tcell_agent 2.3.0 → 2.5.1

data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb

@@ -15,12 +15,12 @@ describe 'Kernel' do
   end
 
   before(:all) do
-    @new_file_name = '/tmp/' + SecureRandom.uuid
+    @new_file_name = NEW_FILE_NAME
     @new_pathname = Pathname.new(@new_file_name)
   end
   describe '#open and ::open' do
     context 'empty path' do
-      it 'should raise an error' do
+      it 'raises an error' do
         expect do
           Kernel.open
         end.to raise_error(ArgumentError)
@@ -41,7 +41,7 @@ describe 'Kernel' do
         end.to raise_error(Errno::ENOENT)
       end
     end
-    context 'with a non-existent file, with filename not blocked for read/write' do
+    context 'with filename not blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
@@ -52,59 +52,84 @@ describe 'Kernel' do
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a pathname filename with mode w' do
-        it 'should create the file' do
-          Kernel.open(@new_pathname, 'w')
-          expect(File.exist?(@new_pathname)).to be_truthy
-          File.delete(@new_pathname)
 
-          open(@new_pathname, 'w')
-          expect(File.exist?(@new_pathname)).to be_truthy
-          File.delete(@new_pathname)
-        end
+      it 'creates the file when passed a pathname' do
+        Kernel.open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
+
+        open(@new_pathname, 'w')
+        expect(File.exist?(@new_pathname)).to be_truthy
+        File.delete(@new_pathname)
       end
-      context 'with a filename with mode w' do
-        it 'should create the file' do
-          Kernel.open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w')
-          expect(File.exist?(@new_file_name)).to be_truthy
-          File.delete(@new_file_name)
-        end
+      it 'creates the file when passed a string' do
+        Kernel.open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w')
+        expect(File.exist?(@new_file_name)).to be_truthy
+        File.delete(@new_file_name)
       end
-      context 'with a filename and mode w and file permissions 644' do
-        it 'should create the file with the correct permissions' do
-          Kernel.open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o644)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
-          File.delete(@new_file_name)
-        end
+      it 'creates the file with the permission 644' do
+        Kernel.open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o644)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+        File.delete(@new_file_name)
       end
-      context 'with a filename and mode w and file permissions 777' do
-        it 'should create the file with the correct permissions 755' do
-          Kernel.open(@new_file_name, 'w', 0o777)
-          expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
 
-          open(@new_file_name, 'w', 0o777)
+      it 'creates the file with the permission 755' do
+        Kernel.open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+
+        open(@new_file_name, 'w', 0o777)
+        expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+        File.delete(@new_file_name)
+      end
+
+      context 'using mode, perm, binmode', :skip_before do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+          expect(TCellAgent::Cmdi).not_to receive(:parse_command_from_open)
+        end
+
+        after :each do
           expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
-          File.delete(@new_file_name)
+          expect(@result.binmode?).to eq true
+
+          File.delete(NEW_FILE_NAME) if File.exist?(NEW_FILE_NAME)
         end
+
+        test_ruby2_ruby3_keywords(Kernel,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
+
+        test_ruby2_ruby3_keywords(Object,
+                                  'open',
+                                  [NEW_FILE_NAME, 'w', 0o755],
+                                  { :binmode => true },
+                                  nil)
       end
     end
-    context 'with a non-existent file, with filename blocked for read/write' do
+    context 'with filename blocked for read/write' do
       before do |test|
         unless test.metadata[:skip_before]
           expect(TCellAgent).to receive(:policy).with(
@@ -115,45 +140,39 @@ describe 'Kernel' do
         end
       end
 
-      it 'should still be able to execute OS commands', :skip_before do
+      it 'executes OS commands', :skip_before do
         result = Kernel.open('|echo test').read
         expect(result).to eq "test\n"
 
         result = open('|echo test').read
         expect(result).to eq "test\n"
       end
-      context 'with a filename with mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode w' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'w')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'w')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'w')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'w')
+        end.to raise_error(IOError)
       end
-      context 'with a filename and mode a' do
-        it 'should raise an error' do
-          expect do
-            Kernel.open(@new_file_name, 'a')
-          end.to raise_error(IOError)
+      it 'raises an IOError' do
+        expect do
+          Kernel.open(@new_file_name, 'a')
+        end.to raise_error(IOError)
 
-          expect do
-            open(@new_file_name, 'a')
-          end.to raise_error(IOError)
-        end
+        expect do
+          open(@new_file_name, 'a')
+        end.to raise_error(IOError)
       end
     end
   end
@@ -184,7 +203,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read/write' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)
@@ -211,7 +230,7 @@ describe 'Kernel' do
 
   describe '::readline and #readline' do
     context 'with a filename not blocked for read/write' do
-      it 'should be able to read the file' do
+      it 'reads the file' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy, @local_files_policy, @local_files_policy)
@@ -236,7 +255,7 @@ describe 'Kernel' do
       end
     end
     context 'with a filename blocked for read' do
-      it 'should not be able to read the file' do
+      it 'raises an IOError' do
         expect(TCellAgent).to receive(:policy).with(
           TCellAgent::PolicyTypes::LFI
         ).and_return(@local_files_policy, @local_files_policy)

data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb

@@ -145,6 +145,79 @@ module TCellAgent
           end
         end
       end
+
+      describe '.raise_if_block' do
+        context 'when passed a blocked path' do
+          it 'raises an error' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/blocked', 'Read'
+            ).and_return(true)
+
+            expect do
+              TCellAgent::Instrumentation::Lfi.raise_if_block('/blocked', 'Read')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'when passed a path not blocked' do
+          it 'returns nil' do
+            expect(TCellAgent::Instrumentation::Lfi).to receive(:block_file_access?).with(
+              '/not-blocked', 'Read'
+            ).and_return(false)
+
+            expect(TCellAgent::Instrumentation::Lfi.raise_if_block('/not-blocked', 'Read')).to eq nil
+          end
+        end
+      end
+
+      describe '.default_open_handler' do
+        it 'calls .raise_if_block' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'replaces the mode with override_mode' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode).with(
+            '/placeholder'
+          ).and_return(['/placeholder', 'Read'])
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'ReadWrite'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'ReadWrite')).to eq nil
+        end
+      end
+
+      describe '.argf_open_handler' do
+        it 'calls .extract_path_mode_argf' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:extract_path_mode_argf).and_return(
+            ['/placeholder', 'Read']
+          )
+
+          expect(TCellAgent::Instrumentation::Lfi.argf_open_handler).to eq nil
+        end
+      end
+      describe '.cmdi_open_handler' do
+        it 'behaves the similarly to default_open_handler' do
+          expect(TCellAgent::Instrumentation::Lfi).to receive(:raise_if_block).with(
+            '/placeholder', 'Read'
+          ).and_return(nil)
+
+          expect(TCellAgent::Instrumentation::Lfi.default_open_handler(['/placeholder'], 'Read')).to eq nil
+        end
+
+        it 'raises an error if command is blocked' do
+          expect(TCellAgent::Cmdi).to receive(:block_command?).with(
+            'ls'
+          ).and_return(true)
+
+          expect do
+            TCellAgent::Instrumentation::Lfi.cmdi_open_handler('|ls')
+          end.to raise_error(RuntimeError)
+        end
+      end
     end
   end
 end

data/spec/lib/tcell_agent/patches_spec.rb

@@ -94,7 +94,8 @@ module TCellAgent
               'session_id',
               'user_id',
               'transaction_id',
-              'http://test.com/'
+              'http://test.com/',
+              '0.0.0.0'
             )
             meta_data.get_dict = { 'paramater' => '<script>' }
             tcell_context = TCellAgent::Instrumentation::TCellData.new

data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -44,7 +43,7 @@ module TCellAgent
             expect(@policy.enabled).to eq(true)
 
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'Content-Security-Policy',
                  'value' => "frame-ancestors 'none'; report-uri https://input.tcell-preview.io/csp/430d?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id" }]

data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -23,7 +22,7 @@ module TCellAgent
             expect(native_agent).to_not receive(:get_headers)
 
             tcell_context = double('tcell_context')
-            policy.get_headers(tcell_context)
+            policy.get_headers('text/html', tcell_context)
           end
         end
 
@@ -65,7 +64,7 @@ module TCellAgent
             expect(@policy.enabled).to eq(true)
 
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'Content-Security-Policy', 'value' => 'test321' }]
             )
@@ -92,7 +91,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq(
                 [{ 'name' => 'Content-Security-Policy',
                    'value' => 'normalvalue; report-uri https://www.example.com/xys?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
@@ -121,7 +120,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq(
                 [{ 'name' => 'Content-Security-Policy',
                    'value' => 'normalvalue; report-uri https://www.example.com/1234567?sid=ab7074d0bf86c2884766d88b6ad9de4a&rid=route-id' }]
@@ -150,7 +149,7 @@ module TCellAgent
               expect(@policy.enabled).to eq(true)
 
               expect(
-                @policy.get_headers(@tcell_context)
+                @policy.get_headers('text/html', @tcell_context)
               ).to eq([])
             end
           end

data/spec/lib/tcell_agent/policies/patches_policy_spec.rb

@@ -78,6 +78,8 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', nil
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
@@ -88,6 +90,8 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', ''
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
@@ -98,20 +102,35 @@ module TCellAgent
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', '2.2.2.2'
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(false)
             end
           end
 
-          context 'request comes from non-blocked ip' do
-            it 'should not block request' do
+          context 'request comes from blocked ip' do
+            it 'should block request' do
               meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
                 'remote_address', '1.1.1.1'
               ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(2)
+              expect(@native_agent).not_to receive(:apply_patches).with(any_args)
               resp = @policy.block_request?(meta_data)
               expect(resp).to eq(true)
             end
           end
+
+          context 'request comes from suspcious ip' do
+            it 'should call apply_patches' do
+              meta_data = TCellAgent::Tests::MetaDataBuilder.new.update_attribute(
+                'remote_address', '1.1.1.1'
+              ).build
+              expect(@native_agent).to receive(:apply_suspicious_quick_check).with(any_args).and_return(1)
+              expect(@native_agent).to receive(:apply_patches).with(any_args).and_return('Blocked Response')
+              @policy.block_request?(meta_data)
+            end
+          end
         end
       end
     end

data/spec/lib/tcell_agent/policies/policies_manager_spec.rb

@@ -6,7 +6,7 @@ module TCellAgent
       assert_policy_state = proc do |policies, state|
         expect(policies.keys.size).to eq(10)
 
-        policies.values.each do |policy|
+        policies.each_value do |policy|
           next if policy.instance_of?(TCellAgent::Policies::LoginPolicy)
           next if policy.instance_of?(TCellAgent::Policies::SystemEnablements)
 

data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb

@@ -1,4 +1,3 @@
-
 require 'spec_helper'
 
 module TCellAgent
@@ -16,13 +15,7 @@ module TCellAgent
             ).update_attribute(
               'route_id', 'route-id'
             ).build
-          end
-
-          after(:each) do
-            TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
-          end
 
-          it 'should return csp header' do
             enablements = @native_agent.update_policies(
               {
                 'secure-headers' => {
@@ -41,14 +34,26 @@ module TCellAgent
 
             @policy = HeadersPolicy.new(@native_agent, enablements)
             expect(@policy.enabled).to eq(true)
+          end
 
+          after(:each) do
+            TCellAgent::Rust::NativeAgent.free_agent(@native_agent.agent_ptr)
+          end
+
+          it 'should return csp header' do
             expect(
-              @policy.get_headers(@tcell_context)
+              @policy.get_headers('text/html', @tcell_context)
             ).to eq(
               [{ 'name' => 'X-Content-Type-Options',
                  'value' => 'nosniff' }]
             )
           end
+
+          it 'should not return csp header on json' do
+            expect(
+              @policy.get_headers('application/json', @tcell_context)
+            ).to eq([])
+          end
         end
       end
     end

data/spec/lib/tcell_agent/rails/better_ip_spec.rb

@@ -4,37 +4,34 @@ module TCellAgent
   module Utils
     describe '.better_ip' do
       context 'with reverse_proxy off' do
-        it 'should return the normal ip' do
+        it 'returns null' do
           configuration = double('configuration')
           request = double('request', :ip => '127.0.0.0')
 
           expect(TCellAgent).to receive(:configuration).and_return(configuration)
           expect(configuration).to receive(:reverse_proxy).and_return(false)
-          expect(Rails.better_ip(request)).to eq('127.0.0.0')
+          expect(Rails.reverse_proxy_header(request)).to eq(nil)
         end
       end
 
       context 'with reverse_proxy on' do
         context 'with empty reverse_proxy_ip_address_header' do
-          it 'should return normal ip' do
+          it 'returns null' do
             configuration = double('configuration')
             request = double('request', :ip => '127.0.0.0')
-            env = double('env')
 
             expect(TCellAgent).to receive(:configuration).and_return(configuration)
             expect(configuration).to receive(:reverse_proxy).and_return(true)
             expect(TCellAgent).to receive(:configuration).and_return(configuration)
             expect(configuration).to receive(:reverse_proxy_ip_address_header).and_return('')
-            expect(request).to receive(:env).and_return(env)
-            expect(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR').and_return('')
-            expect(Rails.better_ip(request)).to eq('127.0.0.0')
+            expect(Rails.reverse_proxy_header(request)).to eq(nil)
           end
         end
 
         context "with reverse_proxy_ip_address_header that doesn't exist" do
-          it 'should return normal ip' do
+          it 'returns null' do
             configuration = double('configuration')
-            request = double('request', :ip => '127.0.0.0')
+            request = double('request', :ip => '127.0.0.0', :env => {})
             env = double('env')
 
             expect(TCellAgent).to receive(:configuration).and_return(configuration)
@@ -45,7 +42,7 @@ module TCellAgent
             )
             expect(request).to receive(:env).and_return(env)
             expect(env).to receive(:[]).with('HTTP_WEIRD_HTTP_PROXY_HEADER').and_return(nil)
-            expect(Rails.better_ip(request)).to eq('127.0.0.0')
+            expect(Rails.reverse_proxy_header(request)).to eq(nil)
           end
         end
 
@@ -57,13 +54,14 @@ module TCellAgent
 
             expect(TCellAgent).to receive(:configuration).and_return(configuration)
             expect(configuration).to receive(:reverse_proxy).and_return(true)
+
             expect(TCellAgent).to receive(:configuration).and_return(configuration)
             expect(configuration).to receive(:reverse_proxy_ip_address_header).and_return(
               'X-Real-IP'
             )
             expect(request).to receive(:env).and_return(env)
             expect(env).to receive(:[]).with('HTTP_X_REAL_IP').and_return('192.168.99.100')
-            expect(Rails.better_ip(request)).to eq('192.168.99.100')
+            expect(Rails.reverse_proxy_header(request)).to eq('192.168.99.100')
           end
         end
       end

data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb

@@ -1,13 +1,13 @@
 require 'spec_helper'
 
-module TCellAgent
-  describe 'CsrfExceptionReporter' do
-    class WrapperClass
-      include TCellAgent::CsrfExceptionReporter
+class WrapperClass
+  include TCellAgent::CsrfExceptionReporter
 
-      def request; end
-    end
+  def request; end
+end
 
+module TCellAgent
+  describe 'CsrfExceptionReporter' do
     before(:all) do
       @csrf_class = WrapperClass.new
     end

data/spec/lib/tcell_agent/rails/dlp_spec.rb

@@ -4,6 +4,7 @@ module TCellAgent
   module DLP
     class SomeColumn
       attr_accessor :name
+
       def initialize(name = nil)
         @name = name
       end

data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb

@@ -127,10 +127,10 @@ module TCellAgent
         end
 
         context 'with a <HEAD> tag' do
-          it 'should not append script after <HEAD> tag' do
+          it 'should append script after <HEAD> tag' do
             response = JSAgent.handle_js_agent_insert('SCRIPT', 'i am the <HEAD> response')
 
-            expect(response).to eq('i am the <HEAD> response')
+            expect(response).to eq('i am the <HEAD>SCRIPT response')
           end
         end
 
@@ -142,6 +142,14 @@ module TCellAgent
           end
         end
 
+        context 'with a <HEAD\n> tag' do
+          it 'should append script after <HEAD\n> tag' do
+            response = JSAgent.handle_js_agent_insert('SCRIPT', "i am the <HEAD\n> response")
+
+            expect(response).to eq("i am the <HEAD\n>SCRIPT response")
+          end
+        end
+
         context 'with invalid parameters' do
           context 'with nil response' do
             it 'should return the unmodified response' do

data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb

@@ -13,7 +13,8 @@ module TCellAgent
               'session_id',
               'user_id',
               'transaction_id',
-              'http://test.com/'
+              'http://test.com/',
+              '0.0.0.0'
             )
           end