RubyGems - sqreen - Versions diffs - 1.11.0 → 1.11.1 - Mend

sqreen 1.11.0 → 1.11.1

Files changed (39) hide show

checksums.yaml +4 -4
data/lib/sqreen.rb +0 -1
data/lib/sqreen/callback_tree.rb +38 -20
data/lib/sqreen/callbacks.rb +6 -4
data/lib/sqreen/conditionable.rb +3 -3
data/lib/sqreen/frameworks/generic.rb +38 -18
data/lib/sqreen/frameworks/request_recorder.rb +0 -2
data/lib/sqreen/instrumentation.rb +217 -160
data/lib/sqreen/performance_notifications.rb +10 -36
data/lib/sqreen/performance_notifications/log.rb +1 -2
data/lib/sqreen/performance_notifications/log_performance.rb +1 -2
data/lib/sqreen/performance_notifications/metrics.rb +1 -2
data/lib/sqreen/performance_notifications/newrelic.rb +1 -2
data/lib/sqreen/remote_command.rb +7 -7
data/lib/sqreen/rule_callback.rb +4 -0
data/lib/sqreen/rules.rb +2 -2
data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb +7 -1
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +3 -3
data/lib/sqreen/rules_callbacks/blacklist_ips.rb +1 -1
data/lib/sqreen/rules_callbacks/count_http_codes.rb +7 -6
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +1 -1
data/lib/sqreen/rules_callbacks/custom_error.rb +2 -5
data/lib/sqreen/rules_callbacks/execjs.rb +76 -37
data/lib/sqreen/rules_callbacks/headers_insert.rb +1 -1
data/lib/sqreen/rules_callbacks/inspect_rule.rb +3 -3
data/lib/sqreen/rules_callbacks/matcher_rule.rb +18 -17
data/lib/sqreen/rules_callbacks/rails_parameters.rb +1 -1
data/lib/sqreen/rules_callbacks/record_request_context.rb +9 -8
data/lib/sqreen/rules_callbacks/reflected_xss.rb +40 -34
data/lib/sqreen/rules_callbacks/regexp_rule.rb +13 -4
data/lib/sqreen/rules_callbacks/shell_env.rb +2 -2
data/lib/sqreen/rules_callbacks/url_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +1 -1
data/lib/sqreen/session.rb +1 -1
data/lib/sqreen/shared_storage.rb +16 -12
data/lib/sqreen/{stats.rb → shared_storage23.rb} +3 -11
data/lib/sqreen/version.rb +1 -1
metadata +4 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a04c8884aa63b248a08d85df2a8c88c2afaed0ae3ab1c09ee60225eac9c448f
-  data.tar.gz: caa7915935e6f34758261a63da938b77ea13d29cbd8b6a676b51593fba39dc77
+  metadata.gz: eee0cd857bae436a452af37bf21237fe240d24dd255f991586df7c925158ceb9
+  data.tar.gz: 310700ff34c420244c49873f3b6ccd38b3c8141fbefba8ce2ba268876b2dc982
 SHA512:
-  metadata.gz: 3d49fd81fce6e403e6a8964ce2d49c2d5c261335f77f73b36113a4fda8b938807bf64757ae5b3a33fdf80f7e4a0c027500c842883e16300ee37c600b2a0a97b9
-  data.tar.gz: 471ac71351a3a6fbfd326fb0a38296656532c57f19ea8c91347207284bc2867cf55da1bd90285d3cd3954a8be53f43040a9d7e46432447e7d0430e6a42bdb5e5
+  metadata.gz: 3e270c262f3583202ba31f4a58bbe06d292123903581a90b39bba351f434f81c4fd32c723e9abad6853cedb0d4a727409118828ddc037c92e9267a9a475a76d2
+  data.tar.gz: 69a4b0158995ef8029d72c635e0cccd5781be910468ee77e65016a73038727066eb2c0a465cbb9c7869238bbc7cd5ebbaff1b94a107b15fe9e512e77684f8485

data/lib/sqreen.rb CHANGED

@@ -7,7 +7,6 @@ require 'sqreen/runner'
 require 'sqreen/callbacks'
 require 'sqreen/version'
 require 'sqreen/log'
-require 'sqreen/stats'
 require 'sqreen/exception'
 require 'sqreen/configuration'
 require 'sqreen/events/attack'

data/lib/sqreen/callback_tree.rb CHANGED

@@ -19,50 +19,68 @@ module Sqreen
       @by_class[cb.klass] = {} unless @by_class[cb.klass]
       cb_klass = @by_class[cb.klass]
-      unless cb_klass[cb.method]
-        cb_klass[cb.method] = { :pre => [], :post => [], :failing => [] }
-      end
+      cb_klass[cb.method] ||= [nil, nil, nil]
       methods = cb_klass[cb.method]
-      methods[:pre] << cb if cb.pre?
-      methods[:post] << cb if cb.post?
-      methods[:failing] << cb if cb.failing?
+      if cb.pre?
+        methods[0] ||= []
+        methods[0] << cb
+      end
+      if cb.post?
+        methods[1] ||= []
+        methods[1] << cb
+      end
+      if cb.failing?
+        methods[2] ||= []
+        methods[2] << cb
+      end
     end
     def remove(cb)
-      types = @by_class[cb.klass][cb.method]
+      by_meth = @by_class[cb.klass]
+      return unless by_meth
+      types = by_meth[cb.method]
-      types[:pre].delete cb  if cb.pre?
-      types[:post].delete cb if cb.post?
-      types[:failing].delete cb if cb.failing?
+      if cb.pre? && types[0]
+        types[0].delete(cb)
+        types[0] = nil if types[0].empty?
+      end
+      if cb.post? && types[1]
+        types[1].delete(cb)
+        types[1] = nil if types[1].empty?
+      end
+      if cb.failing? && types[2]
+        types[2].delete(cb)
+        types[2] = nil if types[2].empty?
+      end
     end
-    def get(klass, method, type = nil)
+    def get(klass, method)
       k = @by_class[klass]
       unless k
         Sqreen.log.debug { format('Error: no cb registered for class %s (%s)', klass.inspect, klass.class) }
         Sqreen.log.debug { inspect }
-        return []
+        return [nil, nil, nil]
       end
       cbs = k[method]
       unless cbs
         Sqreen.log.debug { format('Error: no cbs registered for method %s.%s', klass, method) }
         Sqreen.log.debug { inspect }
-        return []
+        return [nil, nil, nil]
       end
-      return cbs[type] unless type.nil?
-      res = Set.new
-      cbs.each_value { |v| res += v }
-      res.to_a
+      cbs
+    rescue StandardError => e
+      Sqreen.log.warn "we catched an exception getting cbs: #{e.inspect}"
+      Sqreen::RemoteException.record(e)
+      [nil, nil, nil]
     end
     def each
       @by_class.each_value do |values|
         values.each_value do |cbs|
-          cbs.each_value do |cb_ary|
+          cbs.each do |cb_ary|
+            next unless cb_ary
             cb_ary.each do |cb|
               yield cb
             end

data/lib/sqreen/callbacks.rb CHANGED

@@ -37,6 +37,7 @@ module Sqreen
     #  CB can also declare that they are whitelisted and should not be run at the moment.
     attr_reader :klass, :method
+    attr_reader :overtimeable
     def initialize(klass, method)
       @method = method
@@ -45,6 +46,7 @@ module Sqreen
       @has_pre  = respond_to? :pre
       @has_post = respond_to? :post
       @has_failing = respond_to? :failing
+      @overtimeable = false
       raise(Sqreen::Exception, 'No callback provided') unless @has_pre || @has_post || @has_failing
     end
@@ -71,7 +73,7 @@ module Sqreen
     def overtime!
       Sqreen.log.debug { "#{self} is overtime!" }
-      false
+      @overtimeable
     end
     def framework
@@ -81,13 +83,13 @@ module Sqreen
   # target_method, position, callback, callback class
   class DefaultCB < CB
-    def pre(_inst, *args, &_block)
+    def pre(_inst, args, _budget = nil, &_block)
       Sqreen.log.debug "<< #{@klass} #{@method} #{Thread.current}"
       Sqreen.log.debug args.join ' '
       # log params
     end
-    def post(_rv, _inst, *_args, &_block)
+    def post(_rv, _inst, _args, _budget = nil, &_block)
       # log "#{rv}"
       Sqreen.log.debug ">> #{@klass} #{@method} #{Thread.current}"
     end
@@ -101,7 +103,7 @@ module Sqreen
       @block = block
     end
-    def pre(_inst, *_args, &_block)
+    def pre(_inst, _args, _budget = nil, &_block)
       # FIXME: implement this removal
       @remove_me = true
       @block.call

data/lib/sqreen/conditionable.rb CHANGED

@@ -26,19 +26,19 @@ module Sqreen
     end
     def pre_with_conditions(inst, *args, &block)
-      eargs = [binding, framework, inst, args, @data, nil]
+      eargs = [nil, framework, inst, args, @data, nil]
       return nil if !pre_conditions.nil? && !pre_conditions.evaluate(*eargs)
       pre_without_conditions(inst, *args, &block)
     end
     def post_with_conditions(rv, inst, *args, &block)
-      eargs = [binding, framework, inst, args, @data, rv]
+      eargs = [nil, framework, inst, args, @data, rv]
       return nil if !post_conditions.nil? && !post_conditions.evaluate(*eargs)
       post_without_conditions(rv, inst, *args, &block)
     end
     def failing_with_conditions(rv, inst, *args, &block)
-      eargs = [binding, framework, inst, args, @data, rv]
+      eargs = [nil, framework, inst, args, @data, rv]
       return nil if !failing_conditions.nil? && !failing_conditions.evaluate(*eargs)
       failing_without_conditions(rv, inst, *args, &block)
     end

data/lib/sqreen/frameworks/generic.rb CHANGED

@@ -234,6 +234,7 @@ module Sqreen
         SharedStorage.set(:request, Rack::Request.new(object))
         SharedStorage.inc(:stored_requests)
         SharedStorage.set(:xss_params, nil)
+        SharedStorage.set(:whitelisted, nil)
         SharedStorage.set(:request_overtime, nil)
       end
@@ -250,6 +251,7 @@ module Sqreen
         self.remaining_perf_budget = nil
         SharedStorage.set(:request, nil)
         SharedStorage.set(:xss_params, nil)
+        SharedStorage.set(:whitelisted, nil)
         SharedStorage.set(:request_overtime, nil)
       end
@@ -338,14 +340,13 @@ module Sqreen
         Dir.getwd
       end
-      WHITELIST_KEY = 'sqreen.whitelisted_request'.freeze
       # Return the current item that whitelist this request
       # returns nil if request is not whitelisted
       def whitelisted_match
         return nil unless request
-        return request.env[WHITELIST_KEY] if request.env.key?(WHITELIST_KEY)
-        request.env[WHITELIST_KEY] = whitelisted_ip || whitelisted_path
+        whitelisted = whitelisted_ip || whitelisted_path
+        SharedStorage.set(:whitelisted, !whitelisted.nil?)
+        whitelisted
       end
       # Returns the current path that whitelist the request
@@ -369,21 +370,40 @@ module Sqreen
         request.env['REMOTE_ADDR']
       end
-      def xss_params(regexp = nil)
-        p = SharedStorage.get(:xss_params)
-        return p unless p.nil?
-        p = request_params
-        parm = Set.new
-        each_key_value_for_hash(p) do |value|
-          next unless value.is_a?(String)
-          next if value.size < 5
-          next if regexp && !regexp.match(value)
-          parm << value
+      if Regexp.new('').respond_to?(:match?)
+        def xss_params(regexp = nil)
+          p = SharedStorage.get(:xss_params)
+          return p unless p.nil?
+          p = request_params
+          parm = Set.new
+          each_key_value_for_hash(p) do |value|
+            next unless value.is_a?(String)
+            next if value.size < 5
+            next if regexp && !regexp.match?(value)
+            parm << value
+          end
+          p = parm.to_a
+          Sqreen.log.debug { "Filtered XSS params: #{p.inspect}" }
+          SharedStorage.set(:xss_params, p)
+          p
+        end
+      else
+        def xss_params(regexp = nil)
+          p = SharedStorage.get(:xss_params)
+          return p unless p.nil?
+          p = request_params
+          parm = Set.new
+          each_key_value_for_hash(p) do |value|
+            next unless value.is_a?(String)
+            next if value.size < 5
+            next if regexp && !regexp.match(value)
+            parm << value
+          end
+          p = parm.to_a
+          Sqreen.log.debug { "Filtered XSS params: #{p.inspect}" }
+          SharedStorage.set(:xss_params, p)
+          p
         end
-        p = parm.to_a
-        Sqreen.log.debug { "Filtered XSS params: #{p.inspect}" }
-        SharedStorage.set(:xss_params, p)
-        p
       end
       protected

data/lib/sqreen/frameworks/request_recorder.rb CHANGED

@@ -47,8 +47,6 @@ module Sqreen
     end
     def close_request_record(queue, observations_queue, payload_creator)
-      Sqreen::PerformanceNotifications::LogPerformance.next_request
-      Sqreen::PerformanceNotifications::NewRelic.next_request
       clean_request_record if observed_items.nil?
       if only_metric_observation
         push_metrics(observations_queue, queue)

data/lib/sqreen/instrumentation.rb CHANGED

@@ -3,12 +3,13 @@
 require 'sqreen/callback_tree'
 require 'sqreen/log'
-require 'sqreen/stats'
 require 'sqreen/exception'
 require 'sqreen/performance_notifications'
 require 'sqreen/call_countable'
 require 'sqreen/events/remote_exception'
 require 'sqreen/rules_signature'
+require 'sqreen/shared_storage'
+require 'sqreen/rules_callbacks/record_request_context'
 require 'set'
 # How to override a class method:
@@ -33,13 +34,16 @@ require 'set'
 module Sqreen
   class Instrumentation
-    WHITELISTED_METRIC='whitelisted'.freeze
-    OVERTIME_METRIC='request_overtime'.freeze
+    OVERTIME_METRIC = 'request_overtime'.freeze
+    MGMT_COST = 0.000025
     @@override_semaphore = Mutex.new
+    @@overriden_singleton_methods = false
     ## Overriden methods and callbacks globals
     @@overriden_methods = []
     @@registered_callbacks = CBTree.new
+    @@unovertimable_hookpoints = Set.new
+    @@record_request_hookpoints = Set.new
     @@instrumented_pid = nil
     def self.semaphore
@@ -57,33 +61,29 @@ module Sqreen
     def self.overriden
       @@overriden_methods
     end
-    def self.callback_wrapper_pre(klass, method, instance, *args, &block)
-      Instrumentation.guard_call(method, []) do
-        callbacks = @@registered_callbacks.get(klass, method, :pre)
-        if callbacks.any?(&:whitelisted?)
-          callbacks = callbacks.reject(&:whitelisted?)
-        end
-        cb_with_framework = callbacks.find(&:framework)
-        budget = nil
-        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
+    def self.callback_wrapper_pre(callbacks, framework, budget, _klass, method, instance, args, &block)
+      all_start = Sqreen::PerformanceNotifications.time
+      #Instrumentation.guard_call(method, []) do
         returns = []
         callbacks.each do |cb|
           # If record_request is part of callbacks we should filter after it ran
           next if cb.whitelisted?
           rule = cb.rule_name if cb.respond_to?(:rule_name)
-          if !budget.nil? && budget <= 0
-            next if cb.overtime!
+          if budget && budget <= 0.0
+            next if cb.overtimeable
           end
           Sqreen.log.debug { "running pre cb #{cb}" }
           begin
             start = Sqreen::PerformanceNotifications.time
-            res = cb.send(:pre, instance, *args, &block)
+            res = cb.pre(instance, args, budget, &block)
             stop = Sqreen::PerformanceNotifications.time
             # The first few pre callbacks could not have a request & hence a budget just yet so we try harder to find it
-            budget = cb_with_framework.framework.remaining_perf_budget if budget.nil? && !Sqreen.performance_budget.nil? && cb.framework
-            budget -= (stop - start) unless budget.nil?
+            budget = framework.remaining_perf_budget if framework && !budget && Sqreen.performance_budget
+            if budget
+              budget -= (stop - start)
+              cb.overtime! if budget <= 0.0
+            end
+            all_start += (stop - start)
             if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
               Sqreen.log.debug do
                 "#{cb} cannot block, overriding return value"
@@ -94,7 +94,7 @@ module Sqreen
             end
             returns << res
           rescue StandardError => e
-            Sqreen.log.warn "we catch an exception: #{e.inspect}"
+            Sqreen.log.warn { "we catch an exception: #{e.inspect}" }
             Sqreen.log.debug e.backtrace
             if cb.respond_to?(:record_exception)
               cb.record_exception(e)
@@ -105,36 +105,37 @@ module Sqreen
           end
           Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/pre", start, stop)
         end
-        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil?
+        all_stop = Sqreen::PerformanceNotifications.time
+        framework.remaining_perf_budget = budget - (all_stop - all_start) - MGMT_COST * callbacks.size if framework && budget
+        Sqreen::PerformanceNotifications.notify('Callbacks/hooks_pre/pre', all_start, all_stop)
         returns
-      end
+      #end
     rescue StandardError => e
-      Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
+      Sqreen.log.warn { "we catched an exception between cbs: #{e.inspect}" }
       Sqreen::RemoteException.record(e)
+      []
     end
-    def self.callback_wrapper_post(klass, method, return_val, instance, *args, &block)
-      Instrumentation.guard_call(method, []) do
-        callbacks = @@registered_callbacks.get(klass, method, :post)
-        if callbacks.any?(&:whitelisted?)
-          callbacks = callbacks.reject(&:whitelisted?)
-        end
-        cb_with_framework = callbacks.find(&:framework)
-        budget = nil
-        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
+    def self.callback_wrapper_post(callbacks, framework, budget, _klass, method, return_val, instance, args, &block)
+      all_start = Sqreen::PerformanceNotifications.time
+      #Instrumentation.guard_call(method, []) do
         returns = []
         callbacks.reverse_each do |cb|
+          next if cb.whitelisted?
           rule = cb.rule_name if cb.respond_to?(:rule_name)
-          if !budget.nil? && budget <= 0
-            next if cb.overtime!
+          if budget && budget <= 0.0
+            next if cb.overtimeable
           end
           Sqreen.log.debug { "running post cb #{cb}" }
           begin
             start = Sqreen::PerformanceNotifications.time
-            res = cb.send(:post, return_val, instance, *args, &block)
+            res = cb.post(return_val, instance, args, budget, &block)
             stop = Sqreen::PerformanceNotifications.time
-            budget -= (stop - start) unless budget.nil?
+            if budget
+              budget -= (stop - start)
+              cb.overtime! if budget <= 0.0
+            end
+            all_start += (stop - start)
             if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
               Sqreen.log.debug do
                 "#{cb} cannot block, overriding return value"
@@ -144,8 +145,8 @@ module Sqreen
               res[:rule_name] = rule
             end
             returns << res
-          rescue => e
-            Sqreen.log.warn "we catch an exception: #{e.inspect}"
+          rescue StandardError => e
+            Sqreen.log.warn { "we catch an exception: #{e.inspect}" }
             Sqreen.log.debug e.backtrace
             if cb.respond_to?(:record_exception)
               cb.record_exception(e)
@@ -156,36 +157,39 @@ module Sqreen
           end
           Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/post", start, stop)
         end
-        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil? && !cb_with_framework.framework.remaining_perf_budget.nil?
+        all_stop = Sqreen::PerformanceNotifications.time
+        if framework && budget && framework.remaining_perf_budget
+          framework.remaining_perf_budget = budget - (all_stop - all_start) - MGMT_COST * callbacks.size
+        end
+        Sqreen::PerformanceNotifications.notify('Callbacks/hooks_post/post', all_start, all_stop)
         returns
-      end
+      #end
     rescue StandardError => e
-      Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
+      Sqreen.log.warn { "we catched an exception between cbs: #{e.inspect}" }
       Sqreen::RemoteException.record(e)
+      []
     end
-    def self.callback_wrapper_failing(exception, klass, method, instance, *args, &block)
-      Instrumentation.guard_call(method, []) do
-        callbacks = @@registered_callbacks.get(klass, method, :failing)
-        if callbacks.any?(&:whitelisted?)
-          callbacks = callbacks.reject(&:whitelisted?)
-        end
-        cb_with_framework = callbacks.find(&:framework)
-        budget = nil
-        budget = cb_with_framework.framework.remaining_perf_budget if cb_with_framework
+    def self.callback_wrapper_failing(callbacks, framework, budget, exception, _klass, method, instance, args, &block)
+      all_start = Sqreen::PerformanceNotifications.time
+      #Instrumentation.guard_call(method, []) do
         returns = []
         callbacks.each do |cb|
+          next if cb.whitelisted?
           rule = cb.rule_name if cb.respond_to?(:rule_name)
-          if !budget.nil? && budget <= 0
-            next if cb.overtime!
+          if budget && budget <= 0.0
+            next if cb.overtimeable
           end
           Sqreen.log.debug { "running failing cb #{cb}" }
           begin
             start = Sqreen::PerformanceNotifications.time
-            res = cb.send(:failing, exception, instance, *args, &block)
+            res = cb.failing(exception, instance, args, budget, &block)
             stop = Sqreen::PerformanceNotifications.time
-            budget -= (stop - start) unless budget.nil?
+            if budget
+              budget -= (stop - start)
+              cb.overtime! if budget <= 0.0
+            end
+            all_start += (stop - start)
             if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
               Sqreen.log.debug do
                 "#{cb} cannot block, overriding return value"
@@ -195,9 +199,9 @@ module Sqreen
               res[:rule_name] = rule
             end
             returns << res
-          rescue => e
-            Sqreen.log.warn "we catch an exception: #{e.inspect}"
-            Sqreen.log.debug e.backtrace
+          rescue StandardError => e
+            Sqreen.log.warn { "we catch an exception: #{e.inspect}" }
+            Sqreen.log.debug { e.backtrace }
             if cb.respond_to?(:record_exception)
               cb.record_exception(e)
             else
@@ -207,24 +211,27 @@ module Sqreen
           end
           Sqreen::PerformanceNotifications.notify("Callbacks/#{rule || cb.class.name}/failing", start, stop)
         end
-        cb_with_framework.framework.remaining_perf_budget=budget if cb_with_framework && !budget.nil? && !cb_with_framework.framework.remaining_perf_budget.nil?
+        all_stop = Sqreen::PerformanceNotifications.time
+        if framework && budget && framework.remaining_perf_budget
+          framework.remaining_perf_budget = budget - (all_stop - all_start) - MGMT_COST * callbacks.size
+        end
+        Sqreen::PerformanceNotifications.notify('Callbacks/hooks_failing/failing', all_start, all_stop)
         returns
-      end
+     # end
     rescue StandardError => e
       Sqreen.log.warn "we catched an exception between cbs: #{e.inspect}"
       Sqreen::RemoteException.record(e)
+      []
     end
     def self.guard_multi_call(instance, method, original_method, args, block)
-      @sqreen_multi_instr ||= nil
+      return yield unless @@overriden_singleton_methods
       key = [method]
-      Instrumentation.guard_call(nil, :guard_multi_call) do
-        args.each{|e| key.push(e.object_id)}
-      end
+      args.each { |e| key.push(e.object_id) }
       if key && @sqreen_multi_instr && @sqreen_multi_instr[instance.object_id].member?(key)
         return instance.send(original_method, *args, &block)
       end
-      @sqreen_multi_instr ||= Hash.new {|h, k| h[k]=Set.new } # TODO this should probably be a thread local
+      @sqreen_multi_instr ||= Hash.new { |h, k| h[k] = Set.new } # TODO: this should probably be a thread local
       @sqreen_multi_instr[instance.object_id].add(key)
       r = yield
       return r
@@ -234,103 +241,152 @@ module Sqreen
       end
     end
-    def self.guard_call(method, retval)
-      @sqreen_in_instr ||= nil
-      return retval if @sqreen_in_instr && @sqreen_in_instr.member?(method)
-      @sqreen_in_instr ||= Set.new # TODO this should probably be a thread local
-      @sqreen_in_instr.add(method)
-      r = yield
-      @sqreen_in_instr.delete(method)
-      return r
-    rescue Exception => e
-      @sqreen_in_instr.delete(method)
-      raise e
-    end
     def self.define_callback_method(meth, original_meth, klass_name)
+      @sqreen_multi_instr ||= nil
       proc do |*args, &block|
-        if Process.pid != Instrumentation.instrumented_pid
+        budget = nil
+        skip_call = Thread.current[:sqreen_in_use]
+        begin
+          if !skip_call && Sqreen.performance_budget
+            # Not using framework here to try to get a bit more perf by not loading cbs
+            budget = Sqreen::SharedStorage.get(:performance_budget)
+            skip_call = budget && budget <= 0.0 && !@@unovertimable_hookpoints.include?([klass_name, meth])
+          end
+        rescue StandardError => e
+          Sqreen.log.warn "we catched an exception looking for overtime: #{e.inspect}"
+          Sqreen::RemoteException.record(e)
+        end
+        if !skip_call && Process.pid != Instrumentation.instrumented_pid
           Sqreen.log.debug do
             "Instrumented #{Instrumentation.instrumented_pid} != PID #{Process.pid}"
           end
-          return send(original_meth, *args, &block)
+          skip_call = true
         end
+        # If we are already overbudget let's not work at all
+        return send(original_meth, *args, &block) if skip_call
         Instrumentation.guard_multi_call(self, meth, original_meth, args, block) do
-        Sqreen.stats.callbacks_calls += 1
-        skip = false
-        result = nil
-        # pre callback
-        returns = Instrumentation.callback_wrapper_pre(klass_name,
-                                                       meth,
-                                                       self,
-                                                       *args,
-                                                       &block)
-        returns.each do |ret|
-          next unless ret.is_a? Hash
-          case ret[:status]
-          when :skip, 'skip'
-            skip = true
-            result = ret[:new_return_value] if ret.key? :new_return_value
-            next
-          when :modify_args, 'modify_args'
-            args = ret[:args]
-          when :raise, 'raise'
-            fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+          precbs, postcbs, failcbs = Instrumentation.callbacks.get(klass_name, meth)
+          Thread.current[:sqreen_in_use] = true
+          begin
+            if budget && budget <= 0.0
+              precbs = precbs.reject(&:overtimeable) if precbs
+            end
+            # We need the framework to set budget remaining time else don't look for it
+            if budget
+              cb_with_framework = nil
+              cb_with_framework = precbs.find(&:framework) if precbs
+              cb_with_framework = postcbs.find(&:framework) unless cb_with_framework || !postcbs
+              cb_with_framework = failcbs.find(&:framework) unless cb_with_framework || !failcbs
+              framework = cb_with_framework ? cb_with_framework.framework : nil
+            else
+              framework = nil
+            end
+          rescue StandardError => e
+            Sqreen.log.warn "we catched an exception looking for framework: #{e.inspect}"
+            Sqreen::RemoteException.record(e)
+            framework = nil
           end
-        end
-        return result if skip
-        begin
-          result = send(original_meth, *args, &block)
-        rescue => e
-          returns = Instrumentation.callback_wrapper_failing(e, klass_name,
-                                                             meth,
-                                                             self,
-                                                             *args,
-                                                             &block)
-          will_retry = false
-          will_raise = returns.empty?
-          returns.each do |ret|
-            will_raise = true if ret.nil?
-            next unless ret.is_a? Hash
-            case ret[:status]
-            when :override, 'override'
-              result = ret[:new_return_value] if ret.key? :new_return_value
-            when :retry, 'retry'
-              will_retry = true
-            else # :reraise, 'reraise'
-              will_raise = true
+          skip = false
+          result = nil
+          if precbs && !precbs.empty?
+            # pre callback
+            returns = Instrumentation.callback_wrapper_pre(precbs, framework,
+                                                           budget,
+                                                           klass_name,
+                                                           meth,
+                                                           self,
+                                                           args,
+                                                           &block)
+            returns.each do |ret|
+              next unless ret.is_a? Hash
+              case ret[:status]
+              when :skip, 'skip'
+                skip = true
+                result = ret[:new_return_value] if ret.key? :new_return_value
+                next
+              when :modify_args, 'modify_args'
+                args = ret[:args]
+              when :raise, 'raise'
+                Thread.current[:sqreen_in_use] = false
+                raise Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+              end
             end
           end
-          raise e if will_raise
-          retry if will_retry
-          result
-        else
-          # post callback
-          returns = Instrumentation.callback_wrapper_post(klass_name,
-                                                          meth,
-                                                          result,
-                                                          self,
-                                                          *args,
-                                                          &block)
-          returns.each do |ret|
-            next unless ret.is_a? Hash
-            case ret[:status]
-            when :raise, 'raise'
-              fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
-            when :override, 'override'
-              result = ret[:new_return_value]
-            else
-              next
+          Thread.current[:sqreen_in_use] = false
+          return result if skip
+          begin
+            result = send(original_meth, *args, &block)
+          rescue StandardError => e
+            Thread.current[:sqreen_in_use] = true
+            budget = Sqreen.performance_budget && framework && framework.remaining_perf_budget
+            failcbs = failcbs.reject(&:overtimeable) if failcbs && budget && budget <= 0.0
+            raise e unless failcbs && !failcbs.empty?
+            returns = Instrumentation.callback_wrapper_failing(failcbs,
+                                                               framework,
+                                                               budget,
+                                                               e,
+                                                               klass_name,
+                                                               meth,
+                                                               self,
+                                                               args,
+                                                               &block)
+            will_retry = false
+            will_raise = returns.empty?
+            returns.each do |ret|
+              will_raise = true if ret.nil?
+              next unless ret.is_a? Hash
+              case ret[:status]
+              when :override, 'override'
+                result = ret[:new_return_value] if ret.key? :new_return_value
+              when :retry, 'retry'
+                will_retry = true
+              else # :reraise, 'reraise'
+                will_raise = true
+              end
+            end
+            raise e if will_raise
+            retry if will_retry
+            result
+          else
+            Thread.current[:sqreen_in_use] = true
+            budget = Sqreen.performance_budget && framework && framework.remaining_perf_budget
+            postcbs = postcbs.reject(&:overtimeable) if postcbs && budget && budget <= 0.0
+            return result unless postcbs && !postcbs.empty?
+            # post callback
+            returns = Instrumentation.callback_wrapper_post(postcbs,
+                                                            framework,
+                                                            budget,
+                                                            klass_name,
+                                                            meth,
+                                                            result,
+                                                            self,
+                                                            args,
+                                                            &block)
+            returns.each do |ret|
+              next unless ret.is_a? Hash
+              case ret[:status]
+              when :raise, 'raise'
+                raise Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+              when :override, 'override'
+                result = ret[:new_return_value]
+              else
+                next
+              end
             end
+            result
+          ensure
+            if @@record_request_hookpoints.include?([klass_name, meth]) && Sqreen::PerformanceNotifications.listen_for?
+              Sqreen::PerformanceNotifications.instrument('Callbacks/hooks_reporting/pre') do
+                Sqreen::PerformanceNotifications::LogPerformance.next_request
+                Sqreen::PerformanceNotifications::NewRelic.next_request
+              end
+            end
+            Thread.current[:sqreen_in_use] = false
           end
-          result
         end
       end
-      end
     end
     def override_class_method(klass, meth)
@@ -372,12 +428,11 @@ module Sqreen
       method_kind = nil
       obj.class_eval do
         # Note: As a lambda the following will crash ruby 2.2.3p173
-        case
-        when public_method_defined?(meth)
+        if public_method_defined?(meth)
           method_kind = :public
-        when protected_method_defined?(meth)
+        elsif protected_method_defined?(meth)
           method_kind = :protected
-        when private_method_defined?(meth)
+        elsif private_method_defined?(meth)
           method_kind = :private
         end
         alias_method meth, saved_meth_name
@@ -385,7 +440,7 @@ module Sqreen
       end
     end
-    def get_saved_method_name(meth, suffix=nil)
+    def get_saved_method_name(meth, suffix = nil)
       "#{meth}_sq#{suffix}_not_modified".to_sym
     end
@@ -401,12 +456,11 @@ module Sqreen
         define_method(new_method, p)
-        case
-        when public_method_defined?(meth)
+        if public_method_defined?(meth)
           method_kind = :public
-        when protected_method_defined?(meth)
+        elsif protected_method_defined?(meth)
           method_kind = :protected
-        when private_method_defined?(meth)
+        elsif private_method_defined?(meth)
           method_kind = :private
         end
         alias_method meth, new_method
@@ -465,6 +519,7 @@ module Sqreen
     # Override a singleton method on an instance
     def override_singleton_method(instance, klass_name, meth)
+      @@overriden_singleton_methods = true
       saved_meth_name = get_saved_method_name(meth, 'singleton')
       if instance.respond_to?(saved_meth_name, true)
         Sqreen.log.debug { "#{saved_meth_name} found #{instance.class}##{instance.object_id} already instrumented" }
@@ -533,6 +588,8 @@ module Sqreen
         end
         @@registered_callbacks.add(cb)
+        @@unovertimable_hookpoints << key unless cb.overtimeable
+        @@record_request_hookpoints << key if cb.is_a?(Sqreen::Rules::RecordRequestContext)
         @@instrumented_pid = Process.pid
       end
     end
@@ -555,7 +612,7 @@ module Sqreen
         return
       end
-      defined_cbs = @@registered_callbacks.get(klass, method)
+      defined_cbs = @@registered_callbacks.get(klass, method).flatten
       nb_removed = 0
       defined_cbs.each do |found_cb|
@@ -607,7 +664,7 @@ module Sqreen
     # @param metrics_engine [MetricsStore] Metric storage facility
     def instrument!(rules, framework)
       verifier = nil
-      if Sqreen.features['rules_signature']         &&
+      if Sqreen.features['rules_signature'] &&
          Sqreen.config_get(:rules_verify_signature) == true &&
          !defined?(::JRUBY_VERSION)
         verifier = Sqreen::SqreenSignedVerifier.new
@@ -630,7 +687,7 @@ module Sqreen
       metrics_engine.create_metric('name' => CallCountable::COUNT_CALLS,
                                    'period' => 60,
                                    'kind' => 'Sum')
-      metrics_engine.create_metric('name' => WHITELISTED_METRIC,
+      metrics_engine.create_metric('name' => Sqreen::Rules::RecordRequestContext::WHITELISTED_METRIC,
                                    'period' => 60,
                                    'kind' => 'Sum')
       metrics_engine.create_metric('name' => OVERTIME_METRIC,