tcell_agent 1.1.11 → 2.1.2

Files changed (164) hide show
  1. checksums.yaml +4 -4
  2. data/bin/tcell_agent +26 -14
  3. data/lib/tcell_agent.rb +16 -10
  4. data/lib/tcell_agent/agent.rb +78 -97
  5. data/lib/tcell_agent/agent/route_manager.rb +0 -16
  6. data/lib/tcell_agent/agent/static_agent.rb +9 -30
  7. data/lib/tcell_agent/authlogic.rb +3 -6
  8. data/lib/tcell_agent/config/unknown_options.rb +4 -7
  9. data/lib/tcell_agent/configuration.rb +39 -118
  10. data/lib/tcell_agent/devise.rb +25 -27
  11. data/lib/tcell_agent/hooks/login_fraud.rb +30 -33
  12. data/lib/tcell_agent/instrument_servers.rb +25 -0
  13. data/lib/tcell_agent/instrumentation.rb +12 -10
  14. data/lib/tcell_agent/instrumentation/cmdi.rb +29 -25
  15. data/lib/tcell_agent/instrumentation/lfi.rb +84 -0
  16. data/lib/tcell_agent/instrumentation/monkey_patches/file.rb +25 -0
  17. data/lib/tcell_agent/instrumentation/monkey_patches/io.rb +131 -0
  18. data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb +102 -0
  19. data/lib/tcell_agent/logger.rb +50 -114
  20. data/lib/tcell_agent/patches.rb +6 -7
  21. data/lib/tcell_agent/policies/appfirewall_policy.rb +26 -0
  22. data/lib/tcell_agent/policies/command_injection_policy.rb +28 -0
  23. data/lib/tcell_agent/policies/dataloss_policy.rb +44 -44
  24. data/lib/tcell_agent/policies/headers_policy.rb +25 -0
  25. data/lib/tcell_agent/policies/http_redirect_policy.rb +13 -79
  26. data/lib/tcell_agent/policies/js_agent_policy.rb +27 -0
  27. data/lib/tcell_agent/policies/local_file_access.rb +28 -0
  28. data/lib/tcell_agent/policies/login_policy.rb +43 -0
  29. data/lib/tcell_agent/policies/patches_policy.rb +27 -0
  30. data/lib/tcell_agent/policies/policies_manager.rb +68 -0
  31. data/lib/tcell_agent/policies/policy_polling.rb +58 -0
  32. data/lib/tcell_agent/policies/policy_types.rb +14 -0
  33. data/lib/tcell_agent/policies/system_enablements.rb +27 -0
  34. data/lib/tcell_agent/rails/auth/authlogic.rb +43 -68
  35. data/lib/tcell_agent/rails/auth/devise.rb +20 -23
  36. data/lib/tcell_agent/rails/auth/doorkeeper.rb +63 -74
  37. data/lib/tcell_agent/rails/csrf_exception.rb +2 -2
  38. data/lib/tcell_agent/rails/dlp.rb +35 -19
  39. data/lib/tcell_agent/rails/dlp_handler.rb +1 -2
  40. data/lib/tcell_agent/rails/js_agent_insert.rb +12 -13
  41. data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +4 -25
  42. data/lib/tcell_agent/rails/middleware/context_middleware.rb +2 -12
  43. data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
  44. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +14 -34
  45. data/lib/tcell_agent/rails/on_start.rb +32 -31
  46. data/lib/tcell_agent/rails/routes.rb +10 -9
  47. data/lib/tcell_agent/rails/routes/grape.rb +4 -12
  48. data/lib/tcell_agent/rails/routes/route_id.rb +3 -1
  49. data/lib/tcell_agent/rails/settings_reporter.rb +23 -36
  50. data/lib/tcell_agent/rails/start_agent_after_initializers.rb +12 -0
  51. data/lib/tcell_agent/rails/tcell_body_proxy.rb +6 -4
  52. data/lib/tcell_agent/rust/agent_config.rb +49 -0
  53. data/lib/tcell_agent/rust/{libtcellagent-alpine-1.3.2.so → libtcellagent-4.18.0.dylib} +0 -0
  54. data/lib/tcell_agent/rust/{libtcellagent-1.3.2.so → libtcellagent-4.18.0.so} +0 -0
  55. data/lib/tcell_agent/rust/libtcellagent-alpine-4.18.0.so +0 -0
  56. data/lib/tcell_agent/rust/models.rb +0 -55
  57. data/lib/tcell_agent/rust/native_agent.rb +531 -0
  58. data/lib/tcell_agent/rust/native_agent_response.rb +42 -0
  59. data/lib/tcell_agent/rust/native_library.rb +68 -0
  60. data/lib/tcell_agent/rust/tcellagent-4.18.0.dll +0 -0
  61. data/lib/tcell_agent/sensor_events/agent_setting_event.rb +12 -0
  62. data/lib/tcell_agent/sensor_events/{app_config.rb → app_config_setting_event.rb} +0 -6
  63. data/lib/tcell_agent/sensor_events/dlp.rb +2 -6
  64. data/lib/tcell_agent/sensor_events/sensor.rb +0 -62
  65. data/lib/tcell_agent/sensor_events/server_agent.rb +13 -18
  66. data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +0 -108
  67. data/lib/tcell_agent/sensor_events/util/utils.rb +0 -2
  68. data/lib/tcell_agent/servers/passenger.rb +1 -28
  69. data/lib/tcell_agent/servers/puma.rb +3 -21
  70. data/lib/tcell_agent/servers/rails_server.rb +1 -1
  71. data/lib/tcell_agent/servers/thin.rb +2 -2
  72. data/lib/tcell_agent/servers/unicorn.rb +19 -80
  73. data/lib/tcell_agent/servers/webrick.rb +1 -1
  74. data/lib/tcell_agent/settings_reporter.rb +24 -24
  75. data/lib/tcell_agent/sinatra.rb +14 -16
  76. data/lib/tcell_agent/tcell_context.rb +41 -15
  77. data/lib/tcell_agent/utils/headers.rb +14 -0
  78. data/lib/tcell_agent/version.rb +1 -1
  79. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +0 -18
  80. data/spec/lib/tcell_agent/configuration_spec.rb +4 -140
  81. data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +46 -173
  82. data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb +504 -0
  83. data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb +435 -0
  84. data/spec/lib/tcell_agent/instrumentation/cmdi_spec.rb +201 -0
  85. data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb +326 -0
  86. data/spec/lib/tcell_agent/instrumentation/lfi/io_lfi_spec.rb +562 -0
  87. data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb +264 -0
  88. data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb +150 -0
  89. data/spec/lib/tcell_agent/patches_spec.rb +25 -43
  90. data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb +183 -0
  91. data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +57 -0
  92. data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +84 -773
  93. data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +161 -0
  94. data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +9 -9
  95. data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +243 -198
  96. data/spec/lib/tcell_agent/policies/js_agent_policy_spec.rb +75 -0
  97. data/spec/lib/tcell_agent/policies/login_policy_spec.rb +165 -33
  98. data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +84 -277
  99. data/spec/lib/tcell_agent/policies/policies_manager_spec.rb +104 -0
  100. data/spec/lib/tcell_agent/policies/policy_polling_spec.rb +6 -0
  101. data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +56 -0
  102. data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +9 -18
  103. data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +13 -30
  104. data/spec/lib/tcell_agent/rails/logger_spec.rb +27 -7
  105. data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +17 -12
  106. data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +14 -14
  107. data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +0 -35
  108. data/spec/lib/tcell_agent/settings_reporter_spec.rb +127 -153
  109. data/spec/spec_helper.rb +1 -1
  110. data/spec/support/builders.rb +104 -0
  111. data/spec/support/force_logger_mocking.rb +38 -0
  112. data/spec/support/resources/lfi_sample_file.txt +2 -0
  113. data/spec/support/static_agent_overrides.rb +0 -15
  114. metadata +64 -74
  115. data/lib/tcell_agent/agent/event_processor.rb +0 -326
  116. data/lib/tcell_agent/agent/fork_pipe_manager.rb +0 -113
  117. data/lib/tcell_agent/agent/policy_manager.rb +0 -219
  118. data/lib/tcell_agent/agent/policy_types.rb +0 -30
  119. data/lib/tcell_agent/api.rb +0 -91
  120. data/lib/tcell_agent/appsensor/injections_reporter.rb +0 -24
  121. data/lib/tcell_agent/config/child_process_events.rb +0 -8
  122. data/lib/tcell_agent/instrumentation/cmdi/backtick.rb +0 -10
  123. data/lib/tcell_agent/instrumentation/cmdi/exec.rb +0 -14
  124. data/lib/tcell_agent/instrumentation/cmdi/popen.rb +0 -28
  125. data/lib/tcell_agent/instrumentation/cmdi/spawn.rb +0 -11
  126. data/lib/tcell_agent/instrumentation/cmdi/system.rb +0 -11
  127. data/lib/tcell_agent/policies/http_tx_policy.rb +0 -60
  128. data/lib/tcell_agent/policies/login_fraud_policy.rb +0 -45
  129. data/lib/tcell_agent/policies/rust_policies.rb +0 -110
  130. data/lib/tcell_agent/rails.rb +0 -40
  131. data/lib/tcell_agent/rust/libtcellagent-1.3.2.dylib +0 -0
  132. data/lib/tcell_agent/rust/tcellagent-1.3.2.dll +0 -0
  133. data/lib/tcell_agent/rust/whisperer.rb +0 -308
  134. data/lib/tcell_agent/sensor_events/appsensor_event.rb +0 -52
  135. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +0 -45
  136. data/lib/tcell_agent/sensor_events/command_injection.rb +0 -75
  137. data/lib/tcell_agent/sensor_events/honeytokens.rb +0 -16
  138. data/lib/tcell_agent/sensor_events/login_fraud.rb +0 -60
  139. data/lib/tcell_agent/sensor_events/metrics.rb +0 -123
  140. data/lib/tcell_agent/sensor_events/patches.rb +0 -21
  141. data/lib/tcell_agent/start_background_thread.rb +0 -55
  142. data/lib/tcell_agent/system_info.rb +0 -11
  143. data/lib/tcell_agent/utils/io.rb +0 -38
  144. data/lib/tcell_agent/utils/passwords.rb +0 -28
  145. data/lib/tcell_agent/utils/queue_with_timeout.rb +0 -142
  146. data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +0 -100
  147. data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +0 -535
  148. data/spec/lib/tcell_agent/agent/static_agent_spec.rb +0 -133
  149. data/spec/lib/tcell_agent/api/api_spec.rb +0 -39
  150. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +0 -187
  151. data/spec/lib/tcell_agent/cmdi_spec.rb +0 -736
  152. data/spec/lib/tcell_agent/instrumentation_spec.rb +0 -225
  153. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +0 -517
  154. data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +0 -22
  155. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +0 -293
  156. data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +0 -198
  157. data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +0 -180
  158. data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +0 -116
  159. data/spec/lib/tcell_agent/rust/models_spec.rb +0 -120
  160. data/spec/lib/tcell_agent/rust/whisperer_spec.rb +0 -704
  161. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +0 -45
  162. data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +0 -272
  163. data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +0 -52
  164. data/spec/lib/tcell_agent/utils/passwords_spec.rb +0 -143
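--- a/data/spec/lib/tcell_agent/instrumentation_spec.rb
+++ /dev/null
@@ -1,225 +0,0 @@
-require 'spec_helper'
-
-module TCellAgent
-class MockAgent < Agent
-end
-end
-
-module TCellAgent
-module Instrumentation
-describe Instrumentation do
-before(:each) do
-configuration = double(
-'configuration',
-{
-'app_id' => 'app_id',
-'api_key' => 'api_key',
-'allow_payloads' => true,
-'js_agent_api_base_url' => 'http://api.tcell.com/',
-'js_agent_url' => 'https://jsagent.tcell.io/tcellagent.min.js',
-'max_csp_header_bytes' => nil,
-'event_time_limit_seconds' => 15,
-'event_batch_size_limit' => 50,
-'preload_policy_filename' => nil,
-'cache_filename_with_app_id' => '/tcellagent_src/tcell/cache/tcell_agent.cache',
-'agent_home_owner' => nil
-}
-)
-expect(TCellAgent).to receive(:configuration).and_return(configuration).at_most(10)
-end
-
-context 'Body - SessionId Filters' do
-it 'Tests Redaction and Events in Body' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.body_redact = true
-action.action_id = 5
-policy_json_two = {
-'policy_id' => 'x1a1',
-'data' => {
-'session_id_protections' => { 'body' => ['redact'], 'log' => ['event'] }
-}
-}
-session_id_policy = TCellAgent::Policies::DataLossPolicy.from_json(policy_json_two)
-mock_agent = MockAgent.new(-1)
-mock_agent.policies[TCellAgent::PolicyTypes::DATALOSS] = session_id_policy
-TCellAgent.set_thread_agent(mock_agent)
-
-context = TCellData.new
-context.session_id = 'tim123123my'
-
-body = 'this is about tim123123my 3123123.'
-TCellAgent.empty_event_queue
-context.filter_body!(body)
-expect(body).to eq('this is about [redacted] 3123123.')
-expect(TCellAgent.event_queue.length).to eq(1)
-TCellAgent.set_thread_agent(nil)
-end
-it 'Tests Events in Body' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.body_redact = true
-action.action_id = 5
-policy_json_two = {
-'policy_id' => 'x1a1',
-'data' => {
-'session_id_protections' => { 'body' => ['event'], 'log' => ['redact'] }
-}
-}
-session_id_policy = TCellAgent::Policies::DataLossPolicy.from_json(policy_json_two)
-mock_agent = MockAgent.new(-1)
-mock_agent.policies[TCellAgent::PolicyTypes::DATALOSS] = session_id_policy
-TCellAgent.set_thread_agent(mock_agent)
-
-context = TCellData.new
-context.session_id = 'tim123123my'
-
-body = 'this is about tim123123my 3123123.'
-TCellAgent.empty_event_queue
-context.filter_body!(body)
-expect(body).to eq('this is about tim123123my 3123123.')
-expect(TCellAgent.event_queue.length).to eq(1)
-TCellAgent.set_thread_agent(nil)
-end
-end
-context 'Log - SessionId Filters' do
-it 'Tests Redaction and Events in Body' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.body_redact = true
-action.action_id = 5
-policy_json_two = {
-'policy_id' => 'x1a1',
-'data' => {
-'session_id_protections' => { 'body' => ['redact'], 'log' => ['redact'] }
-}
-}
-session_id_policy = TCellAgent::Policies::DataLossPolicy.from_json(policy_json_two)
-mock_agent = MockAgent.new(-1)
-mock_agent.policies[TCellAgent::PolicyTypes::DATALOSS] = session_id_policy
-TCellAgent.set_thread_agent(mock_agent)
-
-context = TCellData.new
-context.session_id = 'tim123123my'
-
-body = 'this is about tim123123my 3123123.'
-TCellAgent.empty_event_queue
-context.filter_log(body)
-expect(body).to eq('this is about [redacted] 3123123.')
-expect(TCellAgent.event_queue.length).to eq(1)
-TCellAgent.set_thread_agent(nil)
-end
-it 'Tests Events Only' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.body_redact = true
-action.action_id = 5
-policy_json_two = {
-'policy_id' => 'x1a1',
-'data' => {
-'session_id_protections' => { 'body' => ['redact'], 'log' => ['event'] }
-}
-}
-session_id_policy = TCellAgent::Policies::DataLossPolicy.from_json(policy_json_two)
-mock_agent = MockAgent.new(-1)
-mock_agent.policies[TCellAgent::PolicyTypes::DATALOSS] = session_id_policy
-TCellAgent.set_thread_agent(mock_agent)
-
-context = TCellData.new
-context.session_id = 'tim123123my'
-
-body = 'this is about tim123123my 3123123.'
-TCellAgent.empty_event_queue
-context.filter_log(body)
-expect(body).to eq('this is about tim123123my 3123123.')
-expect(TCellAgent.event_queue.length).to eq(1)
-TCellAgent.set_thread_agent(nil)
-end
-end
-context 'Body - Database Filters' do
-it 'Tests Redaction and Events in Body' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.body_redact = true
-action.action_id = 5
-context = TCellData.new
-context.add_response_db_filter('timmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy23', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('3123123', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy1', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti21312mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti123123mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(10_233_234, action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(true, action, 'don', 'sam', 'tim', 'fred')
-body = 'this is about timmy1 3123123.'
-TCellAgent.empty_event_queue
-context.filter_body!(body)
-expect(body).to eq('this is about [redacted] [redacted].')
-expect(TCellAgent.event_queue.length).to eq(2)
-end
-it 'Tests Event Only Match in Body' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.body_event = true
-action.action_id = 5
-context = TCellData.new
-context.add_response_db_filter('timmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy23', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('3123123', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy1', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti21312mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti123123mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(10_233_234, action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(true, action, 'don', 'sam', 'tim', 'fred')
-body = 'this is about timmy1 3123123.'
-TCellAgent.empty_event_queue
-context.filter_body!(body)
-expect(body).to eq('this is about timmy1 3123123.')
-expect(TCellAgent.event_queue.length).to eq(3) # timmy, timmy1, 3123123
-end
-end
-context 'Log - Database Filters' do
-it 'Tests Redaction and Events' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.log_redact = true
-action.action_id = 5
-context = TCellData.new
-context.add_response_db_filter('timmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy23', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('3123123', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy1', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti21312mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti123123mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(10_233_234, action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(true, action, 'don', 'sam', 'tim', 'fred')
-body = 'this is about timmy1 3123123.'
-TCellAgent.empty_event_queue
-context.filter_log(body)
-expect(body).to eq('this is about [redacted] [redacted].')
-expect(TCellAgent.event_queue.length).to eq(2)
-end
-it 'Tests Report-Only and Events' do
-action = TCellAgent::Policies::DataLossPolicy::FilterActions.new
-action.log_event = true
-action.action_id = 5
-context = TCellData.new
-context.add_response_db_filter('timmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy23', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('3123123', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('timmy1', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('tim123123my', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti21312mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter('ti123123mmy', action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(10_233_234, action, 'don', 'sam', 'tim', 'fred')
-context.add_response_db_filter(true, action, 'don', 'sam', 'tim', 'fred')
-body = 'this is about timmy1 3123123.'
-TCellAgent.empty_event_queue
-context.filter_log(body)
-expect(body).to eq('this is about timmy1 3123123.')
-expect(TCellAgent.event_queue.length).to eq(3) # timmy, timmy1, 3123123
-end
-end
-end
-end
-end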
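--- a/data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb
+++ /dev/null
@@ -1,517 +0,0 @@
-require 'spec_helper'
-
-module TCellAgent
-module Policies
-describe RustPolicies do
-everything_enabled_policy_json = {
-'appsensor' => {
-'policy_id' => '01a1',
-'version' => 2,
-'data' => {
-'options' => {
-'uri_options' => {
-'collect_full_uri' => true
-},
-'payloads' => {
-'send_payloads' => true,
-'send_blacklist' => {
-'ssn' => ['*'],
-'password' => ['*']
-},
-'send_whitelist' => {},
-'log_payloads' => true,
-'log_blacklist' => {},
-'log_whitelist' => {
-'username' => ['*']
-}
-}
-},
-'sensors' => {
-'req_size' => {
-'limit' => 1024,
-'exclude_routes' => ['2300']
-},
-'resp_size' => {
-'limit' => 2048,
-'exclude_routes' => ['2323']
-},
-'resp_codes' => {
-'series_400_enabled' => true,
-'series_500_enabled' => true
-},
-'xss' => {
-'libinjection' => true,
-'patterns' => %w[1 2 8],
-'exclusions' => {
-'bob' => ['*']
-}
-},
-'sqli' => {
-'libinjection' => true,
-'exclude_headers' => true,
-'patterns' => ['1']
-},
-'fpt' => {
-'patterns' => %w[1 2],
-'exclude_forms' => true,
-'exclude_cookies' => true,
-'exclusions' => {
-'somethingcommon' => ['form']
-}
-},
-'cmdi' => {
-'patterns' => %w[1 2]
-},
-'nullbyte' => {
-'patterns' => %w[1 2]
-},
-'retr' => {
-'patterns' => %w[1 2]
-},
-'ua' => {
-'empty_enabled' => true
-},
-'errors' => {
-'csrf_exception_enabled' => true,
-'sql_exception_enabled' => true
-},
-'database' => {
-'large_result' => {
-'limit' => 10
-}
-}
-}
-}
-},
-'regex' => {
-'data' => {
-'patterns' => [
-{
-'id' => 'tc-xss-1',
-'pattern' => '(?:<(script))',
-'sensor' => 'xss',
-'title' => 'Basic Injection'
-},
-{
-'safe_pattern' => '^[a-zA-Z0-9_\\s\\r\\n\\t]*$',
-'pattern' => '(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])',
-'sensor' => 'sqli',
-'id' => 'tc-sqli-1',
-'title' => 'Conditional Attempts'
-}
-],
-'version' => 1_518_546_622_571
-},
-'policy_id' => 'f3a313b0-10eb-11e8-8080-808080808080',
-'version' => 1
-}
-}
-
-describe '#update_policies' do
-before(:each) do
-configuration = double(
-'configuration',
-{
-'app_id' => 'app_id',
-'api_key' => 'api_key',
-'allow_payloads' => true,
-'js_agent_api_base_url' => 'http://api.tcell.com/',
-'js_agent_url' => 'https://jsagent.tcell.io/tcellagent.min.js',
-'max_csp_header_bytes' => nil
-}
-)
-expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
-@rust_policies = RustPolicies.new
-end
-
-context 'with v2 policy' do
-context 'that is missing a policy id' do
-it 'should have appfirewall disabled' do
-logger = double('logger')
-
-expect(TCellAgent).to receive(:logger).and_return(logger)
-expect(logger).to receive(:error).with(
-'Error updating policies: Failed to decode appsensor policy: missing field `policy_id`'
-)
-
-@rust_policies.update_policies(
-{
-'appsensor' => {
-'version' => 2,
-'data' => {}
-}
-}
-)
-
-expect(@rust_policies.appfirewall_enabled).to eq(false)
-end
-end
-
-context 'that is missing a version id' do
-it 'should have appfirewall disabled' do
-logger = double('logger')
-
-expect(TCellAgent).to receive(:logger).and_return(logger)
-expect(logger).to receive(:error).with(
-'Error updating policies: Failed to decode appsensor policy: missing field `version`'
-)
-
-@rust_policies.update_policies(
-{
-'appsensor' => {
-'policy_id' => '01a1',
-'data' => {}
-}
-}
-)
-
-expect(@rust_policies.appfirewall_enabled).to eq(false)
-end
-end
-
-context 'that has no sensors' do
-it 'should have all sensors disabled' do
-expect(TCellAgent).to_not receive(:logger)
-
-policy_json_empty = {
-'appsensor' => {
-'policy_id' => '01a1',
-'version' => 2,
-'data' => {
-}
-}
-}
-
-@rust_policies.update_policies(policy_json_empty)
-
-expect(@rust_policies.appfirewall_enabled).to eq(false)
-end
-end
-
-context 'that has empty sensors' do
-it 'should have all sensors disabled' do
-expect(TCellAgent).to_not receive(:logger)
-
-policy_json_empty = {
-'appsensor' => {
-'policy_id' => '01a1',
-'version' => 2,
-'data' => {
-'sensors' => {}
-}
-}
-}
-
-@rust_policies.update_policies(policy_json_empty)
-
-expect(@rust_policies.appfirewall_enabled).to eq(true)
-end
-end
-
-context 'that only has xss enabled' do
-it 'should be enabled' do
-expect(TCellAgent).to_not receive(:logger)
-
-policy_json = {
-'appsensor' => {
-'policy_id' => '01a1',
-'version' => 2,
-'data' => {
-'sensors' => {
-'xss' => {
-'libinjection' => true,
-'patterns' => %w[1 2 8],
-'exclusions' => {
-'bob' => ['*']
-}
-}
-}
-}
-}
-}
-
-@rust_policies.update_policies(policy_json)
-
-expect(@rust_policies.appfirewall_enabled).to eq(true)
-end
-end
-
-context 'that has everything enabled' do
-it 'should be enabled' do
-expect(TCellAgent).to_not receive(:logger)
-
-@rust_policies.update_policies(everything_enabled_policy_json)
-
-expect(@rust_policies.appfirewall_enabled).to eq(true)
-end
-end
-end
-end
-
-describe '#check_appfirewall_injections' do
-context 'with everything enabled policy' do
-before(:each) do
-configuration = double(
-'configuration',
-{
-'enabled' => true,
-'app_id' => 'app_id',
-'api_key' => 'api_key',
-'allow_payloads' => true,
-'js_agent_api_base_url' => 'http://api.tcell.com/',
-'js_agent_url' => 'https://jsagent.tcell.io/tcellagent.min.js',
-'max_csp_header_bytes' => nil
-}
-)
-expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
-@rust_policies = RustPolicies.new
-@rust_policies.update_policies(everything_enabled_policy_json)
-@meta_data = TCellAgent::MetaData.new(
-'GET',
-'192.168.1.1',
-'12345',
-'session_id',
-'user_id',
-'transaction_id',
-'http://test.com/?some_param=present'
-)
-@meta_data.user_agent = 'Mozilla'
-@meta_data.response_code = 200
-end
-
-context 'csrf exception' do
-context 'nil csrf exception' do
-it 'should not send an event' do
-expect(TCellAgent).to_not receive(:send_event)
-
-@meta_data.csrf_exception_name = nil
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-
-context 'empty csrf exception' do
-it 'should not send an event' do
-expect(TCellAgent).to_not receive(:send_event)
-
-@meta_data.csrf_exception_name = ''
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-
-context 'one csrf exception' do
-it 'should send a csrf exception event' do
-expect(TCellAgent).to receive(:send_event).with(
-{
-'event_type' => 'as',
-'dp' => 'excsrf',
-'param' => 'ActionController::InvalidAuthenticityToken',
-'m' => 'GET',
-'rid' => '12345',
-'full_uri' => 'http://test.com/?some_param=present',
-'uri' => 'http://test.com/?some_param=',
-'uid' => 'user_id',
-'sid' => 'session_id',
-'remote_addr' => '192.168.1.1'
-}
-)
-
-@meta_data.csrf_exception_name = 'ActionController::InvalidAuthenticityToken'
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-end
-
-context 'sql exception' do
-context 'empty sql exceptions' do
-it 'should not send an event' do
-expect(TCellAgent).to_not receive(:send_event)
-
-@meta_data.sql_exceptions = []
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-
-context 'one sql exception' do
-it 'should send one event' do
-logger = double('logger')
-
-expect(TCellAgent).to receive(:logger).and_return(logger)
-expect(logger).to receive(:info)
-expect(TCellAgent).to receive(:send_event).with(
-{
-'event_type' => 'as',
-'dp' => 'exsql',
-'param' => 'ActiveRecord::StatementInvalid',
-'m' => 'GET',
-'rid' => '12345',
-'full_uri' => 'http://test.com/?some_param=present',
-'uri' => 'http://test.com/?some_param=',
-'uid' => 'user_id',
-'sid' => 'session_id',
-'remote_addr' => '192.168.1.1',
-'payload' => 'exception message goes here'
-}
-)
-
-@meta_data.sql_exceptions = [{
-'exception_name' => 'ActiveRecord::StatementInvalid',
-'exception_payload' => 'exception message goes here'
-}]
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-
-context 'multiple sql exception' do
-it 'should send multiple event' do
-logger = double('logger')
-
-expect(TCellAgent).to receive(:logger).and_return(logger).twice
-expect(logger).to receive(:info).twice
-expect(TCellAgent).to receive(:send_event).with(
-{
-'event_type' => 'as',
-'dp' => 'exsql',
-'param' => 'ActiveRecord::StatementInvalid',
-'m' => 'GET',
-'rid' => '12345',
-'full_uri' => 'http://test.com/?some_param=present',
-'uri' => 'http://test.com/?some_param=',
-'uid' => 'user_id',
-'sid' => 'session_id',
-'remote_addr' => '192.168.1.1',
-'payload' => 'exception message goes here'
-}
-)
-expect(TCellAgent).to receive(:send_event).with(
-{
-'event_type' => 'as',
-'dp' => 'exsql',
-'param' => 'ActiveRecord::StatementInvalid',
-'m' => 'GET',
-'rid' => '12345',
-'full_uri' => 'http://test.com/?some_param=present',
-'uri' => 'http://test.com/?some_param=',
-'uid' => 'user_id',
-'sid' => 'session_id',
-'remote_addr' => '192.168.1.1',
-'payload' => 'second exception message goes here'
-}
-)
-
-@meta_data.sql_exceptions = [
-{
-'exception_name' => 'ActiveRecord::StatementInvalid',
-'exception_payload' => 'exception message goes here'
-},
-{
-'exception_name' => 'ActiveRecord::StatementInvalid',
-'exception_payload' => 'second exception message goes here'
-}
-]
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-end
-
-context 'db max result' do
-context 'nil db max result' do
-it 'should not send an event' do
-expect(TCellAgent).to_not receive(:send_event)
-
-@meta_data.database_result_sizes = nil
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-
-context 'empty db max result' do
-it 'should not send an event' do
-expect(TCellAgent).to_not receive(:send_event)
-
-@meta_data.database_result_sizes = []
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-
-context 'one db max result' do
-it 'should send one event' do
-expect(TCellAgent).to receive(:send_event).with(
-{
-'event_type' => 'as',
-'dp' => 'dbmaxrows',
-'m' => 'GET',
-'meta' => { 'rows' => 1001 },
-'rid' => '12345',
-'full_uri' => 'http://test.com/?some_param=present',
-'uri' => 'http://test.com/?some_param=',
-'uid' => 'user_id',
-'sid' => 'session_id',
-'remote_addr' => '192.168.1.1'
-}
-)
-
-@meta_data.database_result_sizes = [1001]
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-
-context 'multiple db max results' do
-it 'should send multiple event' do
-expect(TCellAgent).to receive(:send_event).with(
-{
-'event_type' => 'as',
-'dp' => 'dbmaxrows',
-'m' => 'GET',
-'meta' => { 'rows' => 1001 },
-'rid' => '12345',
-'full_uri' => 'http://test.com/?some_param=present',
-'uri' => 'http://test.com/?some_param=',
-'uid' => 'user_id',
-'sid' => 'session_id',
-'remote_addr' => '192.168.1.1'
-}
-)
-expect(TCellAgent).to receive(:send_event).with(
-{
-'event_type' => 'as',
-'dp' => 'dbmaxrows',
-'m' => 'GET',
-'meta' => { 'rows' => 1002 },
-'rid' => '12345',
-'full_uri' => 'http://test.com/?some_param=present',
-'uri' => 'http://test.com/?some_param=',
-'uid' => 'user_id',
-'sid' => 'session_id',
-'remote_addr' => '192.168.1.1'
-}
-)
-
-@meta_data.database_result_sizes = [1001, 1002]
-@rust_policies.check_appfirewall_injections(
-@meta_data
-)
-end
-end
-end
-end
-end
-end
-end
-end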