threatstack-agent-ruby 0.2.1 → 0.2.2

data/ext/libinjection/libinjection_pathtraversal_data.h

@@ -0,0 +1,240 @@
+
+#ifndef LIBINJECTION_PATH_TRAVERSAL_DATA_H
+#define LIBINJECTION_PATH_TRAVERSAL_DATA_H
+
+const char *const path_traversal_payloads[] = {
+    "\\access_log",
+    "%2faccess_log",
+    "%5caccess_log",
+    "/access_log",
+    "\\access.log",
+    "%2faccess.log",
+    "%5caccess.log",
+    "/access.log",
+    "\\error_log",
+    "%2ferror_log",
+    "%5cerror_log",
+    "/error_log",
+    "\\error.log",
+    "%2ferror.log",
+    "%5cerror.log",
+    "/error.log",
+    "\\license.log",
+    "%2flicense.log",
+    "%5clicense.log",
+    "/license.log",
+    "\\license_log",
+    "%2flicense_log",
+    "%5clicense_log",
+    "/license_log",
+    "\\login.log",
+    "%2flogin.log",
+    "%5clogin.log",
+    "/login.log",
+    "\\login_log",
+    "%2flogin_log",
+    "%5clogin_log",
+    "/login_log",
+    "\\system.log",
+    "%2fsystem.log",
+    "%5csystem.log",
+    "/system.log",
+    "\\system_log",
+    "%2fsystem_log",
+    "%5csystem_log",
+    "/system_log",
+    "\\stats.log",
+    "%2fstats.log",
+    "%5cstats.log",
+    "/stats.log",
+    "\\stats_log",
+    "%2fstats_log",
+    "%5cstats_log",
+    "/stats_log",
+    "\\.bash_history",
+    "%2f.bash_history",
+    "%5c.bash_history",
+    "/.bash_history",
+    "\\.sh_history",
+    "%2f.sh_history",
+    "%5c.sh_history",
+    "/.sh_history",
+    "\\php.ini",
+    "%2fphp.ini",
+    "%5cphp.ini",
+    "/php.ini",
+    "\\my.cnf",
+    "%2fmy.cnf",
+    "%5cmy.cnf",
+    "/my.cnf",
+    "\\my.ini",
+    "%2fmy.ini",
+    "%5cmy.ini",
+    "/my.ini",
+    "\\boot.ini",
+    "%2fboot.ini",
+    "%5cboot.ini",
+    "/boot.ini",
+    "\\win.ini",
+    "%2fwin.ini",
+    "%5cwin.ini",
+    "/win.ini",
+    "\\httpd.conf",
+    "%2fhttpd.conf",
+    "%5chttpd.conf",
+    "/httpd.conf",
+    "\\vhosts.conf",
+    "%2fvhosts.conf",
+    "%5cvhosts.conf",
+    "/vhosts.conf",
+    "\\nginx.conf",
+    "%2fnginx.conf",
+    "%5cnginx.conf",
+    "/nginx.conf",
+    "\\apache2.conf",
+    "%2fapache2.conf",
+    "%5capache2.conf",
+    "/apache2.conf",
+    "\\pureftpd",
+    "%2fpureftpd",
+    "%5cpureftpd",
+    "/pureftpd",
+    "\\pure-ftpd",
+    "%2fpure-ftpd",
+    "%5cpure-ftpd",
+    "/pure-ftpd",
+    "etc/hosts",
+    "etc\\hosts",
+    "etc%2fhosts",
+    "etc%5chosts",
+    "etc%c0%afhosts",
+    "etc/passwd",
+    "etc\\passwd",
+    "etc%2fpasswd",
+    "etc%5cpasswd",
+    "etc%c0%afpasswd",
+    "etc/shadow",
+    "etc\\shadow",
+    "etc%2fshadow",
+    "etc%5cshadow",
+    "etc%c0%afshadow",
+    "\\system32\\drivers\\hosts",
+    "/system32/drivers/hosts",
+    "\\data\\hostname.err",
+    "\\data\\mysql-bin.log",
+    "\\data\\mysql.err",
+    "\\data\\mysql.log",
+    "\\php4\\sessions\\",
+    "\\php5\\sessions\\",
+    "\\php\\sessions\\",
+    "\\windows\\repair\\sam",
+    "\\windows\\temp\\",
+    ".htaccess",
+    "/etc/apache2/sites-available/default",
+    "/etc/apache2/sites-enabled/000-default",
+    "/etc/chrootusers",
+    "/etc/crontab",
+    "/etc/fstab",
+    "/etc/ftpchroot",
+    "/etc/ftphosts",
+    "/etc/group",
+    "/etc/inittab",
+    "/etc/issue",
+    "/etc/issue",
+    "/etc/logrotate.d/ftp",
+    "/etc/logrotate.d/proftpd",
+    "/etc/logrotate.d/vsftpd.log",
+    "/etc/master.passwd",
+    "/etc/motd",
+    "/etc/nginx/sites-available/default",
+    "/etc/nginx/sites-enabled/default",
+    "/etc/pam.d/proftpd",
+    "/etc/phpmyadmin/config.inc.php",
+    "/etc/proftp.conf",
+    "/etc/proftpd/modules.conf",
+    "/etc/protpd/proftpd.conf",
+    "/etc/redhat-release",
+    "/etc/release",
+    "/etc/security/environ",
+    "/etc/security/group",
+    "/etc/security/limits",
+    "/etc/security/passwd",
+    "/etc/security/user",
+    "/etc/ssh/sshd_config",
+    "/etc/sysconfig/network-scripts/ifcfg-eth0",
+    "/etc/vhcs2/proftpd/proftpd.conf",
+    "/etc/vsftpd.chroot_list",
+    "/etc/vsftpd.conf",
+    "/etc/vsftpd/vsftpd.conf",
+    "/etc/wu-ftpd/ftpaccess",
+    "/etc/wu-ftpd/ftphosts",
+    "/etc/wu-ftpd/ftpusers",
+    "php://input",
+    "/proc/cmdline",
+    "/proc/self/",
+    "/proc/version",
+    "/root/.bash_history",
+    "/tmp/sess_",
+    "/usr/lib/security/mkuser.default",
+    "/usr/local/cpanel/logs",
+    "/usr/sbin/pure-config.pl",
+    "/var/adm/lastlog",
+    "/var/adm/log/xferlog",
+    "/var/adm/messages",
+    "/var/adm/utmpx",
+    "/var/adm/wtmpx",
+    "/var/cpanel/cpanel.config",
+    "/var/db/shadow/hash",
+    "/session/sess_",
+    "/var/log/authlog",
+    "/var/log/auth.log",
+    "/var/log/exim_mainlog",
+    "/var/log/exim/mainlog",
+    "/var/log/exim_paniclog",
+    "/var/log/exim/paniclog",
+    "/var/log/exim_rejectlog",
+    "/var/log/exim/rejectlog",
+    "/var/log/ftplog",
+    "/var/log/ftp-proxy",
+    "/var/log/kernel.log",
+    "/var/log/lastlog",
+    "/var/log/maillog",
+    "/var/log/mail.log",
+    "/var/log/messages",
+    "/var/log/mysqlderror.log",
+    "/var/log/mysql.log",
+    "/var/log/mysql/mysql-bin.log",
+    "/var/log/mysql/mysql.log",
+    "/var/log/mysql/mysql-slow.log",
+    "/var/log/proftpd",
+    "/var/log/secure.log",
+    "/var/log/syslog",
+    "/var/log/vsftpd.log",
+    "/var/log/wtmp",
+    "/var/log/xferlog",
+    "/var/mail/apache",
+    "/var/mail/nobody",
+    "/var/mail/www",
+    "/var/mail/www-data",
+    "/var/mysql.log",
+    "/var/run/utmp",
+    "/var/www/config.php",
+    "\\xampp\\filezillaftp\\filezilla server.xml",
+    "\\xampp\\filezillaftp\\server.xml",
+    "\\xampp\\filezillaftp\\logs",
+    "\\xampp\\mercurymail\\logs",
+    "\\xampp\\mercurymail\\mercury.ini",
+    "\\xampp\\mysql\\data\\mysql.err",
+    "\\xampp\\phpmyadmin\\config.inc",
+    "\\xampp\\phpmyadmin\\phpinfo.php",
+    "\\xampp\\sendmail\\sendmail.ini",
+    "\\xampp\\sendmail\\sendmail.log",
+    "\\xampp\\tomcat\\conf\\tomcat-users.xml",
+    "\\xampp\\tomcat\\conf\\web.xml",
+    "\\xampp\\webalizer\\webalizer.conf",
+    "\\xampp\\webdav\\webdav.txt",
+};
+
+#define path_traversal_payloads_size (sizeof (path_traversal_payloads) / sizeof (const char *))
+
+#endif

data/ext/libinjection/libinjection_wrap.c

@@ -2119,6 +2119,41 @@ fail:
 }
 
 
+SWIGINTERN VALUE
+_wrap_libinjection_pathtraversal(int argc, VALUE *argv, VALUE self) {
+  char *arg1 = (char *) 0 ;
+  size_t arg2 ;
+  int res1 ;
+  char *buf1 = 0 ;
+  int alloc1 = 0 ;
+  size_t val2 ;
+  int ecode2 = 0 ;
+  int result;
+  VALUE vresult = Qnil;
+  
+  if ((argc < 2) || (argc > 2)) {
+    rb_raise(rb_eArgError, "wrong # of arguments(%d for 2)",argc); SWIG_fail;
+  }
+  res1 = SWIG_AsCharPtrAndSize(argv[0], &buf1, NULL, &alloc1);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), Ruby_Format_TypeError( "", "char const *","libinjection_pathtraversal", 1, argv[0] ));
+  }
+  arg1 = (char *)(buf1);
+  ecode2 = SWIG_AsVal_size_t(argv[1], &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), Ruby_Format_TypeError( "", "size_t","libinjection_pathtraversal", 2, argv[1] ));
+  } 
+  arg2 = (size_t)(val2);
+  result = (int)libinjection_pathtraversal((char const *)arg1,arg2);
+  vresult = SWIG_From_int((int)(result));
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return vresult;
+fail:
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return Qnil;
+}
+
+
 
 /* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
 
@@ -2389,5 +2424,6 @@ SWIGEXPORT void Init_libinjection(void) {
   rb_define_module_function(mLibinjection, "libinjection_version", _wrap_libinjection_version, -1);
   rb_define_module_function(mLibinjection, "libinjection_sqli", _wrap_libinjection_sqli, -1);
   rb_define_module_function(mLibinjection, "libinjection_xss", _wrap_libinjection_xss, -1);
+  rb_define_module_function(mLibinjection, "libinjection_pathtraversal", _wrap_libinjection_pathtraversal, -1);
 }
 

data/lib/constants.rb

@@ -20,6 +20,16 @@ module Threatstack
       TRUTHY.include?(val.to_s.downcase)
     end
 
+    def self.app_root_dir
+      return Bundler.root if defined?(Bundler)
+
+      return ENV['RAILS_ROOT'] if defined?(ENV['RAILS_ROOT']) && ENV['RAILS_ROOT'].to_s.strip.length != 0
+
+      return Rails.root if defined?(Rails) && Rails.root.to_s.strip.length != 0
+
+      Dir.pwd
+    end
+
     TRUTHY = ['true', '1', 'yes'].freeze
 
     # AGENT
@@ -29,14 +39,18 @@ module Threatstack
     AGENT_ID = self.env('AGENT_ID', '')
     ## autogenerated Id for this agent instance
     AGENT_INSTANCE_ID = SecureRandom.uuid
-    ## whether or not the agent is disabled
+    ## whether or not the agent is disabled, defaults to false
     DISABLED = self.is_truthy('DISABLED')
-    ## whether or not initialization is done manually by calling
+    ## whether or not initialization is done manually, defaults to false
     MANUAL_INIT = self.is_truthy('MANUAL_INIT')
-    ## whether or not requests containing XSS payloads should be blocked
+    ## whether or not requests containing XSS payloads should be blocked, defaults to false
     BLOCK_XSS = self.is_truthy('BLOCK_XSS')
-    ## whether or not requests containing SQLI payloads should be blocked
+    ## whether or not requests containing SQLI payloads should be blocked, defaults to false
     BLOCK_SQLI = self.is_truthy('BLOCK_SQLI')
+    ## whether or not requests containing Path Traversal payloads should be blocked, defaults to false
+    BLOCK_PATH_TRAVERSAL = self.is_truthy('BLOCK_PATH_TRAVERSAL')
+    ## whether or not requests should be checked for Path Traversal payloads, defaults to true
+    DETECT_PATH_TRAVERSAL = self.is_truthy('DETECT_PATH_TRAVERSAL', true)
     ## specifies which user fields should be omitted from event payloads
     DROP_FIELDS = self.env('DROP_FIELDS', false) ? self.env('DROP_FIELDS').split(',').each_with_object({}) do |val, h|
       h[val] = true
@@ -49,6 +63,8 @@ module Threatstack
     JOB_INTERVAL = Integer(self.env('SUBMISSION_INTERVAL', 10))
     ## max number of events per request
     EVENTS_PER_REQ = Integer(self.env('EVENTS_PER_REQ', 1000))
+    ## max number of events to keep in memory
+    MAX_QUEUED_EVENTS = Integer(self.env('MAX_QUEUED_EVENTS', 1000))
     ## base url
     APPSEC_BASE_URL = self.env('API_COLLECTOR_URL', 'https://appsec-sensors.threatstack.com')
     ## event collector path
@@ -76,12 +92,16 @@ module Threatstack
     # Strings
     XSS = 'xss'
     SQLI = 'sqli'
+    PATH_TRAVERSAL = 'path_traversal'
     REQUEST_BLOCKED = 'Request blocked'
     DETECTED_NOT_BLOCKED = 'Detected not blocked'
     CGI_VARIABLES = Set.new(%w[ AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE GATEWAY_INTERFACE HTTPS PATH_INFO
                                 PATH_TRANSLATED REMOTE_ADDR REMOTE_HOST REMOTE_IDENT REMOTE_USER
                                 REQUEST_METHOD SCRIPT_NAME SERVER_NAMESERVER_PORT SERVER_PROTOCOL
                                 SERVER_SOFTWARE]).freeze
+
+    # Utils
+    ROOT_DIR = self.app_root_dir
   end
 end
 
@@ -99,12 +119,16 @@ module Threatstack
       APPSEC SENSOR URL: #{APPSEC_BASE_URL}
              BLOCK SQLI: #{BLOCK_SQLI}
               BLOCK XSS: #{BLOCK_XSS}
+   BLOCK PATH TRAVERSAL: #{BLOCK_PATH_TRAVERSAL}
+  DETECT PATH TRAVERSAL: #{DETECT_PATH_TRAVERSAL}
             DROP FIELDS: #{DROP_FIELDS}
         SUBMIT INTERVAL: #{JOB_INTERVAL}
          EVENTS PER REQ: #{EVENTS_PER_REQ}
+      MAX QUEUED EVENTS: #{MAX_QUEUED_EVENTS}
               LOG LEVEL: #{LOG_LEVEL}
              LOG COLORS: #{LOG_COLORS}
             MANUAL INIT: #{MANUAL_INIT}
-          REDACTED TEXT: #{REDACTED}"""
+          REDACTED TEXT: #{REDACTED}
+               ROOT DIR: #{ROOT_DIR}"""
   end
 end

data/lib/control.rb

@@ -4,8 +4,9 @@ require 'thread'
 
 require_relative './events/models/environment_event'
 require_relative './events/models/dependency_event'
-require_relative './instrumentation/rails'
-require_relative './instrumentation/kernel'
+require_relative './instrumentation/frameworks/rails'
+require_relative './instrumentation/frameworks/kernel'
+require_relative './instrumentation/frameworks/random'
 require_relative './jobs/event_submitter'
 require_relative './jobs/delayed_job'
 require_relative './utils/logger'
@@ -26,21 +27,29 @@ module Threatstack
       logger = Threatstack::Utils::TSLogger.create 'MainAgent'
       logger.info 'Initializing Threatstack Ruby agent'
 
-      # patch Rails ActionController
+      ############################## Instrumentation ##############################
+      ## patch Rails ActionController
       logger.info 'Instrumenting Rails...'
-      Threatstack::Instrumentation::TSRails.patch_action_controller
+      Threatstack::Instrumentation::Frameworks::TSRails.patch_action_controller
       logger.info 'Done instrumenting Rails'
 
-      # patch Kernel methods
+      ## patch Kernel methods
       logger.info 'Instrumenting Kernel methods...'
-      Threatstack::Instrumentation::TSKernel.wrap_methods
+      Threatstack::Instrumentation::Frameworks::TSKernel.wrap_methods
       logger.info 'Done instrumenting Kernel methods'
 
+      ## patch Kernel methods
+      logger.info 'Instrumenting Random methods...'
+      Threatstack::Instrumentation::Frameworks::TSRandom.wrap_methods
+      logger.info 'Done instrumenting Random methods'
+
+      ############################## Event Submitter ##############################
       # Start EventSubmitter asynchronously
       logger.info 'Starting Event Submitter...'
       Threatstack::Jobs::EventSubmitter.instance.start
       logger.info 'Started Event Submitter'
 
+      ##############################  Delayed Tasks  ##############################
       # Gather environment and dependency info asynchronously
       Threatstack::Jobs::DelayedJob.new(logger, 5) do
         dep_event = Threatstack::Events::DependencyEvent.new
@@ -49,6 +58,10 @@ module Threatstack
         # submit environment event
         Threatstack::Jobs::EventSubmitter.instance.queue_event Threatstack::Events::EnvironmentEvent.new
       end
+      # Report Rails config once it's loaded
+      Threatstack::Jobs::DelayedJob.new('DelayedConfig', 20) do
+        Threatstack::Instrumentation::Frameworks::TSRails.report_application_config
+      end
 
       logger.info 'Initialization done for agent'
     end

data/lib/events/event_accumulator.rb

@@ -2,7 +2,9 @@
 
 require 'singleton'
 
+require_relative '../constants'
 require_relative '../utils/logger'
+require_relative '../utils/capped_queue'
 
 module Threatstack
   module Events
@@ -10,21 +12,28 @@ module Threatstack
     class EventAccumulator
       include Singleton
 
-      attr_reader :events
-
       def initialize
-        @events = []
+        @events = Threatstack::Utils::CappedQueue.new Threatstack::Constants::MAX_QUEUED_EVENTS
         @logger = Threatstack::Utils::TSLogger.create 'EventAccumulator'
       end
 
+      def total_events
+        @events.length
+      end
+
       def add_event(event)
-        @logger.debug "Adding event - New Total: #{@events.length + 1}"
         @events.push(event)
+        @logger.debug "Added event - New Total: #{@events.length}"
+      end
+
+      def remove_event
+        @events.shift
       end
 
-      def remove_events(num = 1)
-        @logger.debug "Removing #{num} event(s) - New Total: #{@events.length - num}"
-        @events.shift(num)
+      def remove_events(num)
+        ev = @events.shift(num)
+        @logger.debug "Removed #{ev.length} event(s) - New Total: #{@events.length}"
+        ev
       end
 
       def clear_events