tcell_agent 2.1.1 → 2.4.0

data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb

@@ -15,12 +15,12 @@ describe 'Kernel' do
   end
 
   before(:all) do
-    @new_file_name = '/tmp/' + SecureRandom.uuid
+    @new_file_name = NEW_FILE_NAME
     @new_pathname = Pathname.new(@new_file_name)
   end
   describe '#open and ::open' do
     context 'empty path' do
-      it 'should raise an error' do
+      it 'raises an error' do
         expect do
           Kernel.open
         end.to raise_error(ArgumentError)
@@ -41,7 +41,7 @@ describe 'Kernel' do
         end.to raise_error(Errno::ENOENT)
       end
     end
-    context 'with a non-existent file, with filename not blocked for read/write' do
+    context 'with filename not blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
@@ -52,59 +52,84 @@ describe 'Kernel' do
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a pathname filename with mode w' do
-        it 'should create the file' do
-          Kernel.open(@new_pathname, 'w')
-          expect(File.exist?(@new_pathname)).to be_truthy
-          File.delete(@new_pathname)
 
-          open(@new_pathname, 'w')
-          expect(File.exist?(@new_pathname)).to be_truthy
-          File.delete(@new_pathname)
-        end
+      it 'creates the file when passed a pathname' do
+        Kernel.open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
+
+        open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
       end
-      context 'with a filename with mode w' do
-        it 'should create the file' do
-          Kernel.open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
-        end
+      it 'creates the file when passed a string' do
+        Kernel.open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
       end
-      context 'with a filename and mode w and file permissions 644' do
-        it 'should create the file with the correct permissions' do
-          Kernel.open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
-        end
+      it 'creates the file with the permission 644' do
+        Kernel.open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
       end
-      context 'with a filename and mode w and file permissions 777' do
-        it 'should create the file with the correct permissions 755' do
-          Kernel.open(@new_file_name, 'w', 0o777)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o777)
+      it 'creates the file with the permission 755' do
+        Kernel.open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+      end
+
+      context 'using mode, perm, binmode', :skip_before do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
+        end
+
+        after :each do
           expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
+          expect(@result.binmode?).to eq true
+
+          File.delete(NEW_FILE_NAME) if File.exist?(NEW_FILE_NAME)
         end
+
+        test_ruby2_ruby3_keywords(Kernel,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
+
+        test_ruby2_ruby3_keywords(Object,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
       end
     end
-    context 'with a non-existent file, with filename blocked for read/write' do
+    context 'with filename blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
@@ -115,45 +140,39 @@ describe 'Kernel' do
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a filename with mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode a' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'a')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'a')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'a')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'a')
+        end.to raise_error(IOError)
       end
     end
   end
@@ -184,7 +203,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read/write' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)
@@ -211,7 +230,7 @@ describe 'Kernel' do
 
   describe '::readline and #readline' do
     context 'with a filename not blocked for read/write' do
-      it 'should be able to read the file' do
+      it 'reads the file' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy, @local_files_policy, @local_files_policy)
@@ -236,7 +255,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)

data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 module TCellAgent
   module Instrumentation
     module Lfi
-      describe 'extract path and mode' do
+      describe '.extract_path_mode' do
         context 'with path' do
           it 'should extract the path correctly' do
             args = '/path-to-file'
@@ -34,51 +34,91 @@ module TCellAgent
               args = '/path-to-file', 'r'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
+
+              args = '/path-to-file', { :mode => 'r' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
             end
             it 'should return Write for mode w' do
               args = '/path-to-file', 'w'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => 'w' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
             it 'should return Write for mode a' do
               args = '/path-to-file', 'a'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => 'a' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
             it 'should return ReadWrite for mode r+' do
               args = '/path-to-file', 'r+'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'r+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return ReadWrite for mode w+' do
               args = '/path-to-file', 'w+'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'w+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return ReadWrite for mode a+' do
               args = '/path-to-file', 'a+'
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => 'a+' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return Read for mode ::File::RDONLY (0)' do
               args = '/path-to-file', ::File::RDONLY
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
+
+              args = '/path-to-file', { :mode => ::File::RDONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
             end
             it 'should return Write for mode ::File::WRONLY (1)' do
               args = '/path-to-file', ::File::WRONLY
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => ::File::WRONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
             it 'should return ReadWrite for mode ::File::RDWR (2)' do
               args = '/path-to-file', ::File::RDWR
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('ReadWrite')
+
+              args = '/path-to-file', { :mode => ::File::RDWR }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('ReadWrite')
             end
             it 'should return Write for mode ::File::CREAT | ::File::EXCL | ::File::WRONLY (2561)' do
               args = '/path-to-file', ::File::CREAT | ::File::EXCL | ::File::WRONLY
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Write')
+
+              args = '/path-to-file', { :mode => ::File::CREAT | ::File::EXCL | ::File::WRONLY }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Write')
             end
           end
           context 'with an invalid mode' do
@@ -87,11 +127,16 @@ module TCellAgent
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
             end
-            it 'should return Read when mode is a hash' do
+            it 'should return Read when mode is an empty hash' do
               args = '/path-to-file', {}
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
               expect(mode).to eq('Read')
             end
+            it 'should return Read when mode is a hash without a :mode key' do
+              args = '/path-to-file', { :placeholder => 'testing' }
+              _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+              expect(mode).to eq('Read')
+            end
             it 'should return Read when mode is an array' do
               args = '/path-to-file', []
               _path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
@@ -100,6 +145,79 @@ module TCellAgent
           end
         end
       end
+
+      describe '.raise_if_block' do
+        context 'when passed a blocked path' do
+          it 'raises an error' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/blocked', 'Read'
+            ).and_return(true)
+
+            expect do
+              TCellAgent::Instrumentation::Lfi.raise_if_block('/blocked', 'Read')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'when passed a path not blocked' do
+          it 'returns nil' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/not-blocked', 'Read'
+            ).and_return(false)
+
+            expect(TCellAgent::Instrumentation::Lfi.raise_if_block('/not-blocked', 'Read')).to eq nil
+          end
+        end
+      end
+
+      describe '.default_open_handler' do
+        it 'calls .raise_if_block' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'replaces the mode with override_mode' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode).with(
+            '/placeholder'
+          ).and_return(['/placeholder', 'Read'])
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'ReadWrite'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'ReadWrite')).to eq nil
+        end
+      end
+
+      describe '.argf_open_handler' do
+        it 'calls .extract_path_mode_argf' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode_argf).and_return(
+            ['/placeholder', 'Read']
+          )
+
+          expect(TCellAgent::Instrumentation::Lfi.argf_open_handler).to eq nil
+        end
+      end
+      describe '.cmdi_open_handler' do
+        it 'behaves the similarly to default_open_handler' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'raises an error if command is blocked' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with(
+            'ls'
+          ).and_return(true)
+
+          expect do
+            TCellAgent::Instrumentation::Lfi.cmdi_open_handler('|ls')
+          end.to raise_error(RuntimeError)
+        end
+      end
     end
   end
 end

data/spec/lib/tcell_agent/patches_spec.rb

@@ -94,7 +94,8 @@ module TCellAgent
               'session_id',
               'user_id',
               'transaction_id',
-              'http://test.com/'
+              'http://test.com/',
+              '0.0.0.0'
             )
             meta_data.get_dict = { 'paramater' => '<script>' }
             tcell_context = TCellAgent::Instrumentation::TCellData.new

data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -44,7 +43,7 @@ module TCellAgent
             expect(@policy.enabled).to eq(true)
 
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'Content-Security-Policy',
                  'value' => "frame-ancestors 'none'; report-uri https://input.tcell-preview.io/csp/430d?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id" }]