tcell_agent 0.2.21 → 0.2.22

data/lib/tcell_agent/instrumentation.rb

@@ -33,7 +33,7 @@ module TCellAgent
       end
       def create_hash_value
           "#{self.type}#{self.context}#{self.parameter}#{self.database}#{self.schema}#{self.table}#{self.field}#{self.rule}".hash
-      end 
+      end
       def eql?(other_key)
         self.hash == other_key.hash
       end
@@ -62,7 +62,7 @@ module TCellAgent
     class TCellData
       attr_accessor :transaction_id, :session_id, :hmac_session_id, :user_id, :route_id,
         :uri, :context_filters_by_term, :database_filters, :ip_address, :user_agent, :request_method,
-        :path_parameters
+        :path_parameters, :ip_blocking_triggered, :grape_mount_endpoint
 
       def self.filterx(sanitize_string, event_flag, replace_flag, term)
         send_event = false
@@ -79,6 +79,7 @@ module TCellAgent
         return send_event
       end
       def initialize
+        @ip_blocking_triggered = false
         @context_filters_by_term = Hash.new{|h,k| h[k] = Set.new}
       end
       def is_valid_term?(term)

data/lib/tcell_agent/logger.rb

@@ -40,17 +40,24 @@ module TCellAgent
       return Logger::FATAL
     end
 
-    return Logger::ERROR
+    return Logger::INFO
   end
 
   def self.appfirewall_payloads_logger
     if TCellAgent.configuration.enabled == false
       return @null_logger
     end
+
     if defined?(@paylods_logger) && @logger_pid == Process.pid
       return @payloads_logger
     end
 
+    if TCellAgent.configuration.appfirewall_payloads_logger
+      @logger_pid = Process.pid
+      @payloads_logger = TCellAgent.configuration.appfirewall_payloads_logger
+      return @payloads_logger
+    end
+
     if TCellAgent.configuration.allow_unencrypted_appfirewall_payloads_logging
       TCellAgent::Utils::IO.create_directory(
         File.dirname(TCellAgent.configuration.appfirewall_payloads_log_filename),
@@ -78,14 +85,23 @@ module TCellAgent
     if TCellAgent.configuration.enabled == false
       return @null_logger
     end
+
     if defined?(@logger) && @logger_pid == Process.pid
       return @logger
     end
 
+    if TCellAgent.configuration.logger
+      @logger_pid = Process.pid
+      @logger = TCellAgent.configuration.logger
+      return @logger
+    end
+
     @logger_pid = Process.pid
-    logging_options = TCellAgent.configuration.logging_options
+    logging_options = TCellAgent.configuration.logging_options || {}
+
+    use_default_setting = !logging_options.has_key?(:enabled) && !logging_options.has_key?("enabled")
 
-    if logging_options && (logging_options[:enabled] || logging_options["enabled"])
+    if use_default_setting || logging_options[:enabled] || logging_options["enabled"]
       logging_file = TCellAgent.configuration.log_filename
       logging_directory = File.dirname(logging_file)
       TCellAgent::Utils::IO.create_directory(logging_directory, TCellAgent.configuration.agent_home_owner.to_s)

data/lib/tcell_agent/patches.rb

@@ -0,0 +1,26 @@
+module TCellAgent
+  module Instrumentation
+
+    module Patches
+      def self.block?(request)
+        TCellAgent::Instrumentation.safe_block("Checking for block rules") do
+          patches_policy = TCellAgent.policy(TCellAgent::PolicyTypes::Patches)
+
+          if patches_policy && patches_policy.enabled
+            meta_data = TCellAgent::Patches::MetaData.build(request)
+            resp = patches_policy.apply(meta_data)
+
+            if resp
+              request.env[TCellAgent::Instrumentation::TCELL_ID].ip_blocking_triggered = true
+
+              return resp
+            end
+          end
+        end
+
+        nil
+      end
+    end
+
+  end
+end

data/lib/tcell_agent/patches/block_rule.rb

@@ -0,0 +1,58 @@
+require 'tcell_agent/patches/sensors_matcher'
+
+module TCellAgent
+  module Patches
+
+    class BlockRule
+      ACTIONS_TO_RESPONSES = {
+        "block_403s" => 403
+      }
+
+      attr_accessor :ips, :rids, :sensors_matcher, :action
+
+      def initialize(ips, rids, sensors_matcher, action)
+        @ips = ips
+        @rids = rids
+        @sensors_matcher = sensors_matcher
+        @action = action
+      end
+
+      def resp
+        ACTIONS_TO_RESPONSES[@action]
+      end
+
+      def block?(meta_data)
+        return false unless @ips.empty? || @ips.include?(meta_data.remote_address)
+
+        return false unless @rids.empty? || @rids.include?(meta_data.route_id)
+
+        return @sensors_matcher.any_matches?(meta_data)
+      end
+
+      def self.from_json(rule_json)
+        action = rule_json.fetch("action", "block_403s")
+
+        if ACTIONS_TO_RESPONSES.has_key?(action)
+          ips = Set.new(rule_json.fetch("ips", []))
+          rids = Set.new(rule_json.fetch("rids", []))
+
+          if ips.empty? && rids.empty?
+            TCellAgent.logger.error("Patches Policy block rule cannot be global. Specify either ips and/or route ids")
+
+            return nil
+          end
+
+          sensors_matcher = SensorsMatcher.from_json(rule_json.fetch("sensor_matches", {}))
+
+          return BlockRule.new(ips, rids, sensors_matcher, action)
+
+        else
+          TCellAgent.logger.error("Patches Policy action not supported: #{action}")
+
+          return nil
+        end
+      end
+    end
+
+  end
+end

data/lib/tcell_agent/patches/meta_data.rb

@@ -0,0 +1,54 @@
+# encoding: utf-8
+# See the file "LICENSE" for the full license governing this code.
+
+require 'tcell_agent/appsensor/meta_data'
+require 'tcell_agent/rails/better_ip'
+require 'tcell_agent/utils/params'
+
+module TCellAgent
+  module Patches
+
+    class MetaData < TCellAgent::AppSensor::MetaData
+
+      class << self
+        def build(request)
+          meta_event = MetaData.new
+
+          meta_event.remote_address = TCellAgent::Utils::Rails.better_ip(request)
+          meta_event.method = request.request_method
+          meta_event.user_agent = request.env['HTTP_USER_AGENT']
+          meta_event.get_dict = request.GET
+          meta_event.cookie_dict = request.cookies
+
+          meta_event.post_dict = request.POST
+
+          meta_event.path_parameters = request.env[TCellAgent::Instrumentation::TCELL_ID].path_parameters
+
+          meta_event.route_id = request.env[TCellAgent::Instrumentation::TCELL_ID].route_id
+          meta_event.transaction_id = request.env[TCellAgent::Instrumentation::TCELL_ID].transaction_id
+          meta_event.session_id = request.env[TCellAgent::Instrumentation::TCELL_ID].hmac_session_id
+          meta_event.user_id = request.env[TCellAgent::Instrumentation::TCELL_ID].user_id
+
+          meta_event.request_content_len = (request.content_length || "0").to_i
+          meta_event.set_body_dict(
+            meta_event.request_content_len,
+            request.content_type,
+            request.body.gets
+          )
+
+          meta_event
+        end
+      end
+
+      attr_accessor :remote_address, :method, :location, :route_id, :session_id, :user_id, :transaction_id,
+        :request_content_len, :user_agent
+
+      def initialize
+        super
+
+        @request_content_len = 0
+        @user_agent = nil
+      end
+    end
+  end
+end

data/lib/tcell_agent/patches/sensors_matcher.rb

@@ -0,0 +1,30 @@
+require 'tcell_agent/appsensor/injections_matcher'
+
+module TCellAgent
+  module Patches
+
+    class SensorsMatcher
+      attr_accessor :injections_matcher
+
+      def initialize(injections_matcher)
+        @injections_matcher = injections_matcher
+      end
+
+      def any_matches?(meta_data)
+        return true unless @injections_matcher.enabled
+
+        @injections_matcher.each_injection(meta_data) do |injection_attempt|
+          return true
+        end
+
+        return false
+      end
+
+      def self.from_json(sensor_matcher_json)
+        injections_matcher = TCellAgent::AppSensor::InjectionsMatcher.from_json(2, sensor_matcher_json)
+        SensorsMatcher.new(injections_matcher)
+      end
+    end
+
+  end
+end

data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb

@@ -13,6 +13,10 @@ module TCellAgent
         )
       end
 
+      def applicable_for_param_type?(param_type)
+        InjectionSensor::COOKIE_PARAM != param_type
+      end
+
     end
 
   end

data/lib/tcell_agent/policies/appsensor/database_sensor.rb

@@ -1,9 +1,9 @@
-require 'tcell_agent/policies/appsensor/sensor'
+require 'tcell_agent/appsensor/sensor'
 
 module TCellAgent
   module Policies
 
-    class DatabaseSensor < Sensor
+    class DatabaseSensor
 
       DP_CODE="dbmaxrows"
 
@@ -34,7 +34,11 @@ module TCellAgent
         if number_of_records > @max_rows
           param = nil
           meta = { "rows" => number_of_records }
-          send_event_from_tcell_data(tcell_data, DP_CODE, param, meta)
+          TCellAgent::AppSensor::Sensor.send_event_from_tcell_data(
+            tcell_data,
+            DP_CODE,
+            param,
+            meta)
         end
       end
 

data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb

@@ -13,6 +13,10 @@ module TCellAgent
         )
       end
 
+      def applicable_for_param_type?(param_type)
+        InjectionSensor::COOKIE_PARAM != param_type
+      end
+
     end
 
   end

data/lib/tcell_agent/policies/appsensor/injection_sensor.rb

@@ -1,10 +1,25 @@
-require 'tcell_agent/policies/appsensor/sensor'
 require 'tcell_agent/utils/params'
+require 'tcell_agent/appsensor/sensor'
 
 
 module TCellAgent
   module Policies
-    class InjectionSensor < Sensor
+
+    class InjectionAttempt
+
+      attr_accessor :type_of_param, :detection_point, :param_name, :param_value, :pattern
+
+      def initialize(type_of_param, detection_point, vuln_results)
+        @type_of_param = type_of_param
+        @param_name = vuln_results["param"]
+        @param_value = vuln_results["value"]
+        @pattern = vuln_results["pattern"]
+        @detection_point = detection_point
+      end
+
+    end
+
+    class InjectionSensor
       GET_PARAM = TCellAgent::Utils::Params::GET_PARAM
       POST_PARAM = TCellAgent::Utils::Params::POST_PARAM
       JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
@@ -21,7 +36,7 @@ module TCellAgent
 
       attr_accessor :enabled, :detection_point, :exclude_headers, :exclude_forms,
         :exclude_cookies, :exclusions, :active_pattern_ids, :v1_compatability_enabled,
-        :rule_manager, :excluded_route_ids
+        :excluded_route_ids
 
 
       def initialize(detection_point, policy_json=nil)
@@ -31,9 +46,9 @@ module TCellAgent
         @exclude_forms = false
         @exclude_cookies = false
         @exclusions = {}
-        @active_pattern_ids = {}
+        @active_pattern_ids = Set.new
         @v1_compatability_enabled = false
-        @rule_manager = AppSensorRuleManager.new
+        @rule_manager = AppSensorRuleManager.instance
         @excluded_route_ids = {}
 
         if policy_json
@@ -42,22 +57,20 @@ module TCellAgent
           @exclude_forms = policy_json.fetch("exclude_forms", false)
           @exclude_cookies = policy_json.fetch("exclude_cookies", false)
           @v1_compatability_enabled = policy_json.fetch("v1_compatability_enabled", false)
-          @rule_manager = policy_json.fetch("rule_manager", AppSensorRuleManager.new)
 
-          policy_json.fetch("exclude_routes", []).each do |excluded_route|
-            @excluded_route_ids[excluded_route] = true
-          end
-
-          policy_json.fetch("patterns", []).each do |pattern|
-            @active_pattern_ids[pattern] = true
-          end
+          @excluded_route_ids = Set.new(policy_json.fetch("exclude_routes", []))
+          @active_pattern_ids = Set.new(policy_json.fetch("patterns", []))
 
           policy_json.fetch("exclusions", {}).each do |common_word, locations|
-            @exclusions[common_word] = locations
+            @exclusions[common_word] = Set.new(locations)
           end
         end
       end
 
+      def applicable_for_param_type?(param_type)
+        true
+      end
+
       def get_ruleset
         @rule_manager.get_ruleset_for(@detection_point)
       end
@@ -69,10 +82,10 @@ module TCellAgent
         rules.check_violation(param_name, param_value, @active_pattern_ids, @v1_compatability_enabled)
       end
 
-      def check(type_of_param, appsensor_meta, param_name, param_value, payloads_policy)
+      def get_injection_attempt(type_of_param, appsensor_meta, param_name, param_value)
         return false unless @enabled
 
-        return false if @excluded_route_ids.fetch(appsensor_meta.route_id, false)
+        return false if @excluded_route_ids.include?(appsensor_meta.route_id)
 
         if @exclude_forms &&
             (GET_PARAM == type_of_param ||
@@ -89,29 +102,10 @@ module TCellAgent
         vuln_results = find_vulnerability(param_name, param_value)
 
         if vuln_results
-          vuln_param = vuln_results["param"]
-
-          if vuln_param
-            meta = {"l" => PARAM_TYPE_TO_L[type_of_param]}
-            pattern = vuln_results["pattern"]
-
-            payload = payloads_policy.apply(
-              @detection_point,
-              appsensor_meta,
-              type_of_param,
-              vuln_param,
-              vuln_results["value"],
-              meta,
-              pattern
-            )
-
-            send_event(appsensor_meta, @detection_point, vuln_param, meta, payload, pattern)
-
-            return true
-          end
+          InjectionAttempt.new(type_of_param, @detection_point, vuln_results)
+        else
+          false
         end
-
-        return false
       end
 
       def to_s

data/lib/tcell_agent/policies/appsensor/misc_sensor.rb

@@ -1,9 +1,9 @@
-require 'tcell_agent/policies/appsensor/sensor'
+require 'tcell_agent/appsensor/sensor'
 
 module TCellAgent
   module Policies
 
-    class MiscSensor < Sensor
+    class MiscSensor
 
       attr_accessor :enabled, :csrf_exception_enabled, :sql_exception_enabled, :excluded_route_ids
 
@@ -30,7 +30,7 @@ module TCellAgent
         return if tcell_data && @excluded_route_ids.fetch(tcell_data.route_id, false)
 
         meta = nil
-        send_event_from_tcell_data(tcell_data, "excsrf", exception_class.name, meta)
+        TCellAgent::AppSensor::Sensor.send_event_from_tcell_data(tcell_data, "excsrf", exception_class.name, meta)
       end
 
       def sql_exception_detected(tcell_data, exception)
@@ -39,7 +39,7 @@ module TCellAgent
         return if tcell_data && @excluded_route_ids.fetch(tcell_data.route_id, false)
 
         meta = nil
-        send_event_from_tcell_data(tcell_data, "exsql", exception.class.name, meta)
+        TCellAgent::AppSensor::Sensor.send_event_from_tcell_data(tcell_data, "exsql", exception.class.name, meta)
       end
 
       def to_s