RubyGems - sqreen - Versions diffs - 1.19.0.beta1 → 1.19.0 - Mend

sqreen 1.19.0.beta1 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -2
data/lib/sqreen/rules/waf_cb.rb +26 -6
data/lib/sqreen/runner.rb +5 -1
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/weave/legacy/instrumentation.rb +11 -3
metadata +9 -10

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0ffc604ca6c427fc4f689c67c3973a00bf83d6f0207f394c4df333bea1690799
-  data.tar.gz: 3b36a33e74f0dabb4ab75449807d2c2d2459f3edebe5e324ae593f12487815db
+  metadata.gz: d9ee940962990208133a70a5b307638cd43dda2b269cccce3f145ed96816e64a
+  data.tar.gz: '012987d55219ddd310337f6c0a9837d1e52aae1b7e165ab24e855c4f5fbeb767'
 SHA512:
-  metadata.gz: 622abad5c40c24d5740dde29bd53da136ccbe40f357b541f0e9d9fec5131e61aa71f391d525eaf4819dbffb22901d7ca9a186c2b615f9b5f0e617254bce40bdc
-  data.tar.gz: d4072082a4aaf7a22e6d7ccaa0699f19b029c0236c6a5be12125e2c8ee5de3cbd99afa4a7560a772f2d1ac6224511f3ef600daa9b13fbae4cf7d85b65147bdd4
+  metadata.gz: 602e605c2d82de6d011dba78ce03411973ca25c2fb8a00322af9cb80937eff2997f8eda20e00d08bb2106073a3ffe8bbf4bc7f01409d123d510ebb16a7915405
+  data.tar.gz: 2363c998cb4af54018638c7d6e46f54e6d98afcac94c6be5747a3c1f555bdd59321441b3196c85f1eec08555dc579af80cdf6728ade7dfb4b9bf0f506669d55d

data/CHANGELOG.md CHANGED

@@ -1,6 +1,8 @@
-## 1.19.0.beta1
+## 1.19.0
-* Improve compatibility with a new optional instrumentation engine
+* Upgrade WAF features via libsqreen 0.6.1
+* Improve time defensiveness in WAF
+* Improve compatibility with APM agents via a new optional instrumentation engine
 * Fix action reloading not being entirely cleared on reload
 * Improve handling of hash symbol keys in some security rules
 * Fix constant resolution scope on agent boot

data/lib/sqreen/rules/waf_cb.rb CHANGED

@@ -11,11 +11,15 @@ require 'sqreen/safe_json'
 require 'sqreen/exception'
 require 'sqreen/util/capper'
 require 'sqreen/dependency/libsqreen'
+require 'sqreen/encoding_sanitizer'
 module Sqreen
   module Rules
     class WAFCB < RuleCB
-      BUDGET_MAX = 5
+      # 2^30 -1 or 2^62 -1
+      MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
+      # will be converted to a long, so better not to overflow
+      INFINITE_BUDGET_US = MAX_FIXNUM
       def self.libsqreen?
         Sqreen::Dependency::LibSqreen.required?
@@ -25,7 +29,7 @@ module Sqreen
         Sqreen::Dependency.const_exist?('LibSqreen::WAF')
       end
-      attr_reader :binding_accessors, :budget, :waf_rule_name
+      attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
       def initialize(*args)
         super(*args)
@@ -54,8 +58,12 @@ module Sqreen
         @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
           h[e] = BindingAccessor.new(e)
         end
-        @budget = (@data['values'].fetch('budget_in_ms', nil) || BUDGET_MAX) * 1000
-        Sqreen.log.debug("WAF budget for #{@waf_rule_name} set to #{@budget}us")
+        # 0 for using defaults (PW_RUN_TIMEOUT)
+        @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
+        @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
+        Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
         ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
       end
@@ -68,13 +76,25 @@ module Sqreen
         env = [binding, framework, instance, args]
+        start = Sqreen.time if budget
         capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
         waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
           h[e] = capper.call(b.resolve(*env))
         end
         waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
-        waf_budget = [self.budget, budget && budget * 1_000_000].compact.min.to_i
-        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args, waf_budget)
+        if budget
+          rem_budget_s = budget - (Sqreen.time - start)
+          return advise_action(nil) if rem_budget_s <= 0.0
+          waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
+        else # no budget
+          waf_gen_budget_us = INFINITE_BUDGET_US
+        end
+        action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
+                                            waf_gen_budget_us, @max_run_budget_us)
         case action
         when :monitor

data/lib/sqreen/runner.rb CHANGED

@@ -121,7 +121,11 @@ module Sqreen
       self.metrics_engine = MetricsStore.new
-      if @configuration.get(:weave)
+      needs_weave = proc do
+        Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      end
+      if @configuration.get(:weave) || needs_weave.call
         @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
       else
         @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)

data/lib/sqreen/version.rb CHANGED

@@ -4,5 +4,5 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 module Sqreen
-  VERSION = '1.19.0.beta1'.freeze
+  VERSION = '1.19.0'.freeze
 end

data/lib/sqreen/weave/legacy/instrumentation.rb CHANGED

@@ -76,6 +76,9 @@ class Sqreen::Weave::Legacy::Instrumentation
     if strategy == :prepend && !Module.respond_to?(:prepend)
       Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable, falling back to :chain" }
       strategy = :chain
+    elsif strategy == :chain && Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable with scout_apm >= 2.5.2, switching to :prepend" }
+      strategy = :prepend
     end
     Sqreen::Weave.logger.debug { "strategy: #{strategy.inspect}" }
@@ -108,6 +111,8 @@ class Sqreen::Weave::Legacy::Instrumentation
     @hooks << request_hook
     request_hook.add do
       before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
+        next unless Sqreen.instrumentation_ready
         uuid = SecureRandom.uuid
         now = Sqreen::Graft::Timer.read
         Thread.current[:sqreen_http_request] = {
@@ -130,6 +135,9 @@ class Sqreen::Weave::Legacy::Instrumentation
       ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
         request = Thread.current[:sqreen_http_request]
+        next if request.nil?
         Thread.current[:sqreen_http_request] = nil
         now = Sqreen::Graft::Timer.read
         utc_now = Time.now.utc
@@ -261,7 +269,7 @@ class Sqreen::Weave::Legacy::Instrumentation
     hook.add do
       if callback.pre?
         before(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
-          return unless Sqreen.instrumentation_ready
+          return unless Thread.current[:sqreen_http_request]
           i = call.instance
           a = call.args
@@ -294,7 +302,7 @@ class Sqreen::Weave::Legacy::Instrumentation
       if callback.post?
         after(rule, rank: -priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
-          return unless Sqreen.instrumentation_ready
+          return unless Thread.current[:sqreen_http_request]
           i = call.instance
           v = call.returned
@@ -326,7 +334,7 @@ class Sqreen::Weave::Legacy::Instrumentation
       if callback.failing?
         raised(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
-          return unless Sqreen.instrumentation_ready
+          return unless Thread.current[:sqreen_http_request]
           i = call.instance
           e = call.raised

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.19.0.beta1
+  version: 1.19.0
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-11 00:00:00.000000000 Z
+date: 2020-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sq_mini_racer
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0.0
+        version: 0.6.1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0.0
+        version: 0.6.1.0.0
 description: Sqreen is a SaaS based Application protection and monitoring platform
   that integrates directly into your Ruby applications. Learn more at https://sqreen.com.
 email: contact@sqreen.com
@@ -233,9 +233,7 @@ homepage: https://www.sqreen.com/
 licenses:
 - Sqreen
 metadata: {}
-post_install_message: |2
-      This is a Sqreen beta release and may not work in all situations.
-      Make sure to review CHANGELOG.md for important details.
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -246,11 +244,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubyforge_project:
+rubygems_version: 2.7.7
 signing_key:
 specification_version: 4
 summary: Sqreen Ruby agent