tcell_agent 1.1.12 → 2.2.0

data/lib/tcell_agent/hooks/login_fraud.rb

@@ -1,47 +1,44 @@
 require 'tcell_agent/agent'
-require 'tcell_agent/sensor_events/login_fraud'
 
 module TCellAgent
   module Hooks
     module LoginFraud
+      # Note: mock out in tests
+      def self.get_logger
+        unless defined?(@login_fraud_logger)
+          @login_fraud_logger = TCellAgent::ModuleLogger.new(TCellAgent.logger, name)
+        end
+
+        @login_fraud_logger
+      end
+
       def self.report_login_event(status,
                                   env_or_header_keys,
                                   tcell_data,
                                   user_id,
                                   password,
                                   user_valid)
-        if TCellAgent.configuration.enabled &&
-           TCellAgent.configuration.should_intercept_requests?
-          login_fraud_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
-
-          if login_fraud_policy && login_fraud_policy.enabled
-            if tcell_data
-              if ![TCellAgent::Hooks::V1::Login::LOGIN_FAILURE,
-                   TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS].include?(status)
-                TCellAgent.logger.error("Unkown login status: #{status}")
+        return unless TCellAgent.configuration.should_intercept_requests? && tcell_data
 
-              elsif (status == TCellAgent::Hooks::V1::Login::LOGIN_FAILURE) &&
-                    login_fraud_policy.login_failed_enabled
-                TCellAgent.send_event(
-                  TCellAgent::SensorEvents::LoginFailure.new(env_or_header_keys,
-                                                             tcell_data,
-                                                             user_id,
-                                                             password,
-                                                             user_valid)
-                )
+        login_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LOGINFRAUD)
 
-              elsif (status == TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS) &&
-                    login_fraud_policy.login_success_enabled
-                TCellAgent.send_event(
-                  TCellAgent::SensorEvents::LoginSuccess.new(env_or_header_keys,
-                                                             tcell_data,
-                                                             user_id,
-                                                             password,
-                                                             user_valid)
-                )
-              end
-            end
-          end
+        if ![TCellAgent::Hooks::V1::Login::LOGIN_FAILURE,
+             TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS].include?(status)
+          get_logger.error("Unkown login status: #{status}")
+        elsif status == TCellAgent::Hooks::V1::Login::LOGIN_FAILURE
+          login_policy.report_login_failure(
+            user_id,
+            password,
+            env_or_header_keys,
+            user_valid,
+            tcell_data
+          )
+        elsif status == TCellAgent::Hooks::V1::Login::LOGIN_SUCCESS
+          login_policy.report_login_success(
+            user_id,
+            env_or_header_keys,
+            tcell_data
+          )
         end
       end
     end
@@ -91,9 +88,9 @@ if defined?(TCellAgent::Hooks::V1::Login)
           tcell_data = TCellAgent::Instrumentation::TCellData.new
           tcell_data.user_agent = user_agent
           tcell_data.referrer = referrer
-          tcell_data.ip_address = remote_address
+          tcell_data.remote_address = remote_address
           tcell_data.path = document_uri
-          tcell_data.hmac_session_id = TCellAgent::SensorEvents::Util.hmac(session_id)
+          tcell_data.session_id = session_id
 
           TCellAgent::Hooks::LoginFraud.report_login_event(status,
                                                            header_keys,

data/lib/tcell_agent/instrument_servers.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+tcell_server = ENV['TCELL_AGENT_SERVER']
+
+if tcell_server && tcell_server == 'mock'
+  TCellAgent.thread_agent.instrument_built_ins
+end
+
+if (tcell_server && tcell_server == 'webrick') || defined?(Rails::Server)
+  require('tcell_agent/servers/rails_server')
+
+elsif (tcell_server && tcell_server == 'thin') || defined?(Thin)
+  require('tcell_agent/servers/thin')
+
+elsif (tcell_server && tcell_server == 'puma') || defined?(Puma)
+  require('tcell_agent/servers/puma')
+
+elsif (tcell_server && tcell_server == 'unicorn') || defined?(Unicorn)
+  require('tcell_agent/servers/unicorn')
+
+elsif (tcell_server && tcell_server == 'passenger') || defined?(PhusionPassenger)
+  require('tcell_agent/servers/passenger')
+end

data/lib/tcell_agent/instrumentation.rb

@@ -1,5 +1,4 @@
 # See the file "LICENSE" for the full license governing this code.
-require 'tcell_agent/logger'
 require 'tcell_agent/configuration'
 require 'tcell_agent/version'
 require 'date'
@@ -64,7 +63,7 @@ module TCellAgent
     class TCellData
       attr_accessor :transaction_id, :session_id, :hmac_session_id, :user_id,
                     :password, :route_id, :path, :uri, :fullpath, :context_filters_by_term,
-                    :database_filters, :ip_address, :user_agent, :request_method,
+                    :database_filters, :remote_address, :user_agent, :request_method,
                     :path_parameters, :patches_blocking_triggered, :grape_mount_endpoint,
                     :referrer, :csrf_exception_name, :sql_exceptions, :database_result_sizes
 
@@ -209,23 +208,26 @@ module TCellAgent
         "<#{self.class.name} transaction_id: #{transaction_id} session_id: #{session_id} " \
         "hmac_session_id: #{hmac_session_id} user_id: #{user_id} route_id: #{route_id} " \
         "uri: #{uri} context_filters_by_term: #{context_filters_by_term} " \
-        "database_filters: #{database_filters} ip_address: #{ip_address} user_agent: #{user_agent} " \
+        "database_filters: #{database_filters} remote_address: #{remote_address} user_agent: #{user_agent} " \
         "request_method: #{@request_method} path_parameters: #{@path_parameters}>"
       end
     end
 
-    def self.instrument_frameworks
-      require 'tcell_agent/authlogic' if defined?(Authlogic)
-      require 'tcell_agent/devise' if defined?(Devise)
-      require 'tcell_agent/rails' if defined?(Rails)
-      require 'tcell_agent/sinatra' if defined?(Sinatra)
+    # Note: mock for tests
+    def self.get_safe_block_logger
+      unless defined?(@safe_block_logger)
+        @safe_block_logger = TCellAgent::ModuleLogger.new(TCellAgent.logger, name)
+      end
+
+      @safe_block_logger
     end
 
     def self.safe_block(message, &block)
       block.call
     rescue StandardError => ex
-      TCellAgent.logger.debug "Exception in safe_block #{message}: #{ex.class} happened, message is #{ex.message}"
-      TCellAgent.logger.debug(ex.backtrace)
+      logger = get_safe_block_logger
+      logger.error("Error #{message} (#{ex.class}): #{ex.message}")
+      logger.exception(ex)
     end
 
     def self.safe_block_no_log(_message, &block)

data/lib/tcell_agent/instrumentation/cmdi.rb

@@ -1,4 +1,4 @@
-require 'tcell_agent/agent/policy_types'
+require 'tcell_agent/policies/policy_types'
 require 'tcell_agent/utils/strings'
 require 'tcell_agent/configuration'
 
@@ -7,13 +7,13 @@ module TCellAgent
     def self.block_command?(cmd)
       TCellAgent::Instrumentation.safe_block('Checking Command Injection Policy') do
         if TCellAgent::Utils::Strings.present?(cmd)
-          rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-          if rust_policies && rust_policies.cmdi_enabled
+          command_injection_policy = TCellAgent.policy(TCellAgent::PolicyTypes::COMMANDINJECTION)
+          if command_injection_policy.enabled
             request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
               Thread.current.object_id, {}
             )
             tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
-            return rust_policies.block_command?(cmd, tcell_context)
+            return command_injection_policy.block_command?(cmd, tcell_context)
           end
         end
       end
@@ -25,32 +25,36 @@ module TCellAgent
       cmd = ''
 
       TCellAgent::Instrumentation.safe_block('CMDI Parsing *args') do
-        unless args.empty?
-          args_copy = Array.new(args)
-          args_copy.shift if args_copy.first.is_a?(Hash)
-          args_copy.pop if args_copy.last.is_a?(Hash)
-
-          if args_copy.first.is_a?(Array)
-            cmd_n_argv0 = args_copy.shift
-            args_copy.unshift(cmd_n_argv0.first)
-          end
+        return cmd if args.nil? || args.empty?
+
+        args_copy = Array.new(args)
+        args_copy.shift if args_copy.first.is_a?(Hash)
+        args_copy.pop if args_copy.last.is_a?(Hash)
 
-          cmd = args_copy.join(' ')
+        if args_copy.first.is_a?(Array)
+          cmd_n_argv0 = args_copy.shift
+          args_copy.unshift(cmd_n_argv0.first)
         end
+
+        cmd = args_copy.join(' ')
       end
 
       cmd
     end
-  end
-end
 
-if TCellAgent.configuration.should_instrument_cmdi_exec?
-  require('tcell_agent/instrumentation/cmdi/exec')
-else
-  TCellAgent.logger.debug('Disabling cmdi Kernel::exec instrumentation')
-end
+    def self.parse_command_from_open(*args)
+      cmd = ''
+
+      TCellAgent::Instrumentation.safe_block('CMDI Parsing *args') do
+        return cmd if args.nil? || args.empty?
+
+        args_copy = Array.new(args)
+        first_arg = args_copy.shift
+
+        cmd = first_arg[1..-1] if first_arg && (first_arg.is_a? String) && first_arg[0] == '|'
+      end
 
-require('tcell_agent/instrumentation/cmdi/backtick')
-require('tcell_agent/instrumentation/cmdi/system')
-require('tcell_agent/instrumentation/cmdi/spawn')
-require('tcell_agent/instrumentation/cmdi/popen')
+      cmd
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/lfi.rb

@@ -0,0 +1,84 @@
+require 'tcell_agent/policies/policy_types'
+require 'tcell_agent/utils/strings'
+require 'tcell_agent/configuration'
+
+module TCellAgent
+  module Instrumentation
+    module Lfi
+      def self.block_file_access?(path, mode)
+        TCellAgent::Instrumentation.safe_block('Checking Local Files Policy') do
+          if TCellAgent::Utils::Strings.present?(path)
+            lfi_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LFI)
+
+            request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
+              Thread.current.object_id, {}
+            )
+
+            tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
+            return lfi_policy.block_file_access?(path, mode, tcell_context)
+          end
+        end
+
+        false
+      end
+
+      def self.extract_path_mode(*args)
+        path = ''
+        mode = ''
+
+        TCellAgent::Instrumentation.safe_block('LFI Parsing *args') do
+          return ['', ''] if args.nil? || args.empty?
+
+          args_copy = Array.new(args)
+          path = args_copy.shift
+          mode = args_copy.shift || 'r'
+
+          if path && path.to_s[0] != '|'
+            path = File.expand_path(path.to_s)
+
+            mode = if mode && mode.is_a?(Hash)
+                     convert_mode(mode[:mode])
+                   else
+                     convert_mode(mode)
+                   end
+
+            [path, mode]
+          else
+            ['', '']
+          end
+        end
+      end
+
+      def self.extract_path_mode_argf
+        path = ''
+        mode = 'Read'
+
+        TCellAgent::Instrumentation.safe_block('LFI Parsing ARGF') do
+          if ARGF.eof? && !ARGV.empty?
+            argv_copy = Array.new(ARGV)
+            path = argv_copy.shift
+          else
+            path = ARGF.filename
+          end
+
+          if path && path.to_s[0] != '|'
+            [File.expand_path(path.to_s), mode]
+          else
+            ['', '']
+          end
+        end
+      end
+
+      def self.convert_mode(mode)
+        if mode.is_a? String
+          return 'ReadWrite' if mode.include? '+'
+          return 'Write' if (mode.include? 'w') || (mode.include? 'a')
+        elsif mode.is_a? Numeric
+          return 'ReadWrite' if (mode & ::File::RDWR) != 0
+          return 'Write' if (mode & ::File::WRONLY) != 0
+        end
+        'Read'
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/file.rb

@@ -0,0 +1,25 @@
+class File
+  class << self
+    alias_method :tcell_original_new, :new
+    def new(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_new(*args, &block)
+    end
+
+    alias_method :tcell_original_open, :open
+    def open(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_open(*args, &block)
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/io.rb

@@ -0,0 +1,131 @@
+class IO
+  class << self
+    alias_method :tcell_original_binread, :binread
+    def binread(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      if path.empty?
+        cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+        if cmd && TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_binread(*args, &block)
+    end
+
+    alias_method :tcell_original_binwrite, :binwrite
+    def binwrite(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Write'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_binwrite(*args, &block)
+    end
+
+    alias_method :tcell_original_foreach, :foreach
+    def foreach(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_foreach(*args, &block)
+    end
+
+    alias_method :tcell_original_popen, :popen
+    def popen(*args, &block)
+      unless args.empty?
+        cmd = ''
+
+        TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
+          args_copy = Array.new(args)
+          args_copy.shift if args_copy.first.is_a?(Hash)
+          args_copy.pop if args_copy.last.is_a?(Hash)
+
+          cmd = if args_copy.first.is_a?(String)
+                  args_copy.shift
+                else
+                  TCellAgent::Cmdi.parse_command(*args_copy.shift)
+                end
+        end
+
+        if TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_popen(*args, &block)
+    end
+
+    alias_method :tcell_original_read, :read
+    def read(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      if path.empty?
+        cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+        if cmd && TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_read(*args, &block)
+    end
+
+    alias_method :tcell_original_readlines, :readlines
+    def readlines(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Read'
+
+      if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      if path.empty?
+        cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+        if cmd && TCellAgent::Cmdi.block_command?(cmd)
+          raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_readlines(*args, &block)
+    end
+
+    alias_method :tcell_original_sysopen, :sysopen
+    def sysopen(*args, &block)
+      path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_sysopen(*args, &block)
+    end
+
+    alias_method :tcell_original_write, :write
+    def write(*args, &block)
+      path, _mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+      mode = 'Write'
+
+      if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      tcell_original_write(*args, &block)
+    end
+  end
+end