newrelic_security 0.1.0
- checksums.yaml +7 -0
- data/.github/ISSUE_TEMPLATE/bug_report.md +38 -0
- data/.github/ISSUE_TEMPLATE/enhancement.md +27 -0
- data/.github/actions/simplecov-report/LICENSE +22 -0
- data/.github/actions/simplecov-report/README.md +36 -0
- data/.github/actions/simplecov-report/__tests__/.keep +0 -0
- data/.github/actions/simplecov-report/__tests__/main.test.ts +3 -0
- data/.github/actions/simplecov-report/action.yml +25 -0
- data/.github/actions/simplecov-report/dist/index.js +10238 -0
- data/.github/actions/simplecov-report/dummy_coverage/.last_run.json +5 -0
- data/.github/actions/simplecov-report/jest.config.js +11 -0
- data/.github/actions/simplecov-report/package.json +51 -0
- data/.github/actions/simplecov-report/src/main.ts +54 -0
- data/.github/actions/simplecov-report/src/report.ts +28 -0
- data/.github/actions/simplecov-report/tsconfig.json +12 -0
- data/.github/workflows/pr_ci.yml +77 -0
- data/.github/workflows/release.yml +51 -0
- data/.github/workflows/repolinter.yml +31 -0
- data/.github/workflows/rubocop.yml +17 -0
- data/.github/workflows/scripts/rubygems-authenticate.py +13 -0
- data/.github/workflows/scripts/rubygems-publish.rb +33 -0
- data/.gitignore +72 -0
- data/.rubocop.yml +9 -0
- data/.rubocop_todo.yml +1414 -0
- data/.simplecov +16 -0
- data/CHANGELOG.md +69 -0
- data/CONTRIBUTING.md +22 -0
- data/Gemfile +6 -0
- data/Gemfile_test +58 -0
- data/LICENSE +43 -0
- data/README.md +133 -0
- data/README_agent.md +44 -0
- data/Rakefile +28 -0
- data/THIRD_PARTY_NOTICES.md +36 -0
- data/lib/newrelic_security/agent/agent.rb +109 -0
- data/lib/newrelic_security/agent/configuration/default_source.rb +8 -0
- data/lib/newrelic_security/agent/configuration/environment_source.rb +8 -0
- data/lib/newrelic_security/agent/configuration/manager.rb +178 -0
- data/lib/newrelic_security/agent/configuration/manual_source.rb +8 -0
- data/lib/newrelic_security/agent/configuration/server_source.rb +8 -0
- data/lib/newrelic_security/agent/configuration/yaml_source.rb +8 -0
- data/lib/newrelic_security/agent/control/app_info.rb +132 -0
- data/lib/newrelic_security/agent/control/application_url_mappings.rb +66 -0
- data/lib/newrelic_security/agent/control/collector.rb +117 -0
- data/lib/newrelic_security/agent/control/control_command.rb +117 -0
- data/lib/newrelic_security/agent/control/critical_message.rb +58 -0
- data/lib/newrelic_security/agent/control/event.rb +149 -0
- data/lib/newrelic_security/agent/control/event_counter.rb +28 -0
- data/lib/newrelic_security/agent/control/event_processor.rb +134 -0
- data/lib/newrelic_security/agent/control/event_stats.rb +26 -0
- data/lib/newrelic_security/agent/control/event_subscriber.rb +28 -0
- data/lib/newrelic_security/agent/control/exit_event.rb +38 -0
- data/lib/newrelic_security/agent/control/fuzz_request.rb +18 -0
- data/lib/newrelic_security/agent/control/grpc_context.rb +57 -0
- data/lib/newrelic_security/agent/control/health_check.rb +136 -0
- data/lib/newrelic_security/agent/control/http_context.rb +73 -0
- data/lib/newrelic_security/agent/control/iast_client.rb +151 -0
- data/lib/newrelic_security/agent/control/iast_data_transfer_request.rb +32 -0
- data/lib/newrelic_security/agent/control/reflected_xss.rb +258 -0
- data/lib/newrelic_security/agent/control/websocket_client.rb +131 -0
- data/lib/newrelic_security/agent/logging/init_logger.rb +91 -0
- data/lib/newrelic_security/agent/logging/logger.rb +92 -0
- data/lib/newrelic_security/agent/logging/null_logger.rb +21 -0
- data/lib/newrelic_security/agent/resources/cert.pem +50 -0
- data/lib/newrelic_security/agent/utils/agent_utils.rb +219 -0
- data/lib/newrelic_security/agent.rb +57 -0
- data/lib/newrelic_security/constants.rb +67 -0
- data/lib/newrelic_security/instrumentation-security/active_record/mysql2_adapter/chain.rb +70 -0
- data/lib/newrelic_security/instrumentation-security/active_record/mysql2_adapter/instrumentation.rb +187 -0
- data/lib/newrelic_security/instrumentation-security/active_record/mysql2_adapter/prepend.rb +54 -0
- data/lib/newrelic_security/instrumentation-security/active_record/postgresql_adapter/chain.rb +60 -0
- data/lib/newrelic_security/instrumentation-security/active_record/postgresql_adapter/instrumentation.rb +143 -0
- data/lib/newrelic_security/instrumentation-security/active_record/postgresql_adapter/prepend.rb +48 -0
- data/lib/newrelic_security/instrumentation-security/active_record/sqlite3_adapter/chain.rb +72 -0
- data/lib/newrelic_security/instrumentation-security/active_record/sqlite3_adapter/instrumentation.rb +187 -0
- data/lib/newrelic_security/instrumentation-security/active_record/sqlite3_adapter/prepend.rb +54 -0
- data/lib/newrelic_security/instrumentation-security/async-http/chain.rb +21 -0
- data/lib/newrelic_security/instrumentation-security/async-http/instrumentation.rb +46 -0
- data/lib/newrelic_security/instrumentation-security/async-http/prepend.rb +16 -0
- data/lib/newrelic_security/instrumentation-security/curb/chain.rb +26 -0
- data/lib/newrelic_security/instrumentation-security/curb/instrumentation.rb +52 -0
- data/lib/newrelic_security/instrumentation-security/curb/prepend.rb +18 -0
- data/lib/newrelic_security/instrumentation-security/dir/chain.rb +42 -0
- data/lib/newrelic_security/instrumentation-security/dir/instrumentation.rb +102 -0
- data/lib/newrelic_security/instrumentation-security/dir/prepend.rb +28 -0
- data/lib/newrelic_security/instrumentation-security/ethon/chain.rb +53 -0
- data/lib/newrelic_security/instrumentation-security/ethon/instrumentation.rb +122 -0
- data/lib/newrelic_security/instrumentation-security/ethon/prepend.rb +39 -0
- data/lib/newrelic_security/instrumentation-security/excon/chain.rb +23 -0
- data/lib/newrelic_security/instrumentation-security/excon/instrumentation.rb +44 -0
- data/lib/newrelic_security/instrumentation-security/excon/prepend.rb +17 -0
- data/lib/newrelic_security/instrumentation-security/file/chain.rb +34 -0
- data/lib/newrelic_security/instrumentation-security/file/instrumentation.rb +62 -0
- data/lib/newrelic_security/instrumentation-security/file/prepend.rb +22 -0
- data/lib/newrelic_security/instrumentation-security/grape/chain.rb +42 -0
- data/lib/newrelic_security/instrumentation-security/grape/instrumentation.rb +56 -0
- data/lib/newrelic_security/instrumentation-security/grape/prepend.rb +30 -0
- data/lib/newrelic_security/instrumentation-security/grpc/client/chain.rb +47 -0
- data/lib/newrelic_security/instrumentation-security/grpc/client/instrumentation.rb +37 -0
- data/lib/newrelic_security/instrumentation-security/grpc/client/prepend.rb +36 -0
- data/lib/newrelic_security/instrumentation-security/grpc/server/chain.rb +62 -0
- data/lib/newrelic_security/instrumentation-security/grpc/server/instrumentation.rb +65 -0
- data/lib/newrelic_security/instrumentation-security/grpc/server/prepend.rb +46 -0
- data/lib/newrelic_security/instrumentation-security/httpclient/chain.rb +30 -0
- data/lib/newrelic_security/instrumentation-security/httpclient/instrumentation.rb +82 -0
- data/lib/newrelic_security/instrumentation-security/httpclient/prepend.rb +22 -0
- data/lib/newrelic_security/instrumentation-security/httprb/chain.rb +21 -0
- data/lib/newrelic_security/instrumentation-security/httprb/instrumentation.rb +44 -0
- data/lib/newrelic_security/instrumentation-security/httprb/prepend.rb +16 -0
- data/lib/newrelic_security/instrumentation-security/httpx/chain.rb +23 -0
- data/lib/newrelic_security/instrumentation-security/httpx/instrumentation.rb +51 -0
- data/lib/newrelic_security/instrumentation-security/httpx/prepend.rb +18 -0
- data/lib/newrelic_security/instrumentation-security/instrumentation_loader.rb +50 -0
- data/lib/newrelic_security/instrumentation-security/instrumentation_utils.rb +165 -0
- data/lib/newrelic_security/instrumentation-security/io/chain.rb +113 -0
- data/lib/newrelic_security/instrumentation-security/io/instrumentation.rb +300 -0
- data/lib/newrelic_security/instrumentation-security/io/prepend.rb +86 -0
- data/lib/newrelic_security/instrumentation-security/kernel/chain.rb +65 -0
- data/lib/newrelic_security/instrumentation-security/kernel/instrumentation.rb +167 -0
- data/lib/newrelic_security/instrumentation-security/kernel/prepend.rb +50 -0
- data/lib/newrelic_security/instrumentation-security/mongo/chain.rb +106 -0
- data/lib/newrelic_security/instrumentation-security/mongo/instrumentation.rb +273 -0
- data/lib/newrelic_security/instrumentation-security/mongo/prepend.rb +77 -0
- data/lib/newrelic_security/instrumentation-security/mysql2/chain.rb +53 -0
- data/lib/newrelic_security/instrumentation-security/mysql2/instrumentation.rb +84 -0
- data/lib/newrelic_security/instrumentation-security/mysql2/prepend.rb +37 -0
- data/lib/newrelic_security/instrumentation-security/net_http/chain.rb +21 -0
- data/lib/newrelic_security/instrumentation-security/net_http/instrumentation.rb +60 -0
- data/lib/newrelic_security/instrumentation-security/net_http/prepend.rb +16 -0
- data/lib/newrelic_security/instrumentation-security/net_ldap/chain.rb +21 -0
- data/lib/newrelic_security/instrumentation-security/net_ldap/instrumentation.rb +42 -0
- data/lib/newrelic_security/instrumentation-security/net_ldap/prepend.rb +16 -0
- data/lib/newrelic_security/instrumentation-security/nokogiri/chain.rb +46 -0
- data/lib/newrelic_security/instrumentation-security/nokogiri/instrumentation.rb +36 -0
- data/lib/newrelic_security/instrumentation-security/nokogiri/prepend.rb +31 -0
- data/lib/newrelic_security/instrumentation-security/padrino/chain.rb +26 -0
- data/lib/newrelic_security/instrumentation-security/padrino/instrumentation.rb +42 -0
- data/lib/newrelic_security/instrumentation-security/padrino/prepend.rb +20 -0
- data/lib/newrelic_security/instrumentation-security/patron/chain.rb +23 -0
- data/lib/newrelic_security/instrumentation-security/patron/instrumentation.rb +50 -0
- data/lib/newrelic_security/instrumentation-security/patron/prepend.rb +18 -0
- data/lib/newrelic_security/instrumentation-security/pg/chain.rb +49 -0
- data/lib/newrelic_security/instrumentation-security/pg/instrumentation.rb +102 -0
- data/lib/newrelic_security/instrumentation-security/pg/prepend.rb +36 -0
- data/lib/newrelic_security/instrumentation-security/pty/chain.rb +31 -0
- data/lib/newrelic_security/instrumentation-security/pty/instrumentation.rb +52 -0
- data/lib/newrelic_security/instrumentation-security/pty/prepend.rb +22 -0
- data/lib/newrelic_security/instrumentation-security/rails/chain.rb +46 -0
- data/lib/newrelic_security/instrumentation-security/rails/instrumentation.rb +67 -0
- data/lib/newrelic_security/instrumentation-security/rails/prepend.rb +33 -0
- data/lib/newrelic_security/instrumentation-security/roda/chain.rb +22 -0
- data/lib/newrelic_security/instrumentation-security/roda/instrumentation.rb +41 -0
- data/lib/newrelic_security/instrumentation-security/roda/prepend.rb +16 -0
- data/lib/newrelic_security/instrumentation-security/sinatra/chain.rb +29 -0
- data/lib/newrelic_security/instrumentation-security/sinatra/instrumentation.rb +49 -0
- data/lib/newrelic_security/instrumentation-security/sinatra/prepend.rb +21 -0
- data/lib/newrelic_security/instrumentation-security/sqlite3/chain.rb +79 -0
- data/lib/newrelic_security/instrumentation-security/sqlite3/instrumentation.rb +164 -0
- data/lib/newrelic_security/instrumentation-security/sqlite3/prepend.rb +56 -0
- data/lib/newrelic_security/newrelic-security-api/api.rb +72 -0
- data/lib/newrelic_security/version.rb +5 -0
- data/lib/newrelic_security/websocket-client-simple/client.rb +128 -0
- data/lib/newrelic_security/websocket-client-simple/event_emitter.rb +72 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/error.rb +129 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/exception_handler.rb +32 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/base.rb +62 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/data.rb +49 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/base.rb +41 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler03.rb +224 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler04.rb +18 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler05.rb +15 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler07.rb +78 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler75.rb +78 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler.rb +15 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/incoming/client.rb +17 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/incoming/server.rb +17 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/incoming.rb +52 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/outgoing/client.rb +17 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/outgoing/server.rb +17 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/outgoing.rb +35 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame.rb +11 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/base.rb +142 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/client.rb +130 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/base.rb +49 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client.rb +32 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client01.rb +20 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client04.rb +63 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client11.rb +22 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client75.rb +39 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client76.rb +105 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server.rb +10 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server04.rb +56 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server75.rb +40 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server76.rb +75 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler.rb +21 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/server.rb +179 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake.rb +10 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/nice_inspect.rb +12 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/version.rb +5 -0
- data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket.rb +50 -0
- data/lib/newrelic_security.rb +6 -0
- data/lib/tasks/all.rb +8 -0
- data/lib/tasks/coverage_report.rake +27 -0
- data/newrelic_security.gemspec +51 -0
- metadata +342 -0
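--- a/data/.simplecov
+++ b/data/.simplecov
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+if ENV['CI']
+random = SecureRandom.uuid
+SimpleCov.command_name(random)
+SimpleCov.coverage_dir("coverage_#{random}")
+end
+
+SimpleCov.start do
+enable_coverage(:branch)
+SimpleCov.root(File.join(File.dirname(__FILE__), '/lib'))
+track_files('**/*.rb')
+formatter(SimpleCov::Formatter::SimpleFormatter) if ENV['CI']
+end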
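Review bot: `SimpleCov.root(File.join(File.dirname(__FILE__), '/lib'))` is the only call inside the `SimpleCov.start` block written with an explicit receiver, and its path segment carries a leading slash; `root(File.join(File.dirname(__FILE__), 'lib'))` would match the neighbouring `enable_coverage` and `track_files` calls. The `if ENV['CI']` block also has no comment explaining the random UUID. Something like `# Unique command name and output directory per CI run` would help; presumably the intent is to stop parallel jobs overwriting each other's results, which should be confirmed.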
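--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,69 @@
+# New Relic Ruby Security Agent Release Notes
+
+## v0.1.0
+
+Version 0.1.0 introduces `newrelic_security` agent for public preview under Newrelic pre-release software notice.
+
+- json_version: 1.2.0
+
+[New Relic Interactive Application Security Testing (IAST)](https://docs.newrelic.com/docs/iast/introduction/) can help you prevent cyberattacks and breaches on your applications by probing your running code for exploitable vulnerabilities.
+
+The `newrelic_security` gem provides this feature for Ruby. It depends on `newrelic_rpm` gem version v9.12.0 or above.
+
+At this time, the security agent is intended for use only within a dedicated security testing environment(or pre production) with data that can tolerate modification or deletion. The security agent is available as a separate Ruby gem, `newrelic_security`. It is recommended that this separate gem only be introduced to a security testing environment by leveraging Bundler grouping like so:
+
+```ruby
+# Gemfile
+gem 'newrelic_rpm' # New Relic APM observability agent
+
+group :security do
+gem 'newrelic_security', require: false # New Relic security agent
+end
+```
+
+In order to run the security agent, make sure `newrelic_security` is not loaded by bundler but `newrelic_rpm` only by adding `require: false` in Gemfile. To run the security agent by newrelic_rpm, you need to update your configuration in newrelic.yml. At a minimum, `security.agent.enabled` and `security.enabled` must be set to `true`. They are `false` by default. Similar to the gem installation, we recommend you set these configurations for a special security testing environment only.
+
+Here's an example using `newrelic.yml`:
+
+```yaml
+common: &default_settings
+license_key: <%= ENV['NEW_RELIC_LICENSE_KEY'] %>
+app_name: "Example app"
+
+development:
+<<: *default_settings
+app_name: <%= app_name %> (Development)
+
+security:
+<<: *default_settings
+security.enabled: true
+security.agent.enabled: true
+
+production:
+<<: *default_settings
+```
+
+The following configuration relate to the `newrelic_security` gem:
+
+| Configuration name | Default | Behavior |
+| ------------------ | ------- |----------|
+| security.agent.enabled | `false` | If `true`, the security agent is loaded (a Ruby 'require' is performed) |
+| security.enabled | `false` | If `true`, the security agent is started (the agent runs in its event loop) |
+| security.mode | `'IAST'` | Defines the mode for the security agent to operate in. Currently only 'IAST' is supported |
+| security.validator_service_url | `'wss://csec.nr-data.net'` | Defines the endpoint URL for posting security related data |
+| security.detection.rci.enabled | `true` | If `true`, enables RCI (remote code injection) detection |
+| security.detection.rxss.enabled | `true` | If `true`, enables RXSS (reflected cross-site scripting) detection |
+| security.detection.deserialization.enabled | `true` | If `true`, enables deserialization detection |
+| security.application_info.port | `nil` | An Integer representing the port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default. |
+
+## v0.0.3
+
+This is pre released test version.
+
+## v0.0.2
+
+This is pre released test version.
+
+## v0.0.1
+
+This is pre released test version.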
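--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -0,0 +1,22 @@
+# New Relic CSEC Agent Contributor License Agreement
+
+Any feedback provided to New Relic about the pre-release csec-ruby-agent, including feedback provided as source code, comments, or other copyrightable or patentable material, is provided to New Relic under the terms of the Apache Software License, version 2. If you do not provide attribution information or a copy of the license with your feedback, you waive the performance of those requirements of the Apache License with respect to New Relic. The license grant regarding any feedback is irrevocable and persists past the termination of this license.
+
+Keep in mind that you will need to sign the CSEC Agent CLA via the click-through using CLA-Assistant. If you have any questions, please drop our New Relic GitHub team an email at opensource@newrelic.com.
+
+For more information about CLAs, please check out Alex Russell’s excellent post,
+[“Why Do I Need to Sign This?”](https://infrequently.org/2008/06/why-do-i-need-to-sign-this/).
+
+## Contributing Feedback
+
+Contributions are always welcome. Before contributing please read the
+[code of conduct](https://github.com/newrelic/.github/blob/main/CODE_OF_CONDUCT.md) and [search the issue tracker](issues); your issue may have already been discussed or fixed in `main`. To contribute,
+[fork](https://help.github.com/articles/fork-a-repo/) this repository, commit your changes, and [send a Pull Request](https://help.github.com/articles/using-pull-requests/).
+
+Note that our [code of conduct](https://github.com/newrelic/.github/blob/main/CODE_OF_CONDUCT.md) applies to all platforms and venues related to this project; please follow it in all your interactions with the project and its participants.
+
+## Feedback on Feature Requests
+
+Feature requests should be submitted in the [Issue tracker](../../issues), with a description of the expected behavior & use case, where they’ll remain closed until sufficient interest, [e.g. :+1: reactions](https://help.github.com/articles/about-discussions-in-issues-and-pull-requests/), has been [shown by the community](../../issues?q=label%3A%22votes+needed%22+sort%3Areactions-%2B1-desc).
+Before submitting an Issue, please search for similar ones in the
+[closed issues](../../issues?q=is%3Aissue+is%3Aclosed+label%3Aenhancement).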
data/Gemfile
ADDED
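--- a/data/Gemfile_test
+++ b/data/Gemfile_test
@@ -0,0 +1,58 @@
+source 'https://rubygems.org'
+gem 'excon'
+gem 'faraday'
+gem 'httpclient'
+gem 'net-http-persistent'
+gem 'net-ldap'
+gem 'nokogiri'
+gem 'minitest'
+gem 'rake'
+gem 'rack'
+gem 'rackup'
+gem 'rubocop'
+gem 'rubocop-minitest'
+gem 'rubocop-rake'
+gem 'simplecov'
+gem 'railties'
+if RUBY_VERSION >= '3.0.0'
+gem 'rails', '~>6.0.0'
+elsif RUBY_VERSION < '2.5.0'
+gem 'rails', '~>4'
+else
+gem 'rails'
+end
+gem 'loofah', '~> 2.19.0'
+gem 'sinatra'
+gem 'padrino'
+gem 'grape'
+gem 'roda'
+gem 'docker-api'
+gem 'http'
+gem 'httpx'
+gem 'typhoeus'
+gem 'async-http'
+gem 'ethon'
+if RUBY_ENGINE == 'jruby'
+gem 'activerecord-jdbc-adapter'
+gem 'jdbc-sqlite3'
+gem 'activerecord-jdbcsqlite3-adapter'
+gem 'jdbc-mysql'
+gem 'activerecord-jdbcmysql-adapter'
+gem 'jdbc-postgres'
+gem 'activerecord-jdbcpostgresql-adapter'
+gem 'mongo', '2.19'
+gem 'nio4r', '<= 2.5.4'
+gem 'async', '1.32.1'
+else
+if RUBY_VERSION < '2.5.0'
+gem 'sqlite3', '~> 1.3.0'
+gem 'pg', '~>0.5'
+else
+gem 'sqlite3', '~> 1.4.0'
+gem 'pg'
+end
+gem 'mysql2'
+gem 'mongo'
+gem 'curb'
+gem 'patron'
+end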
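Review bot: The three `RUBY_VERSION` guards (`>= '3.0.0'` on line 17, `< '2.5.0'` on lines 19 and 47) compare version strings lexicographically, so they pick the wrong branch once any version component reaches two digits. Comparing parsed versions avoids that, e.g. `if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.0.0')`, and likewise for the two `< '2.5.0'` checks. Separately, the Ruby 3 branch holds Rails at `'~>6.0.0'`, a series that is past upstream security support, while most other gems here carry no constraint at all. If that pin is deliberate for compatibility testing, a short comment saying so would help, since the file list shows this Gemfile shipping inside the gem package.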
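--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,43 @@
+## New Relic Pre-Release Software Notice
+
+### Acceptance
+
+This software license applies to the repositories, directories, or files that it has been associated with (referred to here as the “Pre-Release Software”). In order to get any license under these terms, you must agree to them as both strict obligations and conditions to all your licenses.
+License
+
+New Relic, Inc. (“New Relic”) grants you a license under its copyrights and patents to do everything necessary for you to use the Pre-Release Software for the Permitted Purposes and subject to your compliance with the Confidentiality terms and all other Restrictions on Use. All other uses are prohibited.
+
+### Permitted Purposes
+
+The Pre-Release Software is solely for use with New Relic’s proprietary SaaS service (“New Relic Service”). To use the Pre-Release Software you must have a valid and active subscription agreement to the New Relic Service. You may not use the Pre-Release Software in conjunction with any other similar service.
+
+Use of the Pre-Release Software is limited to evaluation and feedback, including pull requests, of the pre-release features and capabilities. The use of the Pre-Release Software requires a signed New Relic Pre-Release Agreement. The New Relic Pre-Release Agreement will control in event of a conflict with this license. The Pre-Release Software is also subject to the New Relic pre-release policy. A copy of the New Relic Pre-release policy available at https://docs.newrelic.com/docs/licenses/license-information/referenced-policies/new-relic-pre-release-policy/.
+
+### Confidentiality
+
+Any Pre-Release Software not posted publicly contains New Relic Trade Secrets. You may not disclose the features and capabilities of the Pre-Release Software to any third party by any means. You will use commercially reasonable measures to maintain the secrecy of the features and capabilities of the Pre-Release Software. Without limiting the permissions you receive under any open source software (“OSS”) license, you may not disclose the source code of any OSS included as part of the Pre-Release Software in a way that discloses the New Relic Trade Secrets.
+
+### Restrictions on Use
+
+1. The use of the Pre-Release Software is limited to you and your organization. You cannot expose the Pre-Release Software to third parties via the network or use the Pre-Release Software on behalf of anyone else.
+2. You cannot modify the Pre-Release Software. You can compile or link the Pre-Release Software into your programs as described in the New Relic Documentation, but you cannot otherwise make any derivative works of the Pre-Release Software.
+3. You cannot reverse engineer or decompile the Pre-Release Software.
+4. You cannot use the Pre-Release Software for competitive analysis, benchmarking, or any purposes that compete with or are intended to compete with New Relic.
+5. You cannot remove or obscure any proprietary notices in the Pre-Release Software.
+6. You can only copy the Software to the extent needed to use the Pre-Release Software within your organization. You cannot distribute the Software to any third parties.
+7. You can only use the New Relic Services and the Pre-Release Software consistent with New Relic’s product Documentation and Acceptable Use Policy.
+
+### Intellectual Property
+
+Any feedback provided to New Relic about the Pre-Release Software, including feedback provided as source code, comments, or other copyrightable or patentable material, is provided to New Relic under the terms of the Apache Software License, version 2. If you do not provide attribution information or a copy of the license with your feedback, you waive the performance of those requirements of the Apache License with respect to New Relic. The license grant regarding any feedback is irrevocable and persists past the termination of this license.
+
+### Termination
+
+This license terminates when the Pre-Release Software stops being provided by New Relic or when described by the New Relic Pre-Release Agreement, whichever comes first. When this license terminates, you have a commercially reasonable time to either remove the Pre-Release Software from your systems or to upgrade to a publicly released version of the Software.
+
+### Other Terms
+
+1. The Pre-Release Software is provided “AS IS.” New Relic disclaims all warranties, whether express, implied, statutory or otherwise, including warranties of merchantability, fitness for a particular purpose, title and noninfringement.
+2. The Pre-Release Software has known flaws. You use the Pre-Release Software at your own risk.
+3. To the full extent permitted by law, New Relic will have no liability arising from or related to the Pre-Release Software or from this license for any direct, indirect, special, incidental, or consequential damages of any kind, even if advised of their possibility in advance, and regardless of legal theory (whether contract, tort, negligence, strict liability or otherwise).
+4. The Pre-Release Software may contain third-party software, including open source software. The third party software is governed by its own license and subject to its own terms, disclosed in the provided licensing information associated with the third party components. If a source code disclosure is required under the terms of the license covering any OSS component, the source code can be requested of New Relic by emailing opensource@newrelic.com.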
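--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,133 @@
+# New Relic Ruby security agent
+
+The New Relic security agent for Ruby is in public preview and is not generally available. This module enables instrumentation of Ruby applications for interactive application security analysis (IAST) and exposes exploitable vulnerabilities.
+
+**Note:** The IAST capability should only be used in pre-production environments and never in production.
+
+[![Gem Version](https://badge.fury.io/rb/newrelic_security.svg)](https://badge.fury.io/rb/newrelic_security)
+
+## Installation
+
+The software is meant to be used along with the [New Relic Ruby Agent](https://github.com/newrelic/newrelic-ruby-agent). You can see New Relic ruby agent install instructions [here](https://github.com/newrelic/newrelic-ruby-agent#installing-and-using).
+
+#### With Bundler
+For using with Bundler, add the Ruby agent to your project's Gemfile.
+
+```
+gem 'newrelic_security', require: false
+```
+
+and run `bundle install` to activate the new gem.
+
+#### Without Bundler
+If you are not using Bundler, install the gem with:
+
+```
+gem install newrelic_security
+```
+
+## Getting Started
+The newrelic_security must be explicitly enabled in order to perform IAST analysis of the application. In the newrelic.yml, set the following parameters:
+
+```
+security:
+agent:
+enabled: true
+enabled: true
+```
+
+## Support Matrix
+### Ruby Versions
+- CRuby: 2.4 or higher
+- JRuby: 9.0 or higher
+### Web frameworks
+- Rails: 4.0 or higher
+- Sinatra: 2.0 or higher
+- Padrino: 0.15 or higher
+- Grape: 1.2 or higher
+- Roda: 3.19 or higher
+- gRPC: 1 or higher
+### Web servers
+- Puma: 3 or higher
+- Unicorn: 4 or higher
+- Thin: 1 or higher
+- Passenger: 5 or higher
+- Falcon: 0.29 or higher
+- Webrick: Supported for all agent-supported versions of Ruby
+### Databases
+- Active Record: 4.0 or higher
+- Sequel: 4.45 or higher
+- MongoDB: 2.4 or higher
+- Sqlite3
+- Mysql2
+- PostgreSql
+
+### HTTP / network clients
+- Async::HTTP: 0.59.0 or higher
+- Curb: 0.8.1 or higher
+- Ethon: 0.12.0 or higher
+- Excon: 0.19.0 or higher
+- gRPC: 1.0.0 or higher
+- HttpClient: 2.2.0 or higher
+- HttpRb: 0.9.9 or higher
+- HTTPX: 1.0.0 or higher
+- Net::HTTP: Supported for all agent-supported versions of Ruby.
+- Typhoeus: 0.5.3 or higher
+- Patron: 0.10 or higher
+
+### Other
+- nokogiri
+- net-ldap
+
+### Supported Vulnerabilities
+- Remote Code Execution
+- SQL Injection
+- NoSQL Injection
+- Stored XSS
+- Reflected XSS
+- Reverse Shell attack
+- File Access
+- SSRF
+- Application Integrity Violation
+- LDAP Injection
+- XPath Injection
+
+## Testing
+We use Minitest for the Ruby Security agent.
+#### Prerequisite
+```
+rake test_bundle
+```
+#### Running All Unit tests
+The following command runs all the unit tests:
+```
+BUNDLE_GEMFILE=Gemfile_test bundle exec rake test
+```
+#### Running Specific Tests
+To run a single unit test file use the command like:
+```
+BUNDLE_GEMFILE=Gemfile_test bundle exec ruby test/newrelic_security/instrumentation-security/kernel/kernel_test.rb
+```
+
+## Feedback or Contribute
+
+Any feedback provided to New Relic about the New Relic csec-ruby-agent, including feedback provided as source code, comments, or other copyrightable or patentable material, is provided to New Relic under the terms of the Apache Software License, version 2. If you do not provide attribution information or a copy of the license with your feedback, you waive the performance of those requirements of the Apache License with respect to New Relic. The license grant regarding any feedback is irrevocable and persists past the termination of the preview license.
+
+Keep in mind that when you submit a pull request or other feedback, you'll need to sign the New Relic CSEC Agent CLA via the click-through using CLA-Assistant. You only have to sign this CLA one time per project.
+
+If you have any questions, or to execute our corporate CLA (which is required if your contribution is on behalf of a company), drop us an email at opensource@newrelic.com.
+
+**A note about vulnerabilities**
+
+As noted in our [security policy](../../security/policy), New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.
+
+If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through [HackerOne](https://hackerone.com/newrelic).
+
+If you would like to contribute to this project, review [these guidelines](./CONTRIBUTING.md).
+
+To all contributors, we thank you! Without your contribution, this project would not be what it is today. We also host a community project page dedicated to [Project Name](<LINK TO https://opensource.newrelic.com/projects/... PAGE>).
+
+## License
+The New Relic csec-ruby-agent is licensed under the New Relic Pre-Release Software Notice.
+
+The New Relic csec-ruby-agent also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the [third-party notices document](./THIRD_PARTY_NOTICES.md).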
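--- a/data/README_agent.md
+++ b/data/README_agent.md
@@ -0,0 +1,44 @@
+<a href="https://opensource.newrelic.com/oss-category/#community-project"><picture><source media="(prefers-color-scheme: dark)" srcset="https://github.com/newrelic/opensource-website/raw/main/src/images/categories/dark/Community_Project.png"><source media="(prefers-color-scheme: light)" srcset="https://github.com/newrelic/opensource-website/raw/main/src/images/categories/Community_Project.png"><img alt="New Relic Open Source community project banner." src="https://github.com/newrelic/opensource-website/raw/main/src/images/categories/Community_Project.png"></picture></a>
+
+# [Name of Project] [build badges go here when available]
+
+>[Brief description - what is the software and what value does it provide? How often should users expect to get releases? How is versioning set up? What are some next phases for the project or how will it evolve?]
+
+## Installing and using [project name]
+
+> [Link to the relevant information for this agent on docs.newrelic.com. Create a bulleted list with links to install, usage, and getting started info on docs. Avoid duplicating information from docs in the open source content to ensure there's no inconsistency between the two.]
+
+
+## Building
+
+>[**Optional** - Include this section if users will need to follow specific instructions to build the software from source. Be sure to include any third-party build dependencies that need to be installed separately. As mentioned, link to docs for install info that's already included there. Remove this section if it's not needed.]
+
+## Testing
+
+>[**Optional** - Include instructions on how to run tests if we include tests with the codebase. Remove this section if it's not needed.]
+
+## Support
+
+New Relic hosts and moderates an online forum where customers can interact with New Relic employees as well as other customers to get help and share best practices. Like all official New Relic open source projects, there's a related Community topic in the New Relic Explorers Hub. You can find this project's topic/threads here:
+
+>[Add the url for the support thread here: discuss.newrelic.com]
+
+## Contribute
+
+We encourage your contributions to improve [project name]! Keep in mind that when you submit your pull request, you'll need to sign the CLA via the click-through using CLA-Assistant. You only have to sign the CLA one time per project.
+
+If you have any questions, or to execute our corporate CLA (which is required if your contribution is on behalf of a company), drop us an email at opensource@newrelic.com.
+
+**A note about vulnerabilities**
+
+As noted in our [security policy](../../security/policy), New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.
+
+If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through [HackerOne](https://hackerone.com/newrelic).
+
+If you would like to contribute to this project, review [these guidelines](./CONTRIBUTING.md).
+
+To all contributors, we thank you! Without your contribution, this project would not be what it is today. We also host a community project page dedicated to [Project Name](<LINK TO https://opensource.newrelic.com/projects/... PAGE>).
+
+## License
+[Project name] is licensed under the [Apache 2.0](http://apache.org/licenses/LICENSE-2.0.txt) License.
+>[If applicable: The [project name] also uses source code from third-party libraries. Full details on which libraries are used and the terms under which they are licensed can be found in the third-party notices document.]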
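--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+require "#{File.dirname(__FILE__)}/lib/tasks/all.rb"
+
+desc 'Install dependencies needed to run tests'
+task :test_bundle do
+if RUBY_VERSION < '2.5.0'
+sh 'gem install bundler -v 1.17.2'
+exec('bundle _1.17.2_ install --gemfile Gemfile_test')
+else
+exec('bundle install --gemfile Gemfile_test')
+end
+end
+
+Rake::TestTask.new(:test) do |t|
+# ENV['BUNDLE_GEMFILE'] = 'Gemfile_test'
+t.libs << 'test'
+t.libs << 'lib'
+ENV['TESTOPTS'] = '--verbose'
+t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :rubocop do
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new
+end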
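Review bot: The assignment `ENV['TESTOPTS'] = '--verbose'` inside the `Rake::TestTask.new(:test)` block runs when the task is defined and overwrites whatever TESTOPTS the caller exported, so options such as a test-name filter passed on the command line are dropped. Setting the default through the task instead, `t.options = '--verbose'`, keeps verbose output while letting an explicit TESTOPTS take precedence. The commented-out `# ENV['BUNDLE_GEMFILE'] = 'Gemfile_test'` line above it is dead code, and the README already documents passing that variable on the command line, so it can be removed.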
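--- a/data/THIRD_PARTY_NOTICES.md
+++ b/data/THIRD_PARTY_NOTICES.md
@@ -0,0 +1,36 @@
+# Third Party Notices
+
+The New Relic Ruby Security Agent uses source code from third party libraries which carry
+their own copyright notices and license terms. These notices are provided
+below.
+
+In the event that a required notice is missing or incorrect, please notify us
+by e-mailing [support@newrelic.com](mailto:support@newrelic.com).
+
+
+## [websocket-client-simple](https://rubygems.org/gems/websocket-client-simple)
+
+Copyright (c) 2013-2014 Sho Hashimoto
+
+Distributed under the following license(s):
+
+* [The MIT License](http://opensource.org/licenses/MIT)
+
+
+## [event_emitter](https://rubygems.org/gems/event_emitter)
+
+Copyright (c) 2012 Sho Hashimoto
+
+Distributed under the following license(s):
+
+* [The MIT License](http://opensource.org/licenses/MIT)
+
+
+## [websocket-ruby](https://rubygems.org/gems/websocket)
+
+Copyright (c) 2012 Bernard Potocki
+
+Distributed under the following license(s):
+
+* [The MIT License](http://opensource.org/licenses/MIT)
+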
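--- a/data/lib/newrelic_security/agent/agent.rb
+++ b/data/lib/newrelic_security/agent/agent.rb
@@ -0,0 +1,109 @@
+require 'newrelic_security/agent/control/event_subscriber'
+require 'newrelic_security/agent/control/websocket_client'
+require 'newrelic_security/agent/control/event_processor'
+require 'newrelic_security/agent/control/iast_client'
+require 'newrelic_security/agent/control/iast_data_transfer_request'
+require 'newrelic_security/agent/control/control_command'
+require 'newrelic_security/agent/control/fuzz_request'
+require 'newrelic_security/agent/control/reflected_xss'
+require 'newrelic_security/agent/control/http_context'
+require 'newrelic_security/agent/control/grpc_context'
+require 'newrelic_security/agent/control/collector'
+require 'newrelic_security/agent/control/app_info'
+require 'newrelic_security/agent/control/application_url_mappings'
+require 'newrelic_security/agent/control/health_check'
+require 'newrelic_security/agent/control/event'
+require 'newrelic_security/agent/control/critical_message'
+require 'newrelic_security/agent/control/event_counter'
+require 'newrelic_security/agent/control/event_stats'
+require 'newrelic_security/agent/control/exit_event'
+require 'newrelic_security/instrumentation-security/instrumentation_loader'
+
+module NewRelic::Security
+module Agent
+class Agent
+
+attr_accessor :websocket_client, :event_processor, :iast_client, :http_request_count, :event_processed_count, :event_sent_count, :event_drop_count, :route_map, :iast_event_stats, :rasp_event_stats, :exit_event_stats
+
+def initialize
+NewRelic::Security::Agent.config
+create_agent_home
+NewRelic::Security::Agent::Utils.enable_object_space_in_jruby
+NewRelic::Security::Agent.config.save_uuid
+@started = false
+@event_subscriber = NewRelic::Security::Agent::Control::EventSubscriber.new
+@started = true
+@route_map = ::Set.new
+@http_request_count = NewRelic::Security::Agent::Control::EventCounter.new
+@event_processed_count = NewRelic::Security::Agent::Control::EventCounter.new
+@event_sent_count = NewRelic::Security::Agent::Control::EventCounter.new
+@event_drop_count = NewRelic::Security::Agent::Control::EventCounter.new
+@iast_event_stats = NewRelic::Security::Agent::Control::EventStats.new
+@rasp_event_stats = NewRelic::Security::Agent::Control::EventStats.new
+@exit_event_stats = NewRelic::Security::Agent::Control::EventStats.new
+end
+
+def init
+NewRelic::Security::Agent.logger.info "Initializing Security Agent with config : #{NewRelic::Security::Agent::Utils.filtered_log(NewRelic::Security::Agent.config.inspect)}\n"
+@ready = false
+start_event_processor
+start_websocket_client
+NewRelic::Security::Instrumentation::InstrumentationLoader.add_instrumentation()
+NewRelic::Security::Agent.logger.info "Security Agent ready.\n"
+NewRelic::Security::Agent.init_logger.info "Security Agent ready.\n"
+@ready = true
+rescue Exception => exception
+NewRelic::Security::Agent.logger.error "Exception in security agent init: #{exception.inspect} #{exception.backtrace}\n"
+end
+
+def start_websocket_client
+NewRelic::Security::Agent::Control::WebsocketClient.instance.close(false) if NewRelic::Security::Agent::Control::WebsocketClient.instance.is_open?
+@websocket_client = NewRelic::Security::Agent::Control::WebsocketClient.instance.connect
+end
+
+def start_event_processor
+@event_processor&.event_dequeue_thread&.kill
+@event_processor&.healthcheck_thread&.kill
+@event_processor = nil
+@event_processor = NewRelic::Security::Agent::Control::EventProcessor.new
+end
+
+def start_iast_client
+@iast_client&.iast_dequeue_threads&.each { |t| t.kill if t }
+@iast_client&.iast_data_transfer_request_processor_thread&.kill
+@iast_client = nil
+@iast_client = NewRelic::Security::Agent::Control::IASTClient.new
+end
+
+def self.config
+::NewRelic::Security::Agent.config
+end
+
+def add_instrumentation
+
+end
+
+def create_agent_home
+log_dir = ::File.join(NewRelic::Security::Agent.config[:log_file_path], SEC_HOME_PATH, LOGS_DIR)
+find_or_create_file_path(log_dir)
+tmp_dir = ::File.join(NewRelic::Security::Agent.config[:log_file_path], SEC_HOME_PATH, TMP_DIR)
+find_or_create_file_path(tmp_dir)
+end
+
+def find_or_create_file_path(path)
+::FileUtils.mkdir_p(path) unless ::File.directory?(path)
+::File.directory?(path)
+rescue
+return false
+end
+
+def reconnect(sleep_time = 15)
+NewRelic::Security::Agent::Control::WebsocketClient.instance.close(false) if NewRelic::Security::Agent::Control::WebsocketClient.instance.is_open?
+NewRelic::Security::Agent.logger.info "Trying to reconnect to websocket connection in #{sleep_time} sec..."
+sleep sleep_time
+NewRelic::Security::Agent.agent.start_websocket_client
+end
+
+end
+end
+end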
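Review bot: The `rescue Exception => exception` that closes `init` also traps `SystemExit`, `Interrupt` and `NoMemoryError`, so a shutdown signal arriving during agent start-up is logged and discarded while `@ready` stays false with nothing reporting that state to the caller. If the intent is to keep instrumentation load failures away from the host application, `rescue StandardError, ScriptError => exception` covers those without swallowing process-level exceptions. A related silent failure is in `find_or_create_file_path`, where the bare `rescue` returns false and `create_agent_home` discards the result, so a log or tmp directory that cannot be created under the configured `log_file_path` goes unnoticed. Logging that failure and creating the directories with an explicit mode, for example `::FileUtils.mkdir_p(path, mode: 0o750)`, would keep the permissions on the agent's log location from depending on the process umask. Whether those logs carry sensitive request data is not visible in this file and is worth confirming.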