Module: TCellAgent::Instrumentation::Lfi

Extended by:
ModuleLoggerAccess
Defined in:
lib/tcell_agent/instrumentation/lfi.rb

Class Method Summary collapse

Methods included from ModuleLoggerAccess

module_logger

Class Method Details

.argf_open_handlerObject 



109
110
111
112
113
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 109

def self.argf_open_handler
  path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf

  raise_if_block(path, mode)
end

.block_file_access?(path, mode) ⇒ Boolean

Returns:

  • (Boolean) 


10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 10

def self.block_file_access?(path, mode)
  TCellAgent::Instrumentation.safe_block('Checking Local Files Policy') do
    if TCellAgent::Utils::Strings.present?(path)
      lfi_policy = TCellAgent.policy(TCellAgent::PolicyTypes::LFI)

      request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
        Thread.current.object_id, {}
      )

      tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
      return lfi_policy.block_file_access?(path, mode, tcell_context)
    end
  end

  false
end

.cmdi_open_handler(args, override_mode = '') ⇒ Object 



115
116
117
118
119
120
121
122
123
124
125
126
127
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 115

def self.cmdi_open_handler(args, override_mode = '')
  path, mode = extract_path_mode(*args)

  mode = override_mode unless override_mode.empty?

  raise_if_block(path, mode)

  return unless path.empty?

  cmd = TCellAgent::Cmdi.parse_command_from_open(*args)

  TCellAgent::Cmdi.raise_if_block(cmd) if cmd
end

.convert_mode(mode) ⇒ Object 



84
85
86
87
88
89
90
91
92
93
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 84

def self.convert_mode(mode)
  if mode.is_a? String
    return 'ReadWrite' if mode.include? '+'
    return 'Write' if (mode.include? 'w') || (mode.include? 'a')
  elsif mode.is_a? Numeric
    return 'ReadWrite' if (mode & ::File::RDWR) != 0
    return 'Write' if (mode & ::File::WRONLY) != 0
  end
  'Read'
end

.default_open_handler(args, override_mode = '') ⇒ Object 



101
102
103
104
105
106
107
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 101

def self.default_open_handler(args, override_mode = '')
  path, mode = extract_path_mode(*args)

  mode = override_mode unless override_mode.empty?

  raise_if_block(path, mode)
end

.extract_path_mode(*args) ⇒ Object 



27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 27

def self.extract_path_mode(*args)
  path = ''
  mode = ''

  TCellAgent::Instrumentation.safe_block('LFI Parsing *args') do
    return ['', ''] if args.nil? || args.empty?

    args_copy = Array.new(args)
    path = args_copy.shift
    mode = args_copy.shift || 'r'

    if path && path.to_s[0] != '|'
      path = File.expand_path(path.to_s)

      mode = if mode && mode.is_a?(Hash)
               convert_mode(mode[:mode])
             else
               convert_mode(mode)
             end

      [path, mode]
    else
      ['', '']
    end
  end
end

.extract_path_mode_argfObject 



54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 54

def self.extract_path_mode_argf
  path = ''
  mode = 'Read'

  TCellAgent::Instrumentation.safe_block('LFI Parsing ARGF') do
    begin
      return ['', ''] if ARGF.file == $stdin

      if ARGF.eof? && !ARGV.empty?
        argv_copy = Array.new(ARGV)
        path = argv_copy.shift
      else
        path = ARGF.filename
      end

      if path && path.to_s[0] != '|'
        [File.expand_path(path.to_s), mode]
      else
        ['', '']
      end
    rescue Errno::ENOENT
      module_logger.debug('LFI Parsing ARGF: attempted to read a non-existent file')
      ['', '']
    rescue Errno::EISDIR
      module_logger.debug('LFI Parsing ARGF: attempted to read a directory')
      [ARGF.filename, mode]
    end
  end
end

.raise_if_block(path, mode) ⇒ Object

Raises:

  • (IOError) 


95
96
97
98
99
 
# File 'lib/tcell_agent/instrumentation/lfi.rb', line 95

def self.raise_if_block(path, mode)
  return unless block_file_access?(path, mode)

  raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
end