threatstack-agent-ruby 0.2.1 → 0.2.2

data/lib/events/models/dependency_event.rb

@@ -24,11 +24,9 @@ module Threatstack
         logger.debug 'Creating dependency event...'
         args[:event_type] = DEPENDENCIES
         begin
-          root_dir = self.app_root_dir
-          gemfile_path = File.join(root_dir, 'Gemfile')
-          lockfile_path = File.join(root_dir, 'Gemfile.lock')
-          logger.debug "Root Dir: #{root_dir}"
-          @name = File.basename root_dir
+          gemfile_path = File.join(ROOT_DIR, 'Gemfile')
+          lockfile_path = File.join(ROOT_DIR, 'Gemfile.lock')
+          @name = File.basename ROOT_DIR
           # build dependency list
           @dependencies = Bundler::Definition.build(gemfile_path, lockfile_path, nil).
             dependencies.each_with_object({}) do |dep, obj|
@@ -66,17 +64,6 @@ module Threatstack
         super args
       end
 
-      # Returns the root directory of the currently running app
-      def app_root_dir
-        return Bundler.root if defined?(Bundler)
-
-        return ENV['RAILS_ROOT'] if defined?(ENV['RAILS_ROOT']) && ENV['RAILS_ROOT'].to_s.strip.length != 0
-
-        return Rails.root if defined?(Rails) && Rails.root.to_s.strip.length != 0
-
-        Dir.pwd
-      end
-
       def to_hash
         hash = to_core_hash
         hash[:module_name] = AGENT_NAME

data/lib/instrumentation/common.rb

@@ -28,7 +28,7 @@ module Threatstack
     end
 
     def self.create_attack_event(payload, type, location, request, headers, backtrace)
-      is_blocked = (type == SQLI && BLOCK_SQLI) || (type == XSS && BLOCK_XSS)
+      is_blocked = (type == SQLI && BLOCK_SQLI) || (type == XSS && BLOCK_XSS) || (type == PATH_TRAVERSAL && BLOCK_PATH_TRAVERSAL)
       data = {
         :timestamp => Time.now.utc.strftime('%FT%T.%3NZ'),
         :module_name => AGENT_NAME,
@@ -92,6 +92,16 @@ module Threatstack
       end
     end
 
+    def self.extract_instrumentation_params(params)
+      module_name = params[:target_class].to_s.downcase
+      method_name = params[:method_name].downcase
+      called_by = params[:caller_loc] ? params[:caller_loc].first : nil
+      file_path = called_by ? called_by.absolute_path : nil
+      line_num = called_by ? called_by.lineno : nil
+      args = params[:args] ? params[:args] : []
+      return module_name, method_name, file_path, line_num, args
+    end
+
     def self.drop_sensitive_fields(obj)
       return obj if DROP_FIELDS.nil?
 
@@ -127,7 +137,7 @@ module Threatstack
         return false
       end
       match = (Libinjection.libinjection_sqli(param, param.length, '') === 1 ? true : false)
-      @@logger.send(match ? :warn : :debug, "SQLI Check #{match ? 'positive' : 'negative'} for: #{name}") unless name.nil?
+      @@logger.send(match ? :warn : :debug, "SQLI Check #{match ? 'POSITIVE' : 'negative'} for: #{name}=#{param}") unless name.nil?
       match
     end
 
@@ -138,7 +148,21 @@ module Threatstack
       end
 
       match = (Libinjection.libinjection_xss(param, param.length) === 1 ? true : false)
-      @@logger.send(match ? :warn : :debug, "XSS Check #{match ? 'positive' : 'negative'} for: #{name}") unless name.nil?
+      @@logger.send(match ? :warn : :debug, "XSS Check #{match ? 'POSITIVE' : 'negative'} for: #{name}=#{param}") unless name.nil?
+      match
+    end
+
+    def self.check_pathtraversal_payload(param, name = nil)
+      # exit early if path traversal checking is disabled
+      return false unless DETECT_PATH_TRAVERSAL
+
+      if param.nil? || !param.kind_of?(String)
+        @@logger.debug "Path Traversal Check skipped for: #{name}" unless name.nil?
+        return false
+      end
+
+      match = (Libinjection.libinjection_pathtraversal(param, param.length) === 1 ? true : false)
+      @@logger.send(match ? :warn : :debug, "Path Traversal Check #{match ? 'POSITIVE' : 'negative'} for: #{name}=#{param}") unless name.nil?
       match
     end
 
@@ -152,10 +176,11 @@ module Threatstack
       flattened = flatten params
 
       # check each parameter value for dangerous payloads
-      sqli_found, xss_found = false, false
+      sqli_found, xss_found, pathtraversal_found = false
       flattened.each do |key, val|
         sqli_found = check_sqli_payload(val, key) unless sqli_found
         xss_found = check_xss_payload(val, key) unless xss_found
+        pathtraversal_found = check_pathtraversal_payload(val, key) unless pathtraversal_found
       end
 
       # whether or not to include the payload in the event
@@ -164,9 +189,10 @@ module Threatstack
       # create the according attack event if the checks above returned positive
       create_attack_event(payload, SQLI, location, request, headers, backtrace) if sqli_found
       create_attack_event(payload, XSS, location, request, headers, backtrace) if xss_found
+      create_attack_event(payload, PATH_TRAVERSAL, location, request, headers, backtrace) if pathtraversal_found
 
       # return results
-      { :sqli => sqli_found, :xss => xss_found }
+      { :sqli => sqli_found, :xss => xss_found, :path_traversal => pathtraversal_found }
     end
   end
 end

data/lib/instrumentation/frameworks/kernel.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require_relative '../common.rb'
+require_relative '../instrumenter.rb'
+require_relative '../../utils/logger'
+
+module Threatstack
+  module Instrumentation
+    module Frameworks
+      module TSKernel
+        @@logger = Threatstack::Utils::TSLogger.create 'KernelINST'
+
+        # methods to wrap
+        METHOD_NAMES = ['exec', 'system', '`'].freeze
+
+        def self.wrap_methods
+          # executed every time a wrapped method is called
+          on_method_call = Proc.new do |params|
+            module_name, method_name, file_path, line_num, args = Threatstack::Instrumentation.extract_instrumentation_params params
+            # special case for ` method emulation
+            if method_name == '`' && !file_path.nil? && file_path =~ /.*\/kernel\/agnostics\.rb$/
+              called_by = params[:caller_loc][1]
+              file_path = called_by ? called_by.absolute_path : nil
+            end
+
+            # create and queue the event
+            Threatstack::Instrumentation.create_instrumentation_event(module_name, method_name, file_path, line_num, args)
+          end
+          @@logger.info "Instrumenting Kernel methods: #{METHOD_NAMES}"
+          instrumenter = Threatstack::Instrumentation::Instrumenter.instance
+          METHOD_NAMES.each do |method_name|
+            instrumenter.wrap_class_method(Kernel, method_name, &on_method_call)
+            instrumenter.wrap_instance_method(Kernel, method_name, &on_method_call)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/instrumentation/frameworks/rails.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require 'json'
+
+require_relative '../../constants'
+require_relative '../../exceptions/request_blocked_error'
+require_relative '../../utils/logger'
+require_relative '../common'
+
+module Threatstack
+  module Instrumentation
+    module Frameworks
+      module TSRails
+        @@logger = Threatstack::Utils::TSLogger.create 'RailsINST'
+
+        def self.patch_action_controller
+          @@logger.info 'Looking for Rails gem'
+          return unless defined?(::Rails) && defined?(::Rails::VERSION)
+          return unless defined?(ActionController) && defined?(ActionController::Base)
+
+          @@logger.info "Rails #{Rails::VERSION::MAJOR.to_s} gem found, instrumenting ActionController"
+          ActionController::Base.class_eval do
+            include Threatstack::Instrumentation::Frameworks::TSRails::TSActionController
+          end
+          @@logger.info 'Rails instrumentation done'
+        end
+
+        def self.load_application_config
+          return nil unless Gem.loaded_specs.key?('rails') && defined?(Rails)
+          return Rails.configuration if Rails.respond_to?(:configuration)
+          return Rails.application.config if Rails.respond_to?(:application) && Rails.application.respond_to?(:config)
+          return nil
+        end
+
+        def self.report_application_config
+          @@logger.info 'Checking Rails application config'
+          config = self.load_application_config
+          if config.nil?
+            @@logger.warn 'Rails config not found, skipping config check'
+            return
+          end
+          @@logger.info 'Rails config loaded, relaying relevant values to server'
+          # only send relevant props to the server
+          filtered = { :force_ssl => config.force_ssl }
+          Threatstack::Instrumentation.create_instrumentation_event('rails', 'configuration',
+                                                                    Threatstack::Constants::ROOT_DIR, 0, [filtered])
+        end
+
+        module TSActionController
+          include Threatstack::Constants
+          @@logger = Threatstack::Utils::TSLogger.create 'RailsINST'
+
+          def process_action(*args, &block)
+            # we need the headers hack below because Rails adds a lot of internal headers
+            headers = request.headers.each_with_object({}) do |(k, v), obj|
+              obj[k] = v if CGI_VARIABLES.include?(k.to_s) || k =~ /^HTTP_/
+            end
+            @@logger.debug("Incoming request: #{{ :headers => headers, :path => request.path_parameters,
+                                                  :query => Threatstack::Instrumentation.drop_sensitive_fields(request.query_parameters),
+                                                  :body => Threatstack::Instrumentation.drop_sensitive_fields(request.request_parameters) }}")
+            backtrace = caller.join("\n")
+
+            # check path/query/body parameters
+            path_res = Threatstack::Instrumentation.check_parameters(request.path_parameters, 'path', request, headers, backtrace)
+            query_res = Threatstack::Instrumentation.check_parameters(request.query_parameters, 'query', request, headers, backtrace)
+            body_res = Threatstack::Instrumentation.check_parameters(request.request_parameters, 'body', request, headers, backtrace)
+
+            @@logger.debug "RequestStats -- Path: #{path_res}, Query: #{query_res}, Body: #{body_res}"
+            sqli_found = (path_res[:sqli] || query_res[:sqli] || body_res[:sqli])
+            xss_found = (path_res[:xss] || query_res[:xss] || body_res[:xss])
+            pathtraversal_found = (path_res[:path_traversal] || query_res[:path_traversal] || body_res[:path_traversal])
+            # raise an exception if any attack payloads were detected and blocking is enabled
+            if (BLOCK_SQLI && sqli_found) || (BLOCK_XSS && xss_found) || (BLOCK_PATH_TRAVERSAL && pathtraversal_found)
+              raise Threatstack::Exceptions::RequestBlockedError, REQUEST_BLOCKED
+            end
+
+            # continue processing the request normally if no issues were found
+            super(*args, &block)
+          end
+
+          def render(*args, &block)
+            caller_loc = caller_locations(1, 10) ? caller_locations(1, 10).first : nil
+            file_path = caller_loc ? caller_loc.absolute_path : nil
+            line_num = caller_loc ? caller_loc.lineno : nil
+            # report back all parameters
+            Threatstack::Instrumentation.create_instrumentation_event('rails', 'render', file_path, line_num, args)
+            # continue processing the request
+            super(*args, &block)
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/instrumentation/frameworks/random.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require_relative '../common.rb'
+require_relative '../instrumenter.rb'
+require_relative '../../utils/logger'
+
+module Threatstack
+  module Instrumentation
+    module Frameworks
+      module TSRandom
+        @@logger = Threatstack::Utils::TSLogger.create 'RandomINST'
+
+        # methods to wrap
+        METHOD_NAMES = ['rand'].freeze
+
+        def self.wrap_methods
+          # executed every time a wrapped method is called
+          on_method_call = Proc.new do |params|
+            module_name, method_name, file_path, line_num, args = Threatstack::Instrumentation.extract_instrumentation_params params
+            # create and queue the event
+            Threatstack::Instrumentation.create_instrumentation_event(module_name, method_name, file_path, line_num, args)
+          end
+          @@logger.info "Instrumenting Random methods: #{METHOD_NAMES}"
+          instrumenter = Threatstack::Instrumentation::Instrumenter.instance
+          METHOD_NAMES.each do |method_name|
+            # Random lib
+            instrumenter.wrap_class_method(Random, method_name, &on_method_call)
+            instrumenter.wrap_instance_method(Random, method_name, &on_method_call)
+            # Kernel lib
+            instrumenter.wrap_class_method(Kernel, method_name, &on_method_call)
+            instrumenter.wrap_instance_method(Kernel, method_name, &on_method_call)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/instrumentation/instrumenter.rb

@@ -9,6 +9,7 @@ module Threatstack
       include Singleton
 
       @@logger = Threatstack::Utils::TSLogger.create 'Instrumenter'
+      CLASS_SUFFIX = 'class'
 
       if RUBY_VERSION < '1.9'
         def normalize_method_name(method)
@@ -20,8 +21,8 @@ module Threatstack
         end
       end
 
-      def self.define_callback(klass, method, &block)
-        backup_name = get_backup_name method
+      def self.define_callback(klass, method, suffix = nil, &block)
+        backup_name = get_backup_name(method, suffix)
         outer_block = block
         Proc.new do |*args, &block|
           @@logger.debug "Wrapped method called: #{klass}.#{method}"
@@ -38,76 +39,144 @@ module Threatstack
         if is_class_method?(klass, method)
           wrap_class_method(klass, method, &block)
         elsif is_instance_method?(klass, method)
-          @@logger.debug "Wrapping instance method: #{klass}.#{method}"
           wrap_instance_method(klass, method, &block)
+        elsif klass.respond_to?(method, true)
+          wrap_class_method(klass, method, &block)
         else
           raise "#{klass}.#{method} is not a class nor instance method"
         end
       end
 
       def wrap_class_method(klass, method, &block)
-        @@logger.debug "Wrapping class method: #{klass}.#{method}"
+        @@logger.debug "Attempting wrap of class method: #{klass}.#{method}"
         original_name = method.to_sym
-        backup_name = get_backup_name method
-        wrapped_name = get_wrapped_name method
+        backup_name = get_backup_name(original_name, CLASS_SUFFIX)
+        wrapped_name = get_wrapped_name(original_name, CLASS_SUFFIX)
+
+        if method_exists?(klass, backup_name)
+          msg = "#{klass}.#{method} already instrumented"
+          @@logger.error msg
+          raise msg
+        end
 
+        @@logger.debug "Wrapping class method: #{klass}.#{method}"
         klass.singleton_class.instance_eval do
           alias_method backup_name, original_name
 
-          p = Instrumenter.define_callback(klass, method, &block)
+          p = Instrumenter.define_callback(klass, original_name, CLASS_SUFFIX, &block)
           define_method(wrapped_name, p)
 
           private wrapped_name
 
-          method_kind = nil
+          visibility = nil
           if public_method_defined? original_name
-            method_kind = :public
+            visibility = :public
           elsif protected_method_defined? original_name
-            method_kind = :protected
+            visibility = :protected
           elsif private_method_defined? original_name
-            method_kind = :private
+            visibility = :private
           end
 
           alias_method original_name, wrapped_name
-          __send__(method_kind, original_name)
+          __send__(visibility, original_name)
           private backup_name
         end
       end
 
       def wrap_instance_method(klass, method, &block)
-        @@logger.debug "Wrapping instance method: #{klass}.#{method}"
-        backup_name = get_backup_name method
-        wrapped_name = get_wrapped_name method
+        @@logger.debug "Attempting wrap of instance method: #{klass}.#{method}"
+        original_name = method.to_sym
+        backup_name = get_backup_name original_name
+        wrapped_name = get_wrapped_name original_name
 
-        private_methods = klass.private_instance_methods(false)
-        if private_methods.include?(backup_name)
-          @@logger.debug "#{klass}.#{method} already instrumented"
-          return backup_name
+        if method_exists?(klass, backup_name)
+          msg = "#{klass}.#{method} already instrumented"
+          @@logger.error msg
+          raise msg
         end
 
-        p = Instrumenter.define_callback(klass, method, &block)
+        @@logger.debug "Wrapping instance method: #{klass}.#{method}"
+        p = Instrumenter.define_callback(klass, original_name, nil, &block)
         visibility = nil
         klass.class_eval do
-          alias_method backup_name, method
+          alias_method backup_name, original_name
 
           define_method(wrapped_name, p)
 
-          if public_method_defined?(method)
+          if public_method_defined?(original_name)
             visibility = :public
-          elsif protected_method_defined?(method)
+          elsif protected_method_defined?(original_name)
             visibility = :protected
-          elsif private_method_defined?(method)
+          elsif private_method_defined?(original_name)
             visibility = :private
           end
 
-          alias_method method, wrapped_name
+          alias_method original_name, wrapped_name
           private backup_name
           private wrapped_name
-          __send__(visibility, method)
+          __send__(visibility, original_name)
         end
         backup_name
       end
 
+      def unwrap_method(klass, method)
+        original_name = method.to_sym
+        inst_backup_name = get_backup_name(original_name)
+        class_backup_name = get_backup_name(original_name, CLASS_SUFFIX)
+        # unwrap instance methods of that name
+        if is_instance_method?(klass, inst_backup_name)
+          unwrap_instance_method(klass, original_name)
+        end
+        # unwrap class methods of that name
+        if is_class_method?(klass, class_backup_name)
+          unwrap_class_method(klass, original_name)
+        end
+      end
+
+      def unwrap_class_method(klass, method)
+        @@logger.debug "Unwrapping class method: #{klass}.#{method}"
+        original_name = method.to_sym
+        backup_name = get_backup_name(original_name, CLASS_SUFFIX)
+        visibility = nil
+
+        klass.singleton_class.instance_eval do
+          if public_method_defined?(original_name)
+            visibility = :public
+          elsif protected_method_defined?(original_name)
+            visibility = :protected
+          elsif private_method_defined?(original_name)
+            visibility = :private
+          end
+          unless visibility.nil?
+            alias_method original_name, backup_name
+            __send__(visibility, original_name)
+            remove_method backup_name
+          end
+        end
+      end
+
+      def unwrap_instance_method(klass, method)
+        @@logger.debug "Unwrapping instance method: #{klass}.#{method}"
+        original_name = method.to_sym
+        backup_name = get_backup_name original_name
+        visibility = nil
+
+        klass.class_eval do
+          if public_method_defined?(original_name)
+            visibility = :public
+          elsif protected_method_defined?(original_name)
+            visibility = :protected
+          elsif private_method_defined?(original_name)
+            visibility = :private
+          end
+          unless visibility.nil?
+            alias_method original_name, backup_name
+            __send__(visibility, original_name)
+            remove_method backup_name
+          end
+        end
+      end
+
       def self.get_backup_name(method, suffix = nil)
         "ts_#{method}_backup#{suffix ? "_#{suffix}" : ''}".to_sym
       end
@@ -125,19 +194,31 @@ module Threatstack
       end
 
       def is_instance_method?(klass, method)
+        return false unless klass.respond_to?(:instance_methods)
         method = normalize_method_name(method)
         klass.instance_methods.include?(method) || klass.private_instance_methods.include?(method)
       end
 
       def is_class_method?(klass, method)
         method = normalize_method_name(method)
-        klass.singleton_methods.include? method
+        klass.singleton_methods.include?(method) || klass.respond_to?(method, true)
       end
 
       def method_exists?(obj, method)
-        return true if is_class_method?(obj, method)
-        return false unless obj.respond_to?(:instance_methods)
-        is_instance_method?(obj, method)
+        msg = "Method exists? #{obj}.#{method} =>"
+        if obj.nil? || method.nil?
+          @@logger.debug "#{msg} nil"
+          return false
+        end
+        if is_class_method?(obj, method)
+          @@logger.debug "#{msg} class method"
+          return true
+        end
+        if is_instance_method?(obj, method)
+          @@logger.debug "#{msg} instance method"
+          return true
+        end
+        false
       end
     end
   end