v0.14.0

New Feature:

- (#142) RASP: add Shellshock protection support. This protection is currently
  attached to `os.StartProcess()` which is the common function of the Go
  standard library to execute a process. This protection can be configured at
  <https://my.sqreen.com/application/goto/modules/rasp/details/shellshock>.

Fixes:

- (#145) In-App WAF: always recover from panics as this in the way the `reflect`
  package handles usage errors.

- (#144) Backend client: avoid dropping HTTP traces in case of `Host` header
  parsing errors.

Author: Julio Guerra

.github/workflows/agent-tests.yaml

@@ -0,0 +1,51 @@
+name: Agent Tests
+on:
+  pull_request:
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  native:
+    strategy:
+      matrix:
+        runs-on: [ macos-latest, ubuntu-latest, windows-latest ]
+        go-version: [ 1, 1.15, 1.14, 1.13, 1.12 ]
+      fail-fast: false
+    runs-on: ${{ matrix.runs-on }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - run: go test ./...
+
+  # Same tests but on the official golang container for linux
+  # Docker for Windows is not yet available on Github Actions.
+  golang-linux-container:
+    strategy:
+      matrix:
+        go-version: [ 1, 1.15, 1.14, 1.13, 1.12 ]
+        distribution: [ alpine, buster ]
+      fail-fast: false
+    runs-on: ubuntu-latest
+    container:
+      image: golang:${{ matrix.go-version }}-${{ matrix.distribution }}
+    steps:
+      - uses: actions/checkout@v2
+      # Install gcc and the libc headers on alpine images
+      - if: ${{ matrix.distribution == 'alpine' }}
+        run: apk add gcc musl-dev libc6-compat git
+      - run: go test ./...
+
+  # debian stretch doesn't have the latest go versions
+  golang-debian-stretch-container:
+    strategy:
+      matrix:
+        go-version: [ 1.14, 1.13, 1.12 ]
+      fail-fast: false
+    runs-on: ubuntu-latest
+    container:
+      image: golang:${{ matrix.go-version }}-stretch
+    steps:
+      - uses: actions/checkout@v2
+      - run: go test ./...

.github/workflows/ci-example-apps.yaml .github/workflows/example-apps.yaml

@@ -1,6 +1,5 @@
-name: Example App Builds
+name: Example Apps
 on:
-  push:
   pull_request:
   schedule:
     - cron: "0 0 * * *"
@@ -10,7 +9,7 @@ jobs:
     strategy:
       matrix:
         example: [ alpine, debian, scratch ]
-        go-version: [ rc, 1.14, 1.13, 1.12]
+        go-version: [ rc, 1.14, 1.13, 1.12 ]
         do-vendoring: [ true, false ]
     runs-on: ubuntu-latest
     steps:

.github/workflows/system-tests.yaml

@@ -0,0 +1,21 @@
+name: System Tests
+on:
+  push:
+    branches: [ 'master', 'dev', 'hotfix/*', 'release/*', 'feature/*', 'fix/*' ]
+jobs:
+  # Run system tests when the PR is no longer a draft
+  system-tests:
+    if: github.event.pull_request.draft == false
+    name: System Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run System Tests
+        uses: felixp8/[email protected]
+        with:
+          token: ${{ secrets.GH_TOKEN }}
+          owner: sqreen
+          repo: AgentGoTests
+          event_type: go-agent-commit
+          client_payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}"}'
+          wait_time: 10
+          max_time: 600

CHANGELOG.md

@@ -1,3 +1,21 @@
+# v0.14.0 - 2 September 2020
+
+## New Feature
+
+- (#142) RASP: add Shellshock protection support. This protection is currently
+  attached to `os.StartProcess()` which is the common function of the Go
+  standard library to execute a process. This protection can be configured at
+  <https://my.sqreen.com/application/goto/modules/rasp/details/shellshock>.
+
+## Fixes
+
+- (#145) In-App WAF: always recover from panics as this in the way the `reflect`
+  package handles usage errors.
+
+- (#144) Backend client: avoid dropping HTTP traces in case of `Host` header
+  parsing errors.
+
+
 # v0.13.0 - 24 July 2020
 
 ## New Feature
@@ -80,21 +98,21 @@
 
 ## New Features
 
-- (#119) RASP: add Shell Injection protection support. This protection is currently dynamically applied to `os.StartProcess()` which is the only entry point of the Go standard library to execute a process.  This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/shi.
+- (#119) RASP: add Shell Injection protection support. This protection is currently dynamically applied to `os.StartProcess()` which is the only entry point of the Go standard library to execute a process.  This protection can be configured at <https://my.sqreen.com/application/goto/modules/rasp/details/shi>.
 
-- (#119) RASP: add Local File Inclusion protection support. This protection is currently dynamically applied to `os.Open()` which is the only entry point of the Go standard library to open a file for reading. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/lfi.
+- (#119) RASP: add Local File Inclusion protection support. This protection is currently dynamically applied to `os.Open()` which is the only entry point of the Go standard library to open a file for reading. This protection can be configured at <https://my.sqreen.com/application/goto/modules/rasp/details/lfi>.
 
-- (#120) RASP: add Server-Side Request Forgery protection support. This protection is currently dynamically applied to `net/http.(*Client).do()` which is the only entry point of the Go standard library to perform an HTTP request. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/ssrf.
+- (#120) RASP: add Server-Side Request Forgery protection support. This protection is currently dynamically applied to `net/http.(*Client).do()` which is the only entry point of the Go standard library to perform an HTTP request. This protection can be configured at <https://my.sqreen.com/application/goto/modules/rasp/details/ssrf>.
 
-- (#125) RASP: enable SQL Injection protection for every MySQL, Oracle, SQLite and PostgreSQL drivers listed in the Go language wiki page https://github.com/golang/go/wiki/SQLDrivers.
+- (#125) RASP: enable SQL Injection protection for every MySQL, Oracle, SQLite and PostgreSQL drivers listed in the Go language wiki page <https://github.com/golang/go/wiki/SQLDrivers>.
 
 - (#115) RASP: store Sqreen's request protection context into the Goroutine Local Storage (GLS). Therefore, Sqreen can now protect every Go function without requiring the request Go context (eg. both `QueryContext()` and `Query()` can be now protected against SQL injections). For now, this protection context is only available in the goroutine handling the request, and sub-goroutines are not protected. Further support will be added very soon to remove this limitation.
 
-- (#121) Add IP denylist support: block every request performed by an IP address of the denylist. Every usage of whitelist and blacklist in the agent was also removed when possible. The IP denylist can be configured at https://my.sqreen.com/application/goto/settings/denylist.
+- (#121) Add IP denylist support: block every request performed by an IP address of the denylist. Every usage of whitelist and blacklist in the agent was also removed when possible. The IP denylist can be configured at <https://my.sqreen.com/application/goto/settings/denylist>.
 
-- (#122) Add path passlist support: requests performed on those paths are not monitored nor protected by Sqreen. The Path passlist can be configured at https://my.sqreen.com/application/goto/settings/passlist.
+- (#122) Add path passlist support: requests performed on those paths are not monitored nor protected by Sqreen. The Path passlist can be configured at <https://my.sqreen.com/application/goto/settings/passlist>.
 
-- (#123) Export the error type returned by Sqreen protections when blocking in the new SDK package `github.com/sqreen/go-agent/sdk/types` in order to avoid retrying blocked function calls (eg. avoid retrying a blocked SQL query). It must be used along with `errors.As()` to detect such cases. Read more at https://godoc.org/github.com/sqreen/go-agent/sdk/types.
+- (#123) Export the error type returned by Sqreen protections when blocking in the new SDK package `github.com/sqreen/go-agent/sdk/types` in order to avoid retrying blocked function calls (eg. avoid retrying a blocked SQL query). It must be used along with `errors.As()` to detect such cases. Read more at <https://godoc.org/github.com/sqreen/go-agent/sdk/types>.
 
 - (#124) Allow to "quickly" remove the agent from a program by only removing it from the source code without disabling the program instrumentation. This is made possible by making the instrumentation fully autonomous to avoid compilation errors.
 

azure-pipelines.yml

@@ -24,11 +24,11 @@ require (
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/onsi/ginkgo v1.7.0
 	github.com/onsi/gomega v1.4.3
-	github.com/pkg/errors v0.8.1
+	github.com/pkg/errors v0.9.1
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.3.2
-	github.com/sqreen/go-libsqreen v0.7.0
+	github.com/sqreen/go-libsqreen v0.7.1
 	github.com/sqreen/go-sdk/signal v1.1.0
 	github.com/stretchr/testify v1.6.1
 	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 // indirect

go.mod

@@ -81,8 +81,8 @@ github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
@@ -101,8 +101,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2 h1:VUFqw5KcqRf7i70GOzW7N+Q7+gxVBkSSqiXB12+JQ4M=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
-github.com/sqreen/go-libsqreen v0.7.0 h1:MRX/KB5lX3O6ucvmTUap6iSDt27bM+76MQpuDNjL+1o=
-github.com/sqreen/go-libsqreen v0.7.0/go.mod h1:D324eoKlZGfW+TF3WGg+2fUtpdrI+cEK5UYwpxfaeUc=
+github.com/sqreen/go-libsqreen v0.7.1 h1:wKjpt2+BjDx9Gi8VsQOS9YP3Q43lX0o835LwFPpDItQ=
+github.com/sqreen/go-libsqreen v0.7.1/go.mod h1:krFVmXmHM5SaWeED8jDb8KwrViK505KDBpYJ8IY2Ks8=
 github.com/sqreen/go-sdk/signal v1.1.0 h1:l22lqlUNDlEaqsNjpgVelGteBCwGodZqUDPUMBOLzhE=
 github.com/sqreen/go-sdk/signal v1.1.0/go.mod h1:XWJV0TzuoN6PotzRn4YSe6fhTxyw67yRpVYr9NJTzto=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

go.sum

@@ -58,15 +58,11 @@ func NewAgentInfra(agentVersion, osType, hostname, runtimeVersion string) *Agent
 }
 
 func fromLegacyRequestRecord(record *legacy_api.RequestRecord, infra *AgentInfra) (*http_trace.Trace, error) {
-	port, err := strconv.ParseUint(record.Request.Port, 10, 64)
-	if err != nil {
-		return nil, sqerrors.Wrap(err, "could not parse the request port number as an uint64 value")
-	}
-
-	remotePort, err := strconv.ParseUint(record.Request.RemotePort, 10, 64)
-	if err != nil {
-		return nil, sqerrors.Wrap(err, "could not parse the request remote port number as an uint64 value")
-	}
+	// Parse the port numbers by ignoring parsing errors and keeping the default
+	// zero value otherwise anyway to avoid dropping the the trace for that error.
+	// For example, the port number can be possibly empty.
+	port, _ := strconv.ParseUint(record.Request.Port, 10, 64)
+	remotePort, _ := strconv.ParseUint(record.Request.RemotePort, 10, 64)
 
 	headers := make([][]string, len(record.Request.Headers))
 	for i, e := range record.Request.Headers {
@@ -276,7 +272,7 @@ func convertLegacyMetrics(metric *legacy_api.MetricResponse, agentVersion string
 
 	values, ok := metric.Observation.Value.(map[string]int64)
 	if !ok {
-		return nil, sqerrors.Errorf("unexpected type of metric values `%T` instead of `map[string]intr64`", metric.Observation.Value)
+		return nil, sqerrors.Errorf("unexpected type of metric values `%T` instead of `%T`", metric.Observation.Value, values)
 	}
 
 	return api.NewSumMetric(name.String(), source, metric.Start, metric.Finish, metric.Finish.Sub(metric.Start), values), nil