sqreen 1.9.1-java → 1.9.2-java

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 37d3a22e3058785af671a89e73cc469b60fdd010
4
- data.tar.gz: 347a2279b06c9ec23e06b8a054239f44e77b41c1
3
+ metadata.gz: ad04bee0a61218373cab51d02d3690ddd5f19021
4
+ data.tar.gz: f4921ac550a7801022795f66f959a2e5e1ebd8e4
5
5
  SHA512:
6
- metadata.gz: 1c71b83145340e66c5c9665592cb66d7352218a9430c6fbf29027e58f43655e89050dd58b36964230f0addd3afb5a014524cf1acf802cee6222636037e00d022
7
- data.tar.gz: c3c70217629d3f13f6b24546bd2fc373f84a0972008c42651aeac3d5cfa5e20e4caf159f7892695fd2b61d6a1b5142417afb9bc226b87d161cd60c95d37698ad
6
+ metadata.gz: 4ed1ca9938ab9bcb1b6277641ac1470270f3c9bd350a32e5f58eb9ca9bf7fb42c1a6951fd7cc1f5d97ea40a6cd79aa76e970f1b166823bc15610b9eafb940de7
7
+ data.tar.gz: aacc4964978719bf65037639a063a9c8a5d00eaad956fb81c1f9f579e997f38b5fb7f064a1bbd460a9748471ec0db62be5d350c45d34c355ffd7480639f0b3cd
@@ -14,18 +14,26 @@ module Sqreen
14
14
  def to_hash
15
15
  res = { :version => '20171208' }
16
16
  if payload[:observed]
17
- res[:observed] = payload[:observed]
17
+ res[:observed] = payload[:observed].dup
18
18
  rulespack = nil
19
- observed.fetch(:attacks, []).each do |att|
20
- rulespack = att.delete(:rulespack_id) || rulespack
19
+ if observed[:attacks]
20
+ res[:observed][:attacks] = observed[:attacks].map do |att|
21
+ natt = att.dup
22
+ rulespack = natt.delete(:rulespack_id) || rulespack
23
+ natt
24
+ end
21
25
  end
22
- observed.fetch(:sqreen_exceptions, []).each do |exc|
23
- excp = exc.delete(:exception)
24
- if excp
25
- exc[:message] = excp.message
26
- exc[:klass] = excp.class.name
26
+ if observed[:sqreen_exceptions]
27
+ res[:observed][:sqreen_exceptions] = observed[:sqreen_exceptions].map do |exc|
28
+ nex = exc.dup
29
+ excp = nex.delete(:exception)
30
+ if excp
31
+ nex[:message] = excp.message
32
+ nex[:klass] = excp.class.name
33
+ end
34
+ rulespack = nex.delete(:rulespack_id) || rulespack
35
+ nex
27
36
  end
28
- rulespack = exc.delete(:rulespack_id) || rulespack
29
37
  end
30
38
  res[:rulespack_id] = rulespack unless rulespack.nil?
31
39
  if observed[:observations]
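Review bot: The copies introduced here are shallow — `payload[:observed].dup`, `att.dup` and `exc.dup` duplicate only the top-level hash — so any nested values inside an attack or exception record remain shared with the caller's payload. That is enough for this hunk, since the only mutations are `delete(:rulespack_id)` and `delete(:exception)` on the duplicated level plus assignment of `:message`/`:klass`, but a later edit that touches nested data would silently reintroduce the aliasing this commit fixes. A comment on the first dup line, `# shallow copy: only top-level keys may be mutated in to_hash`, would pin that constraint down. Note also that `res[:observed]` is built from `payload[:observed]` while the branches read `observed[...]`; if those are not the same object the copy and the source diverge, which cannot be confirmed from the hunk. `to_hash` continues past the end of this hunk.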
@@ -34,14 +42,14 @@ module Sqreen
34
42
  end
35
43
  end
36
44
  if observed[:sdk]
37
- payload[:observed][:sdk] = observed[:sdk].map do |meth, time, *args|
45
+ res[:observed][:sdk] = observed[:sdk].map do |meth, time, *args|
38
46
  { :name => meth, :time => time, :args => args }
39
47
  end
40
48
  end
41
49
  end
42
50
  res[:local] = payload['local'] if payload['local']
43
51
  if payload['request']
44
- res[:request] = payload['request']
52
+ res[:request] = payload['request'].dup
45
53
  res[:client_ip] = res[:request].delete(:client_ip) if res[:request][:client_ip]
46
54
  else
47
55
  res[:request] = {}
@@ -27,6 +27,29 @@ module Sqreen
27
27
  true
28
28
  end
29
29
  end
30
+ class ReflectedUnsafeXSSCB < XSSCB
31
+ def pre(_inst, *args, &_block)
32
+ value = args[0]
33
+
34
+ return unless value.is_a?(String)
35
+
36
+ # Sqreen::log.debug value
37
+
38
+ return unless framework.params_include?(value)
39
+
40
+ Sqreen.log.debug { format('Found unescaped user param: %s', value) }
41
+
42
+ saved_value = value.dup
43
+ return unless report_dangerous_xss?(saved_value)
44
+
45
+ # potential XSS! let's escape
46
+ if block
47
+ args[0].replace(CGI.escape_html(value))
48
+ end
49
+
50
+ advise_action(nil)
51
+ end
52
+ end
30
53
  # look for reflected XSS with erb template engine
31
54
  class ReflectedXSSCB < XSSCB
32
55
  def pre(_inst, *args, &_block)
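Review bot: `args[0].replace(CGI.escape_html(value))` mutates the reflected string in place, which raises (FrozenError on current Ruby, RuntimeError on older) when that string is frozen — a literal under `frozen_string_literal` or a frozen param value — so the escape needs a guard such as `if block && !args[0].frozen?`, and because skipping leaves the value unescaped the frozen case should at least be logged or handled through whatever return path `advise_action` offers. The `block` tested in that condition is not the `&_block` parameter declared on `pre` (underscore-prefixed, unused), so it presumably resolves to a method on `XSSCB`; naming it explicitly would make the intent clear to the next reader. The debug line writes the raw user-supplied `value` into the agent log; using `value.inspect` (or a truncated form) avoids log injection through embedded newlines and limits how much request data lands in logs. The commented-out `# Sqreen::log.debug value` is dead code and can be dropped, and `CGI.escape_html` relies on `require 'cgi'`, which is not visible in this hunk.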
@@ -1,5 +1,5 @@
1
1
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
2
  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
3
3
  module Sqreen
4
- VERSION = '1.9.1'.freeze
4
+ VERSION = '1.9.2'.freeze
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sqreen
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.9.1
4
+ version: 1.9.2
5
5
  platform: java
6
6
  authors:
7
7
  - Sqreen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-01-23 00:00:00.000000000 Z
11
+ date: 2018-02-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: execjs