tcell_agent 1.1.12 → 2.0.0

data/lib/tcell_agent/instrumentation.rb

@@ -1,5 +1,4 @@
 # See the file "LICENSE" for the full license governing this code.
-require 'tcell_agent/logger'
 require 'tcell_agent/configuration'
 require 'tcell_agent/version'
 require 'date'
@@ -64,7 +63,7 @@ module TCellAgent
     class TCellData
       attr_accessor :transaction_id, :session_id, :hmac_session_id, :user_id,
                     :password, :route_id, :path, :uri, :fullpath, :context_filters_by_term,
-                    :database_filters, :ip_address, :user_agent, :request_method,
+                    :database_filters, :remote_address, :user_agent, :request_method,
                     :path_parameters, :patches_blocking_triggered, :grape_mount_endpoint,
                     :referrer, :csrf_exception_name, :sql_exceptions, :database_result_sizes
 
@@ -209,23 +208,26 @@ module TCellAgent
         "<#{self.class.name} transaction_id: #{transaction_id} session_id: #{session_id} " \
         "hmac_session_id: #{hmac_session_id} user_id: #{user_id} route_id: #{route_id} " \
         "uri: #{uri} context_filters_by_term: #{context_filters_by_term} " \
-        "database_filters: #{database_filters} ip_address: #{ip_address} user_agent: #{user_agent} " \
+        "database_filters: #{database_filters} remote_address: #{remote_address} user_agent: #{user_agent} " \
         "request_method: #{@request_method} path_parameters: #{@path_parameters}>"
       end
     end
 
-    def self.instrument_frameworks
-      require 'tcell_agent/authlogic' if defined?(Authlogic)
-      require 'tcell_agent/devise' if defined?(Devise)
-      require 'tcell_agent/rails' if defined?(Rails)
-      require 'tcell_agent/sinatra' if defined?(Sinatra)
+    # Note: mock for tests
+    def self.get_safe_block_logger
+      unless defined?(@safe_block_logger)
+        @safe_block_logger = TCellAgent::ModuleLogger.new(TCellAgent.logger, name)
+      end
+
+      @safe_block_logger
     end
 
     def self.safe_block(message, &block)
       block.call
     rescue StandardError => ex
-      TCellAgent.logger.debug "Exception in safe_block #{message}: #{ex.class} happened, message is #{ex.message}"
-      TCellAgent.logger.debug(ex.backtrace)
+      logger = get_safe_block_logger
+      logger.error("Error #{message} (#{ex.class}): #{ex.message}")
+      logger.exception(ex)
     end
 
     def self.safe_block_no_log(_message, &block)

data/lib/tcell_agent/instrumentation/cmdi.rb

@@ -1,4 +1,4 @@
-require 'tcell_agent/agent/policy_types'
+require 'tcell_agent/policies/policy_types'
 require 'tcell_agent/utils/strings'
 require 'tcell_agent/configuration'
 
@@ -7,13 +7,13 @@ module TCellAgent
     def self.block_command?(cmd)
       TCellAgent::Instrumentation.safe_block('Checking Command Injection Policy') do
         if TCellAgent::Utils::Strings.present?(cmd)
-          rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-          if rust_policies && rust_policies.cmdi_enabled
+          command_injection_policy = TCellAgent.policy(TCellAgent::PolicyTypes::COMMANDINJECTION)
+          if command_injection_policy.enabled
             request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
               Thread.current.object_id, {}
             )
             tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
-            return rust_policies.block_command?(cmd, tcell_context)
+            return command_injection_policy.block_command?(cmd, tcell_context)
           end
         end
       end
@@ -41,16 +41,20 @@ module TCellAgent
 
       cmd
     end
-  end
-end
 
-if TCellAgent.configuration.should_instrument_cmdi_exec?
-  require('tcell_agent/instrumentation/cmdi/exec')
-else
-  TCellAgent.logger.debug('Disabling cmdi Kernel::exec instrumentation')
-end
+    def self.parse_command_from_open(*args)
+      cmd = ''
+
+      TCellAgent::Instrumentation.safe_block('CMDI Parsing *args') do
+        unless args.empty?
+          args_copy = Array.new(args)
+          first_arg = args_copy.shift
 
-require('tcell_agent/instrumentation/cmdi/backtick')
-require('tcell_agent/instrumentation/cmdi/system')
-require('tcell_agent/instrumentation/cmdi/spawn')
-require('tcell_agent/instrumentation/cmdi/popen')
+          cmd = first_arg[1..-1] if first_arg && first_arg[0] == '|'
+        end
+      end
+
+      cmd
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/lfi.rb

@@ -0,0 +1,73 @@
+require 'tcell_agent/policies/policy_types'
+require 'tcell_agent/utils/strings'
+require 'tcell_agent/configuration'
+
+module TCellAgent
+  module Instrumentation
+    module Lfi
+      def self.block_file_access?(path, mode)
+        TCellAgent::Instrumentation.safe_block('Checking Local Files Policy') do
+          if TCellAgent::Utils::Strings.present?(path)
+            lfi_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LFI)
+
+            request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
+              Thread.current.object_id, {}
+            )
+
+            tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
+            return lfi_policy.block_file_access?(path, mode, tcell_context)
+          end
+        end
+
+        false
+      end
+
+      def self.extract_path_mode(*args)
+        path = ''
+        mode = ''
+
+        return ['', ''] if args.empty?
+
+        TCellAgent::Instrumentation.safe_block('LFI Parsing *args') do
+          args_copy = Array.new(args)
+          path = args_copy.shift
+          mode = args_copy.shift || 'r'
+        end
+
+        if path && path.to_s[0] != '|'
+          [File.expand_path(path).to_s, convert_mode(mode)]
+        else
+          ['', '']
+        end
+      end
+
+      def self.extract_path_mode_argf
+        path = ''
+        mode = 'Read'
+
+        TCellAgent::Instrumentation.safe_block('LFI Parsing ARGF') do
+          if ARGF.eof? && !ARGV.empty?
+            argv_copy = Array.new(ARGV)
+            path = argv_copy.shift
+          else
+            path = ARGF.filename
+          end
+        end
+
+        path = File.expand_path(path) unless path.nil?
+        [path.to_s, mode]
+      end
+
+      def self.convert_mode(mode)
+        if mode.is_a? String
+          return 'ReadWrite' if mode.include? '+'
+          return 'Write' if (mode.include? 'w') || (mode.include? 'a')
+        elsif mode.is_a? Numeric
+          return 'ReadWrite' if (mode & ::File::RDWR) != 0
+          return 'Write' if (mode & ::File::WRONLY) != 0
+        end
+        'Read'
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/file.rb

@@ -0,0 +1,25 @@
+class File
+  class << self
+    alias_method :tcell_original_new, :new
+    def new(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_new(*args, &block)
+    end
+
+    alias_method :tcell_original_open, :open
+    def open(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_open(*args, &block)
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/io.rb

@@ -0,0 +1,123 @@
+class IO
+  class << self
+    alias_method :tcell_original_binread, :binread
+    def binread(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if path && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+      cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+      if cmd && TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_binread(*args, &block)
+    end
+
+    alias_method :tcell_original_binwrite, :binwrite
+    def binwrite(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Write'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_binwrite(*args, &block)
+    end
+
+    alias_method :tcell_original_foreach, :foreach
+    def foreach(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_foreach(*args, &block)
+    end
+
+    alias_method :tcell_original_popen, :popen
+    def popen(*args, &block)
+      unless args.empty?
+        cmd = ''
+
+        TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
+          args_copy = Array.new(args)
+          args_copy.shift if args_copy.first.is_a?(Hash)
+          args_copy.pop if args_copy.last.is_a?(Hash)
+
+          cmd = if args_copy.first.is_a?(String)
+                  args_copy.shift
+                else
+                  TCellAgent::Cmdi.parse_command(*args_copy.shift)
+                end
+        end
+
+        if TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_popen(*args, &block)
+    end
+
+    alias_method :tcell_original_read, :read
+    def read(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if path && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+      if cmd && TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+      tcell_original_read(*args, &block)
+    end
+
+    alias_method :tcell_original_readlines, :readlines
+    def readlines(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if path && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+      if cmd && TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_readlines(*args, &block)
+    end
+
+    alias_method :tcell_original_sysopen, :sysopen
+    def sysopen(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_sysopen(*args, &block)
+    end
+
+    alias_method :tcell_original_write, :write
+    def write(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Write'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_write(*args, &block)
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb

@@ -0,0 +1,159 @@
+module Kernel
+  class << self
+    alias_method :tcell_original_1_open, :open
+    def open(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if path && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+      if cmd && TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_1_open(*args, &block)
+    end
+
+    alias_method :tcell_original_1_gets, :gets
+    def gets(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_1_gets(*args, &block)
+    end
+
+    alias_method :tcell_original_readline, :readline
+    def readline(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_readline(*args, &block)
+    end
+
+    alias_method :tcell_original_1_spawn, :spawn
+    def spawn(*args)
+      cmd = TCellAgent::Cmdi.parse_command(*args)
+      if TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_1_spawn(*args)
+    end
+
+    alias_method :tcell_original_1_system, :system
+    def system(*args)
+      cmd = TCellAgent::Cmdi.parse_command(*args)
+      if TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_1_system(*args)
+    end
+  end
+
+  alias_method :tcell_original_backtick, :`
+  def `(cmd)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_backtick(cmd)
+  end
+
+  alias_method :tcell_original_2_open, :open
+  def open(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+    if path && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+    if cmd && TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_2_open(*args, &block)
+  end
+
+  alias_method :tcell_original_2_gets, :gets
+  def gets(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+    if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    tcell_original_2_gets(*args, &block)
+  end
+
+  alias_method :tcell_original_readline, :readline
+  def readline(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+    if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    tcell_original_readline(*args, &block)
+  end
+
+  alias_method :tcell_original_2_spawn, :spawn
+  def spawn(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_2_spawn(*args)
+  end
+
+  alias_method :tcell_original_2_system, :system
+  def system(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_2_system(*args)
+  end
+end
+
+if TCellAgent.configuration.should_instrument_cmdi_exec?
+  module Kernel
+    class << self
+      alias_method :tcell_original_exec, :exec
+      def exec(*args)
+        cmd = TCellAgent::Cmdi.parse_command(*args)
+        if TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+
+        tcell_original_exec(*args)
+      end
+    end
+
+    alias_method :tcell_original_exec, :exec
+
+    private
+
+    def exec(*args)
+      cmd = TCellAgent::Cmdi.parse_command(*args)
+      if TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_exec(*args)
+    end
+  end
+else
+  TCellAgent.logger.debug('Disabling cmdi Kernel::exec instrumentation', 'TCellAgent::Cmdi')
+end