tcell_agent 0.2.2

data/lib/tcell_agent/rails/middleware/global_middleware.rb

@@ -0,0 +1,53 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'rails'
+require 'uri'
+require 'tcell_agent/logger'
+require 'tcell_agent/agent'
+require 'tcell_agent/sensor_events/sensor'
+require 'tcell_agent/sensor_events/app_sensor'
+require 'tcell_agent/sensor_events/server_agent'
+require 'tcell_agent/sensor_events/util/sanitizer_utilities'
+require 'tcell_agent/sensor_events/util/redirect_utils'
+
+require 'tcell_agent/rails/routes'
+
+require 'tcell_agent/userinfo'
+require 'cgi'
+
+require 'tcell_agent/instrumentation'
+
+module TCellAgent
+  module Instrumentation
+    module Rails
+      module Middleware
+
+        class GlobalMiddleware
+
+          def initialize(app)
+            @app = app
+          end
+
+          def call(env)
+            request = Rack::Request.new(env)
+            TCellAgent::Instrumentation.safe_block("Setting session_id & user_id") {
+              if request.session
+                env[TCellAgent::Instrumentation::Rails::Middleware::TCELL_ID].session_id = request.session["session_id"]
+                env[TCellAgent::Instrumentation::Rails::Middleware::TCELL_ID].user_id = TCellAgent::UserInformation.getUserFromRequest(request)
+              end
+            }
+            TCellAgent::Instrumentation.safe_block("Setting hmac_session_id") {
+              hmac_key = TCellAgent::SensorEvents::Util.getHmacKey()
+              if request.env[TCellAgent::Instrumentation::Rails::Middleware::TCELL_ID].session_id
+                env[TCellAgent::Instrumentation::Rails::Middleware::TCELL_ID].hmac_session_id = TCellAgent::SensorEvents::Util.hmac(request.env["tcell.request_data"].session_id, hmac_key)
+              end
+            }
+            response = @app.call(env)            
+            response
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/rails/middleware/headers_middleware.rb

@@ -0,0 +1,176 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'rails'
+require 'uri'
+require 'tcell_agent/logger'
+require 'tcell_agent/agent'
+require 'tcell_agent/sensor_events/sensor'
+require 'tcell_agent/sensor_events/app_sensor'
+require 'tcell_agent/sensor_events/server_agent'
+require 'tcell_agent/sensor_events/util/sanitizer_utilities'
+require 'tcell_agent/sensor_events/util/redirect_utils'
+
+require 'tcell_agent/rails/routes'
+
+require 'tcell_agent/userinfo'
+require 'cgi'
+
+require 'tcell_agent/instrumentation'
+
+module TCellAgent
+  module Instrumentation
+    module Rails
+      module Middleware
+
+        class HeadersMiddleware
+
+          def initialize(app)
+            @app = app
+          end
+
+          def call(env)
+            
+            request = Rack::Request.new(env)
+            response = @app.call(env)
+            status, headers, active_response = response
+            TCellAgent::Instrumentation.safe_block("Handling Request") {
+              tcell_response = response
+              tcell_response = self._handle_appsensor(request, tcell_response)
+              tcell_response = self._handle_redirect(request, tcell_response)
+              tcell_response = self._set_csp_header(request, tcell_response) 
+              tcell_response = self._set_clickjacking_header(request, tcell_response)
+              tcell_response = self._set_secure_headers(request, tcell_response)
+              response = tcell_response
+            }
+            response
+          end
+
+          def _set_csp_header(request, response)
+            TCellAgent::Instrumentation.safe_block("Setting CSP Headers") {
+              status, headers, active_response = response
+
+              content_security_policy = TCellAgent.policy(TCellAgent::PolicyTypes::CSP)
+
+              if content_security_policy
+                content_security_policy.each(
+                  request.env["tcell.request_data"].transaction_id, 
+                  request.env["tcell.request_data"].hmac_session_id, 
+                  request.env["tcell.request_data"].user_id) do | header_pair | 
+                  headers[header_pair["name"]] = header_pair["value"]
+                end
+              end
+              response = [status, headers, active_response]
+            }
+            response
+          end
+
+          def _set_clickjacking_header(request, response)
+            TCellAgent::Instrumentation.safe_block("Setting Clickjacking Headers") {
+              status, headers, active_response = response
+              clickjacking_policy = TCellAgent.policy(TCellAgent::PolicyTypes::Clickjacking)
+
+              if clickjacking_policy
+                  clickjacking_policy.each(
+                    request.env["tcell.request_data"].transaction_id, 
+                    request.env["tcell.request_data"].hmac_session_id, 
+                    request.env["tcell.request_data"].user_id) do | header_pair | 
+                  header_name = header_pair["name"]
+                  header_value = header_pair["value"]
+                  if (headers.has_key?header_name)
+                    headers[header_name] = headers[header_name] + "," + header_value
+                  else
+                    headers[header_name] = header_value
+                  end
+                end
+              end #if
+
+              response = [status, headers, active_response]
+            }
+            response
+          end
+
+          def _set_secure_headers(request, response)
+            TCellAgent::Instrumentation.safe_block("Setting Secure Headers") {
+              status, headers, active_response = response
+
+              secure_headers_policy = TCellAgent.policy(TCellAgent::PolicyTypes::SecureHeaders)
+              if secure_headers_policy
+                secure_headers_policy.headers.each do | secure_header |
+                  headers[secure_header.name] = secure_header.value
+                end
+              end
+              response = [status, headers, active_response]
+            }
+            response
+          end
+
+          def _handle_redirect(request, response)
+            TCellAgent::Instrumentation.safe_block("Handling Redirect Headers") {
+              status, headers, active_response = response
+
+              http_redirect_policy = TCellAgent.policy(TCellAgent::PolicyTypes::HttpRedirect)
+              if http_redirect_policy && headers.has_key?("Location")
+                local_uri = URI.parse(request.url)
+                new_location = http_redirect_policy.enforce(
+                  headers["Location"], 
+                  local_uri.host, 
+                  request.fullpath, 
+                  request.request_method,
+                  status, 
+                  request.ip)
+                # Enforcement
+                if (new_location)
+                  headers["Location"] = new_location
+                end
+              end
+              response = [status, headers, active_response]
+            }
+            response
+          end
+
+          def _handle_appsensor(request, response)
+            TCellAgent::Instrumentation.safe_block("Handling AppSensor") {
+              status_code, response_headers, response_body = response
+              appsensor_policy = TCellAgent.policy(TCellAgent::PolicyTypes::AppSensor)
+
+              if (!(response_body.is_a?(Array)) && !(response_body.is_a?(Rack::BodyProxy)))
+                return response
+              end
+              rack_response = Rack::Response.new(response)
+              if appsensor_policy && appsensor_policy.enabled
+                event = TCellAgent::SensorEvents::TCellAppSensorEventProcessor.new                
+                event.request_headers = request.env
+                event.request_content_length = (request.content_length || "0").to_i
+                event.request_body = request.body
+                event.response_content_length = (rack_response.length || "0").to_i
+                event.remote_addr = request.ip
+                event.uri = request.fullpath
+                event.get_params = request.GET
+                event.post_params = request.POST
+                event.cookies = request.cookies
+
+                #status, headers, active_response = response
+                #if active_response.class != ActionDispatch::Response
+                #  return response
+                #end
+
+                event.status_code = status_code
+                event.response_headers = response_headers
+                event.response_body = response_body
+
+                event.route_id = request.env["tcell.request_data"].route_id
+                event.transaction_id = request.env["tcell.request_data"].transaction_id
+                event.session_id = request.env["tcell.request_data"].hmac_session_id
+                event.user_id = request.env["tcell.request_data"].user_id
+
+                TCellAgent.send_event(event)
+              end
+            }
+            response
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/rails/routes.rb

@@ -0,0 +1,130 @@
+
+module TCellAgent
+  class Engine < Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      ActionController::Base.class_eval do
+        around_filter :tell_around_filter_routes
+        def tell_around_filter_routes 
+          begin 
+            TCellAgent::Instrumentation.safe_block("Determining Rails Route ID") {
+              route = Rails.application.routes.router.recognize(request) { |route, _| route }.first
+              if route
+                route_path = route[2].path.spec
+                tcell_context = request.env[TCellAgent::Instrumentation::Rails::Middleware::TCELL_ID]
+                tcell_context.route_id = TCellAgent::SensorEvents::Util.calculateRouteId(request.method.downcase, route_path)
+              end
+            }
+            yield
+          end
+        end
+      end
+    end
+  end
+end
+
+
+
+module TCellAgent
+  module Instrumentation
+    module Rails
+      def self.route_path_from_route(route)
+        if (::Rails::VERSION::MAJOR == 4)
+          begin
+            route_path = "#{route[2].path.spec}"
+            if (route_path.end_with?("(.:format)"))
+              route_path = route_path.chomp("(.:format)")
+            end
+            return route_path
+          rescue Exception => inner_excetion
+            TCellAgent.logger.debug("Could not figure out path #{inner_excetion.message}")
+          end
+        end
+        nil
+      end
+      def self.route_from_request(rails_request)
+        if (rails_request.env["action_dispatch.request_id"] == nil)
+          return nil
+        end
+        if (::Rails::VERSION::MAJOR == 4)
+          begin
+            recognized = ::Rails.application.routes.router.recognize(rails_request) { |route, _| route }
+            if recognized
+              return recognized.first
+            end
+          rescue Exception => inner_excetion
+            TCellAgent.logger.debug("Could not figure out path #{inner_excetion.message}")
+          end
+        end
+        nil
+      end
+      def self.route_id_from_request(active_request)
+        route = route_from_request(active_request)
+        if route != nil
+          route_path = route_path_from_route(route)
+          if route_path != nil
+            return TCellAgent::SensorEvents::Util.calculateRouteId(active_request.request_method.downcase, route_path)
+          end
+        end
+        nil
+      end
+      def self.get_routes
+      end
+      if (::Rails::VERSION::MAJOR == 3)
+        ActionDispatch::Routing::RouteSet.class_eval do
+            alias_method :original_add_route, :add_route
+            def add_route(app, conditions = {}, requirements = {}, defaults = {}, name = nil, anchor = true)
+              methods = ['GET','POST','PUT','DELETE','HEAD',
+                         'PATCH','TRACE','CONNECT','OPTIONS']
+              route = original_add_route(app, conditions, requirements, defaults, name, anchor)
+              if (route.constraints.has_key? :request_method)                  
+                  route_path = "#{route.path.spec}"
+                  if (route_path.end_with?("(.:format)"))
+                    route_path = route_path.chomp("(.:format)")
+                  end
+                  route_destination = route.defaults.to_json.to_s
+                  route_params =  route.path.required_names
+                  route_methods = methods.select {|x| route.verb.match(x) }
+                  route_methods.each { |route_method|
+                    route_id = TCellAgent::SensorEvents::Util.calculateRouteId(route_method.downcase, route.path.spec)
+                    TCellAgent.send_event(
+                      TCellAgent::SensorEvents::AppRoutesSensorEvent.new(
+                        route_path, route_method, route_id, nil, route_destination
+                      )
+                    )
+                  }
+              end
+              route
+            end
+        end
+      end
+      if (::Rails::VERSION::MAJOR == 4)
+        ActionDispatch::Journey::Routes.class_eval do
+          alias_method :original_add_route, :add_route
+          def add_route(app, path, conditions, defaults, name = nil)
+          methods = ['GET','POST','PUT','DELETE','HEAD',
+                     'PATCH','TRACE','CONNECT','OPTIONS']
+          route = original_add_route(app, path, conditions, defaults, name)
+          if (route.constraints.has_key? :request_method)
+              route_path = "#{route.path.spec}"
+              if (route_path.end_with?("(.:format)"))
+                route_path = route_path.chomp("(.:format)")
+              end
+              route_destination = route.defaults.to_json.to_s
+              route_params =  route.path.required_names
+              route_methods = methods.select {|x| route.verb.match(x) }
+              route_methods.each { |route_method|
+                route_id = TCellAgent::SensorEvents::Util.calculateRouteId(route_method.downcase, route.path.spec)
+                TCellAgent.send_event(
+                  TCellAgent::SensorEvents::AppRoutesSensorEvent.new(
+                    route_path, route_method, route_id, nil, route_destination
+                  )
+                )
+              }
+            end
+            route
+          end
+        end
+      end #endif rails version = 4
+    end
+  end
+end

data/lib/tcell_agent/rails/settings_reporter.rb

@@ -0,0 +1,40 @@
+require 'rails'
+require 'tcell_agent'
+require 'tcell_agent/sensor_events/app_config'
+require 'tcell_agent/sensor_events/server_agent'
+
+module TCellAgent
+  module Instrumentation
+    module Rails
+      def self.send_framework_info
+        if (TCellAgent.configuration.exp_config_settings)
+          version = ::Rails.version
+          TCellAgent.send_event(TCellAgent::SensorEvents::ServerAgentAppFrameworkEvent.new(
+                      "Rails", version
+                    ))
+        end
+      end
+      def self.send_settings(application)
+        if (TCellAgent.configuration.exp_config_settings)
+          # Defaults to true
+          csrf_protection = application.config.action_controller.allow_forgery_protection || true
+          TCellAgent.send_event(TCellAgent::SensorEvents::AppConfigSettingEvent.new(
+                      "Rails", "core", "", "csrf_protection", csrf_protection
+                    ))
+
+          # Defaults to false if nil
+          mass_assignment_allowed = application.config.action_controller.permit_all_parameters || false
+          TCellAgent.send_event(TCellAgent::SensorEvents::AppConfigSettingEvent.new(
+                      "Rails", "core", "", "mass_assignment_allowed", mass_assignment_allowed
+                    ))
+
+          # Defaults to never
+          session_expire = application.config.session_options[:expire_after] || -1
+          TCellAgent.send_event(TCellAgent::SensorEvents::AppConfigSettingEvent.new(
+                      "Rails", "session", "", "timeout", session_expire
+                    ))
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/sensor_events/app_config.rb

@@ -0,0 +1,16 @@
+require 'tcell_agent/sensor_events/sensor'        
+
+module TCellAgent
+    module SensorEvents
+        class AppConfigSettingEvent < TCellSensorEvent
+            def initialize(package, section, prefix, name, value)
+                super("app_config_setting")
+                self["package"] = package
+                self["section"] = section
+                self["prefix"] = prefix
+                self["name"] = name
+                self["value"] = value.to_s
+            end
+        end
+    end
+end

data/lib/tcell_agent/sensor_events/app_sensor.rb

@@ -0,0 +1,240 @@
+# encoding: utf-8
+# See the file "LICENSE" for the full license governing this code.
+
+require 'tcell_agent/sensor_events/util/sanitizer_utilities'
+require 'tcell_agent/sensor_events/sensor'
+
+require 'tcell_agent/agent'
+require 'tcell_agent/agent/policy_types'
+
+require 'tcell_agent/policies/appsensor_policy'
+require 'tcell_agent/appsensor'
+
+require 'tcell_agent/instrumentation'
+
+# Some Rules Originate from ModSecurity
+#   ModSecurity for Apache 2.x, http://www.modsecurity.org/
+#   Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) 
+
+module TCellAgent
+    module SensorEvents
+        class TCellAppSensorEvent < TCellSensorEvent
+            def initialize(location, detection_point, remote_addr, param, route_id, data=nil, transaction_id=nil, session_id=nil, user_id=nil)
+                super("as")
+                self["dp"] = detection_point
+                self["param"] = param
+                self["remote_addr"] = remote_addr
+                if (route_id)
+                    self["rou"] = route_id
+                end
+                @raw_location = location
+                @user_id = user_id
+                @transaction_id = transaction_id
+                @raw_session_id = session_id
+            end
+            def post_process
+                self["loc"] = Util.strip_uri_values(@raw_location)
+                if @user_id
+                    self["uid"] = @user_id.to_s
+                end
+                if @transaction_id
+                    self["tid"] = @transaction_id
+                end
+                if @raw_session_id
+                    hmac_key = Util.getHmacKey()
+                    self["sid"] = Util.hmac(@raw_session_id, hmac_key)
+                end
+            end
+        end
+        class TCellAppSensorEventProcessor < TCellSensorEvent
+            attr_accessor :request_headers, :request_body, :remote_addr, 
+                            :uri, :get_params, :post_params, :cookies,
+                            :request_content_length, :request_content_type
+            attr_accessor :status_code, :response_headers, :response_body,
+                            :response_content_length,
+                            :route_id, :transaction_id, :session_id, :user_id
+            def initialize
+                @request_content_length=0
+                @response_content_length = 0
+                @send = false
+            end
+            def appsensor_event(dp, param, data)
+                TCellAgent::Instrumentation.safe_block("AppSensor Sending Event") {
+                    event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
+                        @uri,
+                        dp,
+                        @remote_addr,
+                        param,
+                        @route_id,
+                        data=nil,
+                        transaction_id=@transaction_id,
+                        session_id=@session_id,
+                        user_id=@user_id)
+                    @sensor_triggered = true
+                    TCellAgent.send_event(event)
+                }
+            end
+            def for_params
+                if @get_params
+                    @get_params.each do |param_name, param_value|
+                        if !param_value || !param_value.instance_of?(String) || param_value == ""
+                            next
+                        end
+                        yield('get', param_name, param_value)
+                    end
+                end
+                if @post_params
+                    @post_params.each do |param_name, param_value|
+                        if !param_value || !param_value.instance_of?(String) || param_value == ""
+                            next
+                        end
+                        yield('post', param_name, param_value)
+                    end
+                end
+            end
+
+            def for_get_params
+                if @get_params
+                    @get_params.each do |param_name, param_value|
+                        if !param_value || !param_value.instance_of?(String) || param_value == ""
+                            next
+                        end
+                        yield('get', param_name, param_value)
+                    end
+                end
+            end
+
+            def test_response_size
+                if (@response_content_length && @response_content_length > TCellAgent::Policies::AppSensorPolicy::MAX_NORMAL_RESPONSE_BYTES)
+                    appsensor_event(TCellAgent::Policies::AppSensorPolicy::DP_UNUSUAL_RESPONSE_SIZE, response_content_length.to_s, nil)
+                end
+                request_size = 0
+                if @request_body
+                    if @request_body.kind_of?(StringIO)
+                        request_size = @request_body.size
+                    else
+                        request_size = @request_content_length
+                    end
+                end
+                if (request_size > TCellAgent::Policies::AppSensorPolicy::MAX_NORMAL_REQUEST_BYTES)
+                    appsensor_event(TCellAgent::Policies::AppSensorPolicy::DP_UNUSUAL_REQUEST_SIZE,request_size.to_s, nil)
+                end
+            end
+
+            def test_response_code
+                @status_code = @status_code.to_i
+                if @status_code == 200
+                    return
+                end
+                series = @status_code.to_i / 100
+                dp = nil
+                if (@status_code == 401)
+                    dp = "s401"
+                elsif (@status_code == 403)
+                    dp = "s403"
+                elsif (@status_code == 404)
+                    dp = "s404"
+                elsif (series == 4)
+                    dp = "s4xx"
+                elsif (@status_code == 500)
+                    dp = "s500"
+                elsif (series == 5)
+                    dp = "s5xx"
+                end
+                if (dp)
+                    appsensor_event(dp, @status_code.to_s, nil)
+                end
+            end
+
+            def post_process
+                appsensor_policy = TCellAgent.policy(TCellAgent::PolicyTypes::AppSensor)
+                if (!appsensor_policy || !appsensor_policy.enabled)
+                    return
+                end
+
+                @sensor_triggered = false;
+
+                if (appsensor_policy.option_enabled?("req_res_size"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Testing Response Size") {
+                        test_response_size
+                    }
+                end
+
+
+                if (!@sensor_triggered && appsensor_policy.option_enabled?("resp_codes"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Resting Response Code") {
+                        test_response_code
+                    }
+                end
+
+                if (!@sensor_triggered && appsensor_policy.option_enabled?("xss"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Testing for XSS") {
+                        for_params { | param_type, param_name, param_value |
+                            if (TCellAgent::AppSensor.isXss(param_value))
+                                appsensor_event("xss", param_name, nil)
+                                return
+                            end
+                        }
+                    }
+                end
+                
+                if (!@sensor_triggered && appsensor_policy.option_enabled?("cmdi"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Testing for CMDI") {
+                        for_params { | param_type, param_name, param_value |
+                            if (TCellAgent::AppSensor.isCmdi(param_value))
+                                appsensor_event("cmdi", param_name, nil)
+                                return
+                            end
+                        }
+                    }
+                end
+
+                if (!@sensor_triggered && appsensor_policy.option_enabled?("sqli"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Testing for SQLI") {
+                        for_params { | param_type, param_name, param_value |
+                            if (TCellAgent::AppSensor.isSqli(param_value))
+                                appsensor_event("sqli", param_name, nil)
+                                return
+                            end
+                        }
+                    }
+                end
+
+                if (!@sensor_triggered && appsensor_policy.option_enabled?("retr"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Testing for Return Chars") {
+                        for_get_params { | param_type, param_name, param_value |
+                            if (TCellAgent::AppSensor.containsReturnChars(param_value))
+                                appsensor_event("retr", param_name, nil)
+                                return
+                            end
+                        }
+                    }
+                end
+
+                if (!@sensor_triggered && appsensor_policy.option_enabled?("null"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Testing for Null") {
+                        for_params { | param_type, param_name, param_value |
+                            if (TCellAgent::AppSensor.containsNull(param_value))
+                                appsensor_event("null", param_name, nil)
+                                return
+                            end
+                        }
+                    }
+                end
+
+                if (!@sensor_triggered && appsensor_policy.option_enabled?("null"))
+                    TCellAgent::Instrumentation.safe_block("AppSensor Testing for File path traversal") {
+                        for_params { | param_type, param_name, param_value |
+                            if (TCellAgent::AppSensor.isPathTraversal(param_value))
+                                appsensor_event("null", param_name, nil)
+                                return
+                            end
+                        }
+                    }
+                end
+
+            end
+
+        end
+    end
+end