contrast-agent 3.8.4

data/lib/contrast/agent/patching/policy/policy.rb

@@ -0,0 +1,138 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'json'
+cs__scoped_require 'contrast'
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/agent/patching/policy/module_policy'
+cs__scoped_require 'contrast/agent/patching/policy/method_policy'
+
+module Contrast
+  module Agent
+    module Patching
+      module Policy
+        # This is just a holder for our policy. Takes the policy JSON and
+        # converts it into hashes that we can access nicely
+        # @abstract
+        class Policy
+          include Singleton
+          include Contrast::Components::Interface
+
+          # Indicates the folder in `resources` where this policy lives.
+          def self.policy_folder
+            raise(NotImplementedError, 'specify policy_folder for patching')
+          end
+
+          # Indicates is this feature has been disabled by the configuration,
+          # read at startup, and therefore can never be enabled.
+          def disabled_globally?
+            raise(NotImplementedError, 'specify disabled_globally? conditions for patching')
+          end
+
+          def node_type
+            raise(NotImplementedError, 'specify the concrete node type for this poilcy')
+          end
+
+          access_component :logging, :analysis
+
+          attr_accessor :providers, :tracked_classes
+          attr_reader :sources, :propagators, :triggers, :patched_names
+
+          SOURCES_KEY =          'sources'
+          PROPAGATION_KEY =      'propagators'
+          RULES_KEY = 'rules'
+          TRIGGERS_KEY = 'triggers'
+          TRACKED_CLASSES_KEY = 'tracked_classes'
+
+          def self.policy_json
+            File.join(policy_folder, 'policy.json').cs__freeze
+          end
+
+          def initialize
+            @sources = []
+            @propagators = []
+            @triggers = []
+            @providers = {}
+            @tracked_classes = []
+            @patched_names = Set.new
+
+            json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
+            from_hash_string(json)
+          end
+
+          # Our policy for patching rules is a 'dope ass' JSON file. Rather than
+          # hard code in a bunch of things to monkey patch, we let the JSON file
+          # define the conditions in which modifications are applied.
+          # This let's us be flexible and extensible.
+          def from_hash_string string
+            # The default behavior of the agent is to load the policy on startup,
+            # as at this point we do not know in which mode we'll be run.
+            #
+            # If the configuration file explicitly disables a feature, we know
+            # that we will not ever be able to enable it, so in that case, we
+            # can skip policy loading.
+            return if disabled_globally?
+
+            policy_data = JSON.parse(string)
+
+            policy_data[RULES_KEY].each do |rule_hash|
+              rule_hash[TRIGGERS_KEY].each do |trigger_hash|
+                trigger_node = node_type.new(trigger_hash, rule_hash)
+                add_node(trigger_node)
+              end
+            end
+          end
+
+          def add_node node, node_type = :trigger
+            unless node
+              logger.error(nil, 'Node was nil when adding node to policy')
+              return
+            end
+
+            begin
+              node.validate
+            rescue ArgumentError => e
+              logger.error(e, e.message)
+              return
+            end
+
+            case node_type
+            when :source
+              @sources << node
+            when :propagator
+              @propagators << node
+            when :trigger
+              @triggers << node
+            when :dynamic_source
+              module_names << node.class_name
+              @sources << node
+            else
+              logger.error(nil, "Invalid node_type: #{ node_type } provided when adding node to policy")
+            end
+          end
+
+          def module_names
+            @_module_names ||= begin
+              m = Set.new
+              tracked_classes.each { |tracked| m << tracked }
+              sources.each { |source| m << source.class_name }
+              propagators.each { |propagator| m << propagator.class_name }
+              triggers.each { |trigger| m << trigger.class_name }
+              m
+            end
+          end
+
+          def find_triggers_by_rule rule_id
+            triggers.select { |trigger| trigger.rule_id == rule_id }
+          end
+
+          def find_node rule_id, class_name, method_name, instance_method
+            find_triggers_by_rule(rule_id).find do |node|
+              node.class_name == class_name && node.method_name == method_name && node.instance_method == instance_method
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -0,0 +1,80 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Patching
+      module Policy
+        # This class functions to translate our policy.json into an actionable
+        # Ruby object, allowing for dynamic patching over hardcoded patching.
+        #
+        # @abstract
+        class PolicyNode
+          attr_accessor :class_name, :instance_method, :method_name, :method_visibility
+          attr_reader :properties
+
+          def node_class
+            raise NotImplementedError, 'specify the type of the feature for which this node patches'
+          end
+
+          def feature
+            raise NotImplementedError, 'specify the name of the feature for which this node patches'
+          end
+
+          def initialize policy_hash = {}
+            @class_name = policy_hash[JSON_CLASS_NAME]
+            @instance_method = policy_hash[JSON_INSTANCE_METHOD]
+            @method_name = policy_hash[JSON_METHOD_NAME]
+            @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
+            @properties = policy_hash[JSON_PROPERTIES]
+            symbolize
+          end
+
+          def id
+            @_id ||= "#{ feature }:#{ node_class }:#{ class_name }#{ instance_method? ? '#' : '.' }#{ method_name }"
+          end
+
+          # Don't let nodes be created that will be missing things we need
+          # later on. Really, if they don't have these things, they couldn't have
+          # done their jobs anyway.
+          def validate
+            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.") unless class_name
+            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper method name. Unable to create.") unless method_name
+            raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_name value. Unable to create.") unless method_name.is_a?(Symbol)
+            raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_visibility value. Unable to create.") unless method_visibility.is_a?(Symbol)
+          end
+
+          # just turns this into a ruby-ism
+          def instance_method?
+            instance_method
+          end
+
+          def private?
+            @method_visibility == :private
+          end
+
+          def public?
+            @method_visibility == :public
+          end
+
+          private
+
+          # Convert strings to symbols here, once, to avoid doing so on every
+          # comparison at runtime
+          def symbolize
+            @method_name = @method_name.to_sym if @method_name
+            @method_visibility = @method_visibility.to_sym if @method_visibility
+          end
+
+          # The keys used to read from policy.json to create the individual
+          # policy nodes. These are common across node types
+          JSON_CLASS_NAME = 'class_name'
+          JSON_INSTANCE_METHOD = 'instance_method'
+          JSON_METHOD_NAME = 'method_name'
+          JSON_METHOD_VISIBILITY = 'method_visibility'
+          JSON_PROPERTIES = 'properties'
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/patching/policy/policy_unpatcher.rb

@@ -0,0 +1,28 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/assess/class_reverter'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    module Patching
+      module Policy
+        # This is how we unpatch out of our customer's code. It provides a way
+        # to remove ourselves from those modules which have since had their
+        # definition of the patched method revoked, such as when running with
+        # FactoryBot
+        module PolicyUnpatcher
+          include Contrast::Components::Interface
+          access_component :logging
+
+          def self.revert_conflicting_patches
+            logger.debug_with_time("\t\tRunning reversions") do
+              Contrast::Agent::Assess::ClassReverter.unpatch!
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -0,0 +1,81 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/agent/patching/policy/policy_node'
+
+module Contrast
+  module Agent
+    module Patching
+      module Policy
+        # This class functions to translate our policy.json into an actionable
+        # Ruby object, allowing for dynamic patching over hardcoded patching,
+        # specifically for those methods which result in the trigger of an
+        # attack (indicate points in the application where uncontrolled user
+        # input attempted to or did do damage).
+        class TriggerNode < PolicyNode
+          JSON_NAME = 'name'
+          JSON_NODES = 'nodes'
+          JSON_APPLICATOR = 'applicator'
+          JSON_APPLICATOR_METHOD = 'applicator_method'
+          JSON_REQUIRED_PROPS = 'required_properties'
+          JSON_OPTIONAL_PROPS = 'optional_properties'
+          JSON_ON_EXCEPTION = 'on_exception'
+
+          attr_reader :rule_id
+          attr_accessor :applicator_method, :applicator, :on_exception, :required_properties, :optional_properties
+
+          def initialize trigger_hash = {}, rule_hash = {}
+            super(trigger_hash)
+            @rule_id = rule_hash[JSON_NAME]
+            @on_exception = rule_hash[JSON_ON_EXCEPTION] # returns nil in most cases
+            @required_properties = rule_hash[JSON_REQUIRED_PROPS]
+            @optional_properties = rule_hash[JSON_OPTIONAL_PROPS]
+            @applicator = class_from_string(rule_hash[JSON_APPLICATOR])
+            # if a unique applicator method is defined for this method (rare case), preference getting that one.
+            # otherwise, fall back to the normal applicator method for this rule
+            @applicator_method = (trigger_hash[JSON_APPLICATOR_METHOD] || rule_hash[JSON_APPLICATOR_METHOD]).to_sym
+          end
+
+          NODE = 'Trigger'
+          def node_class
+            NODE
+          end
+
+          def validate
+            super
+            unless applicator.public_methods(false).any? { |method| method == applicator_method }
+              raise(ArgumentError,
+                    "#{ id } did not have a proper applicator method: #{ applicator } does not respond to #{ applicator_method }. Unable to create.")
+            end
+            if (required_properties & optional_properties).any?
+              raise(ArgumentError, "#{ rule_id } had overlapping elements between required and optional properties. Unable to create.")
+            end
+            if (properties.keys - (required_properties | optional_properties)).any?
+              raise(ArgumentError, "#{ id } had an unexpected property. Unable to create.")
+            end
+            raise(ArgumentError, "#{ id } did not have a required property. Unable to create.") if (required_properties - properties.keys).any?
+
+            validate_rule
+          end
+
+          def validate_rule
+            raise(ArgumentError, 'Unknown rule did not have a proper name. Unable to create.') unless rule_id
+            raise(ArgumentError, "#{ id } did not have a proper applicator. Unable to create.") unless applicator
+            raise(ArgumentError, "#{ id } did not have a proper applicator method. Unable to create.") unless applicator_method
+            raise(ArgumentError, "#{ id } did not have a proper set of required properties. Unable to create.") unless required_properties
+            raise(ArgumentError, "#{ id } did not have a proper set of optional properties. Unable to create.") unless optional_properties
+          end
+
+          private
+
+          def class_from_string str
+            return unless str
+
+            Object.cs__const_get(str)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/policy.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/patching/policy/policy'
+
+# classes required by patches in the policy
+cs__scoped_require 'contrast/core_extensions/protect/applies_command_injection_rule'
+cs__scoped_require 'contrast/core_extensions/protect/applies_deserialization_rule'
+cs__scoped_require 'contrast/core_extensions/protect/applies_no_sqli_rule'
+cs__scoped_require 'contrast/core_extensions/protect/applies_path_traversal_rule'
+cs__scoped_require 'contrast/core_extensions/protect/applies_sqli_rule'
+cs__scoped_require 'contrast/core_extensions/protect/applies_xxe_rule'
+cs__scoped_require 'contrast/agent/protect/policy/trigger_node'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This is just a holder for our policy. Takes the policy JSON and
+        # converts it into hashes that we can access nicely
+        class Policy < Contrast::Agent::Patching::Policy::Policy
+          def self.policy_folder
+            'protect'
+          end
+
+          def disabled_globally?
+            PROTECT.forcibly_disabled?
+          end
+
+          def node_type
+            Contrast::Agent::Protect::Policy::TriggerNode
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/trigger_node.rb

@@ -0,0 +1,23 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/patching/policy/trigger_node'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This class functions to translate our policy.json into an actionable
+        # Ruby object, allowing for dynamic patching over hardcoded patching,
+        # specifically for those methods which result in the trigger of an
+        # attack (indicate points in the application where uncontrolled user
+        # input can do damage).
+        class TriggerNode < Contrast::Agent::Patching::Policy::TriggerNode
+          def feature
+            'Protect'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule.rb

@@ -0,0 +1,58 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      # This is the base module for our assess rule classes. It is intended to
+      # facilitate the patching of the application for Protect functionality.
+      # Any class under this namespace should be required here, providing a
+      # single point of require for this functionality.
+      module Rule
+      end
+    end
+  end
+end
+
+# The classes required for All Rasp Rules
+cs__scoped_require 'contrast/agent/protect/rule/base'
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
+# The classes required for the XSS Rasp Rule
+cs__scoped_require 'contrast/agent/protect/rule/xss'
+
+# The classes required for the SQLI
+cs__scoped_require 'contrast/agent/protect/rule/default_scanner'
+cs__scoped_require 'contrast/agent/protect/rule/sqli'
+cs__scoped_require 'contrast/agent/protect/rule/sqli/default_sql_scanner'
+cs__scoped_require 'contrast/agent/protect/rule/sqli/mysql_sql_scanner'
+cs__scoped_require 'contrast/agent/protect/rule/sqli/postgres_sql_scanner'
+cs__scoped_require 'contrast/agent/protect/rule/sqli/sqlite_sql_scanner'
+
+# The classes required for Path Traversal
+cs__scoped_require 'contrast/agent/protect/rule/path_traversal'
+
+# The classes required for Command Injection
+cs__scoped_require 'contrast/agent/protect/rule/cmd_injection'
+
+# The classes required for CSRF
+cs__scoped_require 'contrast/agent/protect/rule/csrf'
+cs__scoped_require 'contrast/agent/protect/rule/csrf/csrf_evaluator'
+cs__scoped_require 'contrast/agent/protect/rule/csrf/csrf_token_injector'
+
+# The classes required for XXE
+cs__scoped_require 'contrast/agent/protect/rule/xxe'
+cs__scoped_require 'contrast/agent/protect/rule/xxe/entity_wrapper'
+
+# The classes required for Untrusted Deserialization
+cs__scoped_require 'contrast/agent/protect/rule/deserialization'
+
+# The classes required for the NoSQLi
+cs__scoped_require 'contrast/agent/protect/rule/no_sqli'
+cs__scoped_require 'contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner'
+
+# The classes required for Http Method Tampering
+cs__scoped_require 'contrast/agent/protect/rule/http_method_tampering'
+
+# The classes required for Unsafe File Upload
+cs__scoped_require 'contrast/agent/protect/rule/unsafe_file_upload'