RubyGems - tcell_agent - Versions diffs - 1.1.12 → 2.2.0 - Mend

tcell_agent 1.1.12 → 2.2.0

Files changed (169) hide show

checksums.yaml +5 -5
data/bin/tcell_agent +45 -137
data/lib/tcell_agent.rb +12 -14
data/lib/tcell_agent/agent.rb +108 -97
data/lib/tcell_agent/agent/route_manager.rb +0 -16
data/lib/tcell_agent/agent/static_agent.rb +9 -30
data/lib/tcell_agent/config_initializer.rb +66 -0
data/lib/tcell_agent/configuration.rb +69 -345
data/lib/tcell_agent/hooks/login_fraud.rb +30 -33
data/lib/tcell_agent/instrument_servers.rb +23 -0
data/lib/tcell_agent/instrumentation.rb +12 -10
data/lib/tcell_agent/instrumentation/cmdi.rb +29 -25
data/lib/tcell_agent/instrumentation/lfi.rb +84 -0
data/lib/tcell_agent/instrumentation/monkey_patches/file.rb +25 -0
data/lib/tcell_agent/instrumentation/monkey_patches/io.rb +131 -0
data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb +102 -0
data/lib/tcell_agent/logger.rb +49 -114
data/lib/tcell_agent/patches.rb +6 -7
data/lib/tcell_agent/policies/appfirewall_policy.rb +26 -0
data/lib/tcell_agent/policies/command_injection_policy.rb +28 -0
data/lib/tcell_agent/policies/dataloss_policy.rb +44 -44
data/lib/tcell_agent/policies/headers_policy.rb +25 -0
data/lib/tcell_agent/policies/http_redirect_policy.rb +13 -79
data/lib/tcell_agent/policies/js_agent_policy.rb +27 -0
data/lib/tcell_agent/policies/local_file_access.rb +28 -0
data/lib/tcell_agent/policies/login_policy.rb +43 -0
data/lib/tcell_agent/policies/patches_policy.rb +27 -0
data/lib/tcell_agent/policies/policies_manager.rb +68 -0
data/lib/tcell_agent/policies/policy_polling.rb +58 -0
data/lib/tcell_agent/policies/policy_types.rb +14 -0
data/lib/tcell_agent/policies/system_enablements.rb +27 -0
data/lib/tcell_agent/rails/auth/authlogic.rb +46 -75
data/lib/tcell_agent/rails/auth/authlogic_helper.rb +20 -0
data/lib/tcell_agent/rails/auth/devise.rb +100 -105
data/lib/tcell_agent/rails/auth/devise_helper.rb +29 -0
data/lib/tcell_agent/rails/auth/doorkeeper.rb +62 -76
data/lib/tcell_agent/{userinfo.rb → rails/auth/userinfo.rb} +0 -0
data/lib/tcell_agent/rails/csrf_exception.rb +2 -10
data/lib/tcell_agent/rails/dlp.rb +35 -23
data/lib/tcell_agent/rails/dlp_handler.rb +1 -2
data/lib/tcell_agent/rails/js_agent_insert.rb +12 -13
data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +4 -25
data/lib/tcell_agent/rails/middleware/context_middleware.rb +2 -12
data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -2
data/lib/tcell_agent/rails/middleware/headers_middleware.rb +14 -34
data/lib/tcell_agent/{rails.rb → rails/railties/tcell_agent_railties.rb} +11 -16
data/lib/tcell_agent/rails/railties/tcell_agent_unicorn_railties.rb +8 -0
data/lib/tcell_agent/rails/routes.rb +10 -12
data/lib/tcell_agent/rails/routes/grape.rb +4 -14
data/lib/tcell_agent/rails/routes/route_id.rb +3 -1
data/lib/tcell_agent/rails/settings_reporter.rb +23 -36
data/lib/tcell_agent/rails/tcell_body_proxy.rb +5 -4
data/lib/tcell_agent/rust/agent_config.rb +60 -0
data/lib/tcell_agent/rust/{libtcellagent-alpine-1.3.2.so → libtcellagent-5.0.2.dylib} +0 -0
data/lib/tcell_agent/rust/{libtcellagent-1.3.2.so → libtcellagent-5.0.2.so} +0 -0
data/lib/tcell_agent/rust/libtcellagent-alpine-5.0.2.so +0 -0
data/lib/tcell_agent/rust/models.rb +6 -52
data/lib/tcell_agent/rust/native_agent.rb +549 -0
data/lib/tcell_agent/rust/native_agent_response.rb +42 -0
data/lib/tcell_agent/rust/native_library.rb +69 -0
data/lib/tcell_agent/rust/tcellagent-5.0.2.dll +0 -0
data/lib/tcell_agent/sensor_events/agent_setting_event.rb +12 -0
data/lib/tcell_agent/sensor_events/{app_config.rb → app_config_setting_event.rb} +0 -6
data/lib/tcell_agent/sensor_events/dlp.rb +2 -6
data/lib/tcell_agent/sensor_events/sensor.rb +0 -62
data/lib/tcell_agent/sensor_events/server_agent.rb +13 -18
data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +0 -108
data/lib/tcell_agent/sensor_events/util/utils.rb +0 -2
data/lib/tcell_agent/servers/passenger.rb +1 -28
data/lib/tcell_agent/servers/puma.rb +3 -21
data/lib/tcell_agent/servers/rails_server.rb +1 -2
data/lib/tcell_agent/servers/thin.rb +2 -2
data/lib/tcell_agent/servers/unicorn.rb +19 -80
data/lib/tcell_agent/servers/webrick.rb +1 -2
data/lib/tcell_agent/settings_reporter.rb +11 -90
data/lib/tcell_agent/sinatra.rb +14 -16
data/lib/tcell_agent/tcell_context.rb +40 -14
data/lib/tcell_agent/utils/headers.rb +14 -0
data/lib/tcell_agent/version.rb +1 -1
data/spec/lib/tcell_agent/configuration_spec.rb +55 -346
data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +46 -173
data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb +504 -0
data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb +435 -0
data/spec/lib/tcell_agent/instrumentation/cmdi_spec.rb +201 -0
data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb +326 -0
data/spec/lib/tcell_agent/instrumentation/lfi/io_lfi_spec.rb +562 -0
data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb +264 -0
data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb +150 -0
data/spec/lib/tcell_agent/patches_spec.rb +25 -43
data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb +183 -0
data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +57 -0
data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +84 -773
data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +161 -0
data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +9 -9
data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +243 -198
data/spec/lib/tcell_agent/policies/js_agent_policy_spec.rb +75 -0
data/spec/lib/tcell_agent/policies/login_policy_spec.rb +165 -33
data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +84 -277
data/spec/lib/tcell_agent/policies/policies_manager_spec.rb +104 -0
data/spec/lib/tcell_agent/policies/policy_polling_spec.rb +6 -0
data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +56 -0
data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +9 -18
data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +13 -30
data/spec/lib/tcell_agent/rails/logger_spec.rb +27 -7
data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +17 -12
data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +14 -14
data/spec/lib/tcell_agent/rust/agent_config_spec.rb +27 -0
data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +0 -35
data/spec/lib/tcell_agent/settings_reporter_spec.rb +56 -155
data/spec/spec_helper.rb +1 -1
data/spec/support/builders.rb +103 -0
data/spec/support/force_logger_mocking.rb +38 -0
data/spec/support/resources/lfi_sample_file.txt +2 -0
data/spec/support/static_agent_overrides.rb +0 -15
metadata +72 -83
data/lib/tcell_agent/agent/event_processor.rb +0 -326
data/lib/tcell_agent/agent/fork_pipe_manager.rb +0 -113
data/lib/tcell_agent/agent/policy_manager.rb +0 -219
data/lib/tcell_agent/agent/policy_types.rb +0 -30
data/lib/tcell_agent/api.rb +0 -91
data/lib/tcell_agent/appsensor/injections_reporter.rb +0 -24
data/lib/tcell_agent/authlogic.rb +0 -26
data/lib/tcell_agent/config/child_process_events.rb +0 -8
data/lib/tcell_agent/config/unknown_options.rb +0 -123
data/lib/tcell_agent/devise.rb +0 -35
data/lib/tcell_agent/instrumentation/cmdi/backtick.rb +0 -10
data/lib/tcell_agent/instrumentation/cmdi/exec.rb +0 -14
data/lib/tcell_agent/instrumentation/cmdi/popen.rb +0 -28
data/lib/tcell_agent/instrumentation/cmdi/spawn.rb +0 -11
data/lib/tcell_agent/instrumentation/cmdi/system.rb +0 -11
data/lib/tcell_agent/policies/http_tx_policy.rb +0 -60
data/lib/tcell_agent/policies/login_fraud_policy.rb +0 -45
data/lib/tcell_agent/policies/rust_policies.rb +0 -110
data/lib/tcell_agent/rails/on_start.rb +0 -41
data/lib/tcell_agent/rust/libtcellagent-1.3.2.dylib +0 -0
data/lib/tcell_agent/rust/tcellagent-1.3.2.dll +0 -0
data/lib/tcell_agent/rust/whisperer.rb +0 -308
data/lib/tcell_agent/sensor_events/appsensor_event.rb +0 -52
data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +0 -45
data/lib/tcell_agent/sensor_events/command_injection.rb +0 -75
data/lib/tcell_agent/sensor_events/honeytokens.rb +0 -16
data/lib/tcell_agent/sensor_events/login_fraud.rb +0 -60
data/lib/tcell_agent/sensor_events/metrics.rb +0 -123
data/lib/tcell_agent/sensor_events/patches.rb +0 -21
data/lib/tcell_agent/start_background_thread.rb +0 -55
data/lib/tcell_agent/system_info.rb +0 -11
data/lib/tcell_agent/utils/io.rb +0 -38
data/lib/tcell_agent/utils/passwords.rb +0 -28
data/lib/tcell_agent/utils/queue_with_timeout.rb +0 -142
data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +0 -100
data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +0 -535
data/spec/lib/tcell_agent/agent/static_agent_spec.rb +0 -133
data/spec/lib/tcell_agent/api/api_spec.rb +0 -39
data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +0 -187
data/spec/lib/tcell_agent/cmdi_spec.rb +0 -736
data/spec/lib/tcell_agent/config/unknown_options_spec.rb +0 -213
data/spec/lib/tcell_agent/instrumentation_spec.rb +0 -225
data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +0 -517
data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +0 -22
data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +0 -293
data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +0 -198
data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +0 -180
data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +0 -116
data/spec/lib/tcell_agent/rust/models_spec.rb +0 -120
data/spec/lib/tcell_agent/rust/whisperer_spec.rb +0 -704
data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +0 -45
data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +0 -272
data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +0 -52
data/spec/lib/tcell_agent/utils/passwords_spec.rb +0 -143

data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb ADDED

@@ -0,0 +1,504 @@
+require 'spec_helper'
+describe IO do
+  describe '.binread' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+    context 'empty name' do
+      it 'should raise an error' do
+        expect do
+          IO.binread
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.binread(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.binread('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            IO.binread('|')
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.binread('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.binread('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.binread('|invalid command', 10, 20)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(IO.binread('|echo test')).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+            expect(IO.binread('|echo test')).to eq("test\n")
+          end
+        end
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+            expect(IO.binread('|echo test')).to eq("test\n")
+          end
+        end
+      end
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+            expect do
+              IO.binread('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+  describe '.popen' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          IO.popen
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.popen(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.popen('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'non existent command' do
+      it 'should return nil' do
+        expect do
+          IO.popen('foobar')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'with a valid command' do
+      it 'should execute command' do
+        expect(IO.popen('echo test').read).to eq("test\n")
+      end
+    end
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(@command_injection_policy.enabled).to eq(false)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_call_original
+          expect(@command_injection_policy).to_not receive(:block_command?)
+          IO.popen('echo test')
+        end
+      end
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+          IO.popen('echo test')
+        end
+      end
+    end
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+          expect do
+            IO.popen('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+    context 'with env' do
+      before(:each) do
+        @env = { 'TCELL_VAR' => 'enabled' }
+      end
+      context 'with string command' do
+        it 'should execute the command' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, 'echo', 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, 'echo', 'w+', :unsetenv_others => true)
+        end
+      end
+      context 'with string command and arguments' do
+        it 'should parse the command' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test', 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test', :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, 'echo test', 'w+', :unsetenv_others => true)
+        end
+      end
+      context 'with array command' do
+        it 'should parse the command properly' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, [%w[echo argv0]], 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, [%w[echo argv0]], :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, [%w[echo argv0]], 'w+', :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, ['echo'], 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, ['echo'], :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo')
+          IO.popen(@env, ['echo'], 'w+', :unsetenv_others => true)
+        end
+      end
+      context 'with array command and arguments' do
+        it 'should parse the command properly' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'])
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'], 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'], :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [%w[echo argv0], 'test'], 'w+', :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test])
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test], 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test], :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, %w[echo test], 'w+', :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([@env, 'echo', 'test', :unsetenv_others => true], 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(@env, [@env, 'echo', 'test', :unsetenv_others => true], 'w+', :err => %i[child out])
+        end
+      end
+    end
+    context 'without env' do
+      context 'with array command and arguments' do
+        it 'should parse the command properly' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'])
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'], 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'], :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen([%w[echo argv0], 'test'], 'w+', :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test])
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test], 'w+')
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test], :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with('echo test')
+          IO.popen(%w[echo test], 'w+', :unsetenv_others => true)
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with(
+            "echo -size 320x85 canvas:none -font Bookman-DemiItalic -draw \"text 25,60 'Magick'\""
+          )
+          IO.popen(
+            [%w[echo argv0],
+             '-size',
+             '320x85',
+             'canvas:none',
+             '-font',
+             'Bookman-DemiItalic',
+             '-draw',
+             "\"text 25,60 \'Magick\'\""],
+            :unsetenv_others => true
+          )
+        end
+      end
+    end
+  end
+  describe '.read' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+    context 'empty name' do
+      it 'should raise an error' do
+        expect do
+          IO.read
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.read(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.read('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            IO.read('|')
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.read('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.read('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.read('|invalid command', 10, 20)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(IO.read('|echo test')).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+            expect(IO.read('|echo test')).to eq("test\n")
+          end
+        end
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).and_return(false)
+            expect(IO.read('|echo test')).to eq("test\n")
+          end
+        end
+      end
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).and_return(true)
+            expect do
+              IO.read('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+  describe '.readlines' do
+    before(:each) do
+      native_agent = double('native_agent')
+      @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+        native_agent, {}
+      )
+    end
+    context 'empty name' do
+      it 'should raise an error' do
+        expect do
+          IO.readlines
+        end.to raise_error(ArgumentError)
+        expect do
+          IO.readlines(nil)
+        end.to raise_error(TypeError)
+        expect do
+          IO.readlines('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            IO.readlines('|')
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.readlines('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+          expect do
+            IO.readlines('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(IO.readlines('|echo test')[0]).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+            expect(IO.readlines('|echo test')[0]).to eq("test\n")
+          end
+        end
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).and_return(false)
+            expect(IO.readlines('|echo test')[0]).to eq("test\n")
+          end
+        end
+      end
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+            expect do
+              IO.readlines('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+end