tcell_agent 1.1.12 → 2.2.0

data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb

@@ -0,0 +1,264 @@
+# rubocop:disable Security/Open
+# rubocop:disable Lint/UselessAssignment
+require 'spec_helper'
+require 'securerandom'
+require 'pathname'
+
+describe 'Kernel' do
+  before do
+    native_agent = double('native_agent')
+    @local_files_policy = TCellAgent::Policies::LocalFileInclusion.new(
+      native_agent, {}
+    )
+    @filename = get_test_resource_path('lfi_sample_file.txt')
+    @file_contents = "This is line one.\nThis is line two.\n"
+  end
+
+  before(:all) do
+    @new_file_name = '/tmp/' + SecureRandom.uuid
+    @new_pathname = Pathname.new(@new_file_name)
+  end
+  describe '#open and ::open' do
+    context 'empty path' do
+      it 'should raise an error' do
+        expect do
+          Kernel.open
+        end.to raise_error(ArgumentError)
+        expect do
+          Kernel.open(nil)
+        end.to raise_error(TypeError)
+        expect do
+          Kernel.open('')
+        end.to raise_error(Errno::ENOENT)
+        expect do
+          open
+        end.to raise_error(ArgumentError)
+        expect do
+          open(nil)
+        end.to raise_error(TypeError)
+        expect do
+          open('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'with a non-existent file, with filename not blocked for read/write' do
+      before do |test|
+        unless test.metadata[:skip_before]
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy, @local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false, false)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
+        end
+      end
+
+      it 'should still be able to execute OS commands', :skip_before do
+        result = Kernel.open('|echo test').read
+        expect(result).to eq "test\n"
+
+        result = open('|echo test').read
+        expect(result).to eq "test\n"
+      end
+      context 'with a pathname filename with mode w' do
+        it 'should create the file' do
+          Kernel.open(@new_pathname, 'w')
+          expect(File.exist?(@new_pathname)).to be_truthy
+          File.delete(@new_pathname)
+
+          open(@new_pathname, 'w')
+          expect(File.exist?(@new_pathname)).to be_truthy
+          File.delete(@new_pathname)
+        end
+      end
+      context 'with a filename with mode w' do
+        it 'should create the file' do
+          Kernel.open(@new_file_name, 'w')
+          expect(File.exist?(@new_file_name)).to be_truthy
+          File.delete(@new_file_name)
+
+          open(@new_file_name, 'w')
+          expect(File.exist?(@new_file_name)).to be_truthy
+          File.delete(@new_file_name)
+        end
+      end
+      context 'with a filename and mode w and file permissions 644' do
+        it 'should create the file with the correct permissions' do
+          Kernel.open(@new_file_name, 'w', 0o644)
+          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+          File.delete(@new_file_name)
+
+          open(@new_file_name, 'w', 0o644)
+          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+          File.delete(@new_file_name)
+        end
+      end
+      context 'with a filename and mode w and file permissions 777' do
+        it 'should create the file with the correct permissions 755' do
+          Kernel.open(@new_file_name, 'w', 0o777)
+          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+          File.delete(@new_file_name)
+
+          open(@new_file_name, 'w', 0o777)
+          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+          File.delete(@new_file_name)
+        end
+      end
+    end
+    context 'with a non-existent file, with filename blocked for read/write' do
+      before do |test|
+        unless test.metadata[:skip_before]
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy, @local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(true, true)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
+        end
+      end
+
+      it 'should still be able to execute OS commands', :skip_before do
+        result = Kernel.open('|echo test').read
+        expect(result).to eq "test\n"
+
+        result = open('|echo test').read
+        expect(result).to eq "test\n"
+      end
+      context 'with a filename with mode w' do
+        it 'should raise an error' do
+          expect do
+            Kernel.open(@new_file_name, 'w')
+          end.to raise_error(IOError)
+
+          expect do
+            open(@new_file_name, 'w')
+          end.to raise_error(IOError)
+        end
+      end
+      context 'with a filename and mode w' do
+        it 'should raise an error' do
+          expect do
+            Kernel.open(@new_file_name, 'w')
+          end.to raise_error(IOError)
+
+          expect do
+            open(@new_file_name, 'w')
+          end.to raise_error(IOError)
+        end
+      end
+      context 'with a filename and mode a' do
+        it 'should raise an error' do
+          expect do
+            Kernel.open(@new_file_name, 'a')
+          end.to raise_error(IOError)
+
+          expect do
+            open(@new_file_name, 'a')
+          end.to raise_error(IOError)
+        end
+      end
+    end
+  end
+
+  describe '::gets and #gets' do
+    context 'with a filename not blocked for read/write' do
+      it 'should still be able to read the file' do
+        expect(TCellAgent).to receive(:policy).with(
+          TCellAgent::PolicyTypes::LFI
+        ).and_return(@local_files_policy, @local_files_policy, @local_files_policy, @local_files_policy)
+        expect(@local_files_policy).to receive(:block_file_access?).and_return(false, false, false, false)
+
+        copy = Array.new(ARGV)
+        ARGV.clear
+        ARGV << @filename
+        result = gets
+        result << gets
+        ARGV.replace(copy)
+        expect(result).to eq @file_contents
+
+        copy = Array.new(ARGV)
+        ARGV.clear
+        ARGV << @filename
+        result = Kernel.gets
+        result << Kernel.gets
+        ARGV.replace(copy)
+        expect(result).to eq @file_contents
+      end
+    end
+    context 'with a filename blocked for read/write' do
+      it 'should not be able to read the file' do
+        expect(TCellAgent).to receive(:policy).with(
+          TCellAgent::PolicyTypes::LFI
+        ).and_return(@local_files_policy, @local_files_policy)
+        expect(@local_files_policy).to receive(:block_file_access?).and_return(true, true)
+
+        copy = Array.new(ARGV)
+        ARGV.clear
+        ARGV << @filename
+        expect do
+          result = gets
+        end.to raise_error(IOError)
+        ARGV.replace(copy)
+
+        copy = Array.new(ARGV)
+        ARGV.clear
+        ARGV << @filename
+        expect do
+          result = Kernel.gets
+        end.to raise_error(IOError)
+        ARGV.replace(copy)
+      end
+    end
+  end
+
+  describe '::readline and #readline' do
+    context 'with a filename not blocked for read/write' do
+      it 'should be able to read the file' do
+        expect(TCellAgent).to receive(:policy).with(
+          TCellAgent::PolicyTypes::LFI
+        ).and_return(@local_files_policy, @local_files_policy, @local_files_policy, @local_files_policy)
+        expect(@local_files_policy).to receive(:block_file_access?).and_return(false, false, false, false)
+
+        copy = Array.new(ARGV)
+        ARGV.clear
+        ARGV << @filename
+        result = readline
+        result << readline
+        ARGV.replace(copy)
+        expect(result).to eq @file_contents
+
+        result = ''
+        copy = Array.new(ARGV)
+        ARGV.clear
+        ARGV << @filename
+        result = Kernel.readline
+        result << Kernel.readline
+        ARGV.replace(copy)
+        expect(result).to eq @file_contents
+      end
+    end
+    context 'with a filename blocked for read' do
+      it 'should not be able to read the file' do
+        expect(TCellAgent).to receive(:policy).with(
+          TCellAgent::PolicyTypes::LFI
+        ).and_return(@local_files_policy, @local_files_policy)
+        expect(@local_files_policy).to receive(:block_file_access?).and_return(true, true)
+
+        expect do
+          copy = Array.new(ARGV)
+          ARGV.clear
+          ARGV << @filename
+          Kernel.readline
+          ARGV.replace(copy)
+        end.to raise_error(IOError)
+        expect do
+          copy = Array.new(ARGV)
+          ARGV.clear
+          ARGV << @filename
+          Kernel.readline
+          ARGV.replace(copy)
+        end.to raise_error(IOError)
+      end
+    end
+  end
+end
+# rubocop:enable Security/Open
+# rubocop:enable Lint/UselessAssignment

data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb

@@ -0,0 +1,150 @@
+require 'spec_helper'
+
+module TCellAgent
+  module Instrumentation
+    module Lfi
+      describe '.extract_path_mode' do
+        context 'with path' do
+          it 'should extract the path correctly' do
+            args = '/path-to-file'
+            path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(args)
+            expect(path).to eq(File.expand_path('/path-to-file'))
+          end
+          it 'should default to read mode' do
+            args = '/path-to-file'
+            _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(args)
+            expect(mode).to eq('Read')
+          end
+          it 'should not expand paths starting with |' do
+            args = '|cat /etc/passwd'
+            path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(args)
+            expect(path).to eq('')
+            expect(mode).to eq('')
+          end
+          it 'should not expand paths starting with |-' do
+            args = '|-'
+            path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(args)
+            expect(path).to eq('')
+            expect(mode).to eq('')
+          end
+        end
+        context 'with path and mode' do
+          context 'with a valid mode' do
+            it 'should return Read for mode r' do
+              args = '/path-to-file', 'r'
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+
+              args = '/path-to-file', { :mode => 'r' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
+            it 'should return Write for mode w' do
+              args = '/path-to-file', 'w'
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => 'w' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+            end
+            it 'should return Write for mode a' do
+              args = '/path-to-file', 'a'
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => 'a' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+            end
+            it 'should return ReadWrite for mode r+' do
+              args = '/path-to-file', 'r+'
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'r+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+            end
+            it 'should return ReadWrite for mode w+' do
+              args = '/path-to-file', 'w+'
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'w+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+            end
+            it 'should return ReadWrite for mode a+' do
+              args = '/path-to-file', 'a+'
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'a+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+            end
+            it 'should return Read for mode ::File::RDONLY (0)' do
+              args = '/path-to-file', ::File::RDONLY
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+
+              args = '/path-to-file', { :mode => ::File::RDONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
+            it 'should return Write for mode ::File::WRONLY (1)' do
+              args = '/path-to-file', ::File::WRONLY
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => ::File::WRONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+            end
+            it 'should return ReadWrite for mode ::File::RDWR (2)' do
+              args = '/path-to-file', ::File::RDWR
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => ::File::RDWR }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
+            end
+            it 'should return Write for mode ::File::CREAT | ::File::EXCL | ::File::WRONLY (2561)' do
+              args = '/path-to-file', ::File::CREAT | ::File::EXCL | ::File::WRONLY
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => ::File::CREAT | ::File::EXCL | ::File::WRONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
+            end
+          end
+          context 'with an invalid mode' do
+            it 'should return Read when mode is a random string' do
+              args = '/path-to-file', 'mode'
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
+            it 'should return Read when mode is an empty hash' do
+              args = '/path-to-file', {}
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
+            it 'should return Read when mode is a hash without a :mode key' do
+              args = '/path-to-file', { :placeholder => 'testing' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
+            it 'should return Read when mode is an array' do
+              args = '/path-to-file', []
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/spec/lib/tcell_agent/patches_spec.rb

@@ -4,19 +4,11 @@ module TCellAgent
   module Instrumentation
     describe '.block?' do
       before(:each) do
-        configuration = double(
-          'configuration',
-          {
-            'app_id' => 'app_id',
-            'api_key' => 'api_key',
-            'allow_payloads' => true,
-            'js_agent_api_base_url' => 'http://api.tcell.com/',
-            'js_agent_url' => 'https://jsagent.tcell.io/tcellagent.min.js',
-            'max_csp_header_bytes' => nil
-          }
+        native_agent = double('native_agent')
+        @patches_policy = TCellAgent::Policies::PatchesPolicy.new(
+          native_agent,
+          {}
         )
-        expect(TCellAgent).to receive(:configuration).and_return(configuration).at_least(:once)
-        @rust_policies = TCellAgent::Policies::RustPolicies.new
       end
 
       context 'with an unexpected error' do
@@ -24,24 +16,14 @@ module TCellAgent
           logger = double('logger')
           request = double('request')
           expect(TCellAgent).to receive(:policy).with(
-            TCellAgent::PolicyTypes::RUST
+            TCellAgent::PolicyTypes::PATCHES
           ).and_raise(StandardError.new('UNEXPECTED'))
-          expect(TCellAgent::MetaData).to_not receive(:from_request)
-          expect(TCellAgent).to receive(:logger).and_return(logger).twice
-          expect(logger).to receive(:debug).with(
-            'Exception in safe_block Checking patches blocking: StandardError happened, message is UNEXPECTED'
+          expect(TCellAgent::MetaData).to_not receive(:for_patches)
+          expect(TCellAgent::Instrumentation).to receive(:get_safe_block_logger).and_return(logger)
+          expect(logger).to receive(:error).with(
+            'Error Checking patches blocking (StandardError): UNEXPECTED'
           )
-          expect(logger).to receive(:debug) # exception stack trace
-
-          expect(Patches.block?(request)).to eq(false)
-        end
-      end
-
-      context 'with an empty patches policy' do
-        it 'should return false' do
-          request = double('request')
-          expect(TCellAgent).to receive(:policy).and_return(nil)
-          expect(TCellAgent::MetaData).to_not receive(:from_request)
+          expect(logger).to receive(:exception) # exception stack trace
 
           expect(Patches.block?(request)).to eq(false)
         end
@@ -50,10 +32,10 @@ module TCellAgent
       context 'with a disabled patches policy' do
         it 'should return false' do
           request = double('request')
-          expect(@rust_policies.patches_enabled).to eq(false)
+          expect(@patches_policy.enabled).to eq(false)
 
-          expect(TCellAgent).to receive(:policy).and_return(@rust_policies)
-          expect(TCellAgent::MetaData).to_not receive(:from_request)
+          expect(TCellAgent).to receive(:policy).and_return(@patches_policy)
+          expect(TCellAgent::MetaData).to_not receive(:for_patches)
 
           expect(Patches.block?(request)).to eq(false)
         end
@@ -65,15 +47,15 @@ module TCellAgent
           meta_data = double('meta_data')
           tcell_context = TCellAgent::Instrumentation::TCellData.new
 
-          expect(TCellAgent).to receive(:policy).and_return(@rust_policies)
-          expect(@rust_policies).to receive(:patches_enabled).and_return(true)
-          expect(@rust_policies).to receive(:block_request?).and_return(false)
+          expect(TCellAgent).to receive(:policy).and_return(@patches_policy)
+          expect(@patches_policy).to receive(:enabled).and_return(true)
+          expect(@patches_policy).to receive(:block_request?).and_return(false)
           expect(request).to receive(:env).and_return(
             {
               TCellAgent::Instrumentation::TCELL_ID => tcell_context
             }
           )
-          expect(TCellAgent::MetaData).to receive(:from_request).and_return(
+          expect(TCellAgent::MetaData).to receive(:for_patches).and_return(
             meta_data
           )
 
@@ -89,10 +71,10 @@ module TCellAgent
           tcell_context = TCellAgent::Instrumentation::TCellData.new
           expect(tcell_context.patches_blocking_triggered).to eq(false)
 
-          expect(TCellAgent).to receive(:policy).and_return(@rust_policies)
-          expect(@rust_policies).to receive(:patches_enabled).and_return(true)
-          expect(@rust_policies).to receive(:block_request?).and_return(true)
-          expect(TCellAgent::MetaData).to receive(:from_request).and_return(
+          expect(TCellAgent).to receive(:policy).and_return(@patches_policy)
+          expect(@patches_policy).to receive(:enabled).and_return(true)
+          expect(@patches_policy).to receive(:block_request?).and_return(true)
+          expect(TCellAgent::MetaData).to receive(:for_patches).and_return(
             meta_data
           )
           expect(request).to receive(:env).and_return({ TCellAgent::Instrumentation::TCELL_ID => tcell_context })
@@ -119,10 +101,10 @@ module TCellAgent
 
             expect(tcell_context.patches_blocking_triggered).to eq(false)
 
-            expect(TCellAgent).to receive(:policy).and_return(@rust_policies)
-            expect(@rust_policies).to receive(:patches_enabled).and_return(true)
-            expect(@rust_policies).to receive(:block_request?).and_return(true)
-            expect(TCellAgent::MetaData).to receive(:from_request).and_return(
+            expect(TCellAgent).to receive(:policy).and_return(@patches_policy)
+            expect(@patches_policy).to receive(:enabled).and_return(true)
+            expect(@patches_policy).to receive(:block_request?).and_return(true)
+            expect(TCellAgent::MetaData).to receive(:for_patches).and_return(
               meta_data
             )
             expect(request).to receive(:env).and_return({ TCellAgent::Instrumentation::TCELL_ID => tcell_context })