RubyGems - sqreen - Versions diffs - 1.13.4 → 1.14.0.beta1 - Mend

sqreen 1.13.4 → 1.14.0.beta1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/sqreen/js/execjs_adapter.rb +25 -0
data/lib/sqreen/js/js_service.rb +133 -0
data/lib/sqreen/js/mini_racer_adapter.rb +118 -0
data/lib/sqreen/rules.rb +11 -0
data/lib/sqreen/rules_callbacks/execjs.rb +144 -204
data/lib/sqreen/rules_callbacks/execjs_old.rb +315 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +5 -1
data/lib/sqreen/version.rb +1 -1
metadata +9 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67667de7c101298b439e12b54ab0a2572dce27cec1e60237e9baa54b2f3791fb
-  data.tar.gz: b689401bd7b0bc4731d93a511e458f1aec7bd0257c7f318090278962597be245
+  metadata.gz: be5e0fc0157660b4143e23279952f83b846a5c85b922b6bcdb6740f88ec1a6b1
+  data.tar.gz: 3b07af02a64839b8028d783831c42f7a46af9faeaed32d535ad7092ca1e667ee
 SHA512:
-  metadata.gz: c2b627b8d752c78eb16a9a0a9ea050b0bf6c59b2a99dd86568c30d8926bf10d60f9ebc62ee241267c187c47f2621bae275f5bcce7ffb15779ae42570df61de51
-  data.tar.gz: c272f746230f351ce74f3fd6d7b7118cf4dcebf0f6f0fc5a38a64cedbfbfee07f21c9d5f577d1c36a9b8264b4bbb92d06ea99cd9776ff47a35415f6f5791e2f0
+  metadata.gz: 8a5cae395aa6f18212e296675641be3f8e55237b808346deed258496b8eb6597323146702cd2e34531c6154e8faee6d974610e3a054069ef815b915f97c32950
+  data.tar.gz: cf0e72d2bf2e976bed8e29dd3f3c9f1c718efdc55490745e550e5163ea16f33e7bccee3e9169944bd669d1d6a4ab679ecf705ca22febfbb0ebd07a21702ffc9b

data/lib/sqreen/js/execjs_adapter.rb ADDED Viewed

@@ -0,0 +1,25 @@
+require 'execjs'
+module Sqreen
+  module Js
+    class ExecjsAdapter < JsServiceAdapter
+      def preprocess(_rule_name, code)
+        ExecJsRunnable.new(ExecJS.compile(code))
+      end
+      def variant_name
+        ExecJS.runtime.name + ' (ExecJS)'
+      end
+    end
+    class ExecJsRunnable < ExecutableJs
+      def initialize(compiled)
+        @compiled = compiled
+      end
+      def run_js_cb(cbname, _budget, arguments)
+        @compiled.call(cbname, *arguments)
+      end
+    end
+  end
+end

data/lib/sqreen/js/js_service.rb ADDED Viewed

@@ -0,0 +1,133 @@
+require 'sqreen/exception'
+module Sqreen
+  module Js
+    # start public interface
+    class JsService
+      include Singleton
+      def initialize
+        detect_adapter
+      end
+      # @return [Sqreen::Js::ExecutableJs]
+      def prepare(rule_name, code)
+        raise 'Not online' unless online?
+        @adapter.preprocess(rule_name, code)
+      end
+      def online?
+        @online
+      end
+      def variant
+        @adapter.variant_name
+      end
+      private
+      def detect_adapter
+        if Sqreen.features['isolated_mini_racer'] || ENV['SQREEN_FORCE_SQ_MINI_RACER']
+          @online = try_sq_mini_racer
+        else
+          @online = try_mini_racer || try_rhino || try_therubyracer
+        end
+        Sqreen.log.info "JS engine online: #{variant}" if @online
+      end
+      def try_mini_racer
+        gem = Gem.loaded_specs['mini_racer']
+        unless gem
+          Sqreen.log.info "mini_racer gem not detected"
+          return false
+        end
+        unless gem.version >= Gem::Version.create('0.1.15') &&
+            gem.version < Gem::Version.create('2.0')
+          Sqreen.log.warn 'mini_racer won\'t be used because its version is' \
+              "#{gem.version}; not >= 0.1.15, < 2.0"
+          return false
+        end
+        require 'mini_racer'
+        require 'sqreen/js/mini_racer_adapter'
+        @adapter = MiniRacerAdapter.new
+      rescue LoadError => e
+        Sqreen.log.warn "Failed loading mini_racer: #{e}"
+        false
+      end
+      def try_sq_mini_racer
+        gem = Gem.loaded_specs['sq_mini_racer']
+        unless gem
+          Sqreen.log.info "sq_mini_racer gem not detected"
+          return false
+        end
+        require 'sqreen/mini_racer'
+        require 'sqreen/js/mini_racer_adapter'
+        @adapter = MiniRacerAdapter.new(true)
+      rescue LoadError => e
+        Sqreen.log.warn "Failed loading sq_mini_racer: #{e}"
+        false
+      end
+      def try_rhino
+        gem = Gem.loaded_specs['therubyrhino']
+        unless gem
+          Sqreen.log.info "therubyrhino gem not detected"
+          return false
+        end
+        require 'rhino'
+        require 'sqreen/js/execjs_adapter'
+        @adapter = ExecjsAdapter.new
+      rescue LoadError => e
+        Sqreen.log.warn "Failed loading rhino: #{e}"
+        false
+      end
+      def try_therubyracer
+        gem = Gem.loaded_specs['therubyracer']
+        unless gem
+          Sqreen.log.info "therubyracer gem not detected"
+          return false
+        end
+        unless gem.version >= Gem::Version.create('0.12.1')
+          Sqreen.log.warn 'therubyracer won\'t be used because its version is ' \
+              "#{gem.version}; not >= 0.12.1"
+          return false
+        end
+        require 'therubyracer'
+        require 'sqreen/js/execjs_adapter'
+        @adapter = ExecjsAdapter.new
+      rescue LoadError => e
+        Sqreen.log.warn "Failed loading therubyracer: #{e}"
+        false
+      end
+    end
+    CallContext = Struct.new(:inst, :args, :rv)
+    class ExecutableJs
+      def run_js_cb(_cb_name, _budget, _arguments)
+        raise Sqreen::NotImplementedYet
+      end
+    end
+    # end public interface
+    class JsServiceAdapter
+      def preprocess(code)
+        raise Sqreen::NotImplementedYet
+      end
+      def variant_name
+        'unspecified'
+      end
+    end
+  end
+end

data/lib/sqreen/js/mini_racer_adapter.rb ADDED Viewed

@@ -0,0 +1,118 @@
+require 'weakref'
+module Sqreen
+  module Js
+    GC_MINI_RACER = 10_000
+    class MiniRacerAdapter < JsServiceAdapter
+      def initialize(vendored = false)
+        @vendored = vendored
+      end
+      def preprocess(_rule_name, code)
+        MiniRacerExecutableJs.new(code, @vendored)
+      end
+      def variant_name
+        @vendored ? 'sq_mini_racer' : 'mini_racer'
+      end
+    end
+    # Auxiliary classes
+    class MiniRacerExecutableJs < ExecutableJs
+      @@ctx_defined = false
+      def initialize(source, vendored)
+        @module = vendored ? Sqreen::MiniRacer : MiniRacer
+        @source = source
+        @recycle_runtime_every = GC_MINI_RACER
+        @snapshot = @module::Snapshot.new(source)
+        @runtimes = []
+        @tl_key = "SQREEN_MINI_RACER_CONTEXT_#{object_id}".freeze
+        unless @@ctx_defined
+          self.class.define_sqreen_context(@module)
+          @@ctx_defined = true
+        end
+      end
+      def run_js_cb(cb_name, budget, arguments)
+        mini_racer_context = Thread.current[@tl_key]
+        dead_runtime = !mini_racer_context ||
+            !mini_racer_context[:r] || !mini_racer_context[:r].weakref_alive?
+        if !dead_runtime && mini_racer_context[:c] >= @recycle_runtime_every
+          dispose_runtime(mini_racer_context[:r])
+          dead_runtime = true
+        end
+        if dead_runtime
+          new_runtime = SqreenContext.new(:snapshot => @snapshot)
+          push_runtime new_runtime
+          mini_racer_context = {
+              :c => 0,
+              :r => WeakCtx.new(new_runtime),
+          }
+          Thread.current[@tl_key] = mini_racer_context
+        end
+        mini_racer_context[:c] += 1
+        begin
+          mini_racer_context[:r].eval_unsafe(
+              "#{cb_name}.apply(this, #{::JSON.generate(arguments)})", nil, budget)
+        rescue @module::ScriptTerminatedError
+          nil
+        end
+      end
+      private
+      def push_runtime(runtime)
+        @runtimes.delete_if do |th, runt, _thid|
+          del = th.nil? || !th.weakref_alive? || !th.alive?
+          runt.dispose if del
+          del
+        end
+        @runtimes.push [WeakRef.new(Thread.current), runtime, Thread.current.object_id]
+      end
+      def dispose_runtime(runtime)
+        @runtimes.delete_if { |_th, _runt, thid| thid == Thread.current.object_id }
+        runtime.dispose
+      end
+      class << self
+        def define_sqreen_context(modoole)
+          # Context specialized for Sqreen usage
+          Sqreen::Js.const_set 'SqreenContext', Class.new(modoole.const_get('Context'))
+          SqreenContext.class_eval do
+            def eval_unsafe(str, filename = nil, timeoutv = nil)
+              # Beware, timeout could be kept in the context
+              # if perf cap is removed after having been activated
+              # As it's unused by execjscb we are not cleaning it
+              return super(str, filename) if timeoutv.nil?
+              return if timeoutv <= 0.0
+              timeoutv *= 1000 # Timeout are currently expressed in seconds
+              @timeout = timeoutv
+              @eval_thread = Thread.current
+              timeout do
+                super(str, filename)
+              end
+            end
+          end
+        end
+      end
+    end
+    # Weak ref to a context
+    # enables us to skip a method missing call
+    class WeakCtx < WeakRef
+      def initialize(*args)
+        super(*args)
+      end
+      def eval_unsafe(str, filename, timeoutv)
+        __getobj__.eval_unsafe(str, filename, timeoutv)
+      end
+    end
+  end
+end

data/lib/sqreen/rules.rb CHANGED Viewed

@@ -75,6 +75,17 @@ module Sqreen
       cb_class = nil
       js = hash_rule[Attrs::CALLBACKS]
+      if js && !Sqreen::Js::JsService.instance.online?
+        unless @@issue_nojs_warn
+          @@issue_nojs_warn = true
+          Sqreen.log.warn('No JavaScript engine is available. ' \
+              'JavaScript callbacks will be ignored')
+        end
+        Sqreen.log.info("Ignoring JS callback #{rule_name}")
+        return nil
+      end
       cb_class = ExecJSCB if js
       if cbname && Rules.const_defined?(cbname)

data/lib/sqreen/rules_callbacks/execjs.rb CHANGED Viewed

@@ -1,22 +1,8 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
-if defined?(::JRUBY_VERSION)
-  require 'rhino'
-  SQREEN_MINI_RACER = false
-else
-  begin
-    require 'mini_racer'
-    SQREEN_MINI_RACER = true
-    GC_MINI_RACER = 10_000
-  rescue LoadError
-    require 'therubyracer'
-    SQREEN_MINI_RACER = false
-  end
-end
-require 'weakref'
-require 'execjs'
+require 'sqreen/js/js_service'
 require 'sqreen/rule_attributes'
 require 'sqreen/rule_callback'
@@ -25,64 +11,30 @@ require 'sqreen/binding_accessor'
 require 'sqreen/events/remote_exception'
 module Sqreen
-  if SQREEN_MINI_RACER
-    # Context specialized for Sqreen usage
-    class SqreenContext < MiniRacer::Context
-      def eval_unsafe(str, filename = nil, timeoutv = nil)
-        # Beware, timeout could be kept in the context
-        # if perf cap is removed after having been activated
-        # As it's unused by execjscb we are not cleaning it
-        return super(str, filename) if timeoutv.nil?
-        return if timeoutv <= 0.0
-        timeoutv *= 1000 # Timeout are currently expressed in seconds
-        @timeout = timeoutv
-        @eval_thread = Thread.current
-        timeout do
-          super(str, filename)
-        end
-      end
-    end
-    # Weak ref to a context
-    # enables us to skip a method missing call
-    class WeakCtx < WeakRef
-      def initialize(*args)
-        super(*args)
-      end
-      def eval_unsafe(str, filename, timeoutv)
-        __getobj__.eval_unsafe(str, filename, timeoutv)
-      end
-    end
-  end
   module Rules
     # Exec js callbacks
     class ExecJSCB < RuleCB
-      attr_accessor :restrict_max_depth
-      attr_reader :runtimes
-      attr_accessor :recycle_runtime_every
+      class << self
+        # @return [Sqreen::Js::JsService]
+        def js_service
+          Sqreen::Js::JsService.instance
+        end
+      end
       def initialize(klass, method, rule_hash)
         super(klass, method, rule_hash)
         callbacks = @rule[Attrs::CALLBACKS]
         @conditions = @rule.fetch(Attrs::CONDITIONS, {})
-        if callbacks['pre'].nil? &&
-           callbacks['post'].nil? &&
-           callbacks['failing'].nil?
-          raise(Sqreen::Exception, 'no JS CB provided')
-        end
         build_runnable(callbacks)
-        @restrict_max_depth = 20
-        unless SQREEN_MINI_RACER
-          @compiled = ExecJS.compile(@source)
-          return
+        unless pre? || post? || failing?
+          raise Sqreen::Exception, 'no JS CB provided'
         end
-        @recycle_runtime_every = GC_MINI_RACER
-        @snapshot = MiniRacer::Snapshot.new(@source)
-        @runtimes = []
-        @key = "SQREEN_MINI_RACER_CONTEXT_#{object_id}".freeze
+        @executable = ExecJSCB.js_service.prepare(rule_name, @source)
+        @argument_filter = ArgumentFilter.new(rule_hash)
       end
       def pre?
@@ -100,63 +52,22 @@ module Sqreen
       def pre(inst, args, budget = nil, &_block)
         return unless pre?
-        call_callback('pre', inst, budget, args)
+        call_callback('pre', budget, inst, @cb_bas['pre'], args)
       end
       def post(rv, inst, args, budget = nil, &_block)
         return unless post?
-        call_callback('post', inst, budget, args, rv)
+        call_callback('post', budget, inst, @cb_bas['post'], args, rv)
       end
       def failing(rv, inst, args, budget = nil, &_block)
         return unless failing?
-        call_callback('failing', inst, budget, args, rv)
-      end
-      def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
-        new_obj = {}
-        insert = []
-        to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
-        until to_do.empty?
-          where, key, value, deepness = to_do.pop
-          safe_key = key.is_a?(Integer) ? key : key.to_s
-          if value.is_a?(Hash) && deepness < max_depth
-            val = {}
-            insert << [where, safe_key, val]
-            to_do += value.map { |k, v| [val, k, v, deepness + 1] }
-          elsif value.is_a?(Array) && deepness < max_depth
-            val = []
-            insert << [where, safe_key, val]
-            i = -1
-            to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
-          elsif deepness >= max_depth # if we are after max_depth don't try to filter
-            insert << [where, safe_key, value]
-          else
-            v = value.to_s
-            if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
-              case where
-              when Array
-                where << value
-              else
-                where[safe_key] = value
-              end
-            end
-          end
-        end
-        insert.reverse.each do |wh, ikey, ival|
-          case wh
-          when Array
-            wh << ival unless ival.respond_to?(:empty?) && ival.empty?
-          else
-            wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
-          end
-        end
-        new_obj
+        call_callback('failing', budget, inst, @cb_bas['failing'], args, rv)
       end
-      protected
+      private
       def record_and_continue?(ret)
         case ret
@@ -165,10 +76,10 @@ module Sqreen
         when Hash
           ret.keys.each do |k|
             ret[(begin
-                                     k.to_sym
-                                   rescue StandardError
-                                     k
-                                   end)] = ret[k] end
+              k.to_sym
+            rescue StandardError
+              k
+            end)] = ret[k] end
           record_event(ret[:record]) unless ret[:record].nil?
           unless ret['observations'].nil?
             ret['observations'].each do |obs|
@@ -182,134 +93,163 @@ module Sqreen
         end
       end
-      def push_runtime(runtime)
-        @runtimes.delete_if do |th, runt, _thid|
-          del = th.nil? || !th.weakref_alive? || !th.alive?
-          runt.dispose if del
-          del
+      def call_callback(cb_name, budget, inst, cb_ba_args, args, rv = nil)
+        arguments = cb_ba_args.map do |ba|
+           ba.resolve(binding, framework, inst, args, @data, rv)
         end
-        @runtimes.push [WeakRef.new(Thread.current), runtime, Thread.current.object_id]
-      end
+        arguments = @argument_filter.filter(cb_name, arguments)
-      def dispose_runtime(runtime)
-        @runtimes.delete_if { |_th, _runt, thid| thid == Thread.current.object_id }
-        runtime.dispose
-      end
+        ret = @executable.run_js_cb(cb_name, budget, arguments)
-      def call_callback(name, inst, budget, args, rv = nil)
-        mini_racer_context = nil
-        if SQREEN_MINI_RACER
-          mini_racer_context = Thread.current[@key]
-          dead_runtime = !mini_racer_context || !mini_racer_context[:r] || !mini_racer_context[:r].weakref_alive?
-          if !dead_runtime && mini_racer_context[:c] >= @recycle_runtime_every
-            dispose_runtime(mini_racer_context[:r])
-            dead_runtime = true
-          end
-          if dead_runtime
-            new_runtime = SqreenContext.new(:snapshot => @snapshot)
-            push_runtime new_runtime
-            mini_racer_context = {
-              :c => 0,
-              :r => WeakCtx.new(new_runtime),
-            }
-            Thread.current[@key] = mini_racer_context
-          end
-        end
-        ret = nil
-        args_override = nil
-        arguments = nil
-        while true
-          arguments = (args_override || @argument_requirements[name]).map do |accessor|
-            accessor.resolve(binding, framework, inst, args, @data, rv)
-          end
-          arguments = restrict(name, arguments) if @conditions.key?(name)
-          Sqreen.log.debug { [name, arguments].inspect }
-          if SQREEN_MINI_RACER
-            mini_racer_context[:c] += 1
-            begin
-              ret = mini_racer_context[:r].eval_unsafe("#{name}.apply(this, #{::JSON.generate(arguments)})", nil, budget)
-            rescue MiniRacer::ScriptTerminatedError
-              ret = nil
-            end
-          else
-            ret = @compiled.call(name, *arguments)
-          end
-          unless record_and_continue?(ret)
-            return nil if ret.nil?
-            return advise_action(ret[:status], ret)
-          end
-          name = ret[:call]
-          rv = ret[:data]
-          args_override = ret[:args]
-          args_override = build_accessor(args_override) if args_override
+        unless record_and_continue?(ret)
+          return nil if ret.nil?
+          return advise_action(ret[:status], ret)
         end
+        name = ret[:call]
+        rv = ret[:data]
+        new_ba_args = if ret[:args]
+                        self.class.build_accessors(ret[:args])
+                      else
+                        @cb_bas[name] || []
+                      end
+        # XXX: budgets was not subtracted from
+        call_callback(name, budget, inst, new_ba_args, args, rv)
       rescue StandardError => e
-        Sqreen.log.warn { "we catch a JScb exception: #{e.inspect}" }
+        Sqreen.log.warn { "Caught JS callback exception: #{e.inspect}" }
         Sqreen.log.debug e.backtrace
-        record_exception(e, :cb => name, :args => arguments)
+        record_exception(e, :cb => cb_name, :args => arguments)
         nil
       end
-      def each_hash_val_include(condition, depth = 10)
-        return if depth <= 0
-        condition.each do |key, values|
-          if key == ConditionEvaluator::HASH_INC_OPERATOR
-            yield values
+      def self.build_accessors(reqs)
+        reqs.map do |req|
+          BindingAccessor.new(req, true)
+        end
+      end
+      def build_runnable(callbacks)
+        @cb_bas = {}
+        @source = ''
+        @js_pre = !callbacks['pre'].nil?
+        @js_post = !callbacks['post'].nil?
+        @js_failing = !callbacks['failing'].nil?
+        callbacks.each do |name, args_or_func|
+          @source << "this['#{name.tr("'", "\\'")}'] = "
+          if args_or_func.is_a?(Array)
+            args_or_func = args_or_func.dup
+            @source << args_or_func.pop
+            @cb_bas[name] = self.class.build_accessors(args_or_func)
           else
-            values.map do |v|
-              each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
-            end
+            @source << args_or_func
+            @cb_bas[name] = []
           end
+          @source << ";\n"
         end
       end
+    end
+    class ArgumentFilter
+      MAX_DEPTH = 2
+      def initialize(rule)
+        @conditions = rule.fetch(Attrs::CONDITIONS, {})
+        build_arg_requirements rule
+      end
-      def restrict(cbname, arguments)
+      def filter(cbname, arguments)
         condition = @conditions[cbname]
-        return arguments if condition.nil? || @argument_requirements[cbname].nil?
+        return arguments if condition.nil? || @ba_expressions[cbname].nil?
         each_hash_val_include(condition) do |needle, haystack, min_length|
           # We could actually run the binding accessor expression here.
-          needed_idx = @argument_requirements[cbname].map(&:expression).index(needle)
+          needed_idx = @ba_expressions[cbname].index(needle)
           next unless needed_idx
-          haystack_idx = @argument_requirements[cbname].map(&:expression).index(haystack)
+          haystack_idx = @ba_expressions[cbname].index(haystack)
           next unless haystack_idx
-          arguments[haystack_idx] = ExecJSCB.hash_val_included(
-            arguments[needed_idx],
-            arguments[haystack_idx],
-            min_length.to_i,
-            @restrict_max_depth
+          arguments[haystack_idx] = ArgumentFilter.hash_val_included(
+              arguments[needed_idx],
+              arguments[haystack_idx],
+              min_length.to_i,
+              MAX_DEPTH
           )
         end
         arguments
       end
-      def build_accessor(reqs)
-        reqs.map do |req|
-          BindingAccessor.new(req, true)
+      def build_arg_requirements(rule)
+        @ba_expressions = {}
+        callbacks = rule[Attrs::CALLBACKS]
+        callbacks.each do |name, args_or_func|
+          next unless args_or_func.is_a?(Array)
+          args_bas = args_or_func[0..-2] unless args_or_func.empty?
+          @ba_expressions[name] =
+              ExecJSCB.build_accessors(args_bas).map(&:expression)
         end
       end
-      def build_runnable(callbacks)
-        @argument_requirements = {}
-        @source = ''
-        @js_pre = !callbacks['pre'].nil?
-        @js_post = !callbacks['post'].nil?
-        @js_failing = !callbacks['failing'].nil?
-        callbacks.each do |name, args_or_func|
-          @source << "var #{name} = "
-          if args_or_func.is_a?(Array)
-            @source << args_or_func.pop
-            @argument_requirements[name] = build_accessor(args_or_func)
+      private
+      def each_hash_val_include(condition, depth = 10)
+        return if depth <= 0
+        condition.each do |key, values|
+          if key == ConditionEvaluator::HASH_INC_OPERATOR
+            yield values
           else
-            @source << args_or_func
-            @argument_requirements[name] = []
+            values.map do |v|
+              each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
+            end
+          end
+        end
+      end
+      def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
+        new_obj = {}
+        insert = []
+        to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
+        until to_do.empty?
+          where, key, value, deepness = to_do.pop
+          safe_key = key.is_a?(Integer) ? key : key.to_s
+          if value.is_a?(Hash) && deepness < max_depth
+            val = {}
+            insert << [where, safe_key, val]
+            to_do += value.map { |k, v| [val, k, v, deepness + 1] }
+          elsif value.is_a?(Array) && deepness < max_depth
+            val = []
+            insert << [where, safe_key, val]
+            i = -1
+            to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
+          elsif deepness >= max_depth # if we are after max_depth don't try to filter
+            insert << [where, safe_key, value]
+          else
+            v = value.to_s
+            if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
+              case where
+              when Array
+                where << value
+              else
+                where[safe_key] = value
+              end
+            end
           end
-          @source << ";\n"
         end
+        insert.reverse.each do |wh, ikey, ival|
+          case wh
+          when Array
+            wh << ival unless ival.respond_to?(:empty?) && ival.empty?
+          else
+            wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
+          end
+        end
+        new_obj
       end
     end
   end
 end

data/lib/sqreen/rules_callbacks/execjs_old.rb ADDED Viewed

@@ -0,0 +1,315 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+if defined?(::JRUBY_VERSION)
+  require 'rhino'
+  SQREEN_MINI_RACER = false
+else
+  begin
+    require 'mini_racer'
+    SQREEN_MINI_RACER = true
+    GC_MINI_RACER = 10_000
+  rescue LoadError
+    require 'therubyracer'
+    SQREEN_MINI_RACER = false
+  end
+end
+require 'weakref'
+require 'execjs'
+require 'sqreen/rule_attributes'
+require 'sqreen/rule_callback'
+require 'sqreen/condition_evaluator'
+require 'sqreen/binding_accessor'
+require 'sqreen/events/remote_exception'
+module Sqreen
+  if SQREEN_MINI_RACER
+    # Context specialized for Sqreen usage
+    class SqreenContext < MiniRacer::Context
+      def eval_unsafe(str, filename = nil, timeoutv = nil)
+        # Beware, timeout could be kept in the context
+        # if perf cap is removed after having been activated
+        # As it's unused by execjscb we are not cleaning it
+        return super(str, filename) if timeoutv.nil?
+        return if timeoutv <= 0.0
+        timeoutv *= 1000 # Timeout are currently expressed in seconds
+        @timeout = timeoutv
+        @eval_thread = Thread.current
+        timeout do
+          super(str, filename)
+        end
+      end
+    end
+    # Weak ref to a context
+    # enables us to skip a method missing call
+    class WeakCtx < WeakRef
+      def initialize(*args)
+        super(*args)
+      end
+      def eval_unsafe(str, filename, timeoutv)
+        __getobj__.eval_unsafe(str, filename, timeoutv)
+      end
+    end
+  end
+  module Rules
+    # Exec js callbacks
+    class ExecJSCBOld < RuleCB
+      attr_accessor :restrict_max_depth
+      attr_reader :runtimes
+      attr_accessor :recycle_runtime_every
+      def initialize(klass, method, rule_hash)
+        super(klass, method, rule_hash)
+        callbacks = @rule[Attrs::CALLBACKS]
+        @conditions = @rule.fetch(Attrs::CONDITIONS, {})
+        if callbacks['pre'].nil? &&
+           callbacks['post'].nil? &&
+           callbacks['failing'].nil?
+          raise(Sqreen::Exception, 'no JS CB provided')
+        end
+        build_runnable(callbacks)
+        @restrict_max_depth = 20
+        unless SQREEN_MINI_RACER
+          @compiled = ExecJS.compile(@source)
+          return
+        end
+        @recycle_runtime_every = GC_MINI_RACER
+        @snapshot = MiniRacer::Snapshot.new(@source)
+        @runtimes = []
+        @key = "SQREEN_MINI_RACER_CONTEXT_#{object_id}".freeze
+      end
+      def pre?
+        @js_pre
+      end
+      def post?
+        @js_post
+      end
+      def failing?
+        @js_failing
+      end
+      def pre(inst, args, budget = nil, &_block)
+        return unless pre?
+        call_callback('pre', inst, budget, args)
+      end
+      def post(rv, inst, args, budget = nil, &_block)
+        return unless post?
+        call_callback('post', inst, budget, args, rv)
+      end
+      def failing(rv, inst, args, budget = nil, &_block)
+        return unless failing?
+        call_callback('failing', inst, budget, args, rv)
+      end
+      def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
+        new_obj = {}
+        insert = []
+        to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
+        until to_do.empty?
+          where, key, value, deepness = to_do.pop
+          safe_key = key.is_a?(Integer) ? key : key.to_s
+          if value.is_a?(Hash) && deepness < max_depth
+            val = {}
+            insert << [where, safe_key, val]
+            to_do += value.map { |k, v| [val, k, v, deepness + 1] }
+          elsif value.is_a?(Array) && deepness < max_depth
+            val = []
+            insert << [where, safe_key, val]
+            i = -1
+            to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
+          elsif deepness >= max_depth # if we are after max_depth don't try to filter
+            insert << [where, safe_key, value]
+          else
+            v = value.to_s
+            if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
+              case where
+              when Array
+                where << value
+              else
+                where[safe_key] = value
+              end
+            end
+          end
+        end
+        insert.reverse.each do |wh, ikey, ival|
+          case wh
+          when Array
+            wh << ival unless ival.respond_to?(:empty?) && ival.empty?
+          else
+            wh[ikey] = ival unless ival.respond_to?(:empty?) && ival.empty?
+          end
+        end
+        new_obj
+      end
+      protected
+      def record_and_continue?(ret)
+        case ret
+        when NilClass
+          false
+        when Hash
+          ret.keys.each do |k|
+            ret[(begin
+                                     k.to_sym
+                                   rescue StandardError
+                                     k
+                                   end)] = ret[k] end
+          record_event(ret[:record]) unless ret[:record].nil?
+          unless ret['observations'].nil?
+            ret['observations'].each do |obs|
+              obs[3] = Time.parse(obs[3]) if obs.size >= 3 && obs[3].is_a?(String)
+              record_observation(*obs)
+            end
+          end
+          !ret[:call].nil?
+        else
+          raise Sqreen::Exception, "Invalid return type #{ret.inspect}"
+        end
+      end
+      def push_runtime(runtime)
+        @runtimes.delete_if do |th, runt, _thid|
+          del = th.nil? || !th.weakref_alive? || !th.alive?
+          runt.dispose if del
+          del
+        end
+        @runtimes.push [WeakRef.new(Thread.current), runtime, Thread.current.object_id]
+      end
+      def dispose_runtime(runtime)
+        @runtimes.delete_if { |_th, _runt, thid| thid == Thread.current.object_id }
+        runtime.dispose
+      end
+      def call_callback(name, inst, budget, args, rv = nil)
+        mini_racer_context = nil
+        if SQREEN_MINI_RACER
+          mini_racer_context = Thread.current[@key]
+          dead_runtime = !mini_racer_context || !mini_racer_context[:r] || !mini_racer_context[:r].weakref_alive?
+          if !dead_runtime && mini_racer_context[:c] >= @recycle_runtime_every
+            dispose_runtime(mini_racer_context[:r])
+            dead_runtime = true
+          end
+          if dead_runtime
+            new_runtime = SqreenContext.new(:snapshot => @snapshot)
+            push_runtime new_runtime
+            mini_racer_context = {
+              :c => 0,
+              :r => WeakCtx.new(new_runtime),
+            }
+            Thread.current[@key] = mini_racer_context
+          end
+        end
+        ret = nil
+        args_override = nil
+        arguments = nil
+        while true
+          arguments = (args_override || @argument_requirements[name]).map do |accessor|
+            accessor.resolve(binding, framework, inst, args, @data, rv)
+          end
+          arguments = restrict(name, arguments) if @conditions.key?(name)
+          Sqreen.log.debug { [name, arguments].inspect }
+          if SQREEN_MINI_RACER
+            mini_racer_context[:c] += 1
+            begin
+              ret = mini_racer_context[:r].eval_unsafe("#{name}.apply(this, #{::JSON.generate(arguments)})", nil, budget)
+            rescue MiniRacer::ScriptTerminatedError
+              ret = nil
+            end
+          else
+            ret = @compiled.call(name, *arguments)
+          end
+          unless record_and_continue?(ret)
+            return nil if ret.nil?
+            return advise_action(ret[:status], ret)
+          end
+          name = ret[:call]
+          rv = ret[:data]
+          args_override = ret[:args]
+          args_override = build_accessor(args_override) if args_override
+        end
+      rescue StandardError => e
+        Sqreen.log.warn { "we catch a JScb exception: #{e.inspect}" }
+        Sqreen.log.debug e.backtrace
+        record_exception(e, :cb => name, :args => arguments)
+        nil
+      end
+      def each_hash_val_include(condition, depth = 10)
+        return if depth <= 0
+        condition.each do |key, values|
+          if key == ConditionEvaluator::HASH_INC_OPERATOR
+            yield values
+          else
+            values.map do |v|
+              each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
+            end
+          end
+        end
+      end
+      def restrict(cbname, arguments)
+        condition = @conditions[cbname]
+        return arguments if condition.nil? || @argument_requirements[cbname].nil?
+        each_hash_val_include(condition) do |needle, haystack, min_length|
+          # We could actually run the binding accessor expression here.
+          needed_idx = @argument_requirements[cbname].map(&:expression).index(needle)
+          next unless needed_idx
+          haystack_idx = @argument_requirements[cbname].map(&:expression).index(haystack)
+          next unless haystack_idx
+          arguments[haystack_idx] = ExecJSCB.hash_val_included(
+            arguments[needed_idx],
+            arguments[haystack_idx],
+            min_length.to_i,
+            @restrict_max_depth
+          )
+        end
+        arguments
+      end
+      def build_accessor(reqs)
+        reqs.map do |req|
+          BindingAccessor.new(req, true)
+        end
+      end
+      def build_runnable(callbacks)
+        @argument_requirements = {}
+        @source = ''
+        @js_pre = !callbacks['pre'].nil?
+        @js_post = !callbacks['post'].nil?
+        @js_failing = !callbacks['failing'].nil?
+        callbacks.each do |name, args_or_func|
+          @source << "var #{name} = "
+          if args_or_func.is_a?(Array)
+            @source << args_or_func.pop
+            @argument_requirements[name] = build_accessor(args_or_func)
+          else
+            @source << args_or_func
+            @argument_requirements[name] = []
+          end
+          @source << ";\n"
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/rules_callbacks/reflected_xss.rb CHANGED Viewed

@@ -122,7 +122,11 @@ module Sqreen
         if escape_html == false &&
            text.respond_to?(:include?) &&
            !text.include?('html_escape')
-          args[0].replace("Sqreen.escape_haml((#{args[0]}))")
+          if text.respond_to? :text=
+            args[0].text = "Sqreen.escape_haml((#{args[0].text}))"
+          else
+            args[0].replace("Sqreen.escape_haml((#{args[0]}))")
+          end
         end
         nil
       end

data/lib/sqreen/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.13.4'.freeze
+  VERSION = '1.14.0.beta1'.freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.13.4
+  version: 1.14.0.beta1
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-08-16 00:00:00.000000000 Z
+date: 2018-08-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs
@@ -77,6 +77,9 @@ files:
 - lib/sqreen/frameworks/sinatra.rb
 - lib/sqreen/frameworks/sqreen_test.rb
 - lib/sqreen/instrumentation.rb
+- lib/sqreen/js/execjs_adapter.rb
+- lib/sqreen/js/js_service.rb
+- lib/sqreen/js/mini_racer_adapter.rb
 - lib/sqreen/log.rb
 - lib/sqreen/metrics.rb
 - lib/sqreen/metrics/average.rb
@@ -106,6 +109,7 @@ files:
 - lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb
 - lib/sqreen/rules_callbacks/custom_error.rb
 - lib/sqreen/rules_callbacks/execjs.rb
+- lib/sqreen/rules_callbacks/execjs_old.rb
 - lib/sqreen/rules_callbacks/headers_insert.rb
 - lib/sqreen/rules_callbacks/inspect_rule.rb
 - lib/sqreen/rules_callbacks/matcher_rule.rb
@@ -142,12 +146,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 2.7.7
 signing_key:
 specification_version: 4
 summary: Sqreen Ruby agent