tcell_agent 0.2.19 → 0.2.21
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/LICENSE_libinjection +32 -0
- data/Rakefile +14 -1
- data/ext/libinjection/extconf.rb +3 -0
- data/ext/libinjection/libinjection.h +65 -0
- data/ext/libinjection/libinjection_html5.c +847 -0
- data/ext/libinjection/libinjection_html5.h +54 -0
- data/ext/libinjection/libinjection_sqli.c +2317 -0
- data/ext/libinjection/libinjection_sqli.h +295 -0
- data/ext/libinjection/libinjection_sqli_data.h +9004 -0
- data/ext/libinjection/libinjection_wrap.c +3525 -0
- data/ext/libinjection/libinjection_xss.c +531 -0
- data/ext/libinjection/libinjection_xss.h +21 -0
- data/lib/tcell_agent/configuration.rb +0 -48
- data/lib/tcell_agent/logger.rb +1 -0
- data/lib/tcell_agent/policies/appsensor/database_sensor.rb +8 -20
- data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +30 -46
- data/lib/tcell_agent/policies/appsensor/login_sensor.rb +1 -4
- data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +8 -22
- data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +143 -0
- data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +3 -1
- data/lib/tcell_agent/policies/appsensor/sensor.rb +21 -2
- data/lib/tcell_agent/policies/appsensor/size_sensor.rb +3 -1
- data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +9 -0
- data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +1 -5
- data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +9 -1
- data/lib/tcell_agent/policies/appsensor_policy.rb +40 -19
- data/lib/tcell_agent/policies/http_redirect_policy.rb +12 -2
- data/lib/tcell_agent/rails/csrf_exception.rb +1 -1
- data/lib/tcell_agent/rails/dlp.rb +98 -76
- data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -2
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +2 -2
- data/lib/tcell_agent/rails/on_start.rb +53 -20
- data/lib/tcell_agent/sensor_events/appsensor_event.rb +12 -19
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +7 -2
- data/lib/tcell_agent/sensor_events/sensor.rb +10 -11
- data/lib/tcell_agent/sensor_events/server_agent.rb +17 -12
- data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +148 -139
- data/lib/tcell_agent/utils/params.rb +24 -21
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/lib/tcell_agent/configuration_spec.rb +0 -179
- data/spec/lib/tcell_agent/policies/appsensor/database_sensor_spec.rb +6 -4
- data/spec/lib/tcell_agent/policies/appsensor/misc_sensor_spec.rb +31 -22
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_apply_spec.rb +466 -0
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_from_json_spec.rb +890 -0
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +484 -0
- data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +4 -3
- data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +85 -0
- data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb +36 -16
- data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +188 -312
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +61 -0
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +18 -11
- data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +14 -15
- data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +1 -1
- data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +6 -5
- data/spec/lib/tcell_agent/utils/params_spec.rb +28 -108
- data/tcell_agent.gemspec +21 -1
- metadata +37 -4
@@ -1,3 +1,5 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
|
1
3
|
require 'spec_helper'
|
2
4
|
|
3
5
|
module TCellAgent
|
@@ -166,6 +168,48 @@ module TCellAgent
|
|
166
168
|
@sensor = XssSensor.new({"enabled" => true})
|
167
169
|
end
|
168
170
|
|
171
|
+
context "with libinjection enabled" do
|
172
|
+
context "with param value that doesn't match any vulnerabilities" do
|
173
|
+
it "should return nil" do
|
174
|
+
@sensor.libinjection = true
|
175
|
+
|
176
|
+
ruleset = double("ruleset")
|
177
|
+
expect(@sensor).to receive(:get_ruleset).and_return(ruleset)
|
178
|
+
expect(ruleset).to receive(:check_violation).with(
|
179
|
+
"param", "value", {}, false
|
180
|
+
).and_return(nil)
|
181
|
+
|
182
|
+
expect(@sensor.find_vulnerability("param", "value")).to eq(nil)
|
183
|
+
end
|
184
|
+
|
185
|
+
context "and it has utf-8 chars" do
|
186
|
+
it "should return nil but not fail miserably" do
|
187
|
+
@sensor.libinjection = true
|
188
|
+
|
189
|
+
ruleset = double("ruleset")
|
190
|
+
expect(@sensor).to receive(:get_ruleset).and_return(ruleset)
|
191
|
+
expect(ruleset).to receive(:check_violation).with(
|
192
|
+
"param", "Müller", {}, false
|
193
|
+
).and_return(nil)
|
194
|
+
|
195
|
+
expect(@sensor.find_vulnerability("param", "Müller")).to eq(nil)
|
196
|
+
end
|
197
|
+
end
|
198
|
+
end
|
199
|
+
|
200
|
+
context "with param value that matches a vulnerability" do
|
201
|
+
it "should return the param and it's value" do
|
202
|
+
@sensor.libinjection = true
|
203
|
+
|
204
|
+
expect(@sensor).to_not receive(:get_ruleset)
|
205
|
+
|
206
|
+
expect(@sensor.find_vulnerability("param_name", "<script>")).to eq(
|
207
|
+
{"param"=>"param_name", "value"=>"<script>", "pattern"=>"li"}
|
208
|
+
)
|
209
|
+
end
|
210
|
+
end
|
211
|
+
end
|
212
|
+
|
169
213
|
context "with no ruleset" do
|
170
214
|
it "should return nil" do
|
171
215
|
expect(@sensor).to receive(:get_ruleset).and_return(nil)
|
@@ -203,6 +247,8 @@ module TCellAgent
|
|
203
247
|
|
204
248
|
describe "#check" do
|
205
249
|
before(:each) do
|
250
|
+
@payloads_policy = double("payloads_policy")
|
251
|
+
|
206
252
|
@meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
|
207
253
|
@meta.remote_address = "remote_address"
|
208
254
|
@meta.method = "get"
|
@@ -215,8 +261,10 @@ module TCellAgent
|
|
215
261
|
|
216
262
|
context "disabled sensor" do
|
217
263
|
it "should return false" do
|
264
|
+
expect(@payloads_policy).to_not receive(:apply)
|
265
|
+
|
218
266
|
sensor = XssSensor.new({"enabled" => false})
|
219
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
267
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
220
268
|
|
221
269
|
expect(result).to eq(false)
|
222
270
|
end
|
@@ -229,8 +277,16 @@ module TCellAgent
|
|
229
277
|
|
230
278
|
context "param has NO vulnerability" do
|
231
279
|
it "should return false" do
|
280
|
+
expect(@payloads_policy).to_not receive(:apply)
|
281
|
+
|
232
282
|
sensor = XssSensor.new({"enabled" => false})
|
233
|
-
result = sensor.check(
|
283
|
+
result = sensor.check(
|
284
|
+
XssSensor::GET_PARAM,
|
285
|
+
@meta,
|
286
|
+
"param_name",
|
287
|
+
"param_value",
|
288
|
+
@payloads_policy
|
289
|
+
)
|
234
290
|
|
235
291
|
expect(result).to eq(false)
|
236
292
|
end
|
@@ -238,7 +294,7 @@ module TCellAgent
|
|
238
294
|
context "no excluded routes" do
|
239
295
|
it "should return false" do
|
240
296
|
sensor = XssSensor.new({"enabled" => false, "exclude_routes" => []})
|
241
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
297
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
242
298
|
|
243
299
|
expect(result).to eq(false)
|
244
300
|
end
|
@@ -248,7 +304,7 @@ module TCellAgent
|
|
248
304
|
context "route id matches" do
|
249
305
|
it "should return false" do
|
250
306
|
sensor = XssSensor.new({"enabled" => false, "exclude_routes" => ["route_id"]})
|
251
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
307
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
252
308
|
|
253
309
|
expect(result).to eq(false)
|
254
310
|
end
|
@@ -256,7 +312,7 @@ module TCellAgent
|
|
256
312
|
context "route id does not match" do
|
257
313
|
it "should return false" do
|
258
314
|
sensor = XssSensor.new({"enabled" => false, "exclude_routes" => ["unmatching_route_id"]})
|
259
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
315
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
260
316
|
|
261
317
|
expect(result).to eq(false)
|
262
318
|
end
|
@@ -265,17 +321,64 @@ module TCellAgent
|
|
265
321
|
end
|
266
322
|
|
267
323
|
context "param has a vulnerability" do
|
324
|
+
context "param is a URI param" do
|
325
|
+
context "exclude forms sensor" do
|
326
|
+
it "should return false" do
|
327
|
+
@sensor.exclude_forms = true
|
328
|
+
@sensor.exclude_cookies = false
|
329
|
+
|
330
|
+
expect(@payloads_policy).to_not receive(:apply)
|
331
|
+
expect(@sensor).to_not receive(:find_vulnerability)
|
332
|
+
expect(@sensor).to_not receive(:send_event)
|
333
|
+
|
334
|
+
result = @sensor.check(XssSensor::URI_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
335
|
+
|
336
|
+
expect(result).to eq(false)
|
337
|
+
end
|
338
|
+
end
|
339
|
+
|
340
|
+
context "exclude cookies sensor" do
|
341
|
+
it "should return true" do
|
342
|
+
@sensor.exclude_forms = false
|
343
|
+
@sensor.exclude_cookies = true
|
344
|
+
|
345
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
346
|
+
expect(@sensor).to receive(:find_vulnerability).and_return(
|
347
|
+
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
348
|
+
)
|
349
|
+
expect(@sensor).to receive(:send_event).with(
|
350
|
+
@meta,
|
351
|
+
"xss",
|
352
|
+
"vuln_param",
|
353
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::URI_PARAM]},
|
354
|
+
"vuln_value",
|
355
|
+
"1"
|
356
|
+
)
|
357
|
+
|
358
|
+
result = @sensor.check(XssSensor::URI_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
359
|
+
|
360
|
+
expect(result).to eq(true)
|
361
|
+
end
|
362
|
+
end
|
363
|
+
end
|
364
|
+
|
268
365
|
context "param is a GET param" do
|
269
366
|
context "exclude forms sensor" do
|
270
367
|
it "should return false" do
|
271
368
|
@sensor.exclude_forms = true
|
272
369
|
@sensor.exclude_cookies = false
|
273
370
|
|
274
|
-
expect(
|
371
|
+
expect(@payloads_policy).to_not receive(:apply)
|
275
372
|
expect(@sensor).to_not receive(:find_vulnerability)
|
276
373
|
expect(@sensor).to_not receive(:send_event)
|
277
374
|
|
278
|
-
result = @sensor.check(
|
375
|
+
result = @sensor.check(
|
376
|
+
XssSensor::GET_PARAM,
|
377
|
+
@meta,
|
378
|
+
"param_name",
|
379
|
+
"param_value",
|
380
|
+
@payloads_policy
|
381
|
+
)
|
279
382
|
|
280
383
|
expect(result).to eq(false)
|
281
384
|
end
|
@@ -286,11 +389,11 @@ module TCellAgent
|
|
286
389
|
@sensor.exclude_cookies = false
|
287
390
|
@sensor.excluded_route_ids = {}
|
288
391
|
|
289
|
-
expect(
|
392
|
+
expect(@payloads_policy).to_not receive(:apply)
|
290
393
|
expect(@sensor).to_not receive(:find_vulnerability)
|
291
394
|
expect(@sensor).to_not receive(:send_event)
|
292
395
|
|
293
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
396
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
294
397
|
|
295
398
|
expect(result).to eq(false)
|
296
399
|
end
|
@@ -303,11 +406,11 @@ module TCellAgent
|
|
303
406
|
@sensor.exclude_cookies = false
|
304
407
|
@sensor.excluded_route_ids = {"route_id" => true}
|
305
408
|
|
306
|
-
expect(
|
409
|
+
expect(@payloads_policy).to_not receive(:apply)
|
307
410
|
expect(@sensor).to_not receive(:find_vulnerability)
|
308
411
|
expect(@sensor).to_not receive(:send_event)
|
309
412
|
|
310
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
413
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
311
414
|
|
312
415
|
expect(result).to eq(false)
|
313
416
|
end
|
@@ -318,11 +421,11 @@ module TCellAgent
|
|
318
421
|
@sensor.exclude_cookies = false
|
319
422
|
@sensor.excluded_route_ids = {"unmatching_route_id" => true}
|
320
423
|
|
321
|
-
expect(
|
424
|
+
expect(@payloads_policy).to_not receive(:apply)
|
322
425
|
expect(@sensor).to_not receive(:find_vulnerability)
|
323
426
|
expect(@sensor).to_not receive(:send_event)
|
324
427
|
|
325
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
428
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
326
429
|
|
327
430
|
expect(result).to eq(false)
|
328
431
|
end
|
@@ -334,290 +437,53 @@ module TCellAgent
|
|
334
437
|
it "should return true" do
|
335
438
|
@sensor.exclude_forms = false
|
336
439
|
@sensor.exclude_cookies = true
|
337
|
-
configuration = double(
|
338
|
-
"configuration",
|
339
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
340
|
-
allow_unencrypted_appfirewall_payloads: true,
|
341
|
-
blacklisted_params: {},
|
342
|
-
whitelist_present: false
|
343
|
-
)
|
344
440
|
|
345
441
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
346
442
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
347
443
|
)
|
348
|
-
expect(
|
444
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
349
445
|
expect(@sensor).to receive(:send_event).with(
|
350
446
|
@meta,
|
351
447
|
"xss",
|
352
448
|
"vuln_param",
|
353
|
-
{"
|
449
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::GET_PARAM]},
|
354
450
|
"vuln_value",
|
355
451
|
"1"
|
356
452
|
)
|
357
453
|
|
358
|
-
result = @sensor.check(
|
454
|
+
result = @sensor.check(
|
455
|
+
XssSensor::GET_PARAM,
|
456
|
+
@meta,
|
457
|
+
"param_name",
|
458
|
+
"param_value",
|
459
|
+
@payloads_policy
|
460
|
+
)
|
359
461
|
|
360
462
|
expect(result).to eq(true)
|
361
463
|
end
|
362
464
|
|
363
|
-
context "allow_unencrypted_appfirewall_payloads is false" do
|
364
|
-
context "param is blacklisted" do
|
365
|
-
it "should return true" do
|
366
|
-
@sensor.exclude_forms = false
|
367
|
-
@sensor.exclude_cookies = true
|
368
|
-
|
369
|
-
configuration = double(
|
370
|
-
"configuration",
|
371
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
372
|
-
allow_unencrypted_appfirewall_payloads: false,
|
373
|
-
blacklisted_params: {"vuln_param" => true},
|
374
|
-
whitelist_present: false
|
375
|
-
)
|
376
|
-
|
377
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
378
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
379
|
-
)
|
380
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
381
|
-
expect(@sensor).to receive(:send_event).with(
|
382
|
-
@meta,
|
383
|
-
"xss",
|
384
|
-
"vuln_param",
|
385
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
386
|
-
nil,
|
387
|
-
"1"
|
388
|
-
)
|
389
|
-
|
390
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
391
|
-
|
392
|
-
expect(result).to eq(true)
|
393
|
-
end
|
394
|
-
end
|
395
|
-
|
396
|
-
context "param is whitelisted" do
|
397
|
-
it "should return true" do
|
398
|
-
@sensor.exclude_forms = false
|
399
|
-
@sensor.exclude_cookies = true
|
400
|
-
|
401
|
-
configuration = double(
|
402
|
-
"configuration",
|
403
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
404
|
-
allow_unencrypted_appfirewall_payloads: false,
|
405
|
-
blacklisted_params: {},
|
406
|
-
whitelist_present: true,
|
407
|
-
whitelisted_params: {"vuln_param" => true}
|
408
|
-
)
|
409
|
-
|
410
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
411
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
412
|
-
)
|
413
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
414
|
-
expect(@sensor).to receive(:send_event).with(
|
415
|
-
@meta,
|
416
|
-
"xss",
|
417
|
-
"vuln_param",
|
418
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
419
|
-
nil,
|
420
|
-
"1"
|
421
|
-
)
|
422
|
-
|
423
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
424
|
-
|
425
|
-
expect(result).to eq(true)
|
426
|
-
end
|
427
|
-
end
|
428
|
-
|
429
|
-
context "params is not blacklisted and there is no whitelist" do
|
430
|
-
it "should return true" do
|
431
|
-
@sensor.exclude_forms = false
|
432
|
-
@sensor.exclude_cookies = true
|
433
|
-
|
434
|
-
configuration = double(
|
435
|
-
"configuration",
|
436
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
437
|
-
allow_unencrypted_appfirewall_payloads: false,
|
438
|
-
blacklisted_params: {},
|
439
|
-
whitelist_present: false
|
440
|
-
)
|
441
|
-
|
442
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
443
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
444
|
-
)
|
445
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
446
|
-
expect(@sensor).to receive(:send_event).with(
|
447
|
-
@meta,
|
448
|
-
"xss",
|
449
|
-
"vuln_param",
|
450
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
451
|
-
nil,
|
452
|
-
"1"
|
453
|
-
)
|
454
|
-
|
455
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
456
|
-
|
457
|
-
expect(result).to eq(true)
|
458
|
-
end
|
459
|
-
end
|
460
|
-
end
|
461
|
-
|
462
|
-
context "allow_unencrypted_appfirewall_payloads is true" do
|
463
|
-
context "params is blacklisted" do
|
464
|
-
it "should return true" do
|
465
|
-
@sensor.exclude_forms = false
|
466
|
-
@sensor.exclude_cookies = true
|
467
|
-
|
468
|
-
configuration = double(
|
469
|
-
"configuration",
|
470
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
471
|
-
allow_unencrypted_appfirewall_payloads: true,
|
472
|
-
blacklisted_params: {"vuln_param" => true},
|
473
|
-
whitelist_present: false
|
474
|
-
)
|
475
|
-
|
476
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
477
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
478
|
-
)
|
479
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
480
|
-
expect(@sensor).to receive(:send_event).with(
|
481
|
-
@meta,
|
482
|
-
"xss",
|
483
|
-
"vuln_param",
|
484
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
485
|
-
"BLACKLISTED",
|
486
|
-
"1"
|
487
|
-
)
|
488
|
-
|
489
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
490
|
-
|
491
|
-
expect(result).to eq(true)
|
492
|
-
end
|
493
|
-
end
|
494
|
-
|
495
|
-
context "param is whitelisted" do
|
496
|
-
it "should return true" do
|
497
|
-
@sensor.exclude_forms = false
|
498
|
-
@sensor.exclude_cookies = true
|
499
|
-
|
500
|
-
configuration = double(
|
501
|
-
"configuration",
|
502
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
503
|
-
allow_unencrypted_appfirewall_payloads: true,
|
504
|
-
blacklisted_params: {},
|
505
|
-
whitelist_present: true,
|
506
|
-
whitelisted_params: {"vuln_param" => true}
|
507
|
-
)
|
508
|
-
|
509
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
510
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
511
|
-
)
|
512
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
513
|
-
expect(@sensor).to receive(:send_event).with(
|
514
|
-
@meta,
|
515
|
-
"xss",
|
516
|
-
"vuln_param",
|
517
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
518
|
-
"vuln_value",
|
519
|
-
"1"
|
520
|
-
)
|
521
|
-
|
522
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
523
|
-
|
524
|
-
expect(result).to eq(true)
|
525
|
-
end
|
526
|
-
end
|
527
|
-
|
528
|
-
context "param is blacklisted and whitelisted" do
|
529
|
-
it "should return true" do
|
530
|
-
@sensor.exclude_forms = false
|
531
|
-
@sensor.exclude_cookies = true
|
532
|
-
|
533
|
-
configuration = double(
|
534
|
-
"configuration",
|
535
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
536
|
-
allow_unencrypted_appfirewall_payloads: true,
|
537
|
-
blacklisted_params: {"vuln_param" => true},
|
538
|
-
whitelist_present: true,
|
539
|
-
whitelisted_params: {"vuln_param" => true}
|
540
|
-
)
|
541
|
-
|
542
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
543
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
544
|
-
)
|
545
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
546
|
-
expect(@sensor).to receive(:send_event).with(
|
547
|
-
@meta,
|
548
|
-
"xss",
|
549
|
-
"vuln_param",
|
550
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
551
|
-
"BLACKLISTED",
|
552
|
-
"1"
|
553
|
-
)
|
554
|
-
|
555
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
556
|
-
|
557
|
-
expect(result).to eq(true)
|
558
|
-
end
|
559
|
-
end
|
560
|
-
|
561
|
-
context "params is not blacklisted and there is no whitelist" do
|
562
|
-
it "should return true" do
|
563
|
-
@sensor.exclude_forms = false
|
564
|
-
@sensor.exclude_cookies = true
|
565
|
-
|
566
|
-
configuration = double(
|
567
|
-
"configuration",
|
568
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
569
|
-
allow_unencrypted_appfirewall_payloads: true,
|
570
|
-
blacklisted_params: {},
|
571
|
-
whitelist_present: false
|
572
|
-
)
|
573
|
-
|
574
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
575
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
576
|
-
)
|
577
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
578
|
-
expect(@sensor).to receive(:send_event).with(
|
579
|
-
@meta,
|
580
|
-
"xss",
|
581
|
-
"vuln_param",
|
582
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
583
|
-
"vuln_value",
|
584
|
-
"1"
|
585
|
-
)
|
586
|
-
|
587
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
588
|
-
|
589
|
-
expect(result).to eq(true)
|
590
|
-
end
|
591
|
-
end
|
592
|
-
end
|
593
|
-
|
594
465
|
context "no excluded routes" do
|
595
466
|
it "should return true" do
|
596
467
|
@sensor.exclude_forms = false
|
597
468
|
@sensor.exclude_cookies = true
|
598
469
|
@sensor.excluded_route_ids = {}
|
599
|
-
configuration = double(
|
600
|
-
"configuration",
|
601
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
602
|
-
allow_unencrypted_appfirewall_payloads: true,
|
603
|
-
blacklisted_params: {},
|
604
|
-
whitelist_present: false
|
605
|
-
)
|
606
470
|
|
607
471
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
608
472
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
609
473
|
)
|
610
|
-
expect(
|
474
|
+
expect(@payloads_policy).to receive(:apply).with(
|
475
|
+
"xss", {}, "get", "vuln_param", "vuln_value", {"l"=>"query"}, "1"
|
476
|
+
).and_return("vuln_value")
|
611
477
|
expect(@sensor).to receive(:send_event).with(
|
612
478
|
@meta,
|
613
479
|
"xss",
|
614
480
|
"vuln_param",
|
615
|
-
{"
|
481
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::GET_PARAM]},
|
616
482
|
"vuln_value",
|
617
483
|
"1"
|
618
484
|
)
|
619
485
|
|
620
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
486
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
621
487
|
|
622
488
|
expect(result).to eq(true)
|
623
489
|
end
|
@@ -630,11 +496,11 @@ module TCellAgent
|
|
630
496
|
@sensor.exclude_cookies = true
|
631
497
|
@sensor.excluded_route_ids = {"route_id" => true}
|
632
498
|
|
633
|
-
expect(TCellAgent).to_not receive(:configuration)
|
634
499
|
expect(@sensor).to_not receive(:find_vulnerability)
|
500
|
+
expect(@payloads_policy).to_not receive(:apply)
|
635
501
|
expect(@sensor).to_not receive(:send_event)
|
636
502
|
|
637
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
503
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
638
504
|
|
639
505
|
expect(result).to eq(false)
|
640
506
|
end
|
@@ -645,28 +511,23 @@ module TCellAgent
|
|
645
511
|
@sensor.exclude_forms = false
|
646
512
|
@sensor.exclude_cookies = true
|
647
513
|
@sensor.excluded_route_ids = {"unmatching_route_id" => true}
|
648
|
-
configuration = double(
|
649
|
-
"configuration",
|
650
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
651
|
-
allow_unencrypted_appfirewall_payloads: true,
|
652
|
-
blacklisted_params: {},
|
653
|
-
whitelist_present: false
|
654
|
-
)
|
655
514
|
|
656
515
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
657
516
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
658
517
|
)
|
659
|
-
expect(
|
518
|
+
expect(@payloads_policy).to receive(:apply).with(
|
519
|
+
"xss", {}, "get", "vuln_param", "vuln_value", {"l"=>"query"}, "1"
|
520
|
+
).and_return("vuln_value")
|
660
521
|
expect(@sensor).to receive(:send_event).with(
|
661
522
|
@meta,
|
662
523
|
"xss",
|
663
524
|
"vuln_param",
|
664
|
-
{"
|
525
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::GET_PARAM]},
|
665
526
|
"vuln_value",
|
666
527
|
"1"
|
667
528
|
)
|
668
529
|
|
669
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
530
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
670
531
|
|
671
532
|
expect(result).to eq(true)
|
672
533
|
end
|
@@ -681,11 +542,17 @@ module TCellAgent
|
|
681
542
|
@sensor.exclude_forms = true
|
682
543
|
@sensor.exclude_cookies = false
|
683
544
|
|
684
|
-
expect(
|
545
|
+
expect(@payloads_policy).to_not receive(:apply)
|
685
546
|
expect(@sensor).to_not receive(:find_vulnerability)
|
686
547
|
expect(@sensor).to_not receive(:send_event)
|
687
548
|
|
688
|
-
result = @sensor.check(
|
549
|
+
result = @sensor.check(
|
550
|
+
XssSensor::POST_PARAM,
|
551
|
+
@meta,
|
552
|
+
"param_name",
|
553
|
+
"param_value",
|
554
|
+
@payloads_policy
|
555
|
+
)
|
689
556
|
|
690
557
|
expect(result).to eq(false)
|
691
558
|
end
|
@@ -695,28 +562,27 @@ module TCellAgent
|
|
695
562
|
it "should return true" do
|
696
563
|
@sensor.exclude_forms = false
|
697
564
|
@sensor.exclude_cookies = true
|
698
|
-
configuration = double(
|
699
|
-
"configuration",
|
700
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
701
|
-
allow_unencrypted_appfirewall_payloads: true,
|
702
|
-
blacklisted_params: {},
|
703
|
-
whitelist_present: false
|
704
|
-
)
|
705
565
|
|
706
566
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
707
567
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
708
568
|
)
|
709
|
-
expect(
|
569
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
710
570
|
expect(@sensor).to receive(:send_event).with(
|
711
571
|
@meta,
|
712
572
|
"xss",
|
713
573
|
"vuln_param",
|
714
|
-
{"
|
574
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::POST_PARAM]},
|
715
575
|
"vuln_value",
|
716
576
|
"1"
|
717
577
|
)
|
718
578
|
|
719
|
-
result = @sensor.check(
|
579
|
+
result = @sensor.check(
|
580
|
+
XssSensor::POST_PARAM,
|
581
|
+
@meta,
|
582
|
+
"param_name",
|
583
|
+
"param_value",
|
584
|
+
@payloads_policy
|
585
|
+
)
|
720
586
|
|
721
587
|
expect(result).to eq(true)
|
722
588
|
end
|
@@ -729,11 +595,17 @@ module TCellAgent
|
|
729
595
|
@sensor.exclude_forms = true
|
730
596
|
@sensor.exclude_cookies = false
|
731
597
|
|
732
|
-
expect(
|
598
|
+
expect(@payloads_policy).to_not receive(:apply)
|
733
599
|
expect(@sensor).to_not receive(:find_vulnerability)
|
734
600
|
expect(@sensor).to_not receive(:send_event)
|
735
601
|
|
736
|
-
result = @sensor.check(
|
602
|
+
result = @sensor.check(
|
603
|
+
XssSensor::JSON_PARAM,
|
604
|
+
@meta,
|
605
|
+
"param_name",
|
606
|
+
"param_value",
|
607
|
+
@payloads_policy
|
608
|
+
)
|
737
609
|
|
738
610
|
expect(result).to eq(false)
|
739
611
|
end
|
@@ -743,28 +615,27 @@ module TCellAgent
|
|
743
615
|
it "should return true" do
|
744
616
|
@sensor.exclude_forms = false
|
745
617
|
@sensor.exclude_cookies = true
|
746
|
-
configuration = double(
|
747
|
-
"configuration",
|
748
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
749
|
-
allow_unencrypted_appfirewall_payloads: true,
|
750
|
-
blacklisted_params: {},
|
751
|
-
whitelist_present: false
|
752
|
-
)
|
753
618
|
|
754
619
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
755
620
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
756
621
|
)
|
757
|
-
expect(
|
622
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
758
623
|
expect(@sensor).to receive(:send_event).with(
|
759
624
|
@meta,
|
760
625
|
"xss",
|
761
626
|
"vuln_param",
|
762
|
-
{"
|
627
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::JSON_PARAM]},
|
763
628
|
"vuln_value",
|
764
629
|
"1"
|
765
630
|
)
|
766
631
|
|
767
|
-
result = @sensor.check(
|
632
|
+
result = @sensor.check(
|
633
|
+
XssSensor::JSON_PARAM,
|
634
|
+
@meta,
|
635
|
+
"param_name",
|
636
|
+
"param_value",
|
637
|
+
@payloads_policy
|
638
|
+
)
|
768
639
|
|
769
640
|
expect(result).to eq(true)
|
770
641
|
end
|
@@ -776,28 +647,27 @@ module TCellAgent
|
|
776
647
|
it "should return true" do
|
777
648
|
@sensor.exclude_forms = true
|
778
649
|
@sensor.exclude_cookies = false
|
779
|
-
configuration = double(
|
780
|
-
"configuration",
|
781
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
782
|
-
allow_unencrypted_appfirewall_payloads: true,
|
783
|
-
blacklisted_params: {},
|
784
|
-
whitelist_present: false
|
785
|
-
)
|
786
650
|
|
787
651
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
788
652
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
789
653
|
)
|
790
|
-
expect(
|
654
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
791
655
|
expect(@sensor).to receive(:send_event).with(
|
792
656
|
@meta,
|
793
657
|
"xss",
|
794
658
|
"vuln_param",
|
795
|
-
{"
|
659
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::COOKIE_PARAM]},
|
796
660
|
"vuln_value",
|
797
661
|
"1"
|
798
662
|
)
|
799
663
|
|
800
|
-
result = @sensor.check(
|
664
|
+
result = @sensor.check(
|
665
|
+
XssSensor::COOKIE_PARAM,
|
666
|
+
@meta,
|
667
|
+
"param_name",
|
668
|
+
"param_value",
|
669
|
+
@payloads_policy
|
670
|
+
)
|
801
671
|
|
802
672
|
expect(result).to eq(true)
|
803
673
|
end
|
@@ -808,11 +678,17 @@ module TCellAgent
|
|
808
678
|
@sensor.exclude_forms = false
|
809
679
|
@sensor.exclude_cookies = true
|
810
680
|
|
811
|
-
expect(TCellAgent).to_not receive(:configuration)
|
812
681
|
expect(@sensor).to_not receive(:find_vulnerability)
|
682
|
+
expect(@payloads_policy).to_not receive(:apply)
|
813
683
|
expect(@sensor).to_not receive(:send_event)
|
814
684
|
|
815
|
-
result = @sensor.check(
|
685
|
+
result = @sensor.check(
|
686
|
+
XssSensor::COOKIE_PARAM,
|
687
|
+
@meta,
|
688
|
+
"param_name",
|
689
|
+
"param_value",
|
690
|
+
@payloads_policy
|
691
|
+
)
|
816
692
|
|
817
693
|
expect(result).to eq(false)
|
818
694
|
end
|