sqreen 1.5.0 → 1.6.0

data/lib/sqreen/middleware.rb

@@ -11,4 +11,14 @@ module Sqreen
       @app.call(env)
     end
   end
+
+  class ErrorHandlingMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @app.call(env)
+    end
+  end
 end

data/lib/sqreen/rules_callbacks.rb

@@ -21,5 +21,8 @@ require 'sqreen/rules_callbacks/reflected_xss'
 require 'sqreen/rules_callbacks/execjs'
 
 require 'sqreen/rules_callbacks/binding_accessor_metrics'
+require 'sqreen/rules_callbacks/binding_accessor_matcher'
 require 'sqreen/rules_callbacks/count_http_codes'
 require 'sqreen/rules_callbacks/crawler_user_agent_matches_metrics'
+
+require 'sqreen/rules_callbacks/custom_error'

data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb

@@ -0,0 +1,75 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+require 'sqreen/binding_accessor'
+require 'sqreen/rules_callbacks/matcher_rule'
+
+module Sqreen
+  module Rules
+    # Callback that match on a list or matcher+binding accessor
+    class BindingAccessorMatcherCB < RuleCB
+      attr_reader :rules
+
+      # matcher on one elem
+      class MatcherElem
+        def initialize(expr)
+          prepare([expr])
+        end
+        include Matcher
+      end
+
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        @rules = []
+        if @data.empty? || @data['values'].nil? || @data['values'].empty?
+          msg = "no rules in data (had #{@data.keys})"
+          raise Sqreen::Exception, msg
+        end
+        prepare_rules(@data['values'])
+      end
+
+      def prepare_rules(rules)
+        accessors = Hash.new do |hash, key|
+          hash[key] = BindingAccessor.new(key, true)
+        end
+        @rules = rules.map do |r|
+          if r['binding_accessor'].empty?
+            raise Sqreen::Exception, "no accessors #{r['id']}"
+          end
+          [
+            r['id'],
+            r['binding_accessor'].map { |expression| accessors[expression] },
+            MatcherElem.new(r['matcher']),
+            r['matcher']['value'],
+          ]
+        end
+      end
+
+      def pre(inst, *args, &_block)
+        resol_cache = Hash.new do |hash, accessor|
+          hash[accessor] = accessor.resolve(binding, framework, inst, args)
+        end
+        @rules.each do |id, accessors, matcher, matcher_ref|
+          accessors.each do |accessor|
+            val = resol_cache[accessor]
+            val = [val] if val.is_a?(String)
+            next unless val.respond_to?(:each)
+            val.each do |v|
+              next if matcher.match(v).nil?
+              infos = {
+                'id' => id,
+                'binding_accessor' => accessor.expression,
+                'matcher' => matcher_ref,
+                'found' => v,
+              }
+              record_event(infos)
+              return advise_action(:raise, :infos => infos)
+            end
+          end
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/custom_error.rb

@@ -0,0 +1,57 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/rule_callback'
+require 'sqreen/exception'
+
+module Sqreen
+  module Rules
+    # Display sqreen presence
+    class CustomErrorCB < RuleCB
+      attr_reader :status_code, :redirect_url
+      def initialize(klass, method, rule_hash)
+        @redirect_url = nil
+        @status_code = nil
+        super(klass, method, rule_hash)
+        if @data.nil? || @data['values'].empty?
+          raise Sqreen::Exception, 'No data'
+        end
+        configure_custom_error(@data['values'][0])
+      end
+
+      def configure_custom_error(custom_error)
+        case custom_error['type']
+        when 'custom_error_page' then
+          @status_code = custom_error['status_code'].to_i
+        when 'redirection' then
+          @redirect_url = custom_error['redirection_url']
+          @status_code = custom_error.fetch('status_code', 303).to_i
+        else
+          raise Sqreen::Exception, "No custom error #{custom_error['type']}"
+        end
+      end
+
+      def failing(except, _inst, *_args, &_block)
+        return advise_action(nil) unless except.is_a?(Sqreen::AttackBlocked)
+        if @redirect_url
+          advise_action(:override, :new_return_value => respond_redirect)
+        else
+          advise_action(:override, :new_return_value => respond_page)
+        end
+      end
+
+      def respond_redirect
+        [@status_code, { 'Location' => @redirect_url }, ['']]
+      end
+
+      def respond_page
+        page = open(File.join(File.dirname(__FILE__), '../attack_detected.html'))
+        headers = {
+          'Content-Type' => 'text/html',
+          'Content-Length' => page.size.to_s,
+        }
+        [@status_code, headers, page]
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/execjs.rb

@@ -93,7 +93,7 @@ module Sqreen
             accessor.resolve(binding, framework, inst, args, @data, rv)
           end
           Sqreen.log.debug { [name, arguments].inspect }
-          ret = @compiled.call("callbacks.#{name}", *arguments)
+          ret = @compiled.call(name, *arguments)
           unless record_and_continue?(ret)
             return nil if ret.nil?
             return advise_action(ret[:status], ret)
@@ -118,13 +118,12 @@ module Sqreen
 
       def build_runnable(callbacks)
         @argument_requirements = {}
-        @source = 'var callbacks = {'
+        @source = ''
         @js_pre = !callbacks['pre'].nil?
         @js_post = !callbacks['post'].nil?
         @js_failing = !callbacks['failing'].nil?
         callbacks.each do |name, args_or_func|
-          @source << name
-          @source << ': '
+          @source << "var #{name} = "
           if args_or_func.is_a?(Array)
             @source << args_or_func.pop
             @argument_requirements[name] = build_accessor(args_or_func)
@@ -132,10 +131,8 @@ module Sqreen
             @source << args_or_func
             @argument_requirements[name] = []
           end
-          @source << ",\n"
+          @source << ";\n"
         end
-        @source << "\n"
-        @source << '}'
       end
     end
   end

data/lib/sqreen/rules_callbacks/matcher_rule.rb

@@ -5,33 +5,29 @@ require 'sqreen/rule_callback'
 
 module Sqreen
   module Rules
-    # A configurable matcher rule
-    class MatcherRuleCB < RuleCB
-      def initialize(*args)
-        super(*args)
-        prepare
-      end
-
+    # matcher behavior
+    module Matcher
       def self.prepare_re_pattern(value, options, case_sensitive)
         res = 0
         res |= Regexp::MULTILINE  if options.include?('multiline')
         res |= Regexp::IGNORECASE unless case_sensitive
-        Regexp.compile(value, res)
+        r = Regexp.compile(value, res)
+        r.match("")
+        r
       end
 
       ANYWHERE_OPT = 'anywhere'.freeze
-      def prepare
+      def prepare(patterns)
         @string = {}
-        @regex_patterns = []
+        @regexp_patterns = []
 
-        patterns = @data['values']
         if patterns.nil?
           msg = "no key 'values' in data (had #{@data.keys})"
           raise Sqreen::Exception, msg
         end
 
         @funs = {
-          ANYWHERE_OPT       => lambda { |value, str| str.include?(value)   },
+          ANYWHERE_OPT => lambda { |value, str| str.include?(value) },
           'starts_with'.freeze => lambda { |value, str| str.start_with?(value) },
           'ends_with'.freeze => lambda { |value, str| str.end_with?(value)   },
           'equals'.freeze    => lambda { |value, str| str == value           },
@@ -61,17 +57,18 @@ module Sqreen
             @string[opt] = { :ci => [], :cs => [] } unless @string.key?(opt)
             @string[opt][case_type] << val
 
-          when 'regex'
-            pattern = MatcherRuleCB.prepare_re_pattern(val, opt, case_sensitive)
+          when 'regexp'
+            pattern = Matcher.prepare_re_pattern(val, opt, case_sensitive)
             next unless pattern
-            @regex_patterns << pattern
+            @regexp_patterns << pattern
+          else
+            raise Sqreen::Exception, "No such matcher type #{type}"
           end
         end
 
-        if [@regex_patterns, @string].map { |s| s == 0 }.all?
-          msg = "no key 'regex' nor 'match' in data (had #{@data.keys})"
-          raise Sqreen::Exception, msg
-        end
+        return unless [@regexp_patterns, @string].map(&:empty?).all?
+        msg = "no key 'regexp' nor 'match' in data (had #{@data.keys})"
+        raise Sqreen::Exception, msg
       end
 
       def match(str)
@@ -95,11 +92,20 @@ module Sqreen
           end
         end
 
-        @regex_patterns.each do |p|
+        @regexp_patterns.each do |p|
           return p if p.match(str)
         end
         nil
       end
     end
+
+    # A configurable matcher rule
+    class MatcherRuleCB < RuleCB
+      def initialize(*args)
+        super(*args)
+        prepare(@data['values'])
+      end
+      include Matcher
+    end
   end
 end

data/lib/sqreen/version.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.5.0'.freeze
+  VERSION = '1.6.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - Sqreen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-04-18 00:00:00.000000000 Z
+date: 2017-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs
@@ -49,6 +49,7 @@ files:
 - README.md
 - Rakefile
 - lib/sqreen.rb
+- lib/sqreen/attack_detected.html
 - lib/sqreen/binding_accessor.rb
 - lib/sqreen/ca.crt
 - lib/sqreen/call_countable.rb
@@ -90,10 +91,12 @@ files:
 - lib/sqreen/rule_callback.rb
 - lib/sqreen/rules.rb
 - lib/sqreen/rules_callbacks.rb
+- lib/sqreen/rules_callbacks/binding_accessor_matcher.rb
 - lib/sqreen/rules_callbacks/binding_accessor_metrics.rb
 - lib/sqreen/rules_callbacks/count_http_codes.rb
 - lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb
 - lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb
+- lib/sqreen/rules_callbacks/custom_error.rb
 - lib/sqreen/rules_callbacks/execjs.rb
 - lib/sqreen/rules_callbacks/headers_insert.rb
 - lib/sqreen/rules_callbacks/inspect_rule.rb
@@ -132,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Sqreen Ruby agent