RubyGems - sqreen - Versions diffs - 1.10.5-java → 1.11.0-java - Mend

sqreen 1.10.5-java → 1.11.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

checksums.yaml +4 -4
data/lib/sqreen/callback_tree.rb +1 -1
data/lib/sqreen/callbacks.rb +10 -0
data/lib/sqreen/configuration.rb +15 -3
data/lib/sqreen/frameworks/generic.rb +43 -4
data/lib/sqreen/frameworks/request_recorder.rb +4 -0
data/lib/sqreen/instrumentation.rb +102 -60
data/lib/sqreen/log.rb +3 -0
data/lib/sqreen/performance_notifications.rb +39 -7
data/lib/sqreen/performance_notifications/log_performance.rb +70 -0
data/lib/sqreen/performance_notifications/metrics.rb +1 -1
data/lib/sqreen/performance_notifications/newrelic.rb +61 -5
data/lib/sqreen/remote_command.rb +1 -0
data/lib/sqreen/rule_callback.rb +11 -0
data/lib/sqreen/rules_callbacks/count_http_codes.rb +4 -0
data/lib/sqreen/rules_callbacks/custom_error.rb +4 -0
data/lib/sqreen/rules_callbacks/record_request_context.rb +4 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +44 -14
data/lib/sqreen/runner.rb +14 -0
data/lib/sqreen/version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 58abc14c547cc578aaf136de7ab1ec4171b64e1e3502177ac3c5d2490180ba22
-  data.tar.gz: 42ef798d12119ceaa07ed590c4c9196a6ea28b2c6daf5f122949ece0cca9d7c5
+  metadata.gz: 53669623f0ae28ec6d69e5811956073c925f977a0beceda24756f4c2dc0b1bf5
+  data.tar.gz: dd62e44b9461fc8fac1bd11a511d1c4023fc152ced31afdaf17934ed82824e85
 SHA512:
-  metadata.gz: b6acfc147fa7349d8c5535b77438402efaa674e9f1841fb58e59395100b82c469d62a0bac456b64e8dce3320378ec57113c6acbeee6b0c96a32af0bf1bb0c848
-  data.tar.gz: c24b36e4be8bfdc3f727d8810ed79b5a9e403fab122fdf3c240442e7dbdf392ce9b4e6aeb098003019947fbd8213bb93ad81b457cd6f33a29bbb44edf6f5faa4
+  metadata.gz: 23dd698494d6913be0cf911d034ae7c51fa2969959f3758eed165958d390e6b80860f1c20d40298a3b1acf42456c0ca276dc65b0ab161cae917cf18ede700fb7
+  data.tar.gz: c9567b90cdeb4cf836cf8f20a0781e584d3cf3dddf09b83434ad70b91d3f17122660dfac4766cf818b08c77f22fcf6fbc13d84bfc2668e2257d26fcc2ad77e42

data/lib/sqreen/callback_tree.rb CHANGED

@@ -48,7 +48,7 @@ module Sqreen
       cbs = k[method]
       unless cbs
         Sqreen.log.debug { format('Error: no cbs registered for method %s.%s', klass, method) }
-        Sqreen.log.debug { log(inspect) }
+        Sqreen.log.debug { inspect }
         return []
       end

data/lib/sqreen/callbacks.rb CHANGED

@@ -3,6 +3,7 @@
 require 'set'
 require 'sqreen/shared_storage'
+require 'sqreen/log'
 module Sqreen
@@ -67,6 +68,15 @@ module Sqreen
     def to_s
       format('#<%s: %s.%s>', self.class, @klass, @method)
     end
+    def overtime!
+      Sqreen.log.debug { "#{self} is overtime!" }
+      false
+    end
+    def framework
+      nil
+    end
   end
   # target_method, position, callback, callback class

data/lib/sqreen/configuration.rb CHANGED

@@ -11,8 +11,8 @@ module Sqreen
   def self.config_init(framework = nil)
     @config = Configuration.new(framework)
     @config.load!
-    if @config && config_get(:report_perf_newrelic)
-      Sqreen::PerformanceNotifications::NewRelic.enable
+    if @config && config_get(:report_perf_newrelic) > 0
+      Sqreen::PerformanceNotifications::NewRelic.enable(config_get(:report_perf_newrelic))
     end
     @config
   end
@@ -44,6 +44,8 @@ module Sqreen
     { :env => :SQREEN_BLOCK_ALL_RULES, :name => :block_all_rules,
       :default => nil },
     { :env => :SQREEN_REPORT_PERF_NR, :name => :report_perf_newrelic,
+      :default => 0, :convert => :to_int },
+    { :env => :SQREEN_REPORT_PERF, :name => :report_perf,
       :default => false, :convert => :to_bool },
     { :env => :SQREEN_INITIAL_FEATURES, :name => :initial_features,
       :default => nil },
@@ -53,7 +55,13 @@ module Sqreen
   CONFIG_FILE_NAME = 'sqreen.yml'.freeze
   def self.to_bool(value)
-      %w[1 true].include?(value.to_s.downcase.strip)
+    %w[1 true].include?(value.to_s.downcase.strip)
+  end
+  def self.to_int(value)
+    str = value.to_s.downcase.strip
+    str = 1 if str == 'true'
+    str.to_i
   end
   # Class to access configurations variables
@@ -164,5 +172,9 @@ module Sqreen
     def to_bool(value)
       Sqreen::to_bool(value)
     end
+    def to_int(value)
+      Sqreen::to_int(value)
+    end
   end
 end

data/lib/sqreen/frameworks/generic.rb CHANGED

@@ -1,6 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 require 'ipaddr'
+require 'set'
 require 'sqreen/events/remote_exception'
 require 'sqreen/callbacks'
@@ -199,8 +200,8 @@ module Sqreen
       end
       # Does the parameters value include this value
-      def params_include?(value)
-        params = request_params
+      def params_include?(value, params = nil)
+        params = request_params if params.nil?
         return false if params.nil?
         each_value_for_hash(params) do |param|
           return true if param == value
@@ -209,8 +210,8 @@ module Sqreen
       end
       # Does the parameters key/value include this value
-      def full_params_include?(value)
-        params = request_params
+      def full_params_include?(value, params = nil)
+        params = request_params if params.nil?
         return false if params.nil?
         each_key_value_for_hash(params) do |param|
           return true if param == value
@@ -218,12 +219,22 @@ module Sqreen
         false
       end
+      def mark_request_overtime!
+        over = SharedStorage.get(:request_overtime)
+        return false if over
+        SharedStorage.set(:request_overtime, true)
+        true
+      end
       # Fetch and store the current request object
       # Nota: cleanup should be performed at end of request (see clean_request)
       def store_request(object)
         return unless ensure_rack_loaded
+        self.remaining_perf_budget = Sqreen.performance_budget
         SharedStorage.set(:request, Rack::Request.new(object))
         SharedStorage.inc(:stored_requests)
+        SharedStorage.set(:xss_params, nil)
+        SharedStorage.set(:request_overtime, nil)
       end
       # Get the currently stored request
@@ -236,7 +247,18 @@ module Sqreen
         return unless SharedStorage.dec(:stored_requests) <= 0
         payload_creator = Sqreen::PayloadCreator.new(self)
         close_request_record(Sqreen.queue, Sqreen.observations_queue, payload_creator)
+        self.remaining_perf_budget = nil
         SharedStorage.set(:request, nil)
+        SharedStorage.set(:xss_params, nil)
+        SharedStorage.set(:request_overtime, nil)
+      end
+      def remaining_perf_budget
+        SharedStorage.get(:performance_budget)
+      end
+      def remaining_perf_budget=(value)
+        SharedStorage.set(:performance_budget, value)
       end
       def request_params
@@ -347,6 +369,23 @@ module Sqreen
         request.env['REMOTE_ADDR']
       end
+      def xss_params(regexp = nil)
+        p = SharedStorage.get(:xss_params)
+        return p unless p.nil?
+        p = request_params
+        parm = Set.new
+        each_key_value_for_hash(p) do |value|
+          next unless value.is_a?(String)
+          next if value.size < 5
+          next if regexp && !regexp.match(value)
+          parm << value
+        end
+        p = parm.to_a
+        Sqreen.log.debug { "Filtered XSS params: #{p.inspect}" }
+        SharedStorage.set(:xss_params, p)
+        p
+      end
       protected
       # Is this a whitelisted path?

data/lib/sqreen/frameworks/request_recorder.rb CHANGED

@@ -3,6 +3,8 @@
 require 'set'
 require 'sqreen/shared_storage'
 require 'sqreen/events/request_record'
+require 'sqreen/performance_notifications/log_performance'
+require 'sqreen/performance_notifications/newrelic'
 module Sqreen
   # Store event/observations that happened in this request
@@ -45,6 +47,8 @@ module Sqreen
     end
     def close_request_record(queue, observations_queue, payload_creator)
+      Sqreen::PerformanceNotifications::LogPerformance.next_request
+      Sqreen::PerformanceNotifications::NewRelic.next_request
       clean_request_record if observed_items.nil?
       if only_metric_observation
         push_metrics(observations_queue, queue)

data/lib/sqreen/instrumentation.rb CHANGED

@@ -34,6 +34,7 @@ require 'set'
 module Sqreen
   class Instrumentation
     WHITELISTED_METRIC='whitelisted'.freeze
+    OVERTIME_METRIC='request_overtime'.freeze
     @@override_semaphore = Mutex.new
     ## Overriden methods and callbacks globals
@@ -64,38 +65,52 @@ module Sqreen
           callbacks = callbacks.reject(&:whitelisted?)
         end
+        cb_with_framework = callbacks.find(&:framework)
+        budget = nil
+        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
         returns = []
         callbacks.each do |cb|
           # If record_request is part of callbacks we should filter after it ran
           next if cb.whitelisted?
           rule = cb.rule_name if cb.respond_to?(:rule_name)
+          if !budget.nil? && budget <= 0
+            next if cb.overtime!
+          end
           Sqreen.log.debug { "running pre cb #{cb}" }
-          Sqreen::PerformanceNotifications.instrument("Callbacks/#{rule || cb.class.name}/pre") do
-            begin
-              res = cb.send(:pre, instance, *args, &block)
-              if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
-                Sqreen.log.debug do
-                  "#{cb} cannot block, overriding return value"
-                end
-                res = nil
-              elsif res.is_a?(Hash)
-                res[:rule_name] = rule
-              end
-              returns << res
-            rescue => e
-              Sqreen.log.warn "we catch an exception: #{e.inspect}"
-              Sqreen.log.debug e.backtrace
-              if cb.respond_to?(:record_exception)
-                cb.record_exception(e)
-              else
-                Sqreen::RemoteException.record(e)
+          begin
+            start = Sqreen::PerformanceNotifications.time
+            res = cb.send(:pre, instance, *args, &block)
+            stop = Sqreen::PerformanceNotifications.time
+            # The first few pre callbacks could not have a request & hence a budget just yet so we try harder to find it
+            budget = cb_with_framework.framework.remaining_perf_budget if budget.nil? && !Sqreen.performance_budget.nil? && cb.framework
+            budget -= (stop - start) unless budget.nil?
+            if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
+              Sqreen.log.debug do
+                "#{cb} cannot block, overriding return value"
               end
-              next
+              res = nil
+            elsif res.is_a?(Hash)
+              res[:rule_name] = rule
+            end
+            returns << res
+          rescue StandardError => e
+            Sqreen.log.warn "we catch an exception: #{e.inspect}"
+            Sqreen.log.debug e.backtrace
+            if cb.respond_to?(:record_exception)
+              cb.record_exception(e)
+            else
+              Sqreen::RemoteException.record(e)
             end
+            next
           end
+          Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/pre", start, stop)
         end
+        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil?
         returns
       end
+    rescue StandardError => e
+      Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
+      Sqreen::RemoteException.record(e)
     end
     def self.callback_wrapper_post(klass, method, return_val, instance, *args, &block)
@@ -105,36 +120,48 @@ module Sqreen
           callbacks = callbacks.reject(&:whitelisted?)
         end
+        cb_with_framework = callbacks.find(&:framework)
+        budget = nil
+        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
         returns = []
         callbacks.reverse_each do |cb|
           rule = cb.rule_name if cb.respond_to?(:rule_name)
+          if !budget.nil? && budget <= 0
+            next if cb.overtime!
+          end
           Sqreen.log.debug { "running post cb #{cb}" }
-          Sqreen::PerformanceNotifications.instrument("Callbacks/#{rule || cb.class.name}/post") do
-            begin
-              res = cb.send(:post, return_val, instance, *args, &block)
-              if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
-                Sqreen.log.debug do
-                  "#{cb} cannot block, overriding return value"
-                end
-                res = nil
-              elsif res.is_a?(Hash)
-                res[:rule_name] = rule
-              end
-              returns << res
-            rescue => e
-              Sqreen.log.warn "we catch an exception: #{e.inspect}"
-              Sqreen.log.debug e.backtrace
-              if cb.respond_to?(:record_exception)
-                cb.record_exception(e)
-              else
-                Sqreen::RemoteException.record(e)
+          begin
+            start = Sqreen::PerformanceNotifications.time
+            res = cb.send(:post, return_val, instance, *args, &block)
+            stop = Sqreen::PerformanceNotifications.time
+            budget -= (stop - start) unless budget.nil?
+            if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
+              Sqreen.log.debug do
+                "#{cb} cannot block, overriding return value"
               end
-              next
+              res = nil
+            elsif res.is_a?(Hash)
+              res[:rule_name] = rule
+            end
+            returns << res
+          rescue => e
+            Sqreen.log.warn "we catch an exception: #{e.inspect}"
+            Sqreen.log.debug e.backtrace
+            if cb.respond_to?(:record_exception)
+              cb.record_exception(e)
+            else
+              Sqreen::RemoteException.record(e)
             end
+            next
           end
+          Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/post", start, stop)
         end
+        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil? && !cb_with_framework.framework.remaining_perf_budget.nil?
         returns
       end
+    rescue StandardError => e
+      Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
+      Sqreen::RemoteException.record(e)
     end
     def self.callback_wrapper_failing(exception, klass, method, instance, *args, &block)
@@ -144,36 +171,48 @@ module Sqreen
           callbacks = callbacks.reject(&:whitelisted?)
         end
+        cb_with_framework = callbacks.find(&:framework)
+        budget = nil
+        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
         returns = []
         callbacks.each do |cb|
           rule = cb.rule_name if cb.respond_to?(:rule_name)
+          if !budget.nil? && budget <= 0
+            next if cb.overtime!
+          end
           Sqreen.log.debug { "running failing cb #{cb}" }
-          Sqreen::PerformanceNotifications.instrument("Callbacks/#{rule || cb.class.name}/failing") do
-            begin
-              res = cb.send(:failing, exception, instance, *args, &block)
-              if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
-                Sqreen.log.debug do
-                  "#{cb} cannot block, overriding return value"
-                end
-                res = nil
-              elsif res.is_a?(Hash)
-                res[:rule_name] = rule
+          begin
+            start = Sqreen::PerformanceNotifications.time
+            res = cb.send(:failing, exception, instance, *args, &block)
+            stop = Sqreen::PerformanceNotifications.time
+            budget -= (stop - start) unless budget.nil?
+            if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
+              Sqreen.log.debug do
+                "#{cb} cannot block, overriding return value"
               end
-              returns << res
-            rescue => e
-              Sqreen.log.warn "we catch an exception: #{e.inspect}"
-              Sqreen.log.debug e.backtrace
-              if cb.respond_to?(:record_exception)
-                cb.record_exception(e)
-              else
-                Sqreen::RemoteException.record(e)
-              end
-              next
+              res = nil
+            elsif res.is_a?(Hash)
+              res[:rule_name] = rule
             end
+            returns << res
+          rescue => e
+            Sqreen.log.warn "we catch an exception: #{e.inspect}"
+            Sqreen.log.debug e.backtrace
+            if cb.respond_to?(:record_exception)
+              cb.record_exception(e)
+            else
+              Sqreen::RemoteException.record(e)
+            end
+            next
           end
+          Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/failing", start, stop)
         end
+        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil? && !cb_with_framework.framework.remaining_perf_budget.nil?
         returns
       end
+    rescue StandardError => e
+      Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
+      Sqreen::RemoteException.record(e)
     end
     def self.guard_multi_call(instance, method, original_method, args, block)
@@ -594,6 +633,9 @@ module Sqreen
       metrics_engine.create_metric('name' => WHITELISTED_METRIC,
                                    'period' => 60,
                                    'kind' => 'Sum')
+      metrics_engine.create_metric('name' => OVERTIME_METRIC,
+                                   'period' => 60,
+                                   'kind' => 'Sum')
     end
   end
 end

data/lib/sqreen/log.rb CHANGED

@@ -4,6 +4,7 @@
 require 'logger'
 require 'sqreen/performance_notifications/log'
+require 'sqreen/performance_notifications/log_performance'
 require 'sqreen/configuration'
 module Sqreen
@@ -105,6 +106,8 @@ module Sqreen
       log_level = ::Logger.const_get(level)
       @logger.level = log_level
       Sqreen::PerformanceNotifications::Log.enable if level == 'DEBUG'
+      return if level != 'DEBUG' && !Sqreen.config_get(:report_perf)
+      Sqreen::PerformanceNotifications::LogPerformance.enable
     end
     def create_error_logger

data/lib/sqreen/performance_notifications.rb CHANGED

@@ -1,6 +1,13 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
+begin
+  Process.clock_gettime Process::CLOCK_MONOTONIC
+  SQREEN_MONO_TIME = Process::CLOCK_MONOTONIC
+rescue StandardError
+  SQREEN_MONO_TIME = nil
+end
 module Sqreen
   # This module enable us to keep track of sqreen resource usage
   #
@@ -27,6 +34,16 @@ module Sqreen
         id
       end
+      if SQREEN_MONO_TIME
+        def time
+          Process.clock_gettime(SQREEN_MONO_TIME)
+        end
+      else
+        def time
+          Time.now
+        end
+      end
       # Is there a subscriber for this key
       def listen_for?(key)
         return true unless @subscriptions_all.empty?
@@ -40,6 +57,13 @@ module Sqreen
         _instrument(key, meta, &block)
       end
+      def notify(key, start, stop, meta = {})
+        return unless listen_for?(key)
+        notifiers_for(key).each do |callable|
+          callable.call(key, start, stop, meta)
+        end
+      end
       # Unsubscrube for a given subscription
       def unsubscribe(subscription)
         return unless @subscriptions_all.delete(subscription).nil?
@@ -72,13 +96,21 @@ module Sqreen
         @subscriptions_all.values + str + reg
       end
-      def _instrument(key, meta)
-        start = Time.now
-        yield
-      ensure
-        stop = Time.now
-        notifiers_for(key).each do |callable|
-          callable.call(key, start, stop, meta)
+      if SQREEN_MONO_TIME
+        def _instrument(key, meta)
+          start = Process.clock_gettime(SQREEN_MONO_TIME)
+          yield
+        ensure
+          stop = Process.clock_gettime(SQREEN_MONO_TIME)
+          notify(key, start, stop, meta)
+        end
+      else
+        def _instrument(key, meta)
+          start = Time.now
+          yield
+        ensure
+          stop = Time.now
+          notify(key, start, stop, meta)
         end
       end
     end

data/lib/sqreen/performance_notifications/log_performance.rb ADDED

@@ -0,0 +1,70 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'sqreen/performance_notifications'
+module Sqreen
+  module PerformanceNotifications
+    # Log performances on the console
+    class LogPerformance < Log
+      @subid = nil
+      @facility = nil
+      class << self
+        def timings
+          v = SharedStorage.get(:log_performance_timings)
+          if v.nil?
+            v = []
+            self.timings = v
+          end
+          v
+        end
+        def timings=(value)
+          SharedStorage.set(:log_performance_timings, value)
+        end
+        def log(event, start, finish, _meta)
+          timings << [event, start, finish]
+        end
+        def enabled?
+          !@subid.nil?
+        end
+        def next_request
+          return unless enabled?
+          (@facility || Sqreen.log).warn do
+            output = timings.map do |evt, start, finish|
+              [evt.split('/')[1], (finish - start) * 1000]
+            end
+            self.timings = []
+            total = output.map(&:last).inject(0, &:+)
+            rules = output.inject({}) do |acc, (e, t)|
+              tt, cc = (acc[e] || [0, 0])
+              acc[e] = [tt + t, cc + 1]
+              acc
+            end
+            format(
+              "Sqreen request overhead:\n" +
+              ("%s: %.2fms (%d calls)\n" * rules.size) +
+              'Total: %.2fms', *rules.to_a.sort_by { |e| e[1] }.flatten, total
+            )
+          end
+        end
+        def enable(facility = nil)
+          return unless @subid.nil?
+          @facility = facility
+          @subid = Sqreen::PerformanceNotifications.subscribe(nil,
+                                                              &method(:log))
+        end
+        def disable
+          return if @subid.nil?
+          Sqreen::PerformanceNotifications.unsubscribe(@subid)
+          @subid = nil
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/performance_notifications/metrics.rb CHANGED

@@ -12,7 +12,7 @@ module Sqreen
       class << self
         EVENT_CAT = 'sqreen_time'.freeze
         def log(event, start, finish, _meta)
-          evt = [EVENT_CAT, event, (finish - start) * 1000, finish]
+          evt = [EVENT_CAT, event, (finish - start) * 1000, SQREEN_MONO_TIME ? Time.now.utc : finish]
           Sqreen.observations_queue.push(evt)
         end

data/lib/sqreen/performance_notifications/newrelic.rb CHANGED

@@ -8,18 +8,73 @@ module Sqreen
     # Log performances on the console
     class NewRelic
       @subid = nil
-      @nr_name_regexp = %r{/([^/]+)$}
+      @level = 0
       class << self
+        def timings
+          v = SharedStorage.get(:log_performance_nr_timings)
+          if v.nil?
+            v = []
+            self.timings = v
+          end
+          v
+        end
+        def timings=(value)
+          SharedStorage.set(:log_performance_nr_timings, value)
+        end
         def log(event, start, finish, _meta)
-          event_name = "Custom/Sqreen#{event.sub(@nr_name_regexp, '_\1')}"
-          ::NewRelic::Agent.record_metric(event_name, finish - start)
+          timings << [event, start, finish]
+        end
+        def enabled?
+          !@subid.nil?
+        end
+        def report(hash)
+          if ::NewRelic::Agent.respond_to?(:add_custom_attributes)
+            return ::NewRelic::Agent.add_custom_attributes(hash)
+          end
+          ::NewRelic::Agent.add_custom_parameters(:user_id => @user.id)
+        end
+        def next_request
+          return unless enabled?
+          if @level == 1
+            overhead = timings.map do |_evt, start, finish|
+              (finish - start) * 1000
+            end.inject(0, &:+)
+            report('sqreen_time' => overhead)
+          else
+            output = timings.map do |evt, start, finish|
+              [evt.split('/')[1], (finish - start) * 1000]
+            end
+            total = 0
+            count = 0
+            rules = output.inject({}) do |acc, (e, t)|
+              tt, cc = (acc[e] || [0, 0])
+              acc[e] = [tt + t, cc + 1]
+              total += t
+              count += 1
+              acc
+            end
+            attrs = rules.inject('sqreen_time' => total, 'sqreen_count' => count) do |acc, (rule, values)|
+              acc["sqreen_#{rule}_time"] = values[0]
+              acc["sqreen_#{rule}_count"] = values[1]
+              acc
+            end
+            report(attrs)
+          end
+          self.timings = []
         end
-        def enable
+        def enable(level = 0)
           return unless @subid.nil?
           return unless defined?(::NewRelic::Agent)
+          return unless ::NewRelic::Agent.respond_to?(:add_custom_attributes) || ::NewRelic::Agent.respond_to?(:add_custom_parameters)
+          return unless level > 0
+          @level = level
           Sqreen.log.debug('Enabling New Relic reporting')
           @subid = Sqreen::PerformanceNotifications.subscribe(nil,
                                                               &method(:log))
@@ -29,6 +84,7 @@ module Sqreen
           return if @subid.nil?
           Sqreen::PerformanceNotifications.unsubscribe(@subid)
           @subid = nil
+          @level = 0
         end
       end
     end

data/lib/sqreen/remote_command.rb CHANGED

@@ -16,6 +16,7 @@ module Sqreen
       :paths_whitelist => :change_whitelisted_paths,
       :ips_whitelist => :change_whitelisted_ips,
       :get_bundle => :upload_bundle,
+      :performance_budget => :change_performance_budget,
     }.freeze
     attr_reader :uuid

data/lib/sqreen/rule_callback.rb CHANGED

@@ -103,6 +103,17 @@ module Sqreen
         }
         framework.observe(:sqreen_exceptions, payload)
       end
+      def overtime!
+        Sqreen.log.debug { "rulecb #{self} is overtime!" }
+        return true if framework.nil? || !framework.mark_request_overtime!
+        record_observation(
+          'request_overtime',
+          rule_name,
+          1
+        )
+        true
+      end
     end
   end
 end

data/lib/sqreen/rules_callbacks/count_http_codes.rb CHANGED

@@ -15,6 +15,10 @@ module Sqreen
         record_observation(METRIC_CATEGORY, rv[0], 1)
         advise_action(nil)
       end
+      def overtime!
+        false
+      end
     end
     # Count 1 for each things located by the binding accessor

data/lib/sqreen/rules_callbacks/custom_error.rb CHANGED

@@ -59,6 +59,10 @@ module Sqreen
         }
         [@status_code, headers, page]
       end
+      def overtime!
+        false
+      end
     end
   end
 end

data/lib/sqreen/rules_callbacks/record_request_context.rb CHANGED

@@ -12,6 +12,10 @@ module Sqreen
         false
       end
+      def overtime!
+        false
+      end
       def pre(_inst, *args, &_block)
         framework.store_request(args[0])
         wh = framework.whitelisted_match

data/lib/sqreen/rules_callbacks/reflected_xss.rb CHANGED

@@ -12,6 +12,15 @@ module Sqreen
   module Rules
     # XSSCB abstract common behaviour of tpls
     class XSSCB < RegexpRuleCB
+      def initialize(*args)
+        super(*args)
+        @union_pattern = Regexp.union(*@patterns)
+      end
+      def xss_params
+        return nil unless framework
+        framework.xss_params(@union_pattern)
+      end
       # The remaining code is only to find out if user entry was an attack,
       # and record it. Since we don't rely on it to respond to user, it would
       # be better to do it in background.
@@ -35,7 +44,7 @@ module Sqreen
         # Sqreen::log.debug value
-        return unless framework.params_include?(value)
+        return unless xss_params.any? { |p| p == value }
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }
@@ -62,7 +71,7 @@ module Sqreen
         # Sqreen::log.debug value
-        return unless framework.params_include?(value)
+        return unless xss_params.any? { |p| p == value }
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }
@@ -70,9 +79,7 @@ module Sqreen
         return unless report_dangerous_xss?(saved_value)
         # potential XSS! let's escape
-        if block
-          args[0].replace(CGI.escape_html(value))
-        end
+        args[0].replace(CGI.escape_html(value)) if block
         advise_action(nil)
       end
@@ -85,16 +92,13 @@ module Sqreen
     class ReflectedXSSHamlCB < XSSCB
       def post(ret, _inst, *_args, &_block)
         value = ret
-        return if value.nil?
-        # Sqreen::log.debug value
+        return unless value.is_a?(String)
-        return unless framework.full_params_include?(value)
+        # 99% of the time we return here
+        return unless xss_params.any? { |p| p == value }
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }
-        return unless value.is_a?(String)
         return unless report_dangerous_xss?(value)
         return unless block
@@ -117,6 +121,10 @@ module Sqreen
         end
         nil
       end
+      def overtime!
+        false
+      end
     end
     # Hook into haml4 tag parser
@@ -132,6 +140,10 @@ module Sqreen
         end
         nil
       end
+      def overtime!
+        false
+      end
     end
     class Haml4UtilInterpolationHookCB < RuleCB
@@ -147,13 +159,18 @@ module Sqreen
           if escapes.odd?
             res << '#{'
           else
+            # Use eval to get rid of string escapes
             content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"')
             content = "Haml::Helpers.html_escape((#{content}))" if escape_html
-            res << '#{Sqreen.escape_haml((' + content + '))}' # Use eval to get rid of string escapes
+            res << '#{Sqreen.escape_haml((' + content + '))}'
           end
         end
         { :status => :skip, :new_return_value => res + rest }
       end
+      def overtime!
+        false
+      end
     end
     # Hook build attributes
@@ -161,8 +178,9 @@ module Sqreen
       def pre(inst, *args, &_block)
         return unless Haml::VERSION < '5'
         attrs = args[-1]
+        params = xss_params
         new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
-          if !key.nil? && key.is_a?(String) && framework.full_params_include?(key) && report_dangerous_xss?(key)
+          if !key.nil? && key.is_a?(String) && params.any? { |p| p == key } && report_dangerous_xss?(key)
             Sqreen.log.debug { format('Found unescaped user param: %s', key) }
             [CGI.escape_html(key), true]
           else
@@ -199,6 +217,10 @@ module Sqreen
         end
         [new_h, has_xss]
       end
+      def overtime!
+        false
+      end
     end
     class Haml5EscapableHookCB < RuleCB
@@ -206,6 +228,10 @@ module Sqreen
         args[0] = "Sqreen.escape_haml((#{args[0]}))"
         { :status => :modify_args, :args => args }
       end
+      def overtime!
+        false
+      end
     end
     # Hook into temple template rendering
@@ -214,6 +240,10 @@ module Sqreen
         ret[1] = "Sqreen.escape_temple((#{ret[1]}))"
         { :status => :override, :new_return_value => ret }
       end
+      def overtime!
+        false
+      end
     end
     # Hook into temple template rendering
@@ -222,7 +252,7 @@ module Sqreen
         value = args[0]
         return if value.nil?
-        return unless framework.full_params_include?(value)
+        return unless xss_params.any? { |p| p == value }
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }

data/lib/sqreen/runner.rb CHANGED

@@ -59,6 +59,12 @@ module Sqreen
     def update_whitelisted_ips(paths)
       @whitelisted_ips = Hash[paths.map { |v| [v, IPAddr.new(v)] }].freeze
     end
+    attr_reader :performance_budget
+    def update_performance_budget(value)
+      return @performance_budget = nil if value.nil?
+      @performance_budget = value.to_f / 1000
+    end
   end
   # Main running job class for the agent
@@ -94,6 +100,7 @@ module Sqreen
       @url = @configuration.get(:url)
       Sqreen.update_whitelisted_paths([])
       Sqreen.update_whitelisted_ips({})
+      Sqreen.update_performance_budget(nil)
       raise(Sqreen::Exception, 'no url found') unless @url
       raise(Sqreen::TokenNotFoundException, 'no token found') unless @token
@@ -251,6 +258,13 @@ module Sqreen
       true
     end
+    def change_performance_budget(budget, _context_infos = {})
+      return false unless budget.nil? || budget.to_f > 0
+      prev = Sqreen.performance_budget
+      Sqreen.update_performance_budget(budget)
+      { :was => prev }
+    end
     def upload_bundle(_context_infos = {})
       t = Time.now
       session.post_bundle(RuntimeInfos.dependencies_signature, RuntimeInfos.dependencies)

data/lib/sqreen/version.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.10.5'.freeze
+  VERSION = '1.11.0'.freeze
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.10.5
+  version: 1.11.0
 platform: java
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-22 00:00:00.000000000 Z
+date: 2018-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs
@@ -86,6 +86,7 @@ files:
 - lib/sqreen/payload_creator.rb
 - lib/sqreen/performance_notifications.rb
 - lib/sqreen/performance_notifications/log.rb
+- lib/sqreen/performance_notifications/log_performance.rb
 - lib/sqreen/performance_notifications/metrics.rb
 - lib/sqreen/performance_notifications/newrelic.rb
 - lib/sqreen/remote_command.rb