sqreen 1.23.1 → 1.23.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a273f9a80bf30fbd4dcf8fc21551639e1c8df66b3dfa8be2d16e8ad5d58d4b47
-  data.tar.gz: cf2ff1d623cdae5a55ec39bc9959351775375836e5cf2ae71844bb7ee51b5ab6
+  metadata.gz: 8e1881ab1def0e4a82ccfe791c150b0213517084619d71f5c942a0d14a0189e1
+  data.tar.gz: beeef4f164a84efbc00824a5c63926da6a4e3fcc5952577442061e1c509e8fda
 SHA512:
-  metadata.gz: 68e69af0cb0d36971cea1ea58919372840faa792d620d99e7bc9e30c6afc39aa2aa564cf529a8f67bea8da79411c5d270df9e27a4db71e015461eba1c2d9f788
-  data.tar.gz: 14b82f5804bf6da658f44c3702ca8f877811cb0363f754703f2f7efa6440c0ffaa1a19e09c17c96f920e2855382041420069169bed8d7a77d1b4285d083af3ca
+  metadata.gz: b1d1ea43737baa0db830e556fc835f93104dc70465fc5695372c5a922e8108cb9e657e915cc7ffe06f655dc632b0d5e56daf659e0c6ef499b66484fcd6d33076
+  data.tar.gz: 98b0e405e39de271a9d8988692ea037b5f462b2af9314d384b7ca7dfec9dce43229b1aa317fbb8fccde84f1cd743d90637dabde392a2c7bfe88d6a6353e25235

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 1.23.2
+
+* Fix compatibility with NewRelic for attack events
+* Fix incorrect rule rejection despite all signature checks individually passing
+
 ## 1.23.1
 
 * Improve compatibility with gems such as puma and graphql on Ruby 3.0

data/bin/sqreen

@@ -0,0 +1,43 @@
+#!/usr/bin/env ruby
+
+def logger
+  @logger ||= Logger.new(STDOUT, level: :debug)
+end
+
+def verify(rules)
+  verifier = Sqreen::SqreenSignedVerifier.new
+
+  invalid_rules = rules.reject do |rule|
+    valid = verifier.verify(rule)
+
+    if valid
+      logger.debug { "rule: #{rule['name']} signed: true result: ok" }
+    else
+      logger.error { "rule: #{rule['name']} singed: true result: fail" }
+    end
+
+    valid
+  end
+
+  if invalid_rules.any?
+    logger.error { "weave: instrument status: abort reason: signature result: fail" }
+    raise Sqreen::Exception, "Signature error: rules: #{invalid_rules.map { |r| r['name'] }.inspect}"
+  else
+    logger.info { "weave: instrument rules: signed result: ok" }
+  end
+end
+
+def check_signature(file)
+  require 'json'
+  require 'logger'
+  require 'sqreen/sqreen_signed_verifier'
+
+  content = File.open(file, 'rb', &:read)
+  json = JSON.parse(content)
+
+  p verify(json)
+end
+
+case ARGV[0]
+when 'check-signature' then check_signature(ARGV[1]) || exit(1)
+end

data/lib/sqreen/configuration.rb

@@ -56,6 +56,8 @@ module Sqreen
       :default => nil },
     { :env => :SQREEN_RULES_SIGNATURE, :name => :rules_verify_signature,
       :default => true },
+    { :env => :SQREEN_RULES_DUMP, :name => :rules_dump,
+      :default => false },
     { :env => :SQREEN_LOG_LEVEL, :name => :log_level,
       :default => 'INFO', :choice => %w[UNKNOWN FATAL ERROR WARN INFO DEBUG] },
     { :env => :SQREEN_LOG_LOCATION, :name => :log_location,

data/lib/sqreen/dependency/new_relic.rb

@@ -19,7 +19,7 @@ module Sqreen
       def ignore_sqreen_exceptions
         return unless required?
 
-        NewRelic::Agent::Agent.instance.error_collector.ignore(['Sqreen::AttackBlocked'])
+        ::NewRelic::Agent::Agent.instance.error_collector.ignore(['Sqreen::AttackBlocked'])
       rescue ::Exception => e # rubocop:disable Lint/RescueException
         Sqreen.log.warn "Failed ignoring AttackBlocked on NewRelic: #{e.inspect}"
       end

data/lib/sqreen/runner.rb

@@ -6,6 +6,7 @@
 require 'ipaddr'
 require 'timeout'
 require 'json'
+require 'pathname'
 
 require 'sqreen/events/attack'
 
@@ -217,6 +218,16 @@ module Sqreen
         session_rules = session.rules
         rules_pack = session_rules['rules']
         rulespack_id = session_rules['pack_id']
+      elsif @configuration.get(:rules_dump)
+        rules_dir = (defined?(Rails) ? Rails.root : Pathname.pwd) + 'tmp/sqreen/rules'
+        FileUtils.mkdir_p(rules_dir.to_s)
+        File.open("#{rules_dir}/#{rulespack_id}.json", "wb") { |f| f.write(JSON.pretty_generate(rules_pack)) }
+        FileUtils.mkdir_p("#{rules_dir}/#{rulespack_id}")
+        rules_pack.each do |r|
+          r = r.dup
+          r['rulespack_id'] = rulespack_id
+          File.open("#{rules_dir}/#{rulespack_id}/#{r['name']}.json", "wb") { |f| f.write(JSON.pretty_generate(r)) }
+        end
       end
       rules = rules_pack.each { |r| r['rulespack_id'] = rulespack_id }
       Sqreen.log.info { format('retrieved rulespack id: %s', rulespack_id) }

data/lib/sqreen/version.rb

@@ -4,5 +4,5 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 module Sqreen
-  VERSION = '1.23.1'.freeze
+  VERSION = '1.23.2'.freeze
 end

data/lib/sqreen/weave/legacy/instrumentation.rb

@@ -180,6 +180,8 @@ class Sqreen::Weave::Legacy::Instrumentation
         else
           Sqreen::Weave.logger.error { "rule: #{rule['name']} singed: true result: fail" }
         end
+
+        valid
       end
       if invalid_rules.any?
         Sqreen::Weave.logger.error { "weave: instrument status: abort reason: signature result: fail" }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.23.1
+  version: 1.23.2
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-24 00:00:00.000000000 Z
+date: 2021-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sqreen-backport
@@ -75,7 +75,8 @@ dependencies:
 description: Sqreen is a SaaS based Application protection and monitoring platform
   that integrates directly into your Ruby applications. Learn more at https://sqreen.com.
 email: contact@sqreen.com
-executables: []
+executables:
+- sqreen
 extensions: []
 extra_rdoc_files: []
 files:
@@ -84,6 +85,7 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- bin/sqreen
 - lib/sqreen.rb
 - lib/sqreen/actions.rb
 - lib/sqreen/actions/actions_index.rb