tcell_agent 0.2.21 → 0.2.22
- checksums.yaml +4 -4
- data/lib/tcell_agent.rb +1 -0
- data/lib/tcell_agent/api.rb +3 -2
- data/lib/tcell_agent/appsensor/injections_matcher.rb +137 -0
- data/lib/tcell_agent/appsensor/injections_reporter.rb +67 -0
- data/lib/tcell_agent/appsensor/meta_data.rb +71 -0
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb +5 -2
- data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb +1 -1
- data/lib/tcell_agent/appsensor/sensor.rb +48 -0
- data/lib/tcell_agent/configuration.rb +15 -2
- data/lib/tcell_agent/instrumentation.rb +3 -2
- data/lib/tcell_agent/logger.rb +19 -3
- data/lib/tcell_agent/patches.rb +26 -0
- data/lib/tcell_agent/patches/block_rule.rb +58 -0
- data/lib/tcell_agent/patches/meta_data.rb +54 -0
- data/lib/tcell_agent/patches/sensors_matcher.rb +30 -0
- data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/database_sensor.rb +7 -3
- data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +32 -38
- data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +4 -4
- data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +3 -1
- data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +3 -3
- data/lib/tcell_agent/policies/appsensor/retr_sensor.rb +4 -0
- data/lib/tcell_agent/policies/appsensor/size_sensor.rb +9 -3
- data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +3 -3
- data/lib/tcell_agent/policies/appsensor_policy.rb +55 -131
- data/lib/tcell_agent/policies/content_security_policy.rb +148 -137
- data/lib/tcell_agent/policies/patches_policy.rb +41 -13
- data/lib/tcell_agent/rails.rb +11 -109
- data/lib/tcell_agent/rails/auth/devise.rb +5 -1
- data/lib/tcell_agent/rails/dlp.rb +5 -2
- data/lib/tcell_agent/rails/dlp/process_request.rb +88 -0
- data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +1 -1
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +3 -13
- data/lib/tcell_agent/rails/on_start.rb +5 -101
- data/lib/tcell_agent/rails/routes.rb +240 -81
- data/lib/tcell_agent/rails/routes/grape.rb +113 -0
- data/lib/tcell_agent/rails/routes/route_id.rb +29 -0
- data/lib/tcell_agent/sensor_events/app_config.rb +21 -13
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +7 -26
- data/lib/tcell_agent/servers/passenger.rb +10 -0
- data/lib/tcell_agent/start_background_thread.rb +82 -0
- data/lib/tcell_agent/utils/params.rb +1 -1
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +504 -0
- data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +222 -0
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +7 -13
- data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb +18 -18
- data/spec/lib/tcell_agent/patches/block_rule_spec.rb +381 -0
- data/spec/lib/tcell_agent/patches/sensors_matcher_spec.rb +35 -0
- data/spec/lib/tcell_agent/patches_spec.rb +156 -0
- data/spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb +21 -10
- data/spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb +20 -9
- data/spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb +44 -9
- data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +4 -4
- data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +13 -13
- data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +5 -5
- data/spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb +20 -9
- data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +24 -14
- data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +243 -241
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +128 -200
- data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +126 -55
- data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +485 -24
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +5 -0
- data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +4 -2
- data/spec/lib/tcell_agent/rails/routes/grape_spec.rb +294 -0
- data/spec/lib/tcell_agent/rails/routes/route_id_spec.rb +80 -0
- data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +182 -0
- metadata +30 -7
- data/lib/tcell_agent/policies/appsensor/login_sensor.rb +0 -39
- data/lib/tcell_agent/policies/appsensor/sensor.rb +0 -46
- data/lib/tcell_agent/rails/path_parameters_setter.rb +0 -43
- data/spec/lib/tcell_agent/policies/appsensor/login_sensor_spec.rb +0 -104
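--- /dev/null
+++ b/data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb
@@ -0,0 +1,222 @@
+require 'spec_helper'
+
+module TCellAgent
+module AppSensor
+
+describe InjectionsReporter do
+
+describe "#check" do
+before(:each) do
+@payloads_policy = double("payloads_policy")
+@injections_matcher = double("injections_matcher")
+@injections_reporter = InjectionsReporter.new(@injections_matcher, @payloads_policy)
+
+@appsensor_meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
+@appsensor_meta.remote_address = "remote_address"
+@appsensor_meta.method = "get"
+@appsensor_meta.location = "location"
+@appsensor_meta.route_id = "route_id"
+@appsensor_meta.session_id = "session_id"
+@appsensor_meta.user_id = "user_id"
+@appsensor_meta.transaction_id = "transaction_id"
+end
+
+context "no matches" do
+it "should not send any events" do
+expect(@injections_matcher).to receive(:each_injection)
+expect(@payloads_policy).to_not receive(:apply)
+expect(TCellAgent).to_not receive(:send_event)
+
+@injections_reporter.check(@appsensor_meta)
+end
+end
+
+context "with one GET injection match" do
+it "should send the appropriate event" do
+expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+InjectionsReporter::GET_PARAM,
+"xss",
+{
+"param" => "dirty",
+"value" => "<script>",
+"pattern" => "pattern_id"
+}
+)
+
+block.call(injection_attempt)
+end
+expect(@payloads_policy).to receive(:apply).with(
+"xss", {}, InjectionsReporter::GET_PARAM, "dirty", "<script>", {"l"=>"query"}, "pattern_id"
+)
+expect(TCellAgent).to receive(:send_event).with(
+{
+"event_type"=>"as",
+"dp"=>"xss",
+"param"=>"dirty",
+"remote_addr"=>"remote_address",
+"m"=>"get",
+"pattern"=>"pattern_id",
+"meta"=>{"l"=>"query"},
+"rid"=>"route_id"
+}
+)
+
+@injections_reporter.check(@appsensor_meta)
+end
+end
+
+context "with one POST injection match" do
+it "should send the appropriate event" do
+@appsensor_meta.method = "post"
+
+expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+InjectionsReporter::POST_PARAM,
+"xss",
+{
+"param" => "dirty",
+"value" => "<script>",
+"pattern" => "pattern_id"
+}
+)
+
+block.call(injection_attempt)
+end
+expect(@payloads_policy).to receive(:apply).with(
+"xss", {}, InjectionsReporter::POST_PARAM, "dirty", "<script>", {"l"=>"body"}, "pattern_id"
+)
+expect(TCellAgent).to receive(:send_event).with(
+{
+"event_type"=>"as",
+"dp"=>"xss",
+"param"=>"dirty",
+"remote_addr"=>"remote_address",
+"m"=>"post",
+"pattern"=>"pattern_id",
+"meta"=>{"l"=>"body"},
+"rid"=>"route_id"
+}
+)
+
+@injections_reporter.check(@appsensor_meta)
+end
+end
+
+context "with one JSON injection match" do
+it "should send the appropriate event" do
+@appsensor_meta.method = "post"
+
+expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+InjectionsReporter::JSON_PARAM,
+"xss",
+{
+"param" => "dirty",
+"value" => "<script>",
+"pattern" => "pattern_id"
+}
+)
+
+block.call(injection_attempt)
+end
+expect(@payloads_policy).to receive(:apply).with(
+"xss", {}, InjectionsReporter::JSON_PARAM, "dirty", "<script>", {"l"=>"body"}, "pattern_id"
+)
+expect(TCellAgent).to receive(:send_event).with(
+{
+"event_type"=>"as",
+"dp"=>"xss",
+"param"=>"dirty",
+"remote_addr"=>"remote_address",
+"m"=>"post",
+"pattern"=>"pattern_id",
+"meta"=>{"l"=>"body"},
+"rid"=>"route_id"
+}
+)
+
+@injections_reporter.check(@appsensor_meta)
+end
+end
+
+context "with one URI injection match" do
+it "should send the appropriate event" do
+@appsensor_meta.method = "get"
+
+expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+InjectionsReporter::URI_PARAM,
+"xss",
+{
+"param" => "dirty",
+"value" => "<script>",
+"pattern" => "pattern_id"
+}
+)
+
+block.call(injection_attempt)
+end
+expect(@payloads_policy).to receive(:apply).with(
+"xss", {}, InjectionsReporter::URI_PARAM, "dirty", "<script>", {"l"=>"uri"}, "pattern_id"
+)
+expect(TCellAgent).to receive(:send_event).with(
+{
+"event_type"=>"as",
+"dp"=>"xss",
+"param"=>"dirty",
+"remote_addr"=>"remote_address",
+"m"=>"get",
+"pattern"=>"pattern_id",
+"meta"=>{"l"=>"uri"},
+"rid"=>"route_id"
+}
+)
+
+@injections_reporter.check(@appsensor_meta)
+end
+end
+
+context "with one COOKIE injection match" do
+it "should send the appropriate event" do
+@appsensor_meta.method = "get"
+
+expect(@injections_matcher).to receive(:each_injection) do |md, &block|
+injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
+InjectionsReporter::COOKIE_PARAM,
+"xss",
+{
+"param" => "dirty",
+"value" => "<script>",
+"pattern" => "pattern_id"
+}
+)
+
+block.call(injection_attempt)
+end
+expect(@payloads_policy).to receive(:apply).with(
+"xss", {}, InjectionsReporter::COOKIE_PARAM, "dirty", "<script>", {"l"=>"cookie"}, "pattern_id"
+)
+expect(TCellAgent).to receive(:send_event).with(
+{
+"event_type"=>"as",
+"dp"=>"xss",
+"param"=>"dirty",
+"remote_addr"=>"remote_address",
+"m"=>"get",
+"pattern"=>"pattern_id",
+"meta"=>{"l"=>"cookie"},
+"rid"=>"route_id"
+}
+)
+
+@injections_reporter.check(@appsensor_meta)
+end
+end
+
+end
+
+end
+
+end
+end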
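Review bot: The five match contexts from `context "with one GET injection match"` onward differ only in the `InjectionsReporter::*_PARAM` constant, the request method and the expected `"l"` location, so roughly 180 lines could be one table-driven example: `[[InjectionsReporter::GET_PARAM, "get", "query"], [InjectionsReporter::POST_PARAM, "post", "body"], ...].each do |param_type, method, location|` with the body parameterized, and the unused `md` argument in each `receive(:each_injection) do |md, &block|` renamed `_md`. What the spec does not cover is a request for which `each_injection` yields more than one attempt; a second `block.call` in one context, with `send_event` expected twice, would pin that every attempt is reported rather than only the first. I also note that `session_id`, `user_id` and `transaction_id` are set on the meta while the exact-hash `send_event` expectation omits them — presumably intentional (those fields are not part of this event), but a one-line comment saying so would prevent someone "fixing" it later.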
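--- a/data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb
+++ b/data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb
@@ -3,10 +3,15 @@ require 'spec_helper'
 module TCellAgent
 
 describe AppSensorRuleManager do
+after(:each) do
+# since rule manager is a singleton, load default rules so rest of the specs work properly
+AppSensorRuleManager.instance.load_default_rules_file
+end
 describe "#initialize" do
 context "loading default baserules" do
 it "should initialize all the sensors" do
-rule_manager = AppSensorRuleManager.
+rule_manager = AppSensorRuleManager.instance
+rule_manager.load_rules_file(get_test_resource_path("baserules.json"))
 
 expect(rule_manager.rule_info.empty?).to eq(false)
 end
@@ -16,24 +21,13 @@ module TCellAgent
 describe "#load_rules_file" do
 context "with nonexistent file" do
 it "should do nothing" do
-rule_manager = AppSensorRuleManager.
+rule_manager = AppSensorRuleManager.instance
 rule_manager.load_rules_file("non-existent-file.json")
 
 expect(rule_manager.rule_info.empty?).to eq(true)
 end
 end
 end
-
-describe "#load_default_rules_file" do
-it "should attempt to load default rules file" do
-expect_any_instance_of(AppSensorRuleManager).to receive(:load_rules_file).with(
-/tcell_agent\/appsensor\/rules\/baserules.json/
-)
-
-rule_manager = AppSensorRuleManager.new()
-rule_manager.load_default_rules_file()
-end
-end
 end
 
 end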
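--- a/data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb
+++ b/data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb
@@ -27,7 +27,7 @@ module TCellAgent
 it "should add the pattern" do
 rule_set = AppSensorRuleSet.new
 rule_set.add_pattern_from_dict({
-"id" => 1,
+"id" => "1",
 "common" => "<(iframe)",
 "ruby" => "<(script)"
 })
@@ -37,7 +37,7 @@ module TCellAgent
 
 arp = rule_set.patterns[0]
 expect(arp.enabled).to eq(true)
-expect(arp.pattern_id).to eq(1)
+expect(arp.pattern_id).to eq("1")
 expect(arp.pattern_regex).to_not eq(nil)
 expect("<script".match(arp.pattern_regex).captures).to eq(["script"])
 end
@@ -47,7 +47,7 @@ module TCellAgent
 it "should add the pattern" do
 rule_set = AppSensorRuleSet.new
 rule_set.add_pattern_from_dict({
-"id" => 1,
+"id" => "1",
 "common" => "<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound)"
 })
 
@@ -56,7 +56,7 @@ module TCellAgent
 
 arp = rule_set.patterns[0]
 expect(arp.enabled).to eq(true)
-expect(arp.pattern_id).to eq(1)
+expect(arp.pattern_id).to eq("1")
 expect(arp.pattern_regex).to_not eq(nil)
 expect("<script".match(arp.pattern_regex).captures).to eq(["script"])
 end
@@ -78,50 +78,50 @@ module TCellAgent
 @rule_set = AppSensorRuleSet.new
 @rule_set.set_safe_pattern_from_string("super_safe")
 @rule_set.add_pattern_from_dict({
-"id" => 1,
+"id" => "1",
 "common" => "<(script)"
 })
 @rule_set.add_pattern_from_dict({
-"id" => 2,
+"id" => "2",
 "common" => "<(iframe)"
 })
 end
 
 context "param value is nil" do
 it "should return nil" do
-expect(@rule_set.check_violation(nil, nil,
+expect(@rule_set.check_violation(nil, nil, Set.new, true)).to eq(nil)
 end
 end
 
 context "param value is empty" do
 it "should return nil" do
-expect(@rule_set.check_violation(nil, nil,
+expect(@rule_set.check_violation(nil, nil, Set.new, true)).to eq(nil)
 end
 end
 
 context "param value is present" do
 context "param value matches safe pattern" do
 it "should return nil" do
-expect(@rule_set.check_violation("param_name", "super_safe",
+expect(@rule_set.check_violation("param_name", "super_safe", Set.new, true)).to eq(nil)
 end
 end
 
 context "param value does not match anything" do
 it "should return nil" do
-expect(@rule_set.check_violation("param_name", "weeee",
+expect(@rule_set.check_violation("param_name", "weeee", Set.new, true)).to eq(nil)
 end
 end
 
 context "param value matches a pattern" do
 it "should return the match" do
-match_data = @rule_set.check_violation("param_name", "evil <script>",
-expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <script>", "pattern"=>1})
+match_data = @rule_set.check_violation("param_name", "evil <script>", Set.new, true)
+expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <script>", "pattern"=>"1"})
 end
 
 context "uppercasing param value still matches pattern" do
 it "should return the match" do
-match_data = @rule_set.check_violation("param_name", "evil <SCRIPT>",
-expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <SCRIPT>", "pattern"=>1})
+match_data = @rule_set.check_violation("param_name", "evil <SCRIPT>", Set.new, true)
+expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <SCRIPT>", "pattern"=>"1"})
 end
 end
 end
@@ -130,7 +130,7 @@ module TCellAgent
 context "all patterns are disabled" do
 context "param value contains evil pattern" do
 it "should return nil" do
-match_data = @rule_set.check_violation("param_name", "evil <script>",
+match_data = @rule_set.check_violation("param_name", "evil <script>", Set.new, false)
 expect(match_data).to eq(nil)
 end
 end
@@ -139,15 +139,15 @@ module TCellAgent
 context "one pattern is disabled" do
 context "evil param_value matches disabled pattern" do
 it "should return nil" do
-match_data = @rule_set.check_violation("param_name", "evil <script>",
+match_data = @rule_set.check_violation("param_name", "evil <script>", Set.new(["2"]), false)
 expect(match_data).to eq(nil)
 end
 end
 
 context "evil param_value matches enabled pattern" do
 it "should return the match" do
-match_data = @rule_set.check_violation("param_name", "evil <iframe>",
-expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <iframe>", "pattern"=>2})
+match_data = @rule_set.check_violation("param_name", "evil <iframe>", Set.new(["2"]), false)
+expect(match_data).to eq({"param"=>"param_name", "value"=>"evil <iframe>", "pattern"=>"2"})
 end
 end
 end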
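--- /dev/null
+++ b/data/spec/lib/tcell_agent/patches/block_rule_spec.rb
@@ -0,0 +1,381 @@
+require 'spec_helper'
+
+module TCellAgent
+module Patches
+
+describe "BlockRule" do
+
+describe ".from_json" do
+context "empty action provided" do
+it "should return nil" do
+logger = double("logger")
+expect(TCellAgent).to receive(:logger).and_return(logger)
+expect(logger).to receive(:error).with("Patches Policy action not supported: ")
+
+expect(BlockRule.from_json({"action" => nil})).to eq(nil)
+end
+end
+
+context "unknown action provided" do
+it "should return nil" do
+logger = double("logger")
+expect(TCellAgent).to receive(:logger).and_return(logger)
+expect(logger).to receive(:error).with("Patches Policy action not supported: bogus")
+
+expect(BlockRule.from_json({"action" => "bogus"})).to eq(nil)
+end
+end
+
+context "with no ips or rids provided" do
+it "should return nil" do
+logger = double("logger")
+expect(TCellAgent).to receive(:logger).and_return(logger)
+expect(logger).to receive(:error).with("Patches Policy block rule cannot be global. Specify either ips and/or route ids")
+
+expect(BlockRule.from_json({"action" => "block_403s"})).to eq(nil)
+end
+
+end
+
+context "with all the fields provided" do
+it "should create a block rule properly" do
+policy_json = {
+"ips" => ["1.1.1.1", "1.3.3.3"],
+"rids" => ["1396482959514716287","1396482959514716237"],
+"sensor_matches" => {
+"xss" => {}
+},
+"action" => "block_403s"
+}
+
+block_rule = BlockRule.from_json(policy_json)
+
+expect(block_rule.ips).to eq(Set.new(["1.1.1.1", "1.3.3.3"]))
+expect(block_rule.rids).to eq(Set.new(["1396482959514716287", "1396482959514716237"]))
+expect(block_rule.action).to eq("block_403s")
+expect(block_rule.sensors_matcher.injections_matcher.enabled).to eq(true)
+expect(block_rule.sensors_matcher.injections_matcher.sensors.size).to eq(1)
+expect(block_rule.sensors_matcher.injections_matcher.sensors[0].active_pattern_ids).to eq(Set.new)
+end
+end
+
+end
+
+describe "#block?" do
+
+context "with empty ips" do
+context "with empty rids" do
+# from_json prevents this case
+end
+
+context "with an rid" do
+context "that matches the request" do
+context "with empty sensors" do
+it "should return true" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "route_id"
+
+block_rule = BlockRule.new(
+Set.new,
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to receive(:enabled).and_return(false)
+
+expect(block_rule.block?(meta_data)).to eq(true)
+end
+end
+
+context "with sensors" do
+context "that don't have a match" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "route_id"
+
+block_rule = BlockRule.new(
+Set.new,
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to receive(:enabled).and_return(true)
+expect(injections_matcher).to receive(:each_injection)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+
+context "that have a match" do
+it "should return true" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "route_id"
+
+block_rule = BlockRule.new(
+Set.new,
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to receive(:enabled).and_return(true)
+expect(injections_matcher).to receive(:each_injection) do |md, &block|
+block.call(double("injection_attempt"))
+end
+
+expect(block_rule.block?(meta_data)).to eq(true)
+end
+end
+end
+end
+
+context "that does not match the request" do
+context "with empty sensors" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "non_matching_route_id"
+
+block_rule = BlockRule.new(
+Set.new,
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to_not receive(:enabled)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+
+context "with sensors" do
+context "that don't have a match" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "non_matching_route_id"
+
+block_rule = BlockRule.new(
+Set.new,
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to_not receive(:enabled)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+
+context "that have a match" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "non_matching_route_id"
+
+block_rule = BlockRule.new(
+Set.new,
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to_not receive(:enabled)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+end
+end
+end
+end
+
+context "with ips" do
+context "that does not match the request" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "route_id"
+
+block_rule = BlockRule.new(
+Set.new(["2.2.2.2"]),
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to_not receive(:enabled)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+
+context "that matches the request" do
+context "with an rid" do
+context "that matches the request" do
+context "with empty sensors" do
+it "should return true" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "route_id"
+
+block_rule = BlockRule.new(
+Set.new(["1.1.1.1"]),
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to receive(:enabled).and_return(false)
+
+expect(block_rule.block?(meta_data)).to eq(true)
+end
+end
+
+context "with sensors" do
+context "that don't have a match" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "route_id"
+
+block_rule = BlockRule.new(
+Set.new(["1.1.1.1"]),
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to receive(:enabled).and_return(true)
+expect(injections_matcher).to receive(:each_injection)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+
+context "that have a match" do
+it "should return true" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "route_id"
+
+block_rule = BlockRule.new(
+Set.new(["1.1.1.1"]),
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to receive(:enabled).and_return(true)
+expect(injections_matcher).to receive(:each_injection) do |md, &block|
+block.call(double("injection_attempt"))
+end
+
+expect(block_rule.block?(meta_data)).to eq(true)
+end
+end
+end
+end
+
+context "that does not match the request" do
+context "with empty sensors" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "non_matching_route_id"
+
+block_rule = BlockRule.new(
+Set.new(["1.1.1.1"]),
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to_not receive(:enabled)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+
+context "with sensors" do
+context "that don't have a match" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "non_matching_route_id"
+
+block_rule = BlockRule.new(
+Set.new(["1.1.1.1"]),
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to_not receive(:enabled)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+
+context "that have a match" do
+it "should return false" do
+injections_matcher = double("injections_matcher")
+
+meta_data = TCellAgent::Patches::MetaData.new
+meta_data.remote_address = "1.1.1.1"
+meta_data.route_id = "non_matching_route_id"
+
+block_rule = BlockRule.new(
+Set.new(["1.1.1.1"]),
+Set.new(["route_id"]),
+SensorsMatcher.new(injections_matcher),
+"block_403s"
+)
+
+expect(injections_matcher).to_not receive(:enabled)
+
+expect(block_rule.block?(meta_data)).to eq(false)
+end
+end
+end
+end
+end
+end
+end
+end
+
+end
+
+end
+end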
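Review bot: `#block?` is never exercised with both `ips` and `rids` empty; the placeholder `# from_json prevents this case` holds only for the JSON path, while `BlockRule.new(Set.new, Set.new, ...)` is a public constructor that this very spec calls directly, and a rule with neither set would — depending on how the implementation combines the two membership checks — either block nothing or become exactly the global block that `from_json` refuses. One example constructing that rule and asserting `expect(block_rule.block?(meta_data)).to eq(false)` would pin the safe behaviour rather than leave it to a comment. The IP examples also only show exact-string membership (`Set.new(["1.1.1.1"])` against `remote_address = "1.1.1.1"`); if `remote_address` can arrive in IPv6, bracketed/port-suffixed or forwarded-header form the rule will silently not match, so a comment in the `"with ips"` context noting that `ips` are matched as literal strings (no CIDR, no normalization) would set expectations — assuming that is indeed what `BlockRule` does, which is not visible here. Finally, the fifteen near-identical `BlockRule.new(...)`/`MetaData.new` setups would read better as a small helper taking `ips:`, `rids:` and `route_id:`.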