tcell_agent 1.1.12 → 2.0.0

data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb

@@ -0,0 +1,504 @@
+require 'spec_helper'
+
+describe IO do
+  describe '.binread' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+    context 'empty name' do
+      it 'should raise an error' do
+        expect do
+          IO.binread
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.binread(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.binread('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            IO.binread('|')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.binread('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.binread('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.binread('|invalid command', 10, 20)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(IO.binread('|echo test')).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+
+            expect(IO.binread('|echo test')).to eq("test\n")
+          end
+        end
+
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+            expect(IO.binread('|echo test')).to eq("test\n")
+          end
+        end
+      end
+
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+            expect do
+              IO.binread('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+  describe '.popen' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          IO.popen
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.popen(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.popen('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'non existent command' do
+      it 'should return nil' do
+        expect do
+          IO.popen('foobar')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'with a valid command' do
+      it 'should execute command' do
+        expect(IO.popen('echo test').read).to eq("test\n")
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(@command_injection_policy.enabled).to eq(false)
+
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_call_original
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          IO.popen('echo test')
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+          IO.popen('echo test')
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+          expect do
+            IO.popen('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+
+    context 'with env' do
+      before(:each) do
+        @env = { 'TCELL_VAR' => 'enabled' }
+      end
+
+      context 'with string command' do
+        it 'should execute the command' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, 'echo', 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, 'echo', 'w+', :unsetenv_others => true)
+        end
+      end
+
+      context 'with string command and arguments' do
+        it 'should parse the command' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test', 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test', :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test', 'w+', :unsetenv_others => true)
+        end
+      end
+
+      context 'with array command' do
+        it 'should parse the command properly' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, [%w[echo argv0]], 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, [%w[echo argv0]], :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, [%w[echo argv0]], 'w+', :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, ['echo'], 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, ['echo'], :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, ['echo'], 'w+', :unsetenv_others => true)
+        end
+      end
+
+      context 'with array command and arguments' do
+        it 'should parse the command properly' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'])
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'], 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'], :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'], 'w+', :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test])
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test], 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test], :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test], 'w+', :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([@env, 'echo', 'test', :unsetenv_others => true], 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [@env, 'echo', 'test', :unsetenv_others => true], 'w+', :err => %i[child out])
+        end
+      end
+    end
+
+    context 'without env' do
+      context 'with array command and arguments' do
+        it 'should parse the command properly' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'])
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'], 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'], :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'], 'w+', :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test])
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test], 'w+')
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test], :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test], 'w+', :unsetenv_others => true)
+
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with(
+            "echo -size 320x85 canvas:none -font Bookman-DemiItalic -draw \"text 25,60 'Magick'\""
+          )
+          IO.popen(
+            [%w[echo argv0],
+             '-size',
+             '320x85',
+             'canvas:none',
+             '-font',
+             'Bookman-DemiItalic',
+             '-draw',
+             "\"text 25,60 \'Magick\'\""],
+            :unsetenv_others => true
+          )
+        end
+      end
+    end
+  end
+  describe '.read' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+    context 'empty name' do
+      it 'should raise an error' do
+        expect do
+          IO.read
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.read(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.read('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            IO.read('|')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.read('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.read('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.read('|invalid command', 10, 20)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(IO.read('|echo test')).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+
+            expect(IO.read('|echo test')).to eq("test\n")
+          end
+        end
+
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).and_return(false)
+
+            expect(IO.read('|echo test')).to eq("test\n")
+          end
+        end
+      end
+
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).and_return(true)
+
+            expect do
+              IO.read('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+  describe '.readlines' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+    context 'empty name' do
+      it 'should raise an error' do
+        expect do
+          IO.readlines
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.readlines(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.readlines('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            IO.readlines('|')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.readlines('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            IO.readlines('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(IO.readlines('|echo test')[0]).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+
+            expect(IO.readlines('|echo test')[0]).to eq("test\n")
+          end
+        end
+
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).and_return(false)
+
+            expect(IO.readlines('|echo test')[0]).to eq("test\n")
+          end
+        end
+      end
+
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+            expect do
+              IO.readlines('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+end