tcell_agent 2.3.0 → 2.5.1
- checksums.yaml +4 -4
- data/LICENSE +2 -2
- data/bin/tcell_agent +6 -11
- data/lib/tcell_agent/agent.rb +18 -13
- data/lib/tcell_agent/config_initializer.rb +2 -5
- data/lib/tcell_agent/configuration.rb +4 -4
- data/lib/tcell_agent/hooks/login_fraud.rb +1 -1
- data/lib/tcell_agent/instrumentation/cmdi.rb +32 -0
- data/lib/tcell_agent/instrumentation/lfi.rb +55 -9
- data/lib/tcell_agent/instrumentation/monkey_patches/ruby_2/file.rb +21 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/ruby_2/io.rb +75 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/ruby_2/kernel.rb +80 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/ruby_3/file.rb +21 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/ruby_3/io.rb +75 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/ruby_3/kernel.rb +80 -0
- data/lib/tcell_agent/instrumentation.rb +14 -6
- data/lib/tcell_agent/logger.rb +2 -2
- data/lib/tcell_agent/policies/dataloss_policy.rb +15 -8
- data/lib/tcell_agent/policies/headers_policy.rb +2 -2
- data/lib/tcell_agent/policies/patches_policy.rb +8 -4
- data/lib/tcell_agent/policies/policies_manager.rb +1 -0
- data/lib/tcell_agent/policies/policy_polling.rb +4 -3
- data/lib/tcell_agent/rails/auth/doorkeeper.rb +1 -0
- data/lib/tcell_agent/rails/better_ip.rb +7 -19
- data/lib/tcell_agent/rails/dlp/process_request.rb +5 -0
- data/lib/tcell_agent/rails/dlp.rb +48 -48
- data/lib/tcell_agent/rails/dlp_handler.rb +9 -10
- data/lib/tcell_agent/rails/js_agent_insert.rb +2 -3
- data/lib/tcell_agent/rails/middleware/context_middleware.rb +2 -1
- data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -5
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +1 -0
- data/lib/tcell_agent/rails/routes/grape.rb +2 -1
- data/lib/tcell_agent/rails/settings_reporter.rb +3 -6
- data/lib/tcell_agent/rails/tcell_body_proxy.rb +4 -6
- data/lib/tcell_agent/routes/table.rb +3 -0
- data/lib/tcell_agent/rust/agent_config.rb +18 -0
- data/lib/tcell_agent/rust/{libtcellagent-alpine-6.2.1.so → libtcellagent-alpine.so} +0 -0
- data/lib/tcell_agent/rust/{tcellagent-6.2.1.dll → libtcellagent-x64.dll} +0 -0
- data/lib/tcell_agent/rust/{libtcellagent-6.2.1.dylib → libtcellagent.dylib} +0 -0
- data/lib/tcell_agent/rust/{libtcellagent-6.2.1.so → libtcellagent.so} +0 -0
- data/lib/tcell_agent/rust/native_agent.rb +51 -59
- data/lib/tcell_agent/rust/native_library.rb +7 -10
- data/lib/tcell_agent/sensor_events/server_agent.rb +3 -100
- data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +1 -0
- data/lib/tcell_agent/servers/puma.rb +25 -8
- data/lib/tcell_agent/servers/rack_puma_handler.rb +13 -3
- data/lib/tcell_agent/servers/webrick.rb +14 -4
- data/lib/tcell_agent/settings_reporter.rb +0 -14
- data/lib/tcell_agent/sinatra.rb +1 -0
- data/lib/tcell_agent/tcell_context.rb +15 -6
- data/lib/tcell_agent/utils/headers.rb +0 -1
- data/lib/tcell_agent/utils/strings.rb +2 -2
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/cruby_spec_helper.rb +26 -0
- data/spec/lib/tcell_agent/instrument_servers_spec.rb +42 -7
- data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb +2 -2
- data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb +211 -272
- data/spec/lib/tcell_agent/instrumentation/lfi/io_lfi_spec.rb +207 -223
- data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb +89 -70
- data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb +73 -0
- data/spec/lib/tcell_agent/patches_spec.rb +2 -1
- data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +1 -2
- data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +5 -6
- data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +21 -2
- data/spec/lib/tcell_agent/policies/policies_manager_spec.rb +1 -1
- data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +13 -8
- data/spec/lib/tcell_agent/rails/better_ip_spec.rb +9 -11
- data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +6 -6
- data/spec/lib/tcell_agent/rails/dlp_spec.rb +1 -0
- data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +10 -2
- data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +2 -1
- data/spec/lib/tcell_agent/rails/routes/route_id_spec.rb +4 -4
- data/spec/lib/tcell_agent/settings_reporter_spec.rb +2 -16
- data/spec/lib/tcell_agent/tcell_context_spec.rb +6 -5
- data/spec/spec_helper.rb +3 -1
- data/spec/support/builders.rb +2 -1
- data/spec/support/server_mocks/{puma_mock.rb → puma_mock_1.rb} +5 -1
- data/spec/support/server_mocks/puma_mock_2.rb +26 -0
- data/spec/support/server_mocks/puma_mock_3.rb +22 -0
- data/spec/support/shared_spec.rb +29 -0
- data/tcell_agent.gemspec +14 -14
- metadata +29 -21
- data/Rakefile +0 -18
- data/lib/tcell_agent/instrumentation/monkey_patches/file.rb +0 -25
- data/lib/tcell_agent/instrumentation/monkey_patches/io.rb +0 -131
- data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb +0 -102
@@ -15,12 +15,12 @@ describe 'Kernel' do
|
|
15
15
|
end
|
16
16
|
|
17
17
|
before(:all) do
|
18
|
-
@new_file_name =
|
18
|
+
@new_file_name = NEW_FILE_NAME
|
19
19
|
@new_pathname = Pathname.new(@new_file_name)
|
20
20
|
end
|
21
21
|
describe '#open and ::open' do
|
22
22
|
context 'empty path' do
|
23
|
-
it '
|
23
|
+
it 'raises an error' do
|
24
24
|
expect do
|
25
25
|
Kernel.open
|
26
26
|
end.to raise_error(ArgumentError)
|
@@ -41,7 +41,7 @@ describe 'Kernel' do
|
|
41
41
|
end.to raise_error(Errno::ENOENT)
|
42
42
|
end
|
43
43
|
end
|
44
|
-
context 'with
|
44
|
+
context 'with filename not blocked for read/write' do
|
45
45
|
before do |test|
|
46
46
|
unless test.metadata[:skip_before]
|
47
47
|
expect(TCellAgent).to receive(:policy).with(
|
@@ -52,59 +52,84 @@ describe 'Kernel' do
|
|
52
52
|
end
|
53
53
|
end
|
54
54
|
|
55
|
-
it '
|
55
|
+
it 'executes OS commands', :skip_before do
|
56
56
|
result = Kernel.open('|echo test').read
|
57
57
|
expect(result).to eq "test\n"
|
58
58
|
|
59
59
|
result = open('|echo test').read
|
60
60
|
expect(result).to eq "test\n"
|
61
61
|
end
|
62
|
-
context 'with a pathname filename with mode w' do
|
63
|
-
it 'should create the file' do
|
64
|
-
Kernel.open(@new_pathname, 'w')
|
65
|
-
expect(File.exist?(@new_pathname)).to be_truthy
|
66
|
-
File.delete(@new_pathname)
|
67
62
|
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
63
|
+
it 'creates the file when passed a pathname' do
|
64
|
+
Kernel.open(@new_pathname, 'w')
|
65
|
+
expect(File.exist?(@new_pathname)).to be_truthy
|
66
|
+
File.delete(@new_pathname)
|
67
|
+
|
68
|
+
open(@new_pathname, 'w')
|
69
|
+
expect(File.exist?(@new_pathname)).to be_truthy
|
70
|
+
File.delete(@new_pathname)
|
72
71
|
end
|
73
|
-
context 'with a filename with mode w' do
|
74
|
-
it 'should create the file' do
|
75
|
-
Kernel.open(@new_file_name, 'w')
|
76
|
-
expect(File.exist?(@new_file_name)).to be_truthy
|
77
|
-
File.delete(@new_file_name)
|
78
72
|
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
73
|
+
it 'creates the file when passed a string' do
|
74
|
+
Kernel.open(@new_file_name, 'w')
|
75
|
+
expect(File.exist?(@new_file_name)).to be_truthy
|
76
|
+
File.delete(@new_file_name)
|
77
|
+
|
78
|
+
open(@new_file_name, 'w')
|
79
|
+
expect(File.exist?(@new_file_name)).to be_truthy
|
80
|
+
File.delete(@new_file_name)
|
83
81
|
end
|
84
|
-
context 'with a filename and mode w and file permissions 644' do
|
85
|
-
it 'should create the file with the correct permissions' do
|
86
|
-
Kernel.open(@new_file_name, 'w', 0o644)
|
87
|
-
expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
|
88
|
-
File.delete(@new_file_name)
|
89
82
|
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
83
|
+
it 'creates the file with the permission 644' do
|
84
|
+
Kernel.open(@new_file_name, 'w', 0o644)
|
85
|
+
expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
|
86
|
+
File.delete(@new_file_name)
|
87
|
+
|
88
|
+
open(@new_file_name, 'w', 0o644)
|
89
|
+
expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
|
90
|
+
File.delete(@new_file_name)
|
94
91
|
end
|
95
|
-
context 'with a filename and mode w and file permissions 777' do
|
96
|
-
it 'should create the file with the correct permissions 755' do
|
97
|
-
Kernel.open(@new_file_name, 'w', 0o777)
|
98
|
-
expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
|
99
|
-
File.delete(@new_file_name)
|
100
92
|
|
101
|
-
|
93
|
+
it 'creates the file with the permission 755' do
|
94
|
+
Kernel.open(@new_file_name, 'w', 0o777)
|
95
|
+
expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
|
96
|
+
File.delete(@new_file_name)
|
97
|
+
|
98
|
+
open(@new_file_name, 'w', 0o777)
|
99
|
+
expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
|
100
|
+
File.delete(@new_file_name)
|
101
|
+
end
|
102
|
+
|
103
|
+
context 'using mode, perm, binmode', :skip_before do
|
104
|
+
before(:each) do
|
105
|
+
expect(TCellAgent).to receive(:policy).with(
|
106
|
+
TCellAgent::PolicyTypes::LFI
|
107
|
+
).and_return(@local_files_policy)
|
108
|
+
expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
|
109
|
+
expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
|
110
|
+
end
|
111
|
+
|
112
|
+
after :each do
|
102
113
|
expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
|
103
|
-
|
114
|
+
expect(@result.binmode?).to eq true
|
115
|
+
|
116
|
+
File.delete(NEW_FILE_NAME) if File.exist?(NEW_FILE_NAME)
|
104
117
|
end
|
118
|
+
|
119
|
+
test_ruby2_ruby3_keywords(Kernel,
|
120
|
+
'open',
|
121
|
+
[NEW_FILE_NAME, 'w', 0o755],
|
122
|
+
{ :binmode => true },
|
123
|
+
nil)
|
124
|
+
|
125
|
+
test_ruby2_ruby3_keywords(Object,
|
126
|
+
'open',
|
127
|
+
[NEW_FILE_NAME, 'w', 0o755],
|
128
|
+
{ :binmode => true },
|
129
|
+
nil)
|
105
130
|
end
|
106
131
|
end
|
107
|
-
context 'with
|
132
|
+
context 'with filename blocked for read/write' do
|
108
133
|
before do |test|
|
109
134
|
unless test.metadata[:skip_before]
|
110
135
|
expect(TCellAgent).to receive(:policy).with(
|
@@ -115,45 +140,39 @@ describe 'Kernel' do
|
|
115
140
|
end
|
116
141
|
end
|
117
142
|
|
118
|
-
it '
|
143
|
+
it 'executes OS commands', :skip_before do
|
119
144
|
result = Kernel.open('|echo test').read
|
120
145
|
expect(result).to eq "test\n"
|
121
146
|
|
122
147
|
result = open('|echo test').read
|
123
148
|
expect(result).to eq "test\n"
|
124
149
|
end
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
end.to raise_error(IOError)
|
150
|
+
it 'raises an IOError' do
|
151
|
+
expect do
|
152
|
+
Kernel.open(@new_file_name, 'w')
|
153
|
+
end.to raise_error(IOError)
|
130
154
|
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
end
|
155
|
+
expect do
|
156
|
+
open(@new_file_name, 'w')
|
157
|
+
end.to raise_error(IOError)
|
135
158
|
end
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
end.to raise_error(IOError)
|
159
|
+
it 'raises an IOError' do
|
160
|
+
expect do
|
161
|
+
Kernel.open(@new_file_name, 'w')
|
162
|
+
end.to raise_error(IOError)
|
141
163
|
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
end
|
164
|
+
expect do
|
165
|
+
open(@new_file_name, 'w')
|
166
|
+
end.to raise_error(IOError)
|
146
167
|
end
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
end.to raise_error(IOError)
|
168
|
+
it 'raises an IOError' do
|
169
|
+
expect do
|
170
|
+
Kernel.open(@new_file_name, 'a')
|
171
|
+
end.to raise_error(IOError)
|
152
172
|
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
end
|
173
|
+
expect do
|
174
|
+
open(@new_file_name, 'a')
|
175
|
+
end.to raise_error(IOError)
|
157
176
|
end
|
158
177
|
end
|
159
178
|
end
|
@@ -184,7 +203,7 @@ describe 'Kernel' do
|
|
184
203
|
end
|
185
204
|
end
|
186
205
|
context 'with a filename blocked for read/write' do
|
187
|
-
it '
|
206
|
+
it 'raises an IOError' do
|
188
207
|
expect(TCellAgent).to receive(:policy).with(
|
189
208
|
TCellAgent::PolicyTypes::LFI
|
190
209
|
).and_return(@local_files_policy, @local_files_policy)
|
@@ -211,7 +230,7 @@ describe 'Kernel' do
|
|
211
230
|
|
212
231
|
describe '::readline and #readline' do
|
213
232
|
context 'with a filename not blocked for read/write' do
|
214
|
-
it '
|
233
|
+
it 'reads the file' do
|
215
234
|
expect(TCellAgent).to receive(:policy).with(
|
216
235
|
TCellAgent::PolicyTypes::LFI
|
217
236
|
).and_return(@local_files_policy, @local_files_policy, @local_files_policy, @local_files_policy)
|
@@ -236,7 +255,7 @@ describe 'Kernel' do
|
|
236
255
|
end
|
237
256
|
end
|
238
257
|
context 'with a filename blocked for read' do
|
239
|
-
it '
|
258
|
+
it 'raises an IOError' do
|
240
259
|
expect(TCellAgent).to receive(:policy).with(
|
241
260
|
TCellAgent::PolicyTypes::LFI
|
242
261
|
).and_return(@local_files_policy, @local_files_policy)
|
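Review bot: The three examples added under `context 'with filename blocked for read/write'` all share the description `'raises an IOError'`, and the first two have the same visible body (`Kernel.open(@new_file_name, 'w')` followed by `open(@new_file_name, 'w')`). One blocked case is therefore tested twice, and a failure report cannot say which example broke. The non-blocked context checks both a Pathname and a String argument; if the second blocked example was meant to mirror that, it should open `@new_pathname` and be titled `it 'raises an IOError when passed a pathname' do`, so the block is also pinned for Pathname arguments. The third example, which uses mode `'a'`, would read better as `it 'raises an IOError in append mode' do`.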
@@ -145,6 +145,79 @@ module TCellAgent
|
|
145
145
|
end
|
146
146
|
end
|
147
147
|
end
|
148
|
+
|
149
|
+
describe '.raise_if_block' do
|
150
|
+
context 'when passed a blocked path' do
|
151
|
+
it 'raises an error' do
|
152
|
+
expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
|
153
|
+
'/blocked', 'Read'
|
154
|
+
).and_return(true)
|
155
|
+
|
156
|
+
expect do
|
157
|
+
TCellAgent::Instrumentation::Lfi.raise_if_block('/blocked', 'Read')
|
158
|
+
end.to raise_error(IOError)
|
159
|
+
end
|
160
|
+
end
|
161
|
+
context 'when passed a path not blocked' do
|
162
|
+
it 'returns nil' do
|
163
|
+
expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
|
164
|
+
'/not-blocked', 'Read'
|
165
|
+
).and_return(false)
|
166
|
+
|
167
|
+
expect(TCellAgent::Instrumentation::Lfi.raise_if_block('/not-blocked', 'Read')).to eq nil
|
168
|
+
end
|
169
|
+
end
|
170
|
+
end
|
171
|
+
|
172
|
+
describe '.default_open_handler' do
|
173
|
+
it 'calls .raise_if_block' do
|
174
|
+
expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
|
175
|
+
'/placeholder', 'Read'
|
176
|
+
).and_return(nil)
|
177
|
+
|
178
|
+
expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
|
179
|
+
end
|
180
|
+
|
181
|
+
it 'replaces the mode with override_mode' do
|
182
|
+
expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode).with(
|
183
|
+
'/placeholder'
|
184
|
+
).and_return(['/placeholder', 'Read'])
|
185
|
+
expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
|
186
|
+
'/placeholder', 'ReadWrite'
|
187
|
+
).and_return(nil)
|
188
|
+
|
189
|
+
expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'ReadWrite')).to eq nil
|
190
|
+
end
|
191
|
+
end
|
192
|
+
|
193
|
+
describe '.argf_open_handler' do
|
194
|
+
it 'calls .extract_path_mode_argf' do
|
195
|
+
expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode_argf).and_return(
|
196
|
+
['/placeholder', 'Read']
|
197
|
+
)
|
198
|
+
|
199
|
+
expect(TCellAgent::Instrumentation::Lfi.argf_open_handler).to eq nil
|
200
|
+
end
|
201
|
+
end
|
202
|
+
describe '.cmdi_open_handler' do
|
203
|
+
it 'behaves the similarly to default_open_handler' do
|
204
|
+
expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
|
205
|
+
'/placeholder', 'Read'
|
206
|
+
).and_return(nil)
|
207
|
+
|
208
|
+
expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
|
209
|
+
end
|
210
|
+
|
211
|
+
it 'raises an error if command is blocked' do
|
212
|
+
expect(TCellAgent::Cmdi).to receive(:block_command?).with(
|
213
|
+
'ls'
|
214
|
+
).and_return(true)
|
215
|
+
|
216
|
+
expect do
|
217
|
+
TCellAgent::Instrumentation::Lfi.cmdi_open_handler('|ls')
|
218
|
+
end.to raise_error(RuntimeError)
|
219
|
+
end
|
220
|
+
end
|
148
221
|
end
|
149
222
|
end
|
150
223
|
end
|
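Review bot: The example `'behaves the similarly to default_open_handler'` under `describe '.cmdi_open_handler'` calls `default_open_handler(['/placeholder'], 'Read')`, so it never exercises `cmdi_open_handler`. It would still pass if that handler skipped the file-access check for plain paths. It should invoke the method under test with a non-pipe argument, along the lines of `TCellAgent::Instrumentation::Lfi.cmdi_open_handler('/placeholder')`; the argument shape is inferred from the `'|ls'` call in the next example and should be confirmed against the implementation. The title also has a stray word; `it 'behaves like default_open_handler for plain paths' do` reads cleanly. Separately, the `.argf_open_handler` example only stubs `extract_path_mode_argf` and does not assert that `raise_if_block` is consulted with the extracted path.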
@@ -1,4 +1,3 @@
|
|
1
|
-
|
2
1
|
require 'spec_helper'
|
3
2
|
|
4
3
|
module TCellAgent
|
@@ -44,7 +43,7 @@ module TCellAgent
|
|
44
43
|
expect(@policy.enabled).to eq(true)
|
45
44
|
|
46
45
|
expect(
|
47
|
-
@policy.get_headers(@tcell_context)
|
46
|
+
@policy.get_headers('text/html', @tcell_context)
|
48
47
|
).to eq(
|
49
48
|
[{ 'name' => 'Content-Security-Policy',
|
50
49
|
'value' => "frame-ancestors 'none'; report-uri https://input.tcell-preview.io/csp/430d?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id" }]
|
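Review bot: The updated call passes `'text/html'` as the new first argument to `get_headers`, so the content-type parameter is never varied for this policy. The same holds for the five updated calls in the content-security-policy spec hunks that follow. The secure-headers spec in this diff adds an `'application/json'` case expecting `[]`. If these policies gate on content type the same way (not visible here), each spec should gain a matching example such as `expect(@policy.get_headers('application/json', @tcell_context)).to eq([])`, so the gating is pinned per policy.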
@@ -1,4 +1,3 @@
|
|
1
|
-
|
2
1
|
require 'spec_helper'
|
3
2
|
|
4
3
|
module TCellAgent
|
@@ -23,7 +22,7 @@ module TCellAgent
|
|
23
22
|
expect(native_agent).to_not receive(:get_headers)
|
24
23
|
|
25
24
|
tcell_context = double('tcell_context')
|
26
|
-
policy.get_headers(tcell_context)
|
25
|
+
policy.get_headers('text/html', tcell_context)
|
27
26
|
end
|
28
27
|
end
|
29
28
|
|
@@ -65,7 +64,7 @@ module TCellAgent
|
|
65
64
|
expect(@policy.enabled).to eq(true)
|
66
65
|
|
67
66
|
expect(
|
68
|
-
@policy.get_headers(@tcell_context)
|
67
|
+
@policy.get_headers('text/html', @tcell_context)
|
69
68
|
).to eq(
|
70
69
|
[{ 'name' => 'Content-Security-Policy', 'value' => 'test321' }]
|
71
70
|
)
|
@@ -92,7 +91,7 @@ module TCellAgent
|
|
92
91
|
expect(@policy.enabled).to eq(true)
|
93
92
|
|
94
93
|
expect(
|
95
|
-
@policy.get_headers(@tcell_context)
|
94
|
+
@policy.get_headers('text/html', @tcell_context)
|
96
95
|
).to eq(
|
97
96
|
[{ 'name' => 'Content-Security-Policy',
|
98
97
|
'value' => 'normalvalue; report-uri https://www.example.com/xys?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
|
@@ -121,7 +120,7 @@ module TCellAgent
|
|
121
120
|
expect(@policy.enabled).to eq(true)
|
122
121
|
|
123
122
|
expect(
|
124
|
-
@policy.get_headers(@tcell_context)
|
123
|
+
@policy.get_headers('text/html', @tcell_context)
|
125
124
|
).to eq(
|
126
125
|
[{ 'name' => 'Content-Security-Policy',
|
127
126
|
'value' => 'normalvalue; report-uri https://www.example.com/1234567?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
|
@@ -150,7 +149,7 @@ module TCellAgent
|
|
150
149
|
expect(@policy.enabled).to eq(true)
|
151
150
|
|
152
151
|
expect(
|
153
|
-
@policy.get_headers(@tcell_context)
|
152
|
+
@policy.get_headers('text/html', @tcell_context)
|
154
153
|
).to eq([])
|
155
154
|
end
|
156
155
|
end
|
@@ -78,6 +78,8 @@ module TCellAgent
|
|
78
78
|
meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
|
79
79
|
'remote_address', nil
|
80
80
|
).build
|
81
|
+
expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
|
82
|
+
expect(@native_agent).not_to receive(:apply_patches).with(any_args)
|
81
83
|
resp = @policy.block_request?(meta_data)
|
82
84
|
expect(resp).to eq(false)
|
83
85
|
end
|
@@ -88,6 +90,8 @@ module TCellAgent
|
|
88
90
|
meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
|
89
91
|
'remote_address', ''
|
90
92
|
).build
|
93
|
+
expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
|
94
|
+
expect(@native_agent).not_to receive(:apply_patches).with(any_args)
|
91
95
|
resp = @policy.block_request?(meta_data)
|
92
96
|
expect(resp).to eq(false)
|
93
97
|
end
|
@@ -98,20 +102,35 @@ module TCellAgent
|
|
98
102
|
meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
|
99
103
|
'remote_address', '2.2.2.2'
|
100
104
|
).build
|
105
|
+
expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
|
106
|
+
expect(@native_agent).not_to receive(:apply_patches).with(any_args)
|
101
107
|
resp = @policy.block_request?(meta_data)
|
102
108
|
expect(resp).to eq(false)
|
103
109
|
end
|
104
110
|
end
|
105
111
|
|
106
|
-
context 'request comes from
|
107
|
-
it 'should
|
112
|
+
context 'request comes from blocked ip' do
|
113
|
+
it 'should block request' do
|
108
114
|
meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
|
109
115
|
'remote_address', '1.1.1.1'
|
110
116
|
).build
|
117
|
+
expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(2)
|
118
|
+
expect(@native_agent).not_to receive(:apply_patches).with(any_args)
|
111
119
|
resp = @policy.block_request?(meta_data)
|
112
120
|
expect(resp).to eq(true)
|
113
121
|
end
|
114
122
|
end
|
123
|
+
|
124
|
+
context 'request comes from suspcious ip' do
|
125
|
+
it 'should call apply_patches' do
|
126
|
+
meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
|
127
|
+
'remote_address', '1.1.1.1'
|
128
|
+
).build
|
129
|
+
expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(1)
|
130
|
+
expect(@native_agent).to receive(:apply_patches).with(any_args).and_return('Blocked Response')
|
131
|
+
@policy.block_request?(meta_data)
|
132
|
+
end
|
133
|
+
end
|
115
134
|
end
|
116
135
|
end
|
117
136
|
end
|
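Review bot: The new example `'should call apply_patches'` stubs `apply_patches` to return `'Blocked Response'` but discards the result of `@policy.block_request?(meta_data)`, so the block or allow decision for a suspicious address is not asserted. Capture it as `resp = @policy.block_request?(meta_data)` and add an `expect(resp).to eq(...)` with the value the policy is meant to return for that stubbed response. The quick-check return values `1` and `2` are bare literals, and both examples use `'1.1.1.1'`. A short comment such as `# 2 = blocked outright, 1 = suspicious, needs full patches evaluation` (meaning inferred from the context titles; confirm) would make the two cases distinguishable. The context title has a typo, `'request comes from suspcious ip'`.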
@@ -6,7 +6,7 @@ module TCellAgent
|
|
6
6
|
assert_policy_state = proc do |policies, state|
|
7
7
|
expect(policies.keys.size).to eq(10)
|
8
8
|
|
9
|
-
policies.
|
9
|
+
policies.each_value do |policy|
|
10
10
|
next if policy.instance_of?(TCellAgent::Policies::LoginPolicy)
|
11
11
|
next if policy.instance_of?(TCellAgent::Policies::SystemEnablements)
|
12
12
|
|
@@ -1,4 +1,3 @@
|
|
1
|
-
|
2
1
|
require 'spec_helper'
|
3
2
|
|
4
3
|
module TCellAgent
|
@@ -16,13 +15,7 @@ module TCellAgent
|
|
16
15
|
).update_attribute(
|
17
16
|
'route_id', 'route-id'
|
18
17
|
).build
|
19
|
-
end
|
20
|
-
|
21
|
-
after(:each) do
|
22
|
-
TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
|
23
|
-
end
|
24
18
|
|
25
|
-
it 'should return csp header' do
|
26
19
|
enablements = @native_agent.update_policies(
|
27
20
|
{
|
28
21
|
'secure-headers' => {
|
@@ -41,14 +34,26 @@ module TCellAgent
|
|
41
34
|
|
42
35
|
@policy = HeadersPolicy.new(@native_agent, enablements)
|
43
36
|
expect(@policy.enabled).to eq(true)
|
37
|
+
end
|
44
38
|
|
39
|
+
after(:each) do
|
40
|
+
TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
|
41
|
+
end
|
42
|
+
|
43
|
+
it 'should return csp header' do
|
45
44
|
expect(
|
46
|
-
@policy.get_headers(@tcell_context)
|
45
|
+
@policy.get_headers('text/html', @tcell_context)
|
47
46
|
).to eq(
|
48
47
|
[{ 'name' => 'X-Content-Type-Options',
|
49
48
|
'value' => 'nosniff' }]
|
50
49
|
)
|
51
50
|
end
|
51
|
+
|
52
|
+
it 'should not return csp header on json' do
|
53
|
+
expect(
|
54
|
+
@policy.get_headers('application/json', @tcell_context)
|
55
|
+
).to eq([])
|
56
|
+
end
|
52
57
|
end
|
53
58
|
end
|
54
59
|
end
|
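Review bot: The added example `'should not return csp header on json'` is mislabeled. The only header this spec configures and expects for `'text/html'` is `X-Content-Type-Options: nosniff`, so the test pins that nosniff is dropped for `application/json`, not a CSP header. `nosniff` is the header that stops a browser from MIME-sniffing a JSON body as something renderable, so withholding it from JSON responses should be confirmed as intended rather than a side effect of the new content-type argument. If it is intended, rename the example to `it 'returns no secure headers for application/json' do` and add a one-line comment giving the reason.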
@@ -4,37 +4,34 @@ module TCellAgent
|
|
4
4
|
module Utils
|
5
5
|
describe '.better_ip' do
|
6
6
|
context 'with reverse_proxy off' do
|
7
|
-
it '
|
7
|
+
it 'returns null' do
|
8
8
|
configuration = double('configuration')
|
9
9
|
request = double('request', :ip => '127.0.0.0')
|
10
10
|
|
11
11
|
expect(TCellAgent).to receive(:configuration).and_return(configuration)
|
12
12
|
expect(configuration).to receive(:reverse_proxy).and_return(false)
|
13
|
-
expect(Rails.
|
13
|
+
expect(Rails.reverse_proxy_header(request)).to eq(nil)
|
14
14
|
end
|
15
15
|
end
|
16
16
|
|
17
17
|
context 'with reverse_proxy on' do
|
18
18
|
context 'with empty reverse_proxy_ip_address_header' do
|
19
|
-
it '
|
19
|
+
it 'returns null' do
|
20
20
|
configuration = double('configuration')
|
21
21
|
request = double('request', :ip => '127.0.0.0')
|
22
|
-
env = double('env')
|
23
22
|
|
24
23
|
expect(TCellAgent).to receive(:configuration).and_return(configuration)
|
25
24
|
expect(configuration).to receive(:reverse_proxy).and_return(true)
|
26
25
|
expect(TCellAgent).to receive(:configuration).and_return(configuration)
|
27
26
|
expect(configuration).to receive(:reverse_proxy_ip_address_header).and_return('')
|
28
|
-
expect(request).to
|
29
|
-
expect(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR').and_return('')
|
30
|
-
expect(Rails.better_ip(request)).to eq('127.0.0.0')
|
27
|
+
expect(Rails.reverse_proxy_header(request)).to eq(nil)
|
31
28
|
end
|
32
29
|
end
|
33
30
|
|
34
31
|
context "with reverse_proxy_ip_address_header that doesn't exist" do
|
35
|
-
it '
|
32
|
+
it 'returns null' do
|
36
33
|
configuration = double('configuration')
|
37
|
-
request = double('request', :ip => '127.0.0.0')
|
34
|
+
request = double('request', :ip => '127.0.0.0', :env => {})
|
38
35
|
env = double('env')
|
39
36
|
|
40
37
|
expect(TCellAgent).to receive(:configuration).and_return(configuration)
|
@@ -45,7 +42,7 @@ module TCellAgent
|
|
45
42
|
)
|
46
43
|
expect(request).to receive(:env).and_return(env)
|
47
44
|
expect(env).to receive(:[]).with('HTTP_WEIRD_HTTP_PROXY_HEADER').and_return(nil)
|
48
|
-
expect(Rails.
|
45
|
+
expect(Rails.reverse_proxy_header(request)).to eq(nil)
|
49
46
|
end
|
50
47
|
end
|
51
48
|
|
@@ -57,13 +54,14 @@ module TCellAgent
|
|
57
54
|
|
58
55
|
expect(TCellAgent).to receive(:configuration).and_return(configuration)
|
59
56
|
expect(configuration).to receive(:reverse_proxy).and_return(true)
|
57
|
+
|
60
58
|
expect(TCellAgent).to receive(:configuration).and_return(configuration)
|
61
59
|
expect(configuration).to receive(:reverse_proxy_ip_address_header).and_return(
|
62
60
|
'X-Real-IP'
|
63
61
|
)
|
64
62
|
expect(request).to receive(:env).and_return(env)
|
65
63
|
expect(env).to receive(:[]).with('HTTP_X_REAL_IP').and_return('192.168.99.100')
|
66
|
-
expect(Rails.
|
64
|
+
expect(Rails.reverse_proxy_header(request)).to eq('192.168.99.100')
|
67
65
|
end
|
68
66
|
end
|
69
67
|
end
|
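Review bot: The removed assertion `expect(Rails.better_ip(request)).to eq('127.0.0.0')` was the only visible check that the client address falls back to `request.ip` when the proxy header is empty. The examples now assert only that `Rails.reverse_proxy_header(request)` returns `nil`, so the fallback is unpinned unless it is covered outside these hunks. Since this address feeds IP-based decisions, keep one example that asserts the final resolved IP for the empty-header and missing-header cases. The enclosing block is still `describe '.better_ip'` although every example calls `reverse_proxy_header`, and the titles say `'returns null'` where Ruby returns `nil`. In the "doesn't exist" context the `:env => {}` stub on the double is overridden by the later `expect(request).to receive(:env).and_return(env)` and can be dropped.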
@@ -1,13 +1,13 @@
|
|
1
1
|
require 'spec_helper'
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
class WrapperClass
|
6
|
-
include TCellAgent::CsrfExceptionReporter
|
3
|
+
class WrapperClass
|
4
|
+
include TCellAgent::CsrfExceptionReporter
|
7
5
|
|
8
|
-
|
9
|
-
|
6
|
+
def request; end
|
7
|
+
end
|
10
8
|
|
9
|
+
module TCellAgent
|
10
|
+
describe 'CsrfExceptionReporter' do
|
11
11
|
before(:all) do
|
12
12
|
@csrf_class = WrapperClass.new
|
13
13
|
end
|
@@ -127,10 +127,10 @@ module TCellAgent
|
|
127
127
|
end
|
128
128
|
|
129
129
|
context 'with a <HEAD> tag' do
|
130
|
-
it 'should
|
130
|
+
it 'should append script after <HEAD> tag' do
|
131
131
|
response = JSAgent.handle_js_agent_insert('SCRIPT', 'i am the <HEAD> response')
|
132
132
|
|
133
|
-
expect(response).to eq('i am the <HEAD> response')
|
133
|
+
expect(response).to eq('i am the <HEAD>SCRIPT response')
|
134
134
|
end
|
135
135
|
end
|
136
136
|
|
@@ -142,6 +142,14 @@ module TCellAgent
|
|
142
142
|
end
|
143
143
|
end
|
144
144
|
|
145
|
+
context 'with a <HEAD\n> tag' do
|
146
|
+
it 'should append script after <HEAD\n> tag' do
|
147
|
+
response = JSAgent.handle_js_agent_insert('SCRIPT', "i am the <HEAD\n> response")
|
148
|
+
|
149
|
+
expect(response).to eq("i am the <HEAD\n>SCRIPT response")
|
150
|
+
end
|
151
|
+
end
|
152
|
+
|
145
153
|
context 'with invalid parameters' do
|
146
154
|
context 'with nil response' do
|
147
155
|
it 'should return the unmodified response' do
|
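Review bot: Neither hunk adds a negative case for a tag that merely starts with `HEAD`. The new examples widen what `handle_js_agent_insert` accepts (uppercase `<HEAD>` and `<HEAD\n>`), and nothing visible here pins that `<HEADER>` is left alone. A matcher loosened to tolerate whitespace before `>` can easily start matching longer tag names, which would put the script at an unintended point in the page. Consider an example such as `it 'should not insert after a <HEADER> tag' do` that expects the response back unmodified, plus one for a head tag carrying attributes. The implementation is not part of this view, so the existing behaviour for both should be checked first.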