sqreen 1.23.0 → 1.25.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/bin/sqreen +43 -0
- data/lib/sqreen/configuration.rb +2 -0
- data/lib/sqreen/dependency/new_relic.rb +1 -1
- data/lib/sqreen/dependency/sinatra.rb +20 -0
- data/lib/sqreen/events/attack.rb +8 -0
- data/lib/sqreen/frameworks/generic.rb +12 -1
- data/lib/sqreen/graft/hook.rb +7 -295
- data/lib/sqreen/graft/hook.ruby_2.rb +305 -0
- data/lib/sqreen/graft/hook.ruby_3.rb +305 -0
- data/lib/sqreen/graft/hook_point.rb +6 -6
- data/lib/sqreen/graft/hook_point.ruby_2.rb +18 -0
- data/lib/sqreen/graft/hook_point.ruby_3.rb +19 -0
- data/lib/sqreen/js/js_service.rb +16 -1
- data/lib/sqreen/js/mini_racer_adapter.rb +1 -1
- data/lib/sqreen/js/mini_racer_executable_js.rb +1 -1
- data/lib/sqreen/rules/devise_signup_track_cb.rb +1 -1
- data/lib/sqreen/rules/rule_cb.rb +9 -0
- data/lib/sqreen/rules/waf_cb.rb +1 -1
- data/lib/sqreen/runner.rb +11 -0
- data/lib/sqreen/signals/conversions.rb +20 -4
- data/lib/sqreen/version.rb +1 -1
- data/lib/sqreen/weave/legacy/instrumentation.rb +6 -0
- metadata +18 -18
data/lib/sqreen/js/js_service.rb
CHANGED
@@ -33,7 +33,7 @@ module Sqreen
|
|
33
33
|
private
|
34
34
|
|
35
35
|
def detect_adapter
|
36
|
-
@online = try_sq_mini_racer || try_rhino
|
36
|
+
@online = try_sq_mini_racer || try_mini_racer || try_rhino
|
37
37
|
|
38
38
|
Sqreen.log.info "JS engine online: #{variant}" if @online
|
39
39
|
end
|
@@ -53,6 +53,21 @@ module Sqreen
|
|
53
53
|
false
|
54
54
|
end
|
55
55
|
|
56
|
+
def try_mini_racer
|
57
|
+
gem = Gem.loaded_specs['mini_racer']
|
58
|
+
unless gem
|
59
|
+
Sqreen.log.info "mini_racer gem not detected"
|
60
|
+
return false
|
61
|
+
end
|
62
|
+
|
63
|
+
require 'mini_racer'
|
64
|
+
require 'sqreen/js/mini_racer_adapter'
|
65
|
+
@adapter = MiniRacerAdapter.new(false)
|
66
|
+
rescue LoadError => e
|
67
|
+
Sqreen.log.warn "Failed loading mini_racer: #{e}"
|
68
|
+
false
|
69
|
+
end
|
70
|
+
|
56
71
|
def try_rhino
|
57
72
|
gem = Gem.loaded_specs['therubyrhino']
|
58
73
|
unless gem
|
@@ -34,7 +34,7 @@ module Sqreen
|
|
34
34
|
|
35
35
|
def self.static_init
|
36
36
|
return if @done_static_init
|
37
|
-
Sqreen::MiniRacer::Platform.set_flags! :noconcurrent_recompilation
|
37
|
+
Sqreen::MiniRacer::Platform.set_flags! :noconcurrent_recompilation if @vendored
|
38
38
|
@done_static_init = true
|
39
39
|
end
|
40
40
|
end
|
@@ -118,7 +118,7 @@ module Sqreen
|
|
118
118
|
|
119
119
|
# garbage collections max 1 in every 4 calls (avg)
|
120
120
|
if heap_stats[:total_heap_size] > @gc_threshold_in_bytes
|
121
|
-
low_memory_notification
|
121
|
+
low_memory_notification if respond_to?(:low_memory_notification)
|
122
122
|
@gc_load += 4
|
123
123
|
else
|
124
124
|
@gc_load = [0, @gc_load - 1].max
|
@@ -20,7 +20,7 @@ module Sqreen
|
|
20
20
|
keys = args[1].class.authentication_keys
|
21
21
|
ip = framework.client_ip
|
22
22
|
category = 'auto-signup'
|
23
|
-
data = data.select { |k, _| keys.include?(k) }
|
23
|
+
data = data.select { |k, _| keys.map(&:to_s).include?(k.to_s) }
|
24
24
|
|
25
25
|
if data.empty?
|
26
26
|
Sqreen.log.debug { "#{category} from #{ip} but keys empty" }
|
data/lib/sqreen/rules/rule_cb.rb
CHANGED
@@ -70,6 +70,15 @@ module Sqreen
|
|
70
70
|
if payload_tpl.include?('context')
|
71
71
|
payload[:backtrace] = Sqreen::Context.new.bt
|
72
72
|
end
|
73
|
+
if framework.respond_to?(:datadog_span) && (datadog_span = framework.datadog_span)
|
74
|
+
Sqreen::Weave.logger.debug { "attack datadog:true span_id:#{datadog_span.span_id} parent_id:#{datadog_span.parent_id} trace_id:#{datadog_span.trace_id}" }
|
75
|
+
payload.merge!(
|
76
|
+
:datadog_trace_id => datadog_span.trace_id,
|
77
|
+
:datadog_span_id => datadog_span.span_id,
|
78
|
+
)
|
79
|
+
datadog_span.set_tag(Datadog::Ext::ManualTracing::TAG_KEEP, true)
|
80
|
+
datadog_span.set_tag('sqreen.event', true)
|
81
|
+
end
|
73
82
|
framework.observe(:attacks, payload, payload_tpl)
|
74
83
|
end
|
75
84
|
|
data/lib/sqreen/rules/waf_cb.rb
CHANGED
data/lib/sqreen/runner.rb
CHANGED
@@ -6,6 +6,7 @@
|
|
6
6
|
require 'ipaddr'
|
7
7
|
require 'timeout'
|
8
8
|
require 'json'
|
9
|
+
require 'pathname'
|
9
10
|
|
10
11
|
require 'sqreen/events/attack'
|
11
12
|
|
@@ -217,6 +218,16 @@ module Sqreen
|
|
217
218
|
session_rules = session.rules
|
218
219
|
rules_pack = session_rules['rules']
|
219
220
|
rulespack_id = session_rules['pack_id']
|
221
|
+
elsif @configuration.get(:rules_dump)
|
222
|
+
rules_dir = (defined?(Rails) ? Rails.root : Pathname.pwd) + 'tmp/sqreen/rules'
|
223
|
+
FileUtils.mkdir_p(rules_dir.to_s)
|
224
|
+
File.open("#{rules_dir}/#{rulespack_id}.json", "wb") { |f| f.write(JSON.pretty_generate(rules_pack)) }
|
225
|
+
FileUtils.mkdir_p("#{rules_dir}/#{rulespack_id}")
|
226
|
+
rules_pack.each do |r|
|
227
|
+
r = r.dup
|
228
|
+
r['rulespack_id'] = rulespack_id
|
229
|
+
File.open("#{rules_dir}/#{rulespack_id}/#{r['name']}.json", "wb") { |f| f.write(JSON.pretty_generate(r)) }
|
230
|
+
end
|
220
231
|
end
|
221
232
|
rules = rules_pack.each { |r| r['rulespack_id'] = rulespack_id }
|
222
233
|
Sqreen.log.info { format('retrieved rulespack id: %s', rulespack_id) }
|
@@ -44,11 +44,17 @@ module Sqreen
|
|
44
44
|
# XXX: not used because we don't use Sqreen::Attack
|
45
45
|
def convert_attack(attack)
|
46
46
|
# no need to set actor/context as we only include them in request records/traces
|
47
|
+
location_h = {}
|
48
|
+
location_h.merge!(stack_trace: attack.backtrace) if attack.backtrace
|
49
|
+
location_h.merge!(datadog_trace_id: datadog_trace_id) if attack.datadog_trace_id
|
50
|
+
location_h.merge!(datadog_span_id: datadog_span_id) if attack.datadog_span_id
|
51
|
+
location = Kit::Signals::Location.new(location_h) unless location_h.empty?
|
52
|
+
|
47
53
|
Kit::Signals::Specialized::Attack.new(
|
48
54
|
signal_name: "sq.agent.attack.#{attack.attack_type}",
|
49
55
|
source: "sqreen:rule:#{attack.rulespack_id}:#{attack.rule_name}",
|
50
56
|
time: attack.time,
|
51
|
-
location:
|
57
|
+
location: location,
|
52
58
|
payload: Kit::Signals::Specialized::Attack::Payload.new(
|
53
59
|
test: attack.test?,
|
54
60
|
block: attack.block?,
|
@@ -59,11 +65,17 @@ module Sqreen
|
|
59
65
|
|
60
66
|
# see Sqreen::Rules::RuleCB.record_event
|
61
67
|
def convert_unstructured_attack(payload)
|
68
|
+
location_h = {}
|
69
|
+
location_h.merge!(stack_trace: payload[:backtrace]) if payload[:backtrace]
|
70
|
+
location_h.merge!(datadog_trace_id: payload[:datadog_trace_id]) if payload[:datadog_span_id]
|
71
|
+
location_h.merge!(datadog_span_id: payload[:datadog_span_id]) if payload[:datadog_span_id]
|
72
|
+
location = Kit::Signals::Location.new(location_h) unless location_h.empty?
|
73
|
+
|
62
74
|
Kit::Signals::Specialized::Attack.new(
|
63
75
|
signal_name: "sq.agent.attack.#{payload[:attack_type]}",
|
64
76
|
source: "sqreen:rule:#{payload[:rulespack_id]}:#{payload[:rule_name]}",
|
65
77
|
time: payload[:time],
|
66
|
-
location:
|
78
|
+
location: location,
|
67
79
|
payload: Kit::Signals::Specialized::Attack::Payload.new(
|
68
80
|
test: payload[:test],
|
69
81
|
block: payload[:block],
|
@@ -185,12 +197,13 @@ module Sqreen
|
|
185
197
|
# see Sqreen::RequestRecord.processed_sdk_calls
|
186
198
|
def convert_track(call_info)
|
187
199
|
options = call_info[:args][1] || {}
|
200
|
+
args = options[:args] || {}
|
188
201
|
Kit::Signals::Specialized::SdkTrackCall.new(
|
189
202
|
signal_name: "sq.sdk.#{call_info[:args][0]}",
|
190
203
|
time: call_info[:time],
|
191
204
|
payload: Kit::Signals::Specialized::SdkTrackCall::Payload.new(
|
192
|
-
properties:
|
193
|
-
user_identifiers:
|
205
|
+
properties: args[:properties],
|
206
|
+
user_identifiers: args[:user_identifiers]
|
194
207
|
)
|
195
208
|
)
|
196
209
|
end
|
@@ -234,6 +247,9 @@ module Sqreen
|
|
234
247
|
status: resp_payload[:status],
|
235
248
|
content_length: resp_payload[:content_length],
|
236
249
|
content_type: resp_payload[:content_type],
|
250
|
+
# datadog
|
251
|
+
datadog_trace_id: req_payload[:datadog_trace_id],
|
252
|
+
datadog_span_id: req_payload[:datadog_span_id],
|
237
253
|
}
|
238
254
|
)
|
239
255
|
end
|
data/lib/sqreen/version.rb
CHANGED
@@ -180,6 +180,8 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
180
180
|
else
|
181
181
|
Sqreen::Weave.logger.error { "rule: #{rule['name']} singed: true result: fail" }
|
182
182
|
end
|
183
|
+
|
184
|
+
valid
|
183
185
|
end
|
184
186
|
if invalid_rules.any?
|
185
187
|
Sqreen::Weave.logger.error { "weave: instrument status: abort reason: signature result: fail" }
|
@@ -242,6 +244,9 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
242
244
|
|
243
245
|
# shrinkwrap_timer = Sqreen::Graft::Timer.new('weave,shrinkwrap')
|
244
246
|
# shrinkwrap_timer.start
|
247
|
+
if defined?(Datadog) && Datadog.tracer && (datadog_span = Datadog.tracer.active_root_span)
|
248
|
+
Sqreen::Weave.logger.debug { "request datadog:true span_id:#{datadog_span.span_id} parent_id:#{datadog_span.parent_id} trace_id:#{datadog_span.trace_id}" }
|
249
|
+
end
|
245
250
|
|
246
251
|
request_timer = Sqreen::Graft::Timer.new("request")
|
247
252
|
request_timer.start
|
@@ -267,6 +272,7 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
267
272
|
timed_level: timed_level,
|
268
273
|
skipped_callbacks: [],
|
269
274
|
# timed_shrinkwrap: shrinkwrap_timer,
|
275
|
+
datadog_span: datadog_span,
|
270
276
|
}
|
271
277
|
|
272
278
|
# shrinkwrap_timer.stop
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sqreen
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.25.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Sqreen
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 1980-01-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: sqreen-backport
|
@@ -30,34 +30,28 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 0.2.
|
33
|
+
version: 0.2.4
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 0.2.
|
40
|
+
version: 0.2.4
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
|
-
name:
|
42
|
+
name: mini_racer
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
|
-
- - "
|
46
|
-
- !ruby/object:Gem::Version
|
47
|
-
version: '0.2'
|
48
|
-
- - "<"
|
45
|
+
- - ">="
|
49
46
|
- !ruby/object:Gem::Version
|
50
|
-
version: 0.4.
|
47
|
+
version: 0.4.0
|
51
48
|
type: :runtime
|
52
49
|
prerelease: false
|
53
50
|
version_requirements: !ruby/object:Gem::Requirement
|
54
51
|
requirements:
|
55
|
-
- - "
|
56
|
-
- !ruby/object:Gem::Version
|
57
|
-
version: '0.2'
|
58
|
-
- - "<"
|
52
|
+
- - ">="
|
59
53
|
- !ruby/object:Gem::Version
|
60
|
-
version: 0.4.
|
54
|
+
version: 0.4.0
|
61
55
|
- !ruby/object:Gem::Dependency
|
62
56
|
name: libsqreen
|
63
57
|
requirement: !ruby/object:Gem::Requirement
|
@@ -75,7 +69,8 @@ dependencies:
|
|
75
69
|
description: Sqreen is a SaaS based Application protection and monitoring platform
|
76
70
|
that integrates directly into your Ruby applications. Learn more at https://sqreen.com.
|
77
71
|
email: contact@sqreen.com
|
78
|
-
executables:
|
72
|
+
executables:
|
73
|
+
- sqreen
|
79
74
|
extensions: []
|
80
75
|
extra_rdoc_files: []
|
81
76
|
files:
|
@@ -84,6 +79,7 @@ files:
|
|
84
79
|
- LICENSE
|
85
80
|
- README.md
|
86
81
|
- Rakefile
|
82
|
+
- bin/sqreen
|
87
83
|
- lib/sqreen.rb
|
88
84
|
- lib/sqreen/actions.rb
|
89
85
|
- lib/sqreen/actions/actions_index.rb
|
@@ -198,7 +194,11 @@ files:
|
|
198
194
|
- lib/sqreen/graft/call.rb
|
199
195
|
- lib/sqreen/graft/callback.rb
|
200
196
|
- lib/sqreen/graft/hook.rb
|
197
|
+
- lib/sqreen/graft/hook.ruby_2.rb
|
198
|
+
- lib/sqreen/graft/hook.ruby_3.rb
|
201
199
|
- lib/sqreen/graft/hook_point.rb
|
200
|
+
- lib/sqreen/graft/hook_point.ruby_2.rb
|
201
|
+
- lib/sqreen/graft/hook_point.ruby_3.rb
|
202
202
|
- lib/sqreen/graft/hook_point_error.rb
|
203
203
|
- lib/sqreen/invalid_signature_exception.rb
|
204
204
|
- lib/sqreen/js.rb
|
@@ -341,14 +341,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
341
341
|
requirements:
|
342
342
|
- - ">="
|
343
343
|
- !ruby/object:Gem::Version
|
344
|
-
version:
|
344
|
+
version: '2.6'
|
345
345
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
346
346
|
requirements:
|
347
347
|
- - ">="
|
348
348
|
- !ruby/object:Gem::Version
|
349
349
|
version: '0'
|
350
350
|
requirements: []
|
351
|
-
rubygems_version: 3.2.
|
351
|
+
rubygems_version: 3.2.26
|
352
352
|
signing_key:
|
353
353
|
specification_version: 4
|
354
354
|
summary: Sqreen Ruby agent
|