tcell_agent 0.4.0 → 1.0.0

data/lib/tcell_agent/patches/sensors_matcher.rb

@@ -1,31 +0,0 @@
-require 'tcell_agent/appsensor/injections_matcher'
-
-module TCellAgent
-  module Patches
-
-    class SensorsMatcher
-      attr_accessor :injections_matcher
-
-      def initialize(injections_matcher)
-        @injections_matcher = injections_matcher
-      end
-
-      def any_matches?(meta_data)
-        return true unless @injections_matcher.enabled
-
-        @injections_matcher.each_injection(meta_data) do |injection_attempt|
-          return true
-        end
-
-        return false
-      end
-
-      def self.from_json(sensor_matcher_json)
-        injections_matcher =
-          TCellAgent::AppSensor::InjectionsMatcher.from_json(2, sensor_matcher_json)
-        SensorsMatcher.new(injections_matcher)
-      end
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb

@@ -1,23 +0,0 @@
-require 'tcell_agent/policies/appsensor/injection_sensor'
-
-
-module TCellAgent
-  module Policies
-
-    class CmdiSensor < InjectionSensor
-
-      def initialize(policy_json=nil)
-        super(
-          "cmdi",
-          policy_json
-        )
-      end
-
-      def applicable_for_param_type?(param_type)
-        InjectionSensor::COOKIE_PARAM != param_type
-      end
-
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb

@@ -1,23 +0,0 @@
-require 'tcell_agent/policies/appsensor/injection_sensor'
-
-
-module TCellAgent
-  module Policies
-
-    class FptSensor < InjectionSensor
-
-      def initialize(policy_json=nil)
-        super(
-          "fpt",
-          policy_json
-        )
-      end
-
-      def applicable_for_param_type?(param_type)
-        InjectionSensor::COOKIE_PARAM != param_type
-      end
-
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor/injection_sensor.rb

@@ -1,117 +0,0 @@
-require 'tcell_agent/utils/params'
-
-
-module TCellAgent
-  module Policies
-
-    class InjectionAttempt
-
-      attr_accessor :type_of_param, :detection_point, :param_name, :param_value, :pattern
-
-      def initialize(type_of_param, detection_point, vuln_results)
-        @type_of_param = type_of_param
-        @param_name = vuln_results["param"]
-        @param_value = vuln_results["value"]
-        @pattern = vuln_results["pattern"]
-        @detection_point = detection_point
-      end
-
-    end
-
-    class InjectionSensor
-      GET_PARAM = TCellAgent::Utils::Params::GET_PARAM
-      POST_PARAM = TCellAgent::Utils::Params::POST_PARAM
-      JSON_PARAM = TCellAgent::Utils::Params::JSON_PARAM
-      COOKIE_PARAM = TCellAgent::Utils::Params::COOKIE_PARAM
-      URI_PARAM = TCellAgent::Utils::Params::URI_PARAM
-      HEADER_PARAM = TCellAgent::Utils::Params::HEADER_PARAM
-
-      attr_accessor :enabled, :detection_point, :exclude_headers, :exclude_forms,
-        :exclude_cookies, :exclusions, :active_pattern_ids, :v1_compatability_enabled,
-        :excluded_route_ids
-
-
-      def initialize(detection_point, policy_json=nil)
-        @enabled = false
-        @detection_point = detection_point
-        @exclude_headers = false
-        @exclude_forms = false
-        @exclude_cookies = false
-        @exclusions = {}
-        @active_pattern_ids = Set.new
-        @v1_compatability_enabled = false
-        @rule_manager = AppSensorRuleManager.instance
-        @excluded_route_ids = {}
-
-        if policy_json
-          @enabled = policy_json.fetch("enabled", false)
-          @exclude_headers = policy_json.fetch("exclude_headers", false)
-          @exclude_forms = policy_json.fetch("exclude_forms", false)
-          @exclude_cookies = policy_json.fetch("exclude_cookies", false)
-          @v1_compatability_enabled = policy_json.fetch("v1_compatability_enabled", false)
-
-          @excluded_route_ids = Set.new(policy_json.fetch("exclude_routes", []))
-          @active_pattern_ids = Set.new(policy_json.fetch("patterns", []))
-
-          policy_json.fetch("exclusions", {}).each do |common_word, locations|
-            @exclusions[common_word] = Set.new(locations)
-          end
-        end
-      end
-
-      def applicable_for_param_type?(param_type)
-        true
-      end
-
-      def get_ruleset
-        @rule_manager.get_ruleset_for(@detection_point)
-      end
-
-      def find_vulnerability(param_name, param_value)
-        rules = get_ruleset
-        return nil unless rules
-
-        rules.check_violation(param_name, param_value, @active_pattern_ids, @v1_compatability_enabled)
-      end
-
-      def get_injection_attempt(type_of_param, appsensor_meta, param_name, param_value)
-        return false unless @enabled
-
-        return false if @excluded_route_ids.include?(appsensor_meta.route_id)
-
-        if @exclude_forms &&
-            (GET_PARAM == type_of_param ||
-             POST_PARAM == type_of_param ||
-             JSON_PARAM == type_of_param ||
-             URI_PARAM == type_of_param)
-          return false
-        end
-
-        if @exclude_cookies && COOKIE_PARAM == type_of_param
-          return false
-        end
-
-        if @exclude_headers && HEADER_PARAM == type_of_param
-          return false
-        end
-
-        vuln_results = find_vulnerability(param_name, param_value)
-
-        if vuln_results
-          InjectionAttempt.new(type_of_param, @detection_point, vuln_results)
-        else
-          false
-        end
-      end
-
-      def to_s
-        "<#{self.class.name} enabled: #{@enabled} dp: #{@detection_point} " +
-        "exclude_headers: #{@exclude_headers} exclude_forms: #{exclude_forms} " +
-        "exclude_cookies: #{exclude_cookies} v1_compatability_enabled: #{@v1_compatability_enabled} " +
-        "active_pattern_ids: #{@active_pattern_ids} exclusions: #{exclusions} " +
-        "excluded_route_ids: #{@excluded_route_ids}>"
-      end
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor/nullbyte_sensor.rb

@@ -1,26 +0,0 @@
-require 'tcell_agent/policies/appsensor/injection_sensor'
-
-module TCellAgent
-  module Policies
-
-    class NullbyteSensor < InjectionSensor
-
-      def initialize(policy_json=nil)
-        super(
-          "null",
-          policy_json
-        )
-      end
-
-      def get_ruleset
-        @rule_manager.get_ruleset_for("nullbyte")
-      end
-
-      def applicable_for_param_type?(param_type)
-        InjectionSensor::COOKIE_PARAM != param_type
-      end
-
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor/retr_sensor.rb

@@ -1,22 +0,0 @@
-require 'tcell_agent/policies/appsensor/injection_sensor'
-
-module TCellAgent
-  module Policies
-
-    class RetrSensor < InjectionSensor
-
-      def initialize(policy_json=nil)
-        super(
-          "retr",
-          policy_json
-        )
-      end
-
-      def applicable_for_param_type?(param_type)
-        InjectionSensor::POST_PARAM != param_type && InjectionSensor::JSON_PARAM != param_type
-      end
-
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor/sqli_sensor.rb

@@ -1,34 +0,0 @@
-require 'libinjection/libinjection'
-require 'tcell_agent/policies/appsensor/injection_sensor'
-
-module TCellAgent
-  module Policies
-
-    class SqliSensor < InjectionSensor
-
-      attr_accessor :libinjection
-
-      def initialize(policy_json=nil)
-        super(
-          "sqli",
-          policy_json
-        )
-
-        @libinjection = false
-
-        if policy_json
-          @libinjection = policy_json.fetch("libinjection", false)
-        end
-      end
-
-      def find_vulnerability(param_name, param_value)
-        if @libinjection && Libinjection.is_sqli(param_value) == 1
-          return {"param" => param_name, "value" => param_value, "pattern" => "li"}
-        end
-
-        super(param_name, param_value)
-      end
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor/xss_sensor.rb

@@ -1,34 +0,0 @@
-require 'libinjection/libinjection'
-require 'tcell_agent/policies/appsensor/injection_sensor'
-
-module TCellAgent
-  module Policies
-
-    class XssSensor < InjectionSensor
-
-      attr_accessor :libinjection
-
-      def initialize(policy_json=nil)
-        super(
-          "xss",
-          policy_json
-        )
-
-        @libinjection = false
-
-        if policy_json
-          @libinjection = policy_json.fetch("libinjection", false)
-        end
-      end
-
-      def find_vulnerability(param_name, param_value)
-        if @libinjection && Libinjection.is_xss(param_value) == 1
-          return {"param" => param_name, "value" => param_value, "pattern" => "li"}
-        end
-
-        super(param_name, param_value)
-      end
-    end
-
-  end
-end

data/lib/tcell_agent/policies/appsensor_policy.rb

@@ -1,49 +0,0 @@
-require 'tcell_agent/instrumentation'
-require 'tcell_agent/appsensor/injections_reporter'
-require 'tcell_agent/rust/models'
-require 'tcell_agent/rust/whisperer'
-require 'tcell_agent/policies/policy'
-
-
-module TCellAgent
-  module Policies
-
-    class AppSensorPolicy < Policy
-      attr_reader :appfirewall_enabled, :appfirewall_ptr
-
-      def initialize(appfirewall_enabled=false, appfirewall_ptr=nil)
-        @appfirewall_ptr = appfirewall_ptr
-        @appfirewall_enabled = appfirewall_enabled
-      end
-
-      def process_meta_event(appsensor_meta)
-        return unless @appfirewall_enabled && @appfirewall_ptr
-
-        TCellAgent::Instrumentation.safe_block("AppSensor inspection") do
-          request_response = TCellAgent::Rust::Models.create_request_response(appsensor_meta)
-          whisper = TCellAgent::Rust::Whisperer.apply_appfirewall(@appfirewall_ptr, request_response)
-          TCellAgent::AppSensor::InjectionsReporter.report_and_log(whisper["apply_response"])
-        end
-      end
-
-      def free_native_memory
-        TCellAgent::Rust::Whisperer.free_appfirewall(@appfirewall_ptr) if @appfirewall_ptr
-      end
-
-      def self.from_json(policy_json)
-        return nil unless policy_json
-
-        whisper = TCellAgent::Rust::Whisperer.init_appfirewall(
-          policy_json, TCellAgent.configuration.allow_payloads
-        )
-        if whisper["error"]
-          TCellAgent.logger.debug("Error initializing AppFirewall Policy: #{whisper['error']}")
-          return AppSensorPolicy.new
-        else
-          return AppSensorPolicy.new(whisper["enabled"], whisper["policy_ptr"])
-        end
-      end
-    end
-
-  end
-end

data/lib/tcell_agent/policies/command_injection_policy.rb

@@ -1,196 +0,0 @@
-require 'tcell_agent/rust/whisperer'
-require 'tcell_agent/sensor_events/command_injection'
-require 'tcell_agent/policies/policy'
-
-
-module TCellAgent
-  module Policies
-
-    class CommandRule
-      IGNORE = "ignore"
-      REPORT = "report"
-      BLOCK = "block"
-
-      attr_reader :rule_id, :action, :command
-
-      def initialize(policy_json)
-        @rule_id = nil
-        @action = nil
-        @command = nil
-
-        if policy_json
-          @rule_id = policy_json["rule_id"]
-          @action = policy_json["action"]
-          @command = policy_json["command"]
-        end
-      end
-
-      def ignore?
-        @action == IGNORE
-      end
-
-      def report?
-        @action == REPORT
-      end
-
-      def block?
-        @action == BLOCK
-      end
-
-      def valid?
-        !!@rule_id && [IGNORE, REPORT, BLOCK].include?(@action)
-      end
-    end
-
-    class CommandInjectionPolicy < Policy
-      attr_accessor :policy_id, :version, :enabled, :overall_action, :command_rules, :compound_statement_rule,
-        :collect_full_commandline
-
-      def initialize
-        @enabled = false
-        @version = nil
-        @policy_id = nil
-        @overall_action = nil
-        @command_rules = {}
-        @compound_statement_rule = nil
-        @collect_full_commandline = false
-      end
-
-      def self.from_json(policy_json)
-        return nil unless policy_json
-        policy_json = policy_json.deep_dup
-
-        policy_id = policy_json["policy_id"]
-
-        raise "Policy ID missing" unless policy_id
-
-        command_injection_policy = CommandInjectionPolicy.new
-        command_injection_policy.policy_id = policy_id
-        command_injection_policy.version = policy_json["version"]
-
-        if 1 != command_injection_policy.version
-          TCellAgent.logger.error("Command Injection not supported: #{command_injection_policy.version}")
-          return command_injection_policy
-        end
-
-        policy_data = policy_json["data"]
-        command_rules = {}
-        overall_action = nil
-        compound_statement_rule = nil
-        if policy_data
-          command_injection_policy.collect_full_commandline = !!policy_data["collect_full_commandline"]
-
-          (policy_data["command_rules"] or []).each do |command_rule_policy|
-            command_rule = CommandRule.new(command_rule_policy)
-            if command_rule.valid?
-              command = command_rule.command
-              if command
-                if command_rules.has_key?(command)
-                  TCellAgent.logger.warn(
-                    "CommandInjectionPolicy multiple rules for one " +
-                    "command (dropping rule): #{command} #{command_rule.action}"
-                  )
-                else
-                  command_rules[command] = command_rule
-                end
-              elsif !command_rule.ignore?
-                overall_action = command_rule
-              end
-            end
-          end
-
-          compound_statement_rules = policy_data["compound_statement_rules"]
-          if compound_statement_rules && compound_statement_rules.size > 0
-            compound_statement_rule = CommandRule.new(compound_statement_rules[0])
-            if !compound_statement_rule.valid? || compound_statement_rule.ignore?
-              compound_statement_rule = nil
-            end
-          end
-
-          command_injection_policy.command_rules = command_rules
-          command_injection_policy.overall_action = overall_action
-          command_injection_policy.compound_statement_rule = compound_statement_rule
-          command_injection_policy.enabled = !overall_action.nil? || !compound_statement_rule.nil? || command_rules.size > 0
-        end
-
-        command_injection_policy
-      end
-
-      def block?(cmd, tcell_context)
-        return false unless @enabled
-
-        commands = parse_cmd(cmd).fetch('commands', [])
-
-        command_injection_match_events = []
-        block_command = false
-
-        if commands.size > 1 && !!@compound_statement_rule
-          if !@compound_statement_rule.ignore?
-            command_injection_match_events.push(
-              TCellAgent::SensorEvents::CommandInjectionMatchEvent.new(
-                @compound_statement_rule.rule_id, @compound_statement_rule.command
-              )
-            )
-            block_command = block_command || @compound_statement_rule.block?
-          end
-        end
-
-        commands.each do |command_info|
-          command = command_info["command"]
-          command_rule = command_rules[command] || @overall_action
-          if command_rule && !command_rule.ignore?
-            command_injection_match_events.push(
-              TCellAgent::SensorEvents::CommandInjectionMatchEvent.new(
-                command_rule.rule_id,
-                command
-              )
-            )
-            block_command = block_command || command_rule.block?
-          end
-        end
-
-        if command_injection_match_events.size > 0
-          method, remote_address, route_id, session_id, user_id, full_commandline = nil
-          if tcell_context
-            method = tcell_context.request_method
-            remote_address = tcell_context.ip_address
-            route_id = tcell_context.route_id
-            session_id = tcell_context.hmac_session_id
-            user_id = tcell_context.user_id
-          end
-
-          if @collect_full_commandline
-            full_commandline = cmd
-          end
-
-          TCellAgent.send_event(
-            TCellAgent::SensorEvents::CommandInjectionEvent.new(
-              commands,
-              block_command,
-              command_injection_match_events,
-              method=method,
-              remote_address=remote_address,
-              route_id=route_id,
-              session_id=session_id,
-              user_id=user_id,
-              full_commandline=full_commandline
-            )
-          )
-        end
-
-        block_command
-      end
-
-      private
-        def parse_cmd(cmd)
-          TCellAgent::Instrumentation.safe_block("Call Rust Parse Command") do
-            require "tcell_agent/rust/whisperer"
-
-            return TCellAgent::Rust::Whisperer.parse_cmd(cmd)
-          end
-
-          return {}
-        end
-    end
-  end
-end

data/lib/tcell_agent/policies/honeytokens_policy.rb

@@ -1,69 +0,0 @@
-# See the file "LICENSE" for the full license governing this code.
-
-#String sh_policy_string = ""
-#+"{"
-#+"\"policy_id\":\"00a1\","
-#+"\"token_salt\":\"salt123\","
-#+"\"tokens\": ["
-#+"              {\"type\":\"cred\", \"id\":\"deny\", \"token\":\"abcdefgh\"}"
-#+"             ]"
-#+"}";
-require 'pbkdf2'
-require 'openssl'
-require 'tcell_agent/policies/policy'
-
-
-module TCellAgent
-    module Policies
-        class HoneytokensPolicy < Policy
-            attr_accessor :policy_id
-            attr_accessor :token_salt
-            attr_accessor :cred_tokens
-
-            def id_for_credentialstring(credential_string)
-                if cred_tokens
-                    credential_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha512'), token_salt, credential_string)
-                    if cred_tokens.has_key?(credential_hmac)
-                        return cred_tokens[credential_hmac]
-                    end
-                end
-                return nil
-            end
-
-            def self.from_json(policy_json)
-                if (!policy_json) 
-                    return nil
-                end
-
-                honeytokens_policy = HoneytokensPolicy.new
-                if policy_json.has_key?("policy_id")
-                    honeytokens_policy.policy_id = policy_json["policy_id"]
-                else
-                    raise "Policy ID missing"
-                end
-
-                if policy_json.has_key?("token_salt")
-                    honeytokens_policy.token_salt = policy_json["token_salt"]
-                else
-                    raise "Token Salt missing"
-                end
-
-                if policy_json.has_key?("tokens")
-                    tokens = policy_json["tokens"]
-                    tokens.each do |token|
-                        if (token.has_key?("type") && token.has_key?("id") && token.has_key?("token"))
-                            if (token["type"] == "cred")
-                                if honeytokens_policy.cred_tokens == nil
-                                    honeytokens_policy.cred_tokens = {}
-                                end
-                                honeytokens_policy.cred_tokens[token["token"]] = token["id"]
-                            end
-                        end
-                    end
-                end
-
-                return honeytokens_policy
-            end
-        end
-    end
-end