RubyGems - sqreen - Versions diffs - 1.17.2 → 1.18.0 - Mend

sqreen 1.17.2 → 1.18.0

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/lib/sqreen/encoding_sanitizer.rb +22 -0
data/lib/sqreen/events/request_record.rb +1 -21
data/lib/sqreen/log.rb +20 -0
data/lib/sqreen/rules_callbacks.rb +1 -0
data/lib/sqreen/rules_callbacks/waf.rb +102 -0
data/lib/sqreen/runtime_infos.rb +26 -1
data/lib/sqreen/session.rb +10 -10
data/lib/sqreen/version.rb +1 -1
metadata +18 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a76d5247720780e68021b3bf5b252d5ce95bb141bec396eb4dfbd32858c4cbc3
-  data.tar.gz: 84a2aa50afcff20f86a4232bf62a9a90c468d71c5eff8caf8028554721bcd965
+  metadata.gz: a588437667070c3e175082755b4f63a1bcc2a1c1f599142fc56ac2348d05a1bf
+  data.tar.gz: 1dd5d9a28a0d4285c807587d1a0740342561950c85c4fc84e273ced99b90a6c7
 SHA512:
-  metadata.gz: 0de1fbb01aadba0da7fe66a12aba82b5e388fd0d1a2a1c66da27d5ed4a09e1f211218a65c84718d0406215a70a8448dd1cf26e524d3920593e911e6a9417faef
-  data.tar.gz: 8fe62157f44cd084bcaf090782f1e28f70b3d274af2498d2625e25eba9c82b56986be087ab600be70b22730247dc15c964a6a784d16117d51a3aaf76464aa87f
+  metadata.gz: 4e2d876f635ceadf46df13484f50ec6dfd418ebece431916330d2319be79f6a0f38c27a73f2a4261809af30fc3d32e6024a68c415b372ad7214b245f2e2443f6
+  data.tar.gz: 38a0ee125e1ded9a6bbddd440f30a3011b7c36051ac7393f5cd8294a128952fd9f7a93735b20496394e77a042a14c95199817fad6598625d5583030f8c50aace

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 1.18.0
+* Support In-App WAF
 ## 1.17.2
 * Support Rails 6.0 (single database)

data/lib/sqreen/encoding_sanitizer.rb ADDED

@@ -0,0 +1,22 @@
+module Sqreen
+  class EncodingSanitizer
+    def self.sanitize(obj)
+      case obj
+      when String
+        sanitize_string(obj)
+      when Array
+        obj.map { |e| sanitize(e) }
+      when Hash
+        obj.each_with_object({}) { |(k, v), h| h[k] = sanitize(v) }
+      else
+        obj
+      end
+    end
+    def self.sanitize_string(s)
+      return s if s.encoding.name == 'UTF-8' && s.valid_encoding?
+      s.encode('UTF-16', :invalid => :replace, :undef => :replace).encode('UTF-8')
+    end
+  end
+end

data/lib/sqreen/events/request_record.rb CHANGED

@@ -3,6 +3,7 @@
 require 'json'
 require 'sqreen/event'
+require 'sqreen/encoding_sanitizer'
 module Sqreen
   # When a request is deeemed worthy of being sent to the backend
@@ -115,27 +116,6 @@ module Sqreen
     end
   end
-  class EncodingSanitizer
-    def self.sanitize(obj)
-      case obj
-      when String
-        sanitize_string(obj)
-      when Array
-        obj.map { |e| sanitize(e) }
-      when Hash
-        obj.each_with_object({}) { |(k, v), h| h[k] = sanitize(v) }
-      else
-        obj
-      end
-    end
-    def self.sanitize_string(s)
-      return s if s.encoding.name == 'UTF-8' && s.valid_encoding?
-      s.encode('UTF-16', :invalid => :replace, :undef => :replace).encode('UTF-8')
-    end
-  end
   # For redacting sensitive data and avoid having it sent to our servers
   class SensitiveDataRedactor
     DEFAULT_SENSITIVE_KEYS = Set.new(%w[password secret passwd authorization api_key apikey access_token]).freeze

data/lib/sqreen/log.rb CHANGED

@@ -62,6 +62,10 @@ module Sqreen
   # Wrapper class for sqreen logging
   class Logger
+    SEVERITY_TO_METHOD = ::Logger::Severity.constants.each_with_object({}) do |s, h|
+      h[::Logger::Severity.const_get(s)] = s.downcase
+    end
     def initialize(desired_level, log_location, force_logger = nil)
       if force_logger
         @logger = force_logger
@@ -90,6 +94,10 @@ module Sqreen
       @logger.error(msg, &block)
     end
+    def add(severity, msg = nil, &block)
+      send(SEVERITY_TO_METHOD[severity], msg, &block)
+    end
     protected
     def init_logger_output(path)
@@ -135,6 +143,10 @@ module Sqreen
     def error(_msg = nil); end
+    def fatal(_msg = nil); end
+    def add(_severity, _msg = nil); end
     def formatter=(_); end
   end
@@ -162,6 +174,14 @@ module Sqreen
       @logger.error(msg, &block)
     end
+    def fatal(msg = nil, &block)
+      @logger.error(msg, &block)
+    end
+    def add(severity, msg = nil, &block)
+      send(Sqreen::Logger::SEVERITY_TO_METHOD[severity], msg, &block)
+    end
     def formatter=(value)
       @logger.formatter = value
     end

data/lib/sqreen/rules_callbacks.rb CHANGED

@@ -31,3 +31,4 @@ require 'sqreen/rules_callbacks/devise_auth_track'
 require 'sqreen/rules_callbacks/devise_signup_track'
 require 'sqreen/rules_callbacks/custom_error'
+require 'sqreen/rules_callbacks/waf'

data/lib/sqreen/rules_callbacks/waf.rb ADDED

@@ -0,0 +1,102 @@
+require 'securerandom'
+require 'sqreen/rule_attributes'
+require 'sqreen/binding_accessor'
+require 'sqreen/rule_callback'
+require 'sqreen/safe_json'
+module Sqreen
+  module Rules
+    class WAFCB < RuleCB
+      BUDGET_MAX = 5000
+      # TODO: move to Dependency
+      begin
+        require 'libsqreen'
+        @libsqreen = true
+      rescue LoadError
+        Sqreen.log.warn('libsqreen gem not found')
+        @libsqreen = false
+      end
+      def self.libsqreen?
+        @libsqreen
+      end
+      attr_reader :binding_accessors, :budget, :waf_rule_name
+      def initialize(*args)
+        super(*args)
+        @overtimeable = false
+        unless WAFCB.libsqreen?
+          Sqreen.log.warn('libsqreen gem not found')
+          return
+        end
+        unless @data['values']
+          Sqreen.log.warn('no values in data')
+          return
+        end
+        ::LibSqreen::WAF.logger = Sqreen.log
+        name = format("%s_%s", SecureRandom.uuid, rule_name)
+        unless @data['values']['waf_rules'] && (::LibSqreen::WAF[name] = @data['values']['waf_rules'])
+          Sqreen.log.error("WAF rule #{name} failed to be set, from #<#{self.class.name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+          return
+        end
+        @waf_rule_name = name
+        Sqreen.log.debug("WAF rule #{name} set, from #<#{self.class.name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+        @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
+          h[e] = BindingAccessor.new(e)
+        end
+        @budget = @data['values'].fetch('budget', BUDGET_MAX)
+        ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
+      end
+      def pre(instance, args, _budget)
+        unless WAFCB.libsqreen?
+          Sqreen.log.warn('libsqreen not required')
+          return
+        end
+        request = framework.request
+        return if !waf_rule_name || !request
+        env = [binding, framework, instance, args]
+        waf_args = Hash[binding_accessors.map { |e, b| [e, b.resolve(*env)] }]
+        waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
+        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, budget)
+        case action
+        when :monitor
+          record_event({ 'waf_data' => data })
+          advise_action(nil)
+        when :block
+          record_event({ 'waf_data' => data })
+          advise_action(:raise)
+        when :good
+          advise_action(nil)
+        when :timeout, :invalid_call, :invalid_rule, :invalid_flow, :no_rule
+          Sqreen.log.warn("error from waf: #{action}")
+          advise_action(nil)
+        else
+          Sqreen.log.warn("unexpected action returned from waf")
+          advise_action(nil)
+        end
+      end
+      def self.finalizer(rule_name)
+        lambda do |object_id|
+          return unless WAFCB.libsqreen?
+          ::LibSqreen::WAF.delete(waf_rule_name, waf_args, budget)
+          Sqreen.log.debug("WAF rule #{rule_name} deleted, from #<#{name}:0x#{object_id.to_s(16).rjust(16, '0')}>")
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/runtime_infos.rb CHANGED

@@ -65,7 +65,32 @@ module Sqreen
       {
         :agent_type => :ruby,
         :agent_version => ::Sqreen::VERSION,
-      }
+      }.tap do |h|
+        h[:libsqreen_version] = libsqreen_version if libsqreen?
+      end
+    end
+    def libsqreen?
+      libsqreen_loaded? && !libsqreen_stub?
+    end
+    def libsqreen_loaded?
+      Kernel.const_defined?('LibSqreen')
+    end
+    def libsqreen_stub?
+      !::LibSqreen.respond_to?(:version)
+    end
+    def libsqreen_version
+      return unless libsqreen?
+      @libsqreen_version ||= case (version = ::LibSqreen.version)
+                             when Array
+                               version.map(&:to_s).join('.')
+                             else
+                               version
+                             end
     end
     def os

data/lib/sqreen/session.rb CHANGED

@@ -100,7 +100,7 @@ module Sqreen
       rescue StandardError => e
         Sqreen.log.debug { "Caught exception during request: #{e.inspect}" }
         Sqreen.log.debug { e.backtrace }
-        Sqreen.log.debug "Cannot connect, retry in #{RETRY_CONNECT_SECONDS} seconds"
+        Sqreen.log.debug { "Cannot connect, retry in #{RETRY_CONNECT_SECONDS} seconds" }
         sleep RETRY_CONNECT_SECONDS
         @conn_retry += 1
         retry
@@ -129,7 +129,7 @@ module Sqreen
       raise e if max_retry != RETRY_FOREVER && current_retry >= max_retry || e.is_a?(Sqreen::NotImplementedYet) || e.is_a?(Sqreen::Unauthorized)
       sleep_delay = [MAX_DELAY, retry_request_seconds * current_retry].min
-      Sqreen.log.debug format("Sleeping %ds before retry #{current_retry}/#{max_retry}", sleep_delay)
+      Sqreen.log.debug { format("Sleeping %ds before retry #{current_retry}/#{max_retry}", sleep_delay) }
       sleep(sleep_delay)
       retry
@@ -164,10 +164,10 @@ module Sqreen
       @req_nb += 1
       path = prefix_path(path)
-      Sqreen.log.debug format('%s %s (%s)', method, path, @token)
       payload = {}
       resiliently(RETRY_REQUEST_SECONDS, max_retry) do
+        Sqreen.log.debug { format('%s %s %s %s (%s)', method, path, JSON.dump(data), headers.inspect, @token) }
         res = nil
         MUTEX.synchronize do
           res = case method.upcase
@@ -181,7 +181,7 @@ module Sqreen
                   end
                   @con.post(path, json_data, headers)
                 else
-                  Sqreen.log.debug format('unknown method %s', method)
+                  Sqreen.log.debug { format('unknown method %s', method) }
                   raise Sqreen::NotImplementedYet
                 end
         end
@@ -192,17 +192,17 @@ module Sqreen
           if res['Content-Type'] && res['Content-Type'].start_with?('application/json')
             payload = JSON.parse(res.body)
             unless payload['status']
-              Sqreen.log.debug(format('Cannot %s %s. Parsed response body was: %s', method, path, payload.inspect))
+              Sqreen.log.debug { format('Cannot %s %s. Parsed response body was: %s', method, path, payload.inspect) }
             end
           else
-            Sqreen.log.debug "Unexpected response Content-Type: #{res['Content-Type']}"
-            Sqreen.log.debug "Unexpected response body: #{res.body.inspect}"
+            Sqreen.log.debug { "Unexpected response Content-Type: #{res['Content-Type']}" }
+            Sqreen.log.debug { "Unexpected response body: #{res.body.inspect}" }
           end
         else
-          Sqreen.log.debug 'warning: empty return value'
+          Sqreen.log.debug { 'warning: empty return value' }
         end
+        Sqreen.log.debug { format('%s %s (DONE: %s in %f ms)', method, path, res && res.code, (Time.now.utc - now) * 1000) }
       end
-      Sqreen.log.debug format('%s %s (DONE in %f ms)', method, path, (Time.now.utc - now) * 1000)
       payload
     end
@@ -233,7 +233,7 @@ module Sqreen
       end
       Sqreen.log.info 'Login success.'
       @session_id = res['session_id']
-      Sqreen.log.debug "received session_id #{@session_id}"
+      Sqreen.log.debug { "received session_id #{@session_id}" }
       Sqreen.logged_in = true
       res
     end

data/lib/sqreen/version.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.17.2'.freeze
+  VERSION = '1.18.0'.freeze
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.17.2
+  version: 1.18.0
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-08-30 00:00:00.000000000 Z
+date: 2019-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sq_mini_racer
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.2.4.sqreen2
+- !ruby/object:Gem::Dependency
+  name: libsqreen
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0.0
 description: Sqreen is a SaaS based Application protection and monitoring platform
   that integrates directly into your Ruby applications. Learn more at https://sqreen.io.
 email: contact@sqreen.io
@@ -64,6 +78,7 @@ files:
 - lib/sqreen/dependency/rails.rb
 - lib/sqreen/dependency/sentry.rb
 - lib/sqreen/dependency/sinatra.rb
+- lib/sqreen/encoding_sanitizer.rb
 - lib/sqreen/event.rb
 - lib/sqreen/events/attack.rb
 - lib/sqreen/events/remote_exception.rb
@@ -126,6 +141,7 @@ files:
 - lib/sqreen/rules_callbacks/shell_env.rb
 - lib/sqreen/rules_callbacks/url_matches.rb
 - lib/sqreen/rules_callbacks/user_agent_matches.rb
+- lib/sqreen/rules_callbacks/waf.rb
 - lib/sqreen/rules_signature.rb
 - lib/sqreen/runner.rb
 - lib/sqreen/runtime_infos.rb