sqreen 1.23.0 → 1.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6b62b53864420b27411824bf5d51c80949a7e98357edd128e64ee0e77039476
-  data.tar.gz: 85a9d762af8063c9e42978100907561397bd00e8278978b9a67f01e5fe52670f
+  metadata.gz: 91d799812d8133a1915b8174bc71b1986028bbea556ed445cc8bd8c240176d96
+  data.tar.gz: d7f9e221109affd64736c772f030ba618dba20cdbaac1b5369772e2d151b12ff
 SHA512:
-  metadata.gz: ca4c03f84749101fe1b2235ead061cf597bfb0a4d08d95d9cd3b24cdb9ca77eea3928fa00ce4db22219acea02c93539251f384002ccb3e4fffd1c484d54ad938
-  data.tar.gz: 02e372ee65122d783685df0756bf069a30225348239703465a7a20f751865bc5ab79ba9c0c99dafc1551d1812532669089681dc71b8375cb4791df749f9d3977
+  metadata.gz: 996a203e716bb890c32c00d75b89e534e78e7fad75dc1ec05acf1089cfc2865ab1d907ea5f364dacd377cbf3e102f3a1ca14ac246a1960a3986334cb5f3de698
+  data.tar.gz: 8af17107b023e921b9a660126cc368eb43893724b35c7af76afb6461c623e8d80c9d35f5537af9078b51df8d8f84d6a44b361595249e6db514e64c5e24594bd7

data/CHANGELOG.md

@@ -1,3 +1,38 @@
+## 1.25.0
+
+* Switch from old sq_mini_racer to upstream mini_racer
+* Support Ruby 3.1
+* Restrict compatiblity to Ruby 2.6 and up
+
+## 1.24.3
+
+* Fix WAF exception reporting corner case
+
+## 1.24.2
+
+* Fix kwargs for rule callbacks on Ruby 3+
+* Fix properties propagation for custom events
+* Fix Devise key type mismatch for signup
+
+## 1.24.1
+
+* Add Datadog trace keeping through sampling
+* Improve Datadog correlation compatibility with Sinatra
+* Improve attack event correlation with Datadog spans
+
+## 1.24.0
+
+* Add Sqreen event correlation with Datadog traces
+
+## 1.23.2
+
+* Fix compatibility with NewRelic for attack events
+* Fix incorrect rule rejection despite all signature checks individually passing
+
+## 1.23.1
+
+* Improve compatibility with gems such as puma and graphql on Ruby 3.0
+
 ## 1.23.0
 
 * Implement GraphQL support

data/bin/sqreen

@@ -0,0 +1,43 @@
+#!/usr/bin/env ruby
+
+def logger
+  @logger ||= Logger.new(STDOUT, level: :debug)
+end
+
+def verify(rules)
+  verifier = Sqreen::SqreenSignedVerifier.new
+
+  invalid_rules = rules.reject do |rule|
+    valid = verifier.verify(rule)
+
+    if valid
+      logger.debug { "rule: #{rule['name']} signed: true result: ok" }
+    else
+      logger.error { "rule: #{rule['name']} singed: true result: fail" }
+    end
+
+    valid
+  end
+
+  if invalid_rules.any?
+    logger.error { "weave: instrument status: abort reason: signature result: fail" }
+    raise Sqreen::Exception, "Signature error: rules: #{invalid_rules.map { |r| r['name'] }.inspect}"
+  else
+    logger.info { "weave: instrument rules: signed result: ok" }
+  end
+end
+
+def check_signature(file)
+  require 'json'
+  require 'logger'
+  require 'sqreen/sqreen_signed_verifier'
+
+  content = File.open(file, 'rb', &:read)
+  json = JSON.parse(content)
+
+  p verify(json)
+end
+
+case ARGV[0]
+when 'check-signature' then check_signature(ARGV[1]) || exit(1)
+end

data/lib/sqreen/configuration.rb

@@ -56,6 +56,8 @@ module Sqreen
       :default => nil },
     { :env => :SQREEN_RULES_SIGNATURE, :name => :rules_verify_signature,
       :default => true },
+    { :env => :SQREEN_RULES_DUMP, :name => :rules_dump,
+      :default => false },
     { :env => :SQREEN_LOG_LEVEL, :name => :log_level,
       :default => 'INFO', :choice => %w[UNKNOWN FATAL ERROR WARN INFO DEBUG] },
     { :env => :SQREEN_LOG_LOCATION, :name => :log_location,

data/lib/sqreen/dependency/new_relic.rb

@@ -19,7 +19,7 @@ module Sqreen
       def ignore_sqreen_exceptions
         return unless required?
 
-        NewRelic::Agent::Agent.instance.error_collector.ignore(['Sqreen::AttackBlocked'])
+        ::NewRelic::Agent::Agent.instance.error_collector.ignore(['Sqreen::AttackBlocked'])
       rescue ::Exception => e # rubocop:disable Lint/RescueException
         Sqreen.log.warn "Failed ignoring AttackBlocked on NewRelic: #{e.inspect}"
       end

data/lib/sqreen/dependency/sinatra.rb

@@ -61,6 +61,26 @@ module Sqreen
             u.append(p)
           end
         end
+
+        insert_datadog_middleware(builder, *args, &block)
+      end
+
+      def insert_datadog_middleware(builder, *args, &block)
+        return unless defined?(Datadog) && Datadog.respond_to?(:configuration) && Datadog.configuration.instrumented_integrations.key?(:sinatra)
+
+        Datadog.configure do |c|
+          sinatra_config = Datadog.configuration[:sinatra]
+
+          c.use(
+            :rack,
+            service_name: sinatra_config[:service_name],
+            distributed_tracing: sinatra_config[:distributed_tracing],
+          ) unless Datadog.configuration.instrumented_integrations.key?(:rack)
+        end
+
+        insert_middleware(builder, Datadog::Contrib::Rack::TraceMiddleware, args, block) do |p, u|
+          u.insert(0, p)
+        end
       end
 
       def wrap_middleware(middleware, *args, &block)

data/lib/sqreen/events/attack.rb

@@ -63,6 +63,14 @@ module Sqreen
       payload['context']['backtrace']
     end
 
+    def datadog_trace_id
+      payload['context']['datadog_trace_id']
+    end
+
+    def datadog_span_id
+      payload['context']['datadog_span_id']
+    end
+
     def enqueue
       Sqreen.queue.push(self)
     end

data/lib/sqreen/frameworks/generic.rb

@@ -173,7 +173,18 @@ module Sqreen
           :remote_port => req.env['REMOTE_PORT'],
           :remote_ip => remote_addr,
           :client_ip => client_ip,
-        }
+        }.tap do |h|
+          h.merge!(
+            :datadog_trace_id => datadog_span.trace_id,
+            :datadog_span_id => datadog_span.span_id,
+          ) if datadog_span
+        end
+      end
+
+      def datadog_span
+        return unless defined?(Datadog) && (tracer = Datadog.tracer)
+
+        tracer.active_span
       end
 
       def response_infos

data/lib/sqreen/graft/hook.rb

@@ -4,9 +4,8 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'sqreen/graft'
-require 'sqreen/graft/call'
-require 'sqreen/graft/callback'
 require 'sqreen/graft/hook_point'
+require 'sqreen/graft/callback'
 
 module Sqreen
   module Graft
@@ -124,299 +123,12 @@ module Sqreen
         @raised = []
         @ensured = []
       end
-
-      def self.wrapper(hook)
-        timed_hooks_proc = proc do |t|
-          if (request = Thread.current[:sqreen_http_request])
-            request[:timed_hooks] << t if request[:timed_level] >= 1
-          end
-        end
-        timed_callbacks_proc = proc do |t|
-          if (request = Thread.current[:sqreen_http_request])
-            request[:timed_callbacks] << t if request[:timed_level] >= 1
-          end
-        end
-
-        Proc.new do |*args, &block|
-          request = Thread.current[:sqreen_http_request]
-
-          if Thread.current[:sqreen_hook_entered]
-            if hook.point.super?
-              return super(*args, &block)
-            else
-              return hook.point.apply(self, 'sqreen_hook', *args, &block)
-            end
-          end
-
-          if request && request[:time_budget_expended] && (hook.before + hook.after + hook.raised + hook.ensured).none?(&:mandatory)
-            if request[:timed_level] >= 2
-              begin
-                request[:skipped_callbacks].concat(hook.before)
-
-                if hook.point.super?
-                  return super(*args, &block)
-                else
-                  return hook.point.apply(self, 'sqreen_hook', *args, &block)
-                end
-              rescue ::Exception # rubocop:disable Lint/RescueException
-                request[:skipped_callbacks].concat(hook.raised)
-                raise
-              else
-                request[:skipped_callbacks].concat(hook.after)
-              ensure
-                request[:skipped_callbacks].concat(hook.ensured)
-              end
-            else
-              if hook.point.super? # rubocop:disable Style/IfInsideElse
-                return super(*args, &block)
-              else
-                return hook.point.apply(self, 'sqreen_hook', *args, &block)
-              end
-            end
-          end
-
-          hook_point_super = hook.point.super?
-          logger = Sqreen::Graft.logger
-          logger_debug = Sqreen::Graft.logger.debug?
-
-          Timer.new(hook.point, &timed_hooks_proc).measure do |chrono|
-            # budget implies request
-            # TODO: make budget depend on a generic context (currently "request")
-            budget = request[:time_budget] if request
-            if budget
-              budget_threshold = request[:time_budget_threshold]
-              budget_ratio = request[:time_budget_ratio]
-              sqreen_timer = request[:sqreen_timer]
-              request_timer = request[:request_timer]
-            end
-
-            hooked_call = HookedCall.new(self, args)
-
-            begin
-              begin
-                sqreen_timer.start if budget
-                Thread.current[:sqreen_hook_entered] = true
-
-                # TODO: make Call have #ball to throw by cb
-                # TODO: can Call be the ball? r = catch(Call.new, &c)
-                # TODO: is catch return value a Call? a #dispatch?
-                # TODO: make before/after/raised return a CallbackCollection << Array (or extend with module)
-                # TODO: add CallbackCollection#each_with_call(instance, args) { |call| ... } ?
-                # TODO: HookCall x CallbackCollection#each_with_call x Flow
-                # TODO: TimedHookCall TimedCallbackCall
-                # TODO: TimeBoundHookCall TimeBoundCallbackCall TimeBoundFlow?
-
-                request_elapsed = request_timer.elapsed if budget
-
-                hook.before.each do |c|
-                  next if c.ignore && c.ignore.call
-
-                  if budget && !c.mandatory
-                    sqreen_elapsed = sqreen_timer.elapsed
-                    if budget_ratio && !request[:time_budget_expended]
-                      fixed_budget = budget_threshold
-                      proportional_budget = (request_elapsed - sqreen_elapsed) * budget_ratio
-                      remaining = (fixed_budget > proportional_budget ? fixed_budget : proportional_budget) - sqreen_elapsed
-                    else
-                      remaining = budget_threshold - sqreen_elapsed
-                    end
-                    unless remaining > 0
-                      request[:skipped_callbacks] << c
-                      request[:time_budget_expended] = true
-                      next
-                    end
-                  end
-
-                  flow = catch(Ball.new) do |ball|
-                    Timer.new(c.name, &timed_callbacks_proc).measure(ignore: chrono) do
-                      c.call(CallbackCall.new(c, remaining, hooked_call.instance, hooked_call.args_passed), ball)
-                    end
-                  end
-
-                  next unless c.flow && flow.is_a?(Flow)
-                  hooked_call.raise = flow.raise and hooked_call.raising = true if flow.raise?
-                  hooked_call.args_pass = flow.args and hooked_call.args_passing = true if flow.args?
-                  hooked_call.return = flow.return and hooked_call.returning = true if flow.return?
-                  break if flow.break?
-                end unless hook.disabled?
-              rescue StandardError => e
-                Sqreen::Weave.logger.debug { "exception:#{e.class} when:before message:'#{e.message}' location:\"#{e.backtrace[0]}\"" }
-                Sqreen::RemoteException.record(e) if Sqreen.queue
-              end
-
-              raise hooked_call.raise if hooked_call.raising
-              return hooked_call.return if hooked_call.returning
-            ensure
-              Thread.current[:sqreen_hook_entered] = false
-              sqreen_timer.stop if budget
-            end unless hook.before.empty?
-
-            begin
-              chrono.ignore do
-                if hook_point_super
-                  hooked_call.returned = super(*(hooked_call.args_passing ? hooked_call.args_pass : hooked_call.args_passed), &block)
-                else
-                  hooked_call.returned = hook.point.apply(hooked_call.instance, 'sqreen_hook', *(hooked_call.args_passing ? hooked_call.args_pass : hooked_call.args_passed), &block)
-                end
-              end
-            rescue ::Exception => e # rubocop:disable Lint/RescueException
-              begin
-                sqreen_timer.start if budget
-                Thread.current[:sqreen_hook_entered] = true
-                hooked_call.raised = e
-
-                logger.debug { "[#{Process.pid}] Hook #{hook.point} disabled:#{hook.disabled?} exception:#{e}" } if logger_debug
-
-                # TODO: early escape causes raise too early then caught by ensure which mistakenly reports legit errors to sqreen
-                # raise if hook.raised.empty?
-
-                request_elapsed = request_timer.elapsed if budget
-
-                hook.raised.each do |c|
-                  next if c.ignore && c.ignore.call
-
-                  if budget && !c.mandatory
-                    sqreen_elapsed = sqreen_timer.elapsed
-                    if budget_ratio && !request[:time_budget_expended]
-                      fixed_budget = budget_threshold
-                      proportional_budget = (request_elapsed - sqreen_elapsed) * budget_ratio
-                      remaining = (fixed_budget > proportional_budget ? fixed_budget : proportional_budget) - sqreen_elapsed
-                    else
-                      remaining = budget_threshold - sqreen_elapsed
-                    end
-                    unless remaining > 0
-                      request[:skipped_callbacks] << c
-                      request[:time_budget_expended] = true
-                      next
-                    end
-                  end
-
-                  flow = catch(Ball.new) do |ball|
-                    Timer.new(c.name, &timed_callbacks_proc).measure(ignore: chrono) do
-                      c.call(CallbackCall.new(c, remaining, hooked_call.instance, hooked_call.args_passing ? hooked_call.args_pass : hooked_call.args_passed, hooked_call.raised), ball)
-                    end
-                  end
-
-                  next unless c.flow && flow.is_a?(Flow)
-                  hooked_call.raise = flow.raise and hooked_call.raising = true if flow.raise?
-                  hooked_call.return = flow.return and hooked_call.returning = true if flow.return?
-                  hooked_call.retrying = true if flow.retry?
-                  break if flow.break?
-                end unless hook.disabled?
-              rescue StandardError => e
-                Sqreen::Weave.logger.debug { "exception:#{e.class} when:raised message:'#{e.message}' location:\"#{e.backtrace[0]}\"" }
-                Sqreen::RemoteException.record(e) if Sqreen.queue
-              end
-
-              retry if hooked_call.retrying
-              raise hooked_call.raise if hooked_call.raising
-              return hooked_call.return if hooked_call.returning
-              raise
-            else
-              begin
-                sqreen_timer.start if budget
-                Thread.current[:sqreen_hook_entered] = true
-
-                # TODO: hooked_call.returning should be always false here?
-                return hooked_call.returning ? hooked_call.return : hooked_call.returned if hook.after.empty?
-
-                request_elapsed = request_timer.elapsed if budget
-
-                hook.after.each do |c|
-                  next if c.ignore && c.ignore.call
-
-                  if budget && !c.mandatory
-                    sqreen_elapsed = sqreen_timer.elapsed
-                    if budget_ratio && !request[:time_budget_expended]
-                      fixed_budget = budget_threshold
-                      proportional_budget = (request_elapsed - sqreen_elapsed) * budget_ratio
-                      remaining = (fixed_budget > proportional_budget ? fixed_budget : proportional_budget) - sqreen_elapsed
-                    else
-                      remaining = budget_threshold - sqreen_elapsed
-                    end
-                    unless remaining > 0
-                      request[:skipped_callbacks] << c
-                      request[:time_budget_expended] = true
-                      next
-                    end
-                  end
-
-                  flow = catch(Ball.new) do |ball|
-                    Timer.new(c.name, &timed_callbacks_proc).measure(ignore: chrono) do
-                      c.call(CallbackCall.new(c, remaining, hooked_call.instance, hooked_call.args_passing ? hooked_call.args_pass : hooked_call.args_passed, nil, hooked_call.returned), ball)
-                    end
-                  end
-
-                  next unless c.flow && flow.is_a?(Flow)
-                  hooked_call.raise = flow.raise and hooked_call.raising = true if flow.raise?
-                  hooked_call.return = flow.return and hooked_call.returning = true if flow.return?
-                  break if flow.break?
-                end unless hook.disabled?
-              rescue StandardError => e
-                Sqreen::Weave.logger.debug { "exception:#{e.class} when:after message:'#{e.message}' location:\"#{e.backtrace[0]}\"" }
-                Sqreen::RemoteException.record(e) if Sqreen.queue
-              end
-
-              raise hooked_call.raise if hooked_call.raising
-              return hooked_call.returning ? hooked_call.return : hooked_call.returned
-            ensure
-              begin
-                # TODO: sqreen_timer.start if someone has thrown?
-                # TODO: sqreen_timer.stop at end of rescue+else?
-                # TODO: Thread.current[:sqreen_hook_entered] = true if neither rescue nor else ie thrown?
-                # TODO: Thread.current[:sqreen_hook_entered] = false at end of rescue+else? (risky?)
-
-                # TODO: uniform early bail out? (but don't forget sqreen_hook_entered and sqreen_timer)
-                # return hooked_call.returning ? hooked_call.return : hooked_call.returned if hook.ensured.empty?
-
-                # done at either rescue or else
-                # request_elapsed = request_timer.elapsed if budget # && !hook.ensured.empty?
-
-                hook.ensured.each do |c|
-                  next if c.ignore && c.ignore.call
-
-                  if budget && !c.mandatory
-                    sqreen_elapsed = sqreen_timer.elapsed
-                    if budget_ratio && !request[:time_budget_expended]
-                      fixed_budget = budget_threshold
-                      proportional_budget = (request_elapsed - sqreen_elapsed) * budget_ratio
-                      remaining = (fixed_budget > proportional_budget ? fixed_budget : proportional_budget) - sqreen_elapsed
-                    else
-                      remaining = budget_threshold - sqreen_elapsed
-                    end
-                    unless remaining > 0
-                      request[:skipped_callbacks] << c
-                      request[:time_budget_expended] = true
-                      next
-                    end
-                  end
-
-                  flow = catch(Ball.new) do |ball|
-                    Timer.new(c.name, &timed_callbacks_proc).measure(ignore: chrono) do
-                      c.call(CallbackCall.new(c, remaining, hooked_call.instance, hooked_call.args_passing ? hooked_call.args_pass : hooked_call.args_passed, nil, hooked_call.returned), ball)
-                    end
-                  end
-
-                  next unless c.flow && flow.is_a?(Flow)
-                  hooked_call.raise = flow.raise and hooked_call.raising = true if flow.raise?
-                  hooked_call.return = flow.return and hooked_call.returning = true if flow.return?
-                  break if flow.break?
-                end unless hook.ensured.empty? || hook.disabled?
-
-                Thread.current[:sqreen_hook_entered] = false
-                sqreen_timer.stop if budget
-              rescue StandardError => e
-                Sqreen::Weave.logger.debug { "exception:#{e.class} when:ensured message:'#{e.message}' location:\"#{e.backtrace[0]}\"" }
-                Sqreen::RemoteException.record(e) if Sqreen.queue
-              end
-
-              # TODO: should we run the following?
-              # raise hooked_call.raise if hooked_call.raising
-              # return hooked_call.returning ? hooked_call.return : hooked_call.returned
-            end
-          end # chrono
-        end
-      end
     end
   end
 end
+
+if RUBY_VERSION =~ /^2\./
+  load File.join(__dir__, 'hook.ruby_2.rb')
+else
+  load File.join(__dir__, 'hook.ruby_3.rb')
+end