tcell_agent 0.2.19 → 0.2.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60)
  1. checksums.yaml +4 -4
  2. data/LICENSE_libinjection +32 -0
  3. data/Rakefile +14 -1
  4. data/ext/libinjection/extconf.rb +3 -0
  5. data/ext/libinjection/libinjection.h +65 -0
  6. data/ext/libinjection/libinjection_html5.c +847 -0
  7. data/ext/libinjection/libinjection_html5.h +54 -0
  8. data/ext/libinjection/libinjection_sqli.c +2317 -0
  9. data/ext/libinjection/libinjection_sqli.h +295 -0
  10. data/ext/libinjection/libinjection_sqli_data.h +9004 -0
  11. data/ext/libinjection/libinjection_wrap.c +3525 -0
  12. data/ext/libinjection/libinjection_xss.c +531 -0
  13. data/ext/libinjection/libinjection_xss.h +21 -0
  14. data/lib/tcell_agent/configuration.rb +0 -48
  15. data/lib/tcell_agent/logger.rb +1 -0
  16. data/lib/tcell_agent/policies/appsensor/database_sensor.rb +8 -20
  17. data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +30 -46
  18. data/lib/tcell_agent/policies/appsensor/login_sensor.rb +1 -4
  19. data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +8 -22
  20. data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +143 -0
  21. data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +3 -1
  22. data/lib/tcell_agent/policies/appsensor/sensor.rb +21 -2
  23. data/lib/tcell_agent/policies/appsensor/size_sensor.rb +3 -1
  24. data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +9 -0
  25. data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +1 -5
  26. data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +9 -1
  27. data/lib/tcell_agent/policies/appsensor_policy.rb +40 -19
  28. data/lib/tcell_agent/policies/http_redirect_policy.rb +12 -2
  29. data/lib/tcell_agent/rails/csrf_exception.rb +1 -1
  30. data/lib/tcell_agent/rails/dlp.rb +98 -76
  31. data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -2
  32. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +2 -2
  33. data/lib/tcell_agent/rails/on_start.rb +53 -20
  34. data/lib/tcell_agent/sensor_events/appsensor_event.rb +12 -19
  35. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +7 -2
  36. data/lib/tcell_agent/sensor_events/sensor.rb +10 -11
  37. data/lib/tcell_agent/sensor_events/server_agent.rb +17 -12
  38. data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +148 -139
  39. data/lib/tcell_agent/utils/params.rb +24 -21
  40. data/lib/tcell_agent/version.rb +1 -1
  41. data/spec/lib/tcell_agent/configuration_spec.rb +0 -179
  42. data/spec/lib/tcell_agent/policies/appsensor/database_sensor_spec.rb +6 -4
  43. data/spec/lib/tcell_agent/policies/appsensor/misc_sensor_spec.rb +31 -22
  44. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_apply_spec.rb +466 -0
  45. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_from_json_spec.rb +890 -0
  46. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +484 -0
  47. data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +4 -3
  48. data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +4 -4
  49. data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +1 -1
  50. data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +85 -0
  51. data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb +36 -16
  52. data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +188 -312
  53. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +61 -0
  54. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +18 -11
  55. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +14 -15
  56. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +1 -1
  57. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +6 -5
  58. data/spec/lib/tcell_agent/utils/params_spec.rb +28 -108
  59. data/tcell_agent.gemspec +21 -1
  60. metadata +37 -4
@@ -5,7 +5,19 @@ require 'tcell_agent/utils/params'
5
5
  module TCellAgent
6
6
  module Policies
7
7
  class InjectionSensor < Sensor
8
- include TCellAgent::Utils::Params
8
+ GET_PARAM = TCellAgent::Utils::Params::GET_PARAM
9
+ POST_PARAM = TCellAgent::Utils::Params::POST_PARAM
10
+ JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
11
+ COOKIE_PARAM = TCellAgent::Utils::Params::COOKIE_PARAM
12
+ URI_PARAM = TCellAgent::Utils::Params::URI_PARAM
13
+
14
+ PARAM_TYPE_TO_L = {
15
+ GET_PARAM => 'query',
16
+ POST_PARAM => 'body',
17
+ JSON_PARAM => 'body',
18
+ URI_PARAM => 'uri',
19
+ COOKIE_PARAM => 'cookie'
20
+ }
9
21
 
10
22
  attr_accessor :enabled, :detection_point, :exclude_headers, :exclude_forms,
11
23
  :exclude_cookies, :exclusions, :active_pattern_ids, :v1_compatability_enabled,
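Review bot: `PARAM_TYPE_TO_L` is a mutable Hash constant although `check` only reads it; close it with `}.freeze` so an accidental `[]=` elsewhere cannot silently change the `"l"` location attached to every injection event. The same applies to `PARAM_TYPE_MAP` in the new payloads_policy.rb hunk. The `attr_accessor` list that follows continues past the end of this hunk.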
@@ -54,17 +66,19 @@ module TCellAgent
54
66
  rules = get_ruleset
55
67
  return nil unless rules
56
68
 
57
- param_deep_loop(param_name, param_value) do |name, value|
58
- rules.check_violation(name, value, @active_pattern_ids, @v1_compatability_enabled)
59
- end
69
+ rules.check_violation(param_name, param_value, @active_pattern_ids, @v1_compatability_enabled)
60
70
  end
61
71
 
62
- def check(type_of_param, appsensor_meta, param_name, param_value)
72
+ def check(type_of_param, appsensor_meta, param_name, param_value, payloads_policy)
63
73
  return false unless @enabled
64
74
 
65
75
  return false if @excluded_route_ids.fetch(appsensor_meta.route_id, false)
66
76
 
67
- if @exclude_forms && (GET_PARAM == type_of_param or POST_PARAM == type_of_param or JSON_PARAM == type_of_param)
77
+ if @exclude_forms &&
78
+ (GET_PARAM == type_of_param ||
79
+ POST_PARAM == type_of_param ||
80
+ JSON_PARAM == type_of_param ||
81
+ URI_PARAM == type_of_param)
68
82
  return false
69
83
  end
70
84
 
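Review bot: The `exclude_forms` branch now also returns early for `URI_PARAM`, so a policy that excludes forms silently stops checking path parameters too, and nothing in the code records that this is intended. Add above the `if @exclude_forms &&` line: `# exclude_forms suppresses path (URI) parameters as well as query/body input`. `check` continues past the end of the hunk.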
@@ -76,34 +90,23 @@ module TCellAgent
76
90
 
77
91
  if vuln_results
78
92
  vuln_param = vuln_results["param"]
79
- payload = nil
80
-
81
- if TCellAgent.configuration.allow_unencrypted_appfirewall_payloads
82
- payload = vuln_results["value"]
83
- end
84
93
 
85
94
  if vuln_param
86
- unless payload.nil?
87
- if TCellAgent.configuration.blacklisted_params.has_key?(vuln_param.downcase)
88
- payload = "BLACKLISTED"
95
+ meta = {"l" => PARAM_TYPE_TO_L[type_of_param]}
96
+ pattern = vuln_results["pattern"]
89
97
 
90
- elsif TCellAgent.configuration.whitelist_present &&
91
- !TCellAgent.configuration.whitelisted_params.has_key?(vuln_param.downcase)
92
- payload = "NOT_WHITELISTED"
93
- end
94
- end
95
-
96
- log_appsensor_events(type_of_param, appsensor_meta, vuln_param, vuln_results["value"])
97
-
98
- send_event(
99
- appsensor_meta,
98
+ payload = payloads_policy.apply(
100
99
  @detection_point,
100
+ appsensor_meta,
101
+ type_of_param,
101
102
  vuln_param,
102
- {"t" => type_of_param}.to_json,
103
- payload,
104
- vuln_results["pattern"]
103
+ vuln_results["value"],
104
+ meta,
105
+ pattern
105
106
  )
106
107
 
108
+ send_event(appsensor_meta, @detection_point, vuln_param, meta, payload, pattern)
109
+
107
110
  return true
108
111
  end
109
112
  end
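Review bot: The raw `vuln_results["value"]` now reaches the event only through `payloads_policy.apply`, and nothing at the call site says so; a maintainer who later passes `vuln_results["value"]` straight to `send_event` would bypass the blacklist/whitelist and the `allow_unencrypted_appfirewall_payloads` gate. Add above `payload = payloads_policy.apply(`: `# the raw value is never attached to the event directly: payloads_policy decides, per its send/log lists and the allow_unencrypted_* configuration, whether it is sent as the payload and/or written to the payloads log`. Note also that `meta` is now a Hash where the previous code passed a JSON string, which relies on TCellAppSensorEvent (changed in this diff but not shown here) serialising it. `check` begins outside this hunk.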
@@ -111,25 +114,6 @@ module TCellAgent
111
114
  return false
112
115
  end
113
116
 
114
- def log_appsensor_events(type_of_param, appsensor_meta, vuln_param, vuln_value)
115
- if TCellAgent.configuration.allow_unencrypted_appfirewall_payloads_logging
116
- event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
117
- appsensor_meta.location,
118
- @detection_point,
119
- appsensor_meta.method,
120
- appsensor_meta.remote_address,
121
- vuln_param,
122
- appsensor_meta.route_id,
123
- {"t" => type_of_param}.to_json,
124
- appsensor_meta.session_id,
125
- appsensor_meta.user_id,
126
- vuln_value
127
- )
128
- event.post_process
129
- TCellAgent.appfirewall_payloads_logger.info(event.to_json)
130
- end
131
- end
132
-
133
117
  def to_s
134
118
  "<#{self.class.name} enabled: #{@enabled} dp: #{@detection_point} " +
135
119
  "exclude_headers: #{@exclude_headers} exclude_forms: #{exclude_forms} " +
@@ -23,10 +23,7 @@ module TCellAgent
23
23
  return unless self.enabled
24
24
 
25
25
  if username
26
- username = TCellAgent::SensorEvents::Util.hmac(
27
- username,
28
- TCellAgent::SensorEvents::Util.getHmacKey()
29
- )
26
+ username = TCellAgent::SensorEvents::Util.hmac(username)
30
27
  end
31
28
 
32
29
  send_event(appsensor_meta, LOGIN_FAILURE_DP, username, nil)
@@ -1,7 +1,9 @@
1
+ require 'tcell_agent/policies/appsensor/sensor'
2
+
1
3
  module TCellAgent
2
4
  module Policies
3
5
 
4
- class MiscSensor
6
+ class MiscSensor < Sensor
5
7
 
6
8
  attr_accessor :enabled, :csrf_exception_enabled, :sql_exception_enabled, :excluded_route_ids
7
9
 
@@ -22,12 +24,13 @@ module TCellAgent
22
24
  end
23
25
  end
24
26
 
25
- def csrf_rejected(tcell_data)
27
+ def csrf_rejected(tcell_data, exception_class)
26
28
  return unless @enabled && @csrf_exception_enabled
27
29
 
28
30
  return if tcell_data && @excluded_route_ids.fetch(tcell_data.route_id, false)
29
31
 
30
- send_event("excsrf", tcell_data)
32
+ meta = nil
33
+ send_event_from_tcell_data(tcell_data, "excsrf", exception_class.name, meta)
31
34
  end
32
35
 
33
36
  def sql_exception_detected(tcell_data, exception)
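Review bot: `return if tcell_data && @excluded_route_ids.fetch(...)` still lets a nil `tcell_data` fall through, and the new `send_event_from_tcell_data` (sensor.rb hunk) immediately calls `tcell_data.uri`, so a nil here raises NoMethodError inside the sensor instead of being skipped. Unless every caller guarantees a non-nil value (csrf_exception.rb does check; the SQL exception caller is not in this diff), guard explicitly with `return unless tcell_data` followed by `return if @excluded_route_ids.fetch(tcell_data.route_id, false)`. The same shape appears in `sql_exception_detected` in the next hunk.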
@@ -35,25 +38,8 @@ module TCellAgent
35
38
 
36
39
  return if tcell_data && @excluded_route_ids.fetch(tcell_data.route_id, false)
37
40
 
38
- send_event("exsql", tcell_data)
39
- end
40
-
41
- def send_event(detection_point, tcell_data)
42
- event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
43
- tcell_data.uri,
44
- detection_point,
45
- tcell_data.request_method,
46
- tcell_data.ip_address,
47
- nil,
48
- tcell_data.route_id,
49
- nil,
50
- tcell_data.transaction_id,
51
- tcell_data.session_id,
52
- tcell_data.user_id,
53
- nil
54
- )
55
-
56
- TCellAgent.send_event(event)
41
+ meta = nil
42
+ send_event_from_tcell_data(tcell_data, "exsql", exception.class.name, meta)
57
43
  end
58
44
 
59
45
  def to_s
@@ -0,0 +1,143 @@
1
+ require 'tcell_agent/utils/params'
2
+
3
+ module TCellAgent
4
+ module Policies
5
+
6
+ class PayloadsPolicy
7
+ PARAM_TYPE_MAP = {
8
+ TCellAgent::Utils::Params::GET_PARAM => "form",
9
+ TCellAgent::Utils::Params::POST_PARAM => "form",
10
+ TCellAgent::Utils::Params::JSON_PARAM => "form",
11
+ TCellAgent::Utils::Params::COOKIE_PARAM => "cookie"
12
+ }
13
+
14
+ attr_accessor :send_payloads, :send_blacklist, :send_whitelist, :use_send_whitelist,
15
+ :log_payloads, :log_blacklist, :log_whitelist, :use_log_whitelist
16
+
17
+ def initialize
18
+ @send_payloads = false
19
+ @log_payloads = false
20
+
21
+ @send_blacklist = {}
22
+ @log_blacklist = {}
23
+ @send_whitelist = {}
24
+ @log_whitelist = {}
25
+
26
+ @use_send_whitelist = false
27
+ @use_log_whitelist = false
28
+ end
29
+
30
+ def apply(dp, appsensor_meta, type_of_param, vuln_param, vuln_value, meta, pattern)
31
+ payload = nil
32
+
33
+ if @send_payloads && TCellAgent.configuration.allow_unencrypted_appfirewall_payloads
34
+
35
+ blacklisted_locations = @send_blacklist[vuln_param.downcase]
36
+ param_location = PARAM_TYPE_MAP[type_of_param]
37
+
38
+ if blacklisted_locations &&
39
+ ( blacklisted_locations.include?(param_location) ||
40
+ blacklisted_locations.include?("*") )
41
+ payload = "BLACKLISTED"
42
+
43
+ elsif use_send_whitelist
44
+ whitelisted_locations = @send_whitelist[vuln_param.downcase]
45
+ if whitelisted_locations &&
46
+ ( whitelisted_locations.include?(param_location) ||
47
+ whitelisted_locations.include?("*") )
48
+
49
+ payload = vuln_value
50
+
51
+ else
52
+ payload = "NOT_WHITELISTED"
53
+ end
54
+
55
+ else
56
+ payload = vuln_value
57
+ end
58
+
59
+ end
60
+
61
+ log(dp, appsensor_meta, type_of_param, vuln_param, vuln_value, meta, pattern)
62
+
63
+ payload
64
+ end
65
+
66
+ def log(dp, appsensor_meta, type_of_param, vuln_param, vuln_value, meta, pattern)
67
+ if @log_payloads && TCellAgent.configuration.allow_unencrypted_appfirewall_payloads_logging
68
+ blacklisted_locations = @log_blacklist[vuln_param.downcase]
69
+ param_location = PARAM_TYPE_MAP[type_of_param]
70
+
71
+ if !blacklisted_locations ||
72
+ ( !blacklisted_locations.include?(param_location) &&
73
+ !blacklisted_locations.include?("*") )
74
+
75
+ whitelisted_locations = @log_whitelist[vuln_param.downcase]
76
+ if !use_log_whitelist ||
77
+ (whitelisted_locations && (whitelisted_locations.include?(param_location) ||
78
+ whitelisted_locations.include?("*")))
79
+
80
+ event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
81
+ appsensor_meta.location,
82
+ dp,
83
+ appsensor_meta.method,
84
+ appsensor_meta.remote_address,
85
+ vuln_param,
86
+ appsensor_meta.route_id,
87
+ meta,
88
+ appsensor_meta.session_id,
89
+ appsensor_meta.user_id,
90
+ vuln_value,
91
+ pattern
92
+ )
93
+ event.post_process
94
+ TCellAgent.appfirewall_payloads_logger.info(event.to_json)
95
+ end
96
+ end
97
+ end
98
+ end
99
+
100
+ def self.from_json(policy_json)
101
+ policy = PayloadsPolicy.new
102
+
103
+ if policy_json
104
+ payloads_json = policy_json.fetch("payloads", {})
105
+ policy.send_payloads = payloads_json.fetch("send_payloads", false)
106
+ policy.log_payloads = payloads_json.fetch("log_payloads", false)
107
+
108
+ if policy.send_payloads
109
+ payloads_json.fetch("send_blacklist", {}).each do |param_name, locations|
110
+ policy.send_blacklist[param_name.downcase] = Set.new(locations)
111
+ end
112
+
113
+ send_whitelist = payloads_json["send_whitelist"]
114
+ if send_whitelist
115
+ send_whitelist.each do |param_name, locations|
116
+ policy.send_whitelist[param_name.downcase] = Set.new(locations)
117
+ end
118
+ policy.use_send_whitelist = true
119
+ end
120
+ end
121
+
122
+ if policy.log_payloads
123
+ payloads_json.fetch("log_blacklist", {}).each do |param_name, locations|
124
+ policy.log_blacklist[param_name.downcase] = Set.new(locations)
125
+ end
126
+
127
+ log_whitelist = payloads_json["log_whitelist"]
128
+ if log_whitelist
129
+ log_whitelist.each do |param_name, locations|
130
+ policy.log_whitelist[param_name.downcase] = Set.new(locations)
131
+ end
132
+
133
+ policy.use_log_whitelist = true
134
+ end
135
+ end
136
+ end
137
+
138
+ policy
139
+ end
140
+ end
141
+
142
+ end
143
+ end
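Review bot: `from_json` builds `Set.new(locations)` but the file only requires `tcell_agent/utils/params`; `Set` is only autoloaded from Ruby 3.2, so add `require 'set'` at the top rather than rely on another file having loaded it. `PARAM_TYPE_MAP` also has no entry for `TCellAgent::Utils::Params::URI_PARAM`, although InjectionSensor now maps that type to `'uri'` and appsensor_policy checks path parameters under it: for those, `param_location` is nil, a blacklist or whitelist entry can only match via `"*"`, and every path parameter is reported as `NOT_WHITELISTED` once a send whitelist is in use. If the policy JSON uses `"uri"` as the location name, add `TCellAgent::Utils::Params::URI_PARAM => "uri"` to the map. Smaller points: `apply` and `log` mix `use_send_whitelist`/`@use_send_whitelist` with the instance-variable form used elsewhere, and `Set.new(locations)` raises ArgumentError when a policy gives a single string instead of an array, which `from_json` does not handle.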
@@ -51,7 +51,9 @@ module TCellAgent
51
51
  end
52
52
 
53
53
  if dp
54
- send_event(appsensor_meta, dp, response_code.to_s, nil)
54
+ param = payload = pattern = nil
55
+ meta = { code: response_code }
56
+ send_event(appsensor_meta, dp, param, meta, payload, pattern)
55
57
  end
56
58
 
57
59
  def to_s
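Review bot: `meta = { code: response_code }` uses a Symbol key while the other sensors in this diff build `meta` with String keys (`"sz"` in the size sensor, `"l"` in the injection sensor); anything that inspects or compares these hashes in-process (specs, a future consumer) sees `:code` and `"code"` as different keys, and only JSON serialisation hides the difference. Use `meta = { "code" => response_code }` for consistency.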
@@ -4,7 +4,7 @@ module TCellAgent
4
4
  module Policies
5
5
 
6
6
  class Sensor
7
- def send_event(appsensor_meta, detection_point, parameter, data, payload=nil, pattern=nil)
7
+ def send_event(appsensor_meta, detection_point, parameter, meta, payload, pattern)
8
8
  event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
9
9
  appsensor_meta.location,
10
10
  detection_point,
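Review bot: Dropping the `payload=nil, pattern=nil` defaults makes `send_event` require six arguments, but `LoginSensor#check` in the login_sensor.rb hunk still calls `send_event(appsensor_meta, LOGIN_FAILURE_DP, username, nil)` with four (that line is unchanged context). If LoginSensor inherits this method, every login failure now raises ArgumentError inside the sensor instead of emitting an event. Either keep `payload=nil, pattern=nil` on the signature or update that call to `send_event(appsensor_meta, LOGIN_FAILURE_DP, username, nil, nil, nil)`. The method body continues past the end of this hunk.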
@@ -12,7 +12,7 @@ module TCellAgent
12
12
  appsensor_meta.remote_address,
13
13
  parameter,
14
14
  appsensor_meta.route_id,
15
- data,
15
+ meta,
16
16
  appsensor_meta.session_id,
17
17
  appsensor_meta.user_id,
18
18
  payload,
@@ -21,6 +21,25 @@ module TCellAgent
21
21
 
22
22
  TCellAgent.send_event(event)
23
23
  end
24
+
25
+ def send_event_from_tcell_data(tcell_data, detection_point, parameter, meta)
26
+ payload = pattern = nil
27
+ event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
28
+ tcell_data.uri,
29
+ detection_point,
30
+ tcell_data.request_method,
31
+ tcell_data.ip_address,
32
+ parameter,
33
+ tcell_data.route_id,
34
+ meta,
35
+ tcell_data.hmac_session_id,
36
+ tcell_data.user_id,
37
+ payload,
38
+ pattern
39
+ )
40
+
41
+ TCellAgent.send_event(event)
42
+ end
24
43
  end
25
44
 
26
45
  end
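Review bot: `send_event_from_tcell_data` has no comment explaining when it is used instead of `send_event`, and the two differ in ways a reader should know: this one builds the event from a TCellData (`uri`, `request_method`, `ip_address`, `hmac_session_id`) and never attaches a payload or pattern. Add above the `def`: `# send_event variant for sensors that only have the request's TCellData (no AppSensorMeta), e.g. the exception sensors; payload and pattern are never attached on this path`. It also dereferences `tcell_data` unconditionally, so callers must pass a non-nil value.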
@@ -29,7 +29,9 @@ module TCellAgent
29
29
  end
30
30
 
31
31
  if content_length && content_length > @limit
32
- send_event(appsensor_meta, @dp_code, content_length.to_s, nil)
32
+ param = payload = pattern = nil
33
+ meta = { "sz" => content_length }
34
+ send_event(appsensor_meta, @dp_code, param, meta, payload, pattern)
33
35
  end
34
36
  end
35
37
 
@@ -1,3 +1,4 @@
1
+ require 'libinjection/libinjection'
1
2
  require 'tcell_agent/policies/appsensor/injection_sensor'
2
3
 
3
4
  module TCellAgent
@@ -19,6 +20,14 @@ module TCellAgent
19
20
  @libinjection = policy_json.fetch("libinjection", false)
20
21
  end
21
22
  end
23
+
24
+ def find_vulnerability(param_name, param_value)
25
+ if @libinjection && Libinjection.is_sqli(param_value) == 1
26
+ return {"param" => param_name, "value" => param_value, "pattern" => "li"}
27
+ end
28
+
29
+ super(param_name, param_value)
30
+ end
22
31
  end
23
32
 
24
33
  end
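Review bot: `Libinjection.is_sqli(param_value)` is handed whatever value the policy passes, and after this diff the POST/JSON dictionaries in appsensor_policy are iterated without `flatten`, so unless they are already flat upstream `param_value` may be nil, a Hash or an Array for nested params; the generated C wrapper's behaviour on a non-String is not visible here, and a TypeError would abort the whole check before `super` runs. Guard the native call: `if @libinjection && param_value.is_a?(String) && Libinjection.is_sqli(param_value) == 1`. The same applies to `Libinjection.is_xss` in the xss_sensor.rb hunk.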
@@ -30,11 +30,7 @@ module TCellAgent
30
30
 
31
31
  user_agent = appsensor_meta.user_agent
32
32
  if !user_agent || user_agent.strip == ""
33
- send_event(
34
- appsensor_meta,
35
- DP_CODE,
36
- nil,
37
- nil)
33
+ send_event(appsensor_meta, DP_CODE, nil, nil, nil, nil)
38
34
  end
39
35
  end
40
36
 
@@ -1,6 +1,6 @@
1
+ require 'libinjection/libinjection'
1
2
  require 'tcell_agent/policies/appsensor/injection_sensor'
2
3
 
3
-
4
4
  module TCellAgent
5
5
  module Policies
6
6
 
@@ -20,6 +20,14 @@ module TCellAgent
20
20
  @libinjection = policy_json.fetch("libinjection", false)
21
21
  end
22
22
  end
23
+
24
+ def find_vulnerability(param_name, param_value)
25
+ if @libinjection && Libinjection.is_xss(param_value) == 1
26
+ return {"param" => param_name, "value" => param_value, "pattern" => "li"}
27
+ end
28
+
29
+ super(param_name, param_value)
30
+ end
23
31
  end
24
32
 
25
33
  end
@@ -5,6 +5,7 @@ require 'tcell_agent/policies/appsensor/fpt_sensor'
5
5
  require 'tcell_agent/policies/appsensor/login_sensor'
6
6
  require 'tcell_agent/policies/appsensor/misc_sensor'
7
7
  require 'tcell_agent/policies/appsensor/nullbyte_sensor'
8
+ require 'tcell_agent/policies/appsensor/payloads_policy'
8
9
  require 'tcell_agent/policies/appsensor/request_size_sensor'
9
10
  require 'tcell_agent/policies/appsensor/response_codes_sensor'
10
11
  require 'tcell_agent/policies/appsensor/response_size_sensor'
@@ -12,6 +13,7 @@ require 'tcell_agent/policies/appsensor/retr_sensor'
12
13
  require 'tcell_agent/policies/appsensor/sqli_sensor'
13
14
  require 'tcell_agent/policies/appsensor/user_agent_sensor'
14
15
  require 'tcell_agent/policies/appsensor/xss_sensor'
16
+ require 'tcell_agent/utils/params'
15
17
 
16
18
 
17
19
  module TCellAgent
@@ -49,17 +51,19 @@ module TCellAgent
49
51
  "database" => DatabaseSensor
50
52
  }
51
53
 
52
- attr_accessor :policy_id, :options, :enabled
54
+ attr_accessor :policy_id, :options, :payloads_policy, :enabled
53
55
 
54
56
  def initialize
55
57
  @policy_id = nil
56
58
  @options = Hash.new
57
59
  @enabled = false
60
+ @payloads_policy = PayloadsPolicy.new
58
61
  end
59
62
 
60
63
  def process_meta_event(appsensor_meta)
61
64
  return unless @enabled
62
65
 
66
+ check_user_agent(appsensor_meta)
63
67
  check_request_size(appsensor_meta)
64
68
  check_response_size(appsensor_meta)
65
69
  check_response_code(appsensor_meta)
@@ -76,6 +80,14 @@ module TCellAgent
76
80
  end
77
81
  end
78
82
 
83
+ def check_user_agent(appsensor_meta)
84
+ TCellAgent::Instrumentation.safe_block("AppSensor Checking User Agent") do
85
+ if self.options.has_key?("ua")
86
+ self.options["ua"].check(appsensor_meta)
87
+ end
88
+ end
89
+ end
90
+
79
91
  def check_request_size(appsensor_meta)
80
92
  TCellAgent::Instrumentation.safe_block("AppSensor Testing Response Size") do
81
93
  if self.options.has_key?("req_size")
@@ -101,66 +113,65 @@ module TCellAgent
101
113
  end
102
114
 
103
115
  def check_param_for_injections(param_type, appsensor_meta, param_name, param_value)
104
- return if @options["xss"].check(param_type, appsensor_meta, param_name, param_value)
105
- return if @options["sqli"].check(param_type, appsensor_meta, param_name, param_value)
116
+ return if @options["xss"].check(param_type, appsensor_meta, param_name, param_value, @payloads_policy)
117
+ return if @options["sqli"].check(param_type, appsensor_meta, param_name, param_value, @payloads_policy)
106
118
  if InjectionSensor::COOKIE_PARAM != param_type
107
- return if @options["cmdi"].check(param_type, appsensor_meta, param_name, param_value)
119
+ return if @options["cmdi"].check(param_type, appsensor_meta, param_name, param_value, @payloads_policy)
108
120
  end
109
121
  if InjectionSensor::COOKIE_PARAM != param_type
110
- return if @options["fpt"].check(param_type, appsensor_meta, param_name, param_value)
122
+ return if @options["fpt"].check(param_type, appsensor_meta, param_name, param_value, @payloads_policy)
111
123
  end
112
124
  if InjectionSensor::COOKIE_PARAM != param_type
113
- return if @options["nullbyte"].check(param_type, appsensor_meta, param_name, param_value)
125
+ return if @options["nullbyte"].check(param_type, appsensor_meta, param_name, param_value, @payloads_policy)
114
126
  end
115
127
  if InjectionSensor::POST_PARAM != param_type && InjectionSensor::JSON_PARAM != param_type
116
- return if @options["retr"].check(param_type, appsensor_meta, param_name, param_value)
128
+ return if @options["retr"].check(param_type, appsensor_meta, param_name, param_value, @payloads_policy)
117
129
  end
118
130
  end
119
131
 
120
132
  def check_params_for_injections(appsensor_meta)
121
- path_param_type =
122
- if (appsensor_meta.method || "get").to_s.downcase == "get"
123
- InjectionSensor::GET_PARAM
124
- else
125
- InjectionSensor::POST_PARAM
126
- end
127
133
 
128
- (appsensor_meta.path_parameters || {}).each do |param_name, param_value|
134
+ TCellAgent::Utils::Params.flatten(appsensor_meta.path_parameters || {}).each do |param_name, param_value|
129
135
  TCellAgent::Instrumentation.safe_block("AppSensor Check Path Params injections") do
136
+ param_name = param_name[-1]
130
137
  next if param_name == :controller || param_name == :action
131
- check_param_for_injections(path_param_type, appsensor_meta, param_name.to_s, param_value)
138
+ check_param_for_injections(InjectionSensor::URI_PARAM, appsensor_meta, param_name.to_s, param_value)
132
139
  end
133
140
  end
134
141
 
135
- (appsensor_meta.get_dict || {}).each do |param_name, param_value|
142
+ TCellAgent::Utils::Params.flatten(appsensor_meta.get_dict || {}).each do |param_name, param_value|
136
143
  TCellAgent::Instrumentation.safe_block("AppSensor Check GET var injections") do
144
+ param_name = param_name[-1]
137
145
  check_param_for_injections(InjectionSensor::GET_PARAM, appsensor_meta, param_name, param_value)
138
146
  end
139
147
  end
140
148
 
141
149
  (appsensor_meta.post_dict || {}).each do |param_name, param_value|
142
150
  TCellAgent::Instrumentation.safe_block("AppSensor Check POST var injections") do
151
+ param_name = param_name[-1]
143
152
  check_param_for_injections(InjectionSensor::POST_PARAM, appsensor_meta, param_name, param_value)
144
153
  end
145
154
  end
146
155
 
147
156
  (appsensor_meta.body_dict || {}).each do |param_name, param_value|
148
157
  TCellAgent::Instrumentation.safe_block("AppSensor Check JSON var injections") do
158
+ param_name = param_name[-1]
149
159
  check_param_for_injections(InjectionSensor::JSON_PARAM, appsensor_meta, param_name, param_value)
150
160
  end
151
161
  end
152
162
 
153
- (appsensor_meta.cookie_dict || {}).each do |param_name, param_value|
163
+ TCellAgent::Utils::Params.flatten(appsensor_meta.cookie_dict || {}).each do |param_name, param_value|
154
164
  TCellAgent::Instrumentation.safe_block("AppSensor Check COOKIE var injections") do
165
+ param_name = param_name[-1]
155
166
  check_param_for_injections(InjectionSensor::COOKIE_PARAM, appsensor_meta, param_name, param_value)
156
167
  end
157
168
  end
158
169
  end
159
170
 
160
- def csrf_rejected(tcell_data)
171
+ def csrf_rejected(tcell_data, exception_class)
161
172
  TCellAgent::Instrumentation.safe_block("AppSensor CSRF Exception processing") do
162
173
  if self.options.has_key?("errors")
163
- self.options["errors"].csrf_rejected(tcell_data)
174
+ self.options["errors"].csrf_rejected(tcell_data, exception_class)
164
175
  end
165
176
  end
166
177
  end
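Review bot: `param_name = param_name[-1]` is applied in every loop, but only the path, GET and cookie dictionaries are passed through `TCellAgent::Utils::Params.flatten`; `post_dict` and `body_dict` are iterated as-is, so unless they are already flattened upstream (params.rb changed in this diff but is not shown), `param_name[-1]` on a String key yields its last character and nested values reach the sensors as Hash/Array. Wrap those two as well: `TCellAgent::Utils::Params.flatten(appsensor_meta.post_dict || {}).each do |param_name, param_value|` and likewise for `body_dict`. The `param_name == :controller` comparison after `param_name[-1]` also assumes `flatten` preserves Symbol keys, which is worth confirming against params.rb.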
@@ -198,6 +209,9 @@ module TCellAgent
198
209
 
199
210
  else
200
211
  sensor_policy.enabled = true
212
+ sensor_policy.payloads_policy = PayloadsPolicy.from_json(
213
+ data_json.fetch("options", {})
214
+ )
201
215
 
202
216
  DETECTION_POINTS_V2.each do |sensor_name, sensor_class|
203
217
  settings = sensors_json.fetch(sensor_name, {})
@@ -217,6 +231,13 @@ module TCellAgent
217
231
 
218
232
  else
219
233
  sensor_policy.enabled = true
234
+ sensor_policy.payloads_policy = PayloadsPolicy.from_json({
235
+ "payloads" => {
236
+ "send_payloads" => true,
237
+ "log_payloads" => true
238
+ }
239
+ })
240
+
220
241
  DETECTION_POINTS_V1.each do |sensor_name|
221
242
  if "req_res_size" == sensor_name
222
243
  enabled = options_json.fetch(sensor_name, false)
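Review bot: The v1 branch hard-codes `send_payloads`/`log_payloads` to true with no blacklist or whitelist, so for v1 policies the raw matched value is attached to events and written to the payloads log whenever the `allow_unencrypted_appfirewall_payloads*` configuration flags permit, and nothing explains why this is the chosen default. Add above `sensor_policy.payloads_policy = PayloadsPolicy.from_json({`: `# v1 policies carry no payload settings: payloads are sent and logged whenever the allow_unencrypted_* config flags allow it, with no per-parameter filtering`. The surrounding `DETECTION_POINTS_V1` loop continues past the hunk.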
@@ -41,7 +41,7 @@ module TCellAgent
41
41
  end
42
42
  return true
43
43
  end
44
- def enforce(target_url, current_host, current_path, method, route_id, status_code, remote_addr, session_id=nil)
44
+ def enforce(target_url, current_host, current_path, method, route_id, status_code, remote_addr, hmac_session_id=nil)
45
45
  if @enabled == false
46
46
  return nil
47
47
  end
@@ -51,7 +51,17 @@ module TCellAgent
51
51
  return nil
52
52
  end
53
53
  begin
54
- event = TCellAgent::SensorEvents::TCellRedirectSensorEvent.new(host, current_host, current_path, method, route_id, status_code, remote_addr, session_id, nil)
54
+ event = TCellAgent::SensorEvents::TCellRedirectSensorEvent.new(
55
+ host,
56
+ current_host,
57
+ current_path,
58
+ method,
59
+ route_id,
60
+ status_code,
61
+ remote_addr,
62
+ hmac_session_id,
63
+ nil)
64
+
55
65
  TCellAgent.send_event(event)
56
66
  rescue Exception => ie
57
67
  TCellAgent.logger.error("uncaught exception while creating redirect event: #{ie.message}")
@@ -14,7 +14,7 @@ module TCellAgent
14
14
  if appsensor_policy
15
15
  tcell_data = request.env[TCellAgent::Instrumentation::TCELL_ID]
16
16
  if tcell_data
17
- appsensor_policy.csrf_rejected(tcell_data)
17
+ appsensor_policy.csrf_rejected(tcell_data, ActionController::InvalidAuthenticityToken)
18
18
  end
19
19
  end
20
20
  end