contrast-agent 3.8.4

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -0,0 +1,73 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Provider
+          # Determine if there are any passwords hardcoded into the sourcecode
+          # of the application. A constant is a password if:
+          # 1) the name contains a PASSWORD_FIELD_NAMES value
+          # 2) the name does not contain a NON_PASSWORD_PARTIAL_NAMES value
+          # 3) the value is a String
+          # 4) the value is not solely alphanumeric and '.' or '_' * note that
+          #     mixing the characters counts as a violation of this rule
+          class HardcodedPassword
+            include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
+
+            NAME = 'hardcoded-password'
+            def rule_id
+              NAME
+            end
+
+            # These are names, determined by the security team (Matt & Ar), that
+            # indicate a field is likely to be a password or secret token of some
+            # sort.
+            PASSWORD_FIELD_NAMES = %w[PASSWORD PASSKEY PASSPHRASE SECRET].cs__freeze
+
+            # These are markers whose presence indicates that a field is more
+            # likely to be a descriptor or requirement than an actual password.
+            # We should ignore fields that contain them.
+            NON_PASSWORD_PARTIAL_NAMES = %w[DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE URI].cs__freeze
+
+            # If the constant looks like a password and it doesn't look like a
+            # password descriptor, it passes for this rule
+            def name_passes? constant_string
+              PASSWORD_FIELD_NAMES.any? { |name| constant_string.index(name) } &&
+                  NON_PASSWORD_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
+            end
+
+            # If the value is a string, it passes for this rule
+            def value_type_passes? value
+              value.is_a?(String)
+            end
+
+            # If the value probably isn't a property name, it passes for this
+            # rule
+            def value_passes? value
+              !probably_property_name?(value)
+            end
+
+            # If a field name matches an expected password field, we'll check it's
+            # value to see if it looks like a placeholder. For our purposes,
+            # placeholders will be any non-empty String conforming to the patterns
+            # below. We do combine the patterns with [\._] as in Ruby these two
+            # characters are probably more likely to appear together in a
+            # default placeholder than in a password. Note this is opposite of
+            # the behavior in Java
+            PROPERTY_NAME_PATTERN = /^[a-z]+[\.\_][\.\_a-z]*[a-z]+$/.cs__freeze
+            def probably_property_name? value
+              value.match?(PROPERTY_NAME_PATTERN)
+            end
+
+            REDACTED_MARKER = ' = "**REDACTED**"'
+            def redacted_marker
+              REDACTED_MARKER
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -0,0 +1,121 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/core_extensions/module'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Provider
+          # Hardcoded rules detect if any secret value has been written directly into the
+          # sourcecode of the application. To use this base class, a provider must
+          # implement four methods
+          # 1) name_passes? : does the constant name match a given value set
+          # 2) value_type_passes? : does the type of the value of the constant match the
+          #    type given
+          # 3) value_passes? : does the value of the constant match a given value set
+          # 4) redacted_marker : the value to plug in for the obfuscated value
+          module HardcodedValueRule
+            include Contrast::Components::Interface
+            access_component :contrast_service, :logging, :analysis
+
+            def disabled?
+              !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
+            end
+
+            COMMON_CONSTANTS = %i[
+              CONTRAST_ASSESS_POLICY_STATUS
+              VERSION
+            ].cs__freeze
+            def analyze clazz
+              return if disabled?
+
+              # we only want the constants explicitly defined in this class, not
+              # those of its ancestor(s)
+              constants = clazz.cs__constants(false)
+
+              # if there are no constants, let's just leave
+              return unless constants&.any?
+
+              constants.each do |constant|
+                next if COMMON_CONSTANTS.include?(constant)
+
+                # if this class autoloads its constant, get the hell away from it
+                # I mean it! Don't even think about it.
+                #
+                # Autoload means this constant (usually [always?] a class or
+                # module) won't be required until something in the application
+                # tries to load it. We CANNOT be that thing. We'll just have to
+                # wait until it's loaded, at which point we'll be handed it
+                # again.
+                next if clazz.cs__autoload?(constant)
+
+                # constant comes to us as a symbol. that sucks. we need to do
+                # some string methods on it, so stringify it.
+                constant_string = constant.to_s
+
+                # if this is another class or a module, move on
+                next unless constant_name?(constant_string)
+
+                next unless name_passes?(constant_string)
+
+                value = clazz.cs__const_get(constant, false)
+
+                # if the constant isn't holding a string, skip it
+                next unless value_type_passes?(value)
+
+                # if it looks like a placeholder / pointer to a config, skip it
+                next unless value_passes?(value)
+
+                report_finding(clazz, constant_string)
+              end
+            end
+
+            # Constants can be variable or classes defined in the given
+            # class. We ONLY want the variables, which should be defined in
+            # the MACRO_CASE (upper case & underscore format)
+            CONSTANT_NAME_PATTERN = /^[A-Z_]+$/.cs__freeze
+            def constant_name? constant
+              constant.match?(CONSTANT_NAME_PATTERN)
+            end
+
+            # The name of the field
+            CONSTANT_NAME_KEY = 'name'
+            # The code line, recreated, with the password obfuscated
+            CODE_SOURCE_KEY = 'codeSource'
+            # The constant name
+            SOURCE_KEY = 'source'
+
+            def report_finding clazz, constant_string
+              class_name = clazz.cs__name
+
+              finding = Contrast::Api::Dtm::Finding.new
+              finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
+              finding.session_id = Contrast::Agent::FeatureState.instance.current_session_id
+
+              finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
+
+              finding.properties[SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(class_name)
+              finding.properties[CONSTANT_NAME_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string)
+              finding.properties[CODE_SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
+
+              hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
+              finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)
+              finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
+
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.finding_tags = Contrast::Utils::StringUtils.protobuf_safe_string(ASSESS.tags)
+              activity.findings << finding
+
+              CONTRAST_SERVICE.queue_message activity
+            rescue StandardError => e
+              logger.error(e, 'Unable to build a finding for Hardcoded Rule')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/redos.rb

@@ -0,0 +1,68 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        # A regexp is only vulnerable to REDOS if it's going to run
+        # with pathologically bad performance.
+        # We report a vulnerability if the regexp is liable to run
+        # with quadratic time for some input.
+        # This vastly errs on the side of false positives.
+        class Redos < Contrast::Agent::Assess::Rule::Base
+          class << self
+            NAME = 'redos'
+            def name
+              NAME
+            end
+
+            def regexp_complexity_check context, trigger_node, source, object, ret, invoked, *args
+              # we can arrive here either from:
+              #   regexp =~ string
+              #   string =~ regexp
+              #   regexp.match string
+              #
+              # so object/args[0] can be string/regexp or regexp/string.
+              regexp = object.is_a?(Regexp) ? object : args[0]
+              string = object.is_a?(String) ? object : args[0]
+
+              # (1) regexp must be exploitable
+              return unless regexp_vulnerable?(regexp)
+
+              # (2) regexp must evaluate against user input
+              if trigger_node.violated?(string) # rubocop:disable Style/GuardClause
+                Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, invoked + 1, args)
+              end
+            end
+
+            protected
+
+            VULNERABLE_PATTERN = /[\[(].*?[\[(].*?[\])][*+?].*?[\])][*+?]/.cs__freeze
+
+            # Does the regexp
+            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
+            def regexp_vulnerable? regexp
+              # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
+              # A level is defined as any set of opening and closing control characters immediately followed by a multi match control character.
+              # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS,
+              # or MULTI_MATCH_CHARS that is not immediately preceded by an escaping \ character.
+              # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
+
+              # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back
+              # (in the sense of `my_str == Regexp.new(my_str).to_s`), it gives you a Regexp that
+              # will have the same functional characteristics as the original.
+              # Regexp#inspect gives you a "more nicely formatted" version than #to_s.
+              # Regexp#source will give you the original source.
+              # TODO RUBY-683, would we ever get a hit on one but not the other?
+
+              # Use #match? because it doesn't fill out global variables
+              # in the way match or =~ do.
+              VULNERABLE_PATTERN.match? regexp.source
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response_scanning_rule.rb

@@ -0,0 +1,47 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        # Those rules which function by scanning the Response body in order to
+        # detect vulnerabilities. These rules should each have their own
+        # Contrast::Agent::Assess::RuleResponseWatcher.
+        #
+        # Note: Most have been moved to the Service, as they typically watch
+        #   the Request or Response bodies, parsing out vulnerabilities
+        #   therein. CSRF is an exception to this as the rule requires a change
+        #   to the Response body to function.
+        class ResponseScanningRule < Contrast::Agent::Assess::Rule::Base
+          def watcher
+            # raise(
+            #     NotImplementedError,
+            #     'A child rule should have overridden the watcher method')
+          end
+
+          def stream_safe?
+            false
+          end
+
+          def generate_hash finding
+            Contrast::Utils::HashDigest.generate_response_hash(finding)
+          end
+
+          def postfilter context
+            findings = watcher.postfilter(context) if watcher && context
+            return unless findings
+
+            if findings.is_a?(Array)
+              findings.each do |finding|
+                send_report(finding) if finding
+              end
+            else
+              send_report(findings)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response_watcher.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        # A watcher focused on the Response body, parsing out vulnerabilities
+        # therein.
+        #
+        # Note: Most have been moved to the Service, as they typically watch
+        #   the Request or Response bodies, parsing out vulnerabilities
+        #   therein. CSRF is an exception to this as the rule requires a change
+        #   to the Response body to function.
+        class ResponseWatcher < Contrast::Agent::Assess::Rule::Watcher
+          def postfilter context
+            return unless supports?(context)
+            return unless vulnerable?(context)
+
+            build_finding(context)
+          end
+
+          def vulnerable? _context
+            raise(
+                NotImplementedError,
+                'A child rule should have overridden the vulnerable? method')
+          end
+
+          def build_finding _context
+            Contrast::Api::Dtm::Finding.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/watcher.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        # Watchers are how those Rules which do not act on dataflow function.
+        #
+        # Note: Most have been moved to the Service, as they typically watch
+        #   the Request or Response bodies, parsing out vulnerabilities
+        #   therein. CSRF is an exception to this as the rule requires a change
+        #   to the Response body to function.
+        class Watcher
+          def supports? context
+            return false if context.request.static_request?
+            return false unless context.response
+            return false if undesired_response_code? context.response.response_code
+            return false if undesired_response_type? context.response.content_type
+
+            true
+          end
+
+          UNDESIRED_RESPONSE_CODES = [301, 302, 307, 404, 410, 500].cs__freeze
+          def undesired_response_code? code
+            UNDESIRED_RESPONSE_CODES.include?(code)
+          end
+
+          def undesired_response_type? _type
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/tag.rb

@@ -0,0 +1,151 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      # A Tag represents a range in a given piece of data. It is used by the
+      # Agent to determine if a vulnerable dataflow has occurred.
+      class Tag
+        attr_reader :length,    # length of tagged text within string
+                    :start_idx, # start of range
+                    :end_idx    # end of range (calculated from start + length)
+
+        # Initialize a new tag
+        # length : the length of the string described with this tag
+        # start_idx : (default: 0) the starting position in the string for this tag
+        def initialize length, start_idx = 0
+          update_range(start_idx, start_idx + length)
+        end
+
+        # Return true if the tag covers the given position in the string
+        def covers? idx
+          idx >= start_idx && idx < end_idx
+        end
+
+        # Return true if the tag is above the given position in the string
+        def above? idx
+          idx < start_idx
+        end
+
+        # Return the range that this tag covers
+        def range
+          start_idx...end_idx
+        end
+
+        # Return if a given tag overlaps this one
+        def overlaps? other
+          return true if @start_idx <  other.start_idx && @end_idx >= other.start_idx  # we start below other & end in it
+          return true if @start_idx >= other.start_idx && @end_idx <= other.end_idx    # we start and end in other
+          return true if @start_idx <= other.end_idx   && @end_idx >  other.end_idx    # we start in other & end above it
+        end
+
+        def shift idx
+          update_range(@start_idx + idx, @end_idx + idx)
+        end
+
+        def shift_end idx
+          update_range(@start_idx, @end_idx + idx)
+        end
+
+        def update_start start_idx
+          update_range(start_idx, @end_idx)
+        end
+
+        def update_end end_idx
+          update_range(@start_idx, end_idx)
+        end
+
+        def repurpose start_idx, end_idx
+          update_range(start_idx, end_idx)
+        end
+
+        # Given a tag, merge its ranges with this one
+        # such that the lowest start and highest end
+        # become the values of this tag
+        #
+        # Returns true if the other tag was merged into
+        # this tag
+        def merge other
+          return unless overlaps?(other)
+
+          start = other.start_idx < @start_idx ? other.start_idx : @start_idx
+          finish = other.end_idx > @end_idx ? other.end_idx : @end_idx
+          update_range(start, finish)
+        end
+
+        # Modification to tracked String can change the position and length of the tracked tag
+        # shift : negative value moves left
+        def copy_modified shift
+          start = start_idx + shift
+          # Tags cannot start below 0
+          new_start_idx = start >= 0 ? start : 0
+          # If a tag were to go negative, cut off the negative portion from length
+          new_length = start >= 0 ? length : (length + start)
+          Contrast::Agent::Assess::Tag.new(new_length, new_start_idx)
+        end
+
+        def str_val
+          @_str_val ||= "[#{ start_idx },#{ end_idx }]"
+        end
+        alias_method :to_s, :str_val
+
+        BELOW = 'BELOW'
+        LOW_SPAN = 'LOW_SPAN'
+        WITHIN = 'WITHIN'
+        WITHOUT = 'WITHOUT'
+        HIGH_SPAN = 'HIGH_SPAN'
+        ABOVE = 'ABOVE'
+
+        # The tag is ______ the range
+        # rrrrrrr == self.range, the range of the tag
+        def compare_range start, stop
+          # r starts and stops below
+          # rrrrrrrrrrrrr
+          #               start       stop
+          return BELOW     if @start_idx <  start && @end_idx <= start
+          # r starts below and finishes within
+          # rrrrrrrrrrrrr
+          #    start       stop
+          return LOW_SPAN  if @start_idx <  start && @end_idx > start && @end_idx <= stop
+          # r is between start and stop
+          #        rrrrrrrrrrrrrrr
+          # start                   stop
+          return WITHIN    if @start_idx >= start && @start_idx < stop && @end_idx <= stop
+          # r starts below and finishes above stop
+          #  rrrrrrrrrrrrrrrrrrrrrrrr
+          #     start       stop
+          return WITHOUT   if @start_idx <  start && @end_idx > stop
+          # r starts within and finishes above stop
+          #           rrrrrrrrrrrrr
+          #   start       stop
+          return HIGH_SPAN if @start_idx >= start && @start_idx < stop && @end_idx > stop
+
+          # starts and stops above
+          #                   rrrrrrrrrrrrr
+          #  start       stop
+          ABOVE
+        end
+
+        private
+
+        # Update range should be how start and end index of tags are changed,
+        # as it includes validation
+        #
+        # Note that we allow start_idx == end_idx b/c this is how we determine
+        # if a tag range is 'covered' in trigger detection
+        ERROR_NEGATIVE_START = 'Unable to set start idx negative'
+        ERROR_END_BEFORE_START = 'Unable to set start idx after end idx'
+        def update_range start_idx, end_idx
+          raise(ArgumentError, ERROR_NEGATIVE_START) if start_idx.negative?
+          raise(ArgumentError, ERROR_END_BEFORE_START) if end_idx < start_idx
+
+          @start_idx = start_idx
+          @end_idx = end_idx
+          @length = @end_idx - @start_idx
+          @_str_val = nil
+        end
+      end
+    end
+  end
+end