tcell_agent 2.0.0 → 2.5.0

data/lib/tcell_agent/instrumentation/monkey_patches/ruby_2/io.rb

@@ -0,0 +1,75 @@
+class IO
+  class << self
+    if TCellAgent.configuration.should_instrument?('IO::binread')
+      alias_method :tcell_original_binread, :binread
+      def binread(*args, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args)
+
+        tcell_original_binread(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::binwrite')
+      alias_method :tcell_original_binwrite, :binwrite
+      def binwrite(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Write')
+
+        tcell_original_binwrite(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::foreach')
+      alias_method :tcell_original_foreach, :foreach
+      def foreach(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Read')
+
+        tcell_original_foreach(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::popen')
+      alias_method :tcell_original_popen, :popen
+      def popen(*args, &block)
+        TCellAgent::Cmdi.popen_cmdi_handler(args)
+
+        tcell_original_popen(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::read')
+      alias_method :tcell_original_read, :read
+      def read(*args, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args, 'Read')
+
+        tcell_original_read(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::readlines')
+      alias_method :tcell_original_readlines, :readlines
+      def readlines(*args, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args, 'Read')
+
+        tcell_original_readlines(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::sysopen')
+      alias_method :tcell_original_sysopen, :sysopen
+      def sysopen(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args)
+
+        tcell_original_sysopen(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::write')
+      alias_method :tcell_original_write, :write
+      def write(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Write')
+
+        tcell_original_write(*args, &block)
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/ruby_2/kernel.rb

@@ -0,0 +1,80 @@
+module Kernel
+  private
+
+  if TCellAgent.configuration.should_instrument?('Kernel#`')
+    alias_method :tcell_original_backtick, :`
+    def `(cmd)
+      TCellAgent::Cmdi.raise_if_block(cmd)
+
+      tcell_original_backtick(cmd)
+    end
+
+    module_function :`
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#exec')
+    alias_method :tcell_original_exec, :exec
+    def exec(*args)
+      TCellAgent::Cmdi.default_cmdi_handler(args)
+
+      tcell_original_exec(*args)
+    end
+
+    module_function :exec
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#gets')
+    alias_method :tcell_original_gets, :gets
+    def gets(*args, &block)
+      TCellAgent::Instrumentation::Lfi.argf_open_handler
+
+      tcell_original_gets(*args, &block)
+    end
+
+    module_function :gets
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#open')
+    alias_method :tcell_original_open, :open
+    def open(*args, &block)
+      TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args)
+
+      tcell_original_open(*args, &block)
+    end
+
+    module_function :open
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#readline')
+    alias_method :tcell_original_readline, :readline
+    def readline(*args, &block)
+      TCellAgent::Instrumentation::Lfi.argf_open_handler
+
+      tcell_original_readline(*args, &block)
+    end
+
+    module_function :readline
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#spawn')
+    alias_method :tcell_original_spawn, :spawn
+    def spawn(*args)
+      TCellAgent::Cmdi.default_cmdi_handler(args)
+
+      tcell_original_spawn(*args)
+    end
+
+    module_function :spawn
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#system')
+    alias_method :tcell_original_system, :system
+    def system(*args)
+      TCellAgent::Cmdi.default_cmdi_handler(args)
+
+      tcell_original_system(*args)
+    end
+
+    module_function :system
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/ruby_3/file.rb

@@ -0,0 +1,21 @@
+class File
+  class << self
+    if TCellAgent.configuration.should_instrument?('File::new')
+      alias_method :tcell_original_new, :new
+      def new(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args)
+
+        tcell_original_new(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('File::open')
+      alias_method :tcell_original_open, :open
+      def open(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args)
+
+        tcell_original_open(*args, **kwargs, &block)
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/ruby_3/io.rb

@@ -0,0 +1,75 @@
+class IO
+  class << self
+    if TCellAgent.configuration.should_instrument?('IO::binread')
+      alias_method :tcell_original_binread, :binread
+      def binread(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args)
+
+        tcell_original_binread(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::binwrite')
+      alias_method :tcell_original_binwrite, :binwrite
+      def binwrite(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Write')
+
+        tcell_original_binwrite(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::foreach')
+      alias_method :tcell_original_foreach, :foreach
+      def foreach(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Read')
+
+        tcell_original_foreach(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::popen')
+      alias_method :tcell_original_popen, :popen
+      def popen(*args, **kwargs, &block)
+        TCellAgent::Cmdi.popen_cmdi_handler(args)
+
+        tcell_original_popen(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::read')
+      alias_method :tcell_original_read, :read
+      def read(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args, 'Read')
+
+        tcell_original_read(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::readlines')
+      alias_method :tcell_original_readlines, :readlines
+      def readlines(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args, 'Read')
+
+        tcell_original_readlines(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::sysopen')
+      alias_method :tcell_original_sysopen, :sysopen
+      def sysopen(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args)
+
+        tcell_original_sysopen(*args, **kwargs, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::write')
+      alias_method :tcell_original_write, :write
+      def write(*args, **kwargs, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Write')
+
+        tcell_original_write(*args, **kwargs, &block)
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/ruby_3/kernel.rb

@@ -0,0 +1,80 @@
+module Kernel
+  private
+
+  if TCellAgent.configuration.should_instrument?('Kernel#`')
+    alias_method :tcell_original_backtick, :`
+    def `(cmd)
+      TCellAgent::Cmdi.raise_if_block(cmd)
+
+      tcell_original_backtick(cmd)
+    end
+
+    module_function :`
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#exec')
+    alias_method :tcell_original_exec, :exec
+    def exec(*args)
+      TCellAgent::Cmdi.default_cmdi_handler(args)
+
+      tcell_original_exec(*args)
+    end
+
+    module_function :exec
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#gets')
+    alias_method :tcell_original_gets, :gets
+    def gets(*args, **kwargs, &block)
+      TCellAgent::Instrumentation::Lfi.argf_open_handler
+
+      tcell_original_gets(*args, **kwargs, &block)
+    end
+
+    module_function :gets
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#open')
+    alias_method :tcell_original_open, :open
+    def open(*args, **kwargs, &block)
+      TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args)
+
+      tcell_original_open(*args, **kwargs, &block)
+    end
+
+    module_function :open
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#readline')
+    alias_method :tcell_original_readline, :readline
+    def readline(*args, **kwargs, &block)
+      TCellAgent::Instrumentation::Lfi.argf_open_handler
+
+      tcell_original_readline(*args, **kwargs, &block)
+    end
+
+    module_function :readline
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#spawn')
+    alias_method :tcell_original_spawn, :spawn
+    def spawn(*args, **kwargs)
+      TCellAgent::Cmdi.default_cmdi_handler(args)
+
+      tcell_original_spawn(*args, **kwargs)
+    end
+
+    module_function :spawn
+  end
+
+  if TCellAgent.configuration.should_instrument?('Kernel#system')
+    alias_method :tcell_original_system, :system
+    def system(*args, **kwargs)
+      TCellAgent::Cmdi.default_cmdi_handler(args)
+
+      tcell_original_system(*args, **kwargs)
+    end
+
+    module_function :system
+  end
+end

data/lib/tcell_agent/instrumentation.rb

@@ -65,7 +65,8 @@ module TCellAgent
                     :password, :route_id, :path, :uri, :fullpath, :context_filters_by_term,
                     :database_filters, :remote_address, :user_agent, :request_method,
                     :path_parameters, :patches_blocking_triggered, :grape_mount_endpoint,
-                    :referrer, :csrf_exception_name, :sql_exceptions, :database_result_sizes
+                    :referrer, :csrf_exception_name, :sql_exceptions, :database_result_sizes,
+                    :reverse_proxy_header_value
 
       def self.filterx(sanitize_string, event_flag, replace_flag, term)
         send_event = false
@@ -91,26 +92,31 @@ module TCellAgent
 
       def valid_term?(term)
         return true if !term.nil? && term != '' && term.to_s.length >= 5
+
         false
       end
 
       def add_response_db_filter(term, action_obj, database, schema, table, field)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_database(database, schema, table, field, action_obj))
       end
 
       def add_filter_for_request_parameter(term, rule, parameter_name)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_request('form', parameter_name, rule))
       end
 
       def add_filter_for_header_value(term, rule, header_name)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_request('header', header_name, rule))
       end
 
       def add_filter_for_cookie_value(term, rule, cookie_name)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_request('cookie', cookie_name, rule))
       end
 
@@ -139,6 +145,7 @@ module TCellAgent
           send_flag = TCellData.filterx(body, !event_filters.empty?, !replace_filters.empty?, term)
           send_flag ||= TCellData.filterx(body, !event_filters.empty?, !replace_filters.empty?, CGI.escapeHTML(term))
           next unless send_flag
+
           (replace_filters + event_filters).each do |filter|
             base_event = TCellAgent::SensorEvents::DlpEvent.new(
               route_id,
@@ -183,6 +190,7 @@ module TCellAgent
           event_filters = (context_filters.select { |context_filter| (context_filter.rule.log_redact != true && context_filter.rule.log_event == true) })
           send_flag = TCellData.filterx(log_msg, !event_filters.empty?, !replace_filters.empty?, term)
           next unless send_flag
+
           (replace_filters + event_filters).each do |filter|
             base_event = TCellAgent::SensorEvents::DlpEvent.new(
               route_id,
@@ -213,7 +221,7 @@ module TCellAgent
       end
     end
 
-    # Note: mock for tests
+    # NOTE: mock for tests
     def self.get_safe_block_logger
       unless defined?(@safe_block_logger)
         @safe_block_logger = TCellAgent::ModuleLogger.new(TCellAgent.logger, name)
@@ -224,15 +232,15 @@ module TCellAgent
 
     def self.safe_block(message, &block)
       block.call
-    rescue StandardError => ex
+    rescue StandardError => e
       logger = get_safe_block_logger
-      logger.error("Error #{message} (#{ex.class}): #{ex.message}")
-      logger.exception(ex)
+      logger.error("Error #{message} (#{e.class}): #{e.message}")
+      logger.exception(e)
     end
 
     def self.safe_block_no_log(_message, &block)
       block.call
-    rescue StandardError # rubocop:disable Lint/HandleExceptions
+    rescue StandardError
       # do nothing
     end
   end

data/lib/tcell_agent/logger.rb

@@ -14,7 +14,6 @@ module TCellAgent
     def initialize(logger, module_name)
       @logger = logger
       @module_name = module_name
-      @module_name = "#{TCellAgent.configuration.log_tag} #{module_name}" if TCellAgent.configuration.log_tag
     end
 
     %i[exception debug info warn error].each do |method_name|
@@ -32,13 +31,13 @@ module TCellAgent
     end
   end
 
-  # Note: since the agent waits until native agent
+  # NOTE: since the agent waits until native agent
   # is available, this is only used in errors
   # throwned while the agent is instrumenting or starting up
   # so it's ok to send those to STDOUT always
   class RubyLogger
     def initialize
-      @logger = Logger.new(STDOUT)
+      @logger = Logger.new(STDOUT) # rubocop:disable Style/GlobalStdStream
     end
 
     def exception(module_name, exception)
@@ -80,7 +79,7 @@ module TCellAgent
     @native_logger
   end
 
-  def self.native_agent=(native_agent)
+  def self.native_logger=(native_agent)
     @native_logger = NativeLogger.new(native_agent)
   end
 end

data/lib/tcell_agent/policies/command_injection_policy.rb

@@ -15,7 +15,7 @@ module TCellAgent
       end
 
       def block_command?(command, tcell_context)
-        return false unless @enabled
+        return false unless @enabled && tcell_context
 
         response = @native_agent.apply_cmdi(
           command, tcell_context

data/lib/tcell_agent/policies/dataloss_policy.rb

@@ -110,24 +110,22 @@ module TCellAgent
 
       def get_actions_for_request(context, variable, route_id = nil)
         return nil if context.nil? || variable.nil?
+
         route_id = '*' if route_id.nil?
         if context != RequestProtectionManager::COOKIE
           variable = variable.downcase
         end
         actions = Set.new
         if @request_filter_actions.key?(context)
-          if @request_filter_actions[context].key?(route_id)
-            if @request_filter_actions[context][route_id].key?(variable)
-              actions.merge(@request_filter_actions[context][route_id][variable])
-            end
+          if @request_filter_actions[context].key?(route_id) && @request_filter_actions[context][route_id].key?(variable)
+            actions.merge(@request_filter_actions[context][route_id][variable])
           end
-          if route_id != '*' && @request_filter_actions[context].key?('*')
-            if @request_filter_actions[context]['*'].key?(variable)
-              actions.merge(@request_filter_actions[context]['*'][variable])
-            end
+          if route_id != '*' && @request_filter_actions[context].key?('*') && @request_filter_actions[context]['*'].key?(variable)
+            actions.merge(@request_filter_actions[context]['*'][variable])
           end
         end
         return nil if actions.size <= 0
+
         actions
       end
 
@@ -136,12 +134,16 @@ module TCellAgent
         actions = Set.new
         [database, '*'].each do |d|
           next if @database_actions.key?(d) == false
+
           [schema, '*'].each do |s|
             next if @database_actions[d].key?(s) == false
+
             [table, '*'].each do |t|
               next if @database_actions[d][s].key?(t) == false
+
               [field, '*'].each do |f|
                 next if @database_actions[d][s][t].key?(f) == false
+
                 route_id_rules = @database_actions[d][s][t][f]
                 if route_id_rules.key?(route_id)
                   actions.merge(@database_actions[d][s][t][f][route_id])
@@ -154,6 +156,7 @@ module TCellAgent
           end
         end
         return nil if actions.empty?
+
         actions
       end
 
@@ -240,8 +243,10 @@ module TCellAgent
             end
 
             next unless context && @request_filter_actions.key?(context) && variables && options
+
             filter_actions = DataLossPolicy.actions_from_json(options)
             next if filter_actions.nil?
+
             @enabled = true
             filter_actions.action_id = rule_id
             variables.each do |variable|
@@ -258,8 +263,10 @@ module TCellAgent
         end
 
         return unless data_json.key?('db_protections')
+
         protections = data_json['db_protections']
         return unless protections
+
         protections.each do |protection_json|
           scope = protection_json.fetch('scope', nil)
           databases = protection_json.fetch('databases', ['*'])

data/lib/tcell_agent/policies/headers_policy.rb

@@ -14,10 +14,10 @@ module TCellAgent
         @enabled = enablements['headers'] || false
       end
 
-      def get_headers(tcell_context)
+      def get_headers(content_type, tcell_context)
         return [] unless @enabled
 
-        response = @native_agent.get_headers(tcell_context)
+        response = @native_agent.get_headers(content_type, tcell_context)
         response['headers'] || []
       end
     end

data/lib/tcell_agent/policies/patches_policy.rb

@@ -17,10 +17,14 @@ module TCellAgent
       def block_request?(appsensor_meta)
         return false unless @enabled
 
-        response = @native_agent.apply_patches(
-          appsensor_meta
-        )
-        !response['apply_response'].nil? && response['apply_response']['status'] == 'Blocked'
+        quick_check_response = @native_agent.apply_suspicious_quick_check(appsensor_meta)
+
+        if quick_check_response == 1
+          response = @native_agent.apply_patches(appsensor_meta)
+          return !response['apply_response'].nil? && response['apply_response']['status'] == 'Blocked'
+        end
+
+        quick_check_response == 2
       end
     end
   end

data/lib/tcell_agent/policies/policies_manager.rb

@@ -47,6 +47,7 @@ module TCellAgent
       TCellAgent::Instrumentation.safe_block('Setting DLP policy') do
         dlp_api_identifier = TCellAgent::Policies::DataLossPolicy.api_identifier
         return unless policies_json.key?(dlp_api_identifier)
+
         @policies[dlp_api_identifier] = TCellAgent::Policies::DataLossPolicy.new(
           policies_json[dlp_api_identifier]
         )

data/lib/tcell_agent/policies/policy_polling.rb

@@ -20,6 +20,7 @@ module TCellAgent
 
       @policy_polling_worker_mutex.synchronize do
         return if policy_polling_running?
+
         start_policy_polling_loop(native_agent)
       end
     end
@@ -44,9 +45,9 @@ module TCellAgent
               policies_and_enablements['enablements'],
               policies_and_enablements['policies']
             )
-          rescue StandardError => standard_error
-            module_logger.error("Error in polling policies: #{standard_error.message}")
-            module_logger.exception(standard_error)
+          rescue StandardError => e
+            module_logger.error("Error in polling policies: #{e.message}")
+            module_logger.exception(e)
           end
 
           # TODO(ralba): this might need to be changed to see how it affects performance