sqreen 1.8.1 → 1.8.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/sqreen/condition_evaluator.rb +1 -1
- data/lib/sqreen/frameworks/generic.rb +10 -1
- data/lib/sqreen/rules_callbacks/execjs.rb +82 -1
- data/lib/sqreen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9315ecf6d216389270fd8ecbd7f761649ea79e11
|
|
4
|
+
data.tar.gz: d327d13f60ef6b9c152f916c575a559e6cc6f5f9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 421f877ad79464c5cad95ccdb31327f4d7e0118b6f1f8eff0c4c53dcb182c8f6253e005c3d9b38e49b7aff38d4b95258d6e2f7e2d96a52302314b87a9b3b445a
|
|
7
|
+
data.tar.gz: d9d378343df12409db43d396fe0fee79118264537fe623eba69fb83c284d149ce93b4c564a6f749e30dde80b01b51fbae3db5ba793d415380de592f96d58b15a
|
|
@@ -30,7 +30,7 @@ module Sqreen
|
|
|
30
30
|
# @params value [Object] object to find
|
|
31
31
|
# @params hash [Hash] Hash to search into
|
|
32
32
|
# @params min_value_size [Fixnum] to compare against
|
|
33
|
-
def self.hash_val_include?(value, hash, min_value_size, rem =
|
|
33
|
+
def self.hash_val_include?(value, hash, min_value_size, rem = 20)
|
|
34
34
|
return true if rem <= 0
|
|
35
35
|
vals = hash
|
|
36
36
|
vals = hash.values if hash.is_a?(Hash)
|
|
@@ -64,16 +64,25 @@ module Sqreen
|
|
|
64
64
|
|
|
65
65
|
# Sourced from rack:Request#trusted_proxy?
|
|
66
66
|
TRUSTED_PROXIES = /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
|
|
67
|
+
LOCALHOST = /\A127\.0\.0\.1\Z|\A::1\Z|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
|
|
67
68
|
|
|
68
69
|
# What is the current client IP
|
|
69
70
|
def client_ip
|
|
70
71
|
req = request
|
|
71
72
|
return nil unless req
|
|
73
|
+
# Look for an external address being forwarded
|
|
72
74
|
forwarded = req.env['HTTP_X_FORWARDED_FOR']
|
|
73
75
|
ips = split_ip_addresses(forwarded)
|
|
74
76
|
last = ips.find { |ip| (ip !~ TRUSTED_PROXIES) && valid_ip?(ip) }
|
|
75
77
|
return last unless last.nil?
|
|
76
|
-
|
|
78
|
+
# Else fall back to declared remote addr
|
|
79
|
+
r = req.env['REMOTE_ADDR']
|
|
80
|
+
# If this is localhost get the last hop before
|
|
81
|
+
if !ips.empty? && r =~ LOCALHOST
|
|
82
|
+
last = ips.find { |ip| (ip !~ LOCALHOST) && valid_ip?(ip) }
|
|
83
|
+
return last unless last.nil?
|
|
84
|
+
end
|
|
85
|
+
r
|
|
77
86
|
end
|
|
78
87
|
|
|
79
88
|
# Get a header by name
|
|
@@ -9,7 +9,9 @@ end
|
|
|
9
9
|
|
|
10
10
|
require 'execjs'
|
|
11
11
|
|
|
12
|
+
require 'sqreen/rule_attributes'
|
|
12
13
|
require 'sqreen/rule_callback'
|
|
14
|
+
require 'sqreen/condition_evaluator'
|
|
13
15
|
require 'sqreen/binding_accessor'
|
|
14
16
|
require 'sqreen/events/remote_exception'
|
|
15
17
|
|
|
@@ -19,7 +21,8 @@ module Sqreen
|
|
|
19
21
|
class ExecJSCB < RuleCB
|
|
20
22
|
def initialize(klass, method, rule_hash)
|
|
21
23
|
super(klass, method, rule_hash)
|
|
22
|
-
callbacks = @rule[
|
|
24
|
+
callbacks = @rule[Attrs::CALLBACKS]
|
|
25
|
+
@conditions = @rule.fetch(Attrs::CONDITIONS, {})
|
|
23
26
|
|
|
24
27
|
if callbacks['pre'].nil? &&
|
|
25
28
|
callbacks['post'].nil? &&
|
|
@@ -61,6 +64,48 @@ module Sqreen
|
|
|
61
64
|
call_callback('failing', inst, args, rv)
|
|
62
65
|
end
|
|
63
66
|
|
|
67
|
+
def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
|
|
68
|
+
new_obj = {}
|
|
69
|
+
insert = []
|
|
70
|
+
to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
|
|
71
|
+
until to_do.empty?
|
|
72
|
+
where, key, value, deepness = to_do.pop
|
|
73
|
+
safe_key = key.kind_of?(Integer) ? key : key.to_s
|
|
74
|
+
if value.is_a?(Hash) && deepness < max_depth
|
|
75
|
+
val = {}
|
|
76
|
+
insert << [where, safe_key, val]
|
|
77
|
+
to_do += value.map { |k, v| [val, k, v, deepness + 1] }
|
|
78
|
+
elsif value.is_a?(Array) && deepness < max_depth
|
|
79
|
+
val = []
|
|
80
|
+
insert << [where, safe_key, val]
|
|
81
|
+
i = -1
|
|
82
|
+
to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
|
|
83
|
+
elsif deepness >= max_depth # if we are after max_depth don't try to filter
|
|
84
|
+
insert << [where, safe_key, value]
|
|
85
|
+
else
|
|
86
|
+
v = value.to_s
|
|
87
|
+
if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
|
|
88
|
+
case where
|
|
89
|
+
when Array
|
|
90
|
+
where << value
|
|
91
|
+
else
|
|
92
|
+
where[safe_key] = value
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
insert.reverse.each do |wh, ikey, ival|
|
|
98
|
+
case wh
|
|
99
|
+
when Array
|
|
100
|
+
wh << ival unless ival.empty?
|
|
101
|
+
else
|
|
102
|
+
wh[ikey] = ival unless ival.empty?
|
|
103
|
+
end
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
new_obj
|
|
107
|
+
end
|
|
108
|
+
|
|
64
109
|
protected
|
|
65
110
|
|
|
66
111
|
def record_and_continue?(ret)
|
|
@@ -92,6 +137,7 @@ module Sqreen
|
|
|
92
137
|
arguments = (args_override || @argument_requirements[name]).map do |accessor|
|
|
93
138
|
accessor.resolve(binding, framework, inst, args, @data, rv)
|
|
94
139
|
end
|
|
140
|
+
arguments = restrict(name, arguments) if @conditions.key?(name)
|
|
95
141
|
Sqreen.log.debug { [name, arguments].inspect }
|
|
96
142
|
ret = @compiled.call(name, *arguments)
|
|
97
143
|
unless record_and_continue?(ret)
|
|
@@ -110,6 +156,41 @@ module Sqreen
|
|
|
110
156
|
nil
|
|
111
157
|
end
|
|
112
158
|
|
|
159
|
+
def each_hash_val_include(condition, depth = 10)
|
|
160
|
+
return if depth <= 0
|
|
161
|
+
condition.each do |key, values|
|
|
162
|
+
if key == ConditionEvaluator::HASH_INC_OPERATOR
|
|
163
|
+
yield values
|
|
164
|
+
else
|
|
165
|
+
values.map do |v|
|
|
166
|
+
each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
|
|
167
|
+
end
|
|
168
|
+
end
|
|
169
|
+
end
|
|
170
|
+
end
|
|
171
|
+
|
|
172
|
+
def restrict(cbname, arguments)
|
|
173
|
+
condition = @conditions[cbname]
|
|
174
|
+
return arguments if condition.nil? or @argument_requirements[cbname].nil?
|
|
175
|
+
|
|
176
|
+
each_hash_val_include(condition) do |needle, haystack, min_length|
|
|
177
|
+
# We could actually run the binding accessor expression here.
|
|
178
|
+
needed_idx = @argument_requirements[cbname].map(&:expression).index(needle)
|
|
179
|
+
next unless needed_idx
|
|
180
|
+
|
|
181
|
+
haystack_idx = @argument_requirements[cbname].map(&:expression).index(haystack)
|
|
182
|
+
next unless haystack_idx
|
|
183
|
+
|
|
184
|
+
arguments[haystack_idx] = ExecJSCB.hash_val_included(
|
|
185
|
+
arguments[needed_idx],
|
|
186
|
+
arguments[haystack_idx],
|
|
187
|
+
min_length.to_i
|
|
188
|
+
)
|
|
189
|
+
end
|
|
190
|
+
|
|
191
|
+
arguments
|
|
192
|
+
end
|
|
193
|
+
|
|
113
194
|
def build_accessor(reqs)
|
|
114
195
|
reqs.map do |req|
|
|
115
196
|
BindingAccessor.new(req, true)
|
data/lib/sqreen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sqreen
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.8.
|
|
4
|
+
version: 1.8.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sqreen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-09-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: execjs
|