contrast-agent 3.8.4 → 6.9.0

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

@@ -0,0 +1,97 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/deserialization'
+require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Deserialization rule. It is called from
+        # our patches of the targeted methods in which deserialization occurs.
+        # It is responsible for deciding if the infilter methods of the rule
+        # should be invoked.
+        module AppliesDeserializationRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            # Calls the actual rule for this applicator, if required. Most rules
+            # invoke this from within their apply_rule method after doing
+            # whatever transformations they need to get into this common format.
+            #
+            # @param _method [Symbol] the name of the method for which this rule
+            #   is invoked
+            # @param _exception [Exception] any exception raised; used for rules
+            #   like Padding Oracle Attack (now defunct), which determine if the
+            #   number and type of exceptions are an attack
+            # @param _properties [Hash] set of extra information provided by the
+            #   applicator in an attempt to build a better story for the user
+            # @param _object [Object] the thing on which the triggering method
+            #   was invoked
+            # @param args [Array<Object>] the arguments passed to the triggering
+            #   method at invocation
+            def invoke _method, _exception, _properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
+              # add rescue here
+            end
+
+            # Calls the actual rule for this applicator, if required, when the
+            # triggering method is called from Marshal.load when it has been
+            # prepended.
+            #
+            # @param arg [Object] the argument passed to the triggering method
+            #   at invocation
+            def prepended_invoke arg
+              return unless arg&.cs__is_a?(String)
+              return if skip_analysis?
+
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, arg)
+              # add rescue here
+            end
+
+            # Allow the rule to check if the given input is an attempt to
+            # deserialize something in a way that will result in a command
+            # execution
+            #
+            # @param command [String] user input that potentially contains a
+            #   Gadget, a Module that results in code execution on
+            #   deserialization, and some form of command.
+            def apply_deserialization_command_check command
+              return unless command
+              return if skip_analysis?
+
+              rule.check_command_scope(command)
+              # add rescue here
+            end
+
+            protected
+
+            def rule_name
+              Contrast::Agent::Protect::Rule::Deserialization::NAME
+            end
+
+            private
+
+            # Determine if the rule would care about the arguments passed in
+            # this method invocation. Required b/c Ruby doesn't do type
+            # checking on its method signatures.
+            #
+            # @param args [Array<Object>] the arguments provided to the
+            #   instrumented method
+            # @return [Boolean]
+            def valid_input? args
+              return false unless args&.any?
+
+              input = args[0]
+              input.cs__is_a?(String)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -0,0 +1,69 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the NoSQL Injection rule. It is called from
+        # our patches of the targeted methods in which the execution of String
+        # based NoSQL queries occur. It is responsible for deciding if the
+        # infilter methods of the rule should be invoked.
+        module AppliesNoSqliRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+          DATABASE_NOSQL = 'MongoDB'
+          class << self
+            def invoke method, _exception, properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+
+              database = properties['database']
+              operations = args[0]
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if operations.is_a?(Array)
+                operations.each do |m|
+                  handle_operation(context, database, method, m)
+                end
+              else
+                handle_operation(context, database, method, operations)
+              end
+            end
+
+            protected
+
+            def rule_name
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            end
+
+            private
+
+            def valid_input? args
+              return false unless args
+              return false unless args.cs__is_a?(Array) && args.any?
+
+              args[0]
+            end
+
+            def handle_operation context, database, _action, operation
+              data = extract_mongo_data(operation)
+              return unless data && !data.empty?
+
+              rule.infilter(context, database, data)
+            end
+
+            def extract_mongo_data operation
+              if operation.cs__respond_to?(:selector)
+                operation.selector
+              elsif operation.cs__respond_to?(:documents)
+                operation.documents
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -0,0 +1,138 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
+require 'contrast/agent/protect/policy/rule_applicator'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Path Traversal rule. It is called from
+        # our patches of the targeted methods in which File or IO access occur.
+        # It is responsible for deciding if the infilter methods of the rule
+        # should be invoked.
+        module AppliesPathTraversalRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def invoke method, _exception, properties, object, args
+              return unless args&.any?
+
+              path = args[0]
+              return unless path.is_a?(String)
+              return if skip_analysis?
+
+              action = properties['action']
+              write_marker = write?(action, *args)
+              possible_write = write_marker && possible_write?(write_marker)
+
+              # Invoke semantic rules from here, not in a separate protect policy
+              invoke_semantic_rules(path, possible_write, object, method)
+              path_traversal_rule(path, possible_write, object, method)
+
+              # If the action was copy, we need to handle the write half of it.
+              # We handled read in line above.
+              return unless action == COPY
+              return unless args.length > 1
+
+              dst = args[1]
+              return unless dst.is_a?(String)
+
+              invoke_semantic_rules(dst, true, object, method)
+              path_traversal_rule(dst, true, object, method)
+            end
+
+            protected
+
+            def rule_name
+              Contrast::Agent::Protect::Rule::PathTraversal::NAME
+            end
+
+            private
+
+            def possible_write? input
+              input.cs__respond_to?(:to_s) && input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
+            end
+
+            READ = 'read'
+            WRITE = 'write'
+            COPY = 'copy'
+            def write? action, *args
+              return false if action == READ
+              return false if action == COPY
+              return true if action == WRITE
+
+              write_marker = args.length > 1 ? args[1] : nil
+              write_marker && possible_write?(write_marker)
+            end
+
+            # @raise [Contrast::SecurityException] re-raises if some attack is blocked and raised from the infilter
+            def path_traversal_rule path, possible_write, object, method
+              return unless applies_to?(path, possible_write: possible_write)
+
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
+            rescue Contrast::SecurityException => e
+              raise(e)
+            rescue StandardError => e
+              logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
+            end
+
+            # @raise [Contrast::SecurityException] re-raises if some attack is blocked and raised from the infilter
+            def invoke_semantic_rules path, possible_write, object, method
+              return unless applies_to?(path, possible_write: possible_write)
+
+              rule.sub_rules.each do |sub_rule|
+                sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
+              end
+            rescue Contrast::SecurityException => e
+              raise(e)
+            rescue StandardError => e
+              logger.error('Error applying path traversal semantic rule', e,
+                           module: object.cs__class.cs__name,
+                           method: method)
+            end
+
+            CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
+            def safer_abs_paths
+              @_safer_abs_paths ||= begin
+                pwd = ENV['PWD']
+                if pwd
+                  tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
+                  gems = ENV['GEM_PATH']
+                  tmp += gems.split(Contrast::Utils::ObjectShare::COLON) if gems
+                  tmp.map!(&:downcase)
+                  tmp
+                else
+                  []
+                end
+              end
+            end
+
+            def applies_to? path, possible_write: false
+              # any possible write is a potential risk
+              return true if possible_write
+
+              # any path that moves 'up' is a potential risk
+              return true if path.index(Contrast::Utils::ObjectShare::PARENT_PATH)
+
+              path = path.downcase
+              if path.start_with?(Contrast::Utils::ObjectShare::SLASH)
+                safer_abs_paths.each do |prefix|
+                  return false if path.start_with?(prefix)
+                end
+              else
+                CS__SAFER_REL_PATHS.each do |prefix|
+                  return false if path.start_with?(prefix)
+                end
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -0,0 +1,55 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/sqli'
+require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the SQL Injection rule. It is called from
+        # our patches of the targeted methods in which the execution of String
+        # based SQL queries occur. It is responsible for deciding if the infilter
+        # methods of the rule should be invoked.
+        class AppliesSqliRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          DATABASE_MYSQL =    'MySQL'
+          DATABASE_SQLITE =   'SQLite3'
+          DATABASE_PG =       'PostgreSQL'
+
+          class << self
+            def invoke _method, _exception, properties, _object, args
+              database = properties['database']
+              return unless database
+
+              index = properties[Contrast::Utils::ObjectShare::INDEX]
+              return unless valid_input?(index, args)
+              return if skip_analysis?
+
+              sql = args[index]
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
+              rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
+            end
+
+            protected
+
+            def rule_name
+              Contrast::Agent::Protect::Rule::Sqli::NAME
+            end
+
+            private
+
+            def valid_input? index, args
+              return false unless args && args.length > index
+
+              sql = args[index]
+              sql && !sql.empty?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -0,0 +1,125 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/xxe'
+require 'contrast/agent/protect/policy/rule_applicator'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the XXE rule. It is called from our patches
+        # of the targeted methods in which XML parsing and entity resolution
+        # occurs. It is responsible for deciding if the infilter methods of the
+        # rule should be invoked.
+        module AppliesXxeRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def apply_rule method, _exception, _properties, object, args
+              xml = args[0]
+              xxe_check(method, xml, object)
+            end
+
+            # IO is tricky. If we can't rewind it, we can't fix it back to the
+            # original state. To be safe, we'll skip non-rewindable IO objects.
+            def apply_rule__io method, _exception, _properties, object, args
+              need_rewind = false
+              potential_xml = args[0]
+              return unless potential_xml.cs__respond_to?(:rewind)
+
+              xml = potential_xml.read
+              need_rewind = true
+              xxe_check(method, xml, object)
+            ensure
+              potential_xml.rewind if need_rewind
+            end
+
+            # Oga's Lexer is a special case b/c the information we need is on the
+            # object itself -- specifically in the @data instance variable
+            def apply_rule__lexer method, _exception, _properties, object, _args
+              return unless valid_data_input?(object)
+
+              data = object.instance_variable_get(DATA_KEY)
+              xxe_check(method, data, object)
+            ensure
+              data.rewind if data&.cs__respond_to?(:rewind)
+            end
+
+            protected
+
+            def rule_name
+              Contrast::Agent::Protect::Rule::Xxe::NAME
+            end
+
+            private
+
+            DATA_KEY = :@data
+            def valid_data_input? object
+              object.instance_variable_defined?(DATA_KEY) && object.instance_variable_get(DATA_KEY)
+            end
+
+            NOKOGIRI_MARKER = 'Nokogiri::'
+            PARSER_NOKOGIRI = 'Nokogiri'
+            OX_MARKER = 'Ox' # breaks marker pattern b/c Ox is entire classname
+            PARSER_OX = 'Ox'
+            OGA_MARKER = 'Oga::'
+            PARSER_OGA = 'Oga'
+            # Given an object, determine the XML parser type that it represents.
+            #
+            # @param object[Object] the parsing instance or Module
+            # @return [String] the name of the parser
+            def determine_parser object
+              clazz = object.is_a?(Module) ? object : object.cs__class
+              name = clazz.cs__name
+
+              if name.start_with?(NOKOGIRI_MARKER)
+                PARSER_NOKOGIRI
+              elsif name.start_with?(OX_MARKER)
+                PARSER_OX
+              elsif name.start_with?(OGA_MARKER)
+                PARSER_OGA
+              end
+            end
+
+            # Given an xml, convert it to a String and pass it to the rule for
+            # analysis.
+            #
+            # @param method [Symbol] the name of the method doing this work.
+            # @param xml [Object] the container of the XML to be checked.
+            # @param potential_parser [Object] the entity that may be an XML
+            #   parser.
+            # @raise [Contrast::SecurityException] Security exception if an XXE
+            #   attack is found and the rule is in block mode.
+            def xxe_check method, xml, potential_parser
+              return if skip_analysis?
+              return unless xml
+
+              parser = determine_parser(potential_parser)
+              return unless parser
+
+              if xml.cs__is_a?(String)
+                rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, parser, xml)
+              elsif xml.cs__respond_to?(:each_line)
+                xml.each_line do |line|
+                  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, parser, line)
+                end
+              elsif xml.cs__respond_to?(:each)
+                xml.each do |chunk|
+                  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, parser, chunk)
+                end
+              end
+            rescue Contrast::SecurityException => e
+              raise(e)
+            rescue StandardError => e
+              parser ||= Contrast::Utils::ObjectShare::UNKNOWN
+              logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,
+                                                    parser: parser)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/policy.rb

@@ -1,16 +1,16 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/policy'
+require 'contrast/agent/patching/policy/policy'
 
 # classes required by patches in the policy
-cs__scoped_require 'contrast/core_extensions/protect/applies_command_injection_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_deserialization_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_no_sqli_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_path_traversal_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_sqli_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_xxe_rule'
-cs__scoped_require 'contrast/agent/protect/policy/trigger_node'
+require 'contrast/agent/protect/policy/applies_command_injection_rule'
+require 'contrast/agent/protect/policy/applies_deserialization_rule'
+require 'contrast/agent/protect/policy/applies_no_sqli_rule'
+require 'contrast/agent/protect/policy/applies_path_traversal_rule'
+require 'contrast/agent/protect/policy/applies_sqli_rule'
+require 'contrast/agent/protect/policy/applies_xxe_rule'
+require 'contrast/agent/protect/policy/trigger_node'
 
 module Contrast
   module Agent
@@ -24,7 +24,7 @@ module Contrast
           end
 
           def disabled_globally?
-            PROTECT.forcibly_disabled?
+            ::Contrast::PROTECT.forcibly_disabled?
           end
 
           def node_type

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -0,0 +1,102 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is the base of our Protect Applicators. It lays out the
+        # form of the Applicator, which will override specific implementations
+        # in order to properly invoke its Rule.
+        module RuleApplicator
+          include Contrast::Components::Logger::InstanceMethods
+
+          # Calls the actual invocation for this applicator, if required. Will
+          # attempt to transform the data as required prior to invocation and
+          # provides a common interface for those rules that have the same
+          # implementation regardless of the method patched.
+          #
+          # For those methods with different transformations depending on the
+          # method instrumented, variations of this method, including an
+          # indication of for which instrumented method they apply, will exist.
+          #
+          # @param method [Symbol] the name of the method for which this rule
+          #   is invoked
+          # @param exception [Exception] any exception raised; used for rules
+          #   like Padding Oracle Attack (now defunct), which determine if the
+          #   number and type of exceptions are an attack
+          # @param properties [Hash] set of extra information provided by the
+          #   applicator in an attempt to build a better story for the user
+          # @param object [Object] the thing on which the triggering method was
+          #   invoked
+          # @param args [Array<Object>] the arguments passed to the triggering
+          #   method at invocation
+          # @raise [Contrast::SecurityException] on block, will pass the
+          #   exception from the rule
+          def apply_rule method, exception, properties, object, args
+            invoke(method, exception, properties, object, args)
+          rescue Contrast::SecurityException => e
+            raise(e)
+          rescue StandardError => e
+            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
+                                                           rule: rule_name)
+          end
+
+          protected
+
+          # Calls the actual rule for this applicator, if required. Most rules
+          # invoke this from within their apply_rule method after doing
+          # whatever transformations they need to get into this common format.
+          #
+          # @param _method [Symbol] the name of the method for which this rule
+          #   is invoked
+          # @param _exception [Exception] any exception raised; used for rules
+          #   like Padding Oracle Attack (now defunct), which determine if the
+          #   number and type of exceptions are an attack
+          # @param _properties [Hash] set of extra information provided by the
+          #   applicator in an attempt to build a better story for the user
+          # @param _object [Object] the thing on which the triggering method
+          #   was invoked
+          # @param _args [Array<Object>] the arguments passed to the triggering
+          #   method at invocation
+          # @raise [NoMethodError] This is abstract method
+          def invoke _method, _exception, _properties, _object, _args
+            raise(NoMethodError, 'This is abstract, override it.')
+          end
+
+          # The name of the rule, as expected by the Contrast UI.
+          #
+          # @return [String]
+          # @raise [NoMethodError] This is abstract method
+          def rule_name
+            raise(NoMethodError, 'This is abstract, override it.')
+          end
+
+          # The rule for which this applicator applies. It'll be a concrete
+          # sub-class of Contrast::Agent::Protect::Rule::Base, found based on
+          # the value of Contrast::Agent::Protect::Policy::RuleApplicator#name.
+          #
+          # @return [Contrast::Agent::Protect::Rule::Base]
+          def rule
+            ::Contrast::PROTECT.rule(rule_name)
+          end
+
+          # Should we skip analysis for this rule for this method invocation?
+          # This allows us to short circuit in those cases for which the rule
+          # will not apply.
+          #
+          # @return [Boolean]
+          def skip_analysis?
+            context = Contrast::Agent::REQUEST_TRACKER.current
+            return true unless context&.app_loaded?
+            return true unless rule&.enabled?
+
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/trigger_node.rb

@@ -1,7 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/trigger_node'
+require 'contrast/agent/patching/policy/trigger_node'
 
 module Contrast
   module Agent