sqreen 1.19.0.beta1 → 1.19.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0ffc604ca6c427fc4f689c67c3973a00bf83d6f0207f394c4df333bea1690799
-  data.tar.gz: 3b36a33e74f0dabb4ab75449807d2c2d2459f3edebe5e324ae593f12487815db
+  metadata.gz: a1a0d2f8489dac7835a9d2135b0e35c15848a4fa094f7912f9979a83a9d2670e
+  data.tar.gz: 9bfc5db45531824d4f968f45fe495c9fad5da7c258c368fec5821aba8f66b124
 SHA512:
-  metadata.gz: 622abad5c40c24d5740dde29bd53da136ccbe40f357b541f0e9d9fec5131e61aa71f391d525eaf4819dbffb22901d7ca9a186c2b615f9b5f0e617254bce40bdc
-  data.tar.gz: d4072082a4aaf7a22e6d7ccaa0699f19b029c0236c6a5be12125e2c8ee5de3cbd99afa4a7560a772f2d1ac6224511f3ef600daa9b13fbae4cf7d85b65147bdd4
+  metadata.gz: f2c2e5a91c6e415c6003dae1c3ca775b9d40eaacb34e4d28d07c991e46941bcb0bb0f1e9d01bdb1644562fb35852c9fb222bd8f1b83a008be3871ee6a5880cb9
+  data.tar.gz: 9164671762553af1f0cd658e3d654432a3eebfe81050f32d9cf8fc7c36fedb8c40a530629e57a16bec62536a080a931a2f2b34ba1fcb33521ab2964db38bc224

data/CHANGELOG.md

@@ -1,6 +1,25 @@
-## 1.19.0.beta1
+## 1.19.4
 
-* Improve compatibility with a new optional instrumentation engine
+* Fix signature check
+
+## 1.19.3
+
+* Improve WAF PII protection
+
+## 1.19.2
+
+* Handle unexpected rule callback return values more gracefully
+* Fix incorrect return value for 404 native callback
+
+## 1.19.1
+
+* Fix LocalJumpError when reaching a Rack app nested in a Rails app
+
+## 1.19.0
+
+* Upgrade WAF features via libsqreen 0.6.1
+* Improve time defensiveness in WAF
+* Improve compatibility with APM agents via a new optional instrumentation engine
 * Fix action reloading not being entirely cleared on reload
 * Improve handling of hash symbol keys in some security rules
 * Fix constant resolution scope on agent boot

data/lib/sqreen/rules/not_found_cb.rb

@@ -24,6 +24,8 @@ module Sqreen
         exception   = env['action_dispatch.exception']
 
         record_from_env(ua, script_name, path_info, verb, override, host, exception)
+
+        nil
       end
 
       def record_from_env(ua, script_name, path_info, verb, override, host, exception)

data/lib/sqreen/rules/waf_cb.rb

@@ -11,11 +11,15 @@ require 'sqreen/safe_json'
 require 'sqreen/exception'
 require 'sqreen/util/capper'
 require 'sqreen/dependency/libsqreen'
+require 'sqreen/encoding_sanitizer'
 
 module Sqreen
   module Rules
     class WAFCB < RuleCB
-      BUDGET_MAX = 5
+      # 2^30 -1 or 2^62 -1
+      MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
+      # will be converted to a long, so better not to overflow
+      INFINITE_BUDGET_US = MAX_FIXNUM
 
       def self.libsqreen?
         Sqreen::Dependency::LibSqreen.required?
@@ -25,7 +29,7 @@ module Sqreen
         Sqreen::Dependency.const_exist?('LibSqreen::WAF')
       end
 
-      attr_reader :binding_accessors, :budget, :waf_rule_name
+      attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
 
       def initialize(*args)
         super(*args)
@@ -54,8 +58,12 @@ module Sqreen
         @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
           h[e] = BindingAccessor.new(e)
         end
-        @budget = (@data['values'].fetch('budget_in_ms', nil) || BUDGET_MAX) * 1000
-        Sqreen.log.debug("WAF budget for #{@waf_rule_name} set to #{@budget}us")
+
+        # 0 for using defaults (PW_RUN_TIMEOUT)
+        @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
+        @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
+
+        Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
 
         ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
       end
@@ -68,20 +76,32 @@ module Sqreen
 
         env = [binding, framework, instance, args]
 
+        start = Sqreen.time if budget
+
         capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
         waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
           h[e] = capper.call(b.resolve(*env))
         end
         waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
-        waf_budget = [self.budget, budget && budget * 1_000_000].compact.min.to_i
-        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, waf_budget)
+
+        if budget
+          rem_budget_s = budget - (Sqreen.time - start)
+          return advise_action(nil) if rem_budget_s <= 0.0
+
+          waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
+        else # no budget
+          waf_gen_budget_us = INFINITE_BUDGET_US
+        end
+
+        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
+                                            waf_gen_budget_us, @max_run_budget_us)
 
         case action
         when :monitor
-          record_event({ 'waf_data' => data })
+          record_event({ waf_data: data })
           advise_action(nil)
         when :block
-          record_event({ 'waf_data' => data })
+          record_event({ waf_data: data })
           advise_action(:raise)
         when :good
           advise_action(nil)

data/lib/sqreen/runner.rb

@@ -121,7 +121,11 @@ module Sqreen
 
       self.metrics_engine = MetricsStore.new
 
-      if @configuration.get(:weave)
+      needs_weave = proc do
+        Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      end
+
+      if @configuration.get(:weave) || needs_weave.call
         @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
       else
         @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)

data/lib/sqreen/version.rb

@@ -4,5 +4,5 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 module Sqreen
-  VERSION = '1.19.0.beta1'.freeze
+  VERSION = '1.19.4'.freeze
 end

data/lib/sqreen/weave/legacy/instrumentation.rb

@@ -8,6 +8,7 @@ require 'sqreen/graft/hook_point'
 require 'sqreen/call_countable'
 require 'sqreen/rules'
 require 'sqreen/rules/record_request_context'
+require 'sqreen/sqreen_signed_verifier'
 
 class Sqreen::Weave::Legacy::Instrumentation
   attr_accessor :metrics_engine
@@ -76,11 +77,23 @@ class Sqreen::Weave::Legacy::Instrumentation
     if strategy == :prepend && !Module.respond_to?(:prepend)
       Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable, falling back to :chain" }
       strategy = :chain
+    elsif strategy == :chain && Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable with scout_apm >= 2.5.2, switching to :prepend" }
+      strategy = :prepend
     end
     Sqreen::Weave.logger.debug { "strategy: #{strategy.inspect}" }
 
     ### set up rule signature verifier
     verifier = nil
+    if Sqreen.features['rules_signature'] &&
+       Sqreen.config_get(:rules_verify_signature) == true &&
+       !defined?(::JRUBY_VERSION)
+      verifier = Sqreen::SqreenSignedVerifier.new
+      Sqreen::Weave.logger.debug('Rules signature enabled')
+    else
+      Sqreen::Weave.logger.debug('Rules signature disabled')
+    end
+
     ### force clean instrumentation callback list
     @hooks = []
     ### for each rule description
@@ -108,6 +121,8 @@ class Sqreen::Weave::Legacy::Instrumentation
     @hooks << request_hook
     request_hook.add do
       before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
+        next unless Sqreen.instrumentation_ready
+
         uuid = SecureRandom.uuid
         now = Sqreen::Graft::Timer.read
         Thread.current[:sqreen_http_request] = {
@@ -130,6 +145,9 @@ class Sqreen::Weave::Legacy::Instrumentation
 
       ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
         request = Thread.current[:sqreen_http_request]
+
+        next if request.nil?
+
         Thread.current[:sqreen_http_request] = nil
         now = Sqreen::Graft::Timer.read
         utc_now = Time.now.utc
@@ -261,7 +279,7 @@ class Sqreen::Weave::Legacy::Instrumentation
     hook.add do
       if callback.pre?
         before(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
-          return unless Sqreen.instrumentation_ready
+          next unless Thread.current[:sqreen_http_request]
 
           i = call.instance
           a = call.args
@@ -288,13 +306,13 @@ class Sqreen::Weave::Legacy::Instrumentation
           when :raise, 'raise'
             throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
             throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil?
+          end unless ret.nil? || !ret.is_a?(Hash)
         end
       end
 
       if callback.post?
         after(rule, rank: -priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
-          return unless Sqreen.instrumentation_ready
+          next unless Thread.current[:sqreen_http_request]
 
           i = call.instance
           v = call.returned
@@ -320,13 +338,13 @@ class Sqreen::Weave::Legacy::Instrumentation
           when :raise, 'raise'
             throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
             throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil?
+          end unless ret.nil? || !ret.is_a?(Hash)
         end
       end
 
       if callback.failing?
         raised(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
-          return unless Sqreen.instrumentation_ready
+          next unless Thread.current[:sqreen_http_request]
 
           i = call.instance
           e = call.raised
@@ -346,7 +364,7 @@ class Sqreen::Weave::Legacy::Instrumentation
           end
           Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i} => return=#{ret.inspect}" }
 
-          raise e if ret.nil?
+          throw(b, b.raise(e)) if ret.nil? || !ret.is_a?(Hash)
 
           case ret[:status]
           when :override, 'override'
@@ -360,7 +378,7 @@ class Sqreen::Weave::Legacy::Instrumentation
             throw(b, b.raise(e))
           else
             throw(b, b.raise(e))
-          end unless ret.nil?
+          end unless ret.nil? || !ret.is_a?(Hash)
         end
       end
     end.install

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.19.0.beta1
+  version: 1.19.4
 platform: ruby
 authors:
 - Sqreen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-11 00:00:00.000000000 Z
+date: 2020-07-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sq_mini_racer
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0.0
+        version: 0.6.1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0.0
+        version: 0.6.1.0.0
 description: Sqreen is a SaaS based Application protection and monitoring platform
   that integrates directly into your Ruby applications. Learn more at https://sqreen.com.
 email: contact@sqreen.com
@@ -232,10 +232,13 @@ files:
 homepage: https://www.sqreen.com/
 licenses:
 - Sqreen
-metadata: {}
-post_install_message: |2
-      This is a Sqreen beta release and may not work in all situations.
-      Make sure to review CHANGELOG.md for important details.
+metadata:
+  homepage_uri: https://sqreen.com
+  documentation_uri: https://docs.sqreen.com/
+  changelog_uri: https://docs.sqreen.com/ruby/release-notes/
+  source_code_uri: https://github.com/sqreen/ruby-agent
+  bug_tracker_uri: https://github.com/sqreen/ruby-agent/issues
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -246,11 +249,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Sqreen Ruby agent