tcell_agent 1.1.12 → 2.0.0

data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb

@@ -1,22 +0,0 @@
-require 'spec_helper'
-
-module TCellAgent
-  module Policies
-    describe HttpTxPolicy do
-      http_tx_policy_json = {
-        'policy_id' => '01a1',
-        'types' => {
-          'firehose' => { 'enabled' => true }
-        }
-      }
-      http_tx_from_json = HttpTxPolicy.from_json(http_tx_policy_json)
-      context 'initialized with 3 items' do
-        it 'returns true' do
-          expect(http_tx_from_json.policy_id).to eq('01a1')
-          expect(http_tx_from_json.firehose['enabled']).to eq(true)
-          expect(http_tx_from_json.firehose['lite']).to eq(false)
-        end
-      end
-    end
-  end
-end

data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb

@@ -1,293 +0,0 @@
-require 'spec_helper'
-require 'rack/test'
-require 'rack'
-
-module TCellAgent
-  module Instrumentation
-    module Rails
-      module Middleware
-        regex_policy = {
-          'data' => {
-            'patterns' => [
-              {
-                'id' => 'tc-xss-1',
-                'pattern' => '(?:<(script|iframe|embed|frame|frameset|' \
-                             'object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))',
-                'sensor' => 'xss',
-                'title' => 'Basic Injection'
-              },
-
-              {
-                'id' => 'tc-sqli-1',
-                'pattern' => "(?:(?:\\d[\"'`\u00b4\u2019\u2018]\\s+" \
-                             "[\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin" \
-                             "\\s*?[\"'`\u00b4\u2019\u2018]|(/\\*)+[\"'`" \
-                             "\u00b4\u2019\u2018]+\\s?(?:--|#|/\\*|\\{)?)|" \
-                             "(?:[\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|" \
-                             'like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d"' \
-                             "'`\u00b4\u2019\u2018])|(?:[\"'`\u00b4\u2019\u2018]" \
-                             "\\s*?[^\\w\\s]?=\\s*?[\"'`\u00b4\u2019\u2018])|(?:[\"'`" \
-                             "\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\"'`\u00b4\u2019\u2018])" \
-                             "|(?:[\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`" \
-                             "\u00b4\u2019\u2018(].*?$)|(?:[\"'`\u00b4\u2019\u2018]\\s*?[!=|]" \
-                             "[\\d\\s!=]+.*?\\d+$)|(?:[\"'`\u00b4\u2019\u2018]\\s*?" \
-                             "like\\W+[\\w\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)" \
-                             "|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\u00b4\u2019\u2018" \
-                             "][<>~]+[\"'`\u00b4\u2019\u2018]))",
-                'sensor' => 'sqli',
-                'title' => 'Basic Injection'
-              },
-
-              {
-                'id' => 'tc-fpt-2',
-                'pattern' => '(?:%c0%ae/)|(?:(?:/|\\\\)(conf|usr|etc|proc|opt|s?bin' \
-                             '|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|' \
-                             '%[a-z_-]{3,}%)(?:/|\\\\))|(?:(?:/|\\\\)inetpub|localstart\\.asp|' \
-                             'boot\\.ini)',
-                'sensor' => 'fpt',
-                'title' => 'Common System Probing'
-              }
-            ],
-            'version' => 1_518_546_622_571
-          },
-          'policy_id' => 'f3a313b0-10eb-11e8-8080-808080808080',
-          'version' => 1
-        }
-
-        class MockAppsensorRackApp
-          attr_reader :request_body
-
-          def initialize(route_id = nil)
-            @route_id = route_id
-            @request_headers = {}
-          end
-
-          def call(env)
-            @env = env
-            Rack::Request.new(env)
-            response_headers = { 'Content-Type' => 'text/html' }
-            env['tcell.request_data'].transaction_id = 'a-b-c-d-e-f'
-            env['tcell.request_data'].route_id = @route_id
-            [200, response_headers, ['OK']]
-          end
-
-          def [](key)
-            @env[key]
-          end
-        end
-
-        describe HeadersMiddleware do
-          let(:app) { MockAppsensorRackApp.new }
-          let(:app2) { MockAppsensorRackApp.new('myrouteid') }
-
-          subject { with_tcell_middleware(app) }
-
-          context 'Appsensor Middleware' do
-            before(:each) do
-              TCellAgent.configuration = TCellAgent::Configuration.new
-              TCellAgent.configuration.read_config_from_file(get_test_resource_path('normal_config.json'))
-            end
-            let(:request) { Rack::MockRequest.new(subject) }
-            let(:request2) { Rack::MockRequest.new(with_tcell_middleware(app2)) }
-            let(:agent) { ::TCellAgent::Agent.new }
-
-            context 'XSS' do
-              context 'with allow_payloads = false' do
-                before(:each) do
-                  old_uap = TCellAgent.configuration.allow_payloads
-                  TCellAgent.configuration.allow_payloads = true
-                  TCellAgent.thread_agent.process_policy_json(
-                    {
-                      'regex' => regex_policy,
-                      'appsensor' => {
-                        'policy_id' => '153ed270',
-                        'version' => 2,
-                        'data' => {
-                          'options' => {
-                            'payloads' => {
-                              'send_payloads' => true,
-                              'log_payloads' => false
-                            }
-                          },
-                          'sensors' => {
-                            'xss' => {
-                              'dynamic_patterns' => ['tc-xss-1'],
-                              'patterns' => ['1']
-                            }
-                          }
-                        }
-                      }
-                    },
-                    false
-                  )
-
-                  TCellAgent.empty_event_queue
-                  TCellAgent.configuration.allow_payloads = old_uap
-                end
-
-                it 'alerts on get xss payload' do
-                  request.get('/foo?xyz=%3CSCRIPT%3Ealert(1)%3C%2Fscript%3E', 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
-                  expected_as = {
-                    'event_type' => 'as',
-                    'dp' => 'xss',
-                    'param' => 'xyz',
-                    'remote_addr' => '1.3.3.4',
-                    'm' => 'GET',
-                    'pattern' => 'tc-xss-1',
-                    'uri' => 'http://example.org/foo?xyz=',
-                    'meta' => {
-                      'l' => 'query',
-                      'h' => [],
-                      'num_headers' => 1,
-                      'summary' => [{ 'n' => 'content-length', 's' => 1 }]
-                    },
-                    'payload' => '<SCRIPT>alert(1)</script>'
-                  }
-                  expect(TCellAgent.event_queue).to include(expected_as)
-                end
-
-                it 'alerts on post xss payload' do
-                  request.post('/foo', :input => 'x=<SCRIPT>alert(1)</SCRIPT>', 'REMOTE_ADDR' => '1.2.3.4,3.4.5.6')
-                  expected_as = {
-                    'event_type' => 'as',
-                    'dp' => 'xss',
-                    'param' => 'x',
-                    'remote_addr' => '1.2.3.4',
-                    'm' => 'POST',
-                    'pattern' => 'tc-xss-1',
-                    'uri' => 'http://example.org/foo',
-                    'meta' => {
-                      'l' => 'body',
-                      'h' => [],
-                      'num_headers' => 1,
-                      'summary' => [{ 'n' => 'content-length', 's' => 2 }]
-                    },
-                    'payload' => '<SCRIPT>alert(1)</SCRIPT>'
-                  }
-                  expect(TCellAgent.event_queue).to include(expected_as)
-                end
-
-                it 'alerts on get xss payload with route_id' do
-                  request2.get('/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E')
-                  expected_as = {
-                    'event_type' => 'as',
-                    'dp' => 'xss',
-                    'param' => 'xyz',
-                    'rid' => 'myrouteid',
-                    'm' => 'GET',
-                    'pattern' => 'tc-xss-1',
-                    'uri' => 'http://example.org/foo?xyz=',
-                    'meta' => {
-                      'l' => 'query',
-                      'h' => [],
-                      'num_headers' => 1,
-                      'summary' => [{ 'n' => 'content-length', 's' => 1 }]
-                    },
-                    'payload' => '<script>alert(1)</script>'
-                  }
-                  expect(TCellAgent.event_queue).to include(expected_as)
-                end
-              end
-            end
-
-            context 'SQL Injection' do
-              before(:each) do
-                TCellAgent.thread_agent.process_policy_json(
-                  {
-                    'regex' => regex_policy,
-                    'appsensor' => {
-                      'policy_id' => '153ed270',
-                      'version' => 2,
-                      'data' => {
-                        'sensors' => {
-                          'sqli' => {
-                            'dynamic_patterns' => ['tc-sqli-1'],
-                            'patterns' => ['1']
-                          }
-                        }
-                      }
-                    }
-                  },
-                  false
-                )
-                TCellAgent.empty_event_queue
-              end
-
-              it 'alerts on get sqli payload' do
-                old_uap = TCellAgent.configuration.allow_payloads
-                TCellAgent.configuration.allow_payloads = false
-                # ' OR '3'='3
-                request.get('/foo?xyz=abds&def=%27%20OR%20%273%27%3D%273', 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
-                TCellAgent.configuration.allow_payloads = old_uap
-                expected_as = {
-                  'event_type' => 'as',
-                  'dp' => 'sqli',
-                  'param' => 'def',
-                  'remote_addr' => '1.3.3.4',
-                  'm' => 'GET',
-                  'pattern' => 'tc-sqli-1',
-                  'uri' => 'http://example.org/foo?xyz=&def=',
-                  'meta' => {
-                    'l' => 'query',
-                    'h' => [],
-                    'num_headers' => 1,
-                    'summary' => [{ 'n' => 'content-length', 's' => 1 }]
-                  }
-                }
-                expect(TCellAgent.event_queue).to include(expected_as)
-              end
-            end
-
-            context 'File Path Traversal' do
-              it 'alerts on most obvious payload' do
-                TCellAgent.thread_agent.process_policy_json(
-                  {
-                    'regex' => regex_policy,
-                    'appsensor' => {
-                      'policy_id' => '153ed270',
-                      'version' => 2,
-                      'data' => {
-                        'options' => {
-                          'payloads' => {
-                            'send_payloads' => false,
-                            'log_payloads' => false
-                          }
-                        },
-                        'sensors' => {
-                          'fpt' => {
-                            'dynamic_patterns' => ['tc-fpt-2'],
-                            'patterns' => ['2']
-                          }
-                        }
-                      }
-                    }
-                  },
-                  false
-                )
-                TCellAgent.empty_event_queue
-
-                request.get('/foo?xyz=/ETC/PASSWD', 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
-                expected_as = {
-                  'event_type' => 'as',
-                  'dp' => 'fpt',
-                  'param' => 'xyz',
-                  'remote_addr' => '1.3.3.4',
-                  'm' => 'GET',
-                  'pattern' => 'tc-fpt-2',
-                  'uri' => 'http://example.org/foo?xyz=',
-                  'meta' => {
-                    'l' => 'query',
-                    'h' => [],
-                    'num_headers' => 1,
-                    'summary' => [{ 'n' => 'content-length', 's' => 1 }]
-                  }
-                }
-                expect(TCellAgent.event_queue).to include(expected_as)
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb

@@ -1,198 +0,0 @@
-require 'spec_helper'
-require 'rack/test'
-require 'rack'
-
-require 'tcell_agent/rails/dlp/process_request'
-
-module TCellAgent
-  module Instrumentation
-    module Rails
-      module Middleware
-        class MockDLPRackApp
-          attr_reader :request_body
-
-          def initialize(body = 'OK', route_id = nil, session_id = nil)
-            @route_id = route_id
-            @session_id = session_id
-            @request_headers = {}
-            @body = body
-          end
-
-          def loop_params_hash(method, param_hash, _prefix, &block)
-            param_hash.each do |param_name, param_value|
-              if param_value && param_value.is_a?(Hash)
-                loop_params_hash(method, param_value, 'hash', &block)
-              elsif !param_value || !param_value.instance_of?(String) || param_value == ''
-                next
-              else
-                yield(method, param_name, param_value)
-              end
-            end
-          end
-
-          def for_params(request, &block)
-            get_params = request.GET
-            loop_params_hash('get', get_params, nil, &block) if get_params
-            post_params = request.POST
-            loop_params_hash('post', post_params, nil, &block) if post_params
-          end
-
-          def call(env)
-            @env = env
-            rack_request = Rack::Request.new(env)
-            response_headers = { 'Content-Type' => 'text/html' }
-            env['tcell.request_data'].transaction_id = 'a-b-c-d-e-f'
-            env['tcell.request_data'].session_id = @session_id
-            env['tcell.request_data'].route_id = @route_id
-            tcell_context = env['tcell.request_data']
-            dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DATALOSS)
-            if dlp_policy
-              action_objs = dlp_policy.get_actions_for_table('*', '*', 'tablex', 'columnb', tcell_context.route_id)
-              if action_objs
-                action_objs.each do |action_obj|
-                  tcell_context.add_response_db_filter('secretvalue', action_obj, 'databx', '*', 'tablex', 'columnb')
-                end
-              end
-              TCellAgent::DLP.handle_request_dlp_parameters(rack_request)
-              # if tcell_context && dlp_policy && dlp_policy.actions_for_form_parameter?
-              #  for_params(rack_request) { |method, param_name, param_value|
-              #    actions = dlp_policy.get_actions_for_form_parameter(param_name, tcell_context.route_id)
-              #    if actions
-              #      actions.each { |action|
-              #        puts action.action_id
-              #        tcell_context.add_filter_for_request_parameter(param_value, action, param_name)
-              #      }
-              #    end
-              #  }
-              # end
-            end
-            tcell_context.filter_body!(@body)
-            [200, response_headers, [@body]]
-          end
-
-          def [](key)
-            @env[key]
-          end
-        end
-
-        describe HeadersMiddleware do
-          let(:app) { MockDLPRackApp.new }
-          let(:app2) { MockDLPRackApp.new('My secretvalue othervalue test', 'myrouteid', 'plainsessionid') }
-
-          subject { with_tcell_middleware(app) }
-
-          context 'DLP Middleware' do
-            before(:each) do
-              TCellAgent.configuration = TCellAgent::Configuration.new
-              TCellAgent.configuration.read_config_from_file(get_test_resource_path('normal_config.json'))
-            end
-            let(:request) { Rack::MockRequest.new(subject) }
-            let(:request2) { Rack::MockRequest.new(with_tcell_middleware(app2)) }
-            let(:agent) { ::TCellAgent::Agent.new }
-            context 'Event' do
-              before(:each) do
-                TCellAgent.thread_agent.process_policy_json(
-                  {
-                    'dlp' => {
-                      'policy_id' => 'x1a1',
-                      'data' => {
-                        'db_protections' => [
-                          {
-                            'scope' => 'route',
-                            'route_ids' => ['myrouteid'],
-                            'databases' => ['*'],
-                            'schemas' => ['*'],
-                            'tables' => ['tablex'],
-                            'fields' => ['columnb'],
-                            'id' => '323213',
-                            'actions' => {
-                              'log' => ['redact'],
-                              'body' => ['redact']
-                            }
-                          }
-                        ]
-                      }
-                    }
-                  },
-                  false
-                )
-                TCellAgent.empty_event_queue
-              end
-              it 'redacts body' do
-                response = request2.get(
-                  '/some/path2?x=abc',
-                  'CONTENT_TYPE' => 'text/html',
-                  'REMOTE_ADDR' => '1.3.3.4,3.4.5.6'
-                )
-                expect(response.body).to eq('My [redacted] othervalue test')
-                # expect(response['Location']).to eq("https://www.google.com")
-                expected_as = {
-                  'event_type' => 'dlp',
-                  'rid' => 'myrouteid',
-                  'found_in' => 'body',
-                  'rule' => '323213',
-                  'type' => 'db',
-                  'db' => 'databx',
-                  'schema' => '*',
-                  'table' => 'tablex',
-                  'field' => 'columnb',
-                  'uri' => 'http://example.org/some/path2?x='
-                }
-                expect(TCellAgent.event_queue).to include(expected_as)
-              end
-            end
-
-            context 'Event for request dlp' do
-              before(:each) do
-                TCellAgent.thread_agent.process_policy_json(
-                  {
-                    'dlp' => {
-                      'policy_id' => 'x1a1',
-                      'data' => {
-                        'request_protections' => [
-                          {
-                            'variable_context' => 'form',
-                            'scope' => 'route',
-                            'route_ids' => ['myrouteid'],
-                            'variables' => ['test333'],
-                            'id' => '08080808',
-                            'actions' => {
-                              'log' => ['redact'],
-                              'body' => ['event']
-                            }
-                          }
-                        ]
-                      }
-                    }
-                  },
-                  false
-                )
-                TCellAgent.empty_event_queue
-              end
-
-              it 'redacts body' do
-                response = request2.get(
-                  '/some/path2?test333=othervalue',
-                  'CONTENT_TYPE' => 'text/html',
-                  'REMOTE_ADDR' => '1.3.3.4,3.4.5.6'
-                )
-                expect(response.body).to eq('My secretvalue othervalue test')
-                expected_as = {
-                  'event_type' => 'dlp',
-                  'rid' => 'myrouteid',
-                  'found_in' => 'body',
-                  'rule' => '08080808',
-                  'type' => 'req',
-                  'context' => 'form',
-                  'variable' => 'test333',
-                  'uri' => 'http://example.org/some/path2?test333='
-                }
-                expect(TCellAgent.event_queue).to include(expected_as)
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end