sqreen 1.20.1-java → 1.20.4-java
- checksums.yaml +5 -5
- data/CHANGELOG.md +25 -0
- data/lib/sqreen/actions/block_user.rb +1 -1
- data/lib/sqreen/actions/redirect_ip.rb +1 -1
- data/lib/sqreen/actions/redirect_user.rb +1 -1
- data/lib/sqreen/attack_detected.html +1 -2
- data/lib/sqreen/condition_evaluator.rb +8 -2
- data/lib/sqreen/configuration.rb +1 -1
- data/lib/sqreen/deferred_logger.rb +50 -14
- data/lib/sqreen/deprecation.rb +38 -0
- data/lib/sqreen/events/request_record.rb +0 -1
- data/lib/sqreen/frameworks/generic.rb +9 -0
- data/lib/sqreen/frameworks/rails.rb +0 -7
- data/lib/sqreen/frameworks/request_recorder.rb +2 -0
- data/lib/sqreen/graft/call.rb +76 -18
- data/lib/sqreen/graft/callback.rb +1 -1
- data/lib/sqreen/graft/hook.rb +187 -85
- data/lib/sqreen/graft/hook_point.rb +1 -1
- data/lib/sqreen/legacy/instrumentation.rb +22 -10
- data/lib/sqreen/legacy/old_event_submission_strategy.rb +2 -1
- data/lib/sqreen/log.rb +3 -2
- data/lib/sqreen/log/loggable.rb +1 -0
- data/lib/sqreen/logger.rb +24 -0
- data/lib/sqreen/metrics_store.rb +11 -0
- data/lib/sqreen/null_logger.rb +22 -0
- data/lib/sqreen/remote_command.rb +1 -0
- data/lib/sqreen/rules.rb +8 -4
- data/lib/sqreen/rules/blacklist_ips_cb.rb +2 -2
- data/lib/sqreen/rules/custom_error_cb.rb +3 -3
- data/lib/sqreen/rules/rule_cb.rb +2 -0
- data/lib/sqreen/rules/waf_cb.rb +3 -3
- data/lib/sqreen/runner.rb +28 -2
- data/lib/sqreen/version.rb +1 -1
- data/lib/sqreen/weave/budget.rb +46 -0
- data/lib/sqreen/weave/legacy/instrumentation.rb +194 -103
- data/lib/sqreen/worker.rb +6 -2
- metadata +7 -6
- data/lib/sqreen/encoding_sanitizer.rb +0 -27
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 67f60f1ad0bd4392e5a60272ef50f406aa511a5e
|
4
|
+
data.tar.gz: bbd2e7baacc6c6cdaa7bb95d06300fa325a5ef09
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 86bdc374c4a1e7a01cfc371ef975fd17d6e58709a06dde323a8b7006766472cd974f4fb22ce663c693b840d3cbb19556d7cb0310df931217872283da5f1c2292
|
7
|
+
data.tar.gz: 6ee3811d3d1292d8b4d818323624b98837cb24c4f62f994f83a6c1b6d0eb3616961067073f20527ef0f246ad5f2665fe0c193d2b8ed79d95642ccb02d2125d7c
|
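--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,28 @@
+## 1.20.4
+
+* Fix missing budget check
+* Improve performance
+* Align internal setting name for WAF
+* Include response information in all payloads
+* Improve robustness against invalid Unicode
+* Prevent rule execution to pursue in early block cases
+
+## 1.20.4.beta1
+
+* Add optional dynamic time budget
+* Add advanced per request metrics
+* Improve robustness against exception in instrumentation
+* Improve metric engine thread safety
+* Restrict deferred logger to final logger severity on agent boot
+
+## 1.20.3
+
+* Fix signature check
+
+## 1.20.2
+
+* Fix performance regression in instrumentation engine
+
 ## 1.20.1
 
 * Add fallback mechanisms when connecting to new Sqreen backend API domains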
@@ -24,7 +24,7 @@ module Sqreen
|
|
24
24
|
end
|
25
25
|
|
26
26
|
def do_run(identity_params)
|
27
|
-
Sqreen.log.
|
27
|
+
Sqreen.log.debug 'Will request redirect for user with identity ' \
|
28
28
|
"#{identity_params} (action: #{id})."
|
29
29
|
|
30
30
|
e = Sqreen::AttackBlocked.new(
|
@@ -1,2 +1 @@
|
|
1
|
-
|
2
|
-
|
1
|
+
<!-- Sorry, you’ve been blocked --><!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,h1,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}h1,p,svg{display:block}svg{margin:0 auto 4vh}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}h1{font-family:sans-serif;font-weight:600;font-size:34px;color:#1e0936;line-height:1.2}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}</style></head><body><main><svg width="170px" height="193px" viewBox="0 0 170 193" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true"><g id="exports" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"><g id="Artboard" transform="translate(-186.000000, -189.000000)"><g id="logo-cmyk-indigo" transform="translate(186.000000, 189.000000)"><g id="nest-cmyk-indigo"><ellipse id="sqreen" fill="#B0ACFF" cx="85" cy="96.5" rx="45.7692308" ry="45.7966102"></ellipse><path d="M78.4615385,175.749389 L78.4615385,102.2092 L13.1398162,64.4731256 L13.1398162,129.181112 L36.352167,115.771438 C37.9764468,119.873152 
40.1038639,123.720553 42.6582364,127.237412 L18.5723996,141.151695 L78.4615385,175.749389 Z M91.5384615,175.749389 L151.4276,141.151695 L127.341764,127.237412 C129.896136,123.720553 132.023553,119.873152 133.647833,115.771438 L156.860184,129.181112 L156.860184,64.4731256 L91.5384615,102.2092 L91.5384615,175.749389 Z M18.0061522,52.1754237 L85,90.8774777 L151.993848,52.1754237 L91.5384615,17.2506105 L91.5384615,44.565949 C89.3964992,44.2986903 87.2143177,44.1610169 85,44.1610169 C82.7856823,44.1610169 80.6035008,44.2986903 78.4615385,44.565949 L78.4615385,17.2506105 L18.0061522,52.1754237 Z M90.8846156,1.76392358 L164.052491,44.0326866 C167.693904,46.1363149 169.937107,50.0239804 169.937107,54.231237 L169.937107,138.768763 C169.937107,142.97602 167.693904,146.863685 164.052491,148.967313 L90.8846156,191.236076 C87.2432028,193.339705 82.7567972,193.339705 79.1153844,191.236076 L5.94750871,148.967313 C2.30609589,146.863685 0.0628930904,142.97602 0.0628930904,138.768763 L0.0628930904,54.231237 C0.0628930904,50.0239804 2.30609589,46.1363149 5.94750871,44.0326866 L79.1153844,1.76392358 C82.7567972,-0.339704735 87.2432028,-0.339704735 90.8846156,1.76392358 Z" id="app" fill="#4842B7"></path></g></g></g></g></svg><h1>Sorry, you've been blocked</h1><p>Contact the website owner</p></main><footer><p>Security provided by <a href="https://www.sqreen.com/?utm_medium=block_page" target="_blank">Sqreen</a></p></footer></body></html>
|
@@ -67,7 +67,7 @@ module Sqreen
|
|
67
67
|
return true if rem <= 0
|
68
68
|
if hash.is_a?(Array)
|
69
69
|
return hash.any? do |v|
|
70
|
-
|
70
|
+
hash_key_include?(values, v, min_value_size, rem - 1)
|
71
71
|
end
|
72
72
|
end
|
73
73
|
|
@@ -81,7 +81,13 @@ module Sqreen
|
|
81
81
|
if hkey.respond_to?(:empty?) && hkey.empty?
|
82
82
|
false
|
83
83
|
else
|
84
|
-
|
84
|
+
key_incl = if values.is_a?(String)
|
85
|
+
str_include?(values, hkey.to_s)
|
86
|
+
else
|
87
|
+
values.include?(hkey.to_s)
|
88
|
+
end
|
89
|
+
|
90
|
+
key_incl || hash_key_include?(values, hval, min_value_size, rem - 1)
|
85
91
|
end
|
86
92
|
end
|
87
93
|
end
|
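Review bot: The `key_incl` branch on new lines 84–88 gives `values` two different matching semantics depending on its type — `str_include?` for a String (presumably a text search, its definition is not in the hunk) versus exact `include?` membership for a collection — and nothing in the hunk says so. A one-line comment above the `if`, e.g. `# a String values is searched with str_include?; a collection is matched on the exact key`, would stop a later reader from assuming both branches test the same thing. Since `values` never changes across the recursion into `hash_key_include?`, the `is_a?(String)` test is repeated for every key at every depth; hoisting it once at the entry point would be cheaper, though that is a style point. The enclosing method starts outside the hunk.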
data/lib/sqreen/configuration.rb
CHANGED
@@ -57,7 +57,7 @@ module Sqreen
|
|
57
57
|
{ :env => :SQREEN_RULES_SIGNATURE, :name => :rules_verify_signature,
|
58
58
|
:default => true },
|
59
59
|
{ :env => :SQREEN_LOG_LEVEL, :name => :log_level,
|
60
|
-
:default => '
|
60
|
+
:default => 'INFO', :choice => %w[UNKNOWN FATAL ERROR WARN INFO DEBUG] },
|
61
61
|
{ :env => :SQREEN_LOG_LOCATION, :name => :log_location,
|
62
62
|
:default => 'log/sqreen.log' },
|
63
63
|
{ :env => :SQREEN_RUN_IN_TEST, :name => :run_in_test,
|
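Review bot: The `:choice` list added on new line 60 contains only upper-case names, and the removed line is truncated on this page, so whether the default also changed is not visible. If the code that enforces `:choice` compares the raw `SQREEN_LOG_LEVEL` value without upcasing it, an operator who sets `debug` will be rejected or silently fall back to the default; worth confirming the comparison normalizes case, or recording the constraint next to the entry with `# matched case-sensitively against :choice; value must be upper case`.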
@@ -9,35 +9,70 @@ require 'sqreen/logger'
|
|
9
9
|
|
10
10
|
module Sqreen
|
11
11
|
class DeferredLogger
|
12
|
-
|
12
|
+
MAX_ENTRIES = 1000
|
13
|
+
|
14
|
+
Entry = Struct.new(:severity, :message)
|
13
15
|
|
14
16
|
def initialize
|
15
17
|
@buffer = StringIO.new
|
16
18
|
@logger = ::Logger.new(@buffer)
|
19
|
+
@entries = []
|
20
|
+
@mutex = Mutex.new
|
21
|
+
end
|
22
|
+
|
23
|
+
def debug?
|
24
|
+
true
|
25
|
+
end
|
26
|
+
|
27
|
+
def info?
|
28
|
+
true
|
29
|
+
end
|
30
|
+
|
31
|
+
def warn?
|
32
|
+
true
|
33
|
+
end
|
34
|
+
|
35
|
+
def error?
|
36
|
+
true
|
37
|
+
end
|
38
|
+
|
39
|
+
def fatal?
|
40
|
+
true
|
17
41
|
end
|
18
42
|
|
19
43
|
def debug(msg = nil, &block)
|
20
|
-
|
44
|
+
add(::Logger::DEBUG, msg, &block)
|
21
45
|
end
|
22
46
|
|
23
47
|
def info(msg = nil, &block)
|
24
|
-
|
48
|
+
add(::Logger::INFO, msg, &block)
|
25
49
|
end
|
26
50
|
|
27
51
|
def warn(msg = nil, &block)
|
28
|
-
|
52
|
+
add(::Logger::WARN, msg, &block)
|
29
53
|
end
|
30
54
|
|
31
55
|
def error(msg = nil, &block)
|
32
|
-
|
56
|
+
add(::Logger::ERROR, msg, &block)
|
33
57
|
end
|
34
58
|
|
35
59
|
def fatal(msg = nil, &block)
|
36
|
-
|
60
|
+
add(::Logger::FATAL, msg, &block)
|
61
|
+
end
|
62
|
+
|
63
|
+
def unknown(msg = nil, &block)
|
64
|
+
add(::Logger::UNKNOWN, msg, &block)
|
37
65
|
end
|
38
66
|
|
39
67
|
def add(severity, msg = nil, &block)
|
40
|
-
|
68
|
+
@mutex.synchronize do
|
69
|
+
@entries.shift if @entries.count >= MAX_ENTRIES
|
70
|
+
mark = @buffer.pos
|
71
|
+
@logger.add(severity, msg, &block)
|
72
|
+
@buffer.seek(mark)
|
73
|
+
@entries << Entry.new(severity, @buffer.read)
|
74
|
+
@buffer.truncate(0)
|
75
|
+
end
|
41
76
|
end
|
42
77
|
|
43
78
|
def formatter=(value)
|
@@ -45,21 +80,22 @@ module Sqreen
|
|
45
80
|
end
|
46
81
|
|
47
82
|
def flush_to(logger)
|
48
|
-
|
83
|
+
@mutex.synchronize do
|
84
|
+
@entries.each do |entry|
|
85
|
+
next if entry.severity < logger.level
|
86
|
+
logger.instance_eval { @logdev }.write(entry.message)
|
87
|
+
end
|
88
|
+
reset
|
89
|
+
end
|
49
90
|
end
|
50
91
|
|
51
92
|
private
|
52
93
|
|
53
|
-
def read
|
54
|
-
@buffer.rewind
|
55
|
-
@buffer.read
|
56
|
-
end
|
57
|
-
|
58
94
|
def reset
|
59
95
|
buffer = StringIO.new
|
60
96
|
logger = ::Logger.new(buffer)
|
61
97
|
logger.formatter = @logger.formatter
|
62
|
-
@buffer, @logger = buffer, logger
|
98
|
+
@buffer, @logger, @entries = buffer, logger, []
|
63
99
|
end
|
64
100
|
end
|
65
101
|
end
|
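Review bot: In `add` (new lines 68–75) `@buffer.truncate(0)` empties the StringIO but does not move its position, so the next `@logger.add` writes at the old offset and StringIO pads the gap with NUL bytes; the padding is never read because `mark` is taken first, but it grows with every entry until `reset`, so each buffered message costs an allocation proportional to everything logged before it. Adding `@buffer.rewind` directly after `@buffer.truncate(0)` keeps the buffer at one entry's size. Separately, `flush_to` (new line 86) reaches into `::Logger` via `instance_eval { @logdev }`, an undocumented internal that is nil for `Logger.new(nil)`; a comment such as `# write the pre-formatted entry straight to the device so it is not re-formatted` would at least record why `logger.add` is bypassed. Note also that the message block passed to `add` is evaluated while `@mutex` is held, so a block that logs through the same DeferredLogger would deadlock on the non-reentrant Mutex.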
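--- a/data/lib/sqreen/deprecation.rb
+++ b/data/lib/sqreen/deprecation.rb
@@ -0,0 +1,38 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log/loggable'
+
+module Sqreen
+  module Deprecation
+    include Sqreen::Log::Loggable
+
+    module_function
+
+    def deprecate(method)
+      return unless ENV['SQREEN_DEBUG_DEPRECATION']
+
+      owner = method.owner
+      deprecated = :"_deprecated_#{method.name}"
+      klass = owner.is_a?(Module)
+      target = klass ? owner.to_s : owner.class.to_s
+
+      method.owner.instance_eval do
+        alias_method deprecated, method.name
+
+        define_method(method.name) do |*args, &block|
+          msg = [
+            "deprecation",
+            "target:#{target}",
+            "method:#{method.name}",
+            "caller:#{Kernel.caller_locations[0]}",
+          ].join(' ')
+          Sqreen::Deprecation.logger.info(msg)
+          send(deprecated, *args, &block)
+        end
+      end
+    end
+  end
+end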
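Review bot: `deprecate` (new lines 14–36) is not idempotent: a second call for the same method aliases `_deprecated_x` to the wrapper installed by the first call, and the new wrapper's `send(deprecated, ...)` then recurses until the stack overflows; a guard before the `instance_eval`, `return if owner.method_defined?(deprecated) || owner.private_method_defined?(deprecated)`, prevents this. `klass = owner.is_a?(Module)` on line 19 is always true because `Method#owner` returns the defining class or module, so the `owner.class.to_s` branch is dead and `target = owner.to_s` would do. The wrapper forwards with `|*args, &block|`, which on Ruby 3 passes keyword arguments on as a trailing positional Hash; if the gem is expected to run on 3.x, mark the wrapper with `ruby2_keywords` or forward `**kwargs` as well.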
@@ -209,7 +209,16 @@ module Sqreen
|
|
209
209
|
|
210
210
|
# Should the agent not be starting up?
|
211
211
|
def prevent_startup
|
212
|
+
# SQREEN-880 - prevent Sqreen startup on Sidekiq workers
|
213
|
+
return :sidekiq_cli if defined?(Sidekiq::CLI)
|
214
|
+
return :delayed_job if defined?(Delayed::Command)
|
215
|
+
|
216
|
+
# Prevent Sqreen startup on rake tasks - unless this is a Sqreen test
|
217
|
+
run_in_test = sqreen_configuration.get(:run_in_test)
|
218
|
+
return :rake if !run_in_test && $0.end_with?('rake')
|
219
|
+
|
212
220
|
return :irb if $0 == 'irb'
|
221
|
+
|
213
222
|
return if sqreen_configuration.nil?
|
214
223
|
disable = sqreen_configuration.get(:disable)
|
215
224
|
return :config_disable if disable == true || disable.to_s.to_i == 1
|
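Review bot: The new `sqreen_configuration.get(:run_in_test)` call on new line 217 runs before the existing `return if sqreen_configuration.nil?` on line 222, so a nil configuration now raises NoMethodError inside `prevent_startup` instead of letting the method return; moving `return if sqreen_configuration.nil?` to the top of the method, above the Sidekiq check, restores the guard. `$0.end_with?('rake')` on line 218 also matches any executable whose name merely ends in `rake`; if the intent is the rake binary only, `File.basename($0) == 'rake'` is narrower. `prevent_startup` continues past the end of the hunk.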
@@ -103,13 +103,6 @@ module Sqreen
|
|
103
103
|
run_in_test = sqreen_configuration.get(:run_in_test)
|
104
104
|
return :rails_test if !run_in_test && (Rails.env.test? || Rails.env.cucumber?)
|
105
105
|
|
106
|
-
# SQREEN-880 - prevent Sqreen startup on Sidekiq workers
|
107
|
-
return :sidekiq_cli if defined?(Sidekiq::CLI)
|
108
|
-
return :delayed_job if defined?(Delayed::Command)
|
109
|
-
|
110
|
-
# Prevent Sqreen startup on rake tasks - unless this is a Sqreen test
|
111
|
-
return :rake if !run_in_test && $0.end_with?('rake')
|
112
|
-
|
113
106
|
return nil unless defined?(Rails::CommandsTasks)
|
114
107
|
return nil if defined?(Rails::Server)
|
115
108
|
return :rails_console if defined?(Rails::Console)
|
@@ -69,6 +69,8 @@ module Sqreen
|
|
69
69
|
|
70
70
|
# signals require request section to be present
|
71
71
|
payload_requests << 'request'
|
72
|
+
# for signals, response is optional, but the backend team wants them
|
73
|
+
payload_requests << 'response'
|
72
74
|
payload = payload_creator.payload(payload_requests)
|
73
75
|
payload[:observed] = observed_items
|
74
76
|
|
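Review bot: New line 73 requests a `'response'` section for every signal, but the hunk does not show what `payload_creator.payload` emits for it; since signals leave the host, it is worth confirming that the section is limited to metadata such as the status code and does not carry the body or `Set-Cookie` headers. The comment on line 72 records who asked for the data but not what it contains; rewording it to `# response section is optional for signals; it carries only <fields> and is sent for the backend` (with the actual fields filled in) would document the contract. The enclosing method starts and ends outside the hunk.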
data/lib/sqreen/graft/call.rb
CHANGED
@@ -93,58 +93,116 @@ module Sqreen
|
|
93
93
|
end
|
94
94
|
end
|
95
95
|
|
96
|
+
class TimerError < StandardError; end
|
97
|
+
|
96
98
|
class Timer
|
97
99
|
def self.read
|
98
100
|
Process.clock_gettime(Process::CLOCK_MONOTONIC)
|
99
101
|
end
|
100
102
|
|
101
|
-
attr_reader :tag
|
103
|
+
attr_reader :tag, :size
|
102
104
|
|
103
105
|
def initialize(tag, &block)
|
104
106
|
@tag = tag
|
105
|
-
@blips = []
|
106
107
|
@block = block
|
108
|
+
@tally = 0
|
109
|
+
@size = 0
|
107
110
|
end
|
108
111
|
|
109
|
-
def
|
110
|
-
|
112
|
+
def elapsed
|
113
|
+
raise(TimerError, 'Timer#elapsed when paused') if @size.even?
|
114
|
+
|
115
|
+
@tally + Timer.read
|
111
116
|
end
|
112
117
|
|
113
|
-
def
|
114
|
-
|
118
|
+
def duration
|
119
|
+
raise(TimerError, 'Timer#duration when running') if @size.odd?
|
120
|
+
|
121
|
+
@tally
|
115
122
|
end
|
116
123
|
|
117
124
|
def ignore
|
118
|
-
|
125
|
+
raise(TimerError, 'Timer#ignore when paused') if @size.even?
|
126
|
+
|
127
|
+
@size += 1
|
128
|
+
@tally += Timer.read
|
119
129
|
yield(self)
|
120
130
|
ensure
|
121
|
-
@
|
131
|
+
@size += 1
|
132
|
+
@tally -= Timer.read
|
122
133
|
end
|
123
134
|
|
124
|
-
def measure
|
125
|
-
|
135
|
+
def measure(opts = nil)
|
136
|
+
raise(TimerError, 'Timer#measure when running') if @size.odd?
|
137
|
+
|
138
|
+
now = Timer.read
|
139
|
+
|
140
|
+
ignore = opts[:ignore] if opts
|
141
|
+
if ignore
|
142
|
+
ignore.size += 1
|
143
|
+
ignore.tally += now
|
144
|
+
end
|
145
|
+
|
146
|
+
@size += 1
|
147
|
+
@tally -= now
|
148
|
+
|
126
149
|
yield(self)
|
127
150
|
ensure
|
128
|
-
|
151
|
+
now = Timer.read
|
152
|
+
|
153
|
+
if ignore
|
154
|
+
ignore.size += 1
|
155
|
+
ignore.tally -= now
|
156
|
+
end
|
157
|
+
|
158
|
+
@size += 1
|
159
|
+
@tally += now
|
160
|
+
|
129
161
|
@block.call(self) if @block
|
130
|
-
Sqreen::Graft.logger.debug { "#{@tag}: time=%.03fus" % (duration * 1_000_000) }
|
131
162
|
end
|
132
163
|
|
133
|
-
def start
|
134
|
-
|
164
|
+
def start(at = Timer.read)
|
165
|
+
raise(TimerError, 'Timer#start when started') unless @size.even?
|
166
|
+
|
167
|
+
@size += 1
|
168
|
+
@tally -= at
|
169
|
+
|
170
|
+
at
|
171
|
+
end
|
172
|
+
|
173
|
+
def stop(at = Timer.read)
|
174
|
+
raise(TimerError, 'Timer#stop when unstarted') unless @size.odd?
|
175
|
+
|
176
|
+
@size += 1
|
177
|
+
@tally += at
|
178
|
+
|
179
|
+
at
|
180
|
+
end
|
181
|
+
|
182
|
+
def started?
|
183
|
+
@size != 0 && @size.odd?
|
135
184
|
end
|
136
185
|
|
137
|
-
def
|
138
|
-
@
|
186
|
+
def stopped?
|
187
|
+
@size != 0 && @size.even?
|
139
188
|
end
|
140
189
|
|
141
|
-
def
|
142
|
-
@
|
190
|
+
def running?
|
191
|
+
@size.odd?
|
192
|
+
end
|
193
|
+
|
194
|
+
def paused?
|
195
|
+
@size.even?
|
143
196
|
end
|
144
197
|
|
145
198
|
def to_s
|
146
199
|
"#{@tag}: time=%.03fus" % (duration * 1_000_000)
|
147
200
|
end
|
201
|
+
|
202
|
+
protected
|
203
|
+
|
204
|
+
attr_reader :tally
|
205
|
+
attr_writer :size, :tally
|
148
206
|
end
|
149
207
|
end
|
150
208
|
end
|
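Review bot: In `measure` (new lines 135–162) and `ignore` (new lines 124–133) the `raise(TimerError, ...)` guard sits inside a method body whose `ensure` clause still runs after the raise, so a misuse that is rejected at the top nevertheless executes `@size += 1` and `@tally += now` (or `@tally -= Timer.read` in `ignore`), corrupting the timer's parity and tally on top of the error. Wrapping only the `yield` in `begin`/`ensure` keeps a rejected call side-effect free; the same shape applies to `ignore`. `started?` on new line 183 also tests `@size != 0` redundantly, since an odd `@size` is never zero; only `stopped?` needs that extra check.
```ruby
def measure(opts = nil)
  raise(TimerError, 'Timer#measure when running') if @size.odd?

  # … unchanged: read clock, ignore bookkeeping, @size/@tally start …
  begin
    yield(self)
  ensure
    # … unchanged: read clock, ignore bookkeeping, @size/@tally stop, @block.call …
  end
end
```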