RubyGems - sqreen - Versions diffs - 1.20.1-java → 1.22.0-java - Mend

sqreen 1.20.1-java → 1.22.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +40 -0
data/lib/sqreen/actions/block_user.rb +1 -1
data/lib/sqreen/actions/redirect_ip.rb +1 -1
data/lib/sqreen/actions/redirect_user.rb +1 -1
data/lib/sqreen/attack_detected.html +1 -2
data/lib/sqreen/condition_evaluator.rb +8 -2
data/lib/sqreen/configuration.rb +1 -1
data/lib/sqreen/deferred_logger.rb +50 -14
data/lib/sqreen/deliveries/batch.rb +8 -1
data/lib/sqreen/dependency/detector.rb +11 -3
data/lib/sqreen/dependency/new_relic.rb +10 -1
data/lib/sqreen/deprecation.rb +38 -0
data/lib/sqreen/ecosystem.rb +123 -0
data/lib/sqreen/ecosystem/databases/database_connection_data.rb +23 -0
data/lib/sqreen/ecosystem/databases/mongo.rb +39 -0
data/lib/sqreen/ecosystem/databases/mysql.rb +54 -0
data/lib/sqreen/ecosystem/databases/postgres.rb +51 -0
data/lib/sqreen/ecosystem/databases/redis.rb +36 -0
data/lib/sqreen/ecosystem/dispatch_table.rb +43 -0
data/lib/sqreen/ecosystem/exception_reporting.rb +28 -0
data/lib/sqreen/ecosystem/http/net_http.rb +50 -0
data/lib/sqreen/ecosystem/http/rack_request.rb +39 -0
data/lib/sqreen/ecosystem/loggable.rb +13 -0
data/lib/sqreen/ecosystem/messaging/bunny.rb +61 -0
data/lib/sqreen/ecosystem/messaging/kafka.rb +70 -0
data/lib/sqreen/ecosystem/messaging/kinesis.rb +66 -0
data/lib/sqreen/ecosystem/messaging/sqs.rb +68 -0
data/lib/sqreen/ecosystem/module_api.rb +30 -0
data/lib/sqreen/ecosystem/module_api/event_listener.rb +18 -0
data/lib/sqreen/ecosystem/module_api/instrumentation.rb +23 -0
data/lib/sqreen/ecosystem/module_api/message_producer.rb +57 -0
data/lib/sqreen/ecosystem/module_api/signal_producer.rb +24 -0
data/lib/sqreen/ecosystem/module_api/tracing.rb +45 -0
data/lib/sqreen/ecosystem/module_api/tracing/client_data.rb +31 -0
data/lib/sqreen/ecosystem/module_api/tracing/consumer_data.rb +13 -0
data/lib/sqreen/ecosystem/module_api/tracing/messaging_data.rb +35 -0
data/lib/sqreen/ecosystem/module_api/tracing/producer_data.rb +13 -0
data/lib/sqreen/ecosystem/module_api/tracing/server_data.rb +27 -0
data/lib/sqreen/ecosystem/module_api/tracing_id_generation.rb +16 -0
data/lib/sqreen/ecosystem/module_api/transaction_storage.rb +71 -0
data/lib/sqreen/ecosystem/module_registry.rb +48 -0
data/lib/sqreen/ecosystem/tracing/modules/client.rb +35 -0
data/lib/sqreen/ecosystem/tracing/modules/consumer.rb +35 -0
data/lib/sqreen/ecosystem/tracing/modules/determine_ip.rb +28 -0
data/lib/sqreen/ecosystem/tracing/modules/producer.rb +35 -0
data/lib/sqreen/ecosystem/tracing/modules/server.rb +30 -0
data/lib/sqreen/ecosystem/tracing/sampler.rb +160 -0
data/lib/sqreen/ecosystem/tracing/sampling_configuration.rb +150 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_client.rb +53 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_consumer.rb +56 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_producer.rb +56 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_server.rb +53 -0
data/lib/sqreen/ecosystem/tracing_broker.rb +101 -0
data/lib/sqreen/ecosystem/tracing_id_setup.rb +34 -0
data/lib/sqreen/ecosystem/transaction_storage.rb +64 -0
data/lib/sqreen/ecosystem/util/call_writers_from_init.rb +13 -0
data/lib/sqreen/ecosystem_integration.rb +81 -0
data/lib/sqreen/ecosystem_integration/around_callbacks.rb +89 -0
data/lib/sqreen/ecosystem_integration/instrumentation_service.rb +38 -0
data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb +58 -0
data/lib/sqreen/ecosystem_integration/signal_consumption.rb +35 -0
data/lib/sqreen/events/request_record.rb +0 -1
data/lib/sqreen/frameworks/generic.rb +36 -1
data/lib/sqreen/frameworks/rails.rb +0 -7
data/lib/sqreen/frameworks/request_recorder.rb +2 -0
data/lib/sqreen/graft/call.rb +85 -18
data/lib/sqreen/graft/callback.rb +1 -1
data/lib/sqreen/graft/hook.rb +192 -88
data/lib/sqreen/graft/hook_point.rb +18 -11
data/lib/sqreen/kit/signals/specialized/sqreen_exception.rb +2 -0
data/lib/sqreen/legacy/instrumentation.rb +22 -10
data/lib/sqreen/legacy/old_event_submission_strategy.rb +9 -2
data/lib/sqreen/log.rb +3 -2
data/lib/sqreen/log/loggable.rb +1 -0
data/lib/sqreen/logger.rb +24 -0
data/lib/sqreen/metrics_store.rb +11 -0
data/lib/sqreen/null_logger.rb +22 -0
data/lib/sqreen/remote_command.rb +4 -0
data/lib/sqreen/rules.rb +8 -4
data/lib/sqreen/rules/blacklist_ips_cb.rb +2 -2
data/lib/sqreen/rules/custom_error_cb.rb +3 -3
data/lib/sqreen/rules/rule_cb.rb +2 -0
data/lib/sqreen/rules/waf_cb.rb +3 -3
data/lib/sqreen/runner.rb +47 -7
data/lib/sqreen/session.rb +2 -0
data/lib/sqreen/signals/conversions.rb +6 -1
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/weave/budget.rb +46 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +252 -109
data/lib/sqreen/worker.rb +6 -2
metadata +60 -11
data/lib/sqreen/encoding_sanitizer.rb +0 -27

data/lib/sqreen/ecosystem/tracing_id_setup.rb ADDED

@@ -0,0 +1,34 @@
+require 'sqreen/ecosystem/module_registry'
+require 'sqreen/ecosystem/transaction_storage'
+require 'sqreen/ecosystem/module_api/signal_producer'
+module Sqreen
+  module Ecosystem
+    class TracingIdSetup
+      # @param [Array<Sqreen::Ecosystem::ModuleApi::SignalProducer>] signal_producer_modules
+      def initialize(signal_producer_modules)
+        @modules = signal_producer_modules
+        @tracing_id_prefix = nil
+      end
+      def setup_modules
+        inject_out_of_tx_tracing_id_gen
+      end
+      attr_writer :tracing_id_prefix
+      private
+      def inject_out_of_tx_tracing_id_gen
+        @modules.each do |mod|
+          mod.tracing_id_producer = method(:generate_tracing_id)
+        end
+      end
+      def generate_tracing_id
+        return nil unless @tracing_id_prefix
+        "#{@tracing_id_prefix}.#{SecureRandom.uuid}"
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/transaction_storage.rb ADDED

@@ -0,0 +1,64 @@
+require 'sqreen/ecosystem/loggable'
+module Sqreen
+  module Ecosystem
+    # The transaction storage is a mechanism for the modules to share
+    # request-scoped data with each other or to keep request-scoped objects
+    # themselves, although, for this last use case to be effective,
+    # propagation of request start/end events to the modules will likely be
+    # needed. A more generic notification of data availability to modules
+    # also may be needed in the future.
+    #
+    # This is not be used to share data with the Ecosystem client
+    #
+    # This class is not thread safe because it can call the lazy getter
+    # twice if [] is called concurrently.
+    class TransactionStorage
+      include Loggable
+      class << self
+        # @return [Sqreen::Ecosystem::TransactionStorage]
+        def create_thread_local
+          Thread.current[:tx_storage] = new
+        end
+        # @return [Sqreen::Ecosystem::TransactionStorage]
+        def fetch_thread_local
+          Thread.current[:tx_storage]
+        end
+        def destroy_thread_local
+          Thread.current[:tx_storage] = nil
+        end
+      end
+      def initialize
+        @values = {}
+        @values_lazy = {}
+      end
+      def []=(key, value)
+        @values[key] = value
+      end
+      def set_lazy(key, &block)
+        @values_lazy[key] = block
+      end
+      def [](key)
+        v = @values[key]
+        return v unless v.nil?
+        v = @values_lazy[key]
+        return nil if v.nil?
+        begin
+          @values[key] = v.call
+        rescue StandardError => e
+          logger.warn { "Error resolving key #{e} with lazy value: #{e.message}" }
+          raise
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem/util/call_writers_from_init.rb ADDED

@@ -0,0 +1,13 @@
+module Sqreen
+  module Ecosystem
+    module Util
+      module CallWritersFromInit
+        def initialize(values = {})
+          values.each do |attr, val|
+            public_send("#{attr}=", val)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration.rb ADDED

@@ -0,0 +1,81 @@
+require 'sqreen/log/loggable'
+require 'sqreen/ecosystem'
+require 'sqreen/ecosystem/dispatch_table'
+require 'sqreen/ecosystem_integration/instrumentation_service'
+require 'sqreen/ecosystem_integration/request_lifecycle_tracking'
+require 'sqreen/ecosystem_integration/signal_consumption'
+module Sqreen
+  # This class is the interface through which the agent interacts
+  # with the ecosystem.
+  #
+  # Other classes in the EcosystemIntegration module implement the
+  # functionality that the ecosystem requires in order to deliver
+  # data to the agent and to be informed by the agent of certain
+  # key events (see Sqreen::Ecosystem::DispatchTable).
+  class EcosystemIntegration
+    include Sqreen::Log::Loggable
+    # @param [Sqreen::Framework] framework
+    def initialize(framework, queue)
+      @framework = framework
+      @queue = queue
+      @request_lifecycle = RequestLifecycleTracking.new
+      @online = false
+    end
+    def init
+      raise 'already initialized' if @online
+      setup_dispatch_table
+      Ecosystem.init
+      logger.info 'Ecosystem successfully initialized'
+      @online = true
+    rescue ::Exception => e # rubocop:disable Lint/RescueException
+      logger.warn { "Error initializing Ecosystem: #{e.message}" }
+      logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+      Sqreen::RemoteException.record(e)
+    end
+    def disable
+      raise NotImplementedYet
+    end
+    def request_start(rack_request)
+      return unless @online
+      Ecosystem.start_transaction
+      @request_lifecycle.notify_request_start(rack_request)
+    end
+    def request_end
+      return unless @online
+      Ecosystem.end_transaction
+    end
+    def handle_tracing_command(trace_id_prefix, scopes_config)
+      return unless @online
+      Ecosystem.configure_sampling(trace_id_prefix, scopes_config)
+    end
+    private
+    def setup_dispatch_table
+      Ecosystem::DispatchTable.consume_signal =
+        create_signal_consumption.method(:consume_signal)
+      Ecosystem::DispatchTable.add_request_start_listener =
+        @request_lifecycle.method(:add_start_observer)
+      Ecosystem::DispatchTable.fetch_logger = lambda { logger }
+      Ecosystem::DispatchTable.instrument = InstrumentationService.method(:instrument)
+    end
+    def create_signal_consumption
+      SignalConsumption.new(@framework, @request_lifecycle, @queue)
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/around_callbacks.rb ADDED

@@ -0,0 +1,89 @@
+require 'sqreen/log/loggable'
+require 'sqreen/events/remote_exception'
+require 'sqreen/mono_time'
+module Sqreen
+  class EcosystemIntegration
+    module AroundCallbacks
+      class << self
+        include Log::Loggable::ClassMethods
+        # for instrumentation hooks
+        # instrumentation hooks already handle budgets, so nothing
+        # to do in that respect
+        def wrap_instrumentation_hook(module_name, action, callable)
+          perf_notif_name = "ecosystem_#{module_name}"
+          Proc.new do |*args|
+            begin
+              start = Sqreen.time
+              callable.call(*args)
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            ensure
+              # 3) contribute to performance metrics
+              stop = Sqreen.time
+              Sqreen::PerformanceNotifications.notify(perf_notif_name, action, start, stop)
+            end # end proc
+          end # end begin
+        end
+        # XXX: not used yet
+        def wrap_generic_callback(module_name, action, callable)
+          timer_name = "ecosystem:#{module_name}@#{action}"
+          perf_notif_name = "ecosystem_#{module_name}"
+          Proc.new do |*args|
+            begin
+              req_storage = Thread.current[:sqreen_http_request]
+              timer = Graft::Timer.new(timer_name) do |t|
+                # this is an epilogue to measure()
+                req_storage && req_storage[:timed_hooks] << t
+              end
+              req_timer = nil
+              timer.measure do
+                # not in a request, no budget; call cb
+                next callable.call(*args) unless req_storage
+                # 1) budget enforcement
+                # skip callback if budget already expended
+                next if req_storage[:time_budget_expended]
+                budget = req_storage[:time_budget]
+                if budget
+                  req_timer = req_storage[:timer]
+                  remaining = budget - req_timer.elapsed
+                  unless remaining > 0
+                    req_storage[:time_budget_expended] = true
+                    next # skip callback
+                  end
+                end
+                callable.call(*args)
+              end
+            rescue ::Exception => e # rubocop:disable Lint/RescueException
+              # 2) rescue exceptions
+              logger.warn { "Error in #{module_name}:#{action}: #{e.message}" }
+              logger.debug { e.backtrace.map { |x| "  #{x}" }.join("\n") }
+              Sqreen::RemoteException.record(e)
+            ensure
+              # 3) contribute to performance metrics
+              if timer
+                req_timer.include_measurements(timer) if req_timer
+                Sqreen::PerformanceNotifications.notify(
+                  perf_notif_name, action, *timer.start_and_end
+                )
+              end
+            end # end begin
+          end # end proc
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/instrumentation_service.rb ADDED

@@ -0,0 +1,38 @@
+require 'sqreen/graft/hook'
+require 'sqreen/ecosystem_integration/around_callbacks'
+module Sqreen
+  class EcosystemIntegration
+    module InstrumentationService
+      class << self
+        # @param [String] module_name
+        # @param [String] method in form A::B#c or A::B.c
+        # @param [Hash{Symbol=>Proc}] spec
+        def instrument(module_name, method, spec)
+          hook = Sqreen::Graft::Hook[method].add do
+            if spec[:before]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'pre', spec[:before])
+              before(nil, flow: true, &cb)
+            end
+            if spec[:after]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'post', spec[:after])
+              after(nil, flow: true, &cb)
+            end
+            if spec[:raised]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'failing', spec[:raised])
+              raised(nil, flow: true, &cb)
+            end
+            if spec[:ensured]
+              cb = AroundCallbacks.wrap_instrumentation_hook(module_name, 'finally', spec[:ensured])
+              ensured(nil, flow: true, &cb)
+            end
+          end
+          hook.install
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb ADDED

@@ -0,0 +1,58 @@
+require 'sqreen/events/remote_exception'
+require 'sqreen/log/loggable'
+module Sqreen
+  class EcosystemIntegration
+    # This class gets notified of request start/end and
+    # 1) distributes such events to listeners (typically ecosystem modules;
+    #    the method add_start_observer is exposed to ecosystem modules through
+    #    +Sqreen::Ecosystem::ModuleApi::EventListener+ and the dispatch table).
+    # 2) keeps track of whether a request is active on this thread. This is
+    #    so that users of this class can have this information without needing
+    #    to subscribe to request start/events and keeping thread local state
+    #    themselves.
+    # XXX: Since the Ecosystem is also notified of request start/end, it could
+    # notify its modules of request start without going through the dispatch
+    # table and call add_start_observer. We need to think if we want to keep
+    # the transaction / request distinction or if they should just be
+    # assumed to be the same, though.
+    class RequestLifecycleTracking
+      include Sqreen::Log::Loggable
+      def initialize
+        @start_observers = []
+        @tl_key = "#{object_id}_req_in_flight"
+      end
+      # API for classes needing to know the request state
+      # @param cb A callback taking a Rack::Request
+      def add_start_observer(cb)
+        @start_observers << cb
+      end
+      def in_request?
+        Thread.current[@tl_key] ? true : false
+      end
+      # API for classes notifying this one of request events
+      def notify_request_start(rack_req)
+        Thread.current[@tl_key] = true
+        return if @start_observers.empty?
+        @start_observers.each do |cb|
+          begin
+            cb.call(rack_req)
+          rescue ::Exception => e # rubocop:disable Lint/RescueException
+            logger.warn { "Error calling #{cb} on request start: #{e.message}" }
+            Sqreen::RemoteException.record(e)
+          end
+        end
+      end
+      def notify_request_end
+        Thread.current[@tl_key] = false
+      end
+    end
+  end
+end

data/lib/sqreen/ecosystem_integration/signal_consumption.rb ADDED

@@ -0,0 +1,35 @@
+require 'sqreen/log/loggable'
+module Sqreen
+  class EcosystemIntegration
+    class SignalConsumption
+      include Sqreen::Log::Loggable
+      PAYLOAD_CREATOR_SECTIONS = %w[request response params headers].freeze
+      # @param [Sqreen::Frameworks::GenericFramework] framework
+      # @param [Sqreen::EcosystemIntegration::RequestLifecycleTracking]
+      # @param [Sqreen::CappedQueue]
+      def initialize(framework, req_lifecycle, queue)
+        @framework = framework
+        @req_lifecycle = req_lifecycle
+        @queue = queue
+      end
+      def consume_signal(signal)
+        # transitional
+        unless Sqreen.features.fetch('use_signals', DEFAULT_USE_SIGNALS)
+          logger.debug { "Discarding signal #{signal} (signals disabled)" }
+          return
+        end
+        if @req_lifecycle.in_request?
+          # add it to the request record
+          @framework.observe(:signals, signal, PAYLOAD_CREATOR_SECTIONS, true)
+        else
+          @queue.push signal
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/events/request_record.rb CHANGED

@@ -8,7 +8,6 @@
 require 'json'
 require 'sqreen/log'
 require 'sqreen/event'
-require 'sqreen/encoding_sanitizer'
 require 'sqreen/sensitive_data_redactor'
 module Sqreen

data/lib/sqreen/frameworks/generic.rb CHANGED

@@ -22,8 +22,17 @@ module Sqreen
       include RequestRecorder
       attr_accessor :sqreen_configuration
+      attr_writer :req_start_cb, :req_end_cb
       def initialize
         clean_request_record
+        # for notifying the ecosystem of request boundaries
+        # XXX: this should be refactored. It shouldn't be
+        # the framework doing these notifications to the ecosystem
+        # Probably the rule callback should do it itself
+        @req_start_cb = Proc.new {}
+        @req_end_cb = Proc.new {}
       end
       # What kind of database is this
@@ -209,7 +218,16 @@ module Sqreen
       # Should the agent not be starting up?
       def prevent_startup
+        # SQREEN-880 - prevent Sqreen startup on Sidekiq workers
+        return :sidekiq_cli if defined?(Sidekiq::CLI)
+        return :delayed_job if defined?(Delayed::Command)
+        # Prevent Sqreen startup on rake tasks - unless this is a Sqreen test
+        run_in_test = sqreen_configuration.get(:run_in_test)
+        return :rake if !run_in_test && $0.end_with?('rake')
         return :irb if $0 == 'irb'
         return if sqreen_configuration.nil?
         disable = sqreen_configuration.get(:disable)
         return :config_disable if disable == true || disable.to_s.to_i == 1
@@ -251,8 +269,12 @@ module Sqreen
       # Nota: cleanup should be performed at end of request (see clean_request)
       def store_request(object)
         return unless ensure_rack_loaded
+        rack_req = Rack::Request.new(object)
+        @req_start_cb.call(rack_req)
         self.remaining_perf_budget = Sqreen.performance_budget
-        SharedStorage.set(:request, Rack::Request.new(object))
+        SharedStorage.set(:request, rack_req)
         SharedStorage.set(:xss_params, nil)
         SharedStorage.set(:whitelisted, nil)
         SharedStorage.set(:request_overtime, nil)
@@ -281,6 +303,7 @@ module Sqreen
         SharedStorage.set(:xss_params, nil)
         SharedStorage.set(:whitelisted, nil)
         SharedStorage.set(:request_overtime, nil)
+        @req_end_cb.call
       end
       def remaining_perf_budget
@@ -377,6 +400,18 @@ module Sqreen
         r
       end
+      def body
+        return nil unless request.respond_to?(:body)
+        return nil unless request.body.respond_to?(:read)
+        return nil unless request.body.respond_to?(:rewind)
+        body_io = request.body
+        body = body_io.read(4096)
+        body_io.rewind
+        body
+      end
       # Expose current working directory
       def cwd
         Dir.getwd