Merge pull request #33 from newrelic/dev

Release v0.6.0

Changelog.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## [v0.6.0] - 2024-15-01
+### Changes
+* Added exclusion based filtering of RXSS events.
+* Added ws headers NR-CSEC-ENTITY-GUID and NR-CSEC-ENTITY-NAME.
+* Added Support for PUT, PATCH and DELETE http requests type. NR-175410
+* Added Support for FastHttp framework.
+* Implemented API to send important logs to Security Engine.
+* Added support for warning messages in case of missing security wrappers
+* Updated jsonVersion to 1.1.1 in security events.
+* Updated example/test application directory.
+* Updated unit test-cases for mongo.
+* Updated file access hook and sent absolute file path.
+### Changes
+* Incorrect query type for mongo findAndModify case.
+* Fixed empty complete request ID for lastleg .
+* Incorrect server protocol in case of grpc.
+* Nil query for sql prepared statement for MAC environment.
+* Fixed for NPE in case of outbound request.
+
+
 ## [v0.5.1] - 2023-11-16
 ### Bug Fixes
 * Added required changes for backward compatibility with APM agent.

README.md

@@ -38,6 +38,7 @@ For the latest version of the agent, Go 1.17+ is required.
 * labstack/echo
 * julienschmidt/httprouter
 * micro/go-micro
+* valyala/fasthttp
 
 ### Databases
 

examples/sample-vulnerable-application/README.md

@@ -0,0 +1,28 @@
+#### examples/sample-vulnerable-application
+sample-vulnerable-application is a vulnerable web application designed for demo and reference.
+#### WARNING!
+---
+sample-vulnerable-application is a vulnerable web application.
+
+**Use it for demo purposes only, run it only on test environment.**
+
+#### Setup
+```
+git clone https://github.com/newrelic/csec-go-agent.git
+cd examples/sample-vulnerable-application
+
+```
+#### Install dependency packages
+
+```
+go mod init test
+go mod download 
+```
+
+#### Run application
+```
+go run main.go
+```
+
+#### Accessing the application :
+The application can be accessed at `http://HOST_MACHINE_IP:8000`

examples/server/main.go → examples/sample-vulnerable-application/main.go

@@ -1,6 +1,6 @@
 // Copyright 2023 New Relic Corporation. All rights reserved.
 // SPDX-License-Identifier: New Relic Pre-Release
-
+// warning! sample-vulnerable-application is a vulnerable web application.Use it for demo purposes only, run it only on test environment
 package main
 
 import (

instrumentation/csec_antchfx_htmlquery/go.mod

@@ -3,5 +3,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_antchfx_htmlquery
 go 1.17
 
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_antchfx_jsonquery/go.mod

@@ -3,5 +3,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_antchfx_jsonquery
 go 1.17
 
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_antchfx_xmlquery/go.mod

@@ -3,5 +3,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_antchfx_xmlquery
 go 1.17
 
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_antchfx_xpath/go.mod

@@ -3,5 +3,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_antchfx_xpath
 go 1.16
 
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_augustoroman_v8/go.mod

@@ -3,5 +3,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_augustoroman_v8
 go 1.17
 
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_grpc/go.mod

@@ -3,7 +3,7 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_grpc
 go 1.17
 
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 	google.golang.org/grpc v1.58.3
 	google.golang.org/protobuf v1.31.0
 	github.com/golang/protobuf v1.5.3

instrumentation/csec_grpc/main.go

@@ -51,11 +51,12 @@ func (k *SecGrpcServe) secServe(l net.Listener) error {
 }
 
 func init() {
+	secIntercept.InitGrpsFuzzRestClient(SecGrpcFuzz{})
+
 	if !secIntercept.IsAgentInitializedForHook() || secIntercept.IsForceDisable() || !secIntercept.IsHookingoIsSupported() {
 		return
 	}
 
 	e := secIntercept.HookWrapInterface((*grpc.Server).Serve, (*SecGrpcServe).secServe, (*SecGrpcServe).secServe_s)
 	secIntercept.IsHookedLog("(*grpc.Server).Serve", e)
-	secIntercept.InitGrpsFuzzRestClient(SecGrpcFuzz{})
 }

instrumentation/csec_grpc/sec_grpc_fuzz.go

@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	secUtils "github.com/newrelic/csec-go-agent/internal/security_utils"
 	secConfig "github.com/newrelic/csec-go-agent/security_config"
 	secevent "github.com/newrelic/csec-go-agent/security_event_generation"
 	sechandler "github.com/newrelic/csec-go-agent/security_handlers"
@@ -24,11 +25,12 @@ type SecGrpcFuzz struct {
 
 func (grpcFuzz SecGrpcFuzz) ExecuteFuzzRequest(fuzzRequest *sechandler.FuzzRequrestHandler, caseType string, fuzzId string) {
 	fuzzRequestID := fmt.Sprintf("%v", fuzzRequest.Headers[secIntercept.NR_CSEC_FUZZ_REQUEST_ID])
-
+	sechandler.FuzzHandler.AppendCompletedRequestIds(fuzzId, "")
 	var grpcBody []interface{}
 	err := json.Unmarshal([]byte(fuzzRequest.Body), &grpcBody)
 	if err != nil {
 		logger.Debugln("ERROR: error in unmarshal gRPC body : ", err.Error(), fuzzRequest.Body)
+		secIntercept.SendLogMessage("ERROR: error in unmarshal gRPC body : "+err.Error(), "csec_grpc")
 		secevent.SendFuzzFailEvent(fuzzRequestID)
 		return
 	}
@@ -55,6 +57,7 @@ func (grpcFuzz SecGrpcFuzz) ExecuteFuzzRequest(fuzzRequest *sechandler.FuzzRequr
 
 	if err != nil {
 		logger.Errorln("ERROR: Failed to create fuzz client : ", secConfig.GlobalInfo.ApplicationInfo.ServerIp, gPort, err.Error())
+		secIntercept.SendLogMessage("ERROR: Failed to create fuzz client : "+secConfig.GlobalInfo.ApplicationInfo.ServerIp+gPort+err.Error(), "csec_grpc")
 		secevent.SendFuzzFailEvent(fuzzRequestID)
 	}
 
@@ -63,7 +66,6 @@ func (grpcFuzz SecGrpcFuzz) ExecuteFuzzRequest(fuzzRequest *sechandler.FuzzRequr
 		url = url[1:]
 	}
 
-	sechandler.FuzzHandler.AppendCompletedRequestIds(fuzzId, "")
 	tmp := fmt.Sprintf("%s: %s", "nr-csec-parent-id", fuzzId)
 	headers = append(headers, tmp)
 
@@ -89,7 +91,7 @@ func (grpcFuzz SecGrpcFuzz) ExecuteFuzzRequest(fuzzRequest *sechandler.FuzzRequr
 }
 
 func getFuzzClient(protocol, url, serverName string) (*grpc.ClientConn, error) {
-	if protocol == "https" {
+	if secUtils.CaseInsensitiveEquals(protocol, "https") {
 		return getHttpsClient(url, serverName)
 	} else {
 		return getHttpClient(url)

instrumentation/csec_ldap_v3/go.mod

@@ -2,5 +2,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_ldap_v3
 
 go 1.17
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_mongodb_mongo/csec_mongodb_mongo_test.go

@@ -33,7 +33,6 @@ func TestMongoInsertOneHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -63,7 +62,6 @@ func TestMongoInsertManyHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -92,7 +90,6 @@ func TestMongoFindHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -130,7 +127,6 @@ func TestMongoFindOneHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -163,7 +159,6 @@ func TestMongoFindOneAndReplaceHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -192,7 +187,6 @@ func TestMongoFindOneAndUpdateHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -222,7 +216,6 @@ func TestMongoFindOneAndDeleteHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -251,7 +244,6 @@ func TestMongoUpdateOneHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -280,7 +272,6 @@ func TestMongoUpdateManyHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -310,7 +301,6 @@ func TestMongoReplaceOneHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -340,7 +330,6 @@ func TestMongoDeleteOneHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll
@@ -369,7 +358,6 @@ func TestMongoDeleteManyHook(t *testing.T) {
 	secConfig.RegisterListener()
 
 	mt := ConnectMongoDB(t)
-	defer mt.Close()
 
 	mt.Run("success", func(mt *mtest.T) {
 		userCollection = mt.Coll

instrumentation/csec_mongodb_mongo/go.mod

@@ -2,5 +2,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_mongodb_mongo
 
 go 1.16
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_robertkrimen_otto/go.mod

@@ -2,5 +2,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_robertkrimen_otto
 
 go 1.17
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

instrumentation/csec_valyala_fasthttp/go.mod

@@ -3,5 +3,5 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_valyala_fasthttp
 go 1.17
 
 require (
-	github.com/newrelic/csec-go-agent v0.5.1
+	github.com/newrelic/csec-go-agent v0.6.0
 )

internal/security_logs/initLogging.go

@@ -12,15 +12,15 @@ var initLogger = DefaultLogger(true)
 
 func init_initLogger(initlogFileName, logFilepath string, pid int) {
 
-	rotateFileHook, writer, err := NewRotateFileHook(RotateFileConfig{
+	rotateFileHook, writer, isDefault, _ := NewRotateFileHook(RotateFileConfig{
 		Filename:        filepath.Join(logFilepath, initlogFileName),
 		Filepath:        logFilepath,
 		MaxSize:         50, // megabytes
 		MaxBackups:      2,
 		BaseLogFilename: initlogFileName,
 	})
 
-	UpdateLogger(writer, "INFO", pid, initLogger, rotateFileHook, err)
+	UpdateLogger(writer, "INFO", pid, initLogger, rotateFileHook, isDefault)
 }
 
 func InitLogger() *logFile {

internal/security_logs/logger.go

@@ -46,10 +46,12 @@ func DefaultLogger(iscache1 bool) *logFile {
 
 func (f *logFile) fire(level string, msg ...interface{}) {
 	logm := fmt.Sprintln(msg...)
-
 	if level == "ERROR" {
 		errLevel := fmt.Sprintf("\x1b[%dm%s\x1b[0m", 31, "ERROR")
 		logm = fmt.Sprintf(" [%s] %s", errLevel, logm)
+	} else if level == "WARN" {
+		errLevel := fmt.Sprintf("\x1b[%dm%s\x1b[0m", 33, "WARN")
+		logm = fmt.Sprintf(" [%s] %s", errLevel, logm)
 	} else {
 		logm = fmt.Sprintf(" [%s] %s", level, logm)
 	}
@@ -104,6 +106,6 @@ func (f *logFile) cleanCache() {
 	f.cache = make([]interface{}, 0)
 }
 
-func (f *logFile) IsDebug() bool{
+func (f *logFile) IsDebug() bool {
 	return f.isDebugMode
-}
+}

internal/security_logs/logging.go

@@ -16,19 +16,20 @@ var agentLogger = DefaultLogger(false)
 var isInitilized = false
 var errorBuffer = secUtils.NewCring(5)
 
-func Init(logFileName, initlogFileName, logFilepath string, pid int) {
+func Init(logFileName, initlogFileName, logFilepath string, pid int) error {
 	isInitilized = true
-	rotateFileHook, writer, err := NewRotateFileHook(RotateFileConfig{
+	rotateFileHook, writer, isDefault, err := NewRotateFileHook(RotateFileConfig{
 		Filename:        filepath.Join(logFilepath, logFileName),
 		Filepath:        logFilepath,
 		MaxSize:         50, // megabytes
 		MaxBackups:      2,
 		BaseLogFilename: logFileName,
 	})
 
-	UpdateLogger(writer, "INFO", pid, agentLogger, rotateFileHook, err)
+	UpdateLogger(writer, "INFO", pid, agentLogger, rotateFileHook, isDefault)
 
 	init_initLogger(initlogFileName, logFilepath, pid)
+	return err
 }
 
 func SetLogLevel(level string) {

internal/security_logs/rotateFileHook.go

@@ -57,20 +57,20 @@ func (config *RotateFileConfig) createLogDir() (io.Writer, error) {
 
 }
 
-func NewRotateFileHook(config RotateFileConfig) (*RotateFileHook, io.Writer, bool) {
+func NewRotateFileHook(config RotateFileConfig) (*RotateFileHook, io.Writer, bool, error) {
 	logfile, err := config.createLogDir()
-	idDefault := false
+	isDefault := false
 	if err != nil {
 		fmt.Println(err)
 		logfile = os.Stdout
-		idDefault = true
+		isDefault = true
 	}
 
 	hook := RotateFileHook{
 		Config: config,
 	}
 
-	return &hook, logfile, idDefault
+	return &hook, logfile, isDefault, err
 }
 
 func (hook *RotateFileHook) Fire(logMessege, mode string, isDefault bool) string {