sqreen 1.19.0.beta1 → 1.19.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0ffc604ca6c427fc4f689c67c3973a00bf83d6f0207f394c4df333bea1690799
4
- data.tar.gz: 3b36a33e74f0dabb4ab75449807d2c2d2459f3edebe5e324ae593f12487815db
3
+ metadata.gz: d9ee940962990208133a70a5b307638cd43dda2b269cccce3f145ed96816e64a
4
+ data.tar.gz: '012987d55219ddd310337f6c0a9837d1e52aae1b7e165ab24e855c4f5fbeb767'
5
5
  SHA512:
6
- metadata.gz: 622abad5c40c24d5740dde29bd53da136ccbe40f357b541f0e9d9fec5131e61aa71f391d525eaf4819dbffb22901d7ca9a186c2b615f9b5f0e617254bce40bdc
7
- data.tar.gz: d4072082a4aaf7a22e6d7ccaa0699f19b029c0236c6a5be12125e2c8ee5de3cbd99afa4a7560a772f2d1ac6224511f3ef600daa9b13fbae4cf7d85b65147bdd4
6
+ metadata.gz: 602e605c2d82de6d011dba78ce03411973ca25c2fb8a00322af9cb80937eff2997f8eda20e00d08bb2106073a3ffe8bbf4bc7f01409d123d510ebb16a7915405
7
+ data.tar.gz: 2363c998cb4af54018638c7d6e46f54e6d98afcac94c6be5747a3c1f555bdd59321441b3196c85f1eec08555dc579af80cdf6728ade7dfb4b9bf0f506669d55d
@@ -1,6 +1,8 @@
1
- ## 1.19.0.beta1
1
+ ## 1.19.0
2
2
 
3
- * Improve compatibility with a new optional instrumentation engine
3
+ * Upgrade WAF features via libsqreen 0.6.1
4
+ * Improve time defensiveness in WAF
5
+ * Improve compatibility with APM agents via a new optional instrumentation engine
4
6
  * Fix action reloading not being entirely cleared on reload
5
7
  * Improve handling of hash symbol keys in some security rules
6
8
  * Fix constant resolution scope on agent boot
@@ -11,11 +11,15 @@ require 'sqreen/safe_json'
11
11
  require 'sqreen/exception'
12
12
  require 'sqreen/util/capper'
13
13
  require 'sqreen/dependency/libsqreen'
14
+ require 'sqreen/encoding_sanitizer'
14
15
 
15
16
  module Sqreen
16
17
  module Rules
17
18
  class WAFCB < RuleCB
18
- BUDGET_MAX = 5
19
+ # 2^30 -1 or 2^62 -1
20
+ MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
21
+ # will be converted to a long, so better not to overflow
22
+ INFINITE_BUDGET_US = MAX_FIXNUM
19
23
 
20
24
  def self.libsqreen?
21
25
  Sqreen::Dependency::LibSqreen.required?
@@ -25,7 +29,7 @@ module Sqreen
25
29
  Sqreen::Dependency.const_exist?('LibSqreen::WAF')
26
30
  end
27
31
 
28
- attr_reader :binding_accessors, :budget, :waf_rule_name
32
+ attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
29
33
 
30
34
  def initialize(*args)
31
35
  super(*args)
@@ -54,8 +58,12 @@ module Sqreen
54
58
  @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
55
59
  h[e] = BindingAccessor.new(e)
56
60
  end
57
- @budget = (@data['values'].fetch('budget_in_ms', nil) || BUDGET_MAX) * 1000
58
- Sqreen.log.debug("WAF budget for #{@waf_rule_name} set to #{@budget}us")
61
+
62
+ # 0 for using defaults (PW_RUN_TIMEOUT)
63
+ @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
64
+ @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
65
+
66
+ Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
59
67
 
60
68
  ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
61
69
  end
@@ -68,13 +76,25 @@ module Sqreen
68
76
 
69
77
  env = [binding, framework, instance, args]
70
78
 
79
+ start = Sqreen.time if budget
80
+
71
81
  capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
72
82
  waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
73
83
  h[e] = capper.call(b.resolve(*env))
74
84
  end
75
85
  waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
76
- waf_budget = [self.budget, budget && budget * 1_000_000].compact.min.to_i
77
- action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, waf_budget)
86
+
87
+ if budget
88
+ rem_budget_s = budget - (Sqreen.time - start)
89
+ return advise_action(nil) if rem_budget_s <= 0.0
90
+
91
+ waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
92
+ else # no budget
93
+ waf_gen_budget_us = INFINITE_BUDGET_US
94
+ end
95
+
96
+ action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
97
+ waf_gen_budget_us, @max_run_budget_us)
78
98
 
79
99
  case action
80
100
  when :monitor
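Review bot: `waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min` floors to 0 when the remaining budget is positive but under one microsecond, so `::LibSqreen::WAF.run` is handed a 0 µs budget; the comment on `@max_run_budget_us` in this file's `initialize` says 0 means "use defaults" for the per-run argument, and if the first argument follows the same convention a nearly-exhausted request gets an unbounded WAF run instead of being skipped — worth confirming against libsqreen 0.6.1. Computing the microsecond value before the check makes it exact: `rem_budget_us = (rem_budget_s * 1_000_000).to_i`, `return advise_action(nil) if rem_budget_us <= 0`, `waf_gen_budget_us = [rem_budget_us, MAX_FIXNUM].min`. That early return also skips the WAF with no trace, which is fail-open for a request that has used up its budget; a `Sqreen.log.debug { "WAF #{waf_rule_name} skipped: request budget exhausted" }` before the return would make such skips observable. The enclosing method starts before this hunk.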
@@ -121,7 +121,11 @@ module Sqreen
121
121
 
122
122
  self.metrics_engine = MetricsStore.new
123
123
 
124
- if @configuration.get(:weave)
124
+ needs_weave = proc do
125
+ Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
126
+ end
127
+
128
+ if @configuration.get(:weave) || needs_weave.call
125
129
  @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
126
130
  else
127
131
  @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)
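Review bot: The scout_apm version probe in `needs_weave` is the same expression that `Sqreen::Weave::Legacy::Instrumentation` uses to force the `:prepend` strategy, so the two will drift apart the next time the threshold moves; it belongs in one shared predicate that both sites call. `Gem::Specification` also enumerates installed specs rather than the activated gem, so outside Bundler a scout_apm >= 2.5.2 that is installed but never required by the application would still switch the engine — presumably acceptable at boot, but worth a one-line comment at the proc. The block reads more directly without the intermediate array, `needs_weave = proc { Gem::Specification.any? { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(s.version) } }`, since `s.version` is already a `Gem::Version`. The enclosing method starts and ends outside this hunk.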
@@ -4,5 +4,5 @@
4
4
  # Please refer to our terms for more information: https://www.sqreen.com/terms.html
5
5
 
6
6
  module Sqreen
7
- VERSION = '1.19.0.beta1'.freeze
7
+ VERSION = '1.19.0'.freeze
8
8
  end
@@ -76,6 +76,9 @@ class Sqreen::Weave::Legacy::Instrumentation
76
76
  if strategy == :prepend && !Module.respond_to?(:prepend)
77
77
  Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable, falling back to :chain" }
78
78
  strategy = :chain
79
+ elsif strategy == :chain && Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
80
+ Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable with scout_apm >= 2.5.2, switching to :prepend" }
81
+ strategy = :prepend
79
82
  end
80
83
  Sqreen::Weave.logger.debug { "strategy: #{strategy.inspect}" }
81
84
 
@@ -108,6 +111,8 @@ class Sqreen::Weave::Legacy::Instrumentation
108
111
  @hooks << request_hook
109
112
  request_hook.add do
110
113
  before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
114
+ next unless Sqreen.instrumentation_ready
115
+
111
116
  uuid = SecureRandom.uuid
112
117
  now = Sqreen::Graft::Timer.read
113
118
  Thread.current[:sqreen_http_request] = {
@@ -130,6 +135,9 @@ class Sqreen::Weave::Legacy::Instrumentation
130
135
 
131
136
  ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
132
137
  request = Thread.current[:sqreen_http_request]
138
+
139
+ next if request.nil?
140
+
133
141
  Thread.current[:sqreen_http_request] = nil
134
142
  now = Sqreen::Graft::Timer.read
135
143
  utc_now = Time.now.utc
@@ -261,7 +269,7 @@ class Sqreen::Weave::Legacy::Instrumentation
261
269
  hook.add do
262
270
  if callback.pre?
263
271
  before(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
264
- return unless Sqreen.instrumentation_ready
272
+ return unless Thread.current[:sqreen_http_request]
265
273
 
266
274
  i = call.instance
267
275
  a = call.args
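Review bot: Swapping the `Sqreen.instrumentation_ready` gate for `return unless Thread.current[:sqreen_http_request]` means this `before` callback (and the `after` and `raised` callbacks changed the same way in the next two hunks) now fires only while the request hook earlier in this file has populated the thread-local, so a rule whose hook is reached outside an HTTP request — a background job, a console, or a thread spawned during a request, which does not inherit the thread-local — is silently skipped under the weave engine. If that narrowing is intended it should be stated at the guard, e.g. `# only runs inside a request tracked by the request hook above; out-of-request hits are ignored by design`; if it is not, keep `return unless Sqreen.instrumentation_ready` and let the request context be nil. It is also worth checking that the non-weave `Sqreen::Legacy::Instrumentation` has the same coverage so the two engines do not diverge on which sinks are protected. The enclosing method starts and ends outside this hunk.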
@@ -294,7 +302,7 @@ class Sqreen::Weave::Legacy::Instrumentation
294
302
 
295
303
  if callback.post?
296
304
  after(rule, rank: -priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
297
- return unless Sqreen.instrumentation_ready
305
+ return unless Thread.current[:sqreen_http_request]
298
306
 
299
307
  i = call.instance
300
308
  v = call.returned
@@ -326,7 +334,7 @@ class Sqreen::Weave::Legacy::Instrumentation
326
334
 
327
335
  if callback.failing?
328
336
  raised(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
329
- return unless Sqreen.instrumentation_ready
337
+ return unless Thread.current[:sqreen_http_request]
330
338
 
331
339
  i = call.instance
332
340
  e = call.raised
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sqreen
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.19.0.beta1
4
+ version: 1.19.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sqreen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-05-11 00:00:00.000000000 Z
11
+ date: 2020-05-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: sq_mini_racer
@@ -30,14 +30,14 @@ dependencies:
30
30
  requirements:
31
31
  - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: 0.3.0.0
33
+ version: 0.6.1.0.0
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: 0.3.0.0
40
+ version: 0.6.1.0.0
41
41
  description: Sqreen is a SaaS based Application protection and monitoring platform
42
42
  that integrates directly into your Ruby applications. Learn more at https://sqreen.com.
43
43
  email: contact@sqreen.com
@@ -233,9 +233,7 @@ homepage: https://www.sqreen.com/
233
233
  licenses:
234
234
  - Sqreen
235
235
  metadata: {}
236
- post_install_message: |2
237
- This is a Sqreen beta release and may not work in all situations.
238
- Make sure to review CHANGELOG.md for important details.
236
+ post_install_message:
239
237
  rdoc_options: []
240
238
  require_paths:
241
239
  - lib
@@ -246,11 +244,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
246
244
  version: 1.9.3
247
245
  required_rubygems_version: !ruby/object:Gem::Requirement
248
246
  requirements:
249
- - - ">"
247
+ - - ">="
250
248
  - !ruby/object:Gem::Version
251
- version: 1.3.1
249
+ version: '0'
252
250
  requirements: []
253
- rubygems_version: 3.0.3
251
+ rubyforge_project:
252
+ rubygems_version: 2.7.7
254
253
  signing_key:
255
254
  specification_version: 4
256
255
  summary: Sqreen Ruby agent