tcell_agent 1.1.12 → 2.2.0

data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb

@@ -0,0 +1,435 @@
+require 'spec_helper'
+
+describe Kernel do
+  before(:each) do
+    native_agent = double('native_agent')
+    @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+      native_agent, {}
+    )
+  end
+
+  describe '.backtick' do
+    context 'empty command' do
+      it 'should raise Errno::ENOENT' do
+        expect do
+          ``
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          `echo test`
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+          `echo test`
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+          expect do
+            `echo test`
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '%x methods' do
+    context 'empty command' do
+      it 'should raise RuntimeError' do
+        expect do
+          ``
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          `echo test`
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+          `echo test`
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+          expect do
+            `echo test`
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '::open and #open' do
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          Kernel.open
+        end.to raise_error(ArgumentError)
+        expect do
+          Kernel.open(nil)
+        end.to raise_error(TypeError)
+        expect do
+          Kernel.open('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            Kernel.open('|')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            Kernel.open('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            Kernel.open('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(Kernel.open('|echo test').read).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+
+            expect(Kernel.open('|echo test').read).to eq("test\n")
+          end
+        end
+
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+            expect(Kernel.open('|echo test').read).to eq("test\n")
+          end
+        end
+      end
+
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+            expect do
+              Kernel.open('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+  describe '.spawn and Kernel.spawn' do
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          spawn
+        end.to raise_error(ArgumentError)
+        expect do
+          Kernel.spawn
+        end.to raise_error(ArgumentError)
+        expect do
+          spawn(nil)
+        end.to raise_error(TypeError)
+        expect do
+          Kernel.spawn(nil)
+        end.to raise_error(TypeError)
+        expect do
+          spawn('')
+        end.to raise_error(Errno::ENOENT)
+        expect do
+          Kernel.spawn('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'non existent command' do
+      it 'should raise error' do
+        expect do
+          spawn('foobar')
+        end.to raise_error(Errno::ENOENT)
+        expect do
+          Kernel.spawn('foobar')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'with a valid command' do
+      it 'should execute command' do
+        pid = spawn('echo test > /dev/null 2>&1')
+        expect(pid).to_not be_nil
+
+        pid = spawn(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to_not be_nil
+
+        pid = Kernel.spawn('echo test > /dev/null 2>&1')
+        expect(pid).to_not be_nil
+
+        pid = Kernel.spawn(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to_not be_nil
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false, false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          spawn('echo test > /dev/null 2>&1')
+          Kernel.spawn('echo test > /dev/null 2>&1')
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test > /dev/null 2>&1', nil).and_return(false, false)
+
+          spawn('echo test > /dev/null 2>&1')
+          Kernel.spawn('echo test > /dev/null 2>&1')
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true, true)
+
+          expect do
+            spawn('echo test')
+          end.to raise_error(RuntimeError)
+          expect do
+            Kernel.spawn('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '.system and Kernel.system' do
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          system
+        end.to raise_error(ArgumentError)
+        expect do
+          Kernel.system
+        end.to raise_error(ArgumentError)
+        expect do
+          system(nil)
+        end.to raise_error(TypeError)
+        expect do
+          Kernel.system(nil)
+        end.to raise_error(TypeError)
+        expect(system('')).to be_nil
+        expect(Kernel.system('')).to be_nil
+      end
+    end
+
+    context 'non existent command' do
+      it 'should return nil' do
+        expect(system('foobar')).to be_nil
+        expect(Kernel.system('foobar')).to be_nil
+      end
+    end
+
+    context 'with a valid command' do
+      it 'should execute command' do
+        pid = system('echo test > /dev/null 2>&1')
+        expect(pid).to eq(true)
+
+        pid = system(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to eq(true)
+
+        pid = Kernel.system('echo test > /dev/null 2>&1')
+        expect(pid).to eq(true)
+
+        pid = Kernel.system(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to eq(true)
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false, false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          system('echo test > /dev/null 2>&1')
+          Kernel.system('echo test > /dev/null 2>&1')
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test > /dev/null 2>&1', nil).and_return(false, false)
+
+          system('echo test > /dev/null 2>&1')
+          Kernel.system('echo test > /dev/null 2>&1')
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true, true)
+
+          expect do
+            system('echo test')
+          end.to raise_error(RuntimeError)
+          expect do
+            Kernel.system('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '.exec' do
+    # can only test this case since exec replaces current process with new process
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true, true)
+
+          expect do
+            exec('echo test')
+          end.to raise_error(RuntimeError)
+          expect do
+            Kernel.exec('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+end

data/spec/lib/tcell_agent/instrumentation/cmdi_spec.rb

@@ -0,0 +1,201 @@
+require 'spec_helper'
+
+module TCellAgent
+  module Cmdi
+    describe '.parse_command' do
+      context 'with env' do
+        before(:each) do
+          @env = { 'TCELL_VAR' => 'enabled' }
+        end
+
+        context 'with string command' do
+          it 'should parse the command properly' do
+            cmd = TCellAgent::Cmdi.parse_command(@env, 'echo')
+            expect(cmd).to eq('echo')
+
+            cmd = TCellAgent::Cmdi.parse_command(@env, 'echo', :unsetenv_others => true)
+            expect(cmd).to eq('echo')
+          end
+        end
+
+        context 'with string command and arguments' do
+          it 'should parse the command' do
+            cmd = TCellAgent::Cmdi.parse_command(@env, 'echo', 'test', :unsetenv_others => true)
+            expect(cmd).to eq('echo test')
+
+            cmd = TCellAgent::Cmdi.parse_command(@env, 'echo', 'test', 'one', :unsetenv_others => true)
+            expect(cmd).to eq('echo test one')
+
+            cmd = TCellAgent::Cmdi.parse_command(
+              @env,
+              'magick',
+              '-size',
+              '320x85',
+              'canvas:none',
+              '-font',
+              'Bookman-DemiItalic',
+              '-draw',
+              "\"text 25,60 \'Magick\'\"",
+              :unsetenv_others => true
+            )
+            expect(cmd).to eq(
+              "magick -size 320x85 canvas:none -font Bookman-DemiItalic -draw \"text 25,60 'Magick'\""
+            )
+          end
+        end
+
+        context 'with array command' do
+          it 'should parse the command properly' do
+            cmd = TCellAgent::Cmdi.parse_command(@env, %w[echo argv0], :unsetenv_others => true)
+            expect(cmd).to eq('echo')
+          end
+        end
+
+        context 'with array command and arguments' do
+          it 'should parse the command properly' do
+            cmd = TCellAgent::Cmdi.parse_command(@env, %w[echo argv0], 'test', :unsetenv_others => true)
+            expect(cmd).to eq('echo test')
+
+            cmd = TCellAgent::Cmdi.parse_command(@env, %w[echo argv0], 'test', 'one', :unsetenv_others => true)
+            expect(cmd).to eq('echo test one')
+
+            cmd = TCellAgent::Cmdi.parse_command(
+              @env,
+              %w[magick argv0],
+              '-size',
+              '320x85',
+              'canvas:none',
+              '-font',
+              'Bookman-DemiItalic',
+              '-draw',
+              "\"text 25,60 \'Magick\'\"",
+              :unsetenv_others => true
+            )
+            expect(cmd).to eq(
+              "magick -size 320x85 canvas:none -font Bookman-DemiItalic -draw \"text 25,60 'Magick'\""
+            )
+          end
+        end
+      end
+
+      context 'without env' do
+        context 'with string command' do
+          it 'should parse the command properly' do
+            cmd = TCellAgent::Cmdi.parse_command('echo')
+            expect(cmd).to eq('echo')
+
+            cmd = TCellAgent::Cmdi.parse_command('echo', :unsetenv_others => true)
+            expect(cmd).to eq('echo')
+          end
+        end
+
+        context 'with string command and arguments' do
+          it 'should parse the command' do
+            cmd = TCellAgent::Cmdi.parse_command('echo', 'test', :unsetenv_others => true)
+            expect(cmd).to eq('echo test')
+
+            cmd = TCellAgent::Cmdi.parse_command('echo', 'test', 'one', :unsetenv_others => true)
+            expect(cmd).to eq('echo test one')
+
+            cmd = TCellAgent::Cmdi.parse_command(
+              'magick',
+              '-size',
+              '320x85',
+              'canvas:none',
+              '-font',
+              'Bookman-DemiItalic',
+              '-draw',
+              "\"text 25,60 \'Magick\'\"",
+              :unsetenv_others => true
+            )
+            expect(cmd).to eq(
+              "magick -size 320x85 canvas:none -font Bookman-DemiItalic -draw \"text 25,60 'Magick'\""
+            )
+          end
+        end
+
+        context 'with array command' do
+          it 'should parse the command properly' do
+            cmd = TCellAgent::Cmdi.parse_command(%w[echo argv0], :unsetenv_others => true)
+            expect(cmd).to eq('echo')
+          end
+        end
+
+        context 'with array command and arguments' do
+          it 'should parse the command properly' do
+            cmd = TCellAgent::Cmdi.parse_command(%w[echo argv0], 'test', :unsetenv_others => true)
+            expect(cmd).to eq('echo test')
+
+            cmd = TCellAgent::Cmdi.parse_command(%w[echo argv0], 'test', 'one', :unsetenv_others => true)
+            expect(cmd).to eq('echo test one')
+
+            cmd = TCellAgent::Cmdi.parse_command(
+              %w[magick argv0],
+              '-size',
+              '320x85',
+              'canvas:none',
+              '-font',
+              'Bookman-DemiItalic',
+              '-draw',
+              "\"text 25,60 \'Magick\'\"",
+              :unsetenv_others => true
+            )
+            expect(cmd).to eq(
+              "magick -size 320x85 canvas:none -font Bookman-DemiItalic -draw \"text 25,60 'Magick'\""
+            )
+          end
+        end
+      end
+    end
+    describe '.parse_command_from_open' do
+      context 'with empty parameters' do
+        it 'should not return a command' do
+          cmd = TCellAgent::Cmdi.parse_command_from_open
+          expect(cmd).to eq('')
+        end
+      end
+      context 'with empty array' do
+        it 'should not return a command' do
+          args = []
+          cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+          expect(cmd).to eq('')
+        end
+      end
+      context 'with a string command' do
+        context 'with an empty string' do
+          it 'should return an empty string' do
+            cmd = TCellAgent::Cmdi.parse_command_from_open('')
+            expect(cmd).to eq('')
+          end
+        end
+        context 'with an empty command' do
+          it 'should return an empty string' do
+            cmd = TCellAgent::Cmdi.parse_command_from_open('|')
+            expect(cmd).to eq('')
+          end
+        end
+        context 'with a non-empty command' do
+          it 'should parse the command properly' do
+            cmd = TCellAgent::Cmdi.parse_command_from_open('|echo')
+            expect(cmd).to eq('echo')
+
+            cmd = TCellAgent::Cmdi.parse_command_from_open('|ls -l /tmp')
+            expect(cmd).to eq('ls -l /tmp')
+          end
+        end
+      end
+      context 'with a filename argument' do
+        it 'should not return a command' do
+          cmd = TCellAgent::Cmdi.parse_command_from_open('/tmp')
+          expect(cmd).to eq('')
+        end
+      end
+      context 'with a non-string first argument' do
+        it 'should return an empty string' do
+          cmd = TCellAgent::Cmdi.parse_command_from_open({})
+          expect(cmd).to eq('')
+        end
+      end
+    end
+  end
+end