sqreen 1.17.0 → 1.17.2.beta1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: edfd8cc358ff6408be042a8d11d473b85b00c2a1cf80c97cf5b154a6fa7da037
4
- data.tar.gz: f558c9aef036f11b3e20fe0f8d41d7020b7d302233a4385d7cb760a983e91116
3
+ metadata.gz: 3862ecef24ba42830b6570cc6bf05902a40e605b467339a62499f929ff6ed953
4
+ data.tar.gz: 7aa4b16b8b80f5cbdeba29393aeef199c466e9148f6ad6a67fd522e8e5bf09d8
5
5
  SHA512:
6
- metadata.gz: aa39b3c2a3af1e2b2135dd735b736dce973eab3810cbbe7dc7d017d25ca69d7f309f9029e9f0281d51cd523f996f86c75963d83b77a2294f6a359f847305f100
7
- data.tar.gz: daa34349243dc5a56abadff975c776098db0e1d520f15720bae17443b157cc586ba77bc954ab4c7687866dab4bd4b8607cb6fee4c2e9e3bd68cc9f7b46b78faf
6
+ metadata.gz: f51c35e5537404e214faf6686b771882d40eda98c2850105f3067a82e56756666cb52b188651db8e26a832df5f02971dc0d2f9aa30a8a300a486f93390333345
7
+ data.tar.gz: 9c538573202337981c7b1daa6f369bb8e7115a280904a6d5f2040b4b2978526a90c52e0ab0762c5fe17a12fbfeb035aa08a001f51422c5dd4195836efab07c8e
@@ -0,0 +1,418 @@
1
+ ## 1.17.2.beta1
2
+
3
+ * Important note: this beta release supports Rails only, and notably excludes Sinatra support
4
+ * Important note: this beta release supports Ruby 2.2 or above only
5
+ * Improve Sqreen thread boot when using Unicorn, Rainbows, Puma, Passenger, Thin, Webrick
6
+ * Improve performance cap consistency with specification
7
+ * Improve consistency of rule precondition argument passing
8
+ * Remove extraneous log output on CLI tool execution
9
+
10
+ ## 1.17.0
11
+
12
+ * Implement HTTP Response Code, Content-Type, and Content-Length in relevant sqreen events
13
+ * Enhance reliability in face of unavailability of the backend
14
+ * Improve resilience to exceptional cases
15
+ * Improve handling and sanitization of non-UTF8 encodings
16
+ * Avoid concurrent hash modification during iteration
17
+ * Improve feedback accuracy in logs
18
+
19
+ ## 1.16.2
20
+
21
+ * Restore timeout functionality for JS calls
22
+ * Remove confusing warning about threading when using a forking server
23
+ * Make sensitive keys configuration fully case insensitive
24
+ * Avoid concurrent hash modification during iteration
25
+ * Support Ruby 2.6
26
+
27
+ ## 1.16.1
28
+
29
+ * Fix bugs in low memory JavaScript paths
30
+
31
+ ## 1.16.0
32
+
33
+ * Implement redirect\_user action
34
+ * Improve performance of JavaScript rules
35
+ * Support Organization Token
36
+
37
+ ## 1.15.9
38
+
39
+ * Improve the performance overhead of triggering dynamic protections (15% faster for SQL injection detection)
40
+
41
+ # 1.15.8 - 2018-01-07
42
+
43
+ * Fix doubing of JS heap maximum if GC is being triggered too frequently
44
+
45
+ ## 1.15.8.beta2 - 2018-12-21
46
+
47
+ * Improve memory usage with mini\_racer
48
+
49
+ ## 1.15.7 - 2018-11-28
50
+
51
+ * Improve performance of IP blacklisting
52
+
53
+ ## 1.15.7.beta1 - 2018-11-22
54
+
55
+ * Improve serialization of arguments to JS functions (MRI only)
56
+
57
+ ## 1.15.6 - 2018-11-21
58
+
59
+ * Avoid errors on sdk methods when sqreen is not configured
60
+
61
+ ## 1.15.5 - 2018-11-15
62
+
63
+ * Improve performance of performance monitoring
64
+
65
+ ## 1.15.4 - 2018-11-14
66
+
67
+ * Fix JS functions interfering with each other
68
+
69
+ ## 1.15.3 - 2018-11-07
70
+
71
+ * User customization of sensitive data purging
72
+ * Ignore redundant rules\_reload commands
73
+
74
+ ## 1.15.3.beta2 - 2018-11-05
75
+
76
+ * Eliminate reentering protection in request start/end hooks
77
+
78
+ ## 1.15.3.beta1 - 2018-10-31
79
+
80
+ * Add logging statements
81
+
82
+ ## 1.15.2 - 2018-10-31
83
+
84
+ * Fix exception when evaluating actions without the server having sent the
85
+ actions\_reload command
86
+ * Fix reporting of such an exception
87
+
88
+ ## 1.15.1 - 2018-10-26
89
+
90
+ * Use path-compressed trie to store action IP addr prefixes
91
+ * Changed order in which actions, whielisting and blacklisting are evaluated
92
+ * Improve serialization of arguments to JS functions (MRI only)
93
+
94
+ ## 1.15.0 - 2018-10-23
95
+
96
+ * Improve memory usage
97
+ * Fix uninitialized `@@issue_nojs_warn`
98
+ * Fix FloatDomainError when binning value 0
99
+
100
+ ## 1.14.2 - 2018-10-02
101
+
102
+ * Fix error when instrumented method is called between requests.
103
+ * Fix encoding error when passing errors to mini\_racer.
104
+ * Work around bug causing in Ruby 2.5.0 and 2.5.1.
105
+ * Fix JavaScript usage in jRuby.
106
+ * Increase minimum version of sq\_mini\_racer to 0.2.2.sqreen1.
107
+
108
+ ## 1.14.1 - 2018-09-21
109
+
110
+ * Tune performance metric collection to also capture overhead per request
111
+
112
+ ## 1.14.0 - 2018-09-12
113
+
114
+ * Improve log msgs for block and redirect (and make block a warning)
115
+ * Avoid v8 instances being created in master processes (before forking)
116
+
117
+ ## 1.14.0.beta3 - 2018-09-06
118
+
119
+ * Fixed sq\_mini\_racer not being declared as a runtime dependency
120
+
121
+ ## 1.14.0.beta1 - 2018-08-20
122
+
123
+ * Introduce sq\_mini\_racer
124
+
125
+ ## 1.13.5 - 2018-??-??
126
+
127
+ * Fix exception in XSS callback for HAML 4 script lines
128
+
129
+ ## 1.13.4 - 2018-08-16
130
+
131
+ * Fixed literals in HAML 4 being improperly escaped
132
+ * Fixed exception in XSS callback when some input is unproperly encoded
133
+
134
+ ## 1.13.3 - 2018-08-13
135
+
136
+ * Redact sensitive data before sending it to Sqreen's servers
137
+ * Specify a minimum version of therubyracer
138
+
139
+ ## 1.13.2 - 2018-07-23
140
+
141
+ * Automaticaly ignore uncaught `Sqreen::AttackBlocked` exceptions on Sentry and NewRelic
142
+
143
+ ## 1.13.1 - 2018-07-18
144
+
145
+ * Force mini\_racer gem dependency version to 0.1.x
146
+
147
+ ## 1.13.0 - 2018-07-03
148
+
149
+ * Implemented the `block_user` Security Automation action
150
+ * Add `ip_header` configuration option
151
+ * Prevent erroneous double instrumentation of instance methods
152
+ * Support performance metrics with binning of measurements for: total request
153
+ time, time per callback, and sum of all callback durations
154
+
155
+ ## 1.12.0 - 2018-05-31
156
+
157
+ * Add the `track` SDK method
158
+ * Support Security Automation's actions
159
+ * Improve CRS performance on requests with many parameters
160
+
161
+ ## 1.11.3 - 2018-03-26
162
+
163
+ * Improved workaround segfault in queue in Ruby 2.5.0 (reload queue as needed)
164
+
165
+ ## 1.11.2 - 2018-03-21
166
+
167
+ * Workaround segfault in queue in Ruby 2.5.0
168
+
169
+ ## 1.11.1 - 2018-03-20
170
+
171
+ * Optimize and tuned most of the instrumentation code, for better perf and better perf budget
172
+
173
+ ## 1.11.0 - 2018-03-06
174
+
175
+ * Overalled NR perf reports
176
+ * Timebox callback execution
177
+ * Improve XSS speed
178
+ * New per request overhead display
179
+ * Fix typo occuring in debug mode
180
+
181
+ ## 1.10.5 - 2018-02-20
182
+
183
+ * Don't start in `delayed_job` worker
184
+ * Fix log in cbtree when nothing exists
185
+ * Max length on CRS
186
+
187
+ ## 1.10.4 - 2018-02-19
188
+
189
+ * Fix signature if Oj is detected
190
+ * Reinstrument `instance_evaled` methods
191
+
192
+ ## 1.10.3 - 2018-02-15
193
+
194
+ * Correctly remove `mini_racer` context
195
+
196
+ ## 1.10.2 - 2018-02-15
197
+
198
+ * Recycle `mini_racer` context regurlarly because it leak memory in `sqreen-alt`
199
+
200
+ ## 1.10.1 - 2018-02-14
201
+
202
+ * Fix a leak when reloading rules in `sqreen-alt`
203
+
204
+ ## 1.10.0
205
+
206
+ * Publish `sqreen-alt` gem that requires `mini_racer`
207
+ * SharedStorage is per thread local
208
+
209
+ ## 1.9.2 - 2018-02-06
210
+
211
+ * Cover erb <%== %> unsafe output
212
+ * Fix request record `to_hash` not reentrant
213
+
214
+ ## 1.9.1 - 2018-01-23
215
+
216
+ * Fix bad init of RR when no data
217
+
218
+ ## 1.9.0 - 2018-01-22
219
+
220
+ * Fix init on sinatra when nothing to report
221
+
222
+ ## 1.9.0 - 2018-01-21
223
+
224
+ * Add `identify` SDKv1.5
225
+ * Observe attacks and metrics per requests
226
+ * Invert `HTTP_X_REAL_IP` & `HTTP_CLIENT_IP` in ip heuristics
227
+ * Update attack blocked page
228
+ * Accept more forwarding headers
229
+ * Change User-agent to sqreen-ruby/VERSION
230
+ * Fix issues when restricting `hash_val_include` in execjs on too deep payloads
231
+
232
+ ## 1.8.5 - 2017-10-15
233
+
234
+ * Fix crasher in slim templates (== val if something)
235
+
236
+ ## 1.8.4 - 2017-10-13
237
+
238
+ * Improve resilience on `json_pure`
239
+
240
+ ## 1.8.3 - 2017-10-04
241
+
242
+ * Convert symbol in headers keys to string
243
+
244
+ ## 1.8.2 - 2017-09-25
245
+
246
+ * Filter params sent to exec JS (perf improvement)
247
+ * Use private network address if remote addr is localhost
248
+
249
+ ## 1.8.1 - 2017-08-09
250
+
251
+ * Do not execute rules on a different process than instrumented
252
+
253
+ ## 1.8.0 - 2017-08-07
254
+
255
+ * Do not send packages at login
256
+ * Add agent version to user agent
257
+ * Make boolean config accept 1, true, "true" as boolean true
258
+
259
+ ## 1.7.2 - 2017-07-18
260
+
261
+ * Faster CRS
262
+ * Correctly whitelist CRS
263
+
264
+ ## 1.7.1 - 2017-07-10
265
+
266
+ * Fix whitelisting removing rules
267
+
268
+ ## 1.7.0 - 2017-06-30
269
+
270
+ * Fix exceptions when values are not correctly encoded in matcher
271
+ * Fix handling of badly encoded path in `binding_accessor_counter`
272
+ * Fix handling of incompatible encoding in CRS/matcher
273
+ * Add metric to shutdown `whitelisted_metric`
274
+ * Adding a whitelist ip command
275
+
276
+ ## 1.6.5 - 2017-06-08
277
+
278
+ * Only escape malicious reflections XSS
279
+ * Do not read file in CRS matchers
280
+
281
+ ## 1.6.4 - 2017-05-29
282
+
283
+ * More defensive HAML callbacks
284
+
285
+ ## 1.6.3 - 2017-05-22
286
+
287
+ * HAML5 support
288
+
289
+ ## 1.6.2 - 2017-05-16
290
+
291
+ * Display error page for attack catched in templates
292
+
293
+ ## 1.6.1 - 2017-05-15
294
+
295
+ * Add a middleware inside rails for blocking call with error page
296
+
297
+ ## 1.6.0 - 2017-05-12
298
+
299
+ * Add BindingAccessorMatcher
300
+ * Add transforms to binding accessors
301
+ * use regexp instead of regex in matcher
302
+ * Add error page callback
303
+ * Refactor JS exec
304
+
305
+ ## 1.5.0 - 2017-04-18
306
+
307
+ * Use ERB inside sqreen.yml config file
308
+ * Disable sqreen through config file
309
+
310
+ ## 1.4.3 - 2017-04-07
311
+
312
+ * More HAML templates support
313
+ * initial Temple (slim) support
314
+ * Add ability to count usage of an ip
315
+
316
+ ## 1.4.1, 1.4.2 - 2017-03-28
317
+
318
+ * Too wide `params_included`
319
+ (republished because of mis yank)
320
+
321
+ ## 1.4.0 - 2017-03-27
322
+
323
+ * Add support for HAML templates
324
+ * Enable whitelisting path
325
+ * Change patch numbering system
326
+
327
+ ## 1.3.2 - 2017-03-09
328
+
329
+ * Fast logout in development
330
+
331
+ ## 1.3.1 - 2017-03-06
332
+
333
+ * expose current working directory to rules
334
+ * Fine tune logging verbosity
335
+
336
+ ## 1.3.0 - 2017-02-23
337
+
338
+ * More stable middleware instrumentation
339
+ * Fix encoding objects when sending to sqreen
340
+
341
+ ## 1.2.0 - 2017-01-20
342
+
343
+ * Add a `force_logout` command
344
+ * Add SDK for signup tracking
345
+ * Only warn for network errors that are retried
346
+
347
+ ## 1.1.5 - 2016-12-27
348
+
349
+ * Better metrics collection
350
+
351
+ ## 1.1.4 - 2016-12-15
352
+
353
+ * Do not startup in cucumber environment
354
+
355
+ ## 1.1.3 - 2016-12-14
356
+
357
+ * Change `sqreen_call_counts` metric category
358
+
359
+ ## 1.1.2 - 2016-12-14
360
+
361
+ * do not freeze user-agent strings
362
+ * Count calls of each callbacks
363
+
364
+ ## 1.1.1 - 2016-12-07
365
+
366
+ * Change IP selection heuristic
367
+
368
+ ## 1.1.0 - 2016-12-05
369
+
370
+ * Add SDK for auth tracking
371
+
372
+ ## 1.0.0 - 2016-12-05
373
+
374
+ * Only 5min heartbeats
375
+ * New login flow
376
+ * Better char & JSON encoding of sent payloads
377
+ * Don't try to XSS things that are not strings
378
+ * Improve Sinatra startup under Puma
379
+ * HAML support
380
+
381
+ ## 0.8.1 - 2016-06-06
382
+
383
+ * Fix pre condition (`hash_val_include?`)
384
+
385
+ ## 0.8.0 - 2016-05-30
386
+
387
+ * ExecJS based CB log metrics
388
+ * Dynamic HTTP headers management
389
+
390
+ ## 0.7.X - 2016-04-20
391
+
392
+ * First version published to rubygems.org
393
+
394
+ ## 0.6.X
395
+
396
+ * [performance] Add precondition to rules
397
+
398
+ ## 0.5.X
399
+
400
+ * [feature] Add ability to push metrics
401
+
402
+ ## 0.4.X
403
+
404
+ * [performance] require v8 as a dependency
405
+
406
+ ## 0.3.X
407
+
408
+ * [performance] Add ability to push callback performance metrics to New Relic
409
+
410
+ ## 0.2.X
411
+
412
+ * [bugfix]: Many bug fixes after production
413
+
414
+ ## 0.1.X
415
+
416
+ * Initial private beta version!
417
+
418
+
data/README.md CHANGED
@@ -32,13 +32,13 @@ The only required parameter is your application's `token`.
32
32
  ```
33
33
  - for anything else:
34
34
  ```shell
35
- $ echo token: your_token > ~/sqreen.yml
36
- ```
35
+ $ echo token: your_token > ~/sqreen.yml
36
+ ```
37
37
 
38
38
  ### By environment:
39
- ```shell
40
- $ export SQREEN_TOKEN=your_token
41
- ```
39
+ ```shell
40
+ $ export SQREEN_TOKEN=your_token
41
+ ```
42
42
 
43
43
  The following can be set:
44
44
 
@@ -1,77 +1,7 @@
1
1
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
2
  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
3
3
 
4
- require 'sqreen/instrumentation'
5
- require 'sqreen/session'
6
- require 'sqreen/runner'
7
- require 'sqreen/callbacks'
8
4
  require 'sqreen/version'
9
- require 'sqreen/log'
10
- require 'sqreen/exception'
11
- require 'sqreen/configuration'
12
- require 'sqreen/events/attack'
13
- require 'sqreen/sdk'
5
+ require 'sqreen/agent'
14
6
 
15
- require 'thread'
16
-
17
- # Auto start the instrumentation.
18
-
19
- Sqreen.framework.on_start do |framework|
20
- if Sqreen.framework.on_pre_fork_preload?
21
- Sqreen.log.debug "Sqreen detected a forking server with preloading"
22
- next
23
- else
24
- Sqreen.log.debug "Sqreen detected a single-process server"
25
- end
26
- Thread.new do
27
- begin
28
- runner = nil
29
- Sqreen.log.debug("Reading configuration")
30
- configuration = Sqreen.config_init(framework)
31
- framework.sqreen_configuration = configuration
32
- Sqreen.log.debug("Initializing logs")
33
- Sqreen.log_init
34
- Sqreen.log.debug("Starting Sqreen #{Sqreen::VERSION}")
35
- warn "[#{Process.pid}] Sqreen logging at level #{Sqreen.log.instance_eval { @logger }.level} to #{Sqreen.log.instance_eval { @logger }.instance_eval { @logdev.filename }}"
36
- prevent_startup = Sqreen.framework.prevent_startup
37
- if !prevent_startup
38
- runner = Sqreen::Runner.new(configuration, framework)
39
- runner.run_watcher
40
- else
41
- Sqreen.log.debug("#{prevent_startup} prevented Sqreen startup")
42
- end
43
- rescue Sqreen::TokenNotFoundException
44
- Sqreen.log.error "Sorry but we couldn't find your Sqreen token.\nYour application is NOT currently protected by Sqreen.\n\nHave you filled your config/sqreen.yml?\n\n"
45
- rescue Sqreen::TokenInvalidException
46
- Sqreen.log.error "Sorry but your Sqreen token appears to be invalid.\nYour application is NOT currently protected by Sqreen.\n\nHave you correctly filled your config/sqreen.yml?\n\n"
47
- rescue Exception => e
48
- Sqreen.log.debug("General exception caught: #{e.inspect}")
49
- Sqreen.log.debug e.backtrace
50
- if runner
51
- Sqreen.log.debug("Immediately posting exception for runner #{runner.inspect}")
52
- runner.session.post_sqreen_exception(Sqreen::RemoteException.new(e))
53
- begin
54
- runner.remove_instrumentation
55
- rescue => e
56
- Sqreen.log.debug("Unexpected exception when removing instrumentation: #{e.inspect}")
57
- Sqreen.log.debug e.backtrace
58
- Sqreen.log.error("Terminating Sqreen thread")
59
- return nil
60
- end
61
- begin
62
- runner.logout(false)
63
- rescue StandardError => e
64
- Sqreen.log.debug("Unexpected exception when logging out: #{remove_exception.inspect}")
65
- Sqreen.log.debug(e.backtrace)
66
- nil
67
- end
68
- end
69
- # Wait a few seconds before retrying
70
- delay = rand(120)
71
- Sqreen.log.debug("Sleeping #{delay} seconds before restarting Sqreen thread")
72
- sleep(delay)
73
- retry
74
- end
75
- Sqreen.log.debug("Shutting down Sqreen #{Sqreen::VERSION}")
76
- end
77
- end unless Sqreen::to_bool(ENV['SQREEN_DISABLE'])
7
+ Sqreen::Agent.start
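Review bot: The `SQREEN_DISABLE` opt-out that guarded the old auto-start (`end unless Sqreen::to_bool(ENV['SQREEN_DISABLE'])`) has no counterpart on the new side, where `Sqreen::Agent.start` is invoked unconditionally at require time. Unless `Sqreen::Agent.start` re-checks that variable itself, which is not visible in this hunk, the kill switch operators use to keep the agent from booting in CLI tools, rake tasks or test runs regresses silently; keeping the guard at the call site makes the contract explicit regardless of what the agent does internally, `Sqreen::Agent.start unless Sqreen::to_bool(ENV['SQREEN_DISABLE'])`. The old `# Auto start the instrumentation.` comment was dropped along with the thread code, so a one-line note above the call, e.g. `# Auto-start the agent on require; boot, forking and thread handling live in Sqreen::Agent.`, would tell readers where that logic went. Whether startup is still deferred to the framework's on_start hook cannot be determined from this file and is worth confirming in `sqreen/agent`.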