tcell_agent 0.2.29 → 0.4.0

data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb

@@ -4,219 +4,169 @@ module TCellAgent
   module AppSensor
 
     describe InjectionsReporter do
-
-      describe "#check" do
-        before(:each) do
-          @payloads_policy = double("payloads_policy")
-          @injections_matcher = double("injections_matcher")
-          @injections_reporter = InjectionsReporter.new(@injections_matcher, @payloads_policy, false)
-
-          @appsensor_meta = TCellAgent::SensorEvents::AppSensorMetaEvent.new
-          @appsensor_meta.remote_address = "remote_address"
-          @appsensor_meta.method = "get"
-          @appsensor_meta.location = "location"
-          @appsensor_meta.route_id = "route_id"
-          @appsensor_meta.session_id = "session_id"
-          @appsensor_meta.user_id = "user_id"
-          @appsensor_meta.transaction_id = "transaction_id"
-        end
-
-        context "no matches" do
-          it "should not send any events" do
-            expect(@injections_matcher).to receive(:each_injection)
-            expect(@payloads_policy).to_not receive(:apply)
+      describe ".report_and_log" do
+        context "with nil events" do
+          it "should do nothing" do
             expect(TCellAgent).to_not receive(:send_event)
+            expect(TCellAgent).to_not receive(:logger)
 
-            @injections_reporter.check(@appsensor_meta)
+            InjectionsReporter.report_and_log(nil)
           end
         end
 
-        context "with one GET injection match" do
-          it "should send the appropriate event" do
-            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
-              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
-                InjectionsReporter::GET_PARAM,
-                "xss",
-                {
-                  "param" => "dirty",
-                  "value" => "<script>",
-                  "pattern" => "pattern_id"
-                }
-              )
-
-              block.call(injection_attempt)
-            end
-            expect(@payloads_policy).to receive(:apply).with(
-              "xss", {}, InjectionsReporter::GET_PARAM, "dirty", "<script>", {"l"=>"query"}, "pattern_id"
-            )
-            expect(TCellAgent).to receive(:send_event).with(
-              {
-                "event_type"=>"as",
-                "dp"=>"xss",
-                "param"=>"dirty",
-                "remote_addr"=>"remote_address",
-                "m"=>"get",
-                "pattern"=>"pattern_id",
-                "meta"=>{"l"=>"query"},
-                "rid"=>"route_id"
-              }
-            )
-
-            @injections_reporter.check(@appsensor_meta)
+        context "with empty events" do
+          it "should do nothing" do
+            expect(TCellAgent).to_not receive(:send_event)
+            expect(TCellAgent).to_not receive(:logger)
+
+            InjectionsReporter.report_and_log([])
           end
         end
 
-        context "with one POST injection match" do
-          it "should send the appropriate event" do
-            @appsensor_meta.method = "post"
-
-            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
-              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
-                InjectionsReporter::POST_PARAM,
-                "xss",
-                {
-                  "param" => "dirty",
-                  "value" => "<script>",
-                  "pattern" => "pattern_id"
-                }
-              )
-
-              block.call(injection_attempt)
-            end
-            expect(@payloads_policy).to receive(:apply).with(
-              "xss", {}, InjectionsReporter::POST_PARAM, "dirty", "<script>", {"l"=>"body"}, "pattern_id"
-            )
-            expect(TCellAgent).to receive(:send_event).with(
-              {
-                "event_type"=>"as",
-                "dp"=>"xss",
-                "param"=>"dirty",
-                "remote_addr"=>"remote_address",
-                "m"=>"post",
-                "pattern"=>"pattern_id",
-                "meta"=>{"l"=>"body"},
-                "rid"=>"route_id"
-              }
-            )
-
-            @injections_reporter.check(@appsensor_meta)
+        context "with one event" do
+          it "should send the event" do
+            events = [{
+                "pattern" => "1",
+                "method" => "request_method",
+                "uri" => "abosolute_uri",
+                "parameter" => "avatar",
+                "meta" => {"l" => "body"},
+                "session_id" => "session_id",
+                "route_id" => "route_id",
+                "detection_point" => "xss",
+                "user_id" => "user_id"
+            }]
+
+            expect(TCellAgent).to_not receive(:logger)
+
+            expect(TCellAgent).to receive(:send_event).with({
+              "event_type" => "as",
+              "dp" => "xss",
+              "param" => "avatar",
+              "m" => "request_method",
+              "pattern" => "1",
+              "meta" => {"l" => "body"},
+              "rid" => "route_id",
+              "uri" => "abosolute_uri",
+              "uid" => "user_id",
+              "sid" => "session_id"
+            })
+
+            InjectionsReporter.report_and_log(events)
           end
         end
 
-        context "with one JSON injection match" do
-          it "should send the appropriate event" do
-            @appsensor_meta.method = "post"
-
-            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
-              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
-                InjectionsReporter::JSON_PARAM,
-                "xss",
-                {
-                  "param" => "dirty",
-                  "value" => "<script>",
-                  "pattern" => "pattern_id"
-                }
-              )
-
-              block.call(injection_attempt)
-            end
-            expect(@payloads_policy).to receive(:apply).with(
-              "xss", {}, InjectionsReporter::JSON_PARAM, "dirty", "<script>", {"l"=>"body"}, "pattern_id"
-            )
-            expect(TCellAgent).to receive(:send_event).with(
-              {
-                "event_type"=>"as",
-                "dp"=>"xss",
-                "param"=>"dirty",
-                "remote_addr"=>"remote_address",
-                "m"=>"post",
-                "pattern"=>"pattern_id",
-                "meta"=>{"l"=>"body"},
-                "rid"=>"route_id"
-              }
-            )
-
-            @injections_reporter.check(@appsensor_meta)
+        context "with one event with full payload" do
+          it "should send and log the event" do
+            events = [{
+                "pattern" => "1",
+                "method" => "request_method",
+                "uri" => "abosolute_uri",
+                "parameter" => "avatar",
+                "meta" => {"l" => "body"},
+                "session_id" => "session_id",
+                "route_id" => "route_id",
+                "detection_point" => "xss",
+                "user_id" => "user_id",
+                "full_payload" => "full_payload"
+            }]
+
+            logger = double("logger")
+
+            expect(TCellAgent).to receive(:logger).and_return(logger)
+            expect(logger).to receive(:info).with(/"payload":"full_payload"/)
+
+            expect(TCellAgent).to receive(:send_event).with({
+              "event_type" => "as",
+              "dp" => "xss",
+              "param" => "avatar",
+              "m" => "request_method",
+              "pattern" => "1",
+              "meta" => {"l" => "body"},
+              "rid" => "route_id",
+              "uri" => "abosolute_uri",
+              "uid" => "user_id",
+              "sid" => "session_id"
+            })
+
+            InjectionsReporter.report_and_log(events)
           end
         end
 
-        context "with one URI injection match" do
-          it "should send the appropriate event" do
-            @appsensor_meta.method = "get"
-
-            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
-              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
-                InjectionsReporter::URI_PARAM,
-                "xss",
-                {
-                  "param" => "dirty",
-                  "value" => "<script>",
-                  "pattern" => "pattern_id"
-                }
-              )
-
-              block.call(injection_attempt)
-            end
-            expect(@payloads_policy).to receive(:apply).with(
-              "xss", {}, InjectionsReporter::URI_PARAM, "dirty", "<script>", {"l"=>"uri"}, "pattern_id"
-            )
-            expect(TCellAgent).to receive(:send_event).with(
-              {
-                "event_type"=>"as",
-                "dp"=>"xss",
-                "param"=>"dirty",
-                "remote_addr"=>"remote_address",
-                "m"=>"get",
-                "pattern"=>"pattern_id",
-                "meta"=>{"l"=>"uri"},
-                "rid"=>"route_id"
-              }
-            )
-
-            @injections_reporter.check(@appsensor_meta)
+        context "with one event with payload" do
+          it "should send the event" do
+            events = [{
+                "pattern" => "1",
+                "method" => "request_method",
+                "uri" => "abosolute_uri",
+                "parameter" => "avatar",
+                "meta" => {"l" => "body"},
+                "session_id" => "session_id",
+                "route_id" => "route_id",
+                "detection_point" => "xss",
+                "user_id" => "user_id",
+                "payload" => "payload"
+            }]
+
+            expect(TCellAgent).to_not receive(:logger)
+
+            expect(TCellAgent).to receive(:send_event).with({
+              "event_type" => "as",
+              "dp" => "xss",
+              "param" => "avatar",
+              "m" => "request_method",
+              "pattern" => "1",
+              "meta" => {"l" => "body"},
+              "rid" => "route_id",
+              "uri" => "abosolute_uri",
+              "uid" => "user_id",
+              "sid" => "session_id",
+              "payload" => "payload"
+            })
+
+            InjectionsReporter.report_and_log(events)
           end
         end
 
-        context "with one COOKIE injection match" do
-          it "should send the appropriate event" do
-            @appsensor_meta.method = "get"
-
-            expect(@injections_matcher).to receive(:each_injection) do |md, &block|
-              injection_attempt = TCellAgent::Policies::InjectionAttempt.new(
-                InjectionsReporter::COOKIE_PARAM,
-                "xss",
-                {
-                  "param" => "dirty",
-                  "value" => "<script>",
-                  "pattern" => "pattern_id"
-                }
-              )
-
-              block.call(injection_attempt)
-            end
-            expect(@payloads_policy).to receive(:apply).with(
-              "xss", {}, InjectionsReporter::COOKIE_PARAM, "dirty", "<script>", {"l"=>"cookie"}, "pattern_id"
-            )
-            expect(TCellAgent).to receive(:send_event).with(
-              {
-                "event_type"=>"as",
-                "dp"=>"xss",
-                "param"=>"dirty",
-                "remote_addr"=>"remote_address",
-                "m"=>"get",
-                "pattern"=>"pattern_id",
-                "meta"=>{"l"=>"cookie"},
-                "rid"=>"route_id"
-              }
-            )
-
-            @injections_reporter.check(@appsensor_meta)
+        context "with one event with payload and full payload" do
+          it "should send and log the event" do
+            events = [{
+                "pattern" => "1",
+                "method" => "request_method",
+                "uri" => "abosolute_uri",
+                "parameter" => "avatar",
+                "meta" => {"l" => "body"},
+                "session_id" => "session_id",
+                "route_id" => "route_id",
+                "detection_point" => "xss",
+                "user_id" => "user_id",
+                "payload" => "payload",
+                "full_payload" => "full_payload"
+            }]
+
+            logger = double("logger")
+
+            expect(TCellAgent).to receive(:logger).and_return(logger)
+            expect(logger).to receive(:info).with(/"payload":"full_payload"/)
+
+            expect(TCellAgent).to receive(:send_event).with({
+              "event_type" => "as",
+              "dp" => "xss",
+              "param" => "avatar",
+              "m" => "request_method",
+              "pattern" => "1",
+              "meta" => {"l" => "body"},
+              "rid" => "route_id",
+              "uri" => "abosolute_uri",
+              "uid" => "user_id",
+              "sid" => "session_id",
+              "payload" => "payload"
+            })
+
+            InjectionsReporter.report_and_log(events)
           end
         end
-
       end
-
     end
-
   end
 end

data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+module TCellAgent
+  module AppSensor
+
+    describe MetaData do
+      describe "#set_headers_dict" do
+        it "should set all headers that start with http and skip cookies" do
+          method = remote_address = route_id = session_id = user_id = transaction_id = nil
+
+          meta = MetaData.new(method, remote_address, route_id, session_id, user_id, transaction_id)
+          meta.set_headers_dict({
+            "rack.version" => [1, 2],
+            "REQUEST_METHOD" => "POST",
+            "SERVER_NAME" => "www.example.com",
+            "HTTP_USER_AGENT" => "Mozilla",
+            "HTTP_MY_CUSTOM_HTTP_HEADER" => "my value"
+          })
+
+
+          expect(meta.headers_dict).to eq({
+            "user-agent" => "Mozilla",
+            "my-custom-http-header" => "my value"
+          })
+        end
+
+        it "should set all headers that start with http and include content_length and content_type" do
+          method = remote_address = route_id = session_id = user_id = transaction_id = nil
+
+          meta = MetaData.new(method, remote_address, route_id, session_id, user_id, transaction_id)
+          meta.set_headers_dict({
+            "REQUEST_METHOD" => "POST",
+            "HTTP_VERSION" => "HTTP/1.1",
+            "HTTP_CONNECTION" => "keep-alive",
+            "CONTENT_LENGTH" => "85",
+            "HTTP_CACHE_CONTROL" => "max-age=0",
+            "HTTP_ORIGIN" => "http://192.168.99.100:3000",
+            "HTTP_UPGRADE_INSECURE_REQUESTS" => "1",
+            "HTTP_USER_AGENT" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5)",
+            "CONTENT_TYPE" => "application/x-www-form-urlencoded",
+            "HTTP_ACCEPT" => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+            "HTTP_ACCEPT_ENCODING" => "gzip, deflate",
+            "HTTP_ACCEPT_LANGUAGE" => "en-US,en;q=0.8",
+            "HTTP_MY_CUSTOM_HTTP_HEADER" => "my value"
+          })
+
+
+          expect(meta.headers_dict).to eq({
+            "version" => "HTTP/1.1",
+            "connection" => "keep-alive",
+            "content-length" => "85",
+            "cache-control" => "max-age=0",
+            "origin" => "http://192.168.99.100:3000",
+            "upgrade-insecure-requests" => "1",
+            "user-agent" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5)",
+            "content-type" => "application/x-www-form-urlencoded",
+            "accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+            "accept-encoding" => "gzip, deflate",
+            "accept-language" => "en-US,en;q=0.8",
+            "my-custom-http-header" => "my value"
+          })
+        end
+      end
+    end
+
+  end
+end

data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb

@@ -7,16 +7,6 @@ module TCellAgent
       # since rule manager is a singleton, load default rules so rest of the specs work properly
       AppSensorRuleManager.instance.load_default_rules_file
     end
-    describe "#initialize" do
-      context "loading default baserules" do
-        it "should initialize all the sensors" do
-          rule_manager = AppSensorRuleManager.instance
-          rule_manager.load_rules_file(get_test_resource_path("baserules.json"))
-
-          expect(rule_manager.rule_info.empty?).to eq(false)
-        end
-      end
-    end
 
     describe "#load_rules_file" do
       context "with nonexistent file" do