tcell_agent 0.2.10 → 0.2.11

Sign up to get free protection for your applications and to get access to all the features.
Files changed (14) hide show
  1. checksums.yaml +4 -4
  2. data/lib/tcell_agent/configuration.rb +75 -10
  3. data/lib/tcell_agent/instrumentation.rb +3 -0
  4. data/lib/tcell_agent/logger.rb +2 -2
  5. data/lib/tcell_agent/rails/dlp.rb +82 -43
  6. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +5 -4
  7. data/lib/tcell_agent/sensor_events/app_sensor.rb +44 -2
  8. data/lib/tcell_agent/servers/puma.rb +7 -2
  9. data/lib/tcell_agent/version.rb +1 -1
  10. data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +1 -1
  11. data/spec/lib/tcell_agent/configuration_spec.rb +371 -0
  12. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +7 -7
  13. data/spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb +289 -0
  14. metadata +6 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 4acf90271f7e52d11433efda8b0345eac7c10267
4
- data.tar.gz: 9b409662d96c032d94aa4f4fc1dc02cea5cbd752
3
+ metadata.gz: d554725aca1909bfd60fe8c8eaea0a31d9f81db4
4
+ data.tar.gz: 49d5a1f379e3fe812f705bf8455574d14c5af44c
5
5
  SHA512:
6
- metadata.gz: 41a77673225c1970dddfb9341db54b2a7834984f5d48eb2242125ffa4d32e1869bac719027496c2aa142f09c76a450a3cf0fd252784c8dbd5c710331068e0881
7
- data.tar.gz: c6e6d7b2c23da1d4866181521a5c803589a3753873740e7bc31c9b994a41ac3982ee36283a0810d8098091c06218f52703e9363eef626edca0cad596e939067d
6
+ metadata.gz: ba72d99a1a9d4b280010f35ef9c748baa8127445afe5a24f717819a3e10655d5a179a055bf777a2f492d2114fb4a05bfad4f34f597e322085426bfc70e2720bc
7
+ data.tar.gz: d9a76ef1c4ba6037d6f13bb43fbf01895d29e625da2cc3174767e1cf1edee54d9ee4bfe2bd55441fe3587ce21db40a578a1156566cd98f6f2982d8be40bf7689
data/lib/tcell_agent/configuration.rb CHANGED
@@ -1,6 +1,7 @@
1
1
  # See the file "LICENSE" for the full license governing this code.
2
2
  require 'fileutils'
3
3
  require 'json'
4
+ require 'yaml'
4
5
  require 'socket'
5
6
  require 'securerandom'
6
7
 
@@ -15,7 +16,7 @@ module TCellAgent
15
16
  end
16
17
 
17
18
  class Configuration
18
- attr_accessor :version, :app_id, :api_key, :hmac_key,
19
+ attr_accessor :version, :app_id, :api_key, :hmac_key,
19
20
  :tcell_api_url, :tcell_input_url,
20
21
  :logging_options,
21
22
  :fetch_policies_from_tcell, :instrument_for_events,
@@ -25,13 +26,18 @@ module TCellAgent
25
26
  :uuid,
26
27
  :company,
27
28
  :event_batch_size_limit, :event_time_limit_seconds,
28
- :default_log_filename,
29
+ :log_filename,
29
30
  :base_dir,
30
31
  :cache_filename,
31
32
  :js_agent_api_base_url,
32
33
  :js_agent_url,
33
34
  :raise_exceptions,
34
- :allow_unencrypted_appsensor_payloads
35
+ :allow_unencrypted_appsensor_payloads,
36
+ :blacklisted_params,
37
+ :whitelisted_params,
38
+ :whitelist_present,
39
+ :config_filename,
40
+ :max_data_ex_db_records_per_request
35
41
 
36
42
  attr_accessor :disable_all,
37
43
  :enabled,
@@ -79,16 +85,23 @@ module TCellAgent
79
85
  @enable_instrumentation = true
80
86
  @enable_intercept_requests = true
81
87
 
82
- @cache_filename = "tcell/cache/tcell_agent.cache"
83
- @default_log_filename = "tcell/logs/tcell_agent.log"
88
+
89
+ @agent_home_dir = File.join(Dir.getwd, "tcell")
90
+ @agent_log_dir = File.join(@agent_home_dir, "logs")
91
+ @config_filename = File.join(Dir.getwd, filename)
84
92
 
85
93
  @event_batch_size_limit = 50
86
94
  @event_time_limit_seconds = 15
87
95
 
88
96
  @raise_exceptions = false
89
97
 
98
+ @max_data_ex_db_records_per_request = 1000
99
+
90
100
  read_config_using_env
91
- read_config_from_file(filename)
101
+ read_config_from_file(@config_filename)
102
+
103
+ @cache_filename = File.join(@agent_home_dir, "cache", "tcell_agent.cache")
104
+ @log_filename = File.join(@agent_log_dir, "tcell_agent.log")
92
105
 
93
106
  # Because ENV can override this one
94
107
  env_unencrypted_firewall =
@@ -115,11 +128,13 @@ module TCellAgent
115
128
  @uuid = SecureRandom.uuid
116
129
 
117
130
  FileUtils::mkdir_p File.dirname(@cache_filename)
118
- if @logging_options and @logging_options["filename"]
131
+ if @logging_options && @logging_options["filename"]
119
132
  FileUtils::mkdir_p File.dirname(@logging_options["filename"])
120
133
  else
121
- FileUtils::mkdir_p File.dirname(@default_log_filename)
134
+ FileUtils::mkdir_p File.dirname(@log_filename)
122
135
  end
136
+
137
+ load_app_sensor_restrictions
123
138
  end
124
139
 
125
140
  def cache_filename_with_app_id
@@ -139,6 +154,10 @@ module TCellAgent
139
154
  @tcell_input_url = ENV["TCELL_INPUT_URL"]
140
155
  @demomode = ENV["TCELL_DEMOMODE"] || @demomode
141
156
 
157
+ @agent_home_dir = ENV["TCELL_AGENT_HOME"] || @agent_home_dir
158
+ @agent_log_dir = ENV["TCELL_AGENT_LOG_DIR"] || File.join(@agent_home_dir, "logs")
159
+ @config_filename = ENV["TCELL_AGENT_CONFIG"] || @config_filename
160
+
142
161
  if @demomode
143
162
  @event_batch_size_limit = 2
144
163
  @event_time_limit_seconds = 5
@@ -151,7 +170,7 @@ module TCellAgent
151
170
  if File.file?(filename)
152
171
  #puts "tCell.io: Loading from file"
153
172
  begin
154
- config_text = open(filename).read
173
+ config_text = File.open(filename).read
155
174
  config = JSON.parse(config_text)
156
175
  if (config["version"] == 1)
157
176
  # Required
@@ -189,6 +208,8 @@ module TCellAgent
189
208
  @allow_unencrypted_appsensor_payloads = app_data.fetch('allow_unencrypted_appsensor_payloads', @allow_unencrypted_appsensor_payloads)
190
209
  @allow_unencrypted_appsensor_payloads = app_data.fetch('allow_unencrypted_appfirewall_payloads', @allow_unencrypted_appsensor_payloads)
191
210
 
211
+ data_exposure = app_data.fetch('data_exposure', {})
212
+ @max_data_ex_db_records_per_request = data_exposure.fetch('max_data_ex_db_records_per_request', @max_data_ex_db_records_per_request)
192
213
 
193
214
  @host_identifier = @host_identifier || app_data.fetch("host_identifier", @host_identifier)
194
215
  if (@host_identifier == nil)
@@ -218,7 +239,7 @@ module TCellAgent
218
239
  @event_batch_size_limit = 2
219
240
  @event_time_limit_seconds = 5
220
241
  end
221
- else
242
+ else
222
243
  puts " ********* ********* ********* *********"
223
244
  puts "* tCell.io *"
224
245
  puts "* Unsupported config file version *"
@@ -233,6 +254,50 @@ module TCellAgent
233
254
  end #begin
234
255
  end # filename exist
235
256
  end #def read
257
+
258
+ def load_app_sensor_restrictions
259
+ payloads_config_filename = ENV["TCELL_AGENT_PAYLOADS_CONFIG"] || "config/tcell_agent_payloads.config"
260
+
261
+ @blacklisted_params = {
262
+ "token" => true,
263
+ "client_secret" => true,
264
+ "password" => true,
265
+ "passwd" => true,
266
+ "refresh_token" => true,
267
+ "pf.pass" => true,
268
+ "user.password" => true
269
+ }
270
+ @whitelisted_params = {}
271
+ @whitelist_present = false
272
+
273
+ if File.file?(payloads_config_filename)
274
+ begin
275
+ payloads_config = YAML.load(File.open(payloads_config_filename).read)
276
+ if payloads_config.has_key?("blacklisted")
277
+ @blacklisted_params = {}
278
+ payloads_config["blacklisted"].each do |param_name|
279
+ @blacklisted_params[param_name.downcase] = true
280
+ end
281
+ end
282
+ if payloads_config.has_key?("whitelisted")
283
+ @whitelist_present = true
284
+ payloads_config["whitelisted"].each do |param_name|
285
+ @whitelisted_params[param_name.downcase] = true
286
+ end
287
+ end
288
+
289
+ rescue Exception => e
290
+ @allow_unencrypted_appsensor_payloads = false
291
+
292
+ puts " ********* ********* ********* **********"
293
+ puts "* tCell.io *"
294
+ puts "* Could not load payloads config file *"
295
+ puts " ********* ********* ********* **********"
296
+ puts e
297
+ end
298
+ end
299
+ end
300
+
236
301
  end # class
237
302
 
238
303
  TCellAgent.configuration ||= TCellAgent::Configuration.new
data/lib/tcell_agent/instrumentation.rb CHANGED
@@ -5,6 +5,7 @@ require 'tcell_agent/logger'
5
5
  require 'tcell_agent/configuration'
6
6
  require 'tcell_agent/version'
7
7
  require 'date'
8
+ require 'cgi'
8
9
 
9
10
  module TCellAgent
10
11
  module Instrumentation
@@ -126,6 +127,7 @@ module TCellAgent
126
127
  session_id_actions.action_id
127
128
  ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
128
129
  )
130
+
129
131
  end
130
132
  end
131
133
  end
@@ -133,6 +135,7 @@ module TCellAgent
133
135
  replace_filters = (context_filters.select {|context_filter| context_filter.rule.body_redact == true })
134
136
  event_filters = (context_filters.select {|context_filter| (context_filter.rule.body_redact != true && context_filter.rule.body_event == true) })
135
137
  send_flag = TCellData.filterx(body, event_filters.length > 0, replace_filters.length > 0, term)
138
+ send_flag = send_flag || TCellData.filterx(body, event_filters.length > 0, replace_filters.length > 0, CGI.escapeHTML(term))
136
139
  if send_flag
137
140
  (replace_filters + event_filters).each { |filter|
138
141
  base_event = TCellAgent::SensorEvents::DlpEvent.new(
data/lib/tcell_agent/logger.rb CHANGED
@@ -34,7 +34,7 @@ module TCellAgent
34
34
  if logging_options && logging_options["enabled"]
35
35
  FileUtils.mkdir_p 'tcell/logs'
36
36
  level = loggingLevelFromString(logging_options["level"])
37
- logging_file = logging_options["filename"] || TCellAgent.configuration.default_log_filename
37
+ logging_file = logging_options["filename"] || TCellAgent.configuration.log_filename
38
38
  # limit the total log file to about 9 * 5 = 45 mb
39
39
  @logger = Logger.new(logging_file, shift_age=9, shift_size=5242880)
40
40
  @logger.level = level
@@ -47,7 +47,7 @@ module TCellAgent
47
47
  return @logger
48
48
  end
49
49
 
50
- logger = Logger.new(TCellAgent.configuration.default_log_filename)
50
+ logger = Logger.new(TCellAgent.configuration.log_filename)
51
51
  logger.level = Logger::ERROR
52
52
  return logger
53
53
  end
data/lib/tcell_agent/rails/dlp.rb CHANGED
@@ -51,58 +51,97 @@ require 'thread'
51
51
  require 'tcell_agent/configuration'
52
52
 
53
53
 
54
-
55
- module TCellAgent
56
- class MyRailtie < Rails::Railtie
57
- initializer 'activeservice.autoload', :after => :set_autoload_paths do |app|
58
- def database_exists?
59
- database_yaml = "#{Rails.root}/config/database.yml"
60
- File.exists?database_yaml
61
- end
62
-
63
- if (database_exists?)
64
- class ActiveRecord::Base
65
- # after_initialize do |user|
66
- # puts "You have initialized an object!"
67
- # puts "ASDF"
68
- # end
69
- after_find do |record|
70
- if TCellAgent.configuration.enabled &&
71
- TCellAgent.configuration.should_instrument? &&
72
- TCellAgent.configuration.should_intercept_requests?
73
-
74
- database_name = self.class.connection_config().fetch(:database,"*").split('/').last
75
- dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DataLoss)
76
- if dlp_policy
77
- request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(Thread.current.object_id, nil)
78
- if request_env
79
- tcell_context = request_env[TCellAgent::Instrumentation::Rails::Middleware::TCELL_ID]
80
- if tcell_context
81
- model = record.class
82
- column_names = model.columns.map { |col| col.name }
83
- if (dlp_policy.database_discovery_enabled)
84
- TCellAgent.discover_database_fields(tcell_context.route_id, database_name,"*",model.table_name, column_names)
85
- end
86
- model.columns.each do |col|
87
- #puts "#{model.table_name} .. #{col.name}"
88
- action_objs = dlp_policy.get_actions_for_table(database_name, "*", model.table_name, col.name, tcell_context.route_id)
89
- if action_objs
90
- action_objs.each do |action_obj|
91
- tcell_context.add_response_db_filter(record[col.name.to_sym], action_obj, database_name, "*", model.table_name, col.name)
54
+ module TCellAgent
55
+ class MyRailtie < Rails::Railtie
56
+ initializer 'activeservice.autoload', :after => :set_autoload_paths do |app|
57
+
58
+ if defined?(ActiveRecord)
59
+ ActiveRecord::Relation.class_eval do
60
+
61
+ alias_method :original_exec_queries, :exec_queries
62
+ def exec_queries
63
+ @records = original_exec_queries
64
+
65
+ TCellAgent::Instrumentation.safe_block("Running DLP on query") do
66
+ if @records.size > 0
67
+
68
+ if TCellAgent.configuration.enabled &&
69
+ TCellAgent.configuration.should_instrument? &&
70
+ TCellAgent.configuration.should_intercept_requests?
71
+
72
+ dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DataLoss)
73
+
74
+ if dlp_policy
75
+ request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(Thread.current.object_id, nil)
76
+
77
+ if request_env
78
+ tcell_context = request_env[TCellAgent::Instrumentation::Rails::Middleware::TCELL_ID]
79
+
80
+ if tcell_context
81
+ first_record = @records.first
82
+ database_name = first_record.class.connection_config().fetch(:database,"*").split('/').last
83
+ model = first_record.class
84
+ column_names = model.columns.map { |col| col.name }
85
+ table_name = model.table_name
86
+
87
+ if dlp_policy.database_discovery_enabled
88
+ TCellAgent.discover_database_fields(
89
+ tcell_context.route_id,
90
+ database_name,
91
+ "*",
92
+ table_name,
93
+ column_names
94
+ )
95
+ end
96
+
97
+ column_name_to_rules = first_record.attributes.keys.inject({}) do |memo, column_name|
98
+ memo[column_name] = dlp_policy.get_actions_for_table(
99
+ database_name,
100
+ "*",
101
+ table_name,
102
+ column_name,
103
+ tcell_context.route_id
104
+ )
105
+
106
+ memo
107
+ end
108
+
109
+ if @records.size > TCellAgent.configuration.max_data_ex_db_records_per_request
110
+ TCellAgent.logger.warn("Route (#{tcell_context.route_id}) retrieved too many records")
111
+ end
112
+
113
+ @records[0...TCellAgent.configuration.max_data_ex_db_records_per_request].each do |record|
114
+ column_name_to_rules.each do |column_name, rules|
115
+ if rules
116
+ rules.each do |rule|
117
+ tcell_context.add_response_db_filter(
118
+ record[column_name.to_sym],
119
+ rule,
120
+ database_name,
121
+ "*",
122
+ table_name,
123
+ column_name
124
+ )
125
+ end
126
+ end
127
+ end
128
+ end
129
+ end
130
+ end
92
131
  end
93
132
  end
94
133
  end
95
134
  end
135
+
136
+ @records
96
137
  end
97
- end # /if dlp_policy
98
- end # /enabled
99
- end # /after_find
100
- end # /class
101
- end
102
138
 
139
+ end
103
140
  end
141
+
104
142
  end
105
143
  end
144
+ end
106
145
 
107
146
 
108
147
 
data/lib/tcell_agent/rails/middleware/headers_middleware.rb CHANGED
@@ -145,18 +145,19 @@ module TCellAgent
145
145
  rack_response = Rack::Response.new(response)
146
146
 
147
147
  if appsensor_policy && appsensor_policy.enabled
148
- event = TCellAgent::SensorEvents::TCellAppSensorEventProcessor.new
148
+ event = TCellAgent::SensorEvents::TCellAppSensorEventProcessor.new
149
149
  event.request_headers = request.env
150
150
  event.request_content_length = (request.content_length || "0").to_i
151
151
  event.response_content_length = (rack_response.length || "0").to_i
152
+ event.request_content_type = request.content_type
152
153
  event.remote_addr = request.ip
153
- event.uri = request.fullpath
154
+ event.uri = "#{request.base_url}#{request.fullpath}"
154
155
  event.get_params = request.GET
155
156
  event.post_params = request.POST
157
+ event.request_body = request.body.gets
156
158
  event.cookies = request.cookies
157
159
  event.request_method = request.request_method
158
-
159
- request_body = request.body
160
+
160
161
  event.request_size = event.request_content_length
161
162
  #status, headers, active_response = response
162
163
  #if active_response.class != ActionDispatch::Response
data/lib/tcell_agent/sensor_events/app_sensor.rb CHANGED
@@ -54,20 +54,33 @@ module TCellAgent
54
54
  end
55
55
  end
56
56
  class TCellAppSensorEventProcessor < TCellSensorEvent
57
- attr_accessor :request_headers, :request_size, :remote_addr,
57
+ attr_accessor :request_headers, :request_size, :remote_addr,
58
58
  :uri, :get_params, :post_params, :cookies,
59
59
  :request_content_length, :request_content_type,
60
- :request_method
60
+ :request_method, :request_body
61
61
  attr_accessor :status_code, :response_headers,
62
62
  :response_content_length,
63
63
  :route_id, :transaction_id, :session_id, :user_id
64
+
64
65
  def initialize
65
66
  @request_content_length=0
66
67
  @response_content_length = 0
67
68
  @send = false
69
+ @body_params = nil
68
70
  end
71
+
69
72
  def appsensor_event(dp, param, data, payload=nil)
70
73
  TCellAgent::Instrumentation.safe_block("AppSensor Sending Event") {
74
+ unless payload.nil?
75
+ if TCellAgent.configuration.blacklisted_params.has_key?(param.downcase)
76
+ payload = "BLACKLISTED"
77
+
78
+ elsif TCellAgent.configuration.whitelist_present &&
79
+ !TCellAgent.configuration.whitelisted_params.has_key?(param.downcase)
80
+ payload = "NOT_WHITELISTED"
81
+ end
82
+ end
83
+
71
84
  event = TCellAgent::SensorEvents::TCellAppSensorEvent.new(
72
85
  @uri,
73
86
  dp,
@@ -84,6 +97,7 @@ module TCellAgent
84
97
  TCellAgent.send_event(event)
85
98
  }
86
99
  end
100
+
87
101
  def loop_params_hash(method, param_hash, prefix, &block)
88
102
  param_hash.each do |param_name, param_value|
89
103
  if param_value && param_value.is_a?(Hash)
@@ -95,6 +109,7 @@ module TCellAgent
95
109
  end
96
110
  end
97
111
  end
112
+
98
113
  def for_params(&block)
99
114
  if @get_params
100
115
  self.loop_params_hash('get', @get_params, nil, &block)
@@ -102,13 +117,40 @@ module TCellAgent
102
117
  if @post_params
103
118
  self.loop_params_hash('post', @post_params, nil, &block)
104
119
  end
120
+ if body_params.length > 0
121
+ self.loop_params_hash('body', body_params, nil, &block)
122
+ end
105
123
  end
124
+
106
125
  def for_get_params(&block)
107
126
  if @get_params
108
127
  self.loop_params_hash('get', @get_params, nil, &block)
109
128
  end
110
129
  end
111
130
 
131
+ def body_params
132
+ if @body_params
133
+ @body_params
134
+
135
+ elsif @request_content_length > 2000000
136
+ @body_params = {}
137
+
138
+ else
139
+ if @request_content_type =~ %r{application/json}i && @request_body
140
+ begin
141
+ @body_params = JSON.parse(@request_body)
142
+ rescue
143
+ TCellAgent.logger.debug("JSON body parameter parsing failed")
144
+ @body_params = {}
145
+ end
146
+ else
147
+ @body_params = {}
148
+ end
149
+
150
+ @body_params
151
+ end
152
+ end
153
+
112
154
  def test_response_size
113
155
  if (@response_content_length && @response_content_length > TCellAgent::Policies::AppSensorPolicy::MAX_NORMAL_RESPONSE_BYTES)
114
156
  appsensor_event(TCellAgent::Policies::AppSensorPolicy::DP_UNUSUAL_RESPONSE_SIZE, response_content_length.to_s, nil)
data/lib/tcell_agent/servers/puma.rb CHANGED
@@ -35,7 +35,13 @@ if defined?(Puma.cli_config)
35
35
 
36
36
  # Runs initial instrumentation only once on the master process
37
37
  puma_server_starting = Proc.new { TCellAgent.run_instrumentation("Puma Cluster Mode") }
38
- Puma.cli_config.options[:before_fork].push(puma_server_starting)
38
+
39
+ # before_fork was added in Puma v2.13.0
40
+ if Puma.cli_config.options[:before_fork]
41
+ Puma.cli_config.options[:before_fork].push(puma_server_starting)
42
+ else
43
+ Puma.cli_config.options[:before_fork] = [puma_server_starting]
44
+ end
39
45
 
40
46
  # Each puma worker still needs the agent started but no need to run
41
47
  # initial instrumentation again
@@ -58,4 +64,3 @@ if defined?(Puma.cli_config)
58
64
 
59
65
  end
60
66
  end
61
-
data/lib/tcell_agent/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # See the file "LICENSE" for the full license governing this code.
2
2
 
3
3
  module TCellAgent
4
- VERSION = "0.2.10"
4
+ VERSION = "0.2.11"
5
5
  end
data/spec/lib/tcell_agent/agent/policy_manager_spec.rb CHANGED
@@ -79,7 +79,7 @@ module TCellAgent
79
79
  end
80
80
 
81
81
  context "with 10 processes updating the cached file" do
82
- it "should update the cached file with all updates" do
82
+ xit "should update the cached file with all updates" do
83
83
  processes = 5.times.map do |process_number|
84
84
  ForkBreak::Process.new do |breakpoints|
85
85
  original_dump = JSON.method(:dump)
data/spec/lib/tcell_agent/configuration_spec.rb ADDED
@@ -0,0 +1,371 @@
1
+ require 'spec_helper'
2
+
3
+ module TCellAgent
4
+
5
+ describe Configuration do
6
+ describe "#load_app_sensor_restrictions" do
7
+ before(:each) do
8
+ @config_file = double("config", read: {
9
+ version: 1,
10
+ applications: [
11
+ {
12
+ allow_unencrypted_appsensor_payloads: true
13
+ }
14
+ ]
15
+ }.to_json)
16
+ end
17
+
18
+ context "with no payloads file present" do
19
+ it "should set blacklist to default params and whitelist to empty" do
20
+ expect(File).to receive(:file?).with(
21
+ File.join(Dir.getwd, "config/tcell_agent.config")
22
+ ).and_return(true)
23
+ expect(File).to receive(:open).with(
24
+ File.join(Dir.getwd, "config/tcell_agent.config")
25
+ ).and_return(@config_file)
26
+ expect(File).to receive(:file?).with(
27
+ "config/tcell_agent_payloads.config"
28
+ ).and_return(false)
29
+ expect(File).to_not receive(:open)
30
+ configuration = TCellAgent::Configuration.new
31
+
32
+ expect(configuration.allow_unencrypted_appsensor_payloads).to eq(true)
33
+ expect(configuration.blacklisted_params).to eq({
34
+ "token" => true,
35
+ "client_secret" => true,
36
+ "password" => true,
37
+ "passwd" => true,
38
+ "refresh_token" => true,
39
+ "pf.pass" => true,
40
+ "user.password" => true
41
+ })
42
+ expect(configuration.whitelisted_params).to eq({})
43
+ expect(configuration.whitelist_present).to eq(false)
44
+ end
45
+ end
46
+
47
+ context "with a payloads file present" do
48
+ context "with a malformed payloads file" do
49
+ it "should set blacklist to default params and whitelist to empty" do
50
+ payloads_file = double("payloads", read: "{ whitelist: { test } ")
51
+ expect(File).to receive(:file?).with(
52
+ File.join(Dir.getwd, "config/tcell_agent.config")
53
+ ).and_return(true)
54
+ expect(File).to receive(:open).with(
55
+ File.join(Dir.getwd, "config/tcell_agent.config")
56
+ ).and_return(@config_file)
57
+ expect(File).to receive(:file?).with("config/tcell_agent_payloads.config").and_return(true)
58
+ expect(File).to receive(:open).with("config/tcell_agent_payloads.config").and_return(payloads_file)
59
+ configuration = TCellAgent::Configuration.new
60
+
61
+ expect(configuration.allow_unencrypted_appsensor_payloads).to eq(false)
62
+ expect(configuration.blacklisted_params).to eq({
63
+ "token" => true,
64
+ "client_secret" => true,
65
+ "password" => true,
66
+ "passwd" => true,
67
+ "refresh_token" => true,
68
+ "pf.pass" => true,
69
+ "user.password" => true
70
+ })
71
+ expect(configuration.whitelisted_params).to eq({})
72
+ expect(configuration.whitelist_present).to eq(false)
73
+ end
74
+ end
75
+
76
+ context "with a payloads file" do
77
+ context "with empty json" do
78
+ it "should set blacklist to default params and whitelist to empty" do
79
+ payloads_file = double("payloads", read: "{}")
80
+ expect(File).to receive(:file?).with(
81
+ File.join(Dir.getwd, "config/tcell_agent.config")
82
+ ).and_return(true)
83
+ expect(File).to receive(:open).with(
84
+ File.join(Dir.getwd, "config/tcell_agent.config")
85
+ ).and_return(@config_file)
86
+ expect(File).to receive(:file?).with("config/tcell_agent_payloads.config").and_return(true)
87
+ expect(File).to receive(:open).with("config/tcell_agent_payloads.config").and_return(payloads_file)
88
+ configuration = TCellAgent::Configuration.new
89
+
90
+ expect(configuration.allow_unencrypted_appsensor_payloads).to eq(true)
91
+ expect(configuration.blacklisted_params).to eq({
92
+ "token" => true,
93
+ "client_secret" => true,
94
+ "password" => true,
95
+ "passwd" => true,
96
+ "refresh_token" => true,
97
+ "pf.pass" => true,
98
+ "user.password" => true
99
+ })
100
+ expect(configuration.whitelisted_params).to eq({})
101
+ expect(configuration.whitelist_present).to eq(false)
102
+ end
103
+ end
104
+
105
+ context "with blacklisted present" do
106
+ it "should set blacklist but whitelist is empty" do
107
+ payloads_file = double("payloads", read:{blacklisted:["passwd"]}.to_json)
108
+ expect(File).to receive(:file?).with(
109
+ File.join(Dir.getwd, "config/tcell_agent.config")
110
+ ).and_return(true)
111
+ expect(File).to receive(:open).with(
112
+ File.join(Dir.getwd, "config/tcell_agent.config")
113
+ ).and_return(@config_file)
114
+ expect(File).to receive(:file?).with("config/tcell_agent_payloads.config").and_return(true)
115
+ expect(File).to receive(:open).with("config/tcell_agent_payloads.config").and_return(payloads_file)
116
+ configuration = TCellAgent::Configuration.new
117
+
118
+ expect(configuration.allow_unencrypted_appsensor_payloads).to eq(true)
119
+ expect(configuration.blacklisted_params).to eq({"passwd" => true})
120
+ expect(configuration.whitelisted_params).to eq({})
121
+ expect(configuration.whitelist_present).to eq(false)
122
+ end
123
+ end
124
+
125
+ context "with whitelist present" do
126
+ it "should set whitelist and blacklist to default params" do
127
+ payloads_file = double("payloads", read: {whitelisted: ["passwd"]}.to_json)
128
+ expect(File).to receive(:file?).with(
129
+ File.join(Dir.getwd, "config/tcell_agent.config")
130
+ ).and_return(true)
131
+ expect(File).to receive(:open).with(
132
+ File.join(Dir.getwd, "config/tcell_agent.config")
133
+ ).and_return(@config_file)
134
+ expect(File).to receive(:file?).with("config/tcell_agent_payloads.config").and_return(true)
135
+ expect(File).to receive(:open).with("config/tcell_agent_payloads.config").and_return(payloads_file)
136
+ configuration = TCellAgent::Configuration.new
137
+
138
+ expect(configuration.allow_unencrypted_appsensor_payloads).to eq(true)
139
+ expect(configuration.blacklisted_params).to eq({
140
+ "token" => true,
141
+ "client_secret" => true,
142
+ "password" => true,
143
+ "passwd" => true,
144
+ "refresh_token" => true,
145
+ "pf.pass" => true,
146
+ "user.password" => true
147
+ })
148
+ expect(configuration.whitelisted_params).to eq({"passwd" => true})
149
+ expect(configuration.whitelist_present).to eq(true)
150
+ end
151
+ end
152
+
153
+ context "with blacklist and whitelist present" do
154
+ it "should set whitelist and blacklist" do
155
+ payloads_file = double("payloads", read: {blacklisted: ["ssn"], whitelisted: ["passwd"]}.to_json)
156
+ expect(File).to receive(:file?).with(
157
+ File.join(Dir.getwd, "config/tcell_agent.config")
158
+ ).and_return(true)
159
+ expect(File).to receive(:open).with(
160
+ File.join(Dir.getwd, "config/tcell_agent.config")
161
+ ).and_return(@config_file)
162
+ expect(File).to receive(:file?).with("config/tcell_agent_payloads.config").and_return(true)
163
+ expect(File).to receive(:open).with("config/tcell_agent_payloads.config").and_return(payloads_file)
164
+ configuration = TCellAgent::Configuration.new
165
+
166
+ expect(configuration.allow_unencrypted_appsensor_payloads).to eq(true)
167
+ expect(configuration.blacklisted_params).to eq({"ssn" => true})
168
+ expect(configuration.whitelisted_params).to eq({"passwd" => true})
169
+ expect(configuration.whitelist_present).to eq(true)
170
+ end
171
+ end
172
+ end
173
+ end
174
+
175
+ end
176
+
177
+ describe "#agent_home_dir" do
178
+ context "no TCELL_AGENT_HOME defined" do
179
+ it "should set cache file, config, and log file to defaults" do
180
+ configuration = Configuration.new
181
+
182
+ expect(configuration.cache_filename).to eq(
183
+ File.join(Dir.getwd, "tcell/cache/tcell_agent.cache")
184
+ )
185
+ expect(configuration.log_filename).to eq(
186
+ File.join(Dir.getwd, "tcell/logs/tcell_agent.log")
187
+ )
188
+ expect(configuration.config_filename).to eq(
189
+ File.join(Dir.getwd, "config/tcell_agent.config")
190
+ )
191
+ end
192
+ end
193
+
194
+ context "TCELL_AGENT_HOME defined" do
195
+ it "should set config filename to default, cache file and log file are updated" do
196
+ old_tcell_agent_home = ENV["TCELL_AGENT_HOME"]
197
+
198
+ ENV["TCELL_AGENT_HOME"] = "spec_tcell_home"
199
+
200
+ expect(FileUtils).to receive(:mkdir_p).with("spec_tcell_home/cache")
201
+ expect(FileUtils).to receive(:mkdir_p).with("spec_tcell_home/logs")
202
+
203
+ configuration = Configuration.new
204
+
205
+ expect(configuration.cache_filename).to eq(
206
+ "spec_tcell_home/cache/tcell_agent.cache"
207
+ )
208
+ expect(configuration.log_filename).to eq(
209
+ "spec_tcell_home/logs/tcell_agent.log"
210
+ )
211
+ expect(configuration.config_filename).to eq(
212
+ File.join(Dir.getwd, "config/tcell_agent.config")
213
+ )
214
+
215
+ ENV["TCELL_AGENT_HOME"] = old_tcell_agent_home
216
+ end
217
+ end
218
+
219
+ context "TCELL_AGENT_HOME and TCELL_AGENT_LOG_DIR defined" do
220
+ it "should set config filename to default, cache file and log file are updated" do
221
+ old_tcell_agent_home = ENV["TCELL_AGENT_HOME"]
222
+ old_tcell_agent_log_dir = ENV["TCELL_AGENT_LOG_DIR"]
223
+
224
+ ENV["TCELL_AGENT_HOME"] = "spec_tcell_home"
225
+ ENV["TCELL_AGENT_LOG_DIR"] = "spec_tcell_log_dir"
226
+
227
+ expect(FileUtils).to receive(:mkdir_p).with("spec_tcell_home/cache")
228
+ expect(FileUtils).to receive(:mkdir_p).with("spec_tcell_log_dir")
229
+
230
+ configuration = Configuration.new
231
+
232
+ expect(configuration.cache_filename).to eq(
233
+ "spec_tcell_home/cache/tcell_agent.cache"
234
+ )
235
+ expect(configuration.log_filename).to eq(
236
+ "spec_tcell_log_dir/tcell_agent.log"
237
+ )
238
+ expect(configuration.config_filename).to eq(
239
+ File.join(Dir.getwd, "config/tcell_agent.config")
240
+ )
241
+
242
+ ENV["TCELL_AGENT_HOME"] = old_tcell_agent_home
243
+ ENV["TCELL_AGENT_LOG_DIR"] = old_tcell_agent_log_dir
244
+ end
245
+ end
246
+
247
+ context "TCELL_AGENT_HOME, TCELL_AGENT_LOG_DIR, and TCELL_AGENT_CONFIG defined " do
248
+ it "should update config filename, cache file, and log file" do
249
+ old_tcell_agent_home = ENV["TCELL_AGENT_HOME"]
250
+ old_tcell_agent_log_dir = ENV["TCELL_AGENT_LOG_DIR"]
251
+ old_config_filename = ENV["TCELL_AGENT_CONFIG"]
252
+
253
+ ENV["TCELL_AGENT_HOME"] = "spec_tcell_home"
254
+ ENV["TCELL_AGENT_LOG_DIR"] = "spec_tcell_log_dir"
255
+ ENV["TCELL_AGENT_CONFIG"] = "spec_config/tcell_agent.config"
256
+
257
+ expect(FileUtils).to receive(:mkdir_p).with("spec_tcell_log_dir")
258
+ expect(FileUtils).to receive(:mkdir_p).with("spec_tcell_home/cache")
259
+
260
+ configuration = Configuration.new
261
+
262
+ expect(configuration.cache_filename).to eq(
263
+ "spec_tcell_home/cache/tcell_agent.cache"
264
+ )
265
+ expect(configuration.log_filename).to eq(
266
+ "spec_tcell_log_dir/tcell_agent.log"
267
+ )
268
+ expect(configuration.config_filename).to eq(
269
+ "spec_config/tcell_agent.config"
270
+ )
271
+
272
+ ENV["TCELL_AGENT_HOME"] = old_tcell_agent_home
273
+ ENV["TCELL_AGENT_LOG_DIR"] = old_tcell_agent_log_dir
274
+ ENV["TCELL_AGENT_CONFIG"] = old_config_filename
275
+ end
276
+ end
277
+ end
278
+
279
+ describe "#data_exposure" do
280
+ context "no data_exposure defined" do
281
+ it "should set max_data_ex_db_records_per_request to default" do
282
+ no_data_ex = double(
283
+ "no_data_ex",
284
+ read: {
285
+ version: 1,
286
+ applications: [
287
+ app_id: "app_id",
288
+ name: "test",
289
+ api_key: "api_key"
290
+ ]
291
+ }.to_json
292
+ )
293
+ expect(File).to receive(:file?).with(
294
+ File.join(Dir.getwd, "no_data_ex.config")
295
+ ).and_return(true)
296
+ expect(File).to receive(:open).with(
297
+ File.join(Dir.getwd, "no_data_ex.config")
298
+ ).and_return(no_data_ex)
299
+ expect(File).to receive(:file?).with(
300
+ "config/tcell_agent_payloads.config"
301
+ ).and_return(false)
302
+ configuration = Configuration.new("no_data_ex.config")
303
+
304
+ expect(configuration.max_data_ex_db_records_per_request).to eq(1000)
305
+ end
306
+ end
307
+
308
+ context "data_exposure is empty" do
309
+ it "should set max_data_ex_db_records_per_request to default" do
310
+ no_data_ex = double(
311
+ "no_data_ex",
312
+ read: {
313
+ version: 1,
314
+ applications: [
315
+ app_id: "app_id",
316
+ name: "test",
317
+ api_key: "api_key",
318
+ data_exposure: {}
319
+ ]
320
+ }.to_json
321
+ )
322
+ expect(File).to receive(:file?).with(
323
+ File.join(Dir.getwd, "no_data_ex.config")
324
+ ).and_return(true)
325
+ expect(File).to receive(:open).with(
326
+ File.join(Dir.getwd, "no_data_ex.config")
327
+ ).and_return(no_data_ex)
328
+ expect(File).to receive(:file?).with(
329
+ "config/tcell_agent_payloads.config"
330
+ ).and_return(false)
331
+ configuration = Configuration.new("no_data_ex.config")
332
+
333
+ expect(configuration.max_data_ex_db_records_per_request).to eq(1000)
334
+ end
335
+ end
336
+
337
+ context "data_exposure contains an override" do
338
+ it "should set max_data_ex_db_records_per_request to override" do
339
+ no_data_ex = double(
340
+ "no_data_ex",
341
+ read: {
342
+ version: 1,
343
+ applications: [
344
+ app_id: "app_id",
345
+ name: "test",
346
+ api_key: "api_key",
347
+ data_exposure: {
348
+ max_data_ex_db_records_per_request: 5000
349
+ }
350
+ ]
351
+ }.to_json
352
+ )
353
+ expect(File).to receive(:file?).with(
354
+ File.join(Dir.getwd, "no_data_ex.config")
355
+ ).and_return(true)
356
+ expect(File).to receive(:open).with(
357
+ File.join(Dir.getwd, "no_data_ex.config")
358
+ ).and_return(no_data_ex)
359
+ expect(File).to receive(:file?).with(
360
+ "config/tcell_agent_payloads.config"
361
+ ).and_return(false)
362
+ configuration = Configuration.new("no_data_ex.config")
363
+
364
+ expect(configuration.max_data_ex_db_records_per_request).to eq(5000)
365
+ end
366
+ end
367
+ end
368
+
369
+ end
370
+
371
+ end
data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb CHANGED
@@ -64,24 +64,24 @@ module TCellAgent
64
64
  end
65
65
  it "alerts on get xss payload" do
66
66
  response = request.get("/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
67
- expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"xyz", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"/foo?xyz=", "tid"=>"a-b-c-d-e-f"}
67
+ expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"xyz", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"http://example.org/foo?xyz=", "tid"=>"a-b-c-d-e-f"}
68
68
  expect(TCellAgent.event_queue).to include(expected_as)
69
69
  end
70
70
  it "alerts on post xss payload" do
71
71
  response = request.post("/foo", :input => "x=<script>alert(1)</script>", 'REMOTE_ADDR' => '1.2.3.4,3.4.5.6')
72
- expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"x", "remote_addr"=>"1.2.3.4", "m"=>"POST", "loc"=>"/foo", "tid"=>"a-b-c-d-e-f"}
72
+ expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"x", "remote_addr"=>"1.2.3.4", "m"=>"POST", "loc"=>"http://example.org/foo", "tid"=>"a-b-c-d-e-f"}
73
73
  expect(TCellAgent.event_queue).to include(expected_as)
74
74
  end #/it
75
75
  it "alerts on get xss payload with route_id" do
76
76
  response = request2.get("/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
77
- expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"xyz", "remote_addr"=>nil, "rou"=>"myrouteid", "m"=>"GET", "loc"=>"/foo?xyz=", "tid"=>"a-b-c-d-e-f"}
77
+ expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"xyz", "remote_addr"=>nil, "rou"=>"myrouteid", "m"=>"GET", "loc"=>"http://example.org/foo?xyz=", "tid"=>"a-b-c-d-e-f"}
78
78
  expect(TCellAgent.event_queue).to include(expected_as)
79
79
  end
80
80
  it "checks that payload is sent in xss with route_id" do
81
81
  old_uap = TCellAgent.configuration.allow_unencrypted_appsensor_payloads
82
82
  TCellAgent.configuration.allow_unencrypted_appsensor_payloads = true
83
83
  response = request2.get("/foo?xyz=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
84
- expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"xyz", "remote_addr"=>nil, "rou"=>"myrouteid", "m"=>"GET", "loc"=>"/foo?xyz=", "tid"=>"a-b-c-d-e-f", "payload"=>"<script>alert(1)</script>"}
84
+ expected_as = {"event_type"=>"as", "dp"=>"xss", "param"=>"xyz", "remote_addr"=>nil, "rou"=>"myrouteid", "m"=>"GET", "loc"=>"http://example.org/foo?xyz=", "tid"=>"a-b-c-d-e-f", "payload"=>"<script>alert(1)</script>"}
85
85
  TCellAgent.configuration.allow_unencrypted_appsensor_payloads = old_uap
86
86
  expect(TCellAgent.event_queue).to include(expected_as)
87
87
  end
@@ -104,7 +104,7 @@ module TCellAgent
104
104
  it "alerts on get sqli payload" do
105
105
  # ' OR '3'='3
106
106
  response = request.get("/foo?xyz=abds&def=%27%20OR%20%273%27%3D%273", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
107
- expected_as = {"event_type"=>"as", "dp"=>"sqli", "param"=>"def", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"/foo?xyz=&def=", "tid"=>"a-b-c-d-e-f"}
107
+ expected_as = {"event_type"=>"as", "dp"=>"sqli", "param"=>"def", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"http://example.org/foo?xyz=&def=", "tid"=>"a-b-c-d-e-f"}
108
108
  expect(TCellAgent.event_queue).to include(expected_as)
109
109
  end
110
110
  end #/conext
@@ -124,14 +124,14 @@ module TCellAgent
124
124
  end
125
125
  it "alerts on most obvious payload" do
126
126
  response = request.get("/foo?xyz=/etc/passwd", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
127
- expected_as = {"event_type"=>"as", "dp"=>"fpt", "param"=>"xyz", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"/foo?xyz=", "tid"=>"a-b-c-d-e-f"}
127
+ expected_as = {"event_type"=>"as", "dp"=>"fpt", "param"=>"xyz", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"http://example.org/foo?xyz=", "tid"=>"a-b-c-d-e-f"}
128
128
  expect(TCellAgent.event_queue).to include(expected_as)
129
129
  end
130
130
  it "checks that payload is sent" do
131
131
  old_uap = TCellAgent.configuration.allow_unencrypted_appsensor_payloads
132
132
  TCellAgent.configuration.allow_unencrypted_appsensor_payloads = true
133
133
  response = request.get("/foo?xyz=/etc/passwd", 'REMOTE_ADDR' => '1.3.3.4,3.4.5.6')
134
- expected_as = {"event_type"=>"as", "dp"=>"fpt", "param"=>"xyz", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"/foo?xyz=", "tid"=>"a-b-c-d-e-f", "payload"=>"/etc/passwd"}
134
+ expected_as = {"event_type"=>"as", "dp"=>"fpt", "param"=>"xyz", "remote_addr"=>"1.3.3.4", "m"=>"GET", "loc"=>"http://example.org/foo?xyz=", "tid"=>"a-b-c-d-e-f", "payload"=>"/etc/passwd"}
135
135
  TCellAgent.configuration.allow_unencrypted_appsensor_payloads = old_uap
136
136
  expect(TCellAgent.event_queue).to include(expected_as)
137
137
  end
data/spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb ADDED
@@ -0,0 +1,289 @@
1
+ require 'spec_helper'
2
+
3
+ module TCellAgent
4
+ module SensorEvents
5
+
6
+ describe TCellAppSensorEventProcessor do
7
+
8
+ describe "#appsensor_event" do
9
+ before(:each) do
10
+ @app_sensor_event_process = TCellAppSensorEventProcessor.new
11
+ end
12
+
13
+ context "whitelist not present" do
14
+ context "a term that is blacklisted" do
15
+ it "should obfuscate the payload" do
16
+ event = double("event")
17
+ configuration = double(
18
+ "configuration",
19
+ whitelist_present: false,
20
+ raise_exceptions: true,
21
+ blacklisted_params: double("bp", {"passwd" => true, "has_key?" => true})
22
+ )
23
+
24
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
25
+ expect(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(:new).with(
26
+ nil,
27
+ "xss",
28
+ nil,
29
+ nil,
30
+ "PASSWD",
31
+ nil,
32
+ nil,
33
+ nil,
34
+ nil,
35
+ nil,
36
+ "BLACKLISTED"
37
+ ).and_return(event)
38
+ expect(TCellAgent).to receive(:send_event)
39
+
40
+ @app_sensor_event_process.appsensor_event("xss", "PASSWD", nil, "%3Cscript%3Ealert(1)%3C%2Fscript%3E")
41
+ end
42
+ end
43
+
44
+ context "a term that is not blacklisted" do
45
+ it "should not obfuscate the payload" do
46
+ event = double("event")
47
+ configuration = double(
48
+ "configuration",
49
+ whitelist_present: false,
50
+ raise_exceptions: true,
51
+ blacklisted_params: double("bp", {"has_key?" => false})
52
+ )
53
+
54
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
55
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
56
+ expect(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(:new).with(
57
+ nil,
58
+ "xss",
59
+ nil,
60
+ nil,
61
+ "PASSWD",
62
+ nil,
63
+ nil,
64
+ nil,
65
+ nil,
66
+ nil,
67
+ "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
68
+ ).and_return(event)
69
+ expect(TCellAgent).to receive(:send_event)
70
+
71
+ @app_sensor_event_process.appsensor_event("xss", "PASSWD", nil, "%3Cscript%3Ealert(1)%3C%2Fscript%3E")
72
+ end
73
+ end
74
+ end
75
+
76
+ context "whitelist present" do
77
+ context "a term is whitelisted" do
78
+ context "a term that is blacklisted" do
79
+ it "should obfuscate the payload" do
80
+ event = double("event")
81
+ configuration = double(
82
+ "configuration",
83
+ whitelist_present: true,
84
+ raise_exceptions: true,
85
+ blacklisted_params: double("bp", {"passwd" => true, "has_key?" => true}),
86
+ whitelisted_params: double("wp", {"passwd" => true, "has_key?" => true})
87
+ )
88
+
89
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
90
+ expect(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(:new).with(
91
+ nil,
92
+ "xss",
93
+ nil,
94
+ nil,
95
+ "PASSWD",
96
+ nil,
97
+ nil,
98
+ nil,
99
+ nil,
100
+ nil,
101
+ "BLACKLISTED"
102
+ ).and_return(event)
103
+ expect(TCellAgent).to receive(:send_event)
104
+
105
+ @app_sensor_event_process.appsensor_event("xss", "PASSWD", nil, "%3Cscript%3Ealert(1)%3C%2Fscript%3E")
106
+ end
107
+ end
108
+
109
+ context "a term that is not blacklisted" do
110
+ it "should not obfuscate the payload" do
111
+ event = double("event")
112
+ configuration = double(
113
+ "configuration",
114
+ whitelist_present: true,
115
+ raise_exceptions: true,
116
+ blacklisted_params: double("bp", {"has_key?" => false}),
117
+ whitelisted_params: double("wp", {"passwd" => true, "has_key?" => true})
118
+ )
119
+
120
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
121
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
122
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
123
+ expect(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(:new).with(
124
+ nil,
125
+ "xss",
126
+ nil,
127
+ nil,
128
+ "PASSWD",
129
+ nil,
130
+ nil,
131
+ nil,
132
+ nil,
133
+ nil,
134
+ "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
135
+ ).and_return(event)
136
+ expect(TCellAgent).to receive(:send_event)
137
+
138
+ @app_sensor_event_process.appsensor_event("xss", "PASSWD", nil, "%3Cscript%3Ealert(1)%3C%2Fscript%3E")
139
+ end
140
+ end
141
+ end
142
+
143
+ context "a term is not whitelisted" do
144
+ context "a term that is blacklisted" do
145
+ it "should obfuscate the payload" do
146
+ event = double("event")
147
+ configuration = double(
148
+ "configuration",
149
+ whitelist_present: true,
150
+ raise_exceptions: true,
151
+ blacklisted_params: double("bp", {"passwd" => true, "has_key?" => true}),
152
+ whitelisted_params: double("wp", {"has_key?" => false})
153
+ )
154
+
155
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
156
+ expect(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(:new).with(
157
+ nil,
158
+ "xss",
159
+ nil,
160
+ nil,
161
+ "PASSWD",
162
+ nil,
163
+ nil,
164
+ nil,
165
+ nil,
166
+ nil,
167
+ "BLACKLISTED"
168
+ ).and_return(event)
169
+ expect(TCellAgent).to receive(:send_event)
170
+
171
+ @app_sensor_event_process.appsensor_event("xss", "PASSWD", nil, "%3Cscript%3Ealert(1)%3C%2Fscript%3E")
172
+ end
173
+ end
174
+
175
+ context "a term that is not blacklisted" do
176
+ it "should obfuscate the payload" do
177
+ event = double("event")
178
+ configuration = double(
179
+ "configuration",
180
+ whitelist_present: true,
181
+ raise_exceptions: true,
182
+ blacklisted_params: double("bp", {"has_key?" => false}),
183
+ whitelisted_params: double("wp", {"has_key?" => false})
184
+ )
185
+
186
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
187
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
188
+ expect(TCellAgent).to receive(:configuration).and_return(configuration)
189
+ expect(TCellAgent::SensorEvents::TCellAppSensorEvent).to receive(:new).with(
190
+ nil,
191
+ "xss",
192
+ nil,
193
+ nil,
194
+ "PASSWD",
195
+ nil,
196
+ nil,
197
+ nil,
198
+ nil,
199
+ nil,
200
+ "NOT_WHITELISTED"
201
+ ).and_return(event)
202
+ expect(TCellAgent).to receive(:send_event)
203
+
204
+ @app_sensor_event_process.appsensor_event("xss", "PASSWD", nil, "%3Cscript%3Ealert(1)%3C%2Fscript%3E")
205
+ end
206
+ end
207
+ end
208
+ end
209
+ end
210
+
211
+ describe "#for_params" do
212
+ context "with body_params" do
213
+ it "should iterate over body params" do
214
+ app_sensor_event_process = TCellAppSensorEventProcessor.new
215
+ app_sensor_event_process.request_content_length = 67
216
+ app_sensor_event_process.request_content_type = "application/json"
217
+ app_sensor_event_process.request_body = {username:"tester",password:"pass"}.to_json
218
+
219
+ expect(app_sensor_event_process.body_params).to eq({"username"=>"tester","password"=>"pass"})
220
+
221
+ iterated_over = {}
222
+
223
+ app_sensor_event_process.for_params do |method, param_name, param_value|
224
+ iterated_over[param_name] = param_value
225
+ end
226
+
227
+ expect(iterated_over).to eq({"username"=>"tester", "password"=>"pass"})
228
+ end
229
+ end
230
+ end
231
+
232
+ describe "#body_params" do
233
+ context "with text/html content type" do
234
+ it "should set the body params to empty" do
235
+ app_sensor_event_process = TCellAppSensorEventProcessor.new
236
+ app_sensor_event_process.request_content_length = 67
237
+ app_sensor_event_process.request_content_type = "text/html"
238
+ app_sensor_event_process.request_body = {username:"tester",password:"pass"}.to_json
239
+
240
+ expect(app_sensor_event_process.body_params).to eq({})
241
+ end
242
+ end
243
+
244
+ context "with application/json content type" do
245
+ before(:each) do
246
+ @app_sensor_event_process = TCellAppSensorEventProcessor.new
247
+ @app_sensor_event_process.request_content_length = 67
248
+ @app_sensor_event_process.request_content_type = "application/json"
249
+ end
250
+
251
+ context "with empty request body" do
252
+ it "should set the body params to empty" do
253
+ @app_sensor_event_process.request_body = nil
254
+
255
+ expect(@app_sensor_event_process.body_params).to eq({})
256
+ end
257
+ end
258
+
259
+ context "with bad json in the body" do
260
+ it "should set the body params to empty" do
261
+ @app_sensor_event_process.request_body = '{"username":"tester""password":"pass"}'
262
+
263
+ expect(@app_sensor_event_process.body_params).to eq({})
264
+ end
265
+ end
266
+
267
+ context "with valid json in the body" do
268
+ it "should set the body params" do
269
+ @app_sensor_event_process.request_body = {username:"tester",password:"pass"}.to_json
270
+
271
+ expect(@app_sensor_event_process.body_params).to eq({"username"=>"tester","password"=>"pass"})
272
+ end
273
+ end
274
+
275
+ context "with a json body that's too big" do
276
+ it "should set the body params to empty" do
277
+ @app_sensor_event_process.request_content_length = 2000000
278
+ @app_sensor_event_process.request_body = '{"username":"tester""password":"pass"}'
279
+
280
+ expect(@app_sensor_event_process.body_params).to eq({})
281
+ end
282
+ end
283
+ end
284
+ end
285
+
286
+ end
287
+
288
+ end
289
+ end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: tcell_agent
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.10
4
+ version: 0.2.11
5
5
  platform: ruby
6
6
  authors:
7
7
  - Garrett
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-03-08 00:00:00.000000000 Z
11
+ date: 2016-04-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rest-client
@@ -234,6 +234,7 @@ files:
234
234
  - spec/lib/tcell_agent/agent/static_agent_spec.rb
235
235
  - spec/lib/tcell_agent/api/api_spec.rb
236
236
  - spec/lib/tcell_agent/appsensor_spec.rb
237
+ - spec/lib/tcell_agent/configuration_spec.rb
237
238
  - spec/lib/tcell_agent/instrumentation_spec.rb
238
239
  - spec/lib/tcell_agent/policies/appsensor_policy_spec.rb
239
240
  - spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
@@ -252,6 +253,7 @@ files:
252
253
  - spec/lib/tcell_agent/rails_spec.rb
253
254
  - spec/lib/tcell_agent/sensor_events/dlp_spec.rb
254
255
  - spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb
256
+ - spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb
255
257
  - spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb
256
258
  - spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb
257
259
  - spec/lib/tcell_agent/utils/bounded_queue_spec.rb
@@ -338,6 +340,7 @@ test_files:
338
340
  - spec/lib/tcell_agent/agent/static_agent_spec.rb
339
341
  - spec/lib/tcell_agent/api/api_spec.rb
340
342
  - spec/lib/tcell_agent/appsensor_spec.rb
343
+ - spec/lib/tcell_agent/configuration_spec.rb
341
344
  - spec/lib/tcell_agent/instrumentation_spec.rb
342
345
  - spec/lib/tcell_agent/policies/appsensor_policy_spec.rb
343
346
  - spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb
@@ -356,6 +359,7 @@ test_files:
356
359
  - spec/lib/tcell_agent/rails_spec.rb
357
360
  - spec/lib/tcell_agent/sensor_events/dlp_spec.rb
358
361
  - spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb
362
+ - spec/lib/tcell_agent/sensor_events/tcell_app_sensor_event_processor_spec.rb
359
363
  - spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb
360
364
  - spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb
361
365
  - spec/lib/tcell_agent/utils/bounded_queue_spec.rb