RubyGems - sqreen - Versions diffs - 1.5.0-java → 1.6.0-java - Mend

sqreen 1.5.0-java → 1.6.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/lib/sqreen/attack_detected.html +2 -0
data/lib/sqreen/binding_accessor.rb +247 -157
data/lib/sqreen/condition_evaluator.rb +191 -189
data/lib/sqreen/frameworks/generic.rb +6 -0
data/lib/sqreen/frameworks/rails.rb +1 -0
data/lib/sqreen/frameworks/sinatra.rb +18 -0
data/lib/sqreen/middleware.rb +10 -0
data/lib/sqreen/rules_callbacks.rb +3 -0
data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb +75 -0
data/lib/sqreen/rules_callbacks/custom_error.rb +57 -0
data/lib/sqreen/rules_callbacks/execjs.rb +4 -7
data/lib/sqreen/rules_callbacks/matcher_rule.rb +26 -20
data/lib/sqreen/version.rb +1 -1
metadata +6 -3

data/lib/sqreen/middleware.rb CHANGED Viewed

@@ -11,4 +11,14 @@ module Sqreen
       @app.call(env)
     end
   end
+  class ErrorHandlingMiddleware
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      @app.call(env)
+    end
+  end
 end

data/lib/sqreen/rules_callbacks.rb CHANGED Viewed

@@ -21,5 +21,8 @@ require 'sqreen/rules_callbacks/reflected_xss'
 require 'sqreen/rules_callbacks/execjs'
 require 'sqreen/rules_callbacks/binding_accessor_metrics'
+require 'sqreen/rules_callbacks/binding_accessor_matcher'
 require 'sqreen/rules_callbacks/count_http_codes'
 require 'sqreen/rules_callbacks/crawler_user_agent_matches_metrics'
+require 'sqreen/rules_callbacks/custom_error'

data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb ADDED Viewed

@@ -0,0 +1,75 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rule_callback'
+require 'sqreen/binding_accessor'
+require 'sqreen/rules_callbacks/matcher_rule'
+module Sqreen
+  module Rules
+    # Callback that match on a list or matcher+binding accessor
+    class BindingAccessorMatcherCB < RuleCB
+      attr_reader :rules
+      # matcher on one elem
+      class MatcherElem
+        def initialize(expr)
+          prepare([expr])
+        end
+        include Matcher
+      end
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        @rules = []
+        if @data.empty? || @data['values'].nil? || @data['values'].empty?
+          msg = "no rules in data (had #{@data.keys})"
+          raise Sqreen::Exception, msg
+        end
+        prepare_rules(@data['values'])
+      end
+      def prepare_rules(rules)
+        accessors = Hash.new do |hash, key|
+          hash[key] = BindingAccessor.new(key, true)
+        end
+        @rules = rules.map do |r|
+          if r['binding_accessor'].empty?
+            raise Sqreen::Exception, "no accessors #{r['id']}"
+          end
+          [
+            r['id'],
+            r['binding_accessor'].map { |expression| accessors[expression] },
+            MatcherElem.new(r['matcher']),
+            r['matcher']['value'],
+          ]
+        end
+      end
+      def pre(inst, *args, &_block)
+        resol_cache = Hash.new do |hash, accessor|
+          hash[accessor] = accessor.resolve(binding, framework, inst, args)
+        end
+        @rules.each do |id, accessors, matcher, matcher_ref|
+          accessors.each do |accessor|
+            val = resol_cache[accessor]
+            val = [val] if val.is_a?(String)
+            next unless val.respond_to?(:each)
+            val.each do |v|
+              next if matcher.match(v).nil?
+              infos = {
+                'id' => id,
+                'binding_accessor' => accessor.expression,
+                'matcher' => matcher_ref,
+                'found' => v,
+              }
+              record_event(infos)
+              return advise_action(:raise, :infos => infos)
+            end
+          end
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/custom_error.rb ADDED Viewed

@@ -0,0 +1,57 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/rule_callback'
+require 'sqreen/exception'
+module Sqreen
+  module Rules
+    # Display sqreen presence
+    class CustomErrorCB < RuleCB
+      attr_reader :status_code, :redirect_url
+      def initialize(klass, method, rule_hash)
+        @redirect_url = nil
+        @status_code = nil
+        super(klass, method, rule_hash)
+        if @data.nil? || @data['values'].empty?
+          raise Sqreen::Exception, 'No data'
+        end
+        configure_custom_error(@data['values'][0])
+      end
+      def configure_custom_error(custom_error)
+        case custom_error['type']
+        when 'custom_error_page' then
+          @status_code = custom_error['status_code'].to_i
+        when 'redirection' then
+          @redirect_url = custom_error['redirection_url']
+          @status_code = custom_error.fetch('status_code', 303).to_i
+        else
+          raise Sqreen::Exception, "No custom error #{custom_error['type']}"
+        end
+      end
+      def failing(except, _inst, *_args, &_block)
+        return advise_action(nil) unless except.is_a?(Sqreen::AttackBlocked)
+        if @redirect_url
+          advise_action(:override, :new_return_value => respond_redirect)
+        else
+          advise_action(:override, :new_return_value => respond_page)
+        end
+      end
+      def respond_redirect
+        [@status_code, { 'Location' => @redirect_url }, ['']]
+      end
+      def respond_page
+        page = open(File.join(File.dirname(__FILE__), '../attack_detected.html'))
+        headers = {
+          'Content-Type' => 'text/html',
+          'Content-Length' => page.size.to_s,
+        }
+        [@status_code, headers, page]
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/execjs.rb CHANGED Viewed

@@ -93,7 +93,7 @@ module Sqreen
             accessor.resolve(binding, framework, inst, args, @data, rv)
           end
           Sqreen.log.debug { [name, arguments].inspect }
-          ret = @compiled.call("callbacks.#{name}", *arguments)
+          ret = @compiled.call(name, *arguments)
           unless record_and_continue?(ret)
             return nil if ret.nil?
             return advise_action(ret[:status], ret)
@@ -118,13 +118,12 @@ module Sqreen
       def build_runnable(callbacks)
         @argument_requirements = {}
-        @source = 'var callbacks = {'
+        @source = ''
         @js_pre = !callbacks['pre'].nil?
         @js_post = !callbacks['post'].nil?
         @js_failing = !callbacks['failing'].nil?
         callbacks.each do |name, args_or_func|
-          @source << name
-          @source << ': '
+          @source << "var #{name} = "
           if args_or_func.is_a?(Array)
             @source << args_or_func.pop
             @argument_requirements[name] = build_accessor(args_or_func)
@@ -132,10 +131,8 @@ module Sqreen
             @source << args_or_func
             @argument_requirements[name] = []
           end
-          @source << ",\n"
+          @source << ";\n"
         end
-        @source << "\n"
-        @source << '}'
       end
     end
   end

data/lib/sqreen/rules_callbacks/matcher_rule.rb CHANGED Viewed

@@ -5,33 +5,29 @@ require 'sqreen/rule_callback'
 module Sqreen
   module Rules
-    # A configurable matcher rule
-    class MatcherRuleCB < RuleCB
-      def initialize(*args)
-        super(*args)
-        prepare
-      end
+    # matcher behavior
+    module Matcher
       def self.prepare_re_pattern(value, options, case_sensitive)
         res = 0
         res |= Regexp::MULTILINE  if options.include?('multiline')
         res |= Regexp::IGNORECASE unless case_sensitive
-        Regexp.compile(value, res)
+        r = Regexp.compile(value, res)
+        r.match("")
+        r
       end
       ANYWHERE_OPT = 'anywhere'.freeze
-      def prepare
+      def prepare(patterns)
         @string = {}
-        @regex_patterns = []
+        @regexp_patterns = []
-        patterns = @data['values']
         if patterns.nil?
           msg = "no key 'values' in data (had #{@data.keys})"
           raise Sqreen::Exception, msg
         end
         @funs = {
-          ANYWHERE_OPT       => lambda { |value, str| str.include?(value)   },
+          ANYWHERE_OPT => lambda { |value, str| str.include?(value) },
           'starts_with'.freeze => lambda { |value, str| str.start_with?(value) },
           'ends_with'.freeze => lambda { |value, str| str.end_with?(value)   },
           'equals'.freeze    => lambda { |value, str| str == value           },
@@ -61,17 +57,18 @@ module Sqreen
             @string[opt] = { :ci => [], :cs => [] } unless @string.key?(opt)
             @string[opt][case_type] << val
-          when 'regex'
-            pattern = MatcherRuleCB.prepare_re_pattern(val, opt, case_sensitive)
+          when 'regexp'
+            pattern = Matcher.prepare_re_pattern(val, opt, case_sensitive)
             next unless pattern
-            @regex_patterns << pattern
+            @regexp_patterns << pattern
+          else
+            raise Sqreen::Exception, "No such matcher type #{type}"
           end
         end
-        if [@regex_patterns, @string].map { |s| s == 0 }.all?
-          msg = "no key 'regex' nor 'match' in data (had #{@data.keys})"
-          raise Sqreen::Exception, msg
-        end
+        return unless [@regexp_patterns, @string].map(&:empty?).all?
+        msg = "no key 'regexp' nor 'match' in data (had #{@data.keys})"
+        raise Sqreen::Exception, msg
       end
       def match(str)
@@ -95,11 +92,20 @@ module Sqreen
           end
         end
-        @regex_patterns.each do |p|
+        @regexp_patterns.each do |p|
           return p if p.match(str)
         end
         nil
       end
     end
+    # A configurable matcher rule
+    class MatcherRuleCB < RuleCB
+      def initialize(*args)
+        super(*args)
+        prepare(@data['values'])
+      end
+      include Matcher
+    end
   end
 end

data/lib/sqreen/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.5.0'.freeze
+  VERSION = '1.6.0'.freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: java
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-04-18 00:00:00.000000000 Z
+date: 2017-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs
@@ -48,6 +48,7 @@ files:
 - README.md
 - Rakefile
 - lib/sqreen.rb
+- lib/sqreen/attack_detected.html
 - lib/sqreen/binding_accessor.rb
 - lib/sqreen/ca.crt
 - lib/sqreen/call_countable.rb
@@ -89,10 +90,12 @@ files:
 - lib/sqreen/rule_callback.rb
 - lib/sqreen/rules.rb
 - lib/sqreen/rules_callbacks.rb
+- lib/sqreen/rules_callbacks/binding_accessor_matcher.rb
 - lib/sqreen/rules_callbacks/binding_accessor_metrics.rb
 - lib/sqreen/rules_callbacks/count_http_codes.rb
 - lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb
 - lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb
+- lib/sqreen/rules_callbacks/custom_error.rb
 - lib/sqreen/rules_callbacks/execjs.rb
 - lib/sqreen/rules_callbacks/headers_insert.rb
 - lib/sqreen/rules_callbacks/inspect_rule.rb
@@ -131,7 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.10
+rubygems_version: 2.6.11
 signing_key:
 specification_version: 4
 summary: Sqreen Ruby agent