RubyGems - sqreen - Versions diffs - 1.3.21489051313 → 1.4.2 - Mend

sqreen 1.3.21489051313 → 1.4.2

Files changed (22) hide show

checksums.yaml +4 -4
data/Rakefile +0 -20
data/lib/sqreen/events/attack.rb +2 -0
data/lib/sqreen/instrumentation.rb +8 -1
data/lib/sqreen/remote_command.rb +1 -0
data/lib/sqreen/rule_callback.rb +28 -0
data/lib/sqreen/rules.rb +9 -2
data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb +1 -1
data/lib/sqreen/rules_callbacks/count_http_codes.rb +1 -1
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb +1 -1
data/lib/sqreen/rules_callbacks/execjs.rb +4 -1
data/lib/sqreen/rules_callbacks/headers_insert.rb +1 -1
data/lib/sqreen/rules_callbacks/rails_parameters.rb +1 -1
data/lib/sqreen/rules_callbacks/record_request_context.rb +3 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +48 -22
data/lib/sqreen/rules_callbacks/shell_env.rb +1 -1
data/lib/sqreen/rules_callbacks/url_matches.rb +1 -1
data/lib/sqreen/rules_callbacks/user_agent_matches.rb +1 -1
data/lib/sqreen/runner.rb +12 -0
data/lib/sqreen/version.rb +1 -2
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1832eec9e4dccfbd713daa35419d991e16ea73c9
-  data.tar.gz: fab4c69e57b92617ffafb1f96237ecf4863d407e
+  metadata.gz: 3b13dece251d9c305d0f1f79ea551b1b51a35c20
+  data.tar.gz: 00acadad553d40803de98b2bb70c81c274e6aa83
 SHA512:
-  metadata.gz: a760f2d396252dd000c83d55842f0ec14db02632539d9ec465ff85fa708c76aa768665844267e7c1af111844eb0d02121e8a70c7deac6d38d8d706405c3f1fad
-  data.tar.gz: 8189c5212276db0bae7161d62568271f19123095ea3f66d20da6671e8da6980c34df5b6d2598afa16481f08be3e15b940c7aa2629b1402df153216f0ff055fdd
+  metadata.gz: e61529e9cb80bf86226272f0843f9a8e9fc1d8fafaa71f29ec36ff0e7254f16d039ea5b083a6475c58b3ea2c49f4e9b112b616a3236c1e4a271c034a09a28b15
+  data.tar.gz: 6dd83b5fd2809940dcd9875c7321ef4efcad0b711fdeadb652197607e80003afe0d018c3bdc86643a1bc47839487a83cc6aeb5ca6f0812b4808e3033b6baa59c

data/Rakefile CHANGED

@@ -18,23 +18,3 @@ end
 desc 'Run tests'
 task :default => :test
-task :pre_build do
-  version = Bundler::GemHelper.new.send(:version)
-  template = <<-EOF.gsub(/^\s{0,3}/m, '')
-  # Copyright (c) 2015 Sqreen. All Rights Reserved.
-  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
-  # Warning This file is auto generated! DO NOT edit.
-  module Sqreen
-     VERSION = #{version.to_s.inspect}.freeze
-  end
-  EOF
-  fname = File.join(File.dirname(__FILE__), 'lib', 'sqreen', 'version.rb')
-  File.open(fname, 'w') do |f|
-    f.puts template
-  end
-end
-default_build = Rake::Task['build']
-default_build.prerequisites.push(Rake::Task['pre_build'])

data/lib/sqreen/events/attack.rb CHANGED

@@ -45,6 +45,7 @@ module Sqreen
       res = {}
       rule_p = payload['rule']
       request_p = payload['request']
+      whitelisted = request_p.delete('whitelisted') if request_p
       res[:rule_name]    = rule_p['name']         if rule_p && rule_p['name']
       res[:rulespack_id] = rule_p['rulespack_id'] if rule_p && rule_p['rulespack_id']
       res[:test]         = rule_p['test']         if rule_p && rule_p['test']
@@ -55,6 +56,7 @@ module Sqreen
       res[:params]       = payload['params']      if payload['params']
       res[:context]      = payload['context']     if payload['context']
       res[:headers]      = payload['headers']     if payload['headers']
+      res[:whitelist_match] = whitelisted         if whitelisted
       res
     end
   end

data/lib/sqreen/instrumentation.rb CHANGED

@@ -371,6 +371,13 @@ module Sqreen
       klass.singleton_methods.include? method
     end
+    # Does this object or an instance of it respond_to method?
+    def valid_method?(obj, method)
+      return true if is_class_method?(obj, method)
+      return false unless obj.respond_to?(:instance_methods)
+      is_instance_method?(obj, method)
+    end
     def add_callback(cb)
       @@override_semaphore.synchronize do
         klass = cb.klass
@@ -487,7 +494,7 @@ module Sqreen
       end
       remove_all_callbacks # Force cb tree to be empty before instrumenting
       rules.each do |rule|
-        rcb = Sqreen::Rules.cb_from_rule(rule, metrics_engine, verifier)
+        rcb = Sqreen::Rules.cb_from_rule(rule, self, metrics_engine, verifier)
         next unless rcb
         rcb.framework = framework
         add_callback(rcb)

data/lib/sqreen/remote_command.rb CHANGED

@@ -12,6 +12,7 @@ module Sqreen
       :features_get => :features,
       :features_change => :change_features,
       :force_logout => :shutdown,
+      :paths_whitelist => :change_whitelisted_paths,
     }.freeze
     attr_reader :uuid

data/lib/sqreen/rule_callback.rb CHANGED

@@ -46,11 +46,39 @@ module Sqreen
         @rule[Attrs::RULESPACK_ID]
       end
+      # Recommend taking an action (optionnally adding more data/context)
+      #
+      # This will format the requested action and optionnally
+      # override it if it should not be taken (should not block for example)
+      def advise_action(action, additional_data = {})
+        return if action.nil? && additional_data.empty?
+        if %w(override raise).include?(action.to_s) && framework
+          prefix = find_whitelisted_path(framework.request_path.to_s)
+          if prefix
+            Sqreen.log.debug { "Trying to block on whitelisted path #{prefix}" }
+            action = nil
+          end
+        end
+        additional_data.merge(:status => action)
+      end
+      # Is this a whitelisted path?
+      # return the path witelisted prefix that match path
+      def find_whitelisted_path(rpath)
+        (Sqreen.whitelisted_paths || []).find do |path|
+          rpath.start_with?(path)
+        end
+      end
       # Record an attack event into Sqreen system
       # @param infos [Hash] Additional information about request
       def record_event(infos)
         payload = @payload_generator.payload(framework, @rule)
         payload['infos'] = infos
+        if framework && payload['request']
+          prefix = find_whitelisted_path(framework.request_path.to_s)
+          payload['request']['whitelisted'] = prefix
+        end
         Attack.record(payload)
       end

data/lib/sqreen/rules.rb CHANGED

@@ -40,9 +40,10 @@ module Sqreen
     # Given a rule, will instantiate the related callback.
     # @param hash_rule     [Hash]                 Rules metadata
+    # @param instrumentation_engine [Instrumentation] Instrumentation engine
     # @param metrics_store [MetricStore]          Metrics storage facility
     # @param verifier      [SqreenSignedVerifier] Signed verifier
-    def self::cb_from_rule(hash_rule, metrics_store = nil, verifier = nil)
+    def self::cb_from_rule(hash_rule, instrumentation_engine=nil, metrics_store = nil, verifier = nil)
       # Check rules signature
       if verifier
         raise InvalidSignatureException unless verifier.verify(hash_rule)
@@ -56,12 +57,18 @@ module Sqreen
       if instr_class.nil?
         rule_name = hash_rule[Attrs::NAME]
-        Sqreen.log.debug "#{klass} does not exists. Skipping #{rule_name}"
+        Sqreen.log.debug { "#{klass} does not exists. Skipping #{rule_name}" }
         return nil
       end
       instr_method = hook[Attrs::METHOD]
       instr_method = instr_method.to_sym
+      if instrumentation_engine &&
+         !instrumentation_engine.valid_method?(instr_class, instr_method)
+        Sqreen.log.debug { "#{instr_method} does not exist on #{klass} Skipping #{rule_name}" }
+        return nil
+      end
       cbname = hook[Attrs::CALLBACK_CLASS]

data/lib/sqreen/rules_callbacks/binding_accessor_metrics.rb CHANGED

@@ -63,7 +63,7 @@ module Sqreen
           accessor.resolve(binding, framework, inst, args, @data, rv)
         end
         record_observation(category, key, value)
-        nil
+        advise_action(nil)
       end
       def build_expressions(callbacks)

data/lib/sqreen/rules_callbacks/count_http_codes.rb CHANGED

@@ -11,7 +11,7 @@ module Sqreen
       def post(rv, _inst, *_args, &_block)
         return unless rv.is_a?(Array) && !rv.empty?
         record_observation(METRIC_CATEGORY, rv[0], 1)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches.rb CHANGED

@@ -17,7 +17,7 @@ module Sqreen
         Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
         infos = { :found => found }
         record_event(infos)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/crawler_user_agent_matches_metrics.rb CHANGED

@@ -17,7 +17,7 @@ module Sqreen
         return unless found
         Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
         record_observation(CRAWLER_CATEGORY, ua, 1)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/execjs.rb CHANGED

@@ -94,7 +94,10 @@ module Sqreen
           end
           Sqreen.log.debug { [name, arguments].inspect }
           ret = @compiled.call("callbacks.#{name}", *arguments)
-          return ret unless record_and_continue?(ret)
+          unless record_and_continue?(ret)
+            return nil if ret.nil?
+            return advise_action(ret[:status], ret)
+          end
           name = ret[:call]
           rv = ret[:data]
           args_override = ret[:args]

data/lib/sqreen/rules_callbacks/headers_insert.rb CHANGED

@@ -15,7 +15,7 @@ module Sqreen
         headers.each do |name, value|
           rv[1][name] = value
         end
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/rails_parameters.rb CHANGED

@@ -7,7 +7,7 @@ module Sqreen
   module Rules
     class RailsParametersCB < RuleCB
       def pre(_inst, *_args, &_block)
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/record_request_context.rb CHANGED

@@ -9,14 +9,17 @@ module Sqreen
     class RecordRequestContext < RuleCB
       def pre(_inst, *args, &_block)
         framework.store_request(args[0])
+        advise_action(nil)
       end
       def post(_rv, _inst, *_args, &_block)
         framework.clean_request
+        advise_action(nil)
       end
       def failing(_exception, _inst, *_args, &_block)
         framework.clean_request
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/reflected_xss.rb CHANGED

@@ -3,9 +3,12 @@
 require 'cgi'
+require 'sqreen/rule_callback'
 require 'sqreen/rules_callbacks/regexp_rule'
+# Sqreen module
 module Sqreen
+  # Sqreen rules
   module Rules
     # look for reflected XSS with erb template engine
     class ReflectedXSSCB < RegexpRuleCB
@@ -25,11 +28,14 @@ module Sqreen
         saved_value = value.dup
         # potential XSS! let's escape
-        args[0].replace(CGI.escape_html(value)) if block
+        if block &&
+           (!framework || !find_whitelisted_path(framework.request_path.to_s))
+          args[0].replace(CGI.escape_html(value))
+        end
         report_dangerous_xss(saved_value)
-        nil
+        advise_action(nil)
       end
       # The remaining code is only to find out if user entry was an attack,
@@ -41,7 +47,7 @@ module Sqreen
         return unless found
         infos = {
           :found => found,
-          :payload => value
+          :payload => value,
         }
         record_event(infos)
       end
@@ -52,35 +58,55 @@ module Sqreen
     #                            escape_html, nuke_inner_whitespace,
     #                            interpolated, ugly)
     class ReflectedXSSHamlCB < ReflectedXSSCB
-      def pre(inst, *args, &_block)
-        value = args[0]
+      def post(ret, _inst, *_args, &_block)
+        value = ret
+        return if value.nil?
-        return unless value.is_a?(String)
-        # if escape_html is already true, it will be escaped later
-        return if args[4]
+        # Sqreen::log.debug value
         return unless framework.params_include?(value)
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }
-        # potential XSS ! Call the same method with the argument
-        # escape_html true
-        if block
-          nargs = args.dup
-          nargs[4] = true
-          return_value = {
-            :status => :skip,
-            # 'method' is an attribut reader in class CB, it's the name of the
-            # hooked method
-            :new_return_value => inst.send(method, *nargs),
-          }
-        end
+        return unless value.is_a?(String)
         report_dangerous_xss(value)
-        return_value
+        return unless block
+        # potential XSS! let's escape
+        advise_action(:override, :new_return_value => CGI.escape_html(value))
+      end
+    end
+    # Hook into haml4 script parser
+    class Haml4ParserScriptHookCB < RuleCB
+      def pre(_inst, *args, &_block)
+        return unless args.size > 1
+        text = args[0]
+        escape_html = args[1]
+        if escape_html == false && !text.include?('html_escape')
+          args[0].replace("Sqreen.escape_haml(#{args[0]})")
+        end
+        nil
       end
     end
+    # Hook into haml4 tag parser
+    class Haml4ParserTagHookCB < RuleCB
+      def post(ret, _inst, *_args, &_block)
+        tag = ret
+        if tag.value[:escape_html] == false &&
+           !tag.value[:value].include?('html_escape')
+          tag.value[:value] = "Sqreen.escape_haml(#{tag.value[:value]})"
+          return { :status => :override, :new_return_value => tag }
+        end
+        nil
+      end
+    end
+  end
+  # Escape HAML when instrumented to do it
+  def self.escape_haml(x)
+    x
   end
 end

data/lib/sqreen/rules_callbacks/shell_env.rb CHANGED

@@ -25,7 +25,7 @@ module Sqreen
         }
         Sqreen.log.warn "presence of a shell env tampering: #{infos.inspect}"
         record_event(infos)
-        { :status => :raise }
+        advise_action(:raise)
       end
     end
   end

data/lib/sqreen/rules_callbacks/url_matches.rb CHANGED

@@ -18,7 +18,7 @@ module Sqreen
         found = match_regexp(path)
         infos = { :path => path, :found => found }
         record_event(infos) if found
-        nil
+        advise_action(nil)
       end
     end
   end

data/lib/sqreen/rules_callbacks/user_agent_matches.rb CHANGED

@@ -15,7 +15,7 @@ module Sqreen
         Sqreen.log.debug { "Found UA #{ua} - found: #{found}" }
         infos = { :found => found }
         record_event(infos)
-        { :status => :raise, :data => found }
+        advise_action(:raise, :data => found)
       end
     end
   end

data/lib/sqreen/runner.rb CHANGED

@@ -48,6 +48,11 @@ module Sqreen
     attr_accessor :logged_in
     alias logged_in? logged_in
+    attr_reader :whitelisted_paths
+    def update_whitelisted_paths(paths)
+      @whitelisted_paths = paths.freeze
+    end
   end
   # Main running job class for the agent
@@ -81,6 +86,7 @@ module Sqreen
       @token = @configuration.get(:token)
       @url = @configuration.get(:url)
+      Sqreen.update_whitelisted_paths([])
       raise(Sqreen::Exception, 'no url found') unless @url
       raise(Sqreen::TokenNotFoundException, 'no token found') unless @token
@@ -232,6 +238,12 @@ module Sqreen
       batch_events(features['batch_size'], features['max_staleness'])
     end
+    def change_whitelisted_paths(paths, _context_infos = {})
+      return false unless paths.respond_to?(:each)
+      Sqreen.update_whitelisted_paths(paths)
+      true
+    end
     def change_features(new_features, _context_infos = {})
       old = features
       self.features = new_features

data/lib/sqreen/version.rb CHANGED

@@ -1,6 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
-# Warning This file is auto generated! DO NOT edit.
 module Sqreen
-  VERSION = "1.3.21489051313".freeze
+  VERSION = '1.4.2'.freeze
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.3.21489051313
+  version: 1.4.2
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-09 00:00:00.000000000 Z
+date: 2017-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs