sqreen 1.17.0 → 1.17.2.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: edfd8cc358ff6408be042a8d11d473b85b00c2a1cf80c97cf5b154a6fa7da037
-  data.tar.gz: f558c9aef036f11b3e20fe0f8d41d7020b7d302233a4385d7cb760a983e91116
+  metadata.gz: 3862ecef24ba42830b6570cc6bf05902a40e605b467339a62499f929ff6ed953
+  data.tar.gz: 7aa4b16b8b80f5cbdeba29393aeef199c466e9148f6ad6a67fd522e8e5bf09d8
 SHA512:
-  metadata.gz: aa39b3c2a3af1e2b2135dd735b736dce973eab3810cbbe7dc7d017d25ca69d7f309f9029e9f0281d51cd523f996f86c75963d83b77a2294f6a359f847305f100
-  data.tar.gz: daa34349243dc5a56abadff975c776098db0e1d520f15720bae17443b157cc586ba77bc954ab4c7687866dab4bd4b8607cb6fee4c2e9e3bd68cc9f7b46b78faf
+  metadata.gz: f51c35e5537404e214faf6686b771882d40eda98c2850105f3067a82e56756666cb52b188651db8e26a832df5f02971dc0d2f9aa30a8a300a486f93390333345
+  data.tar.gz: 9c538573202337981c7b1daa6f369bb8e7115a280904a6d5f2040b4b2978526a90c52e0ab0762c5fe17a12fbfeb035aa08a001f51422c5dd4195836efab07c8e

data/CHANGELOG.md

@@ -0,0 +1,418 @@
+## 1.17.2.beta1
+
+* Important note: this beta release supports Rails only, and notably excludes Sinatra support
+* Important note: this beta release supports Ruby 2.2 or above only
+* Improve Sqreen thread boot when using Unicorn, Rainbows, Puma, Passenger, Thin, Webrick
+* Improve performance cap consistency with specification
+* Improve consistency of rule precondition argument passing
+* Remove extraneous log output on CLI tool execution
+
+## 1.17.0
+
+* Implement HTTP Response Code, Content-Type, and Content-Length in relevant sqreen events
+* Enhance reliability in face of unavailability of the backend
+* Improve resilience to exceptional cases
+* Improve handling and sanitization of non-UTF8 encodings
+* Avoid concurrent hash modification during iteration
+* Improve feedback accuracy in logs
+
+## 1.16.2
+
+* Restore timeout functionality for JS calls
+* Remove confusing warning about threading when using a forking server
+* Make sensitive keys configuration fully case insensitive
+* Avoid concurrent hash modification during iteration
+* Support Ruby 2.6
+
+## 1.16.1
+
+* Fix bugs in low memory JavaScript paths
+
+## 1.16.0
+
+* Implement redirect\_user action
+* Improve performance of JavaScript rules
+* Support Organization Token
+
+## 1.15.9
+
+* Improve the performance overhead of triggering dynamic protections (15% faster for SQL injection detection)
+
+# 1.15.8 - 2018-01-07
+
+* Fix doubing of JS heap maximum if GC is being triggered too frequently
+
+## 1.15.8.beta2 - 2018-12-21
+
+* Improve memory usage with mini\_racer
+
+## 1.15.7 - 2018-11-28
+
+* Improve performance of IP blacklisting
+
+## 1.15.7.beta1 - 2018-11-22
+
+* Improve serialization of arguments to JS functions (MRI only)
+
+## 1.15.6 - 2018-11-21
+
+* Avoid errors on sdk methods when sqreen is not configured
+
+## 1.15.5 - 2018-11-15
+
+* Improve performance of performance monitoring
+
+## 1.15.4 - 2018-11-14
+
+* Fix JS functions interfering with each other
+
+## 1.15.3 - 2018-11-07
+
+* User customization of sensitive data purging
+* Ignore redundant rules\_reload commands
+
+## 1.15.3.beta2 - 2018-11-05
+
+* Eliminate reentering protection in request start/end hooks
+
+## 1.15.3.beta1 - 2018-10-31
+
+* Add logging statements
+
+## 1.15.2 - 2018-10-31
+
+* Fix exception when evaluating actions without the server having sent the
+  actions\_reload command
+* Fix reporting of such an exception
+
+## 1.15.1 - 2018-10-26
+
+* Use path-compressed trie to store action IP addr prefixes
+* Changed order in which actions, whielisting and blacklisting are evaluated
+* Improve serialization of arguments to JS functions (MRI only)
+
+## 1.15.0 - 2018-10-23
+
+* Improve memory usage
+* Fix uninitialized `@@issue_nojs_warn`
+* Fix FloatDomainError when binning value 0
+
+## 1.14.2 - 2018-10-02
+
+* Fix error when instrumented method is called between requests.
+* Fix encoding error when passing errors to mini\_racer.
+* Work around bug causing in Ruby 2.5.0 and 2.5.1.
+* Fix JavaScript usage in jRuby.
+* Increase minimum version of sq\_mini\_racer to 0.2.2.sqreen1.
+
+## 1.14.1 - 2018-09-21
+
+* Tune performance metric collection to also capture overhead per request
+
+## 1.14.0 - 2018-09-12
+
+* Improve log msgs for block and redirect (and make block a warning)
+* Avoid v8 instances being created in master processes (before forking)
+
+## 1.14.0.beta3 - 2018-09-06
+
+* Fixed sq\_mini\_racer not being declared as a runtime dependency
+
+## 1.14.0.beta1 - 2018-08-20
+
+* Introduce sq\_mini\_racer
+
+## 1.13.5 - 2018-??-??
+
+* Fix exception in XSS callback for HAML 4 script lines
+
+## 1.13.4 - 2018-08-16
+
+* Fixed literals in HAML 4 being improperly escaped
+* Fixed exception in XSS callback when some input is unproperly encoded
+
+## 1.13.3 - 2018-08-13
+
+* Redact sensitive data before sending it to Sqreen's servers
+* Specify a minimum version of therubyracer
+
+## 1.13.2 - 2018-07-23
+
+* Automaticaly ignore uncaught `Sqreen::AttackBlocked` exceptions on Sentry and NewRelic
+
+## 1.13.1 - 2018-07-18
+
+* Force mini\_racer gem dependency version to 0.1.x
+
+## 1.13.0 - 2018-07-03
+
+* Implemented the `block_user` Security Automation action
+* Add `ip_header` configuration option
+* Prevent erroneous double instrumentation of instance methods
+* Support performance metrics with binning of measurements for: total request
+  time, time per callback, and sum of all callback durations
+
+## 1.12.0 - 2018-05-31
+
+* Add the `track` SDK method
+* Support Security Automation's actions
+* Improve CRS performance on requests with many parameters
+
+## 1.11.3 - 2018-03-26
+
+* Improved workaround segfault in queue in Ruby 2.5.0 (reload queue as needed)
+
+## 1.11.2 - 2018-03-21
+
+* Workaround segfault in queue in Ruby 2.5.0
+
+## 1.11.1 - 2018-03-20
+
+* Optimize and tuned most of the instrumentation code, for better perf and better perf budget
+
+## 1.11.0 - 2018-03-06
+
+* Overalled NR perf reports
+* Timebox callback execution
+* Improve XSS speed
+* New per request overhead display
+* Fix typo occuring in debug mode
+
+## 1.10.5 - 2018-02-20
+
+* Don't start in `delayed_job` worker
+* Fix log in cbtree when nothing exists
+* Max length on CRS
+
+## 1.10.4 - 2018-02-19
+
+* Fix signature if Oj is detected
+* Reinstrument `instance_evaled` methods
+
+## 1.10.3 - 2018-02-15
+
+* Correctly remove `mini_racer` context
+
+## 1.10.2 - 2018-02-15
+
+* Recycle `mini_racer` context regurlarly because it leak memory in `sqreen-alt`
+
+## 1.10.1 - 2018-02-14
+
+* Fix a leak when reloading rules in `sqreen-alt`
+
+## 1.10.0
+
+* Publish `sqreen-alt` gem that requires `mini_racer`
+* SharedStorage is per thread local
+
+## 1.9.2 - 2018-02-06
+
+* Cover erb <%== %> unsafe output
+* Fix request record `to_hash` not reentrant
+
+## 1.9.1 - 2018-01-23
+
+* Fix bad init of RR when no data
+
+## 1.9.0 - 2018-01-22
+
+* Fix init on sinatra when nothing to report
+
+## 1.9.0 - 2018-01-21
+
+* Add `identify` SDKv1.5
+* Observe attacks and metrics per requests
+* Invert `HTTP_X_REAL_IP` & `HTTP_CLIENT_IP` in ip heuristics
+* Update attack blocked page
+* Accept more forwarding headers
+* Change User-agent to sqreen-ruby/VERSION
+* Fix issues when restricting `hash_val_include` in execjs on too deep payloads
+
+## 1.8.5 - 2017-10-15
+
+* Fix crasher in slim templates (== val if something)
+
+## 1.8.4 - 2017-10-13
+
+* Improve resilience on `json_pure`
+
+## 1.8.3 - 2017-10-04
+
+* Convert symbol in headers keys to string
+
+## 1.8.2 - 2017-09-25
+
+* Filter params sent to exec JS (perf improvement)
+* Use private network address if remote addr is localhost
+
+## 1.8.1 - 2017-08-09
+
+* Do not execute rules on a different process than instrumented
+
+## 1.8.0 - 2017-08-07
+
+* Do not send packages at login
+* Add agent version to user agent
+* Make boolean config accept 1, true, "true" as boolean true
+
+## 1.7.2 - 2017-07-18
+
+* Faster CRS
+* Correctly whitelist CRS
+
+## 1.7.1 - 2017-07-10
+
+* Fix whitelisting removing rules
+
+## 1.7.0 - 2017-06-30
+
+* Fix exceptions when values are not correctly encoded in matcher
+* Fix handling of badly encoded path in `binding_accessor_counter`
+* Fix handling of incompatible encoding in CRS/matcher
+* Add metric to shutdown `whitelisted_metric`
+* Adding a whitelist ip command
+
+## 1.6.5 - 2017-06-08
+
+* Only escape malicious reflections XSS
+* Do not read file in CRS matchers
+
+## 1.6.4 - 2017-05-29
+
+* More defensive HAML callbacks
+
+## 1.6.3 - 2017-05-22
+
+* HAML5 support
+
+## 1.6.2 - 2017-05-16
+
+* Display error page for attack catched in templates
+
+## 1.6.1 - 2017-05-15
+
+* Add a middleware inside rails for blocking call with error page
+
+## 1.6.0 - 2017-05-12
+
+* Add BindingAccessorMatcher
+* Add transforms to binding accessors
+* use regexp instead of regex in matcher
+* Add error page callback
+* Refactor JS exec
+
+## 1.5.0 - 2017-04-18
+
+* Use ERB inside sqreen.yml config file
+* Disable sqreen through config file
+
+## 1.4.3 - 2017-04-07
+
+* More HAML templates support
+* initial Temple (slim) support
+* Add ability to count usage of an ip
+
+## 1.4.1, 1.4.2 - 2017-03-28
+
+* Too wide `params_included`
+(republished because of mis yank)
+
+## 1.4.0 - 2017-03-27
+
+* Add support for HAML templates
+* Enable whitelisting path
+* Change patch numbering system
+
+## 1.3.2 - 2017-03-09
+
+* Fast logout in development
+
+## 1.3.1 - 2017-03-06
+
+* expose current working directory to rules
+* Fine tune logging verbosity
+
+## 1.3.0 - 2017-02-23
+
+* More stable middleware instrumentation
+* Fix encoding objects when sending to sqreen
+
+## 1.2.0 - 2017-01-20
+
+* Add a `force_logout` command
+* Add SDK for signup tracking
+* Only warn for network errors that are retried
+
+## 1.1.5 - 2016-12-27
+
+* Better metrics collection
+
+## 1.1.4 - 2016-12-15
+
+* Do not startup in cucumber environment
+
+## 1.1.3 - 2016-12-14
+
+* Change `sqreen_call_counts` metric category
+
+## 1.1.2 - 2016-12-14
+
+* do not freeze user-agent strings
+* Count calls of each callbacks
+
+## 1.1.1 - 2016-12-07
+
+* Change IP selection heuristic
+
+## 1.1.0 - 2016-12-05
+
+* Add SDK for auth tracking
+
+## 1.0.0 - 2016-12-05
+
+* Only 5min heartbeats
+* New login flow
+* Better char & JSON encoding of sent payloads
+* Don't try to XSS things that are not strings
+* Improve Sinatra startup under Puma
+* HAML support
+
+## 0.8.1 - 2016-06-06
+
+* Fix pre condition (`hash_val_include?`)
+
+## 0.8.0 - 2016-05-30
+
+* ExecJS based CB log metrics
+* Dynamic HTTP headers management
+
+## 0.7.X - 2016-04-20
+
+* First version published to rubygems.org
+
+## 0.6.X
+
+* [performance] Add precondition to rules
+
+## 0.5.X
+
+* [feature] Add ability to push metrics
+
+## 0.4.X
+
+* [performance] require v8 as a dependency
+
+## 0.3.X
+
+* [performance] Add ability to push callback performance metrics to New Relic
+
+## 0.2.X
+
+* [bugfix]: Many bug fixes after production
+
+## 0.1.X
+
+* Initial private beta version!
+
+

data/README.md

@@ -32,13 +32,13 @@ The only required parameter is your application's `token`.
 ```
 - for anything else:
 ```shell
-      $ echo token: your_token > ~/sqreen.yml
-    ```
+    $ echo token: your_token > ~/sqreen.yml
+ ```
 
 ### By environment:
-    ```shell
-          $ export SQREEN_TOKEN=your_token
-    ```
+```shell
+    $ export SQREEN_TOKEN=your_token
+```
 
 The following can be set:
 

data/lib/sqreen.rb

@@ -1,77 +1,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 
-require 'sqreen/instrumentation'
-require 'sqreen/session'
-require 'sqreen/runner'
-require 'sqreen/callbacks'
 require 'sqreen/version'
-require 'sqreen/log'
-require 'sqreen/exception'
-require 'sqreen/configuration'
-require 'sqreen/events/attack'
-require 'sqreen/sdk'
+require 'sqreen/agent'
 
-require 'thread'
-
-# Auto start the instrumentation.
-
-Sqreen.framework.on_start do |framework|
-  if Sqreen.framework.on_pre_fork_preload?
-    Sqreen.log.debug "Sqreen detected a forking server with preloading"
-    next
-  else
-    Sqreen.log.debug "Sqreen detected a single-process server"
-  end
-  Thread.new do
-    begin
-      runner = nil
-      Sqreen.log.debug("Reading configuration")
-      configuration = Sqreen.config_init(framework)
-      framework.sqreen_configuration = configuration
-      Sqreen.log.debug("Initializing logs")
-      Sqreen.log_init
-      Sqreen.log.debug("Starting Sqreen #{Sqreen::VERSION}")
-      warn "[#{Process.pid}] Sqreen logging at level #{Sqreen.log.instance_eval { @logger }.level} to #{Sqreen.log.instance_eval { @logger }.instance_eval { @logdev.filename }}"
-      prevent_startup = Sqreen.framework.prevent_startup
-      if !prevent_startup
-        runner = Sqreen::Runner.new(configuration, framework)
-        runner.run_watcher
-      else
-        Sqreen.log.debug("#{prevent_startup} prevented Sqreen startup")
-      end
-    rescue Sqreen::TokenNotFoundException
-      Sqreen.log.error "Sorry but we couldn't find your Sqreen token.\nYour application is NOT currently protected by Sqreen.\n\nHave you filled your config/sqreen.yml?\n\n"
-    rescue Sqreen::TokenInvalidException
-      Sqreen.log.error "Sorry but your Sqreen token appears to be invalid.\nYour application is NOT currently protected by Sqreen.\n\nHave you correctly filled your config/sqreen.yml?\n\n"
-    rescue Exception => e
-      Sqreen.log.debug("General exception caught: #{e.inspect}")
-      Sqreen.log.debug e.backtrace
-      if runner
-        Sqreen.log.debug("Immediately posting exception for runner #{runner.inspect}")
-        runner.session.post_sqreen_exception(Sqreen::RemoteException.new(e))
-        begin
-          runner.remove_instrumentation
-        rescue => e
-          Sqreen.log.debug("Unexpected exception when removing instrumentation: #{e.inspect}")
-          Sqreen.log.debug e.backtrace
-          Sqreen.log.error("Terminating Sqreen thread")
-          return nil
-        end
-        begin
-          runner.logout(false)
-        rescue StandardError => e
-          Sqreen.log.debug("Unexpected exception when logging out: #{remove_exception.inspect}")
-          Sqreen.log.debug(e.backtrace)
-          nil
-        end
-      end
-      # Wait a few seconds before retrying
-      delay = rand(120)
-      Sqreen.log.debug("Sleeping #{delay} seconds before restarting Sqreen thread")
-      sleep(delay)
-      retry
-    end
-    Sqreen.log.debug("Shutting down Sqreen #{Sqreen::VERSION}")
-  end
-end unless Sqreen::to_bool(ENV['SQREEN_DISABLE'])
+Sqreen::Agent.start