contrast-agent 3.9.1 → 3.12.0

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -0,0 +1,54 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/sqli'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the SQL Injection rule. It is called from
+        # our patches of the targeted methods in which the execution of String
+        # based SQL queries occur. It is responsible for deciding if the infilter
+        # methods of the rule should be invoked.
+        class AppliesSqliRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          DATABASE_MYSQL =    'MySQL'
+          DATABASE_SQLITE =   'SQLite3'
+          DATABASE_PG =       'PostgreSQL'
+
+          class << self
+            def invoke _method, _exception, properties, _object, args
+              database = properties['database']
+              return unless database
+
+              index = properties[Contrast::Utils::ObjectShare::INDEX]
+              return unless valid_input?(index, args)
+              return if skip_analysis?
+
+              sql = args[index]
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::Sqli::NAME
+            end
+
+            private
+
+            def valid_input? index, args
+              return false unless args && args.length > index
+
+              sql = args[index]
+              sql && !sql.empty?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/xxe'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+cs__scoped_require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the XXE rule. It is called from our patches
+        # of the targeted methods in which XML parsing and entity resolution
+        # occurs. It is responsible for deciding if the infilter methods of the
+        # rule should be invoked.
+        module AppliesXxeRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def apply_rule method, _exception, _properties, object, args
+              xml = args[0]
+              xxe_check(method, xml, object)
+            end
+
+            # IO is tricky. If we can't rewind it, we can't fix it back to the
+            # original state. To be safe, we'll skip non-rewindable IO objects.
+            def apply_rule__io method, _exception, _properties, object, args
+              need_rewind = false
+              potential_xml = args[0]
+              return unless potential_xml&.respond_to?(:rewind)
+
+              xml = potential_xml.read
+              need_rewind = true
+              xxe_check(method, xml, object)
+            ensure
+              potential_xml.rewind if need_rewind
+            end
+
+            # Oga's Lexer is a special case b/c the information we need is on the
+            # object itself -- specifically in the @data instance variable
+            def apply_rule__lexer method, _exception, _properties, object, _args
+              return unless valid_data_input?(object)
+
+              data = object.instance_variable_get(DATA_KEY)
+              xxe_check(method, data, object)
+            ensure
+              data.rewind if data&.cs__respond_to?(:rewind)
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::Xxe::NAME
+            end
+
+            private
+
+            DATA_KEY = '@data'.to_sym
+            def valid_data_input? object
+              object.instance_variable_defined?(DATA_KEY) &&
+                  object.instance_variable_get(DATA_KEY)
+            end
+
+            NOKOGIRI_MARKER = 'Nokogiri::'
+            PARSER_NOKOGIRI = 'Nokogiri'
+            OX_MARKER = 'Ox' # breaks marker pattern b/c Ox is entire classname
+            PARSER_OX = 'Ox'
+            OGA_MARKER = 'Oga::'
+            PARSER_OGA = 'Oga'
+            # Given an object, determine the XML parser type that it represents.
+            #
+            # @param object[Object] the parsing instance or Module
+            # @return [String] the name of the parser
+            def determine_parser object
+              clazz = object.is_a?(Module) ? object : object.cs__class
+              name = clazz.cs__name
+
+              if name.start_with?(NOKOGIRI_MARKER)
+                PARSER_NOKOGIRI
+              elsif name.start_with?(OX_MARKER)
+                PARSER_OX
+              elsif name.start_with?(OGA_MARKER)
+                PARSER_OGA
+              end
+            end
+
+            # Given an xml, convert it to a String and pass it to the rule for
+            # analysis.
+            #
+            # @param method [Symbol] the name of the method doing this work.
+            # @param xml [Object] the container of the XML to be checked.
+            # @param potential_parser [Object] the entity that may be an XML
+            #   parser.
+            # @raise [Contrast::SecurityException] Security exception if an XXE
+            #   attack is found and the rule is in block mode.
+            def xxe_check method, xml, potential_parser
+              return if skip_analysis?
+              return unless xml
+
+              parser = determine_parser(potential_parser)
+              return unless parser
+
+              if xml.cs__is_a?(String)
+                rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, parser, xml)
+              elsif xml.cs__respond_to?(:each_line)
+                xml.each_line do |line|
+                  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, parser, line)
+                end
+              elsif xml.cs__respond_to?(:each)
+                xml.each do |chunk|
+                  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, parser, chunk)
+                end
+              end
+            rescue Contrast::SecurityException => e
+              raise e
+            rescue StandardError => e
+              parser ||= Contrast::Utils::ObjectShare::UNKNOWN
+              logger.error(
+                  'Error applying xxe',
+                  e,
+                  module: potential_parser.cs__class.cs__name,
+                  method: method, parser: parser)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/policy.rb

@@ -4,12 +4,12 @@
 cs__scoped_require 'contrast/agent/patching/policy/policy'
 
 # classes required by patches in the policy
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_command_injection_rule'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_deserialization_rule'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_no_sqli_rule'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_path_traversal_rule'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_sqli_rule'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_xxe_rule'
+cs__scoped_require 'contrast/agent/protect/policy/applies_command_injection_rule'
+cs__scoped_require 'contrast/agent/protect/policy/applies_deserialization_rule'
+cs__scoped_require 'contrast/agent/protect/policy/applies_no_sqli_rule'
+cs__scoped_require 'contrast/agent/protect/policy/applies_path_traversal_rule'
+cs__scoped_require 'contrast/agent/protect/policy/applies_sqli_rule'
+cs__scoped_require 'contrast/agent/protect/policy/applies_xxe_rule'
 cs__scoped_require 'contrast/agent/protect/policy/trigger_node'
 
 module Contrast

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is the base of our Protect Applicators. It lays out the
+        # form of the Applicator, which will override specific implementations
+        # in order to properly invoke its Rule.
+        module RuleApplicator
+          include Contrast::Components::Interface
+
+          access_component :analysis, :logging
+
+          def apply_rule method, exception, properties, object, args
+            invoke(method, exception, properties, object, args)
+          rescue Contrast::SecurityException => e
+            raise e
+          rescue StandardError => e
+            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method, rule: name)
+          end
+
+          protected
+
+          def invoke _method, _exception, _properties, _object, _args
+            raise NotImplementedError, 'This is abstract, override it.'
+          end
+
+          def name
+            raise NotImplementedError, 'This is abstract, override it.'
+          end
+
+          def rule
+            PROTECT.rule name
+          end
+
+          def skip_analysis?
+            context = Contrast::Agent::REQUEST_TRACKER.current
+            return true unless context&.app_loaded?
+            return true unless rule&.enabled?
+
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule.rb

@@ -35,11 +35,6 @@ cs__scoped_require 'contrast/agent/protect/rule/path_traversal'
 # The classes required for Command Injection
 cs__scoped_require 'contrast/agent/protect/rule/cmd_injection'
 
-# The classes required for CSRF
-cs__scoped_require 'contrast/agent/protect/rule/csrf'
-cs__scoped_require 'contrast/agent/protect/rule/csrf/csrf_evaluator'
-cs__scoped_require 'contrast/agent/protect/rule/csrf/csrf_token_injector'
-
 # The classes required for XXE
 cs__scoped_require 'contrast/agent/protect/rule/xxe'
 cs__scoped_require 'contrast/agent/protect/rule/xxe/entity_wrapper'

data/lib/contrast/agent/protect/rule/base.rb

@@ -14,21 +14,20 @@ module Contrast
         class Base
           include Contrast::Components::Interface
 
-          access_component :logging, :analysis, :settings, :scope
+          access_component :agent, :analysis, :logging, :scope, :settings
 
           UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
             user_input.input_type = :UNKNOWN
           end.cs__freeze
 
           BLOCKING_MODES = Set.new(%i[BLOCK BLOCK_AT_PERIMETER]).cs__freeze
-          PREFILTER_MODES = Set.new(%i[BLOCK_AT_PERIMETER]).cs__freeze
           POSTFILTER_MODES = Set.new(%i[BLOCK PERMIT MONITOR]).cs__freeze
           STACK_COLLECTION_RESULTS = Set.new(%i[BLOCKED MONITORED]).cs__freeze
 
           attr_reader :mode
 
           def initialize default_mode = :NO_ACTION
-            SETTINGS.protect_rules[name] = self
+            PROTECT.rules[name] = self
             @mode = mode_from_settings || default_mode
           end
 
@@ -41,9 +40,10 @@ module Contrast
 
           def enabled?
             # 1. it is not enabled because protect is not enabled
+            return false unless AGENT.enabled?
             return false unless PROTECT.enabled?
 
-            rule_configs = Contrast::Agent::FeatureState.instance.protect_rule_config
+            rule_configs = PROTECT.rule_config
             unless rule_configs.nil?
               # 2. it is not enabled because it is in the list of disabled protect rules
               disabled_rules = rule_configs.disabled_rules
@@ -59,7 +59,6 @@ module Contrast
             @mode != :NO_ACTION
           end
 
-          # this rule is excluded if any of the given exclusions have a protection rule that matches this rule name
           def excluded? exclusions
             Array(exclusions).any? do |ex|
               ex.protection_rule?(name)
@@ -140,8 +139,8 @@ module Contrast
           end
 
           def mode_from_settings
-            SETTINGS.protect_rule_mode(name).tap do |mode|
-              logger.debug("rule #{ name } mode = #{ mode }")
+            PROTECT.rule_mode(name).tap do |mode|
+              logger.trace('Retrieving rule mode', rule: name, mode: mode)
             end
           end
 
@@ -155,7 +154,7 @@ module Contrast
           # @return [Boolean] if an exclusion was applicable to this request
           #   for this rule
           def protect_excluded_by_code?
-            exclusions = Contrast::Agent::FeatureState.instance.code_exclusions
+            exclusions = SETTINGS.code_exclusions
             return false unless exclusions
 
             for_rule = exclusions.select { |ex| ex.protection_rule?(name) }
@@ -215,7 +214,7 @@ module Contrast
             return unless sample
             return unless STACK_COLLECTION_RESULTS.include?(result&.response)
 
-            stack = Contrast::Utils::StackTraceUtils.build(ignore: true, class_lookup: true, depth: 50)
+            stack = Contrast::Utils::StackTraceUtils.build_protect_stack_array
             return unless stack
 
             sample.stack_trace_elements += stack
@@ -259,39 +258,22 @@ module Contrast
           end
 
           def log_rule_matched _context, ia_result, response, _matched_string = nil
-            return unless ia_result
-
-            # Log to agent logger
-            message = if ia_result
-                        log_msg(ia_result, true)
-                      else
-                        "An effective attack was detected against #{ name }."
-                      end
-
-            logger.debug([response, message].join)
+            logger.debug('A successful attack was detected',
+                         rule: name,
+                         type: ia_result&.input_type,
+                         name: ia_result&.key,
+                         input: ia_result&.value,
+                         result: response)
           end
 
           private
 
           def log_rule_probed _context, ia_result
-            message = if ia_result
-                        log_msg(ia_result, false)
-                      else
-                        "An unsuccessful attack was detected against #{ name }"
-                      end
-
-            logger.debug(message)
-          end
-
-          def log_msg ia_result, matched
-            key = ia_result.key ? ia_result.key.to_s + ' ' : ''
-            val = ia_result.value.to_s
-            typ = ia_result.input_type.to_s
-            if matched
-              "The #{ typ } #{ key } had a value that successfully exploited #{ name } - #{ val }."
-            else
-              "The #{ typ } #{ key } had a value that matched a signature for, but did not successfully exploit, #{ name } - #{ val }."
-            end
+            logger.debug('An unsuccessful attack was detected',
+                         rule: name,
+                         type: ia_result&.input_type,
+                         name: ia_result&.key,
+                         input: ia_result&.value)
           end
         end
       end

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base'
+
 module Contrast
   module Agent
     module Protect
@@ -56,7 +58,7 @@ module Contrast
 
           # Allows for the InputAnalysis from service to be extracted early
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.debug("checking: #{ name } vectors=#{ ia_results.length } in '#{ potential_attack_string }'")
+            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
 
             result = nil
             ia_results.each do |ia_result|

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/at_exit_hook'
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
 cs__scoped_require 'contrast/utils/stack_trace_utils'
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/components/interface'
@@ -12,7 +14,7 @@ module Contrast
         # The Ruby implementation of the Protect Command Injection rule.
         class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Interface
-          access_component :logging, :contrast_service
+          access_component :app_context, :logging
 
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
@@ -27,8 +29,8 @@ module Contrast
             ia_results = gather_ia_results(context)
             return nil if ia_results.empty?
 
-            if Contrast::Agent::FeatureState.instance.in_new_process?
-              logger.debug('Running cmd-injection infilter within new process - creating new context')
+            if APP_CONTEXT.in_new_process?
+              logger.trace('Running cmd-injection infilter within new process - creating new context')
               context = Contrast::Agent::RequestContext.new(context.request.rack_request)
               Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
             end
@@ -38,18 +40,16 @@ module Contrast
             return nil unless result
 
             append_to_activity(context, result)
-            if %I[exec `].include?(method)
-              # TODO: RUBY-737
-              # Kernel#exec replaces the current process and does not go through at_exit hooks
-              # Kernel#` runs as a subshell - messages appended here do not seem to be present in the original process?
-              CONTRAST_SERVICE.send_message(context.activity)
-            end
-
             return unless blocked?
 
             raise Contrast::SecurityException.new(
                 self,
                 "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
+          ensure
+            # Kernel#exec replaces the current process and does not go through
+            # at_exit hooks. Kernel#` runs as a subshell - messages appended
+            # here do not seem to be present in the original process.
+            Contrast::Agent::AtExitHook.on_exit if %i[exec `].include?(method.to_sym)
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -66,7 +66,7 @@ module Contrast
           # Because results are not necessarily on the context across
           # processes; extract early and pass into the method
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.debug("checking: #{ name } in '#{ potential_attack_string }'")
+            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
             result = super(context, potential_attack_string, ia_results, **kwargs)
             if result.nil? && potential_attack_string
               result = find_probable_attacker(
@@ -128,9 +128,6 @@ module Contrast
                 result,
                 potential_attack_string,
                 **kwargs)
-            return nil if result.nil?
-
-            log_rule_matched(context, most_likely, mode, potential_attack_string)
             result
           end
 
@@ -147,7 +144,7 @@ module Contrast
           # @return [Boolean] if the agent should report all command
           #   executions.
           def report_any_command_execution?
-            Contrast::Agent::FeatureState.instance.report_any_command_execution?
+            PROTECT.report_any_command_execution?
           end
         end
       end