contrast-agent 3.9.0 → 3.11.0

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -15,8 +15,8 @@ module Contrast
           include Contrast::Components::Interface
           access_component :scope
 
-          attr_accessor :class_name, :instance_method, :method_name, :method_scope, :method_visibility
-          attr_reader :properties
+          attr_accessor :class_name, :instance_method, :method_name, :method_visibility
+          attr_reader :properties, :method_scope
 
           def node_class
             raise NotImplementedError, 'specify the type of the feature for which this node patches'
@@ -60,14 +60,6 @@ module Contrast
             instance_method
           end
 
-          def private?
-            @method_visibility == :private
-          end
-
-          def public?
-            @method_visibility == :public
-          end
-
           private
 
           # Convert strings to symbols here, once, to avoid doing so on every

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -15,16 +15,13 @@ module Contrast
         # input attempted to or did do damage).
         class TriggerNode < PolicyNode
           JSON_NAME = 'name'
-          JSON_NODES = 'nodes'
           JSON_APPLICATOR = 'applicator'
           JSON_APPLICATOR_METHOD = 'applicator_method'
           JSON_REQUIRED_PROPS = 'required_properties'
           JSON_OPTIONAL_PROPS = 'optional_properties'
-          JSON_SCOPE = 'scope'
           JSON_ON_EXCEPTION = 'on_exception'
 
-          attr_reader :rule_id
-          attr_accessor :applicator_method, :applicator, :on_exception, :required_properties, :optional_properties
+          attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties, :rule_id
 
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)

data/lib/contrast/agent/protect/rule/base.rb

@@ -14,14 +14,13 @@ module Contrast
         class Base
           include Contrast::Components::Interface
 
-          access_component :logging, :analysis, :settings, :scope
+          access_component :analysis, :logging, :scope, :settings
 
           UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
             user_input.input_type = :UNKNOWN
           end.cs__freeze
 
           BLOCKING_MODES = Set.new(%i[BLOCK BLOCK_AT_PERIMETER]).cs__freeze
-          PREFILTER_MODES = Set.new(%i[BLOCK_AT_PERIMETER]).cs__freeze
           POSTFILTER_MODES = Set.new(%i[BLOCK PERMIT MONITOR]).cs__freeze
           STACK_COLLECTION_RESULTS = Set.new(%i[BLOCKED MONITORED]).cs__freeze
 
@@ -59,7 +58,6 @@ module Contrast
             @mode != :NO_ACTION
           end
 
-          # this rule is excluded if any of the given exclusions have a protection rule that matches this rule name
           def excluded? exclusions
             Array(exclusions).any? do |ex|
               ex.protection_rule?(name)
@@ -141,7 +139,7 @@ module Contrast
 
           def mode_from_settings
             SETTINGS.protect_rule_mode(name).tap do |mode|
-              logger.debug("rule #{ name } mode = #{ mode }")
+              logger.trace('Retrieving rule mode', rule: name, mode: mode)
             end
           end
 
@@ -215,7 +213,7 @@ module Contrast
             return unless sample
             return unless STACK_COLLECTION_RESULTS.include?(result&.response)
 
-            stack = Contrast::Utils::StackTraceUtils.build(ignore: true, class_lookup: true, depth: 50)
+            stack = Contrast::Utils::StackTraceUtils.build_protect_stack_array
             return unless stack
 
             sample.stack_trace_elements += stack
@@ -259,39 +257,22 @@ module Contrast
           end
 
           def log_rule_matched _context, ia_result, response, _matched_string = nil
-            return unless ia_result
-
-            # Log to agent logger
-            message = if ia_result
-                        log_msg(ia_result, true)
-                      else
-                        "An effective attack was detected against #{ name }."
-                      end
-
-            logger.debug([response, message].join)
+            logger.debug('A successful attack was detected',
+                         rule: name,
+                         type: ia_result&.input_type,
+                         name: ia_result&.key,
+                         input: ia_result&.value,
+                         result: response)
           end
 
           private
 
           def log_rule_probed _context, ia_result
-            message = if ia_result
-                        log_msg(ia_result, false)
-                      else
-                        "An unsuccessful attack was detected against #{ name }"
-                      end
-
-            logger.debug(message)
-          end
-
-          def log_msg ia_result, matched
-            key = ia_result.key ? ia_result.key.to_s + ' ' : ''
-            val = ia_result.value.to_s
-            typ = ia_result.input_type.to_s
-            if matched
-              "The #{ typ } #{ key } had a value that successfully exploited #{ name } - #{ val }."
-            else
-              "The #{ typ } #{ key } had a value that matched a signature for, but did not successfully exploit, #{ name } - #{ val }."
-            end
+            logger.debug('An unsuccessful attack was detected',
+                         rule: name,
+                         type: ia_result&.input_type,
+                         name: ia_result&.key,
+                         input: ia_result&.value)
           end
         end
       end

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base'
+
 module Contrast
   module Agent
     module Protect
@@ -56,7 +58,7 @@ module Contrast
 
           # Allows for the InputAnalysis from service to be extracted early
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.debug("checking: #{ name } vectors=#{ ia_results.length } in '#{ potential_attack_string }'")
+            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
 
             result = nil
             ia_results.each do |ia_result|

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/at_exit_hook'
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
 cs__scoped_require 'contrast/utils/stack_trace_utils'
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/components/interface'
@@ -12,7 +14,7 @@ module Contrast
         # The Ruby implementation of the Protect Command Injection rule.
         class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Interface
-          access_component :logging, :contrast_service
+          access_component :logging
 
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
@@ -28,7 +30,7 @@ module Contrast
             return nil if ia_results.empty?
 
             if Contrast::Agent::FeatureState.instance.in_new_process?
-              logger.debug('Running cmd-injection infilter within new process - creating new context')
+              logger.trace('Running cmd-injection infilter within new process - creating new context')
               context = Contrast::Agent::RequestContext.new(context.request.rack_request)
               Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
             end
@@ -38,18 +40,16 @@ module Contrast
             return nil unless result
 
             append_to_activity(context, result)
-            if %I[exec `].include?(method)
-              # TODO: RUBY-737
-              # Kernel#exec replaces the current process and does not go through at_exit hooks
-              # Kernel#` runs as a subshell - messages appended here do not seem to be present in the original process?
-              CONTRAST_SERVICE.send_message(context.activity)
-            end
-
             return unless blocked?
 
             raise Contrast::SecurityException.new(
                 self,
                 "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
+          ensure
+            # Kernel#exec replaces the current process and does not go through
+            # at_exit hooks. Kernel#` runs as a subshell - messages appended
+            # here do not seem to be present in the original process.
+            Contrast::Agent::AtExitHook.on_exit if %i[exec `].include?(method.to_sym)
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -66,7 +66,7 @@ module Contrast
           # Because results are not necessarily on the context across
           # processes; extract early and pass into the method
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.debug("checking: #{ name } in '#{ potential_attack_string }'")
+            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
             result = super(context, potential_attack_string, ia_results, **kwargs)
             if result.nil? && potential_attack_string
               result = find_probable_attacker(
@@ -128,9 +128,6 @@ module Contrast
                 result,
                 potential_attack_string,
                 **kwargs)
-            return nil if result.nil?
-
-            log_rule_matched(context, most_likely, mode, potential_attack_string)
             result
           end
 

data/lib/contrast/agent/protect/rule/csrf.rb

@@ -2,9 +2,10 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'rack'
-cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/agent/protect/rule/base'
 cs__scoped_require 'contrast/agent/request'
 cs__scoped_require 'contrast/agent/response'
+cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/stack_trace_utils'
 cs__scoped_require 'contrast/utils/timer'
 

data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb

@@ -13,31 +13,34 @@ class Contrast::Agent::Protect::Rule::Csrf::CsrfEvaluator # rubocop:disable Styl
 
   def can_ignore_check? request
     if !form_submittable_method?(request)
-      logger.debug("Ignoring method #{ request.request_method } for URI #{ request.uri }")
+      logger.trace('Ignoring method', method: request.request_method, uri: request.uri)
       true
     elsif ajax_request?(request)
-      logger.debug("Ignoring Ajax request for URI #{ request.uri }")
+      logger.trace('Ignoring Ajax request', uri: request.uri)
       true
     elsif empty_post?(request)
-      logger.debug("Ignoring empty POST request for URI #{ request.uri }")
+      logger.trace('Ignoring empty POST', uri: request.uri)
       true
     elsif !form_content_type?(request)
-      logger.debug("Ignoring POST request with Content-Type #{ request.content_type } for URI #{ request.uri }")
+      logger.trace(
+          'Ignoring POST request because of Content-Type',
+          content_type: request.content_type,
+          uri: request.uri)
       true
     elsif request.static_request?
-      logger.debug("Ignoring static request for URI #{ request.uri }")
+      logger.trace('Ignoring static request', uri: request.uri)
       true
     elsif origin_is_referer?(request)
-      logger.debug("Ignoring equivalent origin-referer for URI #{ request.uri }")
+      logger.trace('Ignoring equivalent origin-referer', uri: request.uri)
       true
     elsif login_page?(request)
-      logger.debug("Ignoring possible login page for URI #{ request.uri }")
+      logger.trace('Ignoring possible login page', uri: request.uri)
       true
     else
       false
     end
   rescue StandardError => e
-    logger.warn(e, 'Unable to determine if CSRF can be ignored')
+    logger.debug('Unable to determine if CSRF can be ignored', e)
   end
 
   POST_METHOD = 'POST'
@@ -51,12 +54,6 @@ class Contrast::Agent::Protect::Rule::Csrf::CsrfEvaluator # rubocop:disable Styl
     !requested_with.nil? && !requested_with.empty?
   end
 
-  USER_AGENT = 'USER-AGENT'
-  def empty_user_agent? request
-    agent = request.header_value(USER_AGENT)
-    agent.nil? || agent.empty?
-  end
-
   def empty_post? request
     request.request_body_str.empty? && (request.query_string.nil? || request.query_string.empty?)
   end

data/lib/contrast/agent/protect/rule/default_scanner.rb

@@ -35,7 +35,6 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     @_token_boundaries ||= scan_token_boundaries(query)
   end
 
-  CANARY = "select * from tbl where bar='bar';#' and pwd='sec3r3t'; # CANARY"
   def scan_token_boundaries query
     boundaries = []
     return boundaries unless query && !query.empty?
@@ -268,24 +267,12 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     true
   end
 
-  # Does this language let the user redefine the escape character
-  # We assume no by default
-  def redefines_escape_char?
-    false
-  end
-
   # Is the character provided an escape character?
   # By default, we'll assume
   def escape_char? char
     char == Contrast::Utils::ObjectShare::BACK_SLASH
   end
 
-  # Does this language support string escape sequences?
-  # We assume no by default
-  def support_string_escape_sequence?
-    false
-  end
-
   # Is this the start of a string escape sequence?
   # Since escape sequences aren't supported, the answer is always false
   def escape_sequence_start? _char

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base'
+
 module Contrast
   module Agent
     module Protect

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect
@@ -16,8 +18,6 @@ module Contrast
 
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-
-            logger.debug("#{ name } postfilter...")
             return if normal_request?(context)
 
             # The only way to be here in postfilter with a result is if the rule mode was MONITOR

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -1,9 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# This could be useful for making patterns maybe?
-# https://github.com/cr0hn/nosqlinjection_wordlists
-# https://www.owasp.org/index.php/Testing_for_NoSQL_injection
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect
@@ -70,7 +69,8 @@ module Contrast
               begin
                 potential_attack_string = JSON.generate(potential_attack_string).to_s
               rescue JSON::GeneratorError
-                logger.debug("Error in JSON::generate from input #{ potential_attack_string }")
+                logger.trace('Error in JSON::generate', input: potential_attack_string)
+                nil
               end
             end
             super(context, potential_attack_string, **kwargs)

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -1,8 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/utils/stack_trace_utils'
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
 cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/stack_trace_utils'
 
 module Contrast
   module Agent
@@ -12,7 +13,7 @@ module Contrast
         # Protect rule.
         class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Interface
-          access_component :logging, :agent
+          access_component :agent
 
           NAME = 'path-traversal'
           SYSTEM_PATHS = %w[
@@ -28,8 +29,6 @@ module Contrast
             /windows/repair/
           ].cs__freeze
 
-          KNOWN_SECURITY_BYPASS_MARKERS = ['::$DATA', '::$Index', '', '\x00'].cs__freeze
-
           def name
             NAME
           end
@@ -121,6 +120,8 @@ module Contrast
             false
           end
 
+          # TODO: RUBY-318
+          # KNOWN_SECURITY_BYPASS_MARKERS = ['::$DATA', '::$Index', '', '\x00'].cs__freeze
           def contains_known_attack_signatures? input
             utf8 = Contrast::Utils::StringUtils.force_utf8(input)
             _ = CGI.unescape(utf8)

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
 cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_sqli_rule'
 
 module Contrast

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect

data/lib/contrast/agent/protect/rule/xss.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base'
 cs__scoped_require 'contrast/utils/timer'
 
 module Contrast
@@ -11,7 +12,6 @@ module Contrast
         # of unsafe external entity resolution.
         class Xxe < Contrast::Agent::Protect::Rule::Base
           NAME = 'xxe'
-          EXPLOIT_CHARACTERS = Contrast::Utils::ObjectShare::EMPTY_ARRAY
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
 
@@ -19,6 +19,14 @@ module Contrast
             NAME
           end
 
+          # Given an xml, evaluate it for an XXE attack.
+          #
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param framework [Object] the name of the Parser being used.
+          # @param xml [Object] the container of the XML to be checked.
+          # @raise [Contrast::SecurityException] Security exception if an XXE
+          #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
             result = find_attacker(context, xml, framework: framework)
             return nil unless result
@@ -31,12 +39,10 @@ module Contrast
 
           protected
 
-          def find_attacker context, xml, **kwargs
+          def find_attacker context, xml, **_kwargs
             return nil unless xml
             return nil if protect_excluded_by_code?
 
-            logger.debug("checking: #{ name } in '#{ kwargs[:framework] }'")
-
             xxe_details, last_idx = build_details(xml)
             return nil unless xxe_details