tcell_agent 0.2.2

data/lib/tcell_agent/sensor_events/util/utils.rb

@@ -0,0 +1,21 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'logger'
+require 'cgi'
+require 'uri'
+require 'openssl'
+
+module TCellAgent
+  module SensorEvents
+    module Util
+      def self.jhash(str)
+        str.each_char.reduce(0) do |result, char|
+          [((result << 5) - result) + char.ord].pack('L').unpack('l').first
+        end 
+      end
+      def self.calculateRouteId(method, path, params=nil)
+        jhash("#{method}|#{path}")
+      end
+    end
+  end
+end

data/lib/tcell_agent/sinatra.rb

@@ -0,0 +1,41 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'sinatra/base'
+require 'sinatra'
+require 'tcell_agent/agent'
+require 'tcell_agent/instrumentation'
+
+module TCellAgent
+    class Sinatra::Response
+      include Sinatra
+      alias_method :original_finish, :finish
+      def finish
+        status, headers, response = original_finish
+        
+        TCellAgent::Instrumentation.safe_block("Setting CSP Headers") {
+          content_security_policy = TCellAgent.policy(TCellAgent::PolicyTypes::CSP)
+          if content_security_policy
+            content_security_policy.each(
+              nil, 
+              nil, 
+              nil) do | header_pair | 
+              headers[header_pair["name"]] = header_pair["value"]
+            end
+          end
+        }
+
+        TCellAgent::Instrumentation.safe_block("Setting Secure Headers") {
+          secure_headers_policy = TCellAgent.policy(TCellAgent::PolicyTypes::SecureHeaders)
+          if secure_headers_policy
+            secure_headers_policy.headers.each do | secure_header |
+              headers[secure_header.name] = secure_header.value
+            end
+          end
+        }
+
+        [status, headers, response]
+      end
+    end
+end
+
+

data/lib/tcell_agent/start_background_thread.rb

@@ -0,0 +1,63 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require 'tcell_agent/logger'
+require 'tcell_agent/agent'
+require 'tcell_agent/configuration'
+
+agent = ::TCellAgent::Agent.new(Process.pid)
+TCellAgent.thread_agent = agent
+
+# creates a fork and pipes a string from parent to child
+if File.basename($0) != 'rake'
+  if (File.basename($0) == 'rails' && 
+     ((defined?(Thin) && (Rack::Handler.default == Rack::Handler::Thin)) ||
+      (defined?(WEBrick) && (Rack::Handler.default == Rack::Handler::WEBrick))))
+    TCellAgent.logger.debug("Initializing background thread: Thin")
+    begin
+        TCellAgent.thread_agent = agent
+        agent.start
+    rescue Exception => e
+      TCellAgent.logger.error("Could not start worker.", e.message)
+    end
+  elsif defined?(Puma) && defined?(Puma.cli_config) && Puma.cli_config.options[:workers] > 1
+      agent.start_event_processor(false)
+      # preload app
+      TCellAgent.logger.debug("Initializing background thread: Puma Preload")
+      puma_worker_start = Proc.new do
+        begin
+            agent = TCellAgent::Agent.new(Process.pid)
+            TCellAgent.thread_agent = agent
+            agent.start
+        rescue Exception => e
+          TCellAgent.logger.error("Could not start worker.", e.message)
+        end
+      end
+      Puma.cli_config.options[:before_worker_boot].push(puma_worker_start)
+  elsif defined?(Unicorn) && Unicorn::HttpServer::LISTENERS.length == 0
+      agent.start_event_processor(false)
+      TCellAgent.logger.debug("Initializing background thread: Unicorn Preload")
+      class Unicorn::HttpServer
+        alias old_init_worker_process init_worker_process
+        def init_worker_process(work)
+            begin
+                agent = TCellAgent::Agent.new(Process.pid)
+                TCellAgent.thread_agent = agent
+                agent.start
+            rescue Exception => e
+              TCellAgent.logger.error("Could not start worker.", e.message)
+            end
+            return old_init_worker_process(work)
+        end
+      end
+  else
+    TCellAgent.logger.debug("Initializing background thread (no-preload).")
+    begin
+        TCellAgent.thread_agent = agent
+        agent.start
+    rescue Exception => e
+      TCellAgent.logger.error("Could not start worker.", e.message)
+    end
+  end
+end
+
+

data/lib/tcell_agent/userinfo.rb

@@ -0,0 +1,8 @@
+module TCellAgent
+  class UserInformation
+    # Devise
+    def self.getUserFromRequest(request)
+       return nil
+    end
+  end
+end

data/lib/tcell_agent/utils/queue_with_timeout.rb

@@ -0,0 +1,60 @@
+# See the file "LICENSE" for the full license governing this code.
+
+require "tcell_agent/logger"
+require 'thread'
+require 'logger'
+
+module TCellAgent
+  class QueueWithTimeout
+    def initialize
+      @mutex = Mutex.new
+      @queue = []
+      @response_time_table = {}
+      @recieved = ConditionVariable.new
+    end
+   
+    def <<(x)
+      @mutex.synchronize do
+        @queue << x
+        @recieved.signal
+      end
+    end
+    def add_response_time(route_id, response_time)
+      @mutex.synchronize do
+        if (route_id == nil || route_id == "")
+          route_id = "?"
+        end
+        @response_time_table[route_id] = @response_time_table.fetch(route_id,{})
+        @response_time_table[route_id]["c"] = @response_time_table[route_id].fetch("c",0) + 1
+        @response_time_table[route_id]["mx"] = [@response_time_table[route_id].fetch("mx",0), response_time].max
+        @response_time_table[route_id]["mn"] = [@response_time_table[route_id].fetch("mn",response_time), response_time].min
+        @response_time_table[route_id]["t"] = ((@response_time_table[route_id].fetch("t",0)*(@response_time_table[route_id]["c"]-1)) + response_time) / @response_time_table[route_id]["c"]
+      end
+    end
+    def length
+      return @queue.length
+    end
+    def get_response_time_table
+      return @response_time_table
+    end
+    def reset_response_time_table
+      @mutex.synchronize do
+        @response_time_table = {}
+      end
+    end
+    def pop(non_block = false)
+      pop_with_timeout(non_block ? 0 : nil)
+    end
+   
+    def pop_with_timeout(timeout = nil)
+      @mutex.synchronize do
+        if @queue.empty?
+          @recieved.wait(@mutex, timeout) if timeout != 0
+          #if we're still empty after the timeout, raise exception
+          raise ThreadError, "queue empty" if @queue.empty?
+        end
+        @queue.shift
+      end
+    end
+  end
+end

data/lib/tcell_agent/version.rb

@@ -0,0 +1,5 @@
+# See the file "LICENSE" for the full license governing this code.
+
+module TCellAgent
+  VERSION = "0.2.2"
+end

data/spec/controllers/application_controller.rb

@@ -0,0 +1,12 @@
+describe 'GET /' do
+  context 'Get homepage' do
+    it 'Adds CSP Headers' do
+      
+      user = create(:user)
+
+      post :create, session: { email: user.email, password: 'invalid' }
+
+      expect(response).to render_template(:new)
+      expect(flash[:notice]).to match(/^Email and password do not match/)
+    end
+  end

data/spec/lib/tcell_agent/api/api_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+require 'addressable/template'
+
+
+module TCellAgent
+  class TCellApi
+    describe "successful POST on /user/create" do
+      it "should redirect to dashboard" do
+        tapi = TCellApi.new
+        TCellAgent.configuration.app_id = "test-appid"
+        TCellAgent.configuration.api_key = "test-apikey"
+        
+        def checkreq(req)
+          return '{"result":{"csp-headers":{"app_id":"testapp-Becwu","policy_id":' \
+          '"acf60560-4e76-11e5-874c-7d71d425b275","headers":[{"name":"Content-Security-Policy-Report-Only",' \
+          '"value":"font-src \'none\'; script-src \'self\'; reflected-xss block; ' \
+          'style-src \'self\'; connect-src' \
+          ' \'none\'" ,"report-uri":"http://localhost:3000/csp/cab5e750e66d614bd46fd07a7078db1e74b4f427b2a135b2c96eca684a642707"}]}}}'
+        end
+        uri_template =
+          Addressable::Template.new "https://api.tcell.io/api/v1/app/{app}/update"
+        stub_request(:any, uri_template).
+          to_return(lambda { |request| {
+            :body => checkreq(request),  :status => 200,
+            :headers => { 'Content-Tyoe' => 'application/json' }
+          } })
+
+        #  to_return(:body => resbody,
+        result = tapi.pollAPI
+        TCellAgent.configuration.app_id = nil
+        TCellAgent.configuration.api_key = nil
+        expect(result["csp-headers"]["app_id"]).to eq("testapp-Becwu")
+      end
+    end
+  end
+end

data/spec/lib/tcell_agent/appsensor_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+module TCellAgent
+    describe AppSensor do
+        
+        context "Safe String" do
+          it "Tests Generally Safe Strings" do
+            expect(AppSensor.generallySafe("abc def")).to eq(true)
+            expect(AppSensor.generallySafe("abc d\">ef")).to eq(false)
+            expect(AppSensor.generallySafe("abc \0>ef")).to eq(false)
+          end
+        end
+        context "XSS Detection Test" do
+          it "Tests Standard XSS Probes" do
+            expect(AppSensor.isXss("abc def")).to eq(false)
+            expect(AppSensor.isXss("O'Reilly")).to eq(false)
+
+            expect(AppSensor.isXss("abc\"><script>")).to eq(true)
+            expect(AppSensor.isXss("<script>")).to eq(true)
+            expect(AppSensor.isXss("O'><img src='x' onerror='alert(1)'>Reilly")).to eq(true)
+            expect(AppSensor.isXss("O'><img/src='x' onerror='alert(1)'>Reilly")).to eq(true)
+            expect(AppSensor.isXss("\"><script>alert(/XSSPOSED/);</script>")).to eq(true)
+          end
+        end
+        context "SQLi Detection Test" do
+          it "Tests Standard XSS Probes" do
+            expect(AppSensor.isSqli("abc def")).to eq(false)
+            expect(AppSensor.isSqli("555--")).to eq(false)
+            expect(AppSensor.isSqli("555--666")).to eq(false)
+            expect(AppSensor.isSqli("I should order by friday")).to eq(false)
+            expect(AppSensor.isSqli('b<img src="a"><script>alert(1)</script>')).to eq(false)
+
+            expect(AppSensor.isSqli("a\" OR \"5\"= \"5")).to eq(true)
+            expect(AppSensor.isSqli("a' OR '5'= '5")).to eq(true)
+            expect(AppSensor.isSqli("a';--")).to eq(true)
+            expect(AppSensor.isSqli("a'--")).to eq(true)
+            #expect(AppSensor.isSqli("4 OR 3=3--")).to eq(true)
+            expect(AppSensor.isSqli("10 OrDeR By 10--")).to eq(true)
+          end
+        end
+        context "Cmd Injection Test" do
+          it "Tests for null character" do
+            expect(AppSensor.isCmdi("bob.txt echo 'hi'")).to eq(false)
+            expect(AppSensor.isCmdi("bob.txt; echo 'hi'")).to eq(true)
+          end
+        end
+        context "Path Traversal Test" do
+          it "Tests for path traversal" do
+            expect(AppSensor.isPathTraversal("bob.txt echo 'hi'")).to eq(false)
+            expect(AppSensor.isPathTraversal("3/.5")).to eq(false)
+            expect(AppSensor.isPathTraversal("../../../test.config")).to eq(true)
+            expect(AppSensor.isPathTraversal("/etc/passwd")).to eq(true)
+          end
+        end
+        context "String Characters Test" do
+          it "Tests for null character" do
+            expect(AppSensor.containsReturnChars("abc def")).to eq(false)
+            expect(AppSensor.containsReturnChars("abc\x0adef")).to eq(true)
+            expect(AppSensor.containsReturnChars("abc\x0a\x0ddef")).to eq(true)
+            expect(AppSensor.containsReturnChars("abc\x0ddef")).to eq(true)
+            expect(AppSensor.containsReturnChars("abc\x00 def")).to eq(false)
+          end
+        end
+        
+    end
+end

data/spec/lib/tcell_agent/policies/add_script_tag_policy_spec.rb

@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+module TCellAgent
+    module Policies
+        describe AddScriptTagPolicy do
+            policy_json_empty = {
+                "policy_id"=>"01a1",
+                "data"=>{
+                }
+            }
+
+            policy_json_one = {
+                "policy_id"=>"01a1",
+                "data"=>{
+                  "js_agent_api_key"=>"000-000-1"
+                }
+            }
+
+            empty_policy = AddScriptTagPolicy.fromJson(policy_json_empty)
+            context "test empty agent" do
+              it "enabled is false" do
+                expect(empty_policy.policy_id).to eq("01a1")
+                expect(empty_policy.enabled).to eq(false)
+              end
+            end
+
+            from_json = AddScriptTagPolicy.fromJson(policy_json_one)
+            context "tests xss is true and enabled true" do
+              it "returns true" do
+                expect(from_json.policy_id).to eq("01a1")
+                expect(from_json.enabled).to eq(true)
+                expect(from_json.js_agent_api_key).to eq("000-000-1")
+              end
+            end
+        end
+    end
+end

data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+module TCellAgent
+    module Policies
+        describe AppSensorPolicy do
+            policy_json_empty = {
+                "policy_id"=>"01a1",
+                "data"=>{
+                  "options"=>{}
+                }
+            }
+
+            policy_json_one = {
+                "policy_id"=>"01a1",
+                "data"=>{
+                  "options"=>{
+                      "xss"=>true
+                  }
+                }
+            }
+
+            empty_policy = AppSensorPolicy.fromJson(policy_json_empty)
+            context "test empty agent" do
+              it "enabled is false" do
+                expect(empty_policy.policy_id).to eq("01a1")
+                expect(empty_policy.enabled).to eq(false)
+              end
+            end
+
+            from_json = AppSensorPolicy.fromJson(policy_json_one)
+            context "tests xss is true and enabled true" do
+              it "returns true" do
+                expect(from_json.policy_id).to eq("01a1")
+                expect(from_json.enabled).to eq(true)
+                expect(from_json.option_enabled?("xss")).to eq(true)
+              end
+            end
+        end
+    end
+end

data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+
+module TCellAgent
+    module Policies
+        describe ClickjackingPolicy do
+            content_security_policy_json = {
+                "policy_id"=>"00a1",
+                "headers"=>[
+                    {"name"=>"csp", "value"=>"csp header value"}
+                ]
+            }
+            csp_from_json = ClickjackingPolicy.fromJson(content_security_policy_json)
+            context "initialized with 3 items" do
+              it "returns true" do
+                expect(csp_from_json.policy_id).to eq("00a1")
+                expect(csp_from_json.headers[0].type).to eq("csp")
+                expect(csp_from_json.headers[0].value).to eq("csp header value")
+              end
+            end
+            context "headers match up appropriately" do
+              it "returns content-security-policy headers" do
+                expect(ClickjackingPolicy.cspHeadersForType("csp")).to match_array(["Content-Security-Policy"])#,"X-Content-Security-Policy","X-WebKit-CSP"])
+              end
+            end
+        end
+        describe ContentSecurityPolicy do
+            content_security_policy_json = {
+                "policy_id"=>"01a1",
+                "headers"=>[
+                    {"name"=>"csp-header-is-bad", "value"=>"csp header value"}
+                ]
+            }
+            csp_policy = ClickjackingPolicy.fromJson(content_security_policy_json)
+            context "csp header example, invalid header" do
+                it "returns false" do
+                    expect(csp_policy.headers.length).to eq(0)
+                end
+            end
+        end
+        describe ClickjackingPolicy do
+            content_security_policy_json = {
+                "policy_id"=>"01a1",
+                "headers"=>[
+                    {"name"=>"csp", "value"=>"value123\\nabc"}
+                ]
+            }
+            csp_policy = ClickjackingPolicy.fromJson(content_security_policy_json)
+            context "secure header, value is bad" do
+                it "returns false" do
+                    expect(csp_policy.headers.length).to eq(0)
+                end
+            end
+        end
+        describe ClickjackingPolicy do
+            content_security_policy_json = {
+                "policy_id"=>"01a1",
+                "headers"=>[
+                    {"name"=>"csp", "value"=>"value normal", "report-uri"=>"https://example.com/abcdde"}
+                ]
+            }
+            csp_policy = ClickjackingPolicy.fromJson(content_security_policy_json)
+            context "secure header, report-uri seperate" do
+                it "returns false" do
+                    expect(csp_policy.headers.length).to eq(1)
+                    expect(csp_policy.headers[0].value).to eq("value normal; report-uri https://example.com/abcdde")
+                    expect(csp_policy.headers[0].value("1","2","3")).to eq("value normal; report-uri https://example.com/abcdde?tid=1&sid=2&uid=3")
+                end
+            end
+        end
+    end
+end