tcell_agent 2.3.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15b359f97c96e28cf58ee258ebd6cc0112b31656165271012b8c804a406a2904
-  data.tar.gz: cd73c079ce0bd4f063a7c32571ae9e57155bdcd86fa4fd81a9738c97acec3d49
+  metadata.gz: fff25fa4bd2400f1d20a402195e1523f047165a7e1f8b5d0b268174c51060d38
+  data.tar.gz: 9db1a3680edbc8fda323cfede15dbe294637d6bfe3763566a6fe5a55986ea047
 SHA512:
-  metadata.gz: 7dca586b7699c1bc013b1b5a07034087b8f45322cc30439b3d29e7ab16dfe8b8e85ae07d39738135020628e590bfb1b3a9b154bb6c954c99123102a4df19240a
-  data.tar.gz: 937109bc1a6b08d05cd3442e31ed6d4d2d4763ce7954d76cb65c26159c501c0e73fb68a2451c45b1b04e02fd15f3d0ab0564c29c59bf90fa4dc38db1472ea125
+  metadata.gz: 9dd315c9a05c09aef2e12d9808b5f792fd293375efa3d2531cba22c1df78d38ee87d4d0bb284e75fee643379ebcda9069ddff22a5b3e6b0c1a04d38fff795a2a
+  data.tar.gz: 3687803fa5c02436b44e08d75ac3665bf2e9583559525aad45f743c41ef1fb195c10b5e8fef9b8fadd134f890513e590314558fd474841662e4c4e4c66a0ddd6

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (C) 2015 tCell.io, Inc. - All Rights Reserved
+Copyright (C) 2020 Rapid7, Inc. - All Rights Reserved
 Proprietary and confidential
 
-http://choosealicense.com/licenses/no-license/
+https://docs.rapid7.com/tcell/ruby-agent-install/

data/bin/tcell_agent

@@ -9,7 +9,7 @@ options = {}
 def yesno(default = true)
   begin
     system('stty raw -echo')
-    str = STDIN.getc
+    str = $stdin.getc
   ensure
     system('stty -raw echo')
   end
@@ -33,8 +33,6 @@ global = OptionParser.new do |opts|
     Kernel.exit(1)
   end
 
-  opts.on('test', 'Run diagnostics and test event sending') do |_v|
-  end
   opts.separator ''
   opts.separator subtext
 end
@@ -53,15 +51,11 @@ subcommands = {
 
 global.order!
 command = ARGV.shift
-deprecated_commands = %w[setup loglevel preload demomode enable disable]
 if command.nil?
   puts global
   Kernel.exit(1)
 elsif subcommands[command]
   subcommands[command].order!
-elsif !deprecated_commands.include?(command)
-  puts global
-  Kernel.exit(1)
 end
 
 if command == 'setup'
@@ -87,9 +81,9 @@ if command == 'setup'
     end
   end
   print 'Enter your API Key (ie gAABAAAA...): '
-  api_key = STDIN.gets.chomp
+  api_key = $stdin.gets.chomp
   print 'Enter your App ID (ie MyApp-Fdk4j): '
-  app_id = STDIN.gets.chomp
+  app_id = $stdin.gets.chomp
   config_hash = {
     'version' => 1,
     'applications' => [
@@ -176,10 +170,11 @@ elsif command == 'demomode'
   puts 'done.'
 
 elsif command == 'test'
-  Dir[Dir.pwd + '/config/initializers/*.rb'].sort.each do |f|
+  Dir["#{Dir.pwd}/config/initializers/*.rb"].sort.each do |f|
     begin
       require f
-    rescue NameError # rubocop: disable Lint/HandleExceptions
+    rescue NameError
+      # do nothing
     rescue StandardError => e
       puts "[ERROR] Loading initializers failed. #{e}"
     end

data/lib/tcell_agent/agent.rb

@@ -56,19 +56,25 @@ module TCellAgent
       require 'tcell_agent/instrumentation/cmdi'
       require 'tcell_agent/instrumentation/lfi'
 
+      variant = if RUBY_VERSION.start_with?('3')
+                  'ruby_3'
+                else
+                  'ruby_2'
+                end
+
       if TCellAgent.configuration.should_instrument?('io')
         module_logger.info('Instrumenting Ruby Class: IO')
-        require 'tcell_agent/instrumentation/monkey_patches/io'
+        require "tcell_agent/instrumentation/monkey_patches/#{variant}/io"
       end
 
       if TCellAgent.configuration.should_instrument?('file')
         module_logger.info('Instrumenting Ruby Class: File')
-        require 'tcell_agent/instrumentation/monkey_patches/file'
+        require "tcell_agent/instrumentation/monkey_patches/#{variant}/file"
       end
 
       if TCellAgent.configuration.should_instrument?('kernel') # rubocop:disable Style/GuardClause
         module_logger.info('Instrumenting Ruby Module: Kernel')
-        require 'tcell_agent/instrumentation/monkey_patches/kernel'
+        require "tcell_agent/instrumentation/monkey_patches/#{variant}/kernel"
       end
     end
 
@@ -100,18 +106,18 @@ module TCellAgent
       @native_agent.send_sanitized_events(
         [event]
       )
-    rescue StandardError => standard_error
-      module_logger.error("Error sending event: (#{standard_error.class}) #{standard_error.message}")
-      module_logger.exception(standard_error)
+    rescue StandardError => e
+      module_logger.error("Error sending event: (#{e.class}) #{e.message}")
+      module_logger.exception(e)
     end
 
     def report_metrics(request_time, tcell_context)
       @native_agent.report_metrics(
         request_time, tcell_context
       )
-    rescue StandardError => standard_error
-      module_logger.error("Error reporting metric: (#{standard_error.class}) #{standard_error.message}")
-      module_logger.exception(standard_error)
+    rescue StandardError => e
+      module_logger.error("Error reporting metric: (#{e.class}) #{e.message}")
+      module_logger.exception(e)
     end
 
     def start(server_name)
@@ -135,12 +141,11 @@ module TCellAgent
 
       module_logger.info("Started thread agent: #{server_name}")
       TCellAgent.report_settings
-      TCellAgent::Instrumentation::Rails.send_framework_info
       TCellAgent::Instrumentation::Rails.send_settings
-    rescue StandardError => standard_error
+    rescue StandardError => e
       TCellAgent.configuration.enabled = false
-      module_logger.error("Error starting agent: (#{standard_error.class}) #{standard_error.message}")
-      module_logger.exception(standard_error)
+      module_logger.error("Error starting agent: (#{e.class}) #{e.message}")
+      module_logger.exception(e)
     end
   end
 end

data/lib/tcell_agent/config_initializer.rb

@@ -58,9 +58,5 @@ module TCellAgent
     def enable_intercept_requests=(bool)
       @disabled_instrumentation << 'intercept_requests' unless TCellAgent.configuration.to_bool(bool)
     end
-
-    def get_config_file_path
-      super
-    end
   end
 end

data/lib/tcell_agent/configuration.rb

@@ -85,7 +85,8 @@ module TCellAgent
           app_data = config['applications'][0]
           @disable_all = to_bool(app_data.fetch('disable_all', @disable_all))
         end
-      rescue StandardError # rubocop:disable Lint/HandleExceptions
+      rescue StandardError
+        # do nothing
       end
     end
 
@@ -108,9 +109,8 @@ module TCellAgent
       @password_hmac_key = apps['password_hmac_key']
 
       # proxy config
-      proxy_config = apps['proxy_config'] || {}
-      @reverse_proxy = proxy_config['reverse_proxy']
-      @reverse_proxy_ip_address_header = proxy_config['reverse_proxy_ip_address_header']
+      @reverse_proxy = apps['reverse_proxy']
+      @reverse_proxy_ip_address_header = apps['reverse_proxy_ip_address_header']
 
       # endpoint config
       endpoint = native_agent_config_response['endpoint_config'] || {}

data/lib/tcell_agent/hooks/login_fraud.rb

@@ -3,7 +3,7 @@ require 'tcell_agent/agent'
 module TCellAgent
   module Hooks
     module LoginFraud
-      # Note: mock out in tests
+      # NOTE: mock out in tests
       def self.get_logger
         unless defined?(@login_fraud_logger)
           @login_fraud_logger = TCellAgent::ModuleLogger.new(TCellAgent.logger, name)

data/lib/tcell_agent/instrumentation.rb

@@ -65,7 +65,8 @@ module TCellAgent
                     :password, :route_id, :path, :uri, :fullpath, :context_filters_by_term,
                     :database_filters, :remote_address, :user_agent, :request_method,
                     :path_parameters, :patches_blocking_triggered, :grape_mount_endpoint,
-                    :referrer, :csrf_exception_name, :sql_exceptions, :database_result_sizes
+                    :referrer, :csrf_exception_name, :sql_exceptions, :database_result_sizes,
+                    :reverse_proxy_header_value
 
       def self.filterx(sanitize_string, event_flag, replace_flag, term)
         send_event = false
@@ -91,26 +92,31 @@ module TCellAgent
 
       def valid_term?(term)
         return true if !term.nil? && term != '' && term.to_s.length >= 5
+
         false
       end
 
       def add_response_db_filter(term, action_obj, database, schema, table, field)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_database(database, schema, table, field, action_obj))
       end
 
       def add_filter_for_request_parameter(term, rule, parameter_name)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_request('form', parameter_name, rule))
       end
 
       def add_filter_for_header_value(term, rule, header_name)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_request('header', header_name, rule))
       end
 
       def add_filter_for_cookie_value(term, rule, cookie_name)
         return unless valid_term?(term)
+
         context_filters_by_term[term.to_s].add(ContextFilter.new.for_request('cookie', cookie_name, rule))
       end
 
@@ -139,6 +145,7 @@ module TCellAgent
           send_flag = TCellData.filterx(body, !event_filters.empty?, !replace_filters.empty?, term)
           send_flag ||= TCellData.filterx(body, !event_filters.empty?, !replace_filters.empty?, CGI.escapeHTML(term))
           next unless send_flag
+
           (replace_filters + event_filters).each do |filter|
             base_event = TCellAgent::SensorEvents::DlpEvent.new(
               route_id,
@@ -183,6 +190,7 @@ module TCellAgent
           event_filters = (context_filters.select { |context_filter| (context_filter.rule.log_redact != true && context_filter.rule.log_event == true) })
           send_flag = TCellData.filterx(log_msg, !event_filters.empty?, !replace_filters.empty?, term)
           next unless send_flag
+
           (replace_filters + event_filters).each do |filter|
             base_event = TCellAgent::SensorEvents::DlpEvent.new(
               route_id,
@@ -213,7 +221,7 @@ module TCellAgent
       end
     end
 
-    # Note: mock for tests
+    # NOTE: mock for tests
     def self.get_safe_block_logger
       unless defined?(@safe_block_logger)
         @safe_block_logger = TCellAgent::ModuleLogger.new(TCellAgent.logger, name)
@@ -224,15 +232,15 @@ module TCellAgent
 
     def self.safe_block(message, &block)
       block.call
-    rescue StandardError => ex
+    rescue StandardError => e
       logger = get_safe_block_logger
-      logger.error("Error #{message} (#{ex.class}): #{ex.message}")
-      logger.exception(ex)
+      logger.error("Error #{message} (#{e.class}): #{e.message}")
+      logger.exception(e)
     end
 
     def self.safe_block_no_log(_message, &block)
       block.call
-    rescue StandardError # rubocop:disable Lint/HandleExceptions
+    rescue StandardError
       # do nothing
     end
   end

data/lib/tcell_agent/instrumentation/cmdi.rb

@@ -56,5 +56,37 @@ module TCellAgent
 
       cmd
     end
+
+    def self.raise_if_block(cmd)
+      return unless TCellAgent::Cmdi.block_command?(cmd)
+
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    def self.default_cmdi_handler(args)
+      cmd = TCellAgent::Cmdi.parse_command(*args)
+
+      raise_if_block(cmd)
+    end
+
+    def self.popen_cmdi_handler(args)
+      return if args.empty?
+
+      cmd = ''
+
+      TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
+        args_copy = Array.new(args)
+        args_copy.shift if args_copy.first.is_a?(Hash)
+        args_copy.pop if args_copy.last.is_a?(Hash)
+
+        cmd = if args_copy.first.is_a?(String)
+                args_copy.shift
+              else
+                TCellAgent::Cmdi.parse_command(*args_copy.shift)
+              end
+      end
+
+      raise_if_block(cmd)
+    end
   end
 end

data/lib/tcell_agent/instrumentation/lfi.rb

@@ -5,6 +5,8 @@ require 'tcell_agent/configuration'
 module TCellAgent
   module Instrumentation
     module Lfi
+      extend TCellAgent::ModuleLoggerAccess
+
       def self.block_file_access?(path, mode)
         TCellAgent::Instrumentation.safe_block('Checking Local Files Policy') do
           if TCellAgent::Utils::Strings.present?(path)
@@ -54,17 +56,27 @@ module TCellAgent
         mode = 'Read'
 
         TCellAgent::Instrumentation.safe_block('LFI Parsing ARGF') do
-          if ARGF.eof? && !ARGV.empty?
-            argv_copy = Array.new(ARGV)
-            path = argv_copy.shift
-          else
-            path = ARGF.filename
-          end
+          begin
+            return ['', ''] if ARGF.file == $stdin
 
-          if path && path.to_s[0] != '|'
-            [File.expand_path(path.to_s), mode]
-          else
+            if ARGF.eof? && !ARGV.empty?
+              argv_copy = Array.new(ARGV)
+              path = argv_copy.shift
+            else
+              path = ARGF.filename
+            end
+
+            if path && path.to_s[0] != '|'
+              [File.expand_path(path.to_s), mode]
+            else
+              ['', '']
+            end
+          rescue Errno::ENOENT
+            module_logger.debug('LFI Parsing ARGF: attempted to read a non-existent file')
             ['', '']
+          rescue Errno::EISDIR
+            module_logger.debug('LFI Parsing ARGF: attempted to read a directory')
+            [ARGF.filename, mode]
           end
         end
       end
@@ -79,6 +91,40 @@ module TCellAgent
         end
         'Read'
       end
+
+      def self.raise_if_block(path, mode)
+        return unless block_file_access?(path, mode)
+
+        raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+      end
+
+      def self.default_open_handler(args, override_mode = '')
+        path, mode = extract_path_mode(*args)
+
+        mode = override_mode unless override_mode.empty?
+
+        raise_if_block(path, mode)
+      end
+
+      def self.argf_open_handler
+        path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+        raise_if_block(path, mode)
+      end
+
+      def self.cmdi_open_handler(args, override_mode = '')
+        path, mode = extract_path_mode(*args)
+
+        mode = override_mode unless override_mode.empty?
+
+        raise_if_block(path, mode)
+
+        return unless path.empty?
+
+        cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+
+        TCellAgent::Cmdi.raise_if_block(cmd) if cmd
+      end
     end
   end
 end

data/lib/tcell_agent/instrumentation/monkey_patches/ruby_2/file.rb

@@ -0,0 +1,21 @@
+class File
+  class << self
+    if TCellAgent.configuration.should_instrument?('File::new')
+      alias_method :tcell_original_new, :new
+      def new(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args)
+
+        tcell_original_new(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('File::open')
+      alias_method :tcell_original_open, :open
+      def open(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args)
+
+        tcell_original_open(*args, &block)
+      end
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/monkey_patches/ruby_2/io.rb

@@ -0,0 +1,75 @@
+class IO
+  class << self
+    if TCellAgent.configuration.should_instrument?('IO::binread')
+      alias_method :tcell_original_binread, :binread
+      def binread(*args, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args)
+
+        tcell_original_binread(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::binwrite')
+      alias_method :tcell_original_binwrite, :binwrite
+      def binwrite(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Write')
+
+        tcell_original_binwrite(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::foreach')
+      alias_method :tcell_original_foreach, :foreach
+      def foreach(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Read')
+
+        tcell_original_foreach(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::popen')
+      alias_method :tcell_original_popen, :popen
+      def popen(*args, &block)
+        TCellAgent::Cmdi.popen_cmdi_handler(args)
+
+        tcell_original_popen(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::read')
+      alias_method :tcell_original_read, :read
+      def read(*args, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args, 'Read')
+
+        tcell_original_read(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::readlines')
+      alias_method :tcell_original_readlines, :readlines
+      def readlines(*args, &block)
+        TCellAgent::Instrumentation::Lfi.cmdi_open_handler(args, 'Read')
+
+        tcell_original_readlines(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::sysopen')
+      alias_method :tcell_original_sysopen, :sysopen
+      def sysopen(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args)
+
+        tcell_original_sysopen(*args, &block)
+      end
+    end
+
+    if TCellAgent.configuration.should_instrument?('IO::write')
+      alias_method :tcell_original_write, :write
+      def write(*args, &block)
+        TCellAgent::Instrumentation::Lfi.default_open_handler(args, 'Write')
+
+        tcell_original_write(*args, &block)
+      end
+    end
+  end
+end