tcell_agent 0.2.19 → 0.2.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/LICENSE_libinjection +32 -0
- data/Rakefile +14 -1
- data/ext/libinjection/extconf.rb +3 -0
- data/ext/libinjection/libinjection.h +65 -0
- data/ext/libinjection/libinjection_html5.c +847 -0
- data/ext/libinjection/libinjection_html5.h +54 -0
- data/ext/libinjection/libinjection_sqli.c +2317 -0
- data/ext/libinjection/libinjection_sqli.h +295 -0
- data/ext/libinjection/libinjection_sqli_data.h +9004 -0
- data/ext/libinjection/libinjection_wrap.c +3525 -0
- data/ext/libinjection/libinjection_xss.c +531 -0
- data/ext/libinjection/libinjection_xss.h +21 -0
- data/lib/tcell_agent/configuration.rb +0 -48
- data/lib/tcell_agent/logger.rb +1 -0
- data/lib/tcell_agent/policies/appsensor/database_sensor.rb +8 -20
- data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +30 -46
- data/lib/tcell_agent/policies/appsensor/login_sensor.rb +1 -4
- data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +8 -22
- data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +143 -0
- data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +3 -1
- data/lib/tcell_agent/policies/appsensor/sensor.rb +21 -2
- data/lib/tcell_agent/policies/appsensor/size_sensor.rb +3 -1
- data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +9 -0
- data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +1 -5
- data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +9 -1
- data/lib/tcell_agent/policies/appsensor_policy.rb +40 -19
- data/lib/tcell_agent/policies/http_redirect_policy.rb +12 -2
- data/lib/tcell_agent/rails/csrf_exception.rb +1 -1
- data/lib/tcell_agent/rails/dlp.rb +98 -76
- data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -2
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +2 -2
- data/lib/tcell_agent/rails/on_start.rb +53 -20
- data/lib/tcell_agent/sensor_events/appsensor_event.rb +12 -19
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +7 -2
- data/lib/tcell_agent/sensor_events/sensor.rb +10 -11
- data/lib/tcell_agent/sensor_events/server_agent.rb +17 -12
- data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +148 -139
- data/lib/tcell_agent/utils/params.rb +24 -21
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/lib/tcell_agent/configuration_spec.rb +0 -179
- data/spec/lib/tcell_agent/policies/appsensor/database_sensor_spec.rb +6 -4
- data/spec/lib/tcell_agent/policies/appsensor/misc_sensor_spec.rb +31 -22
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_apply_spec.rb +466 -0
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_from_json_spec.rb +890 -0
- data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +484 -0
- data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +4 -3
- data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +85 -0
- data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb +36 -16
- data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +188 -312
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +61 -0
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +18 -11
- data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +14 -15
- data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +1 -1
- data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +6 -5
- data/spec/lib/tcell_agent/utils/params_spec.rb +28 -108
- data/tcell_agent.gemspec +21 -1
- metadata +37 -4
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
# encoding: utf-8
|
|
2
|
+
|
|
1
3
|
require 'spec_helper'
|
|
2
4
|
|
|
3
5
|
module TCellAgent
|
|
@@ -166,6 +168,48 @@ module TCellAgent
|
|
|
166
168
|
@sensor = XssSensor.new({"enabled" => true})
|
|
167
169
|
end
|
|
168
170
|
|
|
171
|
+
context "with libinjection enabled" do
|
|
172
|
+
context "with param value that doesn't match any vulnerabilities" do
|
|
173
|
+
it "should return nil" do
|
|
174
|
+
@sensor.libinjection = true
|
|
175
|
+
|
|
176
|
+
ruleset = double("ruleset")
|
|
177
|
+
expect(@sensor).to receive(:get_ruleset).and_return(ruleset)
|
|
178
|
+
expect(ruleset).to receive(:check_violation).with(
|
|
179
|
+
"param", "value", {}, false
|
|
180
|
+
).and_return(nil)
|
|
181
|
+
|
|
182
|
+
expect(@sensor.find_vulnerability("param", "value")).to eq(nil)
|
|
183
|
+
end
|
|
184
|
+
|
|
185
|
+
context "and it has utf-8 chars" do
|
|
186
|
+
it "should return nil but not fail miserably" do
|
|
187
|
+
@sensor.libinjection = true
|
|
188
|
+
|
|
189
|
+
ruleset = double("ruleset")
|
|
190
|
+
expect(@sensor).to receive(:get_ruleset).and_return(ruleset)
|
|
191
|
+
expect(ruleset).to receive(:check_violation).with(
|
|
192
|
+
"param", "Müller", {}, false
|
|
193
|
+
).and_return(nil)
|
|
194
|
+
|
|
195
|
+
expect(@sensor.find_vulnerability("param", "Müller")).to eq(nil)
|
|
196
|
+
end
|
|
197
|
+
end
|
|
198
|
+
end
|
|
199
|
+
|
|
200
|
+
context "with param value that matches a vulnerability" do
|
|
201
|
+
it "should return the param and it's value" do
|
|
202
|
+
@sensor.libinjection = true
|
|
203
|
+
|
|
204
|
+
expect(@sensor).to_not receive(:get_ruleset)
|
|
205
|
+
|
|
206
|
+
expect(@sensor.find_vulnerability("param_name", "<script>")).to eq(
|
|
207
|
+
{"param"=>"param_name", "value"=>"<script>", "pattern"=>"li"}
|
|
208
|
+
)
|
|
209
|
+
end
|
|
210
|
+
end
|
|
211
|
+
end
|
|
212
|
+
|
|
169
213
|
context "with no ruleset" do
|
|
170
214
|
it "should return nil" do
|
|
171
215
|
expect(@sensor).to receive(:get_ruleset).and_return(nil)
|
|
@@ -203,6 +247,8 @@ module TCellAgent
|
|
|
203
247
|
|
|
204
248
|
describe "#check" do
|
|
205
249
|
before(:each) do
|
|
250
|
+
@payloads_policy = double("payloads_policy")
|
|
251
|
+
|
|
206
252
|
@meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
|
|
207
253
|
@meta.remote_address = "remote_address"
|
|
208
254
|
@meta.method = "get"
|
|
@@ -215,8 +261,10 @@ module TCellAgent
|
|
|
215
261
|
|
|
216
262
|
context "disabled sensor" do
|
|
217
263
|
it "should return false" do
|
|
264
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
265
|
+
|
|
218
266
|
sensor = XssSensor.new({"enabled" => false})
|
|
219
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
267
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
220
268
|
|
|
221
269
|
expect(result).to eq(false)
|
|
222
270
|
end
|
|
@@ -229,8 +277,16 @@ module TCellAgent
|
|
|
229
277
|
|
|
230
278
|
context "param has NO vulnerability" do
|
|
231
279
|
it "should return false" do
|
|
280
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
281
|
+
|
|
232
282
|
sensor = XssSensor.new({"enabled" => false})
|
|
233
|
-
result = sensor.check(
|
|
283
|
+
result = sensor.check(
|
|
284
|
+
XssSensor::GET_PARAM,
|
|
285
|
+
@meta,
|
|
286
|
+
"param_name",
|
|
287
|
+
"param_value",
|
|
288
|
+
@payloads_policy
|
|
289
|
+
)
|
|
234
290
|
|
|
235
291
|
expect(result).to eq(false)
|
|
236
292
|
end
|
|
@@ -238,7 +294,7 @@ module TCellAgent
|
|
|
238
294
|
context "no excluded routes" do
|
|
239
295
|
it "should return false" do
|
|
240
296
|
sensor = XssSensor.new({"enabled" => false, "exclude_routes" => []})
|
|
241
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
297
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
242
298
|
|
|
243
299
|
expect(result).to eq(false)
|
|
244
300
|
end
|
|
@@ -248,7 +304,7 @@ module TCellAgent
|
|
|
248
304
|
context "route id matches" do
|
|
249
305
|
it "should return false" do
|
|
250
306
|
sensor = XssSensor.new({"enabled" => false, "exclude_routes" => ["route_id"]})
|
|
251
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
307
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
252
308
|
|
|
253
309
|
expect(result).to eq(false)
|
|
254
310
|
end
|
|
@@ -256,7 +312,7 @@ module TCellAgent
|
|
|
256
312
|
context "route id does not match" do
|
|
257
313
|
it "should return false" do
|
|
258
314
|
sensor = XssSensor.new({"enabled" => false, "exclude_routes" => ["unmatching_route_id"]})
|
|
259
|
-
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
315
|
+
result = sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
260
316
|
|
|
261
317
|
expect(result).to eq(false)
|
|
262
318
|
end
|
|
@@ -265,17 +321,64 @@ module TCellAgent
|
|
|
265
321
|
end
|
|
266
322
|
|
|
267
323
|
context "param has a vulnerability" do
|
|
324
|
+
context "param is a URI param" do
|
|
325
|
+
context "exclude forms sensor" do
|
|
326
|
+
it "should return false" do
|
|
327
|
+
@sensor.exclude_forms = true
|
|
328
|
+
@sensor.exclude_cookies = false
|
|
329
|
+
|
|
330
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
331
|
+
expect(@sensor).to_not receive(:find_vulnerability)
|
|
332
|
+
expect(@sensor).to_not receive(:send_event)
|
|
333
|
+
|
|
334
|
+
result = @sensor.check(XssSensor::URI_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
335
|
+
|
|
336
|
+
expect(result).to eq(false)
|
|
337
|
+
end
|
|
338
|
+
end
|
|
339
|
+
|
|
340
|
+
context "exclude cookies sensor" do
|
|
341
|
+
it "should return true" do
|
|
342
|
+
@sensor.exclude_forms = false
|
|
343
|
+
@sensor.exclude_cookies = true
|
|
344
|
+
|
|
345
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
|
346
|
+
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
347
|
+
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
348
|
+
)
|
|
349
|
+
expect(@sensor).to receive(:send_event).with(
|
|
350
|
+
@meta,
|
|
351
|
+
"xss",
|
|
352
|
+
"vuln_param",
|
|
353
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::URI_PARAM]},
|
|
354
|
+
"vuln_value",
|
|
355
|
+
"1"
|
|
356
|
+
)
|
|
357
|
+
|
|
358
|
+
result = @sensor.check(XssSensor::URI_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
359
|
+
|
|
360
|
+
expect(result).to eq(true)
|
|
361
|
+
end
|
|
362
|
+
end
|
|
363
|
+
end
|
|
364
|
+
|
|
268
365
|
context "param is a GET param" do
|
|
269
366
|
context "exclude forms sensor" do
|
|
270
367
|
it "should return false" do
|
|
271
368
|
@sensor.exclude_forms = true
|
|
272
369
|
@sensor.exclude_cookies = false
|
|
273
370
|
|
|
274
|
-
expect(
|
|
371
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
275
372
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
276
373
|
expect(@sensor).to_not receive(:send_event)
|
|
277
374
|
|
|
278
|
-
result = @sensor.check(
|
|
375
|
+
result = @sensor.check(
|
|
376
|
+
XssSensor::GET_PARAM,
|
|
377
|
+
@meta,
|
|
378
|
+
"param_name",
|
|
379
|
+
"param_value",
|
|
380
|
+
@payloads_policy
|
|
381
|
+
)
|
|
279
382
|
|
|
280
383
|
expect(result).to eq(false)
|
|
281
384
|
end
|
|
@@ -286,11 +389,11 @@ module TCellAgent
|
|
|
286
389
|
@sensor.exclude_cookies = false
|
|
287
390
|
@sensor.excluded_route_ids = {}
|
|
288
391
|
|
|
289
|
-
expect(
|
|
392
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
290
393
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
291
394
|
expect(@sensor).to_not receive(:send_event)
|
|
292
395
|
|
|
293
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
396
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
294
397
|
|
|
295
398
|
expect(result).to eq(false)
|
|
296
399
|
end
|
|
@@ -303,11 +406,11 @@ module TCellAgent
|
|
|
303
406
|
@sensor.exclude_cookies = false
|
|
304
407
|
@sensor.excluded_route_ids = {"route_id" => true}
|
|
305
408
|
|
|
306
|
-
expect(
|
|
409
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
307
410
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
308
411
|
expect(@sensor).to_not receive(:send_event)
|
|
309
412
|
|
|
310
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
413
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
311
414
|
|
|
312
415
|
expect(result).to eq(false)
|
|
313
416
|
end
|
|
@@ -318,11 +421,11 @@ module TCellAgent
|
|
|
318
421
|
@sensor.exclude_cookies = false
|
|
319
422
|
@sensor.excluded_route_ids = {"unmatching_route_id" => true}
|
|
320
423
|
|
|
321
|
-
expect(
|
|
424
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
322
425
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
323
426
|
expect(@sensor).to_not receive(:send_event)
|
|
324
427
|
|
|
325
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
428
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
326
429
|
|
|
327
430
|
expect(result).to eq(false)
|
|
328
431
|
end
|
|
@@ -334,290 +437,53 @@ module TCellAgent
|
|
|
334
437
|
it "should return true" do
|
|
335
438
|
@sensor.exclude_forms = false
|
|
336
439
|
@sensor.exclude_cookies = true
|
|
337
|
-
configuration = double(
|
|
338
|
-
"configuration",
|
|
339
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
340
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
341
|
-
blacklisted_params: {},
|
|
342
|
-
whitelist_present: false
|
|
343
|
-
)
|
|
344
440
|
|
|
345
441
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
346
442
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
347
443
|
)
|
|
348
|
-
expect(
|
|
444
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
|
349
445
|
expect(@sensor).to receive(:send_event).with(
|
|
350
446
|
@meta,
|
|
351
447
|
"xss",
|
|
352
448
|
"vuln_param",
|
|
353
|
-
{"
|
|
449
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::GET_PARAM]},
|
|
354
450
|
"vuln_value",
|
|
355
451
|
"1"
|
|
356
452
|
)
|
|
357
453
|
|
|
358
|
-
result = @sensor.check(
|
|
454
|
+
result = @sensor.check(
|
|
455
|
+
XssSensor::GET_PARAM,
|
|
456
|
+
@meta,
|
|
457
|
+
"param_name",
|
|
458
|
+
"param_value",
|
|
459
|
+
@payloads_policy
|
|
460
|
+
)
|
|
359
461
|
|
|
360
462
|
expect(result).to eq(true)
|
|
361
463
|
end
|
|
362
464
|
|
|
363
|
-
context "allow_unencrypted_appfirewall_payloads is false" do
|
|
364
|
-
context "param is blacklisted" do
|
|
365
|
-
it "should return true" do
|
|
366
|
-
@sensor.exclude_forms = false
|
|
367
|
-
@sensor.exclude_cookies = true
|
|
368
|
-
|
|
369
|
-
configuration = double(
|
|
370
|
-
"configuration",
|
|
371
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
372
|
-
allow_unencrypted_appfirewall_payloads: false,
|
|
373
|
-
blacklisted_params: {"vuln_param" => true},
|
|
374
|
-
whitelist_present: false
|
|
375
|
-
)
|
|
376
|
-
|
|
377
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
378
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
379
|
-
)
|
|
380
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
|
381
|
-
expect(@sensor).to receive(:send_event).with(
|
|
382
|
-
@meta,
|
|
383
|
-
"xss",
|
|
384
|
-
"vuln_param",
|
|
385
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
|
386
|
-
nil,
|
|
387
|
-
"1"
|
|
388
|
-
)
|
|
389
|
-
|
|
390
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
391
|
-
|
|
392
|
-
expect(result).to eq(true)
|
|
393
|
-
end
|
|
394
|
-
end
|
|
395
|
-
|
|
396
|
-
context "param is whitelisted" do
|
|
397
|
-
it "should return true" do
|
|
398
|
-
@sensor.exclude_forms = false
|
|
399
|
-
@sensor.exclude_cookies = true
|
|
400
|
-
|
|
401
|
-
configuration = double(
|
|
402
|
-
"configuration",
|
|
403
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
404
|
-
allow_unencrypted_appfirewall_payloads: false,
|
|
405
|
-
blacklisted_params: {},
|
|
406
|
-
whitelist_present: true,
|
|
407
|
-
whitelisted_params: {"vuln_param" => true}
|
|
408
|
-
)
|
|
409
|
-
|
|
410
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
411
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
412
|
-
)
|
|
413
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
|
414
|
-
expect(@sensor).to receive(:send_event).with(
|
|
415
|
-
@meta,
|
|
416
|
-
"xss",
|
|
417
|
-
"vuln_param",
|
|
418
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
|
419
|
-
nil,
|
|
420
|
-
"1"
|
|
421
|
-
)
|
|
422
|
-
|
|
423
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
424
|
-
|
|
425
|
-
expect(result).to eq(true)
|
|
426
|
-
end
|
|
427
|
-
end
|
|
428
|
-
|
|
429
|
-
context "params is not blacklisted and there is no whitelist" do
|
|
430
|
-
it "should return true" do
|
|
431
|
-
@sensor.exclude_forms = false
|
|
432
|
-
@sensor.exclude_cookies = true
|
|
433
|
-
|
|
434
|
-
configuration = double(
|
|
435
|
-
"configuration",
|
|
436
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
437
|
-
allow_unencrypted_appfirewall_payloads: false,
|
|
438
|
-
blacklisted_params: {},
|
|
439
|
-
whitelist_present: false
|
|
440
|
-
)
|
|
441
|
-
|
|
442
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
443
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
444
|
-
)
|
|
445
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
|
446
|
-
expect(@sensor).to receive(:send_event).with(
|
|
447
|
-
@meta,
|
|
448
|
-
"xss",
|
|
449
|
-
"vuln_param",
|
|
450
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
|
451
|
-
nil,
|
|
452
|
-
"1"
|
|
453
|
-
)
|
|
454
|
-
|
|
455
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
456
|
-
|
|
457
|
-
expect(result).to eq(true)
|
|
458
|
-
end
|
|
459
|
-
end
|
|
460
|
-
end
|
|
461
|
-
|
|
462
|
-
context "allow_unencrypted_appfirewall_payloads is true" do
|
|
463
|
-
context "params is blacklisted" do
|
|
464
|
-
it "should return true" do
|
|
465
|
-
@sensor.exclude_forms = false
|
|
466
|
-
@sensor.exclude_cookies = true
|
|
467
|
-
|
|
468
|
-
configuration = double(
|
|
469
|
-
"configuration",
|
|
470
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
471
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
472
|
-
blacklisted_params: {"vuln_param" => true},
|
|
473
|
-
whitelist_present: false
|
|
474
|
-
)
|
|
475
|
-
|
|
476
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
477
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
478
|
-
)
|
|
479
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
|
480
|
-
expect(@sensor).to receive(:send_event).with(
|
|
481
|
-
@meta,
|
|
482
|
-
"xss",
|
|
483
|
-
"vuln_param",
|
|
484
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
|
485
|
-
"BLACKLISTED",
|
|
486
|
-
"1"
|
|
487
|
-
)
|
|
488
|
-
|
|
489
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
490
|
-
|
|
491
|
-
expect(result).to eq(true)
|
|
492
|
-
end
|
|
493
|
-
end
|
|
494
|
-
|
|
495
|
-
context "param is whitelisted" do
|
|
496
|
-
it "should return true" do
|
|
497
|
-
@sensor.exclude_forms = false
|
|
498
|
-
@sensor.exclude_cookies = true
|
|
499
|
-
|
|
500
|
-
configuration = double(
|
|
501
|
-
"configuration",
|
|
502
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
503
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
504
|
-
blacklisted_params: {},
|
|
505
|
-
whitelist_present: true,
|
|
506
|
-
whitelisted_params: {"vuln_param" => true}
|
|
507
|
-
)
|
|
508
|
-
|
|
509
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
510
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
511
|
-
)
|
|
512
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
|
513
|
-
expect(@sensor).to receive(:send_event).with(
|
|
514
|
-
@meta,
|
|
515
|
-
"xss",
|
|
516
|
-
"vuln_param",
|
|
517
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
|
518
|
-
"vuln_value",
|
|
519
|
-
"1"
|
|
520
|
-
)
|
|
521
|
-
|
|
522
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
523
|
-
|
|
524
|
-
expect(result).to eq(true)
|
|
525
|
-
end
|
|
526
|
-
end
|
|
527
|
-
|
|
528
|
-
context "param is blacklisted and whitelisted" do
|
|
529
|
-
it "should return true" do
|
|
530
|
-
@sensor.exclude_forms = false
|
|
531
|
-
@sensor.exclude_cookies = true
|
|
532
|
-
|
|
533
|
-
configuration = double(
|
|
534
|
-
"configuration",
|
|
535
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
536
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
537
|
-
blacklisted_params: {"vuln_param" => true},
|
|
538
|
-
whitelist_present: true,
|
|
539
|
-
whitelisted_params: {"vuln_param" => true}
|
|
540
|
-
)
|
|
541
|
-
|
|
542
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
543
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
544
|
-
)
|
|
545
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
|
546
|
-
expect(@sensor).to receive(:send_event).with(
|
|
547
|
-
@meta,
|
|
548
|
-
"xss",
|
|
549
|
-
"vuln_param",
|
|
550
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
|
551
|
-
"BLACKLISTED",
|
|
552
|
-
"1"
|
|
553
|
-
)
|
|
554
|
-
|
|
555
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
556
|
-
|
|
557
|
-
expect(result).to eq(true)
|
|
558
|
-
end
|
|
559
|
-
end
|
|
560
|
-
|
|
561
|
-
context "params is not blacklisted and there is no whitelist" do
|
|
562
|
-
it "should return true" do
|
|
563
|
-
@sensor.exclude_forms = false
|
|
564
|
-
@sensor.exclude_cookies = true
|
|
565
|
-
|
|
566
|
-
configuration = double(
|
|
567
|
-
"configuration",
|
|
568
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
569
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
570
|
-
blacklisted_params: {},
|
|
571
|
-
whitelist_present: false
|
|
572
|
-
)
|
|
573
|
-
|
|
574
|
-
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
575
|
-
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
576
|
-
)
|
|
577
|
-
expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
|
|
578
|
-
expect(@sensor).to receive(:send_event).with(
|
|
579
|
-
@meta,
|
|
580
|
-
"xss",
|
|
581
|
-
"vuln_param",
|
|
582
|
-
{"t" => XssSensor::GET_PARAM}.to_json,
|
|
583
|
-
"vuln_value",
|
|
584
|
-
"1"
|
|
585
|
-
)
|
|
586
|
-
|
|
587
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
588
|
-
|
|
589
|
-
expect(result).to eq(true)
|
|
590
|
-
end
|
|
591
|
-
end
|
|
592
|
-
end
|
|
593
|
-
|
|
594
465
|
context "no excluded routes" do
|
|
595
466
|
it "should return true" do
|
|
596
467
|
@sensor.exclude_forms = false
|
|
597
468
|
@sensor.exclude_cookies = true
|
|
598
469
|
@sensor.excluded_route_ids = {}
|
|
599
|
-
configuration = double(
|
|
600
|
-
"configuration",
|
|
601
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
602
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
603
|
-
blacklisted_params: {},
|
|
604
|
-
whitelist_present: false
|
|
605
|
-
)
|
|
606
470
|
|
|
607
471
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
608
472
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
609
473
|
)
|
|
610
|
-
expect(
|
|
474
|
+
expect(@payloads_policy).to receive(:apply).with(
|
|
475
|
+
"xss", {}, "get", "vuln_param", "vuln_value", {"l"=>"query"}, "1"
|
|
476
|
+
).and_return("vuln_value")
|
|
611
477
|
expect(@sensor).to receive(:send_event).with(
|
|
612
478
|
@meta,
|
|
613
479
|
"xss",
|
|
614
480
|
"vuln_param",
|
|
615
|
-
{"
|
|
481
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::GET_PARAM]},
|
|
616
482
|
"vuln_value",
|
|
617
483
|
"1"
|
|
618
484
|
)
|
|
619
485
|
|
|
620
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
486
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
621
487
|
|
|
622
488
|
expect(result).to eq(true)
|
|
623
489
|
end
|
|
@@ -630,11 +496,11 @@ module TCellAgent
|
|
|
630
496
|
@sensor.exclude_cookies = true
|
|
631
497
|
@sensor.excluded_route_ids = {"route_id" => true}
|
|
632
498
|
|
|
633
|
-
expect(TCellAgent).to_not receive(:configuration)
|
|
634
499
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
500
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
635
501
|
expect(@sensor).to_not receive(:send_event)
|
|
636
502
|
|
|
637
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
503
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
638
504
|
|
|
639
505
|
expect(result).to eq(false)
|
|
640
506
|
end
|
|
@@ -645,28 +511,23 @@ module TCellAgent
|
|
|
645
511
|
@sensor.exclude_forms = false
|
|
646
512
|
@sensor.exclude_cookies = true
|
|
647
513
|
@sensor.excluded_route_ids = {"unmatching_route_id" => true}
|
|
648
|
-
configuration = double(
|
|
649
|
-
"configuration",
|
|
650
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
651
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
652
|
-
blacklisted_params: {},
|
|
653
|
-
whitelist_present: false
|
|
654
|
-
)
|
|
655
514
|
|
|
656
515
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
657
516
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
658
517
|
)
|
|
659
|
-
expect(
|
|
518
|
+
expect(@payloads_policy).to receive(:apply).with(
|
|
519
|
+
"xss", {}, "get", "vuln_param", "vuln_value", {"l"=>"query"}, "1"
|
|
520
|
+
).and_return("vuln_value")
|
|
660
521
|
expect(@sensor).to receive(:send_event).with(
|
|
661
522
|
@meta,
|
|
662
523
|
"xss",
|
|
663
524
|
"vuln_param",
|
|
664
|
-
{"
|
|
525
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::GET_PARAM]},
|
|
665
526
|
"vuln_value",
|
|
666
527
|
"1"
|
|
667
528
|
)
|
|
668
529
|
|
|
669
|
-
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value")
|
|
530
|
+
result = @sensor.check(XssSensor::GET_PARAM, @meta, "param_name", "param_value", @payloads_policy)
|
|
670
531
|
|
|
671
532
|
expect(result).to eq(true)
|
|
672
533
|
end
|
|
@@ -681,11 +542,17 @@ module TCellAgent
|
|
|
681
542
|
@sensor.exclude_forms = true
|
|
682
543
|
@sensor.exclude_cookies = false
|
|
683
544
|
|
|
684
|
-
expect(
|
|
545
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
685
546
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
686
547
|
expect(@sensor).to_not receive(:send_event)
|
|
687
548
|
|
|
688
|
-
result = @sensor.check(
|
|
549
|
+
result = @sensor.check(
|
|
550
|
+
XssSensor::POST_PARAM,
|
|
551
|
+
@meta,
|
|
552
|
+
"param_name",
|
|
553
|
+
"param_value",
|
|
554
|
+
@payloads_policy
|
|
555
|
+
)
|
|
689
556
|
|
|
690
557
|
expect(result).to eq(false)
|
|
691
558
|
end
|
|
@@ -695,28 +562,27 @@ module TCellAgent
|
|
|
695
562
|
it "should return true" do
|
|
696
563
|
@sensor.exclude_forms = false
|
|
697
564
|
@sensor.exclude_cookies = true
|
|
698
|
-
configuration = double(
|
|
699
|
-
"configuration",
|
|
700
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
701
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
702
|
-
blacklisted_params: {},
|
|
703
|
-
whitelist_present: false
|
|
704
|
-
)
|
|
705
565
|
|
|
706
566
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
707
567
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
708
568
|
)
|
|
709
|
-
expect(
|
|
569
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
|
710
570
|
expect(@sensor).to receive(:send_event).with(
|
|
711
571
|
@meta,
|
|
712
572
|
"xss",
|
|
713
573
|
"vuln_param",
|
|
714
|
-
{"
|
|
574
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::POST_PARAM]},
|
|
715
575
|
"vuln_value",
|
|
716
576
|
"1"
|
|
717
577
|
)
|
|
718
578
|
|
|
719
|
-
result = @sensor.check(
|
|
579
|
+
result = @sensor.check(
|
|
580
|
+
XssSensor::POST_PARAM,
|
|
581
|
+
@meta,
|
|
582
|
+
"param_name",
|
|
583
|
+
"param_value",
|
|
584
|
+
@payloads_policy
|
|
585
|
+
)
|
|
720
586
|
|
|
721
587
|
expect(result).to eq(true)
|
|
722
588
|
end
|
|
@@ -729,11 +595,17 @@ module TCellAgent
|
|
|
729
595
|
@sensor.exclude_forms = true
|
|
730
596
|
@sensor.exclude_cookies = false
|
|
731
597
|
|
|
732
|
-
expect(
|
|
598
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
733
599
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
734
600
|
expect(@sensor).to_not receive(:send_event)
|
|
735
601
|
|
|
736
|
-
result = @sensor.check(
|
|
602
|
+
result = @sensor.check(
|
|
603
|
+
XssSensor::JSON_PARAM,
|
|
604
|
+
@meta,
|
|
605
|
+
"param_name",
|
|
606
|
+
"param_value",
|
|
607
|
+
@payloads_policy
|
|
608
|
+
)
|
|
737
609
|
|
|
738
610
|
expect(result).to eq(false)
|
|
739
611
|
end
|
|
@@ -743,28 +615,27 @@ module TCellAgent
|
|
|
743
615
|
it "should return true" do
|
|
744
616
|
@sensor.exclude_forms = false
|
|
745
617
|
@sensor.exclude_cookies = true
|
|
746
|
-
configuration = double(
|
|
747
|
-
"configuration",
|
|
748
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
749
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
750
|
-
blacklisted_params: {},
|
|
751
|
-
whitelist_present: false
|
|
752
|
-
)
|
|
753
618
|
|
|
754
619
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
755
620
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
756
621
|
)
|
|
757
|
-
expect(
|
|
622
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
|
758
623
|
expect(@sensor).to receive(:send_event).with(
|
|
759
624
|
@meta,
|
|
760
625
|
"xss",
|
|
761
626
|
"vuln_param",
|
|
762
|
-
{"
|
|
627
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::JSON_PARAM]},
|
|
763
628
|
"vuln_value",
|
|
764
629
|
"1"
|
|
765
630
|
)
|
|
766
631
|
|
|
767
|
-
result = @sensor.check(
|
|
632
|
+
result = @sensor.check(
|
|
633
|
+
XssSensor::JSON_PARAM,
|
|
634
|
+
@meta,
|
|
635
|
+
"param_name",
|
|
636
|
+
"param_value",
|
|
637
|
+
@payloads_policy
|
|
638
|
+
)
|
|
768
639
|
|
|
769
640
|
expect(result).to eq(true)
|
|
770
641
|
end
|
|
@@ -776,28 +647,27 @@ module TCellAgent
|
|
|
776
647
|
it "should return true" do
|
|
777
648
|
@sensor.exclude_forms = true
|
|
778
649
|
@sensor.exclude_cookies = false
|
|
779
|
-
configuration = double(
|
|
780
|
-
"configuration",
|
|
781
|
-
allow_unencrypted_appfirewall_payloads_logging: false,
|
|
782
|
-
allow_unencrypted_appfirewall_payloads: true,
|
|
783
|
-
blacklisted_params: {},
|
|
784
|
-
whitelist_present: false
|
|
785
|
-
)
|
|
786
650
|
|
|
787
651
|
expect(@sensor).to receive(:find_vulnerability).and_return(
|
|
788
652
|
{"param" => "vuln_param", "value" => "vuln_value", "pattern" => "1"}
|
|
789
653
|
)
|
|
790
|
-
expect(
|
|
654
|
+
expect(@payloads_policy).to receive(:apply).and_return("vuln_value")
|
|
791
655
|
expect(@sensor).to receive(:send_event).with(
|
|
792
656
|
@meta,
|
|
793
657
|
"xss",
|
|
794
658
|
"vuln_param",
|
|
795
|
-
{"
|
|
659
|
+
{"l" => XssSensor::PARAM_TYPE_TO_L[XssSensor::COOKIE_PARAM]},
|
|
796
660
|
"vuln_value",
|
|
797
661
|
"1"
|
|
798
662
|
)
|
|
799
663
|
|
|
800
|
-
result = @sensor.check(
|
|
664
|
+
result = @sensor.check(
|
|
665
|
+
XssSensor::COOKIE_PARAM,
|
|
666
|
+
@meta,
|
|
667
|
+
"param_name",
|
|
668
|
+
"param_value",
|
|
669
|
+
@payloads_policy
|
|
670
|
+
)
|
|
801
671
|
|
|
802
672
|
expect(result).to eq(true)
|
|
803
673
|
end
|
|
@@ -808,11 +678,17 @@ module TCellAgent
|
|
|
808
678
|
@sensor.exclude_forms = false
|
|
809
679
|
@sensor.exclude_cookies = true
|
|
810
680
|
|
|
811
|
-
expect(TCellAgent).to_not receive(:configuration)
|
|
812
681
|
expect(@sensor).to_not receive(:find_vulnerability)
|
|
682
|
+
expect(@payloads_policy).to_not receive(:apply)
|
|
813
683
|
expect(@sensor).to_not receive(:send_event)
|
|
814
684
|
|
|
815
|
-
result = @sensor.check(
|
|
685
|
+
result = @sensor.check(
|
|
686
|
+
XssSensor::COOKIE_PARAM,
|
|
687
|
+
@meta,
|
|
688
|
+
"param_name",
|
|
689
|
+
"param_value",
|
|
690
|
+
@payloads_policy
|
|
691
|
+
)
|
|
816
692
|
|
|
817
693
|
expect(result).to eq(false)
|
|
818
694
|
end
|