RubyGems - tcell_agent - Versions diffs - 0.4.0 → 1.0.0 - Mend

tcell_agent 0.4.0 → 1.0.0

Files changed (199) hide show

checksums.yaml +4 -4
data/Rakefile +9 -22
data/bin/tcell_agent +127 -132
data/lib/tcell_agent/agent/event_processor.rb +23 -22
data/lib/tcell_agent/agent/fork_pipe_manager.rb +7 -7
data/lib/tcell_agent/agent/policy_manager.rb +20 -15
data/lib/tcell_agent/agent/policy_types.rb +5 -11
data/lib/tcell_agent/agent/static_agent.rb +5 -1
data/lib/tcell_agent/agent.rb +6 -4
data/lib/tcell_agent/api.rb +7 -9
data/lib/tcell_agent/appsensor/meta_data.rb +11 -4
data/lib/tcell_agent/authlogic.rb +3 -3
data/lib/tcell_agent/cmdi.rb +6 -4
data/lib/tcell_agent/config/unknown_options.rb +3 -1
data/lib/tcell_agent/configuration.rb +47 -49
data/lib/tcell_agent/devise.rb +2 -2
data/lib/tcell_agent/hooks/login_fraud.rb +58 -29
data/lib/tcell_agent/instrumentation.rb +11 -10
data/lib/tcell_agent/logger.rb +2 -2
data/lib/tcell_agent/patches/meta_data.rb +9 -13
data/lib/tcell_agent/patches.rb +7 -10
data/lib/tcell_agent/policies/clickjacking_policy.rb +4 -5
data/lib/tcell_agent/policies/content_security_policy.rb +6 -12
data/lib/tcell_agent/policies/dataloss_policy.rb +2 -2
data/lib/tcell_agent/policies/http_redirect_policy.rb +2 -2
data/lib/tcell_agent/policies/policy.rb +0 -2
data/lib/tcell_agent/policies/rust_policies.rb +90 -0
data/lib/tcell_agent/policies/secure_headers_policy.rb +2 -2
data/lib/tcell_agent/rails/auth/authlogic.rb +42 -24
data/lib/tcell_agent/rails/auth/devise.rb +44 -23
data/lib/tcell_agent/rails/auth/doorkeeper.rb +33 -15
data/lib/tcell_agent/rails/better_ip.rb +1 -1
data/lib/tcell_agent/rails/csrf_exception.rb +2 -2
data/lib/tcell_agent/rails/dlp/process_request.rb +1 -1
data/lib/tcell_agent/rails/dlp.rb +6 -6
data/lib/tcell_agent/rails/dlp_handler.rb +1 -1
data/lib/tcell_agent/rails/js_agent_insert.rb +1 -1
data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +1 -1
data/lib/tcell_agent/rails/middleware/context_middleware.rb +3 -2
data/lib/tcell_agent/rails/middleware/headers_middleware.rb +10 -9
data/lib/tcell_agent/rails/routes/grape.rb +6 -6
data/lib/tcell_agent/rails/routes.rb +8 -11
data/lib/tcell_agent/rust/libtcellagent-0.11.1.dylib +0 -0
data/lib/tcell_agent/rust/{libtcellagent-0.6.1.so → libtcellagent-0.11.1.so} +0 -0
data/lib/tcell_agent/rust/models.rb +16 -0
data/lib/tcell_agent/rust/tcellagent-0.11.1.dll +0 -0
data/lib/tcell_agent/rust/whisperer.rb +119 -48
data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +17 -20
data/lib/tcell_agent/sensor_events/command_injection.rb +50 -5
data/lib/tcell_agent/sensor_events/login_fraud.rb +34 -18
data/lib/tcell_agent/sensor_events/patches.rb +21 -0
data/lib/tcell_agent/sensor_events/server_agent.rb +3 -3
data/lib/tcell_agent/sensor_events/util/utils.rb +4 -3
data/lib/tcell_agent/servers/puma.rb +2 -2
data/lib/tcell_agent/servers/unicorn.rb +1 -1
data/lib/tcell_agent/utils/passwords.rb +28 -0
data/lib/tcell_agent/version.rb +1 -1
data/lib/tcell_agent.rb +1 -5
data/spec/apps/rails-3.2/config/tcell_agent.config +15 -0
data/spec/apps/rails-3.2/log/development.log +0 -0
data/spec/apps/rails-3.2/log/test.log +12 -0
data/spec/apps/rails-4.1/log/test.log +0 -0
data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +46 -45
data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +276 -164
data/spec/lib/tcell_agent/agent/static_agent_spec.rb +44 -47
data/spec/lib/tcell_agent/api/api_spec.rb +16 -16
data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +131 -116
data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb +55 -51
data/spec/lib/tcell_agent/cmdi_spec.rb +413 -436
data/spec/lib/tcell_agent/config/unknown_options_spec.rb +145 -128
data/spec/lib/tcell_agent/configuration_spec.rb +165 -169
data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +144 -153
data/spec/lib/tcell_agent/instrumentation_spec.rb +84 -85
data/spec/lib/tcell_agent/patches_spec.rb +70 -111
data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +313 -244
data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +28 -28
data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +643 -513
data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +55 -102
data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +111 -134
data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +141 -146
data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +8 -8
data/spec/lib/tcell_agent/policies/login_policy_spec.rb +15 -17
data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +231 -559
data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +27 -27
data/spec/lib/tcell_agent/rails/better_ip_spec.rb +30 -34
data/spec/lib/tcell_agent/rails/logger_spec.rb +50 -49
data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +182 -199
data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +110 -84
data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +107 -85
data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +68 -40
data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +81 -67
data/spec/lib/tcell_agent/rails/responses_spec.rb +33 -37
data/spec/lib/tcell_agent/rails/routes/grape_spec.rb +116 -121
data/spec/lib/tcell_agent/rails/routes/route_id_spec.rb +25 -28
data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +87 -85
data/spec/lib/tcell_agent/rails_spec.rb +1 -6
data/spec/lib/tcell_agent/rust/models_spec.rb +112 -0
data/spec/lib/tcell_agent/rust/whisperer_spec.rb +502 -179
data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +44 -33
data/spec/lib/tcell_agent/sensor_events/dlp_spec.rb +4 -4
data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +183 -169
data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +25 -25
data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +17 -20
data/spec/lib/tcell_agent/utils/params_spec.rb +28 -28
data/spec/lib/tcell_agent/utils/passwords_spec.rb +143 -0
data/spec/lib/tcell_agent/utils/strings_spec.rb +35 -35
data/spec/lib/tcell_agent_spec.rb +8 -8
data/spec/spec_helper.rb +4 -4
data/spec/support/middleware_helper.rb +10 -10
data/spec/support/static_agent_overrides.rb +16 -12
data/tcell_agent.gemspec +17 -33
metadata +43 -198
data/LICENSE_libinjection +0 -32
data/Readme.txt +0 -7
data/ext/libinjection/extconf.rb +0 -3
data/ext/libinjection/libinjection.h +0 -65
data/ext/libinjection/libinjection_html5.c +0 -847
data/ext/libinjection/libinjection_html5.h +0 -54
data/ext/libinjection/libinjection_sqli.c +0 -2317
data/ext/libinjection/libinjection_sqli.h +0 -295
data/ext/libinjection/libinjection_sqli_data.h +0 -9004
data/ext/libinjection/libinjection_wrap.c +0 -3525
data/ext/libinjection/libinjection_xss.c +0 -531
data/ext/libinjection/libinjection_xss.h +0 -21
data/lib/tcell_agent/appsensor/injections_matcher.rb +0 -155
data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb +0 -49
data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb +0 -67
data/lib/tcell_agent/appsensor/rules/baserules.json +0 -467
data/lib/tcell_agent/patches/block_rule.rb +0 -93
data/lib/tcell_agent/patches/sensors_matcher.rb +0 -31
data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb +0 -23
data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb +0 -23
data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +0 -117
data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb +0 -26
data/lib/tcell_agent/policies/appsensor/retr_sensor.rb +0 -22
data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb +0 -34
data/lib/tcell_agent/policies/appsensor/xss_sensor.rb +0 -34
data/lib/tcell_agent/policies/appsensor_policy.rb +0 -49
data/lib/tcell_agent/policies/command_injection_policy.rb +0 -196
data/lib/tcell_agent/policies/honeytokens_policy.rb +0 -69
data/lib/tcell_agent/policies/patches_policy.rb +0 -84
data/lib/tcell_agent/rust/libtcellagent-0.6.1.dylib +0 -0
data/lib/tcell_agent/rust/tcellagent-0.6.1.dll +0 -0
data/spec/apps/rails-3.2/Gemfile +0 -25
data/spec/apps/rails-3.2/Gemfile.lock +0 -126
data/spec/apps/rails-3.2/Rakefile +0 -7
data/spec/apps/rails-3.2/app/assets/images/rails.png +0 -0
data/spec/apps/rails-3.2/app/assets/javascripts/application.js +0 -15
data/spec/apps/rails-3.2/app/assets/stylesheets/application.css +0 -13
data/spec/apps/rails-3.2/app/controllers/application_controller.rb +0 -3
data/spec/apps/rails-3.2/app/controllers/t_cell_app_controller.rb +0 -5
data/spec/apps/rails-3.2/app/helpers/application_helper.rb +0 -2
data/spec/apps/rails-3.2/app/views/layouts/application.html.erb +0 -14
data/spec/apps/rails-3.2/app/views/t_cell_app/index.html.erb +0 -1
data/spec/apps/rails-3.2/config/application.rb +0 -63
data/spec/apps/rails-3.2/config/boot.rb +0 -6
data/spec/apps/rails-3.2/config/environment.rb +0 -5
data/spec/apps/rails-3.2/config/environments/test.rb +0 -37
data/spec/apps/rails-3.2/config/routes.rb +0 -11
data/spec/apps/rails-3.2/config.ru +0 -4
data/spec/apps/rails-4.1/Gemfile +0 -7
data/spec/apps/rails-4.1/Gemfile.lock +0 -114
data/spec/apps/rails-4.1/Rakefile +0 -6
data/spec/apps/rails-4.1/app/assets/javascripts/application.js +0 -16
data/spec/apps/rails-4.1/app/assets/stylesheets/application.css +0 -15
data/spec/apps/rails-4.1/app/controllers/application_controller.rb +0 -5
data/spec/apps/rails-4.1/app/controllers/t_cell_app_controller.rb +0 -5
data/spec/apps/rails-4.1/app/helpers/application_helper.rb +0 -2
data/spec/apps/rails-4.1/app/views/layouts/application.html.erb +0 -14
data/spec/apps/rails-4.1/app/views/t_cell_app/index.html.erb +0 -1
data/spec/apps/rails-4.1/config/application.rb +0 -24
data/spec/apps/rails-4.1/config/boot.rb +0 -4
data/spec/apps/rails-4.1/config/environment.rb +0 -5
data/spec/apps/rails-4.1/config/environments/test.rb +0 -41
data/spec/apps/rails-4.1/config/initializers/assets.rb +0 -8
data/spec/apps/rails-4.1/config/initializers/backtrace_silencers.rb +0 -7
data/spec/apps/rails-4.1/config/initializers/cookies_serializer.rb +0 -3
data/spec/apps/rails-4.1/config/initializers/filter_parameter_logging.rb +0 -4
data/spec/apps/rails-4.1/config/initializers/inflections.rb +0 -16
data/spec/apps/rails-4.1/config/initializers/mime_types.rb +0 -4
data/spec/apps/rails-4.1/config/initializers/session_store.rb +0 -3
data/spec/apps/rails-4.1/config/initializers/wrap_parameters.rb +0 -14
data/spec/apps/rails-4.1/config/locales/en.yml +0 -23
data/spec/apps/rails-4.1/config/routes.rb +0 -12
data/spec/apps/rails-4.1/config/secrets.yml +0 -22
data/spec/apps/rails-4.1/config.ru +0 -4
data/spec/controllers/application_controller.rb +0 -12
data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +0 -522
data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +0 -23
data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_set_spec.rb +0 -159
data/spec/lib/tcell_agent/patches/block_rule_spec.rb +0 -458
data/spec/lib/tcell_agent/patches/sensors_matcher_spec.rb +0 -35
data/spec/lib/tcell_agent/policies/appsensor/cmdi_sensor_spec.rb +0 -139
data/spec/lib/tcell_agent/policies/appsensor/fpt_sensor_spec.rb +0 -139
data/spec/lib/tcell_agent/policies/appsensor/nullbyte_sensor_spec.rb +0 -167
data/spec/lib/tcell_agent/policies/appsensor/retr_sensor_spec.rb +0 -139
data/spec/lib/tcell_agent/policies/appsensor/sqli_sensor_spec.rb +0 -246
data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +0 -882
data/spec/lib/tcell_agent/policies/honeytokens_policy_spec.rb +0 -22

data/ext/libinjection/libinjection_xss.c DELETED Viewed

@@ -1,531 +0,0 @@
-#include "libinjection.h"
-#include "libinjection_xss.h"
-#include "libinjection_html5.h"
-#include <assert.h>
-#include <stdio.h>
-typedef enum attribute {
-    TYPE_NONE
-    , TYPE_BLACK     /* ban always */
-    , TYPE_ATTR_URL   /* attribute value takes a URL-like object */
-    , TYPE_STYLE
-    , TYPE_ATTR_INDIRECT  /* attribute *name* is given in *value* */
-} attribute_t;
-static attribute_t is_black_attr(const char* s, size_t len);
-static int is_black_tag(const char* s, size_t len);
-static int is_black_url(const char* s, size_t len);
-static int cstrcasecmp_with_null(const char *a, const char *b, size_t n);
-static int html_decode_char_at(const char* src, size_t len, size_t* consumed);
-static int htmlencode_startswith(const char* prefix, const char *src, size_t n);
-typedef struct stringtype {
-    const char* name;
-    attribute_t atype;
-} stringtype_t;
-static const int gsHexDecodeMap[256] = {
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    0,   1,   2,   3,   4,   5,   6,   7,   8,   9, 256, 256,
-    256, 256, 256, 256, 256,  10,  11,  12,  13,  14,  15, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256,  10,  11,  12,  13,  14,  15, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-    256, 256, 256, 256
-};
-static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
-{
-    int val = 0;
-    size_t i;
-    int ch;
-    if (len == 0 || src == NULL) {
-        *consumed = 0;
-        return -1;
-    }
-    *consumed = 1;
-    if (*src != '&' || len < 2) {
-        return (unsigned char)(*src);
-    }
-    if (*(src+1) != '#') {
-        /* normally this would be for named entities
-         * but for this case we don't actually care
-         */
-        return '&';
-    }
-    if (*(src+2) == 'x' || *(src+2) == 'X') {
-        ch = (unsigned char) (*(src+3));
-        ch = gsHexDecodeMap[ch];
-        if (ch == 256) {
-            /* degenerate case  '&#[?]' */
-            return '&';
-        }
-        val = ch;
-        i = 4;
-        while (i < len) {
-            ch = (unsigned char) src[i];
-            if (ch == ';') {
-                *consumed = i + 1;
-                return val;
-            }
-            ch = gsHexDecodeMap[ch];
-            if (ch == 256) {
-                *consumed = i;
-                return val;
-            }
-            val = (val * 16) + ch;
-            if (val > 0x1000FF) {
-                return '&';
-            }
-            ++i;
-        }
-        *consumed = i;
-        return val;
-    } else {
-        i = 2;
-        ch = (unsigned char) src[i];
-        if (ch < '0' || ch > '9') {
-            return '&';
-        }
-        val = ch - '0';
-        i += 1;
-        while (i < len) {
-            ch = (unsigned char) src[i];
-            if (ch == ';') {
-                *consumed = i + 1;
-                return val;
-            }
-            if (ch < '0' || ch > '9') {
-                *consumed = i;
-                return val;
-            }
-            val = (val * 10) + (ch - '0');
-            if (val > 0x1000FF) {
-                return '&';
-            }
-            ++i;
-        }
-        *consumed = i;
-        return val;
-    }
-}
-/*
- * view-source:
- * data:
- * javascript:
- */
-static stringtype_t BLACKATTR[] = {
-    { "ACTION", TYPE_ATTR_URL }     /* form */
-    , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
-    , { "BY", TYPE_ATTR_URL }         /* SVG */
-    , { "BACKGROUND", TYPE_ATTR_URL } /* IE6, O11 */
-    , { "DATAFORMATAS", TYPE_BLACK }  /* IE */
-    , { "DATASRC", TYPE_BLACK }       /* IE */
-    , { "DYNSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
-    , { "FILTER", TYPE_STYLE }        /* Opera, SVG inline style */
-    , { "FORMACTION", TYPE_ATTR_URL } /* HTML 5 */
-    , { "FOLDER", TYPE_ATTR_URL }     /* Only on A tags, IE-only */
-    , { "FROM", TYPE_ATTR_URL }       /* SVG */
-    , { "HANDLER", TYPE_ATTR_URL }    /* SVG Tiny, Opera */
-    , { "HREF", TYPE_ATTR_URL }
-    , { "LOWSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
-    , { "POSTER", TYPE_ATTR_URL }     /* Opera 10,11 */
-    , { "SRC", TYPE_ATTR_URL }
-    , { "STYLE", TYPE_STYLE }
-    , { "TO", TYPE_ATTR_URL }         /* SVG */
-    , { "VALUES", TYPE_ATTR_URL }     /* SVG */
-    , { "XLINK:HREF", TYPE_ATTR_URL }
-    , { NULL, TYPE_NONE }
-};
-/* xmlns */
-/* `xml-stylesheet` > <eval>, <if expr=> */
-/*
-  static const char* BLACKATTR[] = {
-  "ATTRIBUTENAME",
-  "BACKGROUND",
-  "DATAFORMATAS",
-  "HREF",
-  "SCROLL",
-  "SRC",
-  "STYLE",
-  "SRCDOC",
-  NULL
-  };
-*/
-static const char* BLACKTAG[] = {
-    "APPLET"
-    /*    , "AUDIO" */
-    , "BASE"
-    , "COMMENT"  /* IE http://html5sec.org/#38 */
-    , "EMBED"
-    /*   ,  "FORM" */
-    , "FRAME"
-    , "FRAMESET"
-    , "HANDLER" /* Opera SVG, effectively a script tag */
-    , "IFRAME"
-    , "IMPORT"
-    , "ISINDEX"
-    , "LINK"
-    , "LISTENER"
-    /*    , "MARQUEE" */
-    , "META"
-    , "NOSCRIPT"
-    , "OBJECT"
-    , "SCRIPT"
-    , "STYLE"
-    /*    , "VIDEO" */
-    , "VMLFRAME"
-    , "XML"
-    , "XSS"
-    , NULL
-};
-static int cstrcasecmp_with_null(const char *a, const char *b, size_t n)
-{
-    char ca;
-    char cb;
-    /* printf("Comparing to %s %.*s\n", a, (int)n, b); */
-    while (n-- > 0) {
-        cb = *b++;
-        if (cb == '\0') continue;
-        ca = *a++;
-        if (cb >= 'a' && cb <= 'z') {
-            cb -= 0x20;
-        }
-        /* printf("Comparing %c vs %c with %d left\n", ca, cb, (int)n); */
-        if (ca != cb) {
-            return 1;
-        }
-    }
-    if (*a == 0) {
-        /* printf(" MATCH \n"); */
-        return 0;
-    } else {
-        return 1;
-    }
-}
-/*
- * Does an HTML encoded  binary string (const char*, length) start with
- * a all uppercase c-string (null terminated), case insensitive!
- *
- * also ignore any embedded nulls in the HTML string!
- *
- * return 1 if match / starts with
- * return 0 if not
- */
-static int htmlencode_startswith(const char *a, const char *b, size_t n)
-{
-    size_t consumed;
-    int cb;
-    int first = 1;
-    /* printf("Comparing %s with %.*s\n", a,(int)n,b); */
-    while (n > 0) {
-        if (*a == 0) {
-            /* printf("Match EOL!\n"); */
-            return 1;
-        }
-        cb = html_decode_char_at(b, n, &consumed);
-        b += consumed;
-        n -= consumed;
-        if (first && cb <= 32) {
-            /* ignore all leading whitespace and control characters */
-            continue;
-        }
-        first = 0;
-        if (cb == 0) {
-            /* always ignore null characters in user input */
-            continue;
-        }
-        if (cb == 10) {
-            /* always ignore vertical tab characters in user input */
-            /* who allows this?? */
-            continue;
-        }
-        if (cb >= 'a' && cb <= 'z') {
-            /* upcase */
-            cb -= 0x20;
-        }
-        if (*a != (char) cb) {
-            /* printf("    %c != %c\n", *a, cb); */
-            /* mismatch */
-            return 0;
-        }
-        a++;
-    }
-    return (*a == 0) ? 1 : 0;
-}
-static int is_black_tag(const char* s, size_t len)
-{
-    const char** black;
-    if (len < 3) {
-        return 0;
-    }
-    black = BLACKTAG;
-    while (*black != NULL) {
-        if (cstrcasecmp_with_null(*black, s, len) == 0) {
-            /* printf("Got black tag %s\n", *black); */
-            return 1;
-        }
-        black += 1;
-    }
-    /* anything SVG related */
-    if ((s[0] == 's' || s[0] == 'S') &&
-        (s[1] == 'v' || s[1] == 'V') &&
-        (s[2] == 'g' || s[2] == 'G')) {
-        /*        printf("Got SVG tag \n"); */
-        return 1;
-    }
-    /* Anything XSL(t) related */
-    if ((s[0] == 'x' || s[0] == 'X') &&
-        (s[1] == 's' || s[1] == 'S') &&
-        (s[2] == 'l' || s[2] == 'L')) {
-        /*      printf("Got XSL tag\n"); */
-        return 1;
-    }
-    return 0;
-}
-static attribute_t is_black_attr(const char* s, size_t len)
-{
-    stringtype_t* black;
-    if (len < 2) {
-        return TYPE_NONE;
-    }
-    /* JavaScript on.* */
-    if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
-        /* printf("Got JavaScript on- attribute name\n"); */
-        return TYPE_BLACK;
-    }
-    if (len >= 5) {
-        /* XMLNS can be used to create arbitrary tags */
-        if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
-            /*      printf("Got XMLNS and XLINK tags\n"); */
-            return TYPE_BLACK;
-        }
-    }
-    black = BLACKATTR;
-    while (black->name != NULL) {
-        if (cstrcasecmp_with_null(black->name, s, len) == 0) {
-            /*      printf("Got banned attribute name %s\n", black->name); */
-            return black->atype;
-        }
-        black += 1;
-    }
-    return TYPE_NONE;
-}
-static int is_black_url(const char* s, size_t len)
-{
-    static const char* data_url = "DATA";
-    static const char* viewsource_url = "VIEW-SOURCE";
-    /* obsolete but interesting signal */
-    static const char* vbscript_url = "VBSCRIPT";
-    /* covers JAVA, JAVASCRIPT, + colon */
-    static const char* javascript_url = "JAVA";
-    /* skip whitespace */
-    while (len > 0 && (*s <= 32 || *s >= 127)) {
-        /*
-         * HEY: this is a signed character.
-         *  We are intentionally skipping high-bit characters too
-         *  since they are not ASCII, and Opera sometimes uses UTF-8 whitespace.
-         *
-         * Also in EUC-JP some of the high bytes are just ignored.
-         */
-        ++s;
-        --len;
-    }
-    if (htmlencode_startswith(data_url, s, len)) {
-        return 1;
-    }
-    if (htmlencode_startswith(viewsource_url, s, len)) {
-        return 1;
-    }
-    if (htmlencode_startswith(javascript_url, s, len)) {
-        return 1;
-    }
-    if (htmlencode_startswith(vbscript_url, s, len)) {
-        return 1;
-    }
-    return 0;
-}
-int libinjection_is_xss(const char* s, size_t len, int flags)
-{
-    h5_state_t h5;
-    attribute_t attr = TYPE_NONE;
-    libinjection_h5_init(&h5, s, len, (enum html5_flags) flags);
-    while (libinjection_h5_next(&h5)) {
-        if (h5.token_type != ATTR_VALUE) {
-            attr = TYPE_NONE;
-        }
-        if (h5.token_type == DOCTYPE) {
-            return 1;
-        } else if (h5.token_type == TAG_NAME_OPEN) {
-            if (is_black_tag(h5.token_start, h5.token_len)) {
-                return 1;
-            }
-        } else if (h5.token_type == ATTR_NAME) {
-            attr = is_black_attr(h5.token_start, h5.token_len);
-        } else if (h5.token_type == ATTR_VALUE) {
-            /*
-             * IE6,7,8 parsing works a bit differently so
-             * a whole <script> or other black tag might be hiding
-             * inside an attribute value under HTML 5 parsing
-             * See http://html5sec.org/#102
-             * to avoid doing a full reparse of the value, just
-             * look for "<".  This probably need adjusting to
-             * handle escaped characters
-             */
-            /*
-              if (memchr(h5.token_start, '<', h5.token_len) != NULL) {
-              return 1;
-              }
-            */
-            switch (attr) {
-            case TYPE_NONE:
-                break;
-            case TYPE_BLACK:
-                return 1;
-            case TYPE_ATTR_URL:
-                if (is_black_url(h5.token_start, h5.token_len)) {
-                    return 1;
-                }
-                break;
-            case TYPE_STYLE:
-                return 1;
-            case TYPE_ATTR_INDIRECT:
-                /* an attribute name is specified in a _value_ */
-                if (is_black_attr(h5.token_start, h5.token_len)) {
-                    return 1;
-                }
-                break;
-/*
-  default:
-  assert(0);
-*/
-            }
-            attr = TYPE_NONE;
-        } else if (h5.token_type == TAG_COMMENT) {
-            /* IE uses a "`" as a tag ending char */
-            if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
-                return 1;
-            }
-            /* IE conditional comment */
-            if (h5.token_len > 3) {
-                if (h5.token_start[0] == '[' &&
-                    (h5.token_start[1] == 'i' || h5.token_start[1] == 'I') &&
-                    (h5.token_start[2] == 'f' || h5.token_start[2] == 'F')) {
-                    return 1;
-                }
-                if ((h5.token_start[0] == 'x' || h5.token_start[0] == 'X') &&
-                    (h5.token_start[1] == 'm' || h5.token_start[1] == 'M') &&
-                    (h5.token_start[2] == 'l' || h5.token_start[2] == 'L')) {
-                    return 1;
-                }
-            }
-            if (h5.token_len > 5) {
-                /*  IE <?import pseudo-tag */
-                if (cstrcasecmp_with_null("IMPORT", h5.token_start, 6) == 0) {
-                    return 1;
-                }
-                /*  XML Entity definition */
-                if (cstrcasecmp_with_null("ENTITY", h5.token_start, 6) == 0) {
-                    return 1;
-                }
-            }
-        }
-    }
-    return 0;
-}
-/*
- * wrapper
- */
-int libinjection_xss(const char* s, size_t len)
-{
-    if (libinjection_is_xss(s, len, DATA_STATE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_NO_QUOTE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_SINGLE_QUOTE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_DOUBLE_QUOTE)) {
-        return 1;
-    }
-    if (libinjection_is_xss(s, len, VALUE_BACK_QUOTE)) {
-        return 1;
-    }
-    return 0;
-}

data/ext/libinjection/libinjection_xss.h DELETED Viewed

@@ -1,21 +0,0 @@
-#ifndef LIBINJECTION_XSS
-#define LIBINJECTION_XSS
-#ifdef __cplusplus
-extern "C" {
-#endif
-/**
- * HEY THIS ISN'T DONE
- */
-/* pull in size_t */
-#include <string.h>
-  int libinjection_is_xss(const char* s, size_t len, int flags);
-#ifdef __cplusplus
-}
-#endif
-#endif

data/lib/tcell_agent/appsensor/injections_matcher.rb DELETED Viewed

@@ -1,155 +0,0 @@
-require 'tcell_agent/policies/appsensor/cmdi_sensor'
-require 'tcell_agent/policies/appsensor/fpt_sensor'
-require 'tcell_agent/policies/appsensor/nullbyte_sensor'
-require 'tcell_agent/policies/appsensor/retr_sensor'
-require 'tcell_agent/policies/appsensor/sqli_sensor'
-require 'tcell_agent/policies/appsensor/xss_sensor'
-require 'tcell_agent/utils/params'
-module TCellAgent
-  module AppSensor
-    class InjectionsMatcher
-      GET_PARAM = TCellAgent::Utils::Params::GET_PARAM
-      POST_PARAM = TCellAgent::Utils::Params::POST_PARAM
-      JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
-      COOKIE_PARAM = TCellAgent::Utils::Params::COOKIE_PARAM
-      URI_PARAM = TCellAgent::Utils::Params::URI_PARAM
-      HEADER_PARAM = TCellAgent::Utils::Params::HEADER_PARAM
-      DETECTION_POINTS_V2 = {
-        "xss" => TCellAgent::Policies::XssSensor,
-        "sqli" => TCellAgent::Policies::SqliSensor,
-        "cmdi" => TCellAgent::Policies::CmdiSensor,
-        "fpt" => TCellAgent::Policies::FptSensor,
-        "nullbyte" => TCellAgent::Policies::NullbyteSensor,
-        "retr" => TCellAgent::Policies::RetrSensor
-      }
-      attr_accessor :enabled, :sensors
-      def initialize(sensors)
-        @sensors = sensors
-        @enabled = sensors.size > 0
-      end
-      def each_injection(meta_data)
-        return unless @enabled
-        meta_data.flattened_path_parameters.each do |param_name, param_value|
-          TCellAgent::Instrumentation.safe_block("AppSensor Check Path Params injections") do
-            param_name = param_name[-1]
-            injection_attempt =
-              check_param_for_injections(URI_PARAM, meta_data, param_name, param_value)
-            yield(injection_attempt) if injection_attempt
-          end
-        end
-        meta_data.flattened_get_dict.each do |param_name, param_value|
-          TCellAgent::Instrumentation.safe_block("AppSensor Check GET var injections") do
-            param_name = param_name[-1]
-            injection_attempt =
-              check_param_for_injections(GET_PARAM, meta_data, param_name, param_value)
-            yield(injection_attempt) if injection_attempt
-          end
-        end
-        meta_data.flattened_post_dict.each do |param_name, param_value|
-          TCellAgent::Instrumentation.safe_block("AppSensor Check POST var injections") do
-            param_name = param_name[-1]
-            injection_attempt =
-              check_param_for_injections(POST_PARAM, meta_data, param_name, param_value)
-            yield(injection_attempt) if injection_attempt
-          end
-        end
-        meta_data.flattened_body_dict.each do |param_name, param_value|
-          TCellAgent::Instrumentation.safe_block("AppSensor Check JSON var injections") do
-            param_name = param_name[-1]
-            injection_attempt = check_param_for_injections(JSON_PARAM, meta_data, param_name, param_value)
-            yield(injection_attempt) if injection_attempt
-          end
-        end
-        meta_data.flattened_cookie_dict.each do |param_name, param_value|
-          TCellAgent::Instrumentation.safe_block("AppSensor Check COOKIE var injections") do
-            param_name = param_name[-1]
-            injection_attempt =
-              check_param_for_injections(COOKIE_PARAM, meta_data, param_name, param_value)
-            yield(injection_attempt) if injection_attempt
-          end
-        end
-        meta_data.flattened_headers_dict.each do |param_name, param_value|
-          TCellAgent::Instrumentation.safe_block("AppSensor Check HEADER var injections") do
-            param_name = param_name[-1]
-            injection_attempt =
-              check_param_for_injections(HEADER_PARAM, meta_data, param_name, param_value)
-            yield(injection_attempt) if injection_attempt
-          end
-        end
-      end
-      def check_param_for_injections(param_type, appsensor_meta, param_name, param_value)
-        @sensors.each do |sensor|
-          next unless sensor.applicable_for_param_type?(param_type)
-          injection_attempt = sensor.get_injection_attempt(param_type, appsensor_meta, param_name, param_value)
-          return injection_attempt if injection_attempt
-        end
-        return nil
-      end
-      def self.from_json(version, sensors_json)
-        sensors_json = sensors_json || {}
-        sensors = []
-        if version == 1
-          options_json = sensors_json.fetch("options", {})
-          (options_json || {}).each do |sensor_key, enabled|
-            next unless enabled
-            if sensor_key == "null"
-              sensor_key = "nullbyte"
-            end
-            clazz = DETECTION_POINTS_V2[sensor_key]
-            next unless clazz
-            sensors.push(clazz.new(
-              {
-                "enabled" => enabled,
-                "v1_compatability_enabled" => true
-              }
-            ))
-          end
-        elsif version == 2
-          sensors_json.each do |sensor_key, settings|
-            clazz = DETECTION_POINTS_V2[sensor_key]
-            next unless clazz
-            updated_settings = {"enabled" => true}.merge(settings)
-            if updated_settings["enabled"]
-              sensors.push(clazz.new(updated_settings))
-            end
-          end
-        end
-        InjectionsMatcher.new(sensors)
-      end
-    end
-  end
-end