sqreen 1.9.1-java → 1.9.2-java

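--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
- metadata.gz: 37d3a22e3058785af671a89e73cc469b60fdd010
- data.tar.gz: 347a2279b06c9ec23e06b8a054239f44e77b41c1
+ metadata.gz: ad04bee0a61218373cab51d02d3690ddd5f19021
+ data.tar.gz: f4921ac550a7801022795f66f959a2e5e1ebd8e4
 SHA512:
- metadata.gz: 1c71b83145340e66c5c9665592cb66d7352218a9430c6fbf29027e58f43655e89050dd58b36964230f0addd3afb5a014524cf1acf802cee6222636037e00d022
- data.tar.gz: c3c70217629d3f13f6b24546bd2fc373f84a0972008c42651aeac3d5cfa5e20e4caf159f7892695fd2b61d6a1b5142417afb9bc226b87d161cd60c95d37698ad
+ metadata.gz: 4ed1ca9938ab9bcb1b6277641ac1470270f3c9bd350a32e5f58eb9ca9bf7fb42c1a6951fd7cc1f5d97ea40a6cd79aa76e970f1b166823bc15610b9eafb940de7
+ data.tar.gz: aacc4964978719bf65037639a063a9c8a5d00eaad956fb81c1f9f579e997f38b5fb7f064a1bbd460a9748471ec0db62be5d350c45d34c355ffd7480639f0b3cd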
@@ -14,18 +14,26 @@ module Sqreen
14
14
  def to_hash
15
15
  res = { :version => '20171208' }
16
16
  if payload[:observed]
17
- res[:observed] = payload[:observed]
17
+ res[:observed] = payload[:observed].dup
18
18
  rulespack = nil
19
- observed.fetch(:attacks, []).each do |att|
20
- rulespack = att.delete(:rulespack_id) || rulespack
19
+ if observed[:attacks]
20
+ res[:observed][:attacks] = observed[:attacks].map do |att|
21
+ natt = att.dup
22
+ rulespack = natt.delete(:rulespack_id) || rulespack
23
+ natt
24
+ end
21
25
  end
22
- observed.fetch(:sqreen_exceptions, []).each do |exc|
23
- excp = exc.delete(:exception)
24
- if excp
25
- exc[:message] = excp.message
26
- exc[:klass] = excp.class.name
26
+ if observed[:sqreen_exceptions]
27
+ res[:observed][:sqreen_exceptions] = observed[:sqreen_exceptions].map do |exc|
28
+ nex = exc.dup
29
+ excp = nex.delete(:exception)
30
+ if excp
31
+ nex[:message] = excp.message
32
+ nex[:klass] = excp.class.name
33
+ end
34
+ rulespack = nex.delete(:rulespack_id) || rulespack
35
+ nex
27
36
  end
28
- rulespack = exc.delete(:rulespack_id) || rulespack
29
37
  end
30
38
  res[:rulespack_id] = rulespack unless rulespack.nil?
31
39
  if observed[:observations]
@@ -34,14 +42,14 @@ module Sqreen
34
42
  end
35
43
  end
36
44
  if observed[:sdk]
37
- payload[:observed][:sdk] = observed[:sdk].map do |meth, time, *args|
45
+ res[:observed][:sdk] = observed[:sdk].map do |meth, time, *args|
38
46
  { :name => meth, :time => time, :args => args }
39
47
  end
40
48
  end
41
49
  end
42
50
  res[:local] = payload['local'] if payload['local']
43
51
  if payload['request']
44
- res[:request] = payload['request']
52
+ res[:request] = payload['request'].dup
45
53
  res[:client_ip] = res[:request].delete(:client_ip) if res[:request][:client_ip]
46
54
  else
47
55
  res[:request] = {}
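Review bot: `payload[:observed].dup` on the `res[:observed] =` line of the first hunk is a shallow copy, so every nested value in `res[:observed]` other than the `:attacks`, `:sqreen_exceptions` and `:sdk` keys this method reassigns still aliases the caller's payload; the `observed[:observations]` branch at the bottom of that hunk continues outside it, so whether it mutates in place cannot be confirmed here. A comment on the dup line would make the contract explicit: `# shallow copy: the keys rewritten below are reassigned, never mutated, so payload is left untouched`. The matching fix in the second hunk (`payload['request'].dup` before `delete(:client_ip)`) is sound because the delete targets the copied top level. `observed` is used in both hunks without a visible definition — presumably an accessor or local aliasing `payload[:observed]` set before line 14 — and `to_hash` starts and ends outside the hunks.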
@@ -27,6 +27,29 @@ module Sqreen
27
27
  true
28
28
  end
29
29
  end
30
+ class ReflectedUnsafeXSSCB < XSSCB
31
+ def pre(_inst, *args, &_block)
32
+ value = args[0]
33
+
34
+ return unless value.is_a?(String)
35
+
36
+ # Sqreen::log.debug value
37
+
38
+ return unless framework.params_include?(value)
39
+
40
+ Sqreen.log.debug { format('Found unescaped user param: %s', value) }
41
+
42
+ saved_value = value.dup
43
+ return unless report_dangerous_xss?(saved_value)
44
+
45
+ # potential XSS! let's escape
46
+ if block
47
+ args[0].replace(CGI.escape_html(value))
48
+ end
49
+
50
+ advise_action(nil)
51
+ end
52
+ end
30
53
  # look for reflected XSS with erb template engine
31
54
  class ReflectedXSSCB < XSSCB
32
55
  def pre(_inst, *args, &_block)
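Review bot: `block` in the `if block` guard of `ReflectedUnsafeXSSCB#pre` is not the `&_block` parameter the method declares (that name is deliberately unused), so it must resolve to a method inherited from `XSSCB` — presumably the callback's blocking-mode flag; a comment such as `# block: the callback's blocking flag, not the yielded block` would keep the two from being confused. The in-place `args[0].replace(CGI.escape_html(value))` raises when the template hands in a frozen string, and the `value.is_a?(String)` guard does not exclude that case, so the frozen case should be handled explicitly (check `args[0].frozen?` before `replace` and log the failed escape rather than letting it raise out of the template render). The commented-out `# Sqreen::log.debug value` line is dead code and should go. `CGI.escape_html` is only correct for HTML text and quoted-attribute contexts, which the `# potential XSS! let's escape` comment could state; whether `cgi` is required in this file is outside the hunk.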
@@ -1,5 +1,5 @@
1
1
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
2
  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
3
3
  module Sqreen
4
- VERSION = '1.9.1'.freeze
4
+ VERSION = '1.9.2'.freeze
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sqreen
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.9.1
4
+ version: 1.9.2
5
5
  platform: java
6
6
  authors:
7
7
  - Sqreen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-01-23 00:00:00.000000000 Z
11
+ date: 2018-02-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: execjs