sqreen 1.4.2 → 1.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3b13dece251d9c305d0f1f79ea551b1b51a35c20
-  data.tar.gz: 00acadad553d40803de98b2bb70c81c274e6aa83
+  metadata.gz: 36d9acaf03b582ce9120a6425278ccd50d113a9d
+  data.tar.gz: 18ac50baadde2c653751bcff36952738ddadf602
 SHA512:
-  metadata.gz: e61529e9cb80bf86226272f0843f9a8e9fc1d8fafaa71f29ec36ff0e7254f16d039ea5b083a6475c58b3ea2c49f4e9b112b616a3236c1e4a271c034a09a28b15
-  data.tar.gz: 6dd83b5fd2809940dcd9875c7321ef4efcad0b711fdeadb652197607e80003afe0d018c3bdc86643a1bc47839487a83cc6aeb5ca6f0812b4808e3033b6baa59c
+  metadata.gz: bad005dac888fccba0429e29c22f0bf2f471f53dd1745b5fe210af74a13742fedb3d78f4b091f17356d7f3fc7c8717a848ecaea325044ecb80ab443b23ed89ae
+  data.tar.gz: 7b8708e9c8d5f4c5a6d6428a12416a7904b3fa2e862f0384ccd4ff18865588d3e476a060ea448df15e86e5bd7e9aa75c8dae20cecb6aeed1686fc79f7dfaa60e

data/lib/sqreen/condition_evaluator.rb

@@ -56,6 +56,34 @@ class ConditionEvaluator
     end
   end
 
+  # Predicate: Is one of values deeply present in keys of hash
+  # @params value [Array] Array of objects to find
+  # @params hash [Hash] Hash to search into
+  # @params min_value_size [Fixnum] to compare against
+  def self.hash_key_include?(values, hash, min_value_size, rem = 10)
+    return true if rem <= 0
+    if hash.is_a?(Array)
+      return hash.any? do |v|
+        ConditionEvaluator.hash_key_include?(values, v, min_value_size, rem - 1)
+      end
+    end
+
+    return false unless hash.is_a?(Hash)
+
+    hash.any? do |hkey, hval|
+      case hkey
+      when NilClass
+        false
+      else
+        if hkey.respond_to?(:empty?) && hkey.empty?
+          false
+        else
+          values.include?(hkey.to_s) || ConditionEvaluator.hash_key_include?(values, hval, min_value_size, rem - 1)
+        end
+      end
+    end
+  end
+
   # Test is a str contains what. Rencode if necessary
   def self.str_include?(str, what)
     str1 = if str.encoding != Encoding::UTF_8
@@ -128,12 +156,14 @@ class ConditionEvaluator
   GT_OPERATOR       = '%gt'.freeze
   LT_OPERATOR       = '%lt'.freeze
   HASH_INC_OPERATOR = '%hash_val_include'.freeze
+  HASH_KEY_OPERATOR = '%hash_key_include'.freeze
   INC_OPERATOR      = '%include'.freeze
   OR_OPERATOR       = '%or'.freeze
   AND_OPERATOR      = '%and'.freeze
 
   OPERATORS_ARITY = {
     HASH_INC_OPERATOR => 3,
+    HASH_KEY_OPERATOR => 3,
     EQ_OPERATOR       => 2,
     NEQ_OPERATOR      => 2,
     INC_OPERATOR      => 2,
@@ -191,6 +221,8 @@ class ConditionEvaluator
                end
              when HASH_INC_OPERATOR
                ConditionEvaluator.hash_val_include?(res[0], res[1], res[2])
+             when HASH_KEY_OPERATOR
+               ConditionEvaluator.hash_key_include?(res[0], res[1], res[2])
              else
                # FIXME: this should be check in compile
                raise(Sqreen::Exception, "unknown op #{op})")

data/lib/sqreen/frameworks/generic.rb

@@ -167,7 +167,7 @@ module Sqreen
         @wait << block
       end
 
-      # Does the parameters include this value
+      # Does the parameters value include this value
       def params_include?(value)
         params = request_params
         return false if params.nil?
@@ -177,6 +177,16 @@ module Sqreen
         false
       end
 
+      # Does the parameters key/value include this value
+      def full_params_include?(value)
+        params = request_params
+        return false if params.nil?
+        each_key_value_for_hash(params) do |param|
+          return true if param == value
+        end
+        false
+      end
+
       # Fetch and store the current request object
       # Nota: cleanup should be performed at end of request (see clean_request)
       def store_request(object)
@@ -313,6 +323,18 @@ module Sqreen
         end
       end
 
+      def each_key_value_for_hash(params, &block)
+        case params
+        when Hash then params.each do |k, v|
+          yield k
+          each_key_value_for_hash(v, &block)
+        end
+        when Array then params.each { |v| each_key_value_for_hash(v, &block) }
+        else
+          yield params
+        end
+      end
+
       def ensure_rack_loaded
         @cannot_load_rack ||= false
         return false if @cannot_load_rack

data/lib/sqreen/rules_callbacks/count_http_codes.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 
+require 'sqreen/rule_attributes'
 require 'sqreen/rule_callback'
 
 module Sqreen
@@ -14,5 +15,25 @@ module Sqreen
         advise_action(nil)
       end
     end
+
+    # Count 1 for each things located by the binding accessor
+    class BindingAccessorCounter < RuleCB
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        @accessors = @data['values'].map do |expr|
+          BindingAccessor.new(expr, true)
+        end
+        @metric_category = rule_hash[Attrs::METRICS].first['name']
+      end
+
+      def post(rv, inst, *args, &_block)
+        return unless rv.is_a?(Array) && !rv.empty?
+        key = @accessors.map do |accessor|
+          accessor.resolve(binding, framework, inst, args, @data, rv)
+        end
+        record_observation(@metric_category, JSON.dump(key), 1)
+        advise_action(nil)
+      end
+    end
   end
 end

data/lib/sqreen/rules_callbacks/reflected_xss.rb

@@ -10,8 +10,24 @@ require 'sqreen/rules_callbacks/regexp_rule'
 module Sqreen
   # Sqreen rules
   module Rules
+    # XSSCB abstract common behaviour of tpls
+    class XSSCB < RegexpRuleCB
+      # The remaining code is only to find out if user entry was an attack,
+      # and record it. Since we don't rely on it to respond to user, it would
+      # be better to do it in background.
+      def report_dangerous_xss(value)
+        found = match_regexp(value)
+
+        return unless found
+        infos = {
+          :found => found,
+          :payload => value,
+        }
+        record_event(infos)
+      end
+    end
     # look for reflected XSS with erb template engine
-    class ReflectedXSSCB < RegexpRuleCB
+    class ReflectedXSSCB < XSSCB
       def pre(_inst, *args, &_block)
         value = args[0]
 
@@ -38,33 +54,20 @@ module Sqreen
         advise_action(nil)
       end
 
-      # The remaining code is only to find out if user entry was an attack,
-      # and record it. Since we don't rely on it to respond to user, it would
-      # be better to do it in background.
-      def report_dangerous_xss(value)
-        found = match_regexp(value)
-
-        return unless found
-        infos = {
-          :found => found,
-          :payload => value,
-        }
-        record_event(infos)
-      end
     end
     # look for reflected XSS with haml template engine
     # hook function arguments of
     # Haml::Buffer.format_script(result, preserve_script, in_tag, preserve_tag,
     #                            escape_html, nuke_inner_whitespace,
     #                            interpolated, ugly)
-    class ReflectedXSSHamlCB < ReflectedXSSCB
+    class ReflectedXSSHamlCB < XSSCB
       def post(ret, _inst, *_args, &_block)
         value = ret
         return if value.nil?
 
         # Sqreen::log.debug value
 
-        return unless framework.params_include?(value)
+        return unless framework.full_params_include?(value)
 
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }
 
@@ -103,10 +106,117 @@ module Sqreen
         nil
       end
     end
+
+    class Haml4UtilInterpolationHookCB < RuleCB
+      def pre(_inst, *args, &_block)
+        str = args[0]
+        escape_html = args[1]
+        # Original code from HAML tuned up to insert escape_haml call
+        res = ''
+        rest = Haml::Util.handle_interpolation str.dump do |scan|
+          escapes = (scan[2].size - 1) / 2
+          res << scan.matched[0...-3 - escapes]
+          if escapes.odd?
+            res << '#{'
+          else
+            content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"')
+            content = "Haml::Helpers.html_escape((#{content}))" if escape_html
+            res << '#{Sqreen.escape_haml(' + content + ')}' # Use eval to get rid of string escapes
+          end
+        end
+        { :status => :skip, :new_return_value => res + rest }
+      end
+    end
+
+    # Hook build attributes
+    class Haml4CompilerBuildAttributeCB < XSSCB
+      def pre(inst, *args, &_block)
+        attrs = args[-1]
+        new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
+          if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
+            Sqreen.log.debug { format('Found unescaped user param: %s', key) }
+            report_dangerous_xss(key)
+            [CGI.escape_html(key), true]
+          else
+            [key, false]
+          end
+        end
+
+        return if !found_xss || !block
+        # potential XSS! let's escape
+        if !framework || !find_whitelisted_path(framework.request_path.to_s)
+          args[-1] = new_attrs
+          r = inst.send(method, *args)
+          return { :status => :skip, :new_return_value => r }
+        end
+      end
+
+      def self.clean_hash_key(hash, limit = 10, seen = [], &block)
+        seen << hash.object_id
+        has_xss = false
+        new_h = {}
+        return if limit <= 0
+        hash.each do |k, v|
+          if seen.include?(v.object_id)
+            new_h[k] = nil
+            next
+          end
+          seen << v.object_id
+          new_key, found_xss = yield k
+          has_xss |= found_xss
+          if v.is_a?(Hash)
+            new_h[new_key], found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(v, limit - 1, seen, &block)
+            has_xss |= found_xss
+          else
+            new_h[new_key] = v
+          end
+        end
+        [new_h, has_xss]
+      end
+    end
+
+    # Hook into temple template rendering
+    class TempleEscapableHookCB < RuleCB
+      def post(ret, _inst, *_args, &_block)
+        ret[1] = "Sqreen.escape_temple(#{ret[1]})"
+        { :status => :override, :new_return_value => ret }
+      end
+    end
+
+    # Hook into temple template rendering
+    class SlimSplatBuilderCB < XSSCB
+      def pre(inst, *args, &_block)
+        value = args[0]
+        return if value.nil?
+
+        return unless framework.full_params_include?(value)
+
+        Sqreen.log.debug { format('Found unescaped user param: %s', value) }
+
+        return unless value.is_a?(String)
+
+        report_dangerous_xss(value)
+
+        return unless block
+        # potential XSS! let's escape
+        if block &&
+           (!framework || !find_whitelisted_path(framework.request_path.to_s))
+          args[0] = CGI.escape_html(value)
+          r = inst.send(method, *args)
+          return { :status => :skip, :new_return_value => r }
+        end
+        nil
+      end
+    end
   end
 
   # Escape HAML when instrumented to do it
   def self.escape_haml(x)
     x
   end
+
+  # Escape Temple when instrumented to do it
+  def self.escape_temple(x)
+    x
+  end
 end

data/lib/sqreen/version.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.4.2'.freeze
+  VERSION = '1.4.3'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.4.3
 platform: ruby
 authors:
 - Sqreen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-28 00:00:00.000000000 Z
+date: 2017-04-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs