redactor.rb +2 -0
data/lib/sqreen/serializer.rb +2 -0
data/lib/sqreen/session.rb +2 -0
data/lib/sqreen/shared_storage.rb +2 -0
data/lib/sqreen/shared_storage23.rb +2 -0
data/lib/sqreen/shrink_wrap.rb +16 -0
data/lib/sqreen/signature_verifier.rb +2 -0
data/lib/sqreen/sinatra_middleware.rb +2 -0
data/lib/sqreen/sqreen_signed_verifier.rb +2 -0
data/lib/sqreen/token_invalid_exception.rb +2 -0
data/lib/sqreen/token_not_found_exception.rb +2 -0
data/lib/sqreen/trie.rb +2 -0
data/lib/sqreen/unauthorized.rb +2 -0
data/lib/sqreen/util.rb +5 -0
data/lib/sqreen/util/capped_array.rb +2 -0
data/lib/sqreen/util/capped_hash.rb +2 -0
data/lib/sqreen/util/capped_string.rb +2 -0
data/lib/sqreen/util/capper.rb +2 -0
data/lib/sqreen/version.rb +3 -1
data/lib/sqreen/waf_error.rb +2 -0
data/lib/sqreen/weave.rb +12 -0
data/lib/sqreen/weave/hardcoded.rb +19 -0
data/lib/sqreen/weave/instrumentor.rb +48 -0
data/lib/sqreen/weave/legacy.rb +12 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +406 -0
data/lib/sqreen/web_server.rb +2 -0
data/lib/sqreen/web_server/generic.rb +2 -0
data/lib/sqreen/web_server/passenger.rb +2 -0
data/lib/sqreen/web_server/puma.rb +2 -0
data/lib/sqreen/web_server/rainbows.rb +2 -0
data/lib/sqreen/web_server/thin.rb +2 -0
data/lib/sqreen/web_server/unicorn.rb +2 -0
data/lib/sqreen/web_server/webrick.rb +2 -0
data/lib/sqreen/worker.rb +2 -0
metadata +28 -9
data/lib/sqreen/dependency/hook.rb +0 -102

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 321074d4cc69c79e906d6b4a865e49a36a22f786201a8def57d48d1164716282
-  data.tar.gz: 1edd7b85daa4ef20b624d0ff2ee16178b4cfe14d948c065cceba7374f1ad41d2
+  metadata.gz: 315d183f0c86adad0c106a7f3a9b31ae5049c387233b78e1df3d3ec5e93db21d
+  data.tar.gz: 75b7d65ba2dd9ac049f7a81f6d60c5c96b67d2a7fb453f8e3a181b07035542ab
 SHA512:
-  metadata.gz: '0085800cf5856cdab2003506d1fad265b1bb5744cf80063e4e380af44a5cc4d49a6bca7a2e6199882cea7d296511089ae1c8c2155c4e04840795afb5bbcd6817'
-  data.tar.gz: f1f2dc1680ec65f9cfd8cefde2c47fae7bbf0300f9c2d18811a21b0d1e6ac01abb0679027ce69b5faf322975ab5d17afd92c05a6bc85cf2459fc514f385e0bbc
+  metadata.gz: e2358bca4465a486e04b5454f44a03244e980f1b59e5118bc8aaa6ddb57030cdcf73507949a796cdbbd9d8bc91ca1cf6028e9a12a7a61faceb1250ffca062a73
+  data.tar.gz: d126dbefe095bd988e378dbacdee915e0e0de6c5cce4c0865b988816df20f71b2552b52087779792537071ff7c2757f868899c2aa93671813caf02e7795ed7cc

data/CHANGELOG.md CHANGED

@@ -1,3 +1,25 @@
+## 1.19.2
+* Handle unexpected rule callback return values more gracefully
+* Fix incorrect return value for 404 native callback
+## 1.19.1
+* Fix LocalJumpError when reaching a Rack app nested in a Rails app
+## 1.19.0
+* Upgrade WAF features via libsqreen 0.6.1
+* Improve time defensiveness in WAF
+* Improve compatibility with APM agents via a new optional instrumentation engine
+* Fix action reloading not being entirely cleared on reload
+* Improve handling of hash symbol keys in some security rules
+* Fix constant resolution scope on agent boot
+## 1.18.6
+* Improve default WAF time budget handling logic
 ## 1.18.5
 * Fix type mismatch in WAF time budget handling

data/lib/sqreen/actions.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/actions/actions_index.rb ADDED

@@ -0,0 +1,16 @@
+# typed: true
+module Sqreen
+  module Actions
+    # documents the operations an actions index should implement
+    class ActionsIndex
+      # all actions matching, possibly already expired
+      def actions_matching(_key)
+        raise 'implement in subclasses'
+      end
+      def index(_params, _action)
+        raise 'implement in subclasses'
+      end
+    end
+  end
+end

data/lib/sqreen/actions/base.rb CHANGED

@@ -1,8 +1,11 @@
+# typed: false
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 # TODO: remove class vars
+require 'sqreen/sdk'
 require 'sqreen/exception'
 module Sqreen
@@ -75,16 +78,7 @@ module Sqreen
           subclasses.keys
         end
-        # all actions matching, possibly already expired
-        def actions_matching(_key)
-          raise 'implement in singletons of subclasses'
-        end
-        def index(_params, _action)
-          raise 'implement in singletons of subclasses'
-        end
-        def clear
+        def new_index
           raise 'implement in singletons of subclasses'
         end

data/lib/sqreen/actions/block_ip.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/actions/block_user.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/actions/ip_range_indexed_action_class.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
@@ -6,30 +8,8 @@ require 'sqreen/actions/ip_ranges_index'
 module Sqreen
   module Actions
     module IpRangeIndexedActionClass
-      include IpRangesIndex
-      def actions_matching(client_ip)
-        matching_actions client_ip
-      end
-      def index(params, action)
-        ranges = parse_ip_ranges params
-        ranges.each do |r|
-          add_prefix r, action
-        end
-      end
-      private
-      # returns array of prefixes in string form
-      def parse_ip_ranges(params)
-        ranges = params['ip_cidr']
-        unless ranges && ranges.is_a?(Array) && !ranges.empty?
-          raise 'no non-empty ip_cidr array present'
-        end
-        ranges
+      def new_index
+        IpRangesIndex.new
       end
     end
   end

data/lib/sqreen/actions/ip_ranges_index.rb CHANGED

@@ -1,22 +1,30 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 require 'ipaddr'
+require 'sqreen/actions/actions_index'
 require 'sqreen/trie'
 require 'sqreen/prefix'
 module Sqreen
   module Actions
-    module IpRangesIndex
-      def add_prefix(prefix_str, data)
-        @trie_v4 ||= Sqreen::Trie.new
-        @trie_v6 ||= Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
-        prefix = Sqreen::Prefix.from_str(prefix_str, data)
-        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
-        trie.insert prefix
+    class IpRangesIndex < ActionsIndex
+      def initialize
+        @trie_v4 = Sqreen::Trie.new
+        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
+      end
+      def index(params, action)
+        ranges = parse_ip_ranges params
+        ranges.each do |r|
+          add_prefix r, action
+        end
       end
-      def matching_actions(client_ip)
+      def actions_matching(client_ip)
         parsed_ip = IPAddr.new(client_ip.gsub(/%[^%\/]+/, ''))
         trie = parsed_ip.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
         return [] unless trie
@@ -27,9 +35,22 @@ module Sqreen
         found.map(&:data)
       end
-      def clear
-        @trie_v4 = Sqreen::Trie.new
-        @trie_v6 = Sqreen::Trie.new(nil, nil, Socket::AF_INET6)
+      private
+      # returns array of prefixes in string form
+      def parse_ip_ranges(params)
+        ranges = params['ip_cidr']
+        unless ranges && ranges.is_a?(Array) && !ranges.empty?
+          raise 'no non-empty ip_cidr array present'
+        end
+        ranges
+      end
+      def add_prefix(prefix_str, data)
+        prefix = Sqreen::Prefix.from_str(prefix_str, data)
+        trie = prefix.family == Socket::AF_INET6 ? @trie_v6 : @trie_v4
+        trie.insert prefix
       end
     end
   end

data/lib/sqreen/actions/redirect_ip.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/actions/redirect_user.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/actions/repository.rb CHANGED

@@ -1,24 +1,43 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 module Sqreen
   module Actions
-    # Where the currently loaded actions are stored. Singleton
+    # Where the actions are stored
+    # The current ones are stored in Repository.current
     class Repository
-      include Singleton
+      def initialize
+        @indexes = Hash[Base.known_subclasses.map do |clazz|
+          [clazz.type_name, clazz.new_index]
+        end]
+      end
       def add(params, action)
-        action.class.index(params || {}, action)
+        @indexes[action.class.type_name].index(params || {}, action)
       end
-      def get(action_class, key)
-        action_class = Base.get_type_class(action_class) unless action_class.class == Class
-        action_class.actions_matching key
+      # type is either a class or a type name
+      def get(type, key)
+        type = type.type_name if type.class == Class
+        @indexes[type].actions_matching key
       end
-      def clear
-        Base.known_subclasses.each(&:clear)
+      singleton_class.class_eval do
+        attr_reader :current
+        def current=(new_inst)
+          raise 'nil is unacceptable' if new_inst.nil?
+          @current = new_inst
+        end
+        def clear
+          self.current = Repository.new
+        end
       end
+      # initialize current to empty repository
+      clear
     end
   end
 end

data/lib/sqreen/actions/unknown_action_type.rb CHANGED

@@ -1,6 +1,10 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/exception'
 module Sqreen
   # Implements actions (behavior taken in response to agent signals)
   module Actions

data/lib/sqreen/actions/user_action_class.rb CHANGED

@@ -1,40 +1,15 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
-require 'sqreen/exception'
+require 'sqreen/actions/users_index'
 module Sqreen
   module Actions
     module UserActionClass
-      def actions_matching(identity_params)
-        return [] unless @idx
-        key = stringify_keys(identity_params)
-        actions = @idx[key]
-        actions || []
-      end
-      def index(params, action)
-        @idx ||= {}
-        users = params['users']
-        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
-        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
-        users.each do |u|
-          @idx[u] ||= []
-          @idx[u] << action
-        end
-      end
-      def clear
-        @idx = {}
-      end
-      private
-      def stringify_keys(hash)
-        Hash[
-          hash.map { |k, v| [k.to_s, v] }
-        ]
+      def new_index
+        UsersIndex.new
       end
     end
   end

data/lib/sqreen/actions/users_index.rb ADDED

@@ -0,0 +1,35 @@
+# typed: true
+require 'sqreen/actions/actions_index'
+module Sqreen
+  module Actions
+    class UsersIndex < ActionsIndex
+      def actions_matching(identity_params)
+        return [] unless @idx
+        key = stringify_keys(identity_params)
+        actions = @idx[key]
+        actions || []
+      end
+      def index(params, action)
+        @idx ||= {}
+        users = params['users']
+        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
+        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+        users.each do |u|
+          @idx[u] ||= []
+          @idx[u] << action
+        end
+      end
+      private
+      def stringify_keys(hash)
+        Hash[
+          hash.map { |k, v| [k.to_s, v] }
+        ]
+      end
+    end
+  end
+end

data/lib/sqreen/agent.rb CHANGED

@@ -1,8 +1,9 @@
+# typed: ignore
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 require 'sqreen/version'
-require 'sqreen/instrumentation'
 require 'sqreen/session'
 require 'sqreen/runner'
 require 'sqreen/log'

data/lib/sqreen/attack_blocked.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: true
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/backport.rb CHANGED

@@ -1,3 +1,5 @@
+# typed: strong
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html

data/lib/sqreen/backport/clock_gettime.rb ADDED

@@ -0,0 +1,74 @@
+# typed: ignore
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/backport'
+module Sqreen
+  module Backport
+    module ClockGettime
+      class << self
+        def supported?
+          Process.respond_to?(:clock_gettime)
+        end
+      end
+      unless supported?
+        require 'ffi'
+        class Timespec < FFI::Struct
+          layout :tv_sec => :time_t, :tv_nsec => :long
+        end
+        module LibC
+          extend FFI::Library
+          ffi_lib FFI::Library::LIBC
+          # TODO: FFI::NotFoundError
+          if RUBY_PLATFORM =~ /darwin/
+            attach_function :mach_absolute_time, [], :uint64
+          end
+          attach_function :clock_gettime, [:int, :pointer], :int
+        end
+        module Constants
+          case RUBY_PLATFORM
+          when /darwin/
+            CLOCK_REALTIME = 0
+            CLOCK_MONOTONIC = 6
+            CLOCK_PROCESS_CPUTIME_ID = 12
+            CLOCK_THERAD_CPUTIME_ID = 16
+          when /linux/
+            CLOCK_REALTIME = 0
+            CLOCK_MONOTONIC = 1
+            CLOCK_PROCESS_CPUTIME_ID = 2
+            CLOCK_THREAD_CPUTIME_ID = 3
+          end
+        end
+        def clock_gettime(clock_id, unit = :float_second)
+          unless unit == :float_second
+            raise "Process.clock_gettime: unsupported unit #{unit.inspect}"
+          end
+          t = Timespec.new
+          ret = LibC.clock_gettime(clock_id, t.pointer)
+          raise SystemCallError, "Errno #{FFI.errno}" if ret == -1
+          t[:tv_sec].to_f + t[:tv_nsec].to_f / 1_000_000_000
+        end
+      end
+    end
+  end
+end
+unless Sqreen::Backport::ClockGettime.supported?
+  Process.instance_eval do
+    extend Sqreen::Backport::ClockGettime
+    include Sqreen::Backport::ClockGettime::Constants
+  end
+end