sqreen 1.9.1 → 1.9.2

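--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: acdbd441e6a336b097173d0945efa941df670e24
- data.tar.gz: 7608472b65debb8c64d5820ac1b7076edb876202
+ metadata.gz: e18e5e4043a3cb2cfa23b0de7e196fb36b2cb180
+ data.tar.gz: 62cc6f1b5b08aa6b01b9401085dea466e45bb2bc
  SHA512:
- metadata.gz: d432c4a0e7a22e4b1d7dcfe7932e63253a498c076b45cdc3bb9bde767ca97f4d874f0df74dba2b2e1d946b88b0646040ac37f22206b2cc1694d177912bf9300d
- data.tar.gz: 6df07a63fc61a412ed1c51504a6ef9d2fe40022272563b5226d10204db58c28c248f3a1f9fd8b20be791c689e87955aef8f7a7f7aa0e38b2f1fdad76a809a07e
+ metadata.gz: 0217afc0de67b065771e9cb102b94c12c6885ffd27031043f96fc14af7754b0f25a845c1a44a69b7dc5ef798f72300a4fc657aea583dab71398ebae01ad75c30
+ data.tar.gz: 929ae4a93889afb4ec576932c7e92993c9e52385f247d2bab928796ae6cb07037ccfad1fe42d53d459918f1024460003f5c74b0aa30d46ad1900c0cfedee23b1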
@@ -14,18 +14,26 @@ module Sqreen
14
14
  def to_hash
15
15
  res = { :version => '20171208' }
16
16
  if payload[:observed]
17
- res[:observed] = payload[:observed]
17
+ res[:observed] = payload[:observed].dup
18
18
  rulespack = nil
19
- observed.fetch(:attacks, []).each do |att|
20
- rulespack = att.delete(:rulespack_id) || rulespack
19
+ if observed[:attacks]
20
+ res[:observed][:attacks] = observed[:attacks].map do |att|
21
+ natt = att.dup
22
+ rulespack = natt.delete(:rulespack_id) || rulespack
23
+ natt
24
+ end
21
25
  end
22
- observed.fetch(:sqreen_exceptions, []).each do |exc|
23
- excp = exc.delete(:exception)
24
- if excp
25
- exc[:message] = excp.message
26
- exc[:klass] = excp.class.name
26
+ if observed[:sqreen_exceptions]
27
+ res[:observed][:sqreen_exceptions] = observed[:sqreen_exceptions].map do |exc|
28
+ nex = exc.dup
29
+ excp = nex.delete(:exception)
30
+ if excp
31
+ nex[:message] = excp.message
32
+ nex[:klass] = excp.class.name
33
+ end
34
+ rulespack = nex.delete(:rulespack_id) || rulespack
35
+ nex
27
36
  end
28
- rulespack = exc.delete(:rulespack_id) || rulespack
29
37
  end
30
38
  res[:rulespack_id] = rulespack unless rulespack.nil?
31
39
  if observed[:observations]
@@ -34,14 +42,14 @@ module Sqreen
34
42
  end
35
43
  end
36
44
  if observed[:sdk]
37
- payload[:observed][:sdk] = observed[:sdk].map do |meth, time, *args|
45
+ res[:observed][:sdk] = observed[:sdk].map do |meth, time, *args|
38
46
  { :name => meth, :time => time, :args => args }
39
47
  end
40
48
  end
41
49
  end
42
50
  res[:local] = payload['local'] if payload['local']
43
51
  if payload['request']
44
- res[:request] = payload['request']
52
+ res[:request] = payload['request'].dup
45
53
  res[:client_ip] = res[:request].delete(:client_ip) if res[:request][:client_ip]
46
54
  else
47
55
  res[:request] = {}
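Review bot: The reason for the new `.dup` calls in to_hash (`res[:observed] = payload[:observed].dup`, `natt = att.dup`, `nex = exc.dup`, `res[:request] = payload['request'].dup`) is not recorded anywhere, and a one-line comment at the first of them would stop a later maintainer from "simplifying" them away, e.g. `# Work on copies: the delete calls below must not mutate payload.` Note that `Hash#dup` is shallow, so `res[:observed]` still shares every nested value this method does not reassign (`:attacks`, `:sqreen_exceptions` and `:sdk` are reassigned here; what the hidden `:observations` branch between the two hunks, old 32–33 / new 40–41, does to its value is not visible and should be checked for the same in-place pattern). The reassignments also presumably rely on `observed` aliasing `payload[:observed]` so that the copied keys land on the same hash that was duplicated; that is not visible in this section and is worth confirming. to_hash's body ends outside this section.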
@@ -27,6 +27,29 @@ module Sqreen
27
27
  true
28
28
  end
29
29
  end
30
+ class ReflectedUnsafeXSSCB < XSSCB
31
+ def pre(_inst, *args, &_block)
32
+ value = args[0]
33
+
34
+ return unless value.is_a?(String)
35
+
36
+ # Sqreen::log.debug value
37
+
38
+ return unless framework.params_include?(value)
39
+
40
+ Sqreen.log.debug { format('Found unescaped user param: %s', value) }
41
+
42
+ saved_value = value.dup
43
+ return unless report_dangerous_xss?(saved_value)
44
+
45
+ # potential XSS! let's escape
46
+ if block
47
+ args[0].replace(CGI.escape_html(value))
48
+ end
49
+
50
+ advise_action(nil)
51
+ end
52
+ end
30
53
  # look for reflected XSS with erb template engine
31
54
  class ReflectedXSSCB < XSSCB
32
55
  def pre(_inst, *args, &_block)
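Review bot: `args[0].replace(CGI.escape_html(value))` in ReflectedUnsafeXSSCB#pre rewrites the caller's string in place, and `String#replace` raises on a frozen receiver, so if the hooked method can ever be handed a frozen literal or a frozen param the protective rewrite turns into an exception; if that can happen here the hook should skip the rewrite (or report without escaping) rather than fail. The `saved_value = value.dup` two lines earlier deserves a why-comment, since that in-place `replace` is exactly what it guards against, e.g. `# dup: report_dangerous_xss? may retain this string, and replace below mutates args[0] in place`. Style: the two-line `if block ... end` around one statement reads better as `args[0].replace(CGI.escape_html(value)) if block`, and the commented-out `# Sqreen::log.debug value` line is dead code that should go. The trailing context shows ReflectedXSSCB#pre continuing outside this section.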
@@ -1,5 +1,5 @@
1
1
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
2
  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
3
3
  module Sqreen
4
- VERSION = '1.9.1'.freeze
4
+ VERSION = '1.9.2'.freeze
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sqreen
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.9.1
4
+ version: 1.9.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sqreen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-01-23 00:00:00.000000000 Z
11
+ date: 2018-02-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: execjs