tcell_agent 0.2.29.rc2 → 0.2.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. checksums.yaml +4 -4
  2. data/bin/tcell_agent +16 -4
  3. data/lib/tcell_agent/agent/event_processor.rb +2 -8
  4. data/lib/tcell_agent/agent/fork_pipe_manager.rb +0 -2
  5. data/lib/tcell_agent/agent/policy_manager.rb +12 -18
  6. data/lib/tcell_agent/api.rb +50 -27
  7. data/lib/tcell_agent/appsensor/injections_reporter.rb +7 -5
  8. data/lib/tcell_agent/appsensor/sensor.rb +8 -4
  9. data/lib/tcell_agent/config/unknown_options.rb +116 -0
  10. data/lib/tcell_agent/configuration.rb +17 -20
  11. data/lib/tcell_agent/instrumentation.rb +0 -1
  12. data/lib/tcell_agent/logger.rb +17 -21
  13. data/lib/tcell_agent/patches/block_rule.rb +43 -8
  14. data/lib/tcell_agent/patches/meta_data.rb +2 -1
  15. data/lib/tcell_agent/patches/sensors_matcher.rb +2 -1
  16. data/lib/tcell_agent/policies/appsensor/database_sensor.rb +5 -2
  17. data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +10 -3
  18. data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +8 -3
  19. data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb +1 -1
  20. data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +7 -2
  21. data/lib/tcell_agent/policies/appsensor/size_sensor.rb +7 -3
  22. data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +3 -5
  23. data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +6 -2
  24. data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +3 -5
  25. data/lib/tcell_agent/policies/appsensor_policy.rb +11 -6
  26. data/lib/tcell_agent/policies/content_security_policy.rb +19 -14
  27. data/lib/tcell_agent/rails/dlp.rb +1 -1
  28. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +10 -7
  29. data/lib/tcell_agent/rails/on_start.rb +0 -1
  30. data/lib/tcell_agent/sensor_events/appsensor_event.rb +7 -5
  31. data/lib/tcell_agent/sinatra.rb +3 -6
  32. data/lib/tcell_agent/start_background_thread.rb +0 -7
  33. data/lib/tcell_agent/utils/strings.rb +18 -0
  34. data/lib/tcell_agent/version.rb +1 -1
  35. data/spec/lib/tcell_agent/api/api_spec.rb +1 -1
  36. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +1 -1
  37. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +188 -0
  38. data/spec/lib/tcell_agent/configuration_spec.rb +56 -0
  39. data/spec/lib/tcell_agent/patches/block_rule_spec.rb +110 -16
  40. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +226 -293
  41. data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +32 -4
  42. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +11 -0
  43. data/spec/lib/tcell_agent/utils/strings_spec.rb +50 -0
  44. data/spec/support/static_agent_overrides.rb +1 -1
  45. data/tcell_agent.gemspec +1 -3
  46. metadata +9 -37
  47. data/lib/tcell_agent/rails/tracing.rb +0 -22
  48. data/spec/integration/puma.rb +0 -195
data/spec/lib/tcell_agent/configuration_spec.rb CHANGED
@@ -178,6 +178,62 @@ module TCellAgent
178
178
  end
179
179
  end
180
180
 
181
+ describe "#allow_unencrypted_appfirewall_payloads" do
182
+ context "setting it via config" do
183
+ context "using allow_unencrypted_appsensor_payloads" do
184
+ it "should be true" do
185
+ allow_unencrypted_appfirewall_payloads_enabled = double(
186
+ "no_data_ex",
187
+ read: {
188
+ version: 1,
189
+ applications: [
190
+ app_id: "app_id",
191
+ api_key: "api_key",
192
+ allow_unencrypted_appsensor_payloads: true
193
+ ]
194
+ }.to_json
195
+ )
196
+ expect(File).to receive(:file?).with(
197
+ File.join(Dir.getwd, "config/tcell_agent.config")
198
+ ).and_return(true)
199
+ expect(File).to receive(:open).with(
200
+ File.join(Dir.getwd, "config/tcell_agent.config")
201
+ ).and_return(allow_unencrypted_appfirewall_payloads_enabled)
202
+
203
+ configuration = Configuration.new
204
+
205
+ expect(configuration.allow_unencrypted_appfirewall_payloads).to eq(true)
206
+ end
207
+ end
208
+
209
+ context "using allow_unencrypted_appfirewall_payloads" do
210
+ it "should be true" do
211
+ allow_unencrypted_appfirewall_payloads_enabled = double(
212
+ "no_data_ex",
213
+ read: {
214
+ version: 1,
215
+ applications: [
216
+ app_id: "app_id",
217
+ api_key: "api_key",
218
+ allow_unencrypted_appfirewall_payloads: true
219
+ ]
220
+ }.to_json
221
+ )
222
+ expect(File).to receive(:file?).with(
223
+ File.join(Dir.getwd, "config/tcell_agent.config")
224
+ ).and_return(true)
225
+ expect(File).to receive(:open).with(
226
+ File.join(Dir.getwd, "config/tcell_agent.config")
227
+ ).and_return(allow_unencrypted_appfirewall_payloads_enabled)
228
+
229
+ configuration = Configuration.new
230
+
231
+ expect(configuration.allow_unencrypted_appfirewall_payloads).to eq(true)
232
+ end
233
+ end
234
+ end
235
+ end
236
+
181
237
  end
182
238
 
183
239
  end
data/spec/lib/tcell_agent/patches/block_rule_spec.rb CHANGED
@@ -30,11 +30,10 @@ module TCellAgent
30
30
  it "should return nil" do
31
31
  logger = double("logger")
32
32
  expect(TCellAgent).to receive(:logger).and_return(logger)
33
- expect(logger).to receive(:error).with("Patches Policy block rule cannot be global. Specify either ips and/or route ids")
33
+ expect(logger).to receive(:error).with("Patches Policy block rule cannot be global. Specify either ips and/or route ids or blocked paths")
34
34
 
35
35
  expect(BlockRule.from_json({"action" => "block_403s"})).to eq(nil)
36
36
  end
37
-
38
37
  end
39
38
 
40
39
  context "with all the fields provided" do
@@ -42,6 +41,7 @@ module TCellAgent
42
41
  policy_json = {
43
42
  "ips" => ["1.1.1.1", "1.3.3.3"],
44
43
  "rids" => ["1396482959514716287","1396482959514716237"],
44
+ "paths" => [{"exact" => "/index/"}, {"starts_with" => "/admin"}],
45
45
  "sensor_matches" => {
46
46
  "xss" => {}
47
47
  },
@@ -56,9 +56,10 @@ module TCellAgent
56
56
  expect(block_rule.sensors_matcher.injections_matcher.enabled).to eq(true)
57
57
  expect(block_rule.sensors_matcher.injections_matcher.sensors.size).to eq(1)
58
58
  expect(block_rule.sensors_matcher.injections_matcher.sensors[0].active_pattern_ids).to eq(Set.new)
59
+ expect(block_rule.exact_blocked_paths).to eq(Set.new(["/index", "/index/"]))
60
+ expect(block_rule.starts_with_blocked_paths).to eq(["/admin"])
59
61
  end
60
62
  end
61
-
62
63
  end
63
64
 
64
65
  describe "#block?" do
@@ -82,7 +83,9 @@ module TCellAgent
82
83
  Set.new,
83
84
  Set.new(["route_id"]),
84
85
  SensorsMatcher.new(injections_matcher),
85
- "block_403s"
86
+ "block_403s",
87
+ Set.new,
88
+ []
86
89
  )
87
90
 
88
91
  expect(injections_matcher).to receive(:enabled).and_return(false)
@@ -104,7 +107,9 @@ module TCellAgent
104
107
  Set.new,
105
108
  Set.new(["route_id"]),
106
109
  SensorsMatcher.new(injections_matcher),
107
- "block_403s"
110
+ "block_403s",
111
+ Set.new,
112
+ []
108
113
  )
109
114
 
110
115
  expect(injections_matcher).to receive(:enabled).and_return(true)
@@ -126,7 +131,9 @@ module TCellAgent
126
131
  Set.new,
127
132
  Set.new(["route_id"]),
128
133
  SensorsMatcher.new(injections_matcher),
129
- "block_403s"
134
+ "block_403s",
135
+ Set.new,
136
+ []
130
137
  )
131
138
 
132
139
  expect(injections_matcher).to receive(:enabled).and_return(true)
@@ -153,7 +160,9 @@ module TCellAgent
153
160
  Set.new,
154
161
  Set.new(["route_id"]),
155
162
  SensorsMatcher.new(injections_matcher),
156
- "block_403s"
163
+ "block_403s",
164
+ Set.new,
165
+ []
157
166
  )
158
167
 
159
168
  expect(injections_matcher).to_not receive(:enabled)
@@ -175,7 +184,9 @@ module TCellAgent
175
184
  Set.new,
176
185
  Set.new(["route_id"]),
177
186
  SensorsMatcher.new(injections_matcher),
178
- "block_403s"
187
+ "block_403s",
188
+ Set.new,
189
+ []
179
190
  )
180
191
 
181
192
  expect(injections_matcher).to_not receive(:enabled)
@@ -196,7 +207,9 @@ module TCellAgent
196
207
  Set.new,
197
208
  Set.new(["route_id"]),
198
209
  SensorsMatcher.new(injections_matcher),
199
- "block_403s"
210
+ "block_403s",
211
+ Set.new,
212
+ []
200
213
  )
201
214
 
202
215
  expect(injections_matcher).to_not receive(:enabled)
@@ -222,7 +235,9 @@ module TCellAgent
222
235
  Set.new(["2.2.2.2"]),
223
236
  Set.new(["route_id"]),
224
237
  SensorsMatcher.new(injections_matcher),
225
- "block_403s"
238
+ "block_403s",
239
+ Set.new,
240
+ []
226
241
  )
227
242
 
228
243
  expect(injections_matcher).to_not receive(:enabled)
@@ -246,7 +261,9 @@ module TCellAgent
246
261
  Set.new(["1.1.1.1"]),
247
262
  Set.new(["route_id"]),
248
263
  SensorsMatcher.new(injections_matcher),
249
- "block_403s"
264
+ "block_403s",
265
+ Set.new,
266
+ []
250
267
  )
251
268
 
252
269
  expect(injections_matcher).to receive(:enabled).and_return(false)
@@ -268,7 +285,9 @@ module TCellAgent
268
285
  Set.new(["1.1.1.1"]),
269
286
  Set.new(["route_id"]),
270
287
  SensorsMatcher.new(injections_matcher),
271
- "block_403s"
288
+ "block_403s",
289
+ Set.new,
290
+ []
272
291
  )
273
292
 
274
293
  expect(injections_matcher).to receive(:enabled).and_return(true)
@@ -290,7 +309,9 @@ module TCellAgent
290
309
  Set.new(["1.1.1.1"]),
291
310
  Set.new(["route_id"]),
292
311
  SensorsMatcher.new(injections_matcher),
293
- "block_403s"
312
+ "block_403s",
313
+ Set.new,
314
+ []
294
315
  )
295
316
 
296
317
  expect(injections_matcher).to receive(:enabled).and_return(true)
@@ -317,7 +338,9 @@ module TCellAgent
317
338
  Set.new(["1.1.1.1"]),
318
339
  Set.new(["route_id"]),
319
340
  SensorsMatcher.new(injections_matcher),
320
- "block_403s"
341
+ "block_403s",
342
+ Set.new,
343
+ []
321
344
  )
322
345
 
323
346
  expect(injections_matcher).to_not receive(:enabled)
@@ -339,7 +362,9 @@ module TCellAgent
339
362
  Set.new(["1.1.1.1"]),
340
363
  Set.new(["route_id"]),
341
364
  SensorsMatcher.new(injections_matcher),
342
- "block_403s"
365
+ "block_403s",
366
+ Set.new,
367
+ []
343
368
  )
344
369
 
345
370
  expect(injections_matcher).to_not receive(:enabled)
@@ -360,7 +385,9 @@ module TCellAgent
360
385
  Set.new(["1.1.1.1"]),
361
386
  Set.new(["route_id"]),
362
387
  SensorsMatcher.new(injections_matcher),
363
- "block_403s"
388
+ "block_403s",
389
+ Set.new,
390
+ []
364
391
  )
365
392
 
366
393
  expect(injections_matcher).to_not receive(:enabled)
@@ -373,6 +400,73 @@ module TCellAgent
373
400
  end
374
401
  end
375
402
  end
403
+
404
+ context "with blocked paths" do
405
+ context "without ips" do
406
+ context "matching paths" do
407
+ it "should block" do
408
+ injections_matcher = double("injections_matcher")
409
+
410
+ meta_data = TCellAgent::Patches::MetaData.new
411
+ meta_data.remote_address = "1.1.1.1"
412
+ meta_data.route_id = "route_id"
413
+
414
+ block_rule = BlockRule.new(
415
+ Set.new(["1.1.1.1"]),
416
+ Set.new(["route_id"]),
417
+ SensorsMatcher.new(injections_matcher),
418
+ "block_403s",
419
+ Set.new(["/index", "/index/"]),
420
+ ["/admin"]
421
+ )
422
+
423
+ expect(injections_matcher).to_not receive(:enabled)
424
+
425
+ meta_data.path = "/index"
426
+ expect(block_rule.block?(meta_data)).to eq(true)
427
+
428
+ meta_data.path = "/index/"
429
+ expect(block_rule.block?(meta_data)).to eq(true)
430
+
431
+ meta_data.path = "/admin"
432
+ expect(block_rule.block?(meta_data)).to eq(true)
433
+
434
+ meta_data.path = "/admin/users"
435
+ expect(block_rule.block?(meta_data)).to eq(true)
436
+ end
437
+ end
438
+
439
+ context "not matching blocking paths" do
440
+ it "should not block" do
441
+ injections_matcher = double("injections_matcher")
442
+
443
+ meta_data = TCellAgent::Patches::MetaData.new
444
+ meta_data.remote_address = "1.1.1.1"
445
+ meta_data.route_id = "route_id"
446
+
447
+ block_rule = BlockRule.new(
448
+ Set.new(["1.1.1.1"]),
449
+ Set.new(["route_id"]),
450
+ SensorsMatcher.new(injections_matcher),
451
+ "block_403s",
452
+ Set.new(["/index", "/index/"]),
453
+ ["/admin"]
454
+ )
455
+
456
+ expect(injections_matcher).to_not receive(:enabled)
457
+
458
+ meta_data.path = "/index/subpath"
459
+ expect(block_rule.block?(meta_data)).to eq(false)
460
+
461
+ meta_data.path = "/welcome"
462
+ expect(block_rule.block?(meta_data)).to eq(false)
463
+
464
+ meta_data.path = "/welcome/"
465
+ expect(block_rule.block?(meta_data)).to eq(false)
466
+ end
467
+ end
468
+ end
469
+ end
376
470
  end
377
471
 
378
472
  end
data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb CHANGED
@@ -41,53 +41,166 @@ module TCellAgent
41
41
  end
42
42
 
43
43
  context "with log_payloads enabled" do
44
- context "with allow_unencrypted_appfirewall_payloads_logging disabled" do
45
- it "should not log" do
46
- policy = PayloadsPolicy.from_json({
47
- "payloads" => {
48
- "log_payloads" => true
49
- }
50
- })
51
-
52
- configuration = double("configuration")
53
-
54
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
55
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
56
- false
57
- )
58
- expect(TCellAgent).to_not receive(:appfirewall_payloads_logger)
59
-
60
- policy.log(
61
- "xss",
62
- @meta,
63
- TCellAgent::Utils::Params::GET_PARAM,
64
- "password",
65
- "alert()",
66
- {"l" => "query"},
67
- "pattern"
68
- )
44
+ context "with no blacklist" do
45
+ context "with no whitelist" do
46
+ it "should log the value" do
47
+ policy = PayloadsPolicy.from_json({
48
+ "payloads" => {
49
+ "log_payloads" => true
50
+ }
51
+ })
52
+ configuration = double("configuration", "enabled" => true)
53
+ appfirewall_payloads_logger = double("appfirewall_payloads_logger")
54
+
55
+ expect(TCellAgent).to receive(:configuration).and_return(configuration).exactly(3).times
56
+ expect(configuration).to receive(:appfirewall_payloads_logger).and_return(
57
+ appfirewall_payloads_logger
58
+ ).exactly(2).times
59
+ expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
60
+ :post_process
61
+ )
62
+ expect(appfirewall_payloads_logger).to receive(:info).with({
63
+ "event_type" => "as",
64
+ "dp" => "xss",
65
+ "param" => "password",
66
+ "remote_addr" => "remote_address",
67
+ "m" => "get",
68
+ "pattern" => "pattern",
69
+ "meta" => {"l" => "query"},
70
+ "rid" => "route_id"
71
+ }.to_json)
72
+
73
+ policy.log(
74
+ "xss",
75
+ @meta,
76
+ TCellAgent::Utils::Params::GET_PARAM,
77
+ "password",
78
+ "alert()",
79
+ {"l" => "query"},
80
+ "pattern"
81
+ )
82
+ end
83
+ end
84
+
85
+ context "with a whitelist" do
86
+ context "that does not specify locations for the param" do
87
+ it "should not log" do
88
+ policy = PayloadsPolicy.from_json({
89
+ "payloads" => {
90
+ "log_payloads" => true,
91
+ "log_whitelist" => {
92
+ "username" => ["*"]
93
+ }
94
+ }
95
+ })
96
+
97
+ expect(TCellAgent).to_not receive(:configuration)
98
+
99
+ policy.log(
100
+ "xss",
101
+ @meta,
102
+ TCellAgent::Utils::Params::GET_PARAM,
103
+ "password",
104
+ "alert()",
105
+ {"l" => "query"},
106
+ "pattern"
107
+ )
108
+ end
109
+ end
110
+
111
+ context "that specifies locations for the param" do
112
+ context "param location does not match specified location do" do
113
+ it "should not log" do
114
+ policy = PayloadsPolicy.from_json({
115
+ "payloads" => {
116
+ "log_payloads" => true,
117
+ "log_whitelist" => {
118
+ "username" => ["*"],
119
+ "password" => ["cookie"]
120
+ }
121
+ }
122
+ })
123
+
124
+ expect(TCellAgent).to_not receive(:configuration)
125
+
126
+ policy.log(
127
+ "xss",
128
+ @meta,
129
+ TCellAgent::Utils::Params::GET_PARAM,
130
+ "password",
131
+ "alert()",
132
+ {"l" => "query"},
133
+ "pattern"
134
+ )
135
+ end
136
+ end
137
+
138
+ context "param location matches the specified location in the whitelist" do
139
+ it "should log the value" do
140
+ policy = PayloadsPolicy.from_json({
141
+ "payloads" => {
142
+ "log_payloads" => true,
143
+ "log_whitelist" => {
144
+ "username" => ["*"],
145
+ "PASSWORD" => ["form"]
146
+ }
147
+ }
148
+ })
149
+ configuration = double("configuration", "enabled" => true)
150
+ appfirewall_payloads_logger = double("appfirewall_payloads_logger")
151
+
152
+ expect(TCellAgent).to receive(:configuration).and_return(configuration).exactly(3).times
153
+ expect(configuration).to receive(:appfirewall_payloads_logger).and_return(
154
+ appfirewall_payloads_logger
155
+ ).exactly(2).times
156
+ expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
157
+ :post_process
158
+ )
159
+ expect(appfirewall_payloads_logger).to receive(:info).with({
160
+ "event_type" => "as",
161
+ "dp" => "xss",
162
+ "param" => "password",
163
+ "remote_addr" => "remote_address",
164
+ "m" => "get",
165
+ "pattern" => "pattern",
166
+ "meta" => {"l" => "query"},
167
+ "rid" => "route_id",
168
+ }.to_json)
169
+
170
+ policy.log(
171
+ "xss",
172
+ @meta,
173
+ TCellAgent::Utils::Params::GET_PARAM,
174
+ "password",
175
+ "alert()",
176
+ {"l" => "query"},
177
+ "pattern"
178
+ )
179
+ end
180
+ end
181
+ end
69
182
  end
70
183
  end
71
184
 
72
- context "with allow_unencrypted_appfirewall_payloads_logging enabled" do
73
- context "with no blacklist" do
185
+ context "with a blacklist" do
186
+ context "that does not specify locations for the param" do
74
187
  context "with no whitelist" do
75
188
  it "should log the value" do
76
189
  policy = PayloadsPolicy.from_json({
77
190
  "payloads" => {
78
- "log_payloads" => true
191
+ "log_payloads" => true,
192
+ "log_blacklist" => {
193
+ "username" => ["*"]
194
+ }
79
195
  }
80
196
  })
81
- configuration = double("configuration")
197
+ configuration = double("configuration", "enabled" => true)
82
198
  appfirewall_payloads_logger = double("appfirewall_payloads_logger")
83
199
 
84
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
85
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
86
- true
87
- )
88
- expect(TCellAgent).to receive(:appfirewall_payloads_logger).and_return(
200
+ expect(TCellAgent).to receive(:configuration).and_return(configuration).exactly(3).times
201
+ expect(configuration).to receive(:appfirewall_payloads_logger).and_return(
89
202
  appfirewall_payloads_logger
90
- )
203
+ ).exactly(2).times
91
204
  expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
92
205
  :post_process
93
206
  )
@@ -120,18 +233,16 @@ module TCellAgent
120
233
  policy = PayloadsPolicy.from_json({
121
234
  "payloads" => {
122
235
  "log_payloads" => true,
236
+ "log_blacklist" => {
237
+ "username" => ["*"]
238
+ },
123
239
  "log_whitelist" => {
124
240
  "username" => ["*"]
125
241
  }
126
242
  }
127
243
  })
128
- configuration = double("configuration")
129
244
 
130
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
131
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
132
- true
133
- )
134
- expect(TCellAgent).to_not receive(:appfirewall_payloads_logger)
245
+ expect(TCellAgent).to_not receive(:configuration)
135
246
 
136
247
  policy.log(
137
248
  "xss",
@@ -146,24 +257,21 @@ module TCellAgent
146
257
  end
147
258
 
148
259
  context "that specifies locations for the param" do
149
- context "param location does not match specified location do" do
260
+ context "param location does not match specified location" do
150
261
  it "should not log" do
151
262
  policy = PayloadsPolicy.from_json({
152
263
  "payloads" => {
153
264
  "log_payloads" => true,
154
- "log_whitelist" => {
265
+ "log_blacklist" => {
155
266
  "username" => ["*"],
267
+ },
268
+ "log_whitelist" => {
156
269
  "password" => ["cookie"]
157
270
  }
158
271
  }
159
272
  })
160
- configuration = double("configuration")
161
273
 
162
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
163
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
164
- true
165
- )
166
- expect(TCellAgent).to_not receive(:appfirewall_payloads_logger)
274
+ expect(TCellAgent).to_not receive(:configuration)
167
275
 
168
276
  policy.log(
169
277
  "xss",
@@ -177,27 +285,27 @@ module TCellAgent
177
285
  end
178
286
  end
179
287
 
180
- context "param location matches the specified location in the whitelist" do
288
+ context "param location matches the specified location" do
181
289
  it "should log the value" do
182
290
  policy = PayloadsPolicy.from_json({
183
291
  "payloads" => {
184
292
  "log_payloads" => true,
185
- "log_whitelist" => {
293
+ "log_blacklist" => {
186
294
  "username" => ["*"],
295
+ },
296
+ "log_whitelist" => {
187
297
  "PASSWORD" => ["form"]
188
298
  }
189
- }
299
+ },
300
+ "uri_options" => {"collect_full_uri" => true}
190
301
  })
191
- configuration = double("configuration")
302
+ configuration = double("configuration", "enabled" => true)
192
303
  appfirewall_payloads_logger = double("appfirewall_payloads_logger")
193
304
 
194
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
195
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
196
- true
197
- )
198
- expect(TCellAgent).to receive(:appfirewall_payloads_logger).and_return(
305
+ expect(TCellAgent).to receive(:configuration).and_return(configuration).exactly(3).times
306
+ expect(configuration).to receive(:appfirewall_payloads_logger).and_return(
199
307
  appfirewall_payloads_logger
200
- )
308
+ ).exactly(2).times
201
309
  expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
202
310
  :post_process
203
311
  )
@@ -210,6 +318,7 @@ module TCellAgent
210
318
  "pattern" => "pattern",
211
319
  "meta" => {"l" => "query"},
212
320
  "rid" => "route_id",
321
+ "full_uri" => "location"
213
322
  }.to_json)
214
323
 
215
324
  policy.log(
@@ -227,249 +336,73 @@ module TCellAgent
227
336
  end
228
337
  end
229
338
 
230
- context "with a blacklist" do
231
- context "that does not specify locations for the param" do
232
- context "with no whitelist" do
233
- it "should log the value" do
234
- policy = PayloadsPolicy.from_json({
235
- "payloads" => {
236
- "log_payloads" => true,
237
- "log_blacklist" => {
238
- "username" => ["*"]
239
- }
339
+ context "that specifies locations for the param" do
340
+ context "param location does not match specified location" do
341
+ it "should log the value" do
342
+ policy = PayloadsPolicy.from_json({
343
+ "payloads" => {
344
+ "log_payloads" => true,
345
+ "log_blacklist" => {
346
+ "password" => ["cookie"],
240
347
  }
241
- })
242
- configuration = double("configuration")
243
- appfirewall_payloads_logger = double("appfirewall_payloads_logger")
244
-
245
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
246
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
247
- true
248
- )
249
- expect(TCellAgent).to receive(:appfirewall_payloads_logger).and_return(
250
- appfirewall_payloads_logger
251
- )
252
- expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
253
- :post_process
254
- )
255
- expect(appfirewall_payloads_logger).to receive(:info).with({
256
- "event_type" => "as",
257
- "dp" => "xss",
258
- "param" => "password",
259
- "remote_addr" => "remote_address",
260
- "m" => "get",
261
- "pattern" => "pattern",
262
- "meta" => {"l" => "query"},
263
- "rid" => "route_id"
264
- }.to_json)
265
-
266
- policy.log(
267
- "xss",
268
- @meta,
269
- TCellAgent::Utils::Params::GET_PARAM,
270
- "password",
271
- "alert()",
272
- {"l" => "query"},
273
- "pattern"
274
- )
275
- end
276
- end
277
-
278
- context "with a whitelist" do
279
- context "that does not specify locations for the param" do
280
- it "should not log" do
281
- policy = PayloadsPolicy.from_json({
282
- "payloads" => {
283
- "log_payloads" => true,
284
- "log_blacklist" => {
285
- "username" => ["*"]
286
- },
287
- "log_whitelist" => {
288
- "username" => ["*"]
289
- }
290
- }
291
- })
292
- configuration = double("configuration")
293
-
294
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
295
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
296
- true
297
- )
298
- expect(TCellAgent).to_not receive(:appfirewall_payloads_logger)
299
-
300
- policy.log(
301
- "xss",
302
- @meta,
303
- TCellAgent::Utils::Params::GET_PARAM,
304
- "password",
305
- "alert()",
306
- {"l" => "query"},
307
- "pattern"
308
- )
309
- end
310
- end
348
+ },
349
+ "uri_options" => {"collect_full_uri" => false}
350
+ })
351
+ configuration = double("configuration", "enabled" => true)
352
+ appfirewall_payloads_logger = double("appfirewall_payloads_logger")
311
353
 
312
- context "that specifies locations for the param" do
313
- context "param location does not match specified location" do
314
- it "should not log" do
315
- policy = PayloadsPolicy.from_json({
316
- "payloads" => {
317
- "log_payloads" => true,
318
- "log_blacklist" => {
319
- "username" => ["*"],
320
- },
321
- "log_whitelist" => {
322
- "password" => ["cookie"]
323
- }
324
- }
325
- })
326
- configuration = double("configuration")
327
-
328
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
329
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
330
- true
331
- )
332
- expect(TCellAgent).to_not receive(:appfirewall_payloads_logger)
333
-
334
- policy.log(
335
- "xss",
336
- @meta,
337
- TCellAgent::Utils::Params::GET_PARAM,
338
- "password",
339
- "alert()",
340
- {"l" => "query"},
341
- "pattern"
342
- )
343
- end
344
- end
354
+ expect(TCellAgent).to receive(:configuration).and_return(configuration).exactly(3).times
355
+ expect(configuration).to receive(:appfirewall_payloads_logger).and_return(
356
+ appfirewall_payloads_logger
357
+ ).exactly(2).times
358
+ expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
359
+ :post_process
360
+ )
361
+ expect(appfirewall_payloads_logger).to receive(:info).with({
362
+ "event_type" => "as",
363
+ "dp" => "xss",
364
+ "param" => "password",
365
+ "remote_addr" => "remote_address",
366
+ "m" => "get",
367
+ "pattern" => "pattern",
368
+ "meta" => {"l" => "query"},
369
+ "rid" => "route_id"
370
+ }.to_json)
345
371
 
346
- context "param location matches the specified location" do
347
- it "should log the value" do
348
- policy = PayloadsPolicy.from_json({
349
- "payloads" => {
350
- "log_payloads" => true,
351
- "log_blacklist" => {
352
- "username" => ["*"],
353
- },
354
- "log_whitelist" => {
355
- "PASSWORD" => ["form"]
356
- }
357
- }
358
- })
359
- configuration = double("configuration")
360
- appfirewall_payloads_logger = double("appfirewall_payloads_logger")
361
-
362
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
363
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
364
- true
365
- )
366
- expect(TCellAgent).to receive(:appfirewall_payloads_logger).and_return(
367
- appfirewall_payloads_logger
368
- )
369
- expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
370
- :post_process
371
- )
372
- expect(appfirewall_payloads_logger).to receive(:info).with({
373
- "event_type" => "as",
374
- "dp" => "xss",
375
- "param" => "password",
376
- "remote_addr" => "remote_address",
377
- "m" => "get",
378
- "pattern" => "pattern",
379
- "meta" => {"l" => "query"},
380
- "rid" => "route_id"
381
- }.to_json)
382
-
383
- policy.log(
384
- "xss",
385
- @meta,
386
- TCellAgent::Utils::Params::GET_PARAM,
387
- "password",
388
- "alert()",
389
- {"l" => "query"},
390
- "pattern"
391
- )
392
- end
393
- end
394
- end
372
+ policy.log(
373
+ "xss",
374
+ @meta,
375
+ TCellAgent::Utils::Params::GET_PARAM,
376
+ "password",
377
+ "alert()",
378
+ {"l" => "query"},
379
+ "pattern"
380
+ )
395
381
  end
396
382
  end
397
383
 
398
- context "that specifies locations for the param" do
399
- context "param location does not match specified location" do
400
- it "should log the value" do
401
- policy = PayloadsPolicy.from_json({
402
- "payloads" => {
403
- "log_payloads" => true,
404
- "log_blacklist" => {
405
- "password" => ["cookie"],
406
- }
407
- }
408
- })
409
- configuration = double("configuration")
410
- appfirewall_payloads_logger = double("appfirewall_payloads_logger")
411
-
412
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
413
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
414
- true
415
- )
416
- expect(TCellAgent).to receive(:appfirewall_payloads_logger).and_return(
417
- appfirewall_payloads_logger
418
- )
419
- expect_any_instance_of(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(
420
- :post_process
421
- )
422
- expect(appfirewall_payloads_logger).to receive(:info).with({
423
- "event_type" => "as",
424
- "dp" => "xss",
425
- "param" => "password",
426
- "remote_addr" => "remote_address",
427
- "m" => "get",
428
- "pattern" => "pattern",
429
- "meta" => {"l" => "query"},
430
- "rid" => "route_id"
431
- }.to_json)
432
-
433
- policy.log(
434
- "xss",
435
- @meta,
436
- TCellAgent::Utils::Params::GET_PARAM,
437
- "password",
438
- "alert()",
439
- {"l" => "query"},
440
- "pattern"
441
- )
442
- end
443
- end
444
-
445
- context "param location matches the specified location" do
446
- it "should not log" do
447
- policy = PayloadsPolicy.from_json({
448
- "payloads" => {
449
- "log_payloads" => true,
450
- "log_blacklist" => {
451
- "password" => ["form"],
452
- }
384
+ context "param location matches the specified location" do
385
+ it "should not log" do
386
+ policy = PayloadsPolicy.from_json({
387
+ "payloads" => {
388
+ "log_payloads" => true,
389
+ "log_blacklist" => {
390
+ "password" => ["form"],
453
391
  }
454
- })
455
- configuration = double("configuration")
392
+ }
393
+ })
456
394
 
457
- expect(TCellAgent).to receive(:configuration).and_return(configuration)
458
- expect(configuration).to receive(:allow_unencrypted_appfirewall_payloads_logging).and_return(
459
- true
460
- )
461
- expect(TCellAgent).to_not receive(:appfirewall_payloads_logger)
395
+ expect(TCellAgent).to_not receive(:configuration)
462
396
 
463
- policy.log(
464
- "xss",
465
- @meta,
466
- TCellAgent::Utils::Params::GET_PARAM,
467
- "password",
468
- "alert()",
469
- {"l" => "query"},
470
- "pattern"
471
- )
472
- end
397
+ policy.log(
398
+ "xss",
399
+ @meta,
400
+ TCellAgent::Utils::Params::GET_PARAM,
401
+ "password",
402
+ "alert()",
403
+ {"l" => "query"},
404
+ "pattern"
405
+ )
473
406
  end
474
407
  end
475
408
  end