RubyGems - wafris - Versions diffs - 1.1.11 → 2.0.0 - Mend

wafris 1.1.11 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/lib/wafris/configuration.rb +121 -37
data/lib/wafris/log_suppressor.rb +3 -2
data/lib/wafris/middleware.rb +45 -23
data/lib/wafris/version.rb +1 -1
data/lib/wafris.rb +582 -38
metadata +44 -19
data/lib/lua/dist/wafris_core.lua +0 -305

metadata CHANGED Viewed

@@ -1,58 +1,86 @@
 --- !ruby/object:Gem::Specification
 name: wafris
 version: !ruby/object:Gem::Version
-  version: 1.1.11
+  version: 2.0.0
 platform: ruby
 authors:
-- Micahel Buckbee
+- Michael Buckbee
 - Ryan Castillo
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-04 00:00:00.000000000 Z
+date: 2024-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: connection_pool
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: redis
+  name: ipaddr
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.8.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.8.0
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -107,14 +135,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
@@ -149,7 +177,6 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/lua/dist/wafris_core.lua
 - lib/wafris.rb
 - lib/wafris/configuration.rb
 - lib/wafris/log_suppressor.rb
@@ -161,11 +188,9 @@ licenses:
 - Elastic-2.0
 metadata: {}
 post_install_message: |2+
-      Thank you for installing the wafris gem.
-      If you haven't already, please sign up for Wafris Hub at:
+      Thank you for installing the Wafris gem.
-      https://github.com/Wafris/wafris-rb
+      Get your API key and set firewall rules at https://hub.wafris.org
 rdoc_options: []
 require_paths:

data/lib/lua/dist/wafris_core.lua DELETED Viewed

@@ -1,305 +0,0 @@
-local USE_TIMESTAMPS_AS_REQUEST_IDS = false
-local EXPIRATION_IN_SECONDS = tonumber(redis.call("HGET", "waf-settings", "expiration-time")) or 86400
-local EXPIRATION_OFFSET_IN_SECONDS = 3600
-local function get_timebucket(timestamp_in_seconds)
-  local startOfHourTimestamp = math.floor(timestamp_in_seconds / 3600) * 3600
-  return tostring(startOfHourTimestamp)
-end
-local function set_property_value_id_lookups(property_abbreviation, property_value)
-  local value_key = property_abbreviation .. "V" .. property_value
-  local property_id = redis.call("GET", value_key)
-  if property_id == false then
-    property_id = redis.call("INCR", property_abbreviation .. "-id-counter")
-    redis.call("SET", value_key, property_id)
-    redis.call("SET", property_abbreviation .. "I" .. property_id, property_value)
-  end
-  redis.call("EXPIRE", value_key, EXPIRATION_IN_SECONDS + EXPIRATION_OFFSET_IN_SECONDS)
-  redis.call("EXPIRE", property_abbreviation .. "I" .. property_id, EXPIRATION_IN_SECONDS + EXPIRATION_OFFSET_IN_SECONDS)
-  return property_id
-end
-local function increment_leaderboard_for(property_abbreviation, property_id, timebucket)
-  local key = property_abbreviation .. "L" .. timebucket
-  redis.call("ZINCRBY", key, 1, property_id)
-  redis.call("EXPIRE", key, EXPIRATION_IN_SECONDS)
-end
-local function set_property_to_requests_list(property_abbreviation, property_id, request_id, timebucket)
-  local key = property_abbreviation .. "R" .. property_id .. "-" .. timebucket
-  redis.call("LPUSH", key, request_id)
-  redis.call("EXPIRE", key, EXPIRATION_IN_SECONDS + EXPIRATION_OFFSET_IN_SECONDS)
-end
-local function ip_in_hash(hash_name, ip_address)
-  local found_ip = redis.call('HEXISTS', hash_name, ip_address)
-  if found_ip == 1 then
-    return ip_address
-  else
-    return false
-  end
-end
-local function ip_in_cidr_range(cidr_set, ip_decimal_lexical)
-  local higher_value = redis.call('ZRANGEBYLEX', cidr_set, '['..ip_decimal_lexical, '+', 'LIMIT', 0, 1)[1]
-  local lower_value = redis.call('ZREVRANGEBYLEX', cidr_set, '['..ip_decimal_lexical, '-', 'LIMIT', 0, 1)[1]
-  if not (higher_value and lower_value) then
-      return false
-  end
-  local higher_compare = higher_value:match('([^%-]+)$')
-  local lower_compare = lower_value:match('([^%-]+)$')
-  if higher_compare == lower_compare then
-      return lower_compare
-  else
-      return false
-  end
-end
-local function escapePattern(s)
-    local patternSpecials = "[%^%$%(%)%%%.%[%]%*%+%-%?]"
-    return s:gsub(patternSpecials, "%%%1")
-end
-local function match_by_pattern(property_abbreviation, property_value)
-  local hash_name = "rules-blocked-" .. property_abbreviation
-  local patterns = redis.call('HKEYS', hash_name)
-  for _, pattern in ipairs(patterns) do
-    if string.find(string.lower(property_value), string.lower(escapePattern(pattern))) then
-      return pattern
-    end
-  end
-  return false
-end
-local function blocked_by_rate_limit(request_properties)
-  local rate_limiting_rules_values = redis.call('HKEYS', 'rules-blocked-rate-limits')
-  for i, rule_name in ipairs(rate_limiting_rules_values) do
-    local conditions_hash = redis.call('HGETALL', rule_name .. "-conditions")
-    local all_conditions_match = true
-    for j = 1, #conditions_hash, 2 do
-      local condition_key = conditions_hash[j]
-      local condition_value = conditions_hash[j + 1]
-      if request_properties[condition_key] ~= condition_value then
-        all_conditions_match = false
-        break
-      end
-    end
-    if all_conditions_match then
-      local rule_settings_key = rule_name .. "-settings"
-      local limit, time_period, limited_by, rule_id = unpack(redis.call('HMGET', rule_settings_key, 'limit', 'time-period', 'limited-by', 'rule-id'))
-      local throttle_key = rule_name .. ":" .. limit .. "V" .. request_properties.ip
-      local new_value = redis.call('INCR', throttle_key)
-      if new_value == 1 then
-        redis.call('EXPIRE', throttle_key, tonumber(time_period))
-      end
-      if tonumber(new_value) >= tonumber(limit) then
-        return rule_id
-      else
-        return false
-      end
-    end
-  end
-end
-local function check_rules(functions_to_check)
-  for _, check in ipairs(functions_to_check) do
-    local rule = check.func(unpack(check.args))
-    local category = check.category
-    if type(rule) == "string" then
-      return rule, category
-    end
-  end
-  return false, false
-end
-local function check_blocks(request)
-  local rule_categories = {
-    { category = "bi", func = ip_in_hash, args = { "rules-blocked-i", request.ip } },
-    { category = "bc", func = ip_in_cidr_range, args = { "rules-blocked-cidrs-set", request.ip_decimal_lexical } },
-    { category = "bs", func = ip_in_cidr_range, args = { "rules-blocked-cidrs-subscriptions-set", request.ip_decimal_lexical } },
-    { category = "bu", func = match_by_pattern, args = { "u", request.user_agent } },
-    { category = "bp", func = match_by_pattern, args = { "p", request.path } },
-    { category = "ba", func = match_by_pattern, args = { "a", request.parameters } },
-    { category = "bh", func = match_by_pattern, args = { "h", request.host } },
-    { category = "bm", func = match_by_pattern, args = { "m", request.method } },
-    { category = "bd", func = match_by_pattern, args = { "rh", request.headers } },
-    { category = "bpb", func = match_by_pattern, args = { "pb", request.post_body } },
-    { category = "brl", func = blocked_by_rate_limit, args = { request } }
-  }
-  return check_rules(rule_categories)
-end
-local function check_allowed(request)
-  local rule_categories = {
-    { category = "ai", func = ip_in_hash, args = { "rules-allowed-i", request.ip } },
-    { category = "ac", func = ip_in_cidr_range, args = { "rules-allowed-cidrs-set", request.ip_decimal_lexical } }
-  }
-  return check_rules(rule_categories)
-end
-local request = {
-  ["ip"] = ARGV[1],
-  ["ip_decimal_lexical"] = string.rep("0", 39 - #ARGV[2]) .. ARGV[2],
-  ["ts_in_milliseconds"] = ARGV[3],
-  ["ts_in_seconds"] = ARGV[3] / 1000,
-  ["user_agent"] = ARGV[4],
-  ["path"] = ARGV[5],
-  ["parameters"] = ARGV[6],
-  ["host"] = ARGV[7],
-  ["method"] = ARGV[8],
-  ["headers"] = ARGV[9],
-  ["post_body"] = ARGV[10],
-  ["ip_id"] = set_property_value_id_lookups("i", ARGV[1]),
-  ["user_agent_id"] = set_property_value_id_lookups("u", ARGV[4]),
-  ["path_id"] = set_property_value_id_lookups("p", ARGV[5]),
-  ["parameters_id"] = set_property_value_id_lookups("a", ARGV[6]),
-  ["host_id"] = set_property_value_id_lookups("h", ARGV[7]),
-  ["method_id"] = set_property_value_id_lookups("m", ARGV[8])
-}
-local current_timebucket = get_timebucket(request.ts_in_seconds)
-  local blocked_rule = false
-  local blocked_category = nil
-  local treatment = "p"
-  local stream_id
-  if USE_TIMESTAMPS_AS_REQUEST_IDS == true then
-      stream_id = request.ts_in_milliseconds
-  else
-      stream_id = "*"
-  end
-  local stream_args = {
-    "XADD",
-    "rStream",
-    "MINID",
-    tostring((current_timebucket - EXPIRATION_IN_SECONDS) * 1000 ),
-    stream_id,
-    "i", request.ip_id,
-    "u", request.user_agent_id,
-    "p", request.path_id,
-    "h", request.host_id,
-    "m", request.method_id,
-    "a", request.parameters_id,
-  }
-  local allowed_rule, allowed_category = check_allowed(request)
-  if allowed_rule then
-    table.insert(stream_args, "t")
-    table.insert(stream_args, "a")
-    treatment = "a"
-    table.insert(stream_args, "ac")
-    table.insert(stream_args, allowed_category)
-    table.insert(stream_args, "ar")
-    table.insert(stream_args, allowed_rule)
-  else
-    blocked_rule, blocked_category = check_blocks(request)
-  end
-  if blocked_rule then
-    table.insert(stream_args, "t")
-    table.insert(stream_args, "b")
-    treatment = "b"
-    table.insert(stream_args, "bc")
-    table.insert(stream_args, blocked_category)
-    table.insert(stream_args, "br")
-    table.insert(stream_args, blocked_rule)
-  end
-  if blocked_rule == false and allowed_rule == false then
-    table.insert(stream_args, "t")
-    table.insert(stream_args, "p")
-  end
-  local request_id = redis.call(unpack(stream_args))
-  increment_leaderboard_for("i", request.ip_id, current_timebucket)
-  increment_leaderboard_for("u", request.user_agent_id, current_timebucket)
-  increment_leaderboard_for("p", request.path_id, current_timebucket)
-  increment_leaderboard_for("a", request.parameters_id, current_timebucket)
-  increment_leaderboard_for("h", request.host_id, current_timebucket)
-  increment_leaderboard_for("m", request.method_id, current_timebucket)
-  increment_leaderboard_for("t", treatment, current_timebucket)
-  set_property_to_requests_list("i", request.ip_id, request_id, current_timebucket)
-  set_property_to_requests_list("u", request.user_agent_id, request_id, current_timebucket)
-  set_property_to_requests_list("p", request.path_id, request_id, current_timebucket)
-  set_property_to_requests_list("a", request.parameters_id, request_id, current_timebucket)
-  set_property_to_requests_list("h", request.host_id, request_id, current_timebucket)
-  set_property_to_requests_list("m", request.method_id, request_id, current_timebucket)
-  set_property_to_requests_list("t", treatment, request_id, current_timebucket)
-  if blocked_rule ~= false then
-    increment_leaderboard_for("bc", blocked_category, current_timebucket)
-    set_property_to_requests_list("bc", blocked_category, request_id, current_timebucket)
-    increment_leaderboard_for("br", blocked_rule, current_timebucket)
-    set_property_to_requests_list("br", blocked_rule, request_id, current_timebucket)
-  end
-  if allowed_rule ~= false then
-    increment_leaderboard_for("ac", allowed_category, current_timebucket)
-    set_property_to_requests_list("ac", allowed_category, request_id, current_timebucket)
-    increment_leaderboard_for("ar", allowed_rule, current_timebucket)
-    set_property_to_requests_list("ar", allowed_rule, request_id, current_timebucket)
-  end
-if blocked_rule ~= false then
-  return "Blocked"
-elseif allowed_rule ~= false then
-  return "Allowed"
-else
-  return "Passed"
-end