From 0edf5faf83410f24652216902014e3753bbc978c Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Mon, 5 Feb 2024 14:20:37 +0530
Subject: [PATCH 1/9] update log file permission
---
 internal/security_logs/rotateFileHook.go | 12 +++++++-----
 security_event_generation/event_generation_utils.go | 6 +++---
 security_intercept/intercept.go | 2 +-
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/internal/security_logs/rotateFileHook.go b/internal/security_logs/rotateFileHook.go
index ebbc23a..a7fb1bf 100644
--- a/internal/security_logs/rotateFileHook.go
+++ b/internal/security_logs/rotateFileHook.go
@@ -38,21 +38,22 @@ func (config *RotateFileConfig) createLogDir() (io.Writer, error) {
 return nil, err
 }
- err = os.Chmod(config.Filepath, 0777)
+ err = os.Chmod(config.Filepath, 0770)
 if err != nil {
 return nil, err
 }
- err = os.Chmod(filepath.Dir(config.Filepath), 0777)
+ err = os.Chmod(filepath.Dir(config.Filepath), 0770)
 if err != nil {
 return nil, err
 }
- logfile, err := os.OpenFile(config.Filename, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0777)
+ logfile, err := os.OpenFile(config.Filename, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0660)
 if err != nil {
 return nil, err
 }
+ logfile.Chmod(0660)
 return logfile, nil
 }
@@ -106,7 +107,7 @@ func (hook *RotateFileHook) logrollover() error {
 pid := secUtils.IntToString(os.Getpid())
 if !secUtils.IsFileExist(lockFile) {
- err := os.WriteFile(lockFile, []byte(pid), 777)
+ err := os.WriteFile(lockFile, []byte(pid), 0660)
 if err != nil {
 return err
 }
@@ -137,7 +138,8 @@ func (hook *RotateFileHook) filerollover() error {
 }
 timeStamp := time.Now().Unix()
- rolloverLogFile, err := os.OpenFile(hook.Config.Filename+"."+strconv.FormatInt(timeStamp, 10), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0777)
+ rolloverLogFile, err := os.OpenFile(hook.Config.Filename+"."+strconv.FormatInt(timeStamp, 10), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0660)
+ rolloverLogFile.Chmod(0660)
 if err != nil {
 return err
 }
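Review bot: The new `logfile.Chmod(0660)` at the end of createLogDir discards its error, so a failure to tighten the mode leaves the file in use at whatever mode it got while the function still reports success; `if err := logfile.Chmod(0660); err != nil { logfile.Close(); return nil, err }` keeps the function's existing error contract. The same unchecked call appears in the filerollover hunk below (`rolloverLogFile.Chmod(0660)`) and in PATCH 2's populateStatusLogs hunk (`f.Chmod(0660)`). The explicit Chmod right after an OpenFile that already passes 0660 presumably exists to override the process umask; a one-line comment saying so would stop a later reader from removing it as redundant. Worth a comment as well: 0770/0660 leaves the log directory and files group-writable, so any member of the agent's group can truncate or alter security logs — 0750/0640 unless group write is actually required.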
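Review bot: In filerollover the added `rolloverLogFile.Chmod(0660)` runs before the `if err != nil` check on the OpenFile result, so when OpenFile fails it is invoked on a nil *os.File (which, as far as I recall, Chmod reports as ErrInvalid rather than panicking) and that error is thrown away. Move the call below the error check and handle its result: `if err := rolloverLogFile.Chmod(0660); err != nil { rolloverLogFile.Close(); return err }`. PATCH 2's `f.Chmod(0660)` in populateStatusLogs has the same ordering problem. The body of filerollover continues outside the hunk.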
diff --git a/security_event_generation/event_generation_utils.go b/security_event_generation/event_generation_utils.go
index e78c47e..0724a59 100644
--- a/security_event_generation/event_generation_utils.go
+++ b/security_event_generation/event_generation_utils.go
@@ -250,14 +250,14 @@ func populateStatusLogs(service, process map[string]interface{}) {
 logger.Errorln(err)
 return
 }
- err = os.Chmod(statusFilePath, 0777)
+ err = os.Chmod(statusFilePath, 0770)
 if err != nil {
 SendLogMessage(err.Error(), "populateStatusLogs", "SEVERE")
 logger.Errorln(err)
 return
 }
 statusFilePath1 := filepath.Join(statusFilePath, fmt.Sprintf("go-security-collector-status-%s.log", secConfig.GlobalInfo.ApplicationInfo.GetAppUUID()))
- f, err := os.OpenFile(statusFilePath1, os.O_RDWR|os.O_CREATE, 0777)
+ f, err := os.OpenFile(statusFilePath1, os.O_RDWR|os.O_CREATE, 0660)
 if err != nil {
 SendLogMessage(err.Error(), "populateStatusLogs", "SEVERE")
 logger.Errorln(err)
@@ -306,7 +306,7 @@ func wsStatus() string {
 }
 func isLogAccessible(fileName string) string {
- file, err := os.OpenFile(fileName, os.O_WRONLY, 0777)
+ file, err := os.OpenFile(fileName, os.O_WRONLY, 0660)
 if err == nil {
 defer file.Close()
 return "OK"
diff --git a/security_intercept/intercept.go b/security_intercept/intercept.go
index e502fbc..c3356f9 100644
--- a/security_intercept/intercept.go
+++ b/security_intercept/intercept.go
@@ -575,7 +575,7 @@ func createFuzzFile(fuzzheaders string) (tmpFiles []string) {
 tmpFiles = append(tmpFiles, fileName)
 dir := filepath.Dir(fileName)
 if dir != "" {
- err := os.MkdirAll(dir, os.ModePerm)
+ err := os.MkdirAll(dir, 0770)
 if err != nil {
 logger.Debugln("Error while creating file : ", err.Error())
 }
From fe0754090d4226d4dec599bf83051b80587943df Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Mon, 5 Feb 2024 16:00:08 +0530
Subject: [PATCH 2/9] update snapshots file permission
---
 security_event_generation/event_generation_utils.go | 1 +
 1 file changed, 1 insertion(+)
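Review bot: The mode argument in `os.OpenFile(fileName, os.O_WRONLY, 0660)` in isLogAccessible only takes effect when O_CREATE is among the flags, so changing it from 0777 alters nothing here: the probe opens an existing file and never creates one. A short comment such as `// mode is unused: no O_CREATE, this only probes writability of an existing file` would keep the next permission sweep from touching it again, or pass 0 to make that explicit. The rest of isLogAccessible lies outside the hunk.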
diff --git a/security_event_generation/event_generation_utils.go b/security_event_generation/event_generation_utils.go
index 0724a59..04d26ca 100644
--- a/security_event_generation/event_generation_utils.go
+++ b/security_event_generation/event_generation_utils.go
@@ -258,6 +258,7 @@ func populateStatusLogs(service, process map[string]interface{}) {
 }
 statusFilePath1 := filepath.Join(statusFilePath, fmt.Sprintf("go-security-collector-status-%s.log", secConfig.GlobalInfo.ApplicationInfo.GetAppUUID()))
 f, err := os.OpenFile(statusFilePath1, os.O_RDWR|os.O_CREATE, 0660)
+ f.Chmod(0660)
 if err != nil {
 SendLogMessage(err.Error(), "populateStatusLogs", "SEVERE")
 logger.Errorln(err)
From 6b408fdc0539509f13cf04565b82c98591235a4b Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Mon, 19 Feb 2024 10:47:48 +0530
Subject: [PATCH 3/9] Added handling to send data api endpoint
---
 security_config/global_config.go | 21 +++++++++++++++++++
 security_event_generation/event_generation.go | 12 +++++++++++
 .../event_generation_utils.go | 4 ++--
 security_intercept/intercept.go | 17 +++++++++++++++
 4 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/security_config/global_config.go b/security_config/global_config.go
index e2aca69..43c423d 100644
--- a/security_config/global_config.go
+++ b/security_config/global_config.go
@@ -20,6 +20,8 @@ var SecureWS secUtils.SecureWSiface
 type Info_struct struct {
 EventData eventData
+ ApiData []Urlmappings
+ ApiDataMutex sync.Mutex
 EnvironmentInfo EnvironmentInfo
 ApplicationInfo runningApplicationInfo
 InstrumentationData Instrumentation
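Review bot: Adding `ApiDataMutex sync.Mutex` to Info_struct makes the struct unsafe to copy by value, and both new fields are exported with no doc comment, so nothing stops another package from reading `ApiData` without taking the lock. Suggest documenting the invariant on the field, `// ApiData is guarded by ApiDataMutex; access it only through GetApiData/SetApiData.`, and unexporting both fields if no external package needs them. Whether GlobalInfo is ever copied is not visible in this series — worth confirming with go vet's copylocks check. The struct definition continues past the hunk.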
@@ -131,6 +133,19 @@ func (info *Info_struct) SetBodyLimit(bodyLimit int) {
 return
 }
+func (info *Info_struct) GetApiData() interface{} {
+ info.ApiDataMutex.Lock()
+ defer info.ApiDataMutex.Unlock()
+ return info.ApiData
+}
+
+func (info *Info_struct) SetApiData(data Urlmappings) {
+ info.ApiDataMutex.Lock()
+ defer info.ApiDataMutex.Unlock()
+ info.ApiData = append(info.ApiData, data)
+ return
+}
+
 type metaData struct {
 linkingMetadata interface{}
 accountID string
@@ -360,6 +375,12 @@ func (e *EventStats) IncreaseEventErrorCount() {
 }
 }
+type Urlmappings struct {
+ Method string `json:"method"`
+ Path string `json:"path"`
+ Handler string `json:"handler"`
+}
+
 type EnvironmentInfo struct {
 ID string
 NodeId string
diff --git a/security_event_generation/event_generation.go b/security_event_generation/event_generation.go
index 07591c9..2ed3296 100644
--- a/security_event_generation/event_generation.go
+++ b/security_event_generation/event_generation.go
@@ -43,6 +43,7 @@ func InitHcScheduler() {
 logging.EndStage("5", "Security agent components started")
 SendSecHealthCheck()
 sendBufferLogMessage()
+ sendUrlMappingEvent()
 t := time.NewTicker(5 * time.Minute)
 for {
 select {
@@ -251,6 +252,17 @@ func SendFuzzFailEvent(fuzzHeader string) {
 }
 }
+func sendUrlMappingEvent() {
+ var urlMappingBeen UrlMappingBeen
+ urlMappingBeen.EventType = "sec-application-url-mapping"
+ urlMappingBeen.ApplicationIdentifiers = getApplicationIdentifiers("sec-application-url-mapping")
+ urlMappingBeen.Mappings = secConfig.GlobalInfo.GetApiData()
+ _, err := sendEvent(urlMappingBeen, "", "")
+ if err != nil {
+ logger.Errorln(err)
+ }
+}
+
 func SendVulnerableEvent(req *secUtils.Info_req, category string, args interface{}, vulnerabilityDetails secUtils.VulnerabilityDetails, eventId string) *secUtils.EventTracker {
 var tmp_event eventJson
diff --git a/security_event_generation/event_generation_utils.go b/security_event_generation/event_generation_utils.go
index d4f0856..d20d0ca 100644
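Review bot: GetApiData returns `info.ApiData` itself, so the caller gets a slice aliasing the mutex-guarded backing array and the lock protects nothing once the method returns; return a copy instead, `return append([]Urlmappings(nil), info.ApiData...)` (the type is declared in the second hunk of this file). The trailing bare `return` in SetApiData is redundant and can go. Both methods are exported and need doc comments starting with their names, e.g. `// SetApiData records one route registration for the url-mapping event.`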
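Review bot: `sendUrlMappingEvent()` is called once in InitHcScheduler, before the ticker loop starts, so a route registered through the API_END_POINTS path after that point is never reported unless something outside this series re-sends it; the loop body lies outside the hunk, so that cannot be confirmed here. If registrations can arrive late, either re-send on the ticker when the mapping list has grown, or state the one-shot behaviour in a comment on the call: `// url mappings are reported once at startup; later registrations are not re-sent`.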
--- a/security_event_generation/event_generation_utils.go
+++ b/security_event_generation/event_generation_utils.go
@@ -176,8 +176,8 @@ type IASTDataRequestBeen struct {
 type UrlMappingBeen struct {
 ApplicationIdentifiers
- EventType string `json:"eventType"`
- Mappings []Urlmappings `json:"mappings"`
+ EventType string `json:"eventType"`
+ Mappings interface{} `json:"mappings"`
 }
 type Urlmappings struct {
diff --git a/security_intercept/intercept.go b/security_intercept/intercept.go
index bb6b6f9..a31e596 100644
--- a/security_intercept/intercept.go
+++ b/security_intercept/intercept.go
@@ -726,6 +726,8 @@ func SendEvent(caseType string, data ...interface{}) interface{} {
 httpresponseHandler(data...)
 case "OUTBOUND":
 return outboundcallHandler(data[0])
+ case "API_END_POINTS":
+ apiEndPointsHandler(data...)
 case "GRPC":
 grpcRequestHandler(data...)
 case "GRPC_INFO":
@@ -853,7 +855,22 @@ func grpcRequestHandler(data ...interface{}) {
 } else {
 secConfig.Secure.AssociateGrpcQueryParam(data[0], "", "v2")
 }
+}
+func apiEndPointsHandler(data ...interface{}) {
+ if data == nil || !isAgentInitialized() {
+ return
+ }
+ if len(data) >= 3 {
+ method, _ := data[0].(string)
+ path, _ := data[1].(string)
+ handler, _ := data[2].(string)
+ secConfig.GlobalInfo.SetApiData(secConfig.Urlmappings{
+ Path: path,
+ Method: method,
+ Handler: handler,
+ })
+ }
 }
 func grpcInfoHandler(data ...interface{}) {
From 44dca69c1741e6f43d824e518b5ff78580355f40 Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Thu, 7 Mar 2024 10:21:15 +0530
Subject: [PATCH 4/9] Minor fix for api endpoint
---
 security_intercept/intercept.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security_intercept/intercept.go b/security_intercept/intercept.go
index a31e596..0488635 100644
--- a/security_intercept/intercept.go
+++ b/security_intercept/intercept.go
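Review bot: Loosening `Mappings` from `[]Urlmappings` to `interface{}` only works around GetApiData returning interface{} in this patch, and it leaves a second `Urlmappings` struct (the context line `type Urlmappings struct {` just below) duplicating the one this same series adds to security_config. Prefer keeping the field typed, `Mappings []secConfig.Urlmappings` with the json tag unchanged, and dropping the local duplicate so the wire shape is checked at compile time; PATCH 6 later gives GetApiData a concrete return type, which makes that straightforward.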
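Review bot: In apiEndPointsHandler the three type assertions discard their ok results, so a caller passing a non-string records an entry with an empty Path, Method or Handler, and a call with fewer than three values is dropped by the `len(data) >= 3` guard — in both cases with no trace in the logs. Check the ok flags and skip with a debug line, e.g. `if !okPath || !okMethod || !okHandler { logger.Debugln("API_END_POINTS: unexpected argument types"); return }` after `path, okPath := data[0].(string)` and its two siblings, and log the short-argument case in an else branch of the length guard. Note also that SetApiData appends unconditionally, so registering the same route twice yields duplicate entries in the url-mapping event; whether callers can do that is not visible here.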
@@ -862,8 +862,8 @@ func apiEndPointsHandler(data ...interface{}) {
 return
 }
 if len(data) >= 3 {
- method, _ := data[0].(string)
- path, _ := data[1].(string)
+ path, _ := data[0].(string)
+ method, _ := data[1].(string)
 handler, _ := data[2].(string)
 secConfig.GlobalInfo.SetApiData(secConfig.Urlmappings{
 Path: path,
From 14f9754a4ab2da0bfb8d5f9829c46f643a7ed695 Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Mon, 18 Mar 2024 17:18:47 +0530
Subject: [PATCH 5/9] minor fir for init logs
---
 internal/security_logs/initLogging.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/security_logs/initLogging.go b/internal/security_logs/initLogging.go
index 3a76554..49d39d2 100644
--- a/internal/security_logs/initLogging.go
+++ b/internal/security_logs/initLogging.go
@@ -28,7 +28,7 @@ func InitLogger() *logFile {
 }
 func EndStage(stageId, logs interface{}) {
- print := fmt.Sprintf("[STEP-%s] %s", stageId, logs)
+ print := fmt.Sprintf("[STEP-%s] => %s", stageId, logs)
 PrintInitlog(print)
 }
 func PrintInitlog(logs interface{}) {
From d1ba82128addf93d32bd973f9480bc293d8c255a Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Mon, 18 Mar 2024 17:25:16 +0530
Subject: [PATCH 6/9] minor for empty api-end points reporting
---
 security_config/global_config.go | 2 +-
 security_event_generation/event_generation.go | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/security_config/global_config.go b/security_config/global_config.go
index 43c423d..1db6778 100644
--- a/security_config/global_config.go
+++ b/security_config/global_config.go
@@ -133,7 +133,7 @@ func (info *Info_struct) SetBodyLimit(bodyLimit int) {
 return
 }
-func (info *Info_struct) GetApiData() interface{} {
+func (info *Info_struct) GetApiData() []Urlmappings {
 info.ApiDataMutex.Lock()
 defer info.ApiDataMutex.Unlock()
 return info.ApiData
diff --git a/security_event_generation/event_generation.go b/security_event_generation/event_generation.go
index 2ed3296..2307a23 100644
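Review bot: Swapping `path` and `method` fixes the positional order but leaves that order undocumented, and the call site behind the "API_END_POINTS" case is not visible in this series, so the next caller has no contract to read. Add a comment above the `if len(data) >= 3` block: `// data is (path, method, handler), in the order passed to SendEvent("API_END_POINTS", ...).` The enclosing function apiEndPointsHandler starts and ends outside this hunk.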
--- a/security_event_generation/event_generation.go
+++ b/security_event_generation/event_generation.go
@@ -256,6 +256,10 @@ func sendUrlMappingEvent() {
 var urlMappingBeen UrlMappingBeen
 urlMappingBeen.EventType = "sec-application-url-mapping"
 urlMappingBeen.ApplicationIdentifiers = getApplicationIdentifiers("sec-application-url-mapping")
+ mappings := secConfig.GlobalInfo.GetApiData()
+ if len(mappings) <= 0 {
+ return
+ }
 urlMappingBeen.Mappings = secConfig.GlobalInfo.GetApiData()
 _, err := sendEvent(urlMappingBeen, "", "")
 if err != nil {
From 7419c80edff77d4f5e6f87215ad5612c1f96d497 Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Tue, 26 Mar 2024 16:14:41 +0530
Subject: [PATCH 7/9] Update protobuf version
---
 instrumentation/csec_grpc/go.mod | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/instrumentation/csec_grpc/go.mod b/instrumentation/csec_grpc/go.mod
index bfee295..89fac08 100644
--- a/instrumentation/csec_grpc/go.mod
+++ b/instrumentation/csec_grpc/go.mod
@@ -3,9 +3,8 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_grpc
 go 1.17
 require (
-github.com/newrelic/csec-go-agent v1.0.0
 google.golang.org/grpc v1.58.3
- google.golang.org/protobuf v1.32.0
+ google.golang.org/protobuf v1.33.0
 github.com/golang/protobuf v1.5.3
 )
From c3d1a3104acc758c028be201a9aa303874ef56db Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Tue, 26 Mar 2024 16:25:37 +0530
Subject: [PATCH 8/9] Update changelog file
---
 Changelog.md | 9 +++++++++
 internal/security_utils/config.go | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 27b3249..fae1604 100644
--- a/Changelog.md
+++ b/Changelog.md
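Review bot: The hunk calls `GetApiData()` twice, once into `mappings` for the emptiness check and again for `urlMappingBeen.Mappings`, which takes the lock a second time and can send a different list than the one just checked if a registration lands in between. Assign the value already fetched, `urlMappingBeen.Mappings = mappings`, and since a slice length is never negative write the guard as `if len(mappings) == 0 { return }`. The end of sendUrlMappingEvent lies outside the hunk.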
@@ -1,5 +1,14 @@
 # Changelog
+## [v1.1.0] - 2024-03-26
+### Features
+* Functionality to report API endpoints of the application
+### Bug fixes
+* Updated permissions for file/directory created by security agent
+### Miscellaneous chores
+* Bumped google.golang.org/protobuf from v1.32.0 to v1.33.0
+* Improved logging.
+
 ## [v1.0.0] - 2024-02-07
 ### Changes
 * Added env variable to print logs on stdout.
diff --git a/internal/security_utils/config.go b/internal/security_utils/config.go
index 13dc552..5218d80 100644
--- a/internal/security_utils/config.go
+++ b/internal/security_utils/config.go
@@ -4,8 +4,8 @@ package security_utils
 const (
- CollectorVersion = "1.0.0"
+ CollectorVersion = "1.1.0"
 JsonVersion = "1.1.1"
 CollectorType = "GOLANG"
- BuildNumber = "157"
+ BuildNumber = "158"
 )
From 299212a2decbe4292d7ca49186c6bfbd5b520831 Mon Sep 17 00:00:00 2001
From: Aayush garg
Date: Tue, 26 Mar 2024 16:28:04 +0530
Subject: [PATCH 9/9] update agent version
---
 instrumentation/csec_grpc/go.mod | 1 +
 1 file changed, 1 insertion(+)
diff --git a/instrumentation/csec_grpc/go.mod b/instrumentation/csec_grpc/go.mod
index 89fac08..d27be12 100644
--- a/instrumentation/csec_grpc/go.mod
+++ b/instrumentation/csec_grpc/go.mod
@@ -3,6 +3,7 @@ module github.com/newrelic/csec-go-agent/instrumentation/csec_grpc
 go 1.17
 require (
+ github.com/newrelic/csec-go-agent v1.1.0
 google.golang.org/grpc v1.58.3
 google.golang.org/protobuf v1.33.0
 github.com/golang/protobuf v1.5.3