tcell_agent 2.0.0 → 2.5.0

data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb

@@ -2,6 +2,7 @@
 # rubocop:disable Lint/UselessAssignment
 require 'spec_helper'
 require 'securerandom'
+require 'pathname'
 
 describe 'Kernel' do
   before do
@@ -14,11 +15,12 @@ describe 'Kernel' do
   end
 
   before(:all) do
-    @new_file_name = '/tmp/' + SecureRandom.uuid
+    @new_file_name = NEW_FILE_NAME
+    @new_pathname = Pathname.new(@new_file_name)
   end
   describe '#open and ::open' do
     context 'empty path' do
-      it 'should raise an error' do
+      it 'raises an error' do
         expect do
           Kernel.open
         end.to raise_error(ArgumentError)
@@ -39,106 +41,138 @@ describe 'Kernel' do
         end.to raise_error(Errno::ENOENT)
       end
     end
-    context 'with a filename not blocked for read/write' do
+    context 'with filename not blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
             TCellAgent::PolicyTypes::LFI
           ).and_return(@local_files_policy, @local_files_policy)
           expect(@local_files_policy).to receive(:block_file_access?).and_return(false, false)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a nonexistent filename with mode w' do
-        it 'should create the file' do
-          Kernel.open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
-        end
+      it 'creates the file when passed a pathname' do
+        Kernel.open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
+
+        open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
       end
-      context 'with a filename and mode w and file permissions 644' do
-        it 'should create the file with the correct permissions' do
-          Kernel.open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
-        end
+      it 'creates the file when passed a string' do
+        Kernel.open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
+      end
+
+      it 'creates the file with the permission 644' do
+        Kernel.open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
       end
-      context 'with a filename and mode w and file permissions 777' do
-        it 'should create the file with the correct permissions 755' do
-          Kernel.open(@new_file_name, 'w', 0o777)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o777)
+      it 'creates the file with the permission 755' do
+        Kernel.open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+      end
+
+      context 'using mode, perm, binmode', :skip_before do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
+        end
+
+        after :each do
           expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
+          expect(@result.binmode?).to eq true
+
+          File.delete(NEW_FILE_NAME) if File.exist?(NEW_FILE_NAME)
         end
+
+        test_ruby2_ruby3_keywords(Kernel,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
+
+        test_ruby2_ruby3_keywords(Object,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
       end
     end
-    context 'with a filename blocked for read/write' do
+    context 'with filename blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
             TCellAgent::PolicyTypes::LFI
           ).and_return(@local_files_policy, @local_files_policy)
           expect(@local_files_policy).to receive(:block_file_access?).and_return(true, true)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a nonexistent filename with mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode a' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'a')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'a')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'a')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'a')
+        end.to raise_error(IOError)
       end
     end
   end
@@ -169,7 +203,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read/write' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)
@@ -196,7 +230,7 @@ describe 'Kernel' do
 
   describe '::readline and #readline' do
     context 'with a filename not blocked for read/write' do
-      it 'should be able to read the file' do
+      it 'reads the file' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy, @local_files_policy, @local_files_policy)
@@ -221,7 +255,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)

data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 module TCellAgent
   module Instrumentation
     module Lfi
-      describe 'extract path and mode' do
+      describe '.extract_path_mode' do
         context 'with path' do
           it 'should extract the path correctly' do
             args = '/path-to-file'
@@ -34,51 +34,91 @@ module TCellAgent
               args = '/path-to-file', 'r'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
+
+              args = '/path-to-file', { :mode => 'r' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
             end
             it 'should return Write for mode w' do
               args = '/path-to-file', 'w'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => 'w' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
             it 'should return Write for mode a' do
               args = '/path-to-file', 'a'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => 'a' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
             it 'should return ReadWrite for mode r+' do
               args = '/path-to-file', 'r+'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'r+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return ReadWrite for mode w+' do
               args = '/path-to-file', 'w+'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'w+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return ReadWrite for mode a+' do
               args = '/path-to-file', 'a+'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'a+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return Read for mode ::File::RDONLY (0)' do
               args = '/path-to-file', ::File::RDONLY
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
+
+              args = '/path-to-file', { :mode => ::File::RDONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
             end
             it 'should return Write for mode ::File::WRONLY (1)' do
               args = '/path-to-file', ::File::WRONLY
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => ::File::WRONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
             it 'should return ReadWrite for mode ::File::RDWR (2)' do
               args = '/path-to-file', ::File::RDWR
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => ::File::RDWR }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return Write for mode ::File::CREAT | ::File::EXCL | ::File::WRONLY (2561)' do
               args = '/path-to-file', ::File::CREAT | ::File::EXCL | ::File::WRONLY
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => ::File::CREAT | ::File::EXCL | ::File::WRONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
           end
           context 'with an invalid mode' do
@@ -87,11 +127,16 @@ module TCellAgent
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
             end
-            it 'should return Read when mode is a hash' do
+            it 'should return Read when mode is an empty hash' do
               args = '/path-to-file', {}
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
             end
+            it 'should return Read when mode is a hash without a :mode key' do
+              args = '/path-to-file', { :placeholder => 'testing' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
             it 'should return Read when mode is an array' do
               args = '/path-to-file', []
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
@@ -100,6 +145,79 @@ module TCellAgent
           end
         end
       end
+
+      describe '.raise_if_block' do
+        context 'when passed a blocked path' do
+          it 'raises an error' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/blocked', 'Read'
+            ).and_return(true)
+
+            expect do
+              TCellAgent::Instrumentation::Lfi.raise_if_block('/blocked', 'Read')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'when passed a path not blocked' do
+          it 'returns nil' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/not-blocked', 'Read'
+            ).and_return(false)
+
+            expect(TCellAgent::Instrumentation::Lfi.raise_if_block('/not-blocked', 'Read')).to eq nil
+          end
+        end
+      end
+
+      describe '.default_open_handler' do
+        it 'calls .raise_if_block' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'replaces the mode with override_mode' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode).with(
+            '/placeholder'
+          ).and_return(['/placeholder', 'Read'])
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'ReadWrite'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'ReadWrite')).to eq nil
+        end
+      end
+
+      describe '.argf_open_handler' do
+        it 'calls .extract_path_mode_argf' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode_argf).and_return(
+            ['/placeholder', 'Read']
+          )
+
+          expect(TCellAgent::Instrumentation::Lfi.argf_open_handler).to eq nil
+        end
+      end
+      describe '.cmdi_open_handler' do
+        it 'behaves the similarly to default_open_handler' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'raises an error if command is blocked' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with(
+            'ls'
+          ).and_return(true)
+
+          expect do
+            TCellAgent::Instrumentation::Lfi.cmdi_open_handler('|ls')
+          end.to raise_error(RuntimeError)
+        end
+      end
     end
   end
 end

data/spec/lib/tcell_agent/patches_spec.rb

@@ -94,7 +94,8 @@ module TCellAgent
               'session_id',
               'user_id',
               'transaction_id',
-              'http://test.com/'
+              'http://test.com/',
+              '0.0.0.0'
             )
             meta_data.get_dict = { 'paramater' => '<script>' }
             tcell_context = TCellAgent::Instrumentation::TCellData.new

data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -44,7 +43,7 @@ module TCellAgent
             expect(@policy.enabled).to eq(true)
 
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'Content-Security-Policy',
                  'value' => "frame-ancestors 'none'; report-uri https://input.tcell-preview.io/csp/430d?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id" }]

data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -23,7 +22,7 @@ module TCellAgent
             expect(native_agent).to_not receive(:get_headers)
 
             tcell_context = double('tcell_context')
-            policy.get_headers(tcell_context)
+            policy.get_headers('text/html', tcell_context)
           end
         end
 
@@ -65,7 +64,7 @@ module TCellAgent
             expect(@policy.enabled).to eq(true)
 
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'Content-Security-Policy', 'value' => 'test321' }]
             )
@@ -92,7 +91,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq(
                 [{ 'name' => 'Content-Security-Policy',
                    'value' => 'normalvalue; report-uri https://www.example.com/xys?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
@@ -121,7 +120,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq(
                 [{ 'name' => 'Content-Security-Policy',
                    'value' => 'normalvalue; report-uri https://www.example.com/1234567?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
@@ -150,7 +149,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq([])
             end
           end

data/spec/lib/tcell_agent/policies/patches_policy_spec.rb

@@ -78,6 +78,8 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', nil
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
@@ -88,6 +90,8 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', ''
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
@@ -98,20 +102,35 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', '2.2.2.2'
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
           end
 
-          context 'request comes from non-blocked ip' do
-            it 'should not block request' do
+          context 'request comes from blocked ip' do
+            it 'should block request' do
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', '1.1.1.1'
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(2)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(true)
             end
           end
+
+          context 'request comes from suspcious ip' do
+            it 'should call apply_patches' do
+              meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
+                'remote_address', '1.1.1.1'
+              ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(1)
+              expect(@native_agent).to receive(:apply_patches).with(any_args).and_return('Blocked Response')
+              @policy.block_request?(meta_data)
+            end
+          end
         end
       end
     end

data/spec/lib/tcell_agent/policies/policies_manager_spec.rb

@@ -6,7 +6,7 @@ module TCellAgent
       assert_policy_state = proc do |policies, state|
         expect(policies.keys.size).to eq(10)
 
-        policies.values.each do |policy|
+        policies.each_value do |policy|
           next if policy.instance_of?(TCellAgent::Policies::LoginPolicy)
           next if policy.instance_of?(TCellAgent::Policies::SystemEnablements)
 

data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -16,13 +15,7 @@ module TCellAgent
             ).update_attribute(
               'route_id', 'route-id'
             ).build
-          end
-
-          after(:each) do
-            TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
-          end
 
-          it 'should return csp header' do
             enablements = @native_agent.update_policies(
               {
                 'secure-headers' => {
@@ -41,14 +34,26 @@ module TCellAgent
 
             @policy = HeadersPolicy.new(@native_agent, enablements)
             expect(@policy.enabled).to eq(true)
+          end
 
+          after(:each) do
+            TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
+          end
+
+          it 'should return csp header' do
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'X-Content-Type-Options',
                  'value' => 'nosniff' }]
             )
           end
+
+          it 'should not return csp header on json' do
+            expect(
+              @policy.get_headers('application/json', @tcell_context)
+            ).to eq([])
+          end
         end
       end
     end