tcell_agent 2.3.0 → 2.4.0

data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb

@@ -15,12 +15,12 @@ describe 'Kernel' do
   end
 
   before(:all) do
-    @new_file_name = '/tmp/' + SecureRandom.uuid
+    @new_file_name = NEW_FILE_NAME
     @new_pathname = Pathname.new(@new_file_name)
   end
   describe '#open and ::open' do
     context 'empty path' do
-      it 'should raise an error' do
+      it 'raises an error' do
         expect do
           Kernel.open
         end.to raise_error(ArgumentError)
@@ -41,7 +41,7 @@ describe 'Kernel' do
         end.to raise_error(Errno::ENOENT)
       end
     end
-    context 'with a non-existent file, with filename not blocked for read/write' do
+    context 'with filename not blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
@@ -52,59 +52,84 @@ describe 'Kernel' do
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a pathname filename with mode w' do
-        it 'should create the file' do
-          Kernel.open(@new_pathname, 'w')
-          expect(File.exist?(@new_pathname)).to be_truthy
-          File.delete(@new_pathname)
 
-          open(@new_pathname, 'w')
-          expect(File.exist?(@new_pathname)).to be_truthy
-          File.delete(@new_pathname)
-        end
+      it 'creates the file when passed a pathname' do
+        Kernel.open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
+
+        open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
       end
-      context 'with a filename with mode w' do
-        it 'should create the file' do
-          Kernel.open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
-        end
+      it 'creates the file when passed a string' do
+        Kernel.open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
       end
-      context 'with a filename and mode w and file permissions 644' do
-        it 'should create the file with the correct permissions' do
-          Kernel.open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
-        end
+      it 'creates the file with the permission 644' do
+        Kernel.open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
       end
-      context 'with a filename and mode w and file permissions 777' do
-        it 'should create the file with the correct permissions 755' do
-          Kernel.open(@new_file_name, 'w', 0o777)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o777)
+      it 'creates the file with the permission 755' do
+        Kernel.open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+      end
+
+      context 'using mode, perm, binmode', :skip_before do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
+        end
+
+        after :each do
           expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
+          expect(@result.binmode?).to eq true
+
+          File.delete(NEW_FILE_NAME) if File.exist?(NEW_FILE_NAME)
         end
+
+        test_ruby2_ruby3_keywords(Kernel,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
+
+        test_ruby2_ruby3_keywords(Object,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
       end
     end
-    context 'with a non-existent file, with filename blocked for read/write' do
+    context 'with filename blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
@@ -115,45 +140,39 @@ describe 'Kernel' do
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a filename with mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode a' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'a')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'a')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'a')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'a')
+        end.to raise_error(IOError)
       end
     end
   end
@@ -184,7 +203,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read/write' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)
@@ -211,7 +230,7 @@ describe 'Kernel' do
 
   describe '::readline and #readline' do
     context 'with a filename not blocked for read/write' do
-      it 'should be able to read the file' do
+      it 'reads the file' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy, @local_files_policy, @local_files_policy)
@@ -236,7 +255,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)

data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb

@@ -145,6 +145,79 @@ module TCellAgent
           end
         end
       end
+
+      describe '.raise_if_block' do
+        context 'when passed a blocked path' do
+          it 'raises an error' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/blocked', 'Read'
+            ).and_return(true)
+
+            expect do
+              TCellAgent::Instrumentation::Lfi.raise_if_block('/blocked', 'Read')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'when passed a path not blocked' do
+          it 'returns nil' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/not-blocked', 'Read'
+            ).and_return(false)
+
+            expect(TCellAgent::Instrumentation::Lfi.raise_if_block('/not-blocked', 'Read')).to eq nil
+          end
+        end
+      end
+
+      describe '.default_open_handler' do
+        it 'calls .raise_if_block' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'replaces the mode with override_mode' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode).with(
+            '/placeholder'
+          ).and_return(['/placeholder', 'Read'])
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'ReadWrite'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'ReadWrite')).to eq nil
+        end
+      end
+
+      describe '.argf_open_handler' do
+        it 'calls .extract_path_mode_argf' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode_argf).and_return(
+            ['/placeholder', 'Read']
+          )
+
+          expect(TCellAgent::Instrumentation::Lfi.argf_open_handler).to eq nil
+        end
+      end
+      describe '.cmdi_open_handler' do
+        it 'behaves the similarly to default_open_handler' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'raises an error if command is blocked' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with(
+            'ls'
+          ).and_return(true)
+
+          expect do
+            TCellAgent::Instrumentation::Lfi.cmdi_open_handler('|ls')
+          end.to raise_error(RuntimeError)
+        end
+      end
     end
   end
 end

data/spec/lib/tcell_agent/patches_spec.rb

@@ -94,7 +94,8 @@ module TCellAgent
               'session_id',
               'user_id',
               'transaction_id',
-              'http://test.com/'
+              'http://test.com/',
+              '0.0.0.0'
             )
             meta_data.get_dict = { 'paramater' => '<script>' }
             tcell_context = TCellAgent::Instrumentation::TCellData.new

data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -44,7 +43,7 @@ module TCellAgent
             expect(@policy.enabled).to eq(true)
 
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'Content-Security-Policy',
                  'value' => "frame-ancestors 'none'; report-uri https://input.tcell-preview.io/csp/430d?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id" }]

data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -23,7 +22,7 @@ module TCellAgent
             expect(native_agent).to_not receive(:get_headers)
 
             tcell_context = double('tcell_context')
-            policy.get_headers(tcell_context)
+            policy.get_headers('text/html', tcell_context)
           end
         end
 
@@ -65,7 +64,7 @@ module TCellAgent
             expect(@policy.enabled).to eq(true)
 
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'Content-Security-Policy', 'value' => 'test321' }]
             )
@@ -92,7 +91,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq(
                 [{ 'name' => 'Content-Security-Policy',
                    'value' => 'normalvalue; report-uri https://www.example.com/xys?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
@@ -121,7 +120,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq(
                 [{ 'name' => 'Content-Security-Policy',
                    'value' => 'normalvalue; report-uri https://www.example.com/1234567?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
@@ -150,7 +149,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq([])
             end
           end

data/spec/lib/tcell_agent/policies/patches_policy_spec.rb

@@ -78,6 +78,8 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', nil
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
@@ -88,6 +90,8 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', ''
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
@@ -98,20 +102,35 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', '2.2.2.2'
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
           end
 
-          context 'request comes from non-blocked ip' do
-            it 'should not block request' do
+          context 'request comes from blocked ip' do
+            it 'should block request' do
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', '1.1.1.1'
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(2)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(true)
             end
           end
+
+          context 'request comes from suspcious ip' do
+            it 'should call apply_patches' do
+              meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
+                'remote_address', '1.1.1.1'
+              ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(1)
+              expect(@native_agent).to receive(:apply_patches).with(any_args).and_return('Blocked Response')
+              @policy.block_request?(meta_data)
+            end
+          end
         end
       end
     end

data/spec/lib/tcell_agent/policies/policies_manager_spec.rb

@@ -6,7 +6,7 @@ module TCellAgent
       assert_policy_state = proc do |policies, state|
         expect(policies.keys.size).to eq(10)
 
-        policies.values.each do |policy|
+        policies.each_value do |policy|
           next if policy.instance_of?(TCellAgent::Policies::LoginPolicy)
           next if policy.instance_of?(TCellAgent::Policies::SystemEnablements)