sqreen 1.3.21489051313-java → 1.4.2-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bbd1a6355ea5535de52247ae70720a09a06dabd2
-  data.tar.gz: 21623d5f5560c1661a43c31d25289c058d1e8edd
+  metadata.gz: fcc1bc6cf192ce4b177a5e638226a989e0f8e174
+  data.tar.gz: b52e7d1765d4021129bb0107a4345613872f389c
 SHA512:
-  metadata.gz: 3085456fa194abcdff7310b3183709307f8201ac322558336bd57a5ae3542fc7a4eb4f6cc0fbc4a2c3746c504d57a949bf31149e2d7a1196960153faf9df6221
-  data.tar.gz: 3e99b11d4953d41d7ed86310bcf594503bcaa258e7f3f7eb556daac21af6bf9afa9f9109f726116469555e9f800f5e43b60222356557c77872da53157b290424
+  metadata.gz: f9ffbbcfa1fa5c9ebeeca43963c74c724e2322de0feb38d42e39242bfd5402efe4c6043af307b55e34564f2ccec7d3847906f71e15b9987a635b2f97758d7d38
+  data.tar.gz: aeb35086030d9b6ce6cbf3d210b9388927066a237d3bdb83c080004b43b6a00b562b8d889f4499ae46336a7a889141dcc8ac259c0bfa5974c90b8db5e9db0b78

data/Rakefile

@@ -18,23 +18,3 @@ end
 
 desc 'Run tests'
 task :default => :test
-
-task :pre_build do
-  version = Bundler::GemHelper.new.send(:version)
-  template = <<-EOF.gsub(/^\s{0,3}/m, '')
-  # Copyright (c) 2015 Sqreen. All Rights Reserved.
-  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
-  # Warning This file is auto generated! DO NOT edit.
-
-  module Sqreen
-     VERSION = #{version.to_s.inspect}.freeze
-  end
-  EOF
-  fname = File.join(File.dirname(__FILE__), 'lib', 'sqreen', 'version.rb')
-  File.open(fname, 'w') do |f|
-    f.puts template
-  end
-end
-
-default_build = Rake::Task['build']
-default_build.prerequisites.push(Rake::Task['pre_build'])

data/lib/sqreen/events/attack.rb

@@ -45,6 +45,7 @@ module Sqreen
       res = {}
       rule_p = payload['rule']
       request_p = payload['request']
+      whitelisted = request_p.delete('whitelisted') if request_p
       res[:rule_name]    = rule_p['name']         if rule_p && rule_p['name']
       res[:rulespack_id] = rule_p['rulespack_id'] if rule_p && rule_p['rulespack_id']
       res[:test]         = rule_p['test']         if rule_p && rule_p['test']
@@ -55,6 +56,7 @@ module Sqreen
       res[:params]       = payload['params']      if payload['params']
       res[:context]      = payload['context']     if payload['context']
       res[:headers]      = payload['headers']     if payload['headers']
+      res[:whitelist_match] = whitelisted         if whitelisted
       res
     end
   end

data/lib/sqreen/instrumentation.rb

@@ -371,6 +371,13 @@ module Sqreen
       klass.singleton_methods.include? method
     end
 
+    # Does this object or an instance of it respond_to method?
+    def valid_method?(obj, method)
+      return true if is_class_method?(obj, method)
+      return false unless obj.respond_to?(:instance_methods)
+      is_instance_method?(obj, method)
+    end
+
     def add_callback(cb)
       @@override_semaphore.synchronize do
         klass = cb.klass
@@ -487,7 +494,7 @@ module Sqreen
       end
       remove_all_callbacks # Force cb tree to be empty before instrumenting
       rules.each do |rule|
-        rcb = Sqreen::Rules.cb_from_rule(rule, metrics_engine, verifier)
+        rcb = Sqreen::Rules.cb_from_rule(rule, self, metrics_engine, verifier)
         next unless rcb
         rcb.framework = framework
         add_callback(rcb)

data/lib/sqreen/remote_command.rb

@@ -12,6 +12,7 @@ module Sqreen
       :features_get => :features,
       :features_change => :change_features,
       :force_logout => :shutdown,
+      :paths_whitelist => :change_whitelisted_paths,
     }.freeze
 
     attr_reader :uuid

data/lib/sqreen/rule_callback.rb

@@ -46,11 +46,39 @@ module Sqreen
         @rule[Attrs::RULESPACK_ID]
       end
 
+      # Recommend taking an action (optionnally adding more data/context)
+      #
+      # This will format the requested action and optionnally
+      # override it if it should not be taken (should not block for example)
+      def advise_action(action, additional_data = {})
+        return if action.nil? && additional_data.empty?
+        if %w(override raise).include?(action.to_s) && framework
+          prefix = find_whitelisted_path(framework.request_path.to_s)
+          if prefix
+            Sqreen.log.debug { "Trying to block on whitelisted path #{prefix}" }
+            action = nil
+          end
+        end
+        additional_data.merge(:status => action)
+      end
+
+      # Is this a whitelisted path?
+      # return the path witelisted prefix that match path
+      def find_whitelisted_path(rpath)
+        (Sqreen.whitelisted_paths || []).find do |path|
+          rpath.start_with?(path)
+        end
+      end
+
       # Record an attack event into Sqreen system
       # @param infos [Hash] Additional information about request
       def record_event(infos)
         payload = @payload_generator.payload(framework, @rule)
         payload['infos'] = infos
+        if framework && payload['request']
+          prefix = find_whitelisted_path(framework.request_path.to_s)
+          payload['request']['whitelisted'] = prefix
+        end
         Attack.record(payload)
       end
 

data/lib/sqreen/rules.rb

@@ -40,9 +40,10 @@ module Sqreen
 
     # Given a rule, will instantiate the related callback.
     # @param hash_rule     [Hash]                 Rules metadata
+    # @param instrumentation_engine [Instrumentation] Instrumentation engine
     # @param metrics_store [MetricStore]          Metrics storage facility
     # @param verifier      [SqreenSignedVerifier] Signed verifier
-    def self::cb_from_rule(hash_rule, metrics_store = nil, verifier = nil)
+    def self::cb_from_rule(hash_rule, instrumentation_engine=nil, metrics_store = nil, verifier = nil)
       # Check rules signature
       if verifier
         raise InvalidSignatureException unless verifier.verify(hash_rule)
@@ -56,12 +57,18 @@ module Sqreen
 
       if instr_class.nil?
         rule_name = hash_rule[Attrs::NAME]
-        Sqreen.log.debug "#{klass} does not exists. Skipping #{rule_name}"
+        Sqreen.log.debug { "#{klass} does not exists. Skipping #{rule_name}" }
         return nil
       end
 
       instr_method = hook[Attrs::METHOD]
       instr_method = instr_method.to_sym
+      if instrumentation_engine &&
+         !instrumentation_engine.valid_method?(instr_class, instr_method)
+
+        Sqreen.log.debug { "#{instr_method} does not exist on #{klass} Skipping #{rule_name}" }
+        return nil
+      end
 
       cbname = hook[Attrs::CALLBACK_CLASS]
 

data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb

@@ -63,7 +63,7 @@ module Sqreen
           accessor.resolve(binding, framework, inst, args, @data, rv)
         end
         record_observation(category, key, value)
-        nil
+        advise_action(nil)
       end
 
       def build_expressions(callbacks)

data/lib/sqreen/rules_callbacks/count_http_codes.rb

@@ -11,7 +11,7 @@ module Sqreen
       def post(rv, _inst, *_args, &_block)
         return unless rv.is_a?(Array) && !rv.empty?
         record_observation(METRIC_CATEGORY, rv[0], 1)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb

@@ -17,7 +17,7 @@ module Sqreen
         Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
         infos = { :found => found }
         record_event(infos)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb

@@ -17,7 +17,7 @@ module Sqreen
         return unless found
         Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
         record_observation(CRAWLER_CATEGORY, ua, 1)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/execjs.rb

@@ -94,7 +94,10 @@ module Sqreen
           end
           Sqreen.log.debug { [name, arguments].inspect }
           ret = @compiled.call("callbacks.#{name}", *arguments)
-          return ret unless record_and_continue?(ret)
+          unless record_and_continue?(ret)
+            return nil if ret.nil?
+            return advise_action(ret[:status], ret)
+          end
           name = ret[:call]
           rv = ret[:data]
           args_override = ret[:args]

data/lib/sqreen/rules_callbacks/headers_insert.rb

@@ -15,7 +15,7 @@ module Sqreen
         headers.each do |name, value|
           rv[1][name] = value
         end
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/rails_parameters.rb

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     class RailsParametersCB < RuleCB
       def pre(_inst, *_args, &_block)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/record_request_context.rb

@@ -9,14 +9,17 @@ module Sqreen
     class RecordRequestContext < RuleCB
       def pre(_inst, *args, &_block)
         framework.store_request(args[0])
+        advise_action(nil)
       end
 
       def post(_rv, _inst, *_args, &_block)
         framework.clean_request
+        advise_action(nil)
       end
 
       def failing(_exception, _inst, *_args, &_block)
         framework.clean_request
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/reflected_xss.rb

@@ -3,9 +3,12 @@
 
 require 'cgi'
 
+require 'sqreen/rule_callback'
 require 'sqreen/rules_callbacks/regexp_rule'
 
+# Sqreen module
 module Sqreen
+  # Sqreen rules
   module Rules
     # look for reflected XSS with erb template engine
     class ReflectedXSSCB < RegexpRuleCB
@@ -25,11 +28,14 @@ module Sqreen
 
         saved_value = value.dup
         # potential XSS! let's escape
-        args[0].replace(CGI.escape_html(value)) if block
+        if block &&
+           (!framework || !find_whitelisted_path(framework.request_path.to_s))
+          args[0].replace(CGI.escape_html(value))
+        end
 
         report_dangerous_xss(saved_value)
 
-        nil
+        advise_action(nil)
       end
 
       # The remaining code is only to find out if user entry was an attack,
@@ -41,7 +47,7 @@ module Sqreen
         return unless found
         infos = {
           :found => found,
-          :payload => value
+          :payload => value,
         }
         record_event(infos)
       end
@@ -52,35 +58,55 @@ module Sqreen
     #                            escape_html, nuke_inner_whitespace,
     #                            interpolated, ugly)
     class ReflectedXSSHamlCB < ReflectedXSSCB
-      def pre(inst, *args, &_block)
-        value = args[0]
+      def post(ret, _inst, *_args, &_block)
+        value = ret
+        return if value.nil?
 
-        return unless value.is_a?(String)
-
-        # if escape_html is already true, it will be escaped later
-        return if args[4]
+        # Sqreen::log.debug value
 
         return unless framework.params_include?(value)
 
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }
 
-        # potential XSS ! Call the same method with the argument
-        # escape_html true
-        if block
-          nargs = args.dup
-          nargs[4] = true
-          return_value = {
-            :status => :skip,
-            # 'method' is an attribut reader in class CB, it's the name of the
-            # hooked method
-            :new_return_value => inst.send(method, *nargs),
-          }
-        end
+        return unless value.is_a?(String)
 
         report_dangerous_xss(value)
 
-        return_value
+        return unless block
+        # potential XSS! let's escape
+        advise_action(:override, :new_return_value => CGI.escape_html(value))
+      end
+    end
+
+    # Hook into haml4 script parser
+    class Haml4ParserScriptHookCB < RuleCB
+      def pre(_inst, *args, &_block)
+        return unless args.size > 1
+        text = args[0]
+        escape_html = args[1]
+        if escape_html == false && !text.include?('html_escape')
+          args[0].replace("Sqreen.escape_haml(#{args[0]})")
+        end
+        nil
       end
     end
+
+    # Hook into haml4 tag parser
+    class Haml4ParserTagHookCB < RuleCB
+      def post(ret, _inst, *_args, &_block)
+        tag = ret
+        if tag.value[:escape_html] == false &&
+           !tag.value[:value].include?('html_escape')
+          tag.value[:value] = "Sqreen.escape_haml(#{tag.value[:value]})"
+          return { :status => :override, :new_return_value => tag }
+        end
+        nil
+      end
+    end
+  end
+
+  # Escape HAML when instrumented to do it
+  def self.escape_haml(x)
+    x
   end
 end

data/lib/sqreen/rules_callbacks/shell_env.rb

@@ -25,7 +25,7 @@ module Sqreen
         }
         Sqreen.log.warn "presence of a shell env tampering: #{infos.inspect}"
         record_event(infos)
-        { :status => :raise }
+        advise_action(:raise)
       end
     end
   end

data/lib/sqreen/rules_callbacks/url_matches.rb

@@ -18,7 +18,7 @@ module Sqreen
         found = match_regexp(path)
         infos = { :path => path, :found => found }
         record_event(infos) if found
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/user_agent_matches.rb

@@ -15,7 +15,7 @@ module Sqreen
         Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
         infos = { :found => found }
         record_event(infos)
-        { :status => :raise, :data => found }
+        advise_action(:raise, :data => found)
       end
     end
   end

data/lib/sqreen/runner.rb

@@ -48,6 +48,11 @@ module Sqreen
 
     attr_accessor :logged_in
     alias logged_in? logged_in
+
+    attr_reader :whitelisted_paths
+    def update_whitelisted_paths(paths)
+      @whitelisted_paths = paths.freeze
+    end
   end
 
   # Main running job class for the agent
@@ -81,6 +86,7 @@ module Sqreen
 
       @token = @configuration.get(:token)
       @url = @configuration.get(:url)
+      Sqreen.update_whitelisted_paths([])
       raise(Sqreen::Exception, 'no url found') unless @url
       raise(Sqreen::TokenNotFoundException, 'no token found') unless @token
 
@@ -232,6 +238,12 @@ module Sqreen
       batch_events(features['batch_size'], features['max_staleness'])
     end
 
+    def change_whitelisted_paths(paths, _context_infos = {})
+      return false unless paths.respond_to?(:each)
+      Sqreen.update_whitelisted_paths(paths)
+      true
+    end
+
     def change_features(new_features, _context_infos = {})
       old = features
       self.features = new_features

data/lib/sqreen/version.rb

@@ -1,6 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
-# Warning This file is auto generated! DO NOT edit.
 module Sqreen
-  VERSION = "1.3.21489051313".freeze
+  VERSION = '1.4.2'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.3.21489051313
+  version: 1.4.2
 platform: java
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-09 00:00:00.000000000 Z
+date: 2017-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs