Instrument Rack to visualize Rails requests processing
0 likes1,013 views
The document discusses rack as the interface between web servers and frameworks like Ruby on Rails and Sinatra, highlighting its significance in request processing. It explains the concept of instrumentation and how it can modify software behavior, along with Ruby's capabilities for implementing such features. Additionally, the document invites Rails or Sinatra developers to explore the beta program of Sqreen for automatic application protection.
![© Sqreenhttps://www.sqreen.io
What is Rack ?
« Interface between webservers and frameworks »
Ruby framework: Rails, Sinatra…
Ruby server: Webrick, Puma, Mongrel…
require 'rack'
app = Proc.new do |env|
[‘200',
{'Content-Type' => ‘text/html'},
[Time.now.to_s]
]
end
Rack::Handler::WEBrick.run app](https://image.slidesharecdn.com/slides-151105231225-lva1-app6891/85/Instrument-Rack-to-visualize-Rails-requests-processing-3-320.jpg)
![© Sqreenhttps://www.sqreen.io
Function identification example
Locate where the SqreenUA User-Agent is processed:
In Sinatra output:
$ curl -A SqreenUA localhost:4567/hi
Regexp.c-return (webrick/httprequest.rb:436) `User-Agent: SqreenUA`
Kernel.c-return (webrick/httputils.rb:140) `Host: localhost:4567
User-Agent: SqreenUA
Accept: */*`
[…]
String.c-return (webrick/httprequest.rb:403) - `SqreenUA`
Kernel.c-return (/rack/handler/webrick.rb:60) - `SqreenUA`](https://image.slidesharecdn.com/slides-151105231225-lva1-app6891/85/Instrument-Rack-to-visualize-Rails-requests-processing-8-320.jpg)
Instrument Rack to visualize Rails requests processing
- 1. Confidential & proprietary © Sqreen We make products antifragile. https://www.sqreen.io Instrument Rack to visualize Rails requests processing
- 2. © Sqreenhttps://www.sqreen.io Jean-Baptiste Aviat Sqreen CTO (https://sqreen.io) Former Apple software security engineer Former white hat hacker Twitter: @JbAviat Mail: jb@sqreen.io
- 3. © Sqreenhttps://www.sqreen.io What is Rack ? « Interface between webservers and frameworks » Ruby framework: Rails, Sinatra… Ruby server: Webrick, Puma, Mongrel… require 'rack' app = Proc.new do |env| [‘200', {'Content-Type' => ‘text/html'}, [Time.now.to_s] ] end Rack::Handler::WEBrick.run app
- 4. © Sqreenhttps://www.sqreen.io Rails with Rack request processing Around 6000 lines of code No strict boundaries: frameworks rely on Rack for some tasks Need to instrument low level HTTP calls Sinatra Rails with Grape Needed a clear and simple Rack knowledge
- 5. © Sqreenhttps://www.sqreen.io Instrumentation: what is it? Hooking into software to modify original behavior Display Rack actions x86 compiled code 3 engineers for 1 month work, databases, ASM Ruby code 3 lines and 1 minute
- 6. © Sqreenhttps://www.sqreen.io Ruby instrumentation capabilities Kernel#set_trace_func Arguments are: 1. An event name (call, line, return…) 2. A filename and a line number 3. An object id 4. A binding 5. The name of a class set_trace_func proc { |*args| puts args }
- 7. © Sqreenhttps://www.sqreen.io Find the needle in the haystack The Binding class holds a block binding You can inspect anything in any line of code binding.local_variables.each do |var| val = binding.local_variable_get var if val.is_a? String and val.include? query puts "#{classname}.#{event} (#{file}:#{line} - #{val}" end end }
- 8. © Sqreenhttps://www.sqreen.io Function identification example Locate where the SqreenUA User-Agent is processed: In Sinatra output: $ curl -A SqreenUA localhost:4567/hi Regexp.c-return (webrick/httprequest.rb:436) `User-Agent: SqreenUA` Kernel.c-return (webrick/httputils.rb:140) `Host: localhost:4567 User-Agent: SqreenUA Accept: */*` […] String.c-return (webrick/httprequest.rb:403) - `SqreenUA` Kernel.c-return (/rack/handler/webrick.rb:60) - `SqreenUA`
- 9. © Sqreenhttps://www.sqreen.io Modules involved in request processing
- 10. © Sqreenhttps://www.sqreen.io Instruction count (most used classes)
- 11. © Sqreenhttps://www.sqreen.io Instruction count (exhaustive)
- 12. © Sqreenhttps://www.sqreen.io Sqreen: you code, we protect We automatically protect your apps Strong and transparent Beta program available: Come and see me if you have Rails or Sinatra based applications Sqreen is growing… jobs@sqreen.io