sqreen 1.15.8-java → 1.16.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ddd45299219e0f95f822915a78a8ccbe5852587b99e28a0bf7da177e9d71664
-  data.tar.gz: 8313462505718cb8d5a25bfc64165c95897d7dbf4f8d6cd5c3fb7ef1cb4bfb31
+  metadata.gz: fb0e9ba4508186b7cec232b310977918cdaf55cd1e677bb4322fe78d8745bfa6
+  data.tar.gz: 27ab3ed66faced88fa455ab93311b441126b8ac0b0aca1fb1512fdfe5ff7ca28
 SHA512:
-  metadata.gz: a16f2274d12e4182256ff4d865dc177c5876dbbaa15817f66a4be7cb838d4e77aaaad52b7aac26fc00aa73ecc71b9b14b4b9870ed5146b1d9b6d92677968fa00
-  data.tar.gz: 172666ac64f2e38976d103462913559684e238e85c49e9eebbedd621791300585d026891c47f8bd8accdb15f858cf6c5d8476734f656c2485c7494bc26a1a7ef
+  metadata.gz: 1db65feedb4cd304bc268132430c058b52699ac25103d8c6578b55d5269281b26f60accdc14c26fc800f30b467c81d7ea1489ee5ab8ffb92895fd7a66beee1e5
+  data.tar.gz: 05b387f696e7b1892bab723a39828fb0c5dd7b7bc691fdb7bdaa64f53cda6982c87582b536d22e60f24c6a813251a115be454882d034d1546546d46b685551db

data/Rakefile

@@ -13,6 +13,7 @@ end
 
 Rake::TestTask.new do |t|
   t.pattern = 'test/**/*.rb'
+  t.warning = false
   t.libs << 'test'
 end
 

data/lib/sqreen.rb

@@ -17,7 +17,7 @@ require 'thread'
 # Auto start the instrumentation.
 
 Sqreen.framework.on_start do |framework|
-  if RUBY_VERSION =~ /\A2\.5\.[01]\z/ && Sqreen.framework.on_pre_fork_preload?
+  if Sqreen.framework.on_pre_fork_preload?
     STDERR.puts("Avoiding launching sqreen thread pre-fork") # sqreen log unavailable
     next
   end

data/lib/sqreen/actions.rb

@@ -265,45 +265,45 @@ module Sqreen
       end
     end
 
-    # Blocks a user at the point Sqreen::identify()
-    # or Sqreen::auth_track() are called
-    class BlockUser < Base
-      self.type_name = 'block_user'
-
-      class << self
-        def actions_matching(identity_params)
-          return [] unless @idx
-          key = stringify_keys(identity_params)
-          actions = @idx[key]
-          actions || []
-        end
-
-        def index(params, action)
-          @idx ||= {}
-          users = params['users']
-          raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
-          raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+    module UserActionClass
+      def actions_matching(identity_params)
+        return [] unless @idx
+        key = stringify_keys(identity_params)
+        actions = @idx[key]
+        actions || []
+      end
 
-          users.each do |u|
-            @idx[u] ||= []
-            @idx[u] << action
-          end
+      def index(params, action)
+        @idx ||= {}
+        users = params['users']
+        raise ::Sqreen::Exception, 'nil "users" param for block_user action' if users.nil?
+        raise ::Sqreen::Exception, '"users" param must be an array' unless users.is_a? Array
+
+        users.each do |u|
+          @idx[u] ||= []
+          @idx[u] << action
         end
+      end
 
-        def clear
-          @idx = {}
-        end
+      def clear
+        @idx = {}
+      end
 
-        private
+      private
 
-        def stringify_keys(hash)
-          Hash[
-            hash.map { |k, v| [k.to_s, v] }
-          ]
-        end
+      def stringify_keys(hash)
+        Hash[
+          hash.map { |k, v| [k.to_s, v] }
+        ]
       end
+    end
 
-      # BlockUser proper definition continues
+    # Blocks a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class BlockUser < Base
+      extend UserActionClass
+
+      self.type_name = 'block_user'
 
       def initialize(id, opts, params = {})
         super(id, opts)
@@ -330,5 +330,39 @@ module Sqreen
         { 'user' => identity_params }
       end
     end
+
+    # Redirects a user at the point Sqreen::identify()
+    # or Sqreen::auth_track() are called
+    class RedirectUser < Base
+      extend UserActionClass
+
+      self.type_name = 'redirect_user'
+
+      def initialize(id, opts, params = {})
+        super(id, opts)
+        @redirect_url = params['url']
+        raise "no url provided for action #{id}" unless @redirect_url
+      end
+
+      def do_run(identity_params)
+        Sqreen.log.info 'Will request redirect for user with identity ' \
+          "#{identity_params} (action: #{id})."
+
+        e = Sqreen::AttackBlocked.new(
+          "Redirected user with identity #{identity_params} " \
+          'due to automatic security response. No action is required'
+        )
+        e.redirect_url = @redirect_url
+
+        {
+          :status => :raise,
+          :exception => e,
+        }
+      end
+
+      def event_properties(identity_params)
+        { 'user' => identity_params }
+      end
+    end
   end
 end

data/lib/sqreen/configuration.rb

@@ -35,6 +35,8 @@ module Sqreen
       :default => 'https://back.sqreen.io' },
     { :env => :SQREEN_TOKEN,     :name => :token,
       :default => nil },
+    { :env => :SQREEN_APP_NAME,  :name => :app_name,
+      :default => nil },
     { :env => :SQREEN_RULES,     :name => :local_rules,
       :default => nil },
     { :env => :SQREEN_RULES_SIGNATURE, :name => :rules_verify_signature,

data/lib/sqreen/exception.rb

@@ -28,6 +28,8 @@ module Sqreen
   # Sqreen users when watching their logs. It should not raise any concern to
   # them.
   class AttackBlocked < Exception
+    attr_accessor :redirect_url
+
     def log_message(msg)
       Sqreen.log.warn(msg)
     end

data/lib/sqreen/frameworks/generic.rb

@@ -178,6 +178,10 @@ module Sqreen
         nil
       end
 
+      def application_name
+        nil
+      end
+
       # Main entry point for sqreen.
       # launch whenever we are ready
       def on_start

data/lib/sqreen/frameworks/rails.rb

@@ -70,8 +70,11 @@ module Sqreen
       end
 
       def root
-        return nil unless @application
-        @application.root
+        Rails.application.root
+      end
+
+      def application_name
+        Rails.application.class.name.deconstantize.underscore
       end
 
       # Register a new initializer in rails to ba called when we are starting up

data/lib/sqreen/instrumentation.rb

@@ -11,7 +11,7 @@ require 'sqreen/rules_signature'
 require 'sqreen/shared_storage'
 require 'sqreen/rules_callbacks/record_request_context'
 require 'sqreen/rules_callbacks/run_req_start_actions'
-require 'sqreen/rules_callbacks/run_block_user_actions'
+require 'sqreen/rules_callbacks/run_user_actions'
 require 'sqreen/mono_time'
 require 'set'
 
@@ -706,8 +706,8 @@ module Sqreen
     def hardcoded_callbacks(framework)
       [
         Sqreen::Rules::RunReqStartActions.new(framework),
-        Sqreen::Rules::RunBlockUserActions.new(Sqreen, :identify, 0),
-        Sqreen::Rules::RunBlockUserActions.new(Sqreen, :auth_track, 1),
+        Sqreen::Rules::RunUserActions.new(Sqreen, :identify, 0),
+        Sqreen::Rules::RunUserActions.new(Sqreen, :auth_track, 1),
       ]
     end
 

data/lib/sqreen/js/mini_racer_adapter.rb

@@ -81,89 +81,6 @@ module Sqreen
       end
     end
 
-    class JsonConversion
-      class << self
-        if defined?(::JSON::Ext::Generator::State)
-          def convert_arguments(_args)
-            args = purge_dangerous_objs(_args)
-            new_state.generate(args)
-          rescue ::JSON::GeneratorError, ::Encoding::UndefinedConversionError
-            fixed_args = fixup_bad_encoding(args)
-            new_state.generate(fixed_args)
-          end
-        else
-          def convert_arguments(_args)
-            args = purge_dangerous_objs(_args)
-            args.to_json(new_state)
-          rescue ::EncodingError
-            fixed_args = fixup_bad_encoding(args)
-            fixed_args.to_json(new_state)
-          end
-        end
-
-        private
-
-        def new_state
-          ::JSON::SAFE_STATE_PROTOTYPE.dup
-        end
-
-        def fixup_bad_encoding(arg, max_depth = 100)
-          return nil if max_depth <= 0
-
-          if arg.is_a?(::Array)
-            return arg.map { |it| fixup_bad_encoding(it, max_depth - 1) }
-          end
-
-          if arg.is_a?(::Hash)
-            return ::Hash[
-              arg.map do |k, v|
-                [fixup_bad_encoding(k, max_depth - 1),
-                 fixup_bad_encoding(v, max_depth - 1)]
-              end
-            ]
-          end
-
-          return arg unless arg.is_a?(::String)
-
-          unless arg.valid_encoding?
-            return arg.dup.force_encoding(::Encoding::ISO_8859_1)
-          end
-
-          # encoding is valid if it reaches this point
-          return arg if arg.encoding == ::Encoding::UTF_8
-
-          begin
-            arg.encode(::Encoding::UTF_8)
-          rescue ::Encoding::UndefinedConversionError
-            arg.dup.force_encoding(::Encoding::ISO_8859_1)
-          end
-        end
-
-        def purge_dangerous_objs(arg, max_depth = 100)
-          return nil if max_depth <= 0
-
-          if arg.is_a?(::Array)
-            arg.map { |it| purge_dangerous_objs(it, max_depth - 1) }
-          elsif arg.is_a?(::Hash)
-            Hash[
-              arg.map do |k, v|
-                [purge_dangerous_objs(k, max_depth - 1),
-                 purge_dangerous_objs(v, max_depth - 1)]
-              end
-            ]
-          elsif arg.is_a?(::String) || arg.nil? || arg == false ||
-            arg == true || arg.is_a?(::Fixnum) || arg.is_a?(::Bignum) ||
-            arg.is_a?(::Float)
-            arg
-          elsif arg.respond_to?(:to_json)
-            arg.to_s
-          else
-            arg
-          end
-        end
-      end
-    end
-
     class MiniRacerExecutableJs < ExecutableJs
       @@ctx_defined = false
 
@@ -194,9 +111,7 @@ module Sqreen
           ctx.add_code(@code_id, @code) unless ctx.has_code?(@code_id)
 
           begin
-            json_args = JsonConversion.convert_arguments(arguments)
-            ctx.eval_unsafe(
-              "sqreen_data['#{@code_id}']['#{cb_name}'].apply(this, #{json_args})", nil, budget)
+            ctx.call("sqreen_#{@code_id}_#{cb_name}", *arguments)
           rescue @module::ScriptTerminatedError
             Sqreen.log.debug "ScriptTerminatedError/#{cb_name}"
             nil
@@ -205,7 +120,7 @@ module Sqreen
       end
 
       def self.code_id(code)
-        Digest::MD5.base64digest(code)
+        Digest::MD5.hexdigest(code)
       end
 
       private
@@ -231,6 +146,9 @@ module Sqreen
             end
 
             def add_code(code_id, code)
+              # It's important that the definition is run in its own scope (by executing it inside an anonymous function)
+              # Otherwise some auxiliary functions that the backend server sends will collide the name
+              # Because they're defined with `var`, running the definitions inside a function is enough
               eval_unsafe "(function() { #{code} })()"
               transf_global_funcs code_id
               @code_ids ||= Set.new
@@ -271,20 +189,14 @@ module Sqreen
             private
 
             def transf_global_funcs(code_id)
+              # Multiple callbacks may share the same name. In order to avoid collisions, we rename them here.
               eval_unsafe <<EOD
-                if (typeof sqreen_data === 'undefined') {
-                  sqreen_data = {};
-                }
-
-                group = {};
                 Object.keys(this).forEach(name => {
-                  if (typeof this[name] === "function") {
-                    group[name] = this[name];
+                  if (typeof this[name] === "function" && !name.startsWith("sqreen_")) {
+                    this['sqreen_#{code_id}_' + name] = this[name];
                     this[name] = undefined;
                   }
                 });
-                sqreen_data['#{code_id}'] = group
-                delete group;
 EOD
 
             end

data/lib/sqreen/middleware.rb

@@ -19,6 +19,20 @@ module Sqreen
 
     def call(env)
       @app.call(env)
+    rescue => e
+      sqreen_attack = nil
+      if e.is_a?(Sqreen::AttackBlocked)
+        sqreen_attack = e
+      elsif e.respond_to?(:original_exception) &&
+                            e.original_exception.is_a?(Sqreen::AttackBlocked)
+        sqreen_attack = e.original_exception
+      end
+
+      if sqreen_attack && sqreen_attack.redirect_url
+        return [303, { 'Location' => sqreen_attack.redirect_url }, ['']]
+      else
+        raise
+      end
     end
   end
 

data/lib/sqreen/mono_time.rb

@@ -6,6 +6,19 @@ module Sqreen
     false
   end
 
+  @has_thread_cpu_time = begin
+    Process.clock_gettime Process::CLOCK_THREAD_CPUTIME_ID
+    true
+  rescue StandardError
+    false
+  end
+
+  class << self
+    def thread_cpu_time?
+      @has_thread_cpu_time
+    end
+  end
+
   if has_mono_time
     def self.time
       Process.clock_gettime Process::CLOCK_MONOTONIC
@@ -15,4 +28,14 @@ module Sqreen
       Time.now.to_f
     end
   end
+
+  if @has_thread_cpu_time
+    def self.thread_cpu_time
+      Process.clock_gettime Process::CLOCK_THREAD_CPUTIME_ID
+    end
+  else
+    def self.thread_cpu_time
+      0
+    end
+  end
 end

data/lib/sqreen/performance_notifications/binned_metrics.rb

@@ -15,6 +15,7 @@ module Sqreen
       EVENT_REQ = 'req'.freeze # request total time
       EVENT_TOTAL_TIME = 'sq'.freeze # sqreen total overhead callback time
       EVENT_PERCENT = 'pct'.freeze # sqreen total overhead percent of time
+      EVENT_SQ_THREAD_CPU_PCT = 'sq_thread_cpu_pct'.freeze # sqreen thread cpu time
 
       # @param metrics_store [Sqreen::MetricsStore]
       def initialize(metrics_store, period, perf_metric_opts, perf_metric_percent_opts)
@@ -23,6 +24,8 @@ module Sqreen
         @subid = nil
         @perf_metric_opts = perf_metric_opts
         @perf_metric_percent_opts = perf_metric_percent_opts
+        @clock_time = Sqreen.time
+        @watcher_cpu_time = 0
       end
 
       def enable
@@ -38,6 +41,12 @@ module Sqreen
           'name' => EVENT_PERCENT, 'period' => period, 'kind' => 'Binning', 'options' => @perf_metric_percent_opts
         )
 
+        if Sqreen.thread_cpu_time?
+          metrics_store.create_metric('name' => EVENT_SQ_THREAD_CPU_PCT,
+                                      'period' => period, 'kind' => 'Binning',
+                                      'options' => @perf_metric_percent_opts)
+        end
+
         @subid = Sqreen::PerformanceNotifications.subscribe(&method(:log))
       end
 
@@ -85,6 +94,26 @@ module Sqreen
         )
       end
 
+      def finish_watcher_run
+        return unless Sqreen.thread_cpu_time?
+        new_clock_time = Sqreen.time
+        # collect observation at min 30 second intervals so it's nicely averaged
+        return if new_clock_time - @clock_time < 30.0
+
+        clock_time_before = @clock_time
+        watcher_cpu_time_before = @watcher_cpu_time
+        @clock_time = new_clock_time
+        @watcher_cpu_time = Sqreen.thread_cpu_time
+
+        clock_time_diff = @clock_time - clock_time_before
+        watcher_cpu_diff = @watcher_cpu_time - watcher_cpu_time_before
+
+        Sqreen.observations_queue.push(
+          [EVENT_SQ_THREAD_CPU_PCT, nil,
+           (watcher_cpu_diff * 100.0) / clock_time_diff, Time.now.utc]
+        )
+      end
+
       private
 
       # @return [Sqreen::MetricsStore]
@@ -111,7 +140,7 @@ module Sqreen
           @instance = new(metrics_store, period,
                           {'base'=> base, 'factor' => factor},
                           {'base' => base_pct, 'factor' => factor_pct}
-                      ).tap(&:enable)
+                         ).tap(&:enable)
         end
 
         def disable
@@ -129,6 +158,11 @@ module Sqreen
           return unless instance
           instance.finish_request
         end
+
+        def finish_watcher_run
+          return unless instance
+          instance.finish_watcher_run
+        end
       end
     end
   end

data/lib/sqreen/rules_callbacks/{run_block_user_actions.rb → run_user_actions.rb}

@@ -7,14 +7,15 @@ require 'sqreen/actions'
 module Sqreen
   module Rules
     # Runs the block_user actions (for hooking Sqreen.{identify,auth_user})
-    class RunBlockUserActions < CB
+    class RunUserActions < CB
       def initialize(klass, method, auth_keys_idx)
         super(klass, method)
         @auth_keys_idx = auth_keys_idx
       end
 
       def post(_retval, _inst, args, _budget = nil)
-        actions = actions_repo.get('block_user', args[@auth_keys_idx])
+        actions = actions_repo.get('block_user', args[@auth_keys_idx]) +
+                  actions_repo.get('redirect_user', args[@auth_keys_idx])
 
         actions.each do |action|
           res = action.run args[@auth_keys_idx]

data/lib/sqreen/runner.rb

@@ -109,6 +109,7 @@ module Sqreen
       @running = true
 
       @token = @configuration.get(:token)
+      @app_name = @configuration.get(:app_name)
       @url = @configuration.get(:url)
       Sqreen.update_whitelisted_paths([])
       Sqreen.update_whitelisted_ips({})
@@ -121,7 +122,7 @@ module Sqreen
       self.metrics_engine = MetricsStore.new
       @instrumenter = Instrumentation.new(metrics_engine)
 
-      Sqreen.log.warn "using token #{@token}"
+      Sqreen.log.warn "Using token #{@token}"
       response = create_session(session_class)
       wanted_features = response.fetch('features', {})
       conf_initial_features = configuration.get(:initial_features)
@@ -151,7 +152,7 @@ module Sqreen
     end
 
     def create_session(session_class)
-      @session = session_class.new(@url, @token)
+      @session = session_class.new(@url, @token, @app_name)
       session.login(@framework)
     end
 
@@ -378,6 +379,8 @@ module Sqreen
         Sqreen.log.debug 'Forced an heartbeat'
         periodic_cleanup # will trigger do_heartbeat since it's time
       end
+    ensure
+      PerformanceNotifications::BinnedMetrics.finish_watcher_run
     end
 
     def periodic_cleanup

data/lib/sqreen/session.rb

@@ -44,8 +44,9 @@ module Sqreen
 
     attr_accessor :request_compression
 
-    def initialize(server_url, token)
+    def initialize(server_url, token, app_name = nil)
       @token = token
+      @app_name = app_name
       @session_id = nil
       @server_url = server_url
       @request_compression = false
@@ -221,7 +222,12 @@ module Sqreen
     end
 
     def login(framework)
-      headers = { 'x-api-key' => @token }
+      headers = {
+        'x-api-key'  => @token,
+        'x-app-name' => @app_name || framework.application_name,
+      }.reject { |k, v| v ==  nil }
+
+      Sqreen.log.warn "Using app name: #{headers['x-app-name']}"
 
       res = resilient_post('app-login', RuntimeInfos.all(framework), headers)
 

data/lib/sqreen/version.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.15.8'.freeze
+  VERSION = '1.16.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.15.8
+  version: 1.16.0
 platform: java
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-07 00:00:00.000000000 Z
+date: 2019-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -118,8 +118,8 @@ files:
 - lib/sqreen/rules_callbacks/record_request_context.rb
 - lib/sqreen/rules_callbacks/reflected_xss.rb
 - lib/sqreen/rules_callbacks/regexp_rule.rb
-- lib/sqreen/rules_callbacks/run_block_user_actions.rb
 - lib/sqreen/rules_callbacks/run_req_start_actions.rb
+- lib/sqreen/rules_callbacks/run_user_actions.rb
 - lib/sqreen/rules_callbacks/shell_env.rb
 - lib/sqreen/rules_callbacks/url_matches.rb
 - lib/sqreen/rules_callbacks/user_agent_matches.rb