tcell_agent 1.1.11 → 2.1.2

data/lib/tcell_agent/instrumentation.rb

@@ -1,5 +1,4 @@
 # See the file "LICENSE" for the full license governing this code.
-require 'tcell_agent/logger'
 require 'tcell_agent/configuration'
 require 'tcell_agent/version'
 require 'date'
@@ -64,7 +63,7 @@ module TCellAgent
     class TCellData
       attr_accessor :transaction_id, :session_id, :hmac_session_id, :user_id,
                     :password, :route_id, :path, :uri, :fullpath, :context_filters_by_term,
-                    :database_filters, :ip_address, :user_agent, :request_method,
+                    :database_filters, :remote_address, :user_agent, :request_method,
                     :path_parameters, :patches_blocking_triggered, :grape_mount_endpoint,
                     :referrer, :csrf_exception_name, :sql_exceptions, :database_result_sizes
 
@@ -209,23 +208,26 @@ module TCellAgent
         "<#{self.class.name} transaction_id: #{transaction_id} session_id: #{session_id} " \
         "hmac_session_id: #{hmac_session_id} user_id: #{user_id} route_id: #{route_id} " \
         "uri: #{uri} context_filters_by_term: #{context_filters_by_term} " \
-        "database_filters: #{database_filters} ip_address: #{ip_address} user_agent: #{user_agent} " \
+        "database_filters: #{database_filters} remote_address: #{remote_address} user_agent: #{user_agent} " \
         "request_method: #{@request_method} path_parameters: #{@path_parameters}>"
       end
     end
 
-    def self.instrument_frameworks
-      require 'tcell_agent/authlogic' if defined?(Authlogic)
-      require 'tcell_agent/devise' if defined?(Devise)
-      require 'tcell_agent/rails' if defined?(Rails)
-      require 'tcell_agent/sinatra' if defined?(Sinatra)
+    # Note: mock for tests
+    def self.get_safe_block_logger
+      unless defined?(@safe_block_logger)
+        @safe_block_logger = TCellAgent::ModuleLogger.new(TCellAgent.logger, name)
+      end
+
+      @safe_block_logger
     end
 
     def self.safe_block(message, &block)
       block.call
     rescue StandardError => ex
-      TCellAgent.logger.debug "Exception in safe_block #{message}: #{ex.class} happened, message is #{ex.message}"
-      TCellAgent.logger.debug(ex.backtrace)
+      logger = get_safe_block_logger
+      logger.error("Error #{message} (#{ex.class}): #{ex.message}")
+      logger.exception(ex)
     end
 
     def self.safe_block_no_log(_message, &block)

data/lib/tcell_agent/instrumentation/cmdi.rb

@@ -1,4 +1,4 @@
-require 'tcell_agent/agent/policy_types'
+require 'tcell_agent/policies/policy_types'
 require 'tcell_agent/utils/strings'
 require 'tcell_agent/configuration'
 
@@ -7,13 +7,13 @@ module TCellAgent
     def self.block_command?(cmd)
       TCellAgent::Instrumentation.safe_block('Checking Command Injection Policy') do
         if TCellAgent::Utils::Strings.present?(cmd)
-          rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-          if rust_policies && rust_policies.cmdi_enabled
+          command_injection_policy = TCellAgent.policy(TCellAgent::PolicyTypes::COMMANDINJECTION)
+          if command_injection_policy.enabled
             request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
               Thread.current.object_id, {}
             )
             tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
-            return rust_policies.block_command?(cmd, tcell_context)
+            return command_injection_policy.block_command?(cmd, tcell_context)
           end
         end
       end
@@ -25,32 +25,36 @@ module TCellAgent
       cmd = ''
 
       TCellAgent::Instrumentation.safe_block('CMDI Parsing *args') do
-        unless args.empty?
-          args_copy = Array.new(args)
-          args_copy.shift if args_copy.first.is_a?(Hash)
-          args_copy.pop if args_copy.last.is_a?(Hash)
-
-          if args_copy.first.is_a?(Array)
-            cmd_n_argv0 = args_copy.shift
-            args_copy.unshift(cmd_n_argv0.first)
-          end
+        return cmd if args.nil? || args.empty?
+
+        args_copy = Array.new(args)
+        args_copy.shift if args_copy.first.is_a?(Hash)
+        args_copy.pop if args_copy.last.is_a?(Hash)
 
-          cmd = args_copy.join(' ')
+        if args_copy.first.is_a?(Array)
+          cmd_n_argv0 = args_copy.shift
+          args_copy.unshift(cmd_n_argv0.first)
         end
+
+        cmd = args_copy.join(' ')
       end
 
       cmd
     end
-  end
-end
 
-if TCellAgent.configuration.should_instrument_cmdi_exec?
-  require('tcell_agent/instrumentation/cmdi/exec')
-else
-  TCellAgent.logger.debug('Disabling cmdi Kernel::exec instrumentation')
-end
+    def self.parse_command_from_open(*args)
+      cmd = ''
+
+      TCellAgent::Instrumentation.safe_block('CMDI Parsing *args') do
+        return cmd if args.nil? || args.empty?
+
+        args_copy = Array.new(args)
+        first_arg = args_copy.shift
+
+        cmd = first_arg[1..-1] if first_arg && (first_arg.is_a? String) && first_arg[0] == '|'
+      end
 
-require('tcell_agent/instrumentation/cmdi/backtick')
-require('tcell_agent/instrumentation/cmdi/system')
-require('tcell_agent/instrumentation/cmdi/spawn')
-require('tcell_agent/instrumentation/cmdi/popen')
+      cmd
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/lfi.rb

@@ -0,0 +1,84 @@
+require 'tcell_agent/policies/policy_types'
+require 'tcell_agent/utils/strings'
+require 'tcell_agent/configuration'
+
+module TCellAgent
+  module Instrumentation
+    module Lfi
+      def self.block_file_access?(path, mode)
+        TCellAgent::Instrumentation.safe_block('Checking Local Files Policy') do
+          if TCellAgent::Utils::Strings.present?(path)
+            lfi_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LFI)
+
+            request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
+              Thread.current.object_id, {}
+            )
+
+            tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
+            return lfi_policy.block_file_access?(path, mode, tcell_context)
+          end
+        end
+
+        false
+      end
+
+      def self.extract_path_mode(*args)
+        path = ''
+        mode = ''
+
+        TCellAgent::Instrumentation.safe_block('LFI Parsing *args') do
+          return ['', ''] if args.nil? || args.empty?
+
+          args_copy = Array.new(args)
+          path = args_copy.shift
+          mode = args_copy.shift || 'r'
+
+          if path && path.to_s[0] != '|'
+            path = File.expand_path(path.to_s)
+
+            mode = if mode && mode.is_a?(Hash)
+                     convert_mode(mode[:mode])
+                   else
+                     convert_mode(mode)
+                   end
+
+            [path, mode]
+          else
+            ['', '']
+          end
+        end
+      end
+
+      def self.extract_path_mode_argf
+        path = ''
+        mode = 'Read'
+
+        TCellAgent::Instrumentation.safe_block('LFI Parsing ARGF') do
+          if ARGF.eof? && !ARGV.empty?
+            argv_copy = Array.new(ARGV)
+            path = argv_copy.shift
+          else
+            path = ARGF.filename
+          end
+
+          if path && path.to_s[0] != '|'
+            [File.expand_path(path.to_s), mode]
+          else
+            ['', '']
+          end
+        end
+      end
+
+      def self.convert_mode(mode)
+        if mode.is_a? String
+          return 'ReadWrite' if mode.include? '+'
+          return 'Write' if (mode.include? 'w') || (mode.include? 'a')
+        elsif mode.is_a? Numeric
+          return 'ReadWrite' if (mode & ::File::RDWR) != 0
+          return 'Write' if (mode & ::File::WRONLY) != 0
+        end
+        'Read'
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/file.rb

@@ -0,0 +1,25 @@
+class File
+  class << self
+    alias_method :tcell_original_new, :new
+    def new(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_new(*args, &block)
+    end
+
+    alias_method :tcell_original_open, :open
+    def open(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_open(*args, &block)
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/io.rb

@@ -0,0 +1,131 @@
+class IO
+  class << self
+    alias_method :tcell_original_binread, :binread
+    def binread(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      if path.empty?
+        cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+        if cmd && TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_binread(*args, &block)
+    end
+
+    alias_method :tcell_original_binwrite, :binwrite
+    def binwrite(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Write'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_binwrite(*args, &block)
+    end
+
+    alias_method :tcell_original_foreach, :foreach
+    def foreach(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_foreach(*args, &block)
+    end
+
+    alias_method :tcell_original_popen, :popen
+    def popen(*args, &block)
+      unless args.empty?
+        cmd = ''
+
+        TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
+          args_copy = Array.new(args)
+          args_copy.shift if args_copy.first.is_a?(Hash)
+          args_copy.pop if args_copy.last.is_a?(Hash)
+
+          cmd = if args_copy.first.is_a?(String)
+                  args_copy.shift
+                else
+                  TCellAgent::Cmdi.parse_command(*args_copy.shift)
+                end
+        end
+
+        if TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_popen(*args, &block)
+    end
+
+    alias_method :tcell_original_read, :read
+    def read(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      if path.empty?
+        cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+        if cmd && TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_read(*args, &block)
+    end
+
+    alias_method :tcell_original_readlines, :readlines
+    def readlines(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      if path.empty?
+        cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+        if cmd && TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_readlines(*args, &block)
+    end
+
+    alias_method :tcell_original_sysopen, :sysopen
+    def sysopen(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_sysopen(*args, &block)
+    end
+
+    alias_method :tcell_original_write, :write
+    def write(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Write'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_write(*args, &block)
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb

@@ -0,0 +1,102 @@
+module Kernel
+  private
+
+  alias_method :tcell_original_backtick, :`
+  alias_method :tcell_original_exec, :exec
+  alias_method :tcell_original_open, :open
+  alias_method :tcell_original_gets, :gets
+  alias_method :tcell_original_readline, :readline
+  alias_method :tcell_original_spawn, :spawn
+  alias_method :tcell_original_system, :system
+
+  class << self
+    alias_method :tcell_original_exec, :exec
+    alias_method :tcell_original_open, :open
+    alias_method :tcell_original_gets, :gets
+    alias_method :tcell_original_readline, :readline
+    alias_method :tcell_original_spawn, :spawn
+    alias_method :tcell_original_system, :system
+  end
+
+  def `(cmd)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_backtick(cmd)
+  end
+
+  if TCellAgent.configuration.should_instrument_cmdi_exec?
+    def exec(*args)
+      cmd = TCellAgent::Cmdi.parse_command(*args)
+      if TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_exec(*args)
+    end
+  end
+
+  def gets(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+    if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    tcell_original_gets(*args, &block)
+  end
+
+  def open(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+    if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    if path.empty?
+      cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+      if cmd && TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+    end
+
+    tcell_original_open(*args, &block)
+  end
+
+  def readline(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+    if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    tcell_original_readline(*args, &block)
+  end
+
+  def spawn(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_spawn(*args)
+  end
+
+  def system(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_system(*args)
+  end
+
+  module_function :`
+  module_function :exec
+  module_function :gets
+  module_function :open
+  module_function :readline
+  module_function :spawn
+  module_function :system
+end