sqreen 1.19.0.beta1 → 1.19.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -2
- data/lib/sqreen/rules/waf_cb.rb +26 -6
- data/lib/sqreen/runner.rb +5 -1
- data/lib/sqreen/version.rb +1 -1
- data/lib/sqreen/weave/legacy/instrumentation.rb +11 -3
- metadata +9 -10
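--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d9ee940962990208133a70a5b307638cd43dda2b269cccce3f145ed96816e64a
+data.tar.gz: '012987d55219ddd310337f6c0a9837d1e52aae1b7e165ab24e855c4f5fbeb767'
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 602e605c2d82de6d011dba78ce03411973ca25c2fb8a00322af9cb80937eff2997f8eda20e00d08bb2106073a3ffe8bbf4bc7f01409d123d510ebb16a7915405
+data.tar.gz: 2363c998cb4af54018638c7d6e46f54e6d98afcac94c6be5747a3c1f555bdd59321441b3196c85f1eec08555dc579af80cdf6728ade7dfb4b9bf0f506669d55d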
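--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,8 @@
-## 1.19.0
+## 1.19.0
 
-*
+* Upgrade WAF features via libsqreen 0.6.1
+* Improve time defensiveness in WAF
+* Improve compatibility with APM agents via a new optional instrumentation engine
 * Fix action reloading not being entirely cleared on reload
 * Improve handling of hash symbol keys in some security rules
 * Fix constant resolution scope on agent boot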
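--- a/data/lib/sqreen/rules/waf_cb.rb
+++ b/data/lib/sqreen/rules/waf_cb.rb
@@ -11,11 +11,15 @@ require 'sqreen/safe_json'
 require 'sqreen/exception'
 require 'sqreen/util/capper'
 require 'sqreen/dependency/libsqreen'
+require 'sqreen/encoding_sanitizer'
 
 module Sqreen
 module Rules
 class WAFCB < RuleCB
-
+# 2^30 -1 or 2^62 -1
+MAX_FIXNUM = 1.size == 4 ? 1_073_741_823 : 4_611_686_018_427_387_903
+# will be converted to a long, so better not to overflow
+INFINITE_BUDGET_US = MAX_FIXNUM
 
 def self.libsqreen?
 Sqreen::Dependency::LibSqreen.required?
@@ -25,7 +29,7 @@ module Sqreen
 Sqreen::Dependency.const_exist?('LibSqreen::WAF')
 end
 
-attr_reader :binding_accessors, :
+attr_reader :binding_accessors, :max_run_budget_us, :waf_rule_name
 
 def initialize(*args)
 super(*args)
@@ -54,8 +58,12 @@ module Sqreen
 @binding_accessors = @data['values'].fetch('binding_accessors', []).each_with_object({}) do |e, h|
 h[e] = BindingAccessor.new(e)
 end
-
-
+
+# 0 for using defaults (PW_RUN_TIMEOUT)
+@max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
+@max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
+
+Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
 
 ObjectSpace.define_finalizer(self, WAFCB.finalizer(@waf_rule_name.dup))
 end
@@ -68,13 +76,25 @@ module Sqreen
 
 env = [binding, framework, instance, args]
 
+start = Sqreen.time if budget
+
 capper = Sqreen::Util::Capper.new(string_size_cap: 4096, size_cap: 150, depth_cap: 10)
 waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
 h[e] = capper.call(b.resolve(*env))
 end
 waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
-
-
+
+if budget
+rem_budget_s = budget - (Sqreen.time - start)
+return advise_action(nil) if rem_budget_s <= 0.0
+
+waf_gen_budget_us = [(rem_budget_s * 1_000_000).to_i, MAX_FIXNUM].min
+else # no budget
+waf_gen_budget_us = INFINITE_BUDGET_US
+end
+
+action, data = ::LibSqreen::WAF.run(waf_rule_name, waf_args,
+waf_gen_budget_us, @max_run_budget_us)
 
 case action
 when :monitor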
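Review bot: `@max_run_budget_us` is only bounded from above by `@max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US`, so a negative `budget_in_ms` in the rule payload reaches the native `::LibSqreen::WAF.run` call as a negative per-run limit; since the gem still declares `required_ruby_version` 1.9.3, `Integer#clamp` is unavailable, and `@max_run_budget_us = [[@max_run_budget_us, 0].max, INFINITE_BUDGET_US].min` would enforce the range the comment on MAX_FIXNUM describes. Whether the native layer treats a negative long as "no limit" or as an immediate timeout is not visible here, which is why pinning the range on the Ruby side is the cheaper option. In the last hunk, `return advise_action(nil) if rem_budget_s <= 0.0` skips the WAF run entirely once the request budget is spent (presumably "no action", so the request proceeds uninspected); a comment such as `# request budget exhausted: fail open, the WAF is not consulted for this call` would make that trade-off explicit for whoever tunes budgets later. The method containing that hunk starts and ends outside the hunk.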
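--- a/data/lib/sqreen/runner.rb
+++ b/data/lib/sqreen/runner.rb
@@ -121,7 +121,11 @@ module Sqreen
 
 self.metrics_engine = MetricsStore.new
 
-
+needs_weave = proc do
+Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+end
+
+if @configuration.get(:weave) || needs_weave.call
 @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
 else
 @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)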
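Review bot: `needs_weave` walks every installed `Gem::Specification`, so the weave engine is selected whenever any scout_apm >= 2.5.2 is installed on the host, not only when the application actually activates it; if the intent is to react to scout_apm being present in the process, `Gem.loaded_specs['scout_apm']` reports the activated version and would avoid switching engines because of an unused gem. The same predicate is repeated verbatim in the `elsif strategy == :chain && ...` branch of the weave instrumentation strategy selection in this commit, so a single shared, memoized predicate (for example `Sqreen::Weave.scout_apm_conflict?`) would keep the two in sync and avoid rescanning the gem specs. A one-line comment above the proc, `# scout_apm >= 2.5.2 does not work with the legacy chain instrumentation; force the weave engine`, would record why this override bypasses the :weave configuration key — the incompatibility itself is only inferred from the warning text in the other file. The enclosing method begins before and ends after the hunk.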
data/lib/sqreen/version.rb
@@ -76,6 +76,9 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
76
76
|
if strategy == :prepend && !Module.respond_to?(:prepend)
|
77
77
|
Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable, falling back to :chain" }
|
78
78
|
strategy = :chain
|
79
|
+
elsif strategy == :chain && Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
|
80
|
+
Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable with scout_apm >= 2.5.2, switching to :prepend" }
|
81
|
+
strategy = :prepend
|
79
82
|
end
|
80
83
|
Sqreen::Weave.logger.debug { "strategy: #{strategy.inspect}" }
|
81
84
|
|
@@ -108,6 +111,8 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
108
111
|
@hooks << request_hook
|
109
112
|
request_hook.add do
|
110
113
|
before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
|
114
|
+
next unless Sqreen.instrumentation_ready
|
115
|
+
|
111
116
|
uuid = SecureRandom.uuid
|
112
117
|
now = Sqreen::Graft::Timer.read
|
113
118
|
Thread.current[:sqreen_http_request] = {
|
@@ -130,6 +135,9 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
130
135
|
|
131
136
|
ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
|
132
137
|
request = Thread.current[:sqreen_http_request]
|
138
|
+
|
139
|
+
next if request.nil?
|
140
|
+
|
133
141
|
Thread.current[:sqreen_http_request] = nil
|
134
142
|
now = Sqreen::Graft::Timer.read
|
135
143
|
utc_now = Time.now.utc
|
@@ -261,7 +269,7 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
261
269
|
hook.add do
|
262
270
|
if callback.pre?
|
263
271
|
before(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
|
264
|
-
return unless
|
272
|
+
return unless Thread.current[:sqreen_http_request]
|
265
273
|
|
266
274
|
i = call.instance
|
267
275
|
a = call.args
|
@@ -294,7 +302,7 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
294
302
|
|
295
303
|
if callback.post?
|
296
304
|
after(rule, rank: -priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
|
297
|
-
return unless
|
305
|
+
return unless Thread.current[:sqreen_http_request]
|
298
306
|
|
299
307
|
i = call.instance
|
300
308
|
v = call.returned
|
@@ -326,7 +334,7 @@ class Sqreen::Weave::Legacy::Instrumentation
|
|
326
334
|
|
327
335
|
if callback.failing?
|
328
336
|
raised(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
|
329
|
-
return unless
|
337
|
+
return unless Thread.current[:sqreen_http_request]
|
330
338
|
|
331
339
|
i = call.instance
|
332
340
|
e = call.raised
|
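Review bot: The three completed guards `return unless Thread.current[:sqreen_http_request]` (new lines 272, 305 and 337) use `return` inside `do` blocks handed to `before`/`after`/`raised`, while the guards added earlier in the same file (`next unless Sqreen.instrumentation_ready`, `next if request.nil?`) use `next`; if these blocks are kept as procs and invoked after the defining method has returned, `return` raises LocalJumpError instead of skipping the callback, so `next unless Thread.current[:sqreen_http_request]` is the consistent and safer form — unless the hook engine already converts the block to a lambda, which is not visible here. The `next unless Sqreen.instrumentation_ready` guard in the request `before` hook means no request record is created until the agent is ready, and the matching `next if request.nil?` in the `ensured` hook keeps the end-of-request path from dereferencing nil; a comment on the first guard, `# skip requests that start before the agent is ready; the ensured hook tolerates the missing record`, would tie the two together for the next reader. This section is labelled `data/lib/sqreen/version.rb` on the page, but every hunk header names `class Sqreen::Weave::Legacy::Instrumentation` and the counts match the diffstat entry for `data/lib/sqreen/weave/legacy/instrumentation.rb`, so the version.rb change itself does not appear to be shown. The methods enclosing these blocks start and end outside the hunks.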
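--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-version: 1.19.0
+version: 1.19.0
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-
+date: 2020-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: sq_mini_racer
@@ -30,14 +30,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.6.1.0.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.6.1.0.0
 description: Sqreen is a SaaS based Application protection and monitoring platform
 that integrates directly into your Ruby applications. Learn more at https://sqreen.com.
 email: contact@sqreen.com
@@ -233,9 +233,7 @@ homepage: https://www.sqreen.com/
 licenses:
 - Sqreen
 metadata: {}
-post_install_message:
-This is a Sqreen beta release and may not work in all situations.
-Make sure to review CHANGELOG.md for important details.
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -246,11 +244,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version:
+version: '0'
 requirements: []
-
+rubyforge_project:
+rubygems_version: 2.7.7
 signing_key:
 specification_version: 4
 summary: Sqreen Ruby agent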