tcell_agent 0.2.19 → 0.2.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60)
  1. checksums.yaml +4 -4
  2. data/LICENSE_libinjection +32 -0
  3. data/Rakefile +14 -1
  4. data/ext/libinjection/extconf.rb +3 -0
  5. data/ext/libinjection/libinjection.h +65 -0
  6. data/ext/libinjection/libinjection_html5.c +847 -0
  7. data/ext/libinjection/libinjection_html5.h +54 -0
  8. data/ext/libinjection/libinjection_sqli.c +2317 -0
  9. data/ext/libinjection/libinjection_sqli.h +295 -0
  10. data/ext/libinjection/libinjection_sqli_data.h +9004 -0
  11. data/ext/libinjection/libinjection_wrap.c +3525 -0
  12. data/ext/libinjection/libinjection_xss.c +531 -0
  13. data/ext/libinjection/libinjection_xss.h +21 -0
  14. data/lib/tcell_agent/configuration.rb +0 -48
  15. data/lib/tcell_agent/logger.rb +1 -0
  16. data/lib/tcell_agent/policies/appsensor/database_sensor.rb +8 -20
  17. data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +30 -46
  18. data/lib/tcell_agent/policies/appsensor/login_sensor.rb +1 -4
  19. data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +8 -22
  20. data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +143 -0
  21. data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +3 -1
  22. data/lib/tcell_agent/policies/appsensor/sensor.rb +21 -2
  23. data/lib/tcell_agent/policies/appsensor/size_sensor.rb +3 -1
  24. data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +9 -0
  25. data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +1 -5
  26. data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +9 -1
  27. data/lib/tcell_agent/policies/appsensor_policy.rb +40 -19
  28. data/lib/tcell_agent/policies/http_redirect_policy.rb +12 -2
  29. data/lib/tcell_agent/rails/csrf_exception.rb +1 -1
  30. data/lib/tcell_agent/rails/dlp.rb +98 -76
  31. data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -2
  32. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +2 -2
  33. data/lib/tcell_agent/rails/on_start.rb +53 -20
  34. data/lib/tcell_agent/sensor_events/appsensor_event.rb +12 -19
  35. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +7 -2
  36. data/lib/tcell_agent/sensor_events/sensor.rb +10 -11
  37. data/lib/tcell_agent/sensor_events/server_agent.rb +17 -12
  38. data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +148 -139
  39. data/lib/tcell_agent/utils/params.rb +24 -21
  40. data/lib/tcell_agent/version.rb +1 -1
  41. data/spec/lib/tcell_agent/configuration_spec.rb +0 -179
  42. data/spec/lib/tcell_agent/policies/appsensor/database_sensor_spec.rb +6 -4
  43. data/spec/lib/tcell_agent/policies/appsensor/misc_sensor_spec.rb +31 -22
  44. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_apply_spec.rb +466 -0
  45. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_from_json_spec.rb +890 -0
  46. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +484 -0
  47. data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +4 -3
  48. data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +4 -4
  49. data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +1 -1
  50. data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +85 -0
  51. data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb +36 -16
  52. data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +188 -312
  53. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +61 -0
  54. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +18 -11
  55. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +14 -15
  56. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +1 -1
  57. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +6 -5
  58. data/spec/lib/tcell_agent/utils/params_spec.rb +28 -108
  59. data/tcell_agent.gemspec +21 -1
  60. metadata +37 -4
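--- a/data/ext/libinjection/libinjection_sqli.h
+++ b/data/ext/libinjection/libinjection_sqli.h
@@ -0,0 +1,295 @@
+/**
+* Copyright 2012-2016 Nick Galbreath
+* nickg@client9.com
+* BSD License -- see `COPYING.txt` for details
+*
+* https://libinjection.client9.com/
+*
+*/
+
+#ifndef LIBINJECTION_SQLI_H
+#define LIBINJECTION_SQLI_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+* Pull in size_t
+*/
+#include <string.h>
+
+enum sqli_flags {
+FLAG_NONE = 0
+, FLAG_QUOTE_NONE = 1 /* 1 << 0 */
+, FLAG_QUOTE_SINGLE = 2 /* 1 << 1 */
+, FLAG_QUOTE_DOUBLE = 4 /* 1 << 2 */
+
+, FLAG_SQL_ANSI = 8 /* 1 << 3 */
+, FLAG_SQL_MYSQL = 16 /* 1 << 4 */
+};
+
+enum lookup_type {
+LOOKUP_WORD = 1
+, LOOKUP_TYPE = 2
+, LOOKUP_OPERATOR = 3
+, LOOKUP_FINGERPRINT = 4
+};
+
+struct libinjection_sqli_token {
+#ifdef SWIG
+%immutable;
+#endif
+char type;
+char str_open;
+char str_close;
+
+/*
+* position and length of token
+* in original string
+*/
+size_t pos;
+size_t len;
+
+/* count:
+* in type 'v', used for number of opening '@'
+* but maybe used in other contexts
+*/
+int count;
+
+char val[32];
+};
+
+typedef struct libinjection_sqli_token stoken_t;
+
+/**
+* Pointer to function, takes c-string input,
+* returns '\0' for no match, else a char
+*/
+struct libinjection_sqli_state;
+typedef char (*ptr_lookup_fn)(struct libinjection_sqli_state*, int lookuptype, const char* word, size_t len);
+
+struct libinjection_sqli_state {
+#ifdef SWIG
+%immutable;
+#endif
+
+/*
+* input, does not need to be null terminated.
+* it is also not modified.
+*/
+const char *s;
+
+/*
+* input length
+*/
+size_t slen;
+
+/*
+* How to lookup a word or fingerprint
+*/
+ptr_lookup_fn lookup;
+void* userdata;
+
+/*
+*
+*/
+int flags;
+
+/*
+* pos is the index in the string during tokenization
+*/
+size_t pos;
+
+#ifndef SWIG
+/* for SWIG.. don't use this.. use functional API instead */
+
+/* MAX TOKENS + 1 since we use one extra token
+* to determine the type of the previous token
+*/
+struct libinjection_sqli_token tokenvec[8];
+#endif
+
+/*
+* Pointer to token position in tokenvec, above
+*/
+struct libinjection_sqli_token *current;
+
+/*
+* fingerprint pattern c-string
+* +1 for ending null
+* Minimum of 8 bytes to add gcc's -fstack-protector to work
+*/
+char fingerprint[8];
+
+/*
+* Line number of code that said decided if the input was SQLi or
+* not. Most of the time it's line that said "it's not a matching
+* fingerprint" but there is other logic that sometimes approves
+* an input. This is only useful for debugging.
+*
+*/
+int reason;
+
+/* Number of ddw (dash-dash-white) comments
+* These comments are in the form of
+* '--[whitespace]' or '--[EOF]'
+*
+* All databases treat this as a comment.
+*/
+int stats_comment_ddw;
+
+/* Number of ddx (dash-dash-[notwhite]) comments
+*
+* ANSI SQL treats these are comments, MySQL treats this as
+* two unary operators '-' '-'
+*
+* If you are parsing result returns FALSE and
+* stats_comment_dd > 0, you should reparse with
+* COMMENT_MYSQL
+*
+*/
+int stats_comment_ddx;
+
+/*
+* c-style comments found /x .. x/
+*/
+int stats_comment_c;
+
+/* '#' operators or MySQL EOL comments found
+*
+*/
+int stats_comment_hash;
+
+/*
+* number of tokens folded away
+*/
+int stats_folds;
+
+/*
+* total tokens processed
+*/
+int stats_tokens;
+
+};
+
+typedef struct libinjection_sqli_state sfilter;
+
+struct libinjection_sqli_token* libinjection_sqli_get_token(
+struct libinjection_sqli_state* sqlistate, int i);
+
+/*
+* Version info.
+*
+* This is moved into a function to allow SWIG and other auto-generated
+* binding to not be modified during minor release changes. We change
+* change the version number in the c source file, and not regenerated
+* the binding
+*
+* See python's normalized version
+* http://www.python.org/dev/peps/pep-0386/#normalizedversion
+*/
+const char* libinjection_version(void);
+
+/**
+*
+*/
+void libinjection_sqli_init(struct libinjection_sqli_state* sql_state,
+const char* s, size_t slen,
+int flags);
+
+/**
+* Main API: tests for SQLi in three possible contexts, no quotes,
+* single quote and double quote
+*
+* \param sql_state core data structure
+*
+* \return 1 (true) if SQLi, 0 (false) if benign
+*/
+int libinjection_is_sqli(struct libinjection_sqli_state* sql_state);
+
+/* FOR HACKERS ONLY
+* provides deep hooks into the decision making process
+*/
+void libinjection_sqli_callback(struct libinjection_sqli_state* sql_state,
+ptr_lookup_fn fn,
+void* userdata);
+
+
+/*
+* Resets state, but keeps initial string and callbacks
+*/
+void libinjection_sqli_reset(struct libinjection_sqli_state* sql_state,
+int flags);
+
+/**
+*
+*/
+
+/**
+* This detects SQLi in a single context, mostly useful for custom
+* logic and debugging.
+*
+* \param sql_state Main data structure
+* \param flags flags to adjust parsing
+*
+* \returns a pointer to sfilter.fingerprint as convenience
+* do not free!
+*
+*/
+const char* libinjection_sqli_fingerprint(struct libinjection_sqli_state* sql_state,
+int flags);
+
+/**
+* The default "word" to token-type or fingerprint function. This
+* uses a ASCII case-insensitive binary tree.
+*/
+char libinjection_sqli_lookup_word(struct libinjection_sqli_state* sql_state,
+int lookup_type,
+const char* s,
+size_t slen);
+
+/* Streaming tokenization interface.
+*
+* sql_state->current is updated with the current token.
+*
+* \returns 1, has a token, keep going, or 0 no tokens
+*
+*/
+int libinjection_sqli_tokenize(struct libinjection_sqli_state * sql_state);
+
+/**
+* parses and folds input, up to 5 tokens
+*
+*/
+int libinjection_sqli_fold(struct libinjection_sqli_state * sql_state);
+
+/** The built-in default function to match fingerprints
+* and do false negative/positive analysis. This calls the following
+* two functions. With this, you over-ride one part or the other.
+*
+* return libinjection_sqli_blacklist(sql_state) &&
+* libinjection_sqli_not_whitelist(sql_state);
+*
+* \param sql_state should be filled out after libinjection_sqli_fingerprint is called
+*/
+int libinjection_sqli_check_fingerprint(struct libinjection_sqli_state * sql_state);
+
+/* Given a pattern determine if it's a SQLi pattern.
+*
+* \return TRUE if sqli, false otherwise
+*/
+int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state);
+
+/* Given a positive match for a pattern (i.e. pattern is SQLi), this function
+* does additional analysis to reduce false positives.
+*
+* \return TRUE if SQLi, false otherwise
+*/
+int libinjection_sqli_not_whitelist(struct libinjection_sqli_state * sql_state);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* LIBINJECTION_SQLI_H */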