tcell_agent 0.2.29 → 0.4.0

data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb

@@ -54,94 +54,145 @@ module TCellAgent
             let(:request2) { Rack::MockRequest.new( withTCellMiddleware( app2 )) }
             let(:agent) { ::TCellAgent::Agent.new }
             context "XSS" do
-              before(:each) do
-                TCellAgent.thread_agent.processPolicyJson({"appsensor"=>{
-                  "policy_id"=>"153ed270",
-                  "data"=>{
-                    "options"=>{
-                      "xss"=>true,
-                      "sqli"=>true,
-                      "cmdi"=>true,
+              context "with allow_payloads = false" do
+                before(:each) do
+                  old_uap = TCellAgent.configuration.allow_payloads
+                  TCellAgent.configuration.allow_payloads = false
+                  TCellAgent.thread_agent.processPolicyJson({"appsensor"=>{
+                    "policy_id" => "153ed270",
+                    "version" => 2,
+                    "data" => {
+                      "options" => {
+                        "payloads" => {
+                          "send_payloads" => true,
+                          "log_payloads" => false
+                        }
+                      },
+                      "sensors" => {
+                        "xss" => {
+                          "patterns" => ["1", "2", "8"]
+                        }
+                      }
                     }
-                  }
-                }}, cache=false) 
-                TCellAgent.empty_event_queue
-              end
-              it "alerts on get xss payload" do
-                response = request.get("/foo?xyz=%3CSCRIPT%3Ealert(1)%3C%2Fscript%3E", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
-                expected_as = {
-                  "event_type"=>"as",
-                  "dp"=>"xss",
-                  "param"=>"xyz",
-                  "remote_addr"=>"1.3.3.4",
-                  "m"=>"GET",
-                  "pattern"=>"1",
-                  "uri"=>"http://example.org/foo?xyz=",
-                  "meta"=>{"l" => "query"}}
-                expect(TCellAgent.event_queue).to include(expected_as)
-              end
-              it "alerts on post xss payload" do
-                response = request.post("/foo", :input => "x=<SCRIPT>alert(1)</SCRIPT>", 'REMOTE_ADDR' => '1.2.3.4,3.4.5.6')
-                expected_as = {
-                  "event_type"=>"as",
-                  "dp"=>"xss",
-                  "param"=>"x",
-                  "remote_addr"=>"1.2.3.4",
-                  "m"=>"POST",
-                  "pattern"=>"1",
-                  "uri"=>"http://example.org/foo",
-                  "meta"=>{"l" => "body"}}
-                expect(TCellAgent.event_queue).to include(expected_as)
-              end #/it
-              it "alerts on get xss payload with route_id" do
-                response = request2.get("/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
-                expected_as = {
-                  "event_type"=>"as",
-                  "dp"=>"xss",
-                  "param"=>"xyz",
-                  "rid"=>"myrouteid",
-                  "m"=>"GET",
-                  "pattern"=>"1",
-                  "uri"=>"http://example.org/foo?xyz=",
-                  "meta"=>{"l" => "query"}}
-                expect(TCellAgent.event_queue).to include(expected_as)
+                  }}, cache=false)
+                  TCellAgent.empty_event_queue
+                  TCellAgent.configuration.allow_payloads = old_uap
+                end
+                it "alerts on get xss payload" do
+                  response = request.get("/foo?xyz=%3CSCRIPT%3Ealert(1)%3C%2Fscript%3E", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
+                  expected_as = {
+                    "event_type"=>"as",
+                    "dp"=>"xss",
+                    "param"=>"xyz",
+                    "remote_addr"=>"1.3.3.4",
+                    "m"=>"GET",
+                    "pattern"=>"1",
+                    "uri"=>"http://example.org/foo?xyz=",
+                    "meta"=>{"l" => "query"}}
+                  expect(TCellAgent.event_queue).to include(expected_as)
+                end
+
+                it "alerts on post xss payload" do
+                  response = request.post("/foo", :input => "x=<SCRIPT>alert(1)</SCRIPT>", 'REMOTE_ADDR' => '1.2.3.4,3.4.5.6')
+                  expected_as = {
+                    "event_type"=>"as",
+                    "dp"=>"xss",
+                    "param"=>"x",
+                    "remote_addr"=>"1.2.3.4",
+                    "m"=>"POST",
+                    "pattern"=>"1",
+                    "uri"=>"http://example.org/foo",
+                    "meta"=>{"l" => "body"}}
+                  expect(TCellAgent.event_queue).to include(expected_as)
+                end #/it
+
+                it "alerts on get xss payload with route_id" do
+                  response = request2.get("/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
+                  expected_as = {
+                    "event_type"=>"as",
+                    "dp"=>"xss",
+                    "param"=>"xyz",
+                    "rid"=>"myrouteid",
+                    "m"=>"GET",
+                    "pattern"=>"1",
+                    "uri"=>"http://example.org/foo?xyz=",
+                    "meta"=>{"l" => "query"}}
+                  expect(TCellAgent.event_queue).to include(expected_as)
+                end
               end
-              it "checks that payload is sent in xss with route_id" do
-                old_uap = TCellAgent.configuration.allow_unencrypted_appfirewall_payloads
-                TCellAgent.configuration.allow_unencrypted_appfirewall_payloads = true
-                response = request2.get("/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
-                expected_as = {
-                  "event_type"=>"as",
-                  "dp"=>"xss",
-                  "param"=>"xyz",
-                  "rid"=>"myrouteid",
-                  "m"=>"GET",
-                  "pattern"=>"1",
-                  "uri"=>"http://example.org/foo?xyz=",
-                  "payload"=>"<script>alert(1)</script>",
-                  "meta"=>{"l" => "query"}}
-                TCellAgent.configuration.allow_unencrypted_appfirewall_payloads= old_uap
-                expect(TCellAgent.event_queue).to include(expected_as)
+
+              context "with allow_payloads = true" do
+                before(:each) do
+                  old_uap = TCellAgent.configuration.allow_payloads
+                  TCellAgent.configuration.allow_payloads = true
+                  TCellAgent.thread_agent.processPolicyJson({"appsensor"=>{
+                    "policy_id" => "153ed270",
+                    "version" => 2,
+                    "data" => {
+                      "options" => {
+                        "payloads" => {
+                          "send_payloads" => true,
+                          "log_payloads" => false
+                        }
+                      },
+                      "sensors" => {
+                        "xss" => {
+                          "patterns" => ["1", "2", "8"]
+                        }
+                      }
+                    }
+                  }}, cache=false)
+                  TCellAgent.empty_event_queue
+                  TCellAgent.configuration.allow_payloads = old_uap
+                end
+
+                it "checks that payload is sent in xss with route_id" do
+                  response = request2.get("/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
+                  expected_as = {
+                    "event_type"=>"as",
+                    "dp"=>"xss",
+                    "param"=>"xyz",
+                    "rid"=>"myrouteid",
+                    "m"=>"GET",
+                    "pattern"=>"1",
+                    "uri"=>"http://example.org/foo?xyz=",
+                    "payload"=>"<script>alert(1)</script>",
+                    "meta"=>{"l" => "query"}}
+
+                  expect(TCellAgent.event_queue).to include(expected_as)
+                end
               end
 
-            end #/conext
+            end
+
             context "SQL Injection" do
               before(:each) do
                 TCellAgent.thread_agent.processPolicyJson({"appsensor"=>{
                   "policy_id"=>"153ed270",
+                  "version" => 2,
                   "data"=>{
-                    "options"=>{
-                      "xss"=>true,
-                      "sqli"=>true,
-                      "cmdi"=>true,
+                    "sensors" => {
+                      "xss" => {
+                        "patterns" => ["1"]
+                      },
+                      "sqli" => {
+                        "patterns" => ["1"]
+                      },
+                      "cmdi" => {
+                        "patterns" => ["1"]
+                      }
                     }
                   }
                 }}, cache=false) 
                 TCellAgent.empty_event_queue
               end
+
               it "alerts on get sqli payload" do
+                old_uap = TCellAgent.configuration.allow_payloads
+                TCellAgent.configuration.allow_payloads = false
                 # ' OR '3'='3
                 response = request.get("/foo?xyz=abds&def=%27%20OR%20%273%27%3D%273", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
+                TCellAgent.configuration.allow_payloads = old_uap
                 expected_as = {
                   "event_type"=>"as",
                   "dp"=>"sqli",
@@ -153,22 +204,29 @@ module TCellAgent
                   "meta"=>{"l" => "query"}}
                 expect(TCellAgent.event_queue).to include(expected_as)
               end
-            end #/conext
+            end
+
             context "File Path Traversal" do
-              before(:each) do
+              it "alerts on most obvious payload" do
                 TCellAgent.thread_agent.processPolicyJson({"appsensor"=>{
                   "policy_id"=>"153ed270",
+                  "version" => 2,
                   "data"=>{
-                    "options"=>{
-                      "xss"=>true,
-                      "fpt"=>true,
-                      "cmdi"=>true,
+                    "options" => {
+                      "payloads" => {
+                        "send_payloads" => false,
+                        "log_payloads" => false
+                      }
+                    },
+                    "sensors" => {
+                      "fpt" => {
+                        "patterns" => ["1", "2", "3"]
+                      }
                     }
                   }
                 }}, cache=false) 
                 TCellAgent.empty_event_queue
-              end
-              it "alerts on most obvious payload" do
+
                 response = request.get("/foo?xyz=/ETC/PASSWD", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
                 expected_as = {
                   "event_type"=>"as",
@@ -181,9 +239,27 @@ module TCellAgent
                   "meta"=>{"l" => "query"}}
                 expect(TCellAgent.event_queue).to include(expected_as)
               end
+
               it "checks that payload is sent" do
-                old_uap = TCellAgent.configuration.allow_unencrypted_appfirewall_payloads
-                TCellAgent.configuration.allow_unencrypted_appfirewall_payloads = true
+                TCellAgent.thread_agent.processPolicyJson({"appsensor"=>{
+                  "policy_id"=>"153ed270",
+                  "version" => 2,
+                  "data"=>{
+                    "options" => {
+                      "payloads" => {
+                        "send_payloads" => true,
+                        "log_payloads" => false
+                      }
+                    },
+                    "sensors" => {
+                      "fpt" => {
+                        "patterns" => ["1", "2", "3"]
+                      }
+                    }
+                  }
+                }}, cache=false) 
+                TCellAgent.empty_event_queue
+
                 response = request.get("/foo?xyz=/etc/passwd", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
                 expected_as = {
                   "event_type"=>"as",
@@ -195,12 +271,12 @@ module TCellAgent
                   "uri"=>"http://example.org/foo?xyz=",
                   "payload"=>"/etc/passwd",
                   "meta"=>{"l" => "query"}}
-                TCellAgent.configuration.allow_unencrypted_appfirewall_payloads = old_uap
                 expect(TCellAgent.event_queue).to include(expected_as)
               end
-            end #/conext
-          end #/context
-        end #/describe
+            end
+          end
+
+        end
 
 
       end

data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb

@@ -7,89 +7,57 @@ module TCellAgent
       describe TCellBodyProxy do
 
         context "#close" do
-          context "missing appsensor policy" do
-            context "zero content length" do
-              it "should not call appsensor policy" do
-                tcell_body_proxy = TCellBodyProxy.new(
-                  Rack::BodyProxy.new(["body"]) { },
-                  true,
-                  nil, nil, nil, nil)
-
-                tcell_body_proxy.content_length = 0
-
-                expect(TCellAgent::Instrumentation).to receive(:safe_block).with(
-                  "Handling Response Size Length"
-                ).and_call_original
-
-                tcell_body_proxy.close
-              end
-            end
-
-            context "non zerno content length" do
-              it "should not call appsensor policy" do
-                tcell_body_proxy = TCellBodyProxy.new(
-                  Rack::BodyProxy.new(["body"]) { },
-                  true,
-                  nil, nil, nil, nil)
-
-                tcell_body_proxy.content_length = 512
-
-                expect(TCellAgent::Instrumentation).to receive(:safe_block).with(
-                  "Handling Response Size Length"
-                ).and_call_original
-
-                tcell_body_proxy.close
-              end
-            end
+          before(:each) do
+            @appsensor_meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new(
+              "get",
+              "remote_address",
+              "route_id",
+              "session_id",
+              "user_id",
+              "transaction_id")
           end
 
-          context "with appsensor policy" do
-            context "zero content length" do
-              it "should not call appsensor policy" do
-                appsensor_policy = double("appsensor_policy")
-                appsensor_meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
-
-                tcell_body_proxy = TCellBodyProxy.new(
-                  Rack::BodyProxy.new(["body"]) { },
-                  true,
-                  nil, nil, nil, nil)
-                tcell_body_proxy.appsensor_policy = appsensor_policy
-                tcell_body_proxy.appsensor_meta = appsensor_meta
+          context "zero content length" do
+            it "appsensor_meta event should be enqueued for processing" do
+              tcell_body_proxy = TCellBodyProxy.new(
+                Rack::BodyProxy.new(["body"]) { },
+                true,
+                nil, nil, nil, nil)
+              tcell_body_proxy.appsensor_meta = @appsensor_meta
 
-                tcell_body_proxy.content_length = 0
+              tcell_body_proxy.content_length = 0
 
-                expect(TCellAgent::Instrumentation).to receive(:safe_block).with(
-                  "Handling Response Size Length"
-                ).and_call_original
-                expect(appsensor_policy).to_not receive(:check_response_size)
+              expect(TCellAgent::Instrumentation).to receive(:safe_block).with(
+                "Running AppSensor deferred due to streaming"
+              ).and_call_original
+              expect(TCellAgent).to receive(:send_event).with(
+                @appsensor_meta
+              )
 
-                tcell_body_proxy.close
-              end
+              tcell_body_proxy.close
             end
+          end
 
-            context "non zerno content length" do
-              it "should not call appsensor policy" do
-                appsensor_policy = double("appsensor_policy")
-                appsensor_meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
-
-                tcell_body_proxy = TCellBodyProxy.new(
-                  Rack::BodyProxy.new(["body"]) { },
-                  true,
-                  nil, nil, nil, nil)
-                tcell_body_proxy.appsensor_policy = appsensor_policy
-                tcell_body_proxy.appsensor_meta = appsensor_meta
+          context "non zero content length" do
+            it "appsensor_meta event should be enqueued for processing" do
+              tcell_body_proxy = TCellBodyProxy.new(
+                Rack::BodyProxy.new(["body"]) { },
+                true,
+                nil, nil, nil, nil)
+              tcell_body_proxy.appsensor_meta = @appsensor_meta
 
-                tcell_body_proxy.content_length = 512
+              tcell_body_proxy.content_length = 512
 
-                expect(TCellAgent::Instrumentation).to receive(:safe_block).with(
-                  "Handling Response Size Length"
-                ).and_call_original
-                expect(appsensor_policy).to receive(:check_response_size).with(appsensor_meta)
+              expect(TCellAgent::Instrumentation).to receive(:safe_block).with(
+                "Running AppSensor deferred due to streaming"
+              ).and_call_original
+              expect(TCellAgent).to receive(:send_event).with(
+                @appsensor_meta
+              )
 
-                tcell_body_proxy.close
+              tcell_body_proxy.close
 
-                expect(appsensor_meta.response_content_bytes_len).to eq(512)
-              end
+              expect(@appsensor_meta.response_content_bytes_len).to eq(512)
             end
           end
         end