sqreen 1.9.1 → 1.9.2
- checksums.yaml +4 -4
- data/lib/sqreen/events/request_record.rb +19 -11
- data/lib/sqreen/rules_callbacks/reflected_xss.rb +23 -0
- data/lib/sqreen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e18e5e4043a3cb2cfa23b0de7e196fb36b2cb180
|
4
|
+
data.tar.gz: 62cc6f1b5b08aa6b01b9401085dea466e45bb2bc
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0217afc0de67b065771e9cb102b94c12c6885ffd27031043f96fc14af7754b0f25a845c1a44a69b7dc5ef798f72300a4fc657aea583dab71398ebae01ad75c30
|
7
|
+
data.tar.gz: 929ae4a93889afb4ec576932c7e92993c9e52385f247d2bab928796ae6cb07037ccfad1fe42d53d459918f1024460003f5c74b0aa30d46ad1900c0cfedee23b1
|
@@ -14,18 +14,26 @@ module Sqreen
|
|
14
14
|
def to_hash
|
15
15
|
res = { :version => '20171208' }
|
16
16
|
if payload[:observed]
|
17
|
-
res[:observed] = payload[:observed]
|
17
|
+
res[:observed] = payload[:observed].dup
|
18
18
|
rulespack = nil
|
19
|
-
observed
|
20
|
-
|
19
|
+
if observed[:attacks]
|
20
|
+
res[:observed][:attacks] = observed[:attacks].map do |att|
|
21
|
+
natt = att.dup
|
22
|
+
rulespack = natt.delete(:rulespack_id) || rulespack
|
23
|
+
natt
|
24
|
+
end
|
21
25
|
end
|
22
|
-
observed
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
26
|
+
if observed[:sqreen_exceptions]
|
27
|
+
res[:observed][:sqreen_exceptions] = observed[:sqreen_exceptions].map do |exc|
|
28
|
+
nex = exc.dup
|
29
|
+
excp = nex.delete(:exception)
|
30
|
+
if excp
|
31
|
+
nex[:message] = excp.message
|
32
|
+
nex[:klass] = excp.class.name
|
33
|
+
end
|
34
|
+
rulespack = nex.delete(:rulespack_id) || rulespack
|
35
|
+
nex
|
27
36
|
end
|
28
|
-
rulespack = exc.delete(:rulespack_id) || rulespack
|
29
37
|
end
|
30
38
|
res[:rulespack_id] = rulespack unless rulespack.nil?
|
31
39
|
if observed[:observations]
|
@@ -34,14 +42,14 @@ module Sqreen
|
|
34
42
|
end
|
35
43
|
end
|
36
44
|
if observed[:sdk]
|
37
|
-
|
45
|
+
res[:observed][:sdk] = observed[:sdk].map do |meth, time, *args|
|
38
46
|
{ :name => meth, :time => time, :args => args }
|
39
47
|
end
|
40
48
|
end
|
41
49
|
end
|
42
50
|
res[:local] = payload['local'] if payload['local']
|
43
51
|
if payload['request']
|
44
|
-
res[:request] = payload['request']
|
52
|
+
res[:request] = payload['request'].dup
|
45
53
|
res[:client_ip] = res[:request].delete(:client_ip) if res[:request][:client_ip]
|
46
54
|
else
|
47
55
|
res[:request] = {}
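Review bot: The purpose of the new `.dup` calls (new lines 17, 21, 28 and 52) is never stated, and `natt = att.dup` followed by `natt.delete(:rulespack_id)` reads as a pointless copy-then-delete without it; a one-line comment at the top of the `if payload[:observed]` branch such as `# build the record from copies: serializing must not strip :rulespack_id / :exception out of payload` would carry the intent. The copies are shallow: `res[:observed]` is a `dup` of the observed hash, so any key the method does not rebuild still aliases the object held in `payload`, which is fine only as long as nothing downstream mutates those entries. `nex[:message] = excp.message` (new line 31) now serializes the raw exception message into the record; if such messages can embed request data, that is worth a note next to the assignment. `to_hash` continues past the hunk, and `observed` is presumably defined outside it.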
|
@@ -27,6 +27,29 @@ module Sqreen
|
|
27
27
|
true
|
28
28
|
end
|
29
29
|
end
|
30
|
+
class ReflectedUnsafeXSSCB < XSSCB
|
31
|
+
def pre(_inst, *args, &_block)
|
32
|
+
value = args[0]
|
33
|
+
|
34
|
+
return unless value.is_a?(String)
|
35
|
+
|
36
|
+
# Sqreen::log.debug value
|
37
|
+
|
38
|
+
return unless framework.params_include?(value)
|
39
|
+
|
40
|
+
Sqreen.log.debug { format('Found unescaped user param: %s', value) }
|
41
|
+
|
42
|
+
saved_value = value.dup
|
43
|
+
return unless report_dangerous_xss?(saved_value)
|
44
|
+
|
45
|
+
# potential XSS! let's escape
|
46
|
+
if block
|
47
|
+
args[0].replace(CGI.escape_html(value))
|
48
|
+
end
|
49
|
+
|
50
|
+
advise_action(nil)
|
51
|
+
end
|
52
|
+
end
|
30
53
|
# look for reflected XSS with erb template engine
|
31
54
|
class ReflectedXSSCB < XSSCB
|
32
55
|
def pre(_inst, *args, &_block)
|
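Review bot: `args[0].replace(CGI.escape_html(value))` on new line 47 rewrites the hooked argument in place, so a frozen String — which the `value.is_a?(String)` check on line 34 does not exclude — turns the escape into a FrozenError inside the application instead of a mitigation; a `frozen?` check before the `replace`, falling through to the existing `advise_action(nil)` so the finding is still reported, would keep the callback from raising, and whether assigning `args[0]` would reach the caller depends on hook machinery outside the hunk. `if block` on line 46 reads like a reference to the deliberately unused `&_block` parameter; if it is the callback's blocking-mode attribute inherited from `XSSCB`, a comment such as `# block: the rule is configured to block, not the call block` would remove the ambiguity. The commented-out `# Sqreen::log.debug value` on line 36 is dead and can be dropped.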
data/lib/sqreen/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sqreen
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.9.
|
4
|
+
version: 1.9.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Sqreen
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-02-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: execjs
|