sqreen 1.22.0 → 1.24.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +25 -0
- data/bin/sqreen +43 -0
- data/lib/sqreen/actions.rb +1 -1
- data/lib/sqreen/actions/actions_index.rb +5 -1
- data/lib/sqreen/actions/base.rb +1 -1
- data/lib/sqreen/actions/block_ip.rb +1 -1
- data/lib/sqreen/actions/block_user.rb +1 -1
- data/lib/sqreen/actions/ip_range_indexed_action_class.rb +1 -1
- data/lib/sqreen/actions/ip_ranges_index.rb +1 -1
- data/lib/sqreen/actions/redirect_ip.rb +1 -1
- data/lib/sqreen/actions/redirect_user.rb +1 -1
- data/lib/sqreen/actions/repository.rb +1 -1
- data/lib/sqreen/actions/unknown_action_type.rb +1 -1
- data/lib/sqreen/actions/user_action_class.rb +1 -1
- data/lib/sqreen/actions/users_index.rb +5 -1
- data/lib/sqreen/agent_message.rb +5 -0
- data/lib/sqreen/aggregated_metric.rb +5 -0
- data/lib/sqreen/attack_blocked.rb +1 -1
- data/lib/sqreen/binding_accessor.rb +1 -1
- data/lib/sqreen/binding_accessor/path_elem.rb +1 -1
- data/lib/sqreen/binding_accessor/transforms.rb +1 -1
- data/lib/sqreen/call_countable.rb +1 -1
- data/lib/sqreen/capped_queue.rb +1 -1
- data/lib/sqreen/cb.rb +1 -1
- data/lib/sqreen/condition_evaluator.rb +1 -1
- data/lib/sqreen/conditionable.rb +1 -1
- data/lib/sqreen/configuration.rb +2 -0
- data/lib/sqreen/context.rb +1 -1
- data/lib/sqreen/default_cb.rb +1 -1
- data/lib/sqreen/deferred_logger.rb +1 -1
- data/lib/sqreen/deliveries.rb +1 -1
- data/lib/sqreen/deliveries/batch.rb +1 -1
- data/lib/sqreen/deliveries/simple.rb +1 -1
- data/lib/sqreen/dependency.rb +1 -1
- data/lib/sqreen/dependency/new_relic.rb +1 -1
- data/lib/sqreen/deprecation.rb +1 -1
- data/lib/sqreen/ecosystem.rb +5 -0
- data/lib/sqreen/ecosystem/databases/database_connection_data.rb +5 -0
- data/lib/sqreen/ecosystem/databases/mongo.rb +5 -0
- data/lib/sqreen/ecosystem/databases/mysql.rb +5 -0
- data/lib/sqreen/ecosystem/databases/postgres.rb +5 -0
- data/lib/sqreen/ecosystem/databases/redis.rb +5 -0
- data/lib/sqreen/ecosystem/dispatch_table.rb +5 -0
- data/lib/sqreen/ecosystem/exception_reporting.rb +5 -0
- data/lib/sqreen/ecosystem/http/net_http.rb +5 -0
- data/lib/sqreen/ecosystem/http/rack_request.rb +5 -0
- data/lib/sqreen/ecosystem/loggable.rb +5 -0
- data/lib/sqreen/ecosystem/messaging/bunny.rb +5 -0
- data/lib/sqreen/ecosystem/messaging/kafka.rb +5 -0
- data/lib/sqreen/ecosystem/messaging/kinesis.rb +5 -0
- data/lib/sqreen/ecosystem/messaging/sqs.rb +5 -0
- data/lib/sqreen/ecosystem/module_api.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/event_listener.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/instrumentation.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/message_producer.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/signal_producer.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/tracing.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/tracing/client_data.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/tracing/consumer_data.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/tracing/messaging_data.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/tracing/producer_data.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/tracing/server_data.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/tracing_id_generation.rb +5 -0
- data/lib/sqreen/ecosystem/module_api/transaction_storage.rb +5 -0
- data/lib/sqreen/ecosystem/module_registry.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/modules/client.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/modules/consumer.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/modules/determine_ip.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/modules/producer.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/modules/server.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/sampler.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/sampling_configuration.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/signals/tracing_client.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/signals/tracing_consumer.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/signals/tracing_producer.rb +5 -0
- data/lib/sqreen/ecosystem/tracing/signals/tracing_server.rb +5 -0
- data/lib/sqreen/ecosystem/tracing_broker.rb +5 -0
- data/lib/sqreen/ecosystem/tracing_id_setup.rb +5 -0
- data/lib/sqreen/ecosystem/transaction_storage.rb +5 -0
- data/lib/sqreen/ecosystem/util/call_writers_from_init.rb +5 -0
- data/lib/sqreen/ecosystem_integration.rb +5 -0
- data/lib/sqreen/ecosystem_integration/around_callbacks.rb +5 -0
- data/lib/sqreen/ecosystem_integration/instrumentation_service.rb +5 -0
- data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb +5 -0
- data/lib/sqreen/ecosystem_integration/signal_consumption.rb +6 -8
- data/lib/sqreen/endpoint_testing.rb +5 -0
- data/lib/sqreen/error_handling_middleware.rb +1 -1
- data/lib/sqreen/event.rb +1 -1
- data/lib/sqreen/events/attack.rb +9 -1
- data/lib/sqreen/events/remote_exception.rb +1 -1
- data/lib/sqreen/events/request_record.rb +1 -1
- data/lib/sqreen/exception.rb +1 -1
- data/lib/sqreen/formatter_with_tid.rb +1 -1
- data/lib/sqreen/framework_cb.rb +1 -1
- data/lib/sqreen/frameworks/generic.rb +18 -1
- data/lib/sqreen/frameworks/sqreen_test.rb +1 -1
- data/lib/sqreen/graft.rb +1 -1
- data/lib/sqreen/graft/call.rb +1 -1
- data/lib/sqreen/graft/callback.rb +1 -1
- data/lib/sqreen/graft/hook.rb +8 -294
- data/lib/sqreen/graft/hook.ruby_2.rb +305 -0
- data/lib/sqreen/graft/hook.ruby_3.rb +305 -0
- data/lib/sqreen/graft/hook_point.rb +7 -7
- data/lib/sqreen/graft/hook_point.ruby_2.rb +18 -0
- data/lib/sqreen/graft/hook_point.ruby_3.rb +19 -0
- data/lib/sqreen/graft/hook_point_error.rb +1 -1
- data/lib/sqreen/invalid_signature_exception.rb +1 -1
- data/lib/sqreen/js.rb +1 -1
- data/lib/sqreen/js/call_context.rb +1 -1
- data/lib/sqreen/js/context_pool.rb +8 -6
- data/lib/sqreen/js/exec_js_runnable.rb +1 -1
- data/lib/sqreen/js/execjs_adapter.rb +1 -1
- data/lib/sqreen/js/executable_js.rb +1 -1
- data/lib/sqreen/js/js_service_adapter.rb +1 -1
- data/lib/sqreen/js/mini_racer_adapter.rb +2 -1
- data/lib/sqreen/js/mini_racer_executable_js.rb +2 -0
- data/lib/sqreen/js/thread_local_exec_js_runnable.rb +1 -1
- data/lib/sqreen/legacy.rb +1 -1
- data/lib/sqreen/log/loggable.rb +1 -1
- data/lib/sqreen/logger.rb +1 -1
- data/lib/sqreen/metrics.rb +1 -1
- data/lib/sqreen/metrics/average.rb +1 -1
- data/lib/sqreen/metrics/base.rb +1 -1
- data/lib/sqreen/metrics/binning.rb +1 -1
- data/lib/sqreen/metrics/collect.rb +1 -1
- data/lib/sqreen/metrics/sum.rb +1 -1
- data/lib/sqreen/metrics_store.rb +1 -1
- data/lib/sqreen/metrics_store/already_registered_metric.rb +1 -1
- data/lib/sqreen/metrics_store/unknown_metric.rb +1 -1
- data/lib/sqreen/metrics_store/unregistered_metric.rb +1 -1
- data/lib/sqreen/middleware.rb +1 -1
- data/lib/sqreen/node.rb +1 -1
- data/lib/sqreen/not_implemented_yet.rb +1 -1
- data/lib/sqreen/null_logger.rb +1 -1
- data/lib/sqreen/payload_creator/header_section.rb +1 -1
- data/lib/sqreen/performance_notifications.rb +1 -1
- data/lib/sqreen/performance_notifications/binned_metrics.rb +1 -1
- data/lib/sqreen/performance_notifications/log.rb +1 -1
- data/lib/sqreen/performance_notifications/log_performance.rb +1 -1
- data/lib/sqreen/performance_notifications/metrics.rb +1 -1
- data/lib/sqreen/prefix.rb +1 -1
- data/lib/sqreen/rails_middleware.rb +1 -1
- data/lib/sqreen/remote_command.rb +1 -1
- data/lib/sqreen/remote_command/failure_output.rb +1 -1
- data/lib/sqreen/rules/attrs.rb +1 -1
- data/lib/sqreen/rules/execjs_cb.rb +1 -0
- data/lib/sqreen/rules/run_user_actions.rb +1 -1
- data/lib/sqreen/run_when_called_cb.rb +1 -1
- data/lib/sqreen/runner.rb +11 -0
- data/lib/sqreen/safe_json.rb +1 -1
- data/lib/sqreen/sensitive_data_redactor.rb +2 -2
- data/lib/sqreen/serializer.rb +1 -1
- data/lib/sqreen/shared_storage.rb +1 -1
- data/lib/sqreen/shrink_wrap.rb +1 -1
- data/lib/sqreen/signals/conversions.rb +22 -2
- data/lib/sqreen/signals/http_trace_redaction.rb +5 -0
- data/lib/sqreen/signals/signals_submission_strategy.rb +5 -0
- data/lib/sqreen/signature_verifier.rb +1 -1
- data/lib/sqreen/sinatra_middleware.rb +1 -1
- data/lib/sqreen/sqreen_signed_verifier.rb +1 -1
- data/lib/sqreen/token_invalid_exception.rb +1 -1
- data/lib/sqreen/token_not_found_exception.rb +1 -1
- data/lib/sqreen/trie.rb +1 -1
- data/lib/sqreen/unauthorized.rb +1 -1
- data/lib/sqreen/util.rb +1 -1
- data/lib/sqreen/util/capped_array.rb +1 -1
- data/lib/sqreen/util/capped_hash.rb +1 -1
- data/lib/sqreen/util/capped_string.rb +1 -1
- data/lib/sqreen/util/capper.rb +1 -1
- data/lib/sqreen/version.rb +2 -2
- data/lib/sqreen/waf_error.rb +1 -1
- data/lib/sqreen/weave.rb +1 -1
- data/lib/sqreen/weave/budget.rb +1 -1
- data/lib/sqreen/weave/hardcoded.rb +1 -1
- data/lib/sqreen/weave/instrumentor.rb +1 -1
- data/lib/sqreen/weave/legacy.rb +1 -1
- data/lib/sqreen/weave/legacy/instrumentation.rb +62 -7
- data/lib/sqreen/web_server/generic.rb +1 -1
- data/lib/sqreen/web_server/webrick.rb +1 -1
- data/lib/sqreen/worker.rb +1 -1
- metadata +24 -12
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: ignore
|
2
2
|
|
3
3
|
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
4
|
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
@@ -105,12 +105,6 @@ module Sqreen
|
|
105
105
|
@strategy == :prepend
|
106
106
|
end
|
107
107
|
|
108
|
-
def apply(obj, suffix, *args, &block)
|
109
|
-
raise 'use super' if super?
|
110
|
-
|
111
|
-
obj.send("#{method_name}_without_#{suffix}", *args, &block)
|
112
|
-
end
|
113
|
-
|
114
108
|
def install(key, &block)
|
115
109
|
if installed?(key)
|
116
110
|
Sqreen::Graft.logger.debug { "[#{Process.pid}] #{self} already installed" }
|
@@ -344,3 +338,9 @@ module Sqreen
|
|
344
338
|
end
|
345
339
|
end
|
346
340
|
end
|
341
|
+
|
342
|
+
if RUBY_VERSION =~ /^2\./
|
343
|
+
load File.join(__dir__, 'hook_point.ruby_2.rb')
|
344
|
+
else
|
345
|
+
load File.join(__dir__, 'hook_point.ruby_3.rb')
|
346
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/graft'
|
7
|
+
|
8
|
+
module Sqreen
|
9
|
+
module Graft
|
10
|
+
class HookPoint
|
11
|
+
def apply(obj, suffix, *args, &block)
|
12
|
+
raise 'use super' if super?
|
13
|
+
|
14
|
+
obj.send("#{method_name}_without_#{suffix}", *args, &block)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
# typed: ignore
|
2
|
+
|
3
|
+
# Copyright (c) 2015 Sqreen. All Rights Reserved.
|
4
|
+
# Please refer to our terms for more information: https://www.sqreen.com/terms.html
|
5
|
+
|
6
|
+
require 'sqreen/graft'
|
7
|
+
|
8
|
+
module Sqreen
|
9
|
+
module Graft
|
10
|
+
class HookPoint
|
11
|
+
def apply(obj, suffix, *args, **kwargs, &block)
|
12
|
+
raise 'use super' if super?
|
13
|
+
|
14
|
+
obj.send("#{method_name}_without_#{suffix}", *args, **kwargs, &block)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
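Review bot: `obj.send("#{method_name}_without_#{suffix}", *args, **kwargs, &block)` on line 14 dispatches through the public `send`, which an instrumented class may redefine — `BasicSocket#send(mesg, flags)` in the standard library is the classic case — so a hook installed on such an object would call the wrong method with the wrong arguments; instrumentation code conventionally uses `obj.__send__(...)`, which cannot be shadowed. `raise 'use super'` on line 12 raises a bare `RuntimeError`; the diffstat lists `graft/hook_point_error.rb`, and if that class is meant for hook-point misuse, `raise HookPointError, 'use super'` lets callers rescue it specifically. The file also ends with a blank line 19 after the final `end`, which RuboCop's Layout/TrailingEmptyLines reports. The same `send` concern applies to the Ruby 2 variant.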
data/lib/sqreen/js.rb
CHANGED
@@ -29,9 +29,10 @@ module Sqreen
|
|
29
29
|
@mutex.synchronize do
|
30
30
|
if @contexts.empty?
|
31
31
|
@total_ctxs += 1
|
32
|
-
Sqreen.log.debug "
|
32
|
+
Sqreen.log.debug { "js:context_pool action:spawn count:#{@total_ctxs}" }
|
33
33
|
SqreenContext.new
|
34
34
|
else
|
35
|
+
Sqreen.log.debug { "js:context_pool action:pop count:#{@total_ctxs}" }
|
35
36
|
@contexts.pop
|
36
37
|
end
|
37
38
|
end
|
@@ -43,18 +44,19 @@ module Sqreen
|
|
43
44
|
if context.gc_load > 30
|
44
45
|
if context.gc_threshold_in_bytes == DEFAULT_GC_THRESHOLD
|
45
46
|
context.gc_threshold_in_bytes *= 2
|
46
|
-
Sqreen.log.warn
|
47
|
-
'collections; doubling the threshold to ' \
|
48
|
-
"#{context.gc_threshold_in_bytes} bytes")
|
47
|
+
Sqreen.log.warn { "js:context action:increase reason:gc threshold:#{context.gc_threshold_in_bytes}" }
|
49
48
|
context.gc_load = 0
|
50
49
|
else
|
51
|
-
Sqreen.log.warn
|
52
|
-
|
50
|
+
Sqreen.log.warn { "js:context action:discard reason:gc threshold:#{context.gc_threshold_in_bytes}" }
|
51
|
+
|
52
|
+
Sqreen.log.debug { "js:context_pool action:drop reason:gc count:#{@total_ctxs}" }
|
53
53
|
context.dispose
|
54
54
|
return
|
55
55
|
end
|
56
56
|
end
|
57
57
|
|
58
|
+
Sqreen.log.debug { "js:context_pool action:push count:#{@total_ctxs}" }
|
59
|
+
|
58
60
|
@mutex.synchronize { @contexts.push(context); }
|
59
61
|
end
|
60
62
|
end
|
@@ -23,7 +23,8 @@ module Sqreen
|
|
23
23
|
self.class.static_init
|
24
24
|
end
|
25
25
|
|
26
|
-
def preprocess(
|
26
|
+
def preprocess(rule_name, code)
|
27
|
+
Sqreen.log.debug("js:#{self.class.name} variant:#{variant_name} preprocess:#{rule_name}")
|
27
28
|
MiniRacerExecutableJs.new(@pool, code, @vendored)
|
28
29
|
end
|
29
30
|
|
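Review bot: The new debug call in `preprocess` uses the argument form `Sqreen.log.debug("js:#{self.class.name} variant:#{variant_name} preprocess:#{rule_name}")`, so the string is interpolated on every rule preprocess even when debug logging is off, while every other log line this release adds uses the lazy block form; `Sqreen.log.debug { "js:#{self.class.name} variant:#{variant_name} preprocess:#{rule_name}" }` keeps it consistent and free when disabled. `rule_name` also arrives as a new leading positional parameter, so any external caller of the old signature must be updated; the removed `def preprocess(` line is truncated in the rendering, so the previous arity cannot be confirmed here. The enclosing class begins before the hunk.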
@@ -37,7 +37,9 @@ module Sqreen
|
|
37
37
|
end
|
38
38
|
|
39
39
|
def run_js_cb(cb_name, budget, arguments)
|
40
|
+
Sqreen.log.debug { "js:#{self.class} callback:#{cb_name} pool:#{@pool.inspect}" }
|
40
41
|
@pool.with_context do |ctx|
|
42
|
+
Sqreen.log.debug { "js:#{self.class} callback:#{cb_name} context:#{ctx.inspect}" }
|
41
43
|
if ctx.code_failed?(@code_id)
|
42
44
|
Sqreen.log.debug do
|
43
45
|
"Skipping execution of callback #{cb_name} (code md5 #{@code_id})" \
|
data/lib/sqreen/legacy.rb
CHANGED
data/lib/sqreen/log/loggable.rb
CHANGED
data/lib/sqreen/logger.rb
CHANGED
data/lib/sqreen/metrics.rb
CHANGED
data/lib/sqreen/metrics/base.rb
CHANGED
data/lib/sqreen/metrics/sum.rb
CHANGED
data/lib/sqreen/metrics_store.rb
CHANGED
data/lib/sqreen/middleware.rb
CHANGED
data/lib/sqreen/node.rb
CHANGED
data/lib/sqreen/null_logger.rb
CHANGED
data/lib/sqreen/prefix.rb
CHANGED
data/lib/sqreen/rules/attrs.rb
CHANGED
@@ -102,6 +102,7 @@ module Sqreen
|
|
102
102
|
end
|
103
103
|
arguments = @argument_filter.filter(cb_name, arguments)
|
104
104
|
|
105
|
+
Sqreen.log.debug { "js:#{@executable.class} callback:#{cb_name}" }
|
105
106
|
ret = @executable.run_js_cb(cb_name, budget, arguments)
|
106
107
|
|
107
108
|
unless record_and_continue?(ret)
|
data/lib/sqreen/runner.rb
CHANGED
@@ -6,6 +6,7 @@
|
|
6
6
|
require 'ipaddr'
|
7
7
|
require 'timeout'
|
8
8
|
require 'json'
|
9
|
+
require 'pathname'
|
9
10
|
|
10
11
|
require 'sqreen/events/attack'
|
11
12
|
|
@@ -217,6 +218,16 @@ module Sqreen
|
|
217
218
|
session_rules = session.rules
|
218
219
|
rules_pack = session_rules['rules']
|
219
220
|
rulespack_id = session_rules['pack_id']
|
221
|
+
elsif @configuration.get(:rules_dump)
|
222
|
+
rules_dir = (defined?(Rails) ? Rails.root : Pathname.pwd) + 'tmp/sqreen/rules'
|
223
|
+
FileUtils.mkdir_p(rules_dir.to_s)
|
224
|
+
File.open("#{rules_dir}/#{rulespack_id}.json", "wb") { |f| f.write(JSON.pretty_generate(rules_pack)) }
|
225
|
+
FileUtils.mkdir_p("#{rules_dir}/#{rulespack_id}")
|
226
|
+
rules_pack.each do |r|
|
227
|
+
r = r.dup
|
228
|
+
r['rulespack_id'] = rulespack_id
|
229
|
+
File.open("#{rules_dir}/#{rulespack_id}/#{r['name']}.json", "wb") { |f| f.write(JSON.pretty_generate(r)) }
|
230
|
+
end
|
220
231
|
end
|
221
232
|
rules = rules_pack.each { |r| r['rulespack_id'] = rulespack_id }
|
222
233
|
Sqreen.log.info { format('retrieved rulespack id: %s', rulespack_id) }
|