contrast-agent 3.9.1 → 6.15.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.dockerignore +0 -1
- data/.flayignore +1 -0
- data/.gitignore +8 -5
- data/.gitmodules +0 -3
- data/.rspec +0 -1
- data/.rspec_parallel +6 -0
- data/.simplecov +6 -2
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +5 -2
- data/ext/build_funchook.rb +16 -13
- data/ext/cs__assess_array/cs__assess_array.c +50 -6
- data/ext/cs__assess_array/cs__assess_array.h +5 -1
- data/ext/cs__assess_array/extconf.rb +3 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +39 -17
- data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
- data/ext/cs__assess_basic_object/extconf.rb +3 -0
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +9 -13
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -4
- data/ext/cs__assess_fiber_track/extconf.rb +3 -0
- data/ext/cs__assess_hash/cs__assess_hash.c +46 -21
- data/ext/cs__assess_hash/cs__assess_hash.h +5 -6
- data/ext/cs__assess_hash/extconf.rb +3 -0
- data/ext/cs__assess_kernel/cs__assess_kernel.c +29 -15
- data/ext/cs__assess_kernel/cs__assess_kernel.h +3 -0
- data/ext/cs__assess_kernel/extconf.rb +3 -0
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +57 -23
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +6 -3
- data/ext/cs__assess_marshal_module/extconf.rb +3 -0
- data/ext/cs__assess_module/cs__assess_module.c +82 -22
- data/ext/cs__assess_module/cs__assess_module.h +10 -0
- data/ext/cs__assess_module/extconf.rb +3 -0
- data/ext/cs__assess_regexp/cs__assess_regexp.c +28 -9
- data/ext/cs__assess_regexp/cs__assess_regexp.h +3 -0
- data/ext/cs__assess_regexp/extconf.rb +3 -0
- data/ext/cs__assess_string/cs__assess_string.c +53 -21
- data/ext/cs__assess_string/cs__assess_string.h +7 -1
- data/ext/cs__assess_string/extconf.rb +3 -0
- data/ext/cs__assess_string_interpolation/cs__assess_string_interpolation.c +39 -0
- data/ext/cs__assess_string_interpolation/cs__assess_string_interpolation.h +13 -0
- data/ext/cs__assess_string_interpolation/extconf.rb +5 -0
- data/ext/cs__assess_test/cs__assess_test.h +9 -0
- data/ext/cs__assess_test/cs__assess_tests.c +22 -0
- data/ext/cs__assess_test/extconf.rb +5 -0
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +4 -8
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -2
- data/ext/cs__assess_yield_track/extconf.rb +3 -0
- data/ext/cs__common/cs__common.c +240 -4
- data/ext/cs__common/cs__common.h +68 -1
- data/ext/cs__common/extconf.rb +3 -16
- data/ext/cs__contrast_patch/cs__contrast_patch.c +162 -83
- data/ext/cs__contrast_patch/cs__contrast_patch.h +11 -15
- data/ext/cs__contrast_patch/extconf.rb +3 -0
- data/ext/cs__os_information/cs__os_information.c +34 -0
- data/ext/cs__os_information/cs__os_information.h +7 -0
- data/ext/cs__os_information/extconf.rb +5 -0
- data/ext/cs__scope/cs__scope.c +980 -0
- data/ext/cs__scope/cs__scope.h +90 -0
- data/ext/cs__scope/extconf.rb +5 -0
- data/ext/cs__tests/cs__tests.c +12 -0
- data/ext/cs__tests/cs__tests.h +3 -0
- data/ext/cs__tests/extconf.rb +5 -0
- data/ext/extconf_common.rb +4 -34
- data/lib/contrast/agent/assess/assess.rb +23 -0
- data/lib/contrast/agent/assess/contrast_object.rb +54 -0
- data/lib/contrast/agent/assess/events/event_data.rb +30 -0
- data/lib/contrast/agent/assess/finalizers/freeze.rb +15 -0
- data/lib/contrast/agent/assess/finalizers/hash.rb +107 -0
- data/lib/contrast/agent/{module_data.rb → assess/module_data.rb} +5 -4
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +23 -48
- data/lib/contrast/agent/assess/policy/patcher.rb +13 -48
- data/lib/contrast/agent/assess/policy/policy.rb +20 -23
- data/lib/contrast/agent/assess/policy/policy_node.rb +97 -200
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +50 -0
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +15 -12
- data/lib/contrast/agent/assess/policy/preshift.rb +49 -18
- data/lib/contrast/agent/assess/policy/propagation_method.rb +200 -194
- data/lib/contrast/agent/assess/policy/propagation_node.rb +49 -41
- data/lib/contrast/agent/assess/policy/propagator/append.rb +32 -15
- data/lib/contrast/agent/assess/policy/propagator/base.rb +5 -3
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +119 -0
- data/lib/contrast/agent/assess/policy/propagator/center.rb +12 -8
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +7 -3
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +33 -25
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +15 -11
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +23 -6
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/next.rb +7 -6
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +13 -6
- data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +53 -41
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +5 -3
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +7 -6
- data/lib/contrast/agent/assess/policy/propagator/select.rb +45 -36
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +44 -21
- data/lib/contrast/agent/assess/policy/propagator/split.rb +133 -147
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +7 -132
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +190 -0
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +74 -52
- data/lib/contrast/agent/assess/policy/propagator.rb +21 -18
- data/lib/contrast/agent/assess/policy/source_method.rb +126 -188
- data/lib/contrast/agent/assess/policy/source_node.rb +3 -17
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +9 -7
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +3 -5
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +103 -0
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
- data/lib/contrast/agent/assess/policy/trigger_method.rb +143 -206
- data/lib/contrast/agent/assess/policy/trigger_node.rb +144 -66
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +98 -0
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +8 -38
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +9 -7
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +6 -15
- data/lib/contrast/agent/assess/properties.rb +15 -383
- data/lib/contrast/agent/assess/property/evented.rb +58 -0
- data/lib/contrast/agent/assess/property/tagged.rb +246 -0
- data/lib/contrast/agent/assess/property/updated.rb +131 -0
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +58 -19
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +22 -17
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +93 -81
- data/lib/contrast/agent/assess/rule/provider.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +69 -0
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +121 -0
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +107 -0
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +195 -0
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +100 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +34 -0
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +36 -0
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +61 -0
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +34 -0
- data/lib/contrast/agent/assess/tag.rb +84 -41
- data/lib/contrast/agent/assess/tracker.rb +70 -0
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +11 -6
- data/lib/contrast/agent/deadzone/policy/policy.rb +11 -7
- data/lib/contrast/agent/excluder/excluder.rb +306 -0
- data/lib/contrast/agent/excluder/exclusion_matcher.rb +112 -0
- data/lib/contrast/agent/hooks/at_exit_hook.rb +44 -0
- data/lib/contrast/agent/hooks/tracepoint_hook.rb +57 -0
- data/lib/contrast/agent/inventory/database_config.rb +175 -0
- data/lib/contrast/agent/inventory/dependencies.rb +52 -0
- data/lib/contrast/agent/inventory/dependency_analysis.rb +34 -0
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +120 -0
- data/lib/contrast/agent/inventory/inventory.rb +14 -0
- data/lib/contrast/agent/inventory/policy/datastores.rb +51 -0
- data/lib/contrast/agent/inventory/policy/policy.rb +5 -5
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +2 -2
- data/lib/contrast/agent/middleware/middleware.rb +214 -0
- data/lib/contrast/agent/middleware/static_analysis.rb +51 -0
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +22 -11
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +103 -52
- data/lib/contrast/agent/patching/policy/method_policy.rb +38 -62
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +117 -0
- data/lib/contrast/agent/patching/policy/module_policy.rb +27 -47
- data/lib/contrast/agent/patching/policy/patch.rb +129 -254
- data/lib/contrast/agent/patching/policy/patch_status.rb +21 -43
- data/lib/contrast/agent/patching/policy/patcher.rb +125 -159
- data/lib/contrast/agent/patching/policy/policy.rb +63 -58
- data/lib/contrast/agent/patching/policy/policy_node.rb +55 -37
- data/lib/contrast/agent/patching/policy/trigger_node.rb +32 -16
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +165 -0
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +122 -0
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +67 -0
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +97 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +72 -0
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +141 -0
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +58 -0
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +125 -0
- data/lib/contrast/agent/protect/policy/policy.rb +10 -10
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +119 -0
- data/lib/contrast/agent/protect/policy/trigger_node.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +274 -173
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker.rb +89 -0
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmd_injection.rb +86 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +90 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +170 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +63 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +62 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +27 -0
- data/lib/contrast/agent/protect/rule/default_scanner.rb +69 -25
- data/lib/contrast/agent/protect/rule/{deserialization.rb → deserialization/deserialization.rb} +29 -24
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -3
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli.rb +105 -0
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +226 -0
- data/lib/contrast/agent/protect/rule/{path_traversal.rb → path_traversal/path_traversal.rb} +48 -55
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +139 -0
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -3
- data/lib/contrast/agent/protect/rule/sqli/sql_sample_builder.rb +154 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli.rb +101 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +37 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +27 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb +67 -0
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload.rb +56 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +62 -0
- data/lib/contrast/agent/protect/rule/utils/builders.rb +111 -0
- data/lib/contrast/agent/protect/rule/utils/filters.rb +110 -0
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
- data/lib/contrast/agent/protect/rule/xss/xss.rb +50 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +25 -21
- data/lib/contrast/agent/protect/rule/xxe/xxe.rb +149 -0
- data/lib/contrast/agent/protect/rule.rb +20 -27
- data/lib/contrast/agent/reactions/disable_reaction.rb +20 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +71 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +86 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +97 -0
- data/lib/contrast/agent/reporting/connection_status.rb +45 -0
- data/lib/contrast/agent/reporting/details/bot_blocker_details.rb +29 -0
- data/lib/contrast/agent/reporting/details/cmd_injection_details.rb +30 -0
- data/lib/contrast/agent/reporting/details/details.rb +17 -0
- data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +35 -0
- data/lib/contrast/agent/reporting/details/no_sqli_details.rb +36 -0
- data/lib/contrast/agent/reporting/details/path_traversal_details.rb +24 -0
- data/lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb +32 -0
- data/lib/contrast/agent/reporting/details/protect_rule_details.rb +17 -0
- data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb +22 -0
- data/lib/contrast/agent/reporting/details/sqli_details.rb +36 -0
- data/lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb +27 -0
- data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +30 -0
- data/lib/contrast/agent/reporting/details/xss_details.rb +33 -0
- data/lib/contrast/agent/reporting/details/xss_match.rb +30 -0
- data/lib/contrast/agent/reporting/details/xxe_details.rb +36 -0
- data/lib/contrast/agent/reporting/details/xxe_match.rb +25 -0
- data/lib/contrast/agent/reporting/details/xxe_wrapper.rb +25 -0
- data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
- data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +55 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +129 -0
- data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +258 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +33 -0
- data/lib/contrast/agent/reporting/report.rb +32 -0
- data/lib/contrast/agent/reporting/reporter.rb +163 -0
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +34 -0
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +120 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +101 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +79 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +101 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +74 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +78 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +43 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +57 -0
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +37 -0
- data/lib/contrast/agent/reporting/reporting_events/application_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +44 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +55 -0
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +122 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +201 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +442 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +96 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +45 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +47 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +99 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb +65 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb +67 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range_tags.rb +105 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +126 -0
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +89 -0
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +48 -0
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +37 -0
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +83 -0
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +23 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +52 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_events/reportable_hash.rb +47 -0
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +35 -0
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +87 -0
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +59 -0
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +35 -0
- data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +133 -0
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +176 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +57 -0
- data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb +137 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +138 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +161 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +98 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +149 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +118 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +393 -0
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +46 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb +14 -0
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +46 -0
- data/lib/contrast/agent/reporting/settings/application_settings.rb +61 -0
- data/lib/contrast/agent/reporting/settings/assess.rb +58 -0
- data/lib/contrast/agent/reporting/settings/assess_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +114 -0
- data/lib/contrast/agent/reporting/settings/bot_blocker.rb +68 -0
- data/lib/contrast/agent/reporting/settings/exclusion_base.rb +129 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +86 -0
- data/lib/contrast/agent/reporting/settings/helpers.rb +101 -0
- data/lib/contrast/agent/reporting/settings/input_exclusion.rb +87 -0
- data/lib/contrast/agent/reporting/settings/ip_filter.rb +35 -0
- data/lib/contrast/agent/reporting/settings/keyword.rb +74 -0
- data/lib/contrast/agent/reporting/settings/log_enhancer.rb +65 -0
- data/lib/contrast/agent/reporting/settings/protect.rb +111 -0
- data/lib/contrast/agent/reporting/settings/protect_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +227 -0
- data/lib/contrast/agent/reporting/settings/reaction.rb +39 -0
- data/lib/contrast/agent/reporting/settings/rule_definition.rb +66 -0
- data/lib/contrast/agent/reporting/settings/sampling.rb +46 -0
- data/lib/contrast/agent/reporting/settings/sanitizer.rb +38 -0
- data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +118 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +65 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +95 -0
- data/lib/contrast/agent/reporting/settings/syslog.rb +205 -0
- data/lib/contrast/agent/reporting/settings/url_exclusion.rb +18 -0
- data/lib/contrast/agent/reporting/settings/validator.rb +17 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch.rb +56 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb +47 -0
- data/lib/contrast/agent/request/request.rb +189 -0
- data/lib/contrast/agent/request/request_context.rb +143 -0
- data/lib/contrast/agent/request/request_context_extend.rb +105 -0
- data/lib/contrast/agent/request/request_handler.rb +41 -0
- data/lib/contrast/agent/response/response.rb +87 -0
- data/lib/contrast/agent/scope/scope.rb +158 -0
- data/lib/contrast/agent/telemetry/base.rb +171 -0
- data/lib/contrast/agent/telemetry/client.rb +111 -0
- data/lib/contrast/agent/telemetry/event.rb +35 -0
- data/lib/contrast/agent/telemetry/exception/base.rb +61 -0
- data/lib/contrast/agent/telemetry/exception/event.rb +46 -0
- data/lib/contrast/agent/telemetry/exception/message.rb +118 -0
- data/lib/contrast/agent/telemetry/exception/message_exception.rb +86 -0
- data/lib/contrast/agent/telemetry/exception/stack_frame.rb +67 -0
- data/lib/contrast/agent/telemetry/exception.rb +19 -0
- data/lib/contrast/agent/telemetry/hash.rb +71 -0
- data/lib/contrast/agent/telemetry/identifier.rb +153 -0
- data/lib/contrast/agent/telemetry/metric_event.rb +28 -0
- data/lib/contrast/agent/telemetry/startup_metrics_event.rb +123 -0
- data/lib/contrast/agent/telemetry/telemetry.rb +109 -0
- data/lib/contrast/agent/{thread.rb → thread/thread.rb} +4 -6
- data/lib/contrast/agent/thread/thread_watcher.rb +126 -0
- data/lib/contrast/agent/thread/worker_thread.rb +42 -0
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent.rb +96 -57
- data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
- data/lib/contrast/agent_lib/api/init.rb +95 -0
- data/lib/contrast/agent_lib/api/input_tracing.rb +265 -0
- data/lib/contrast/agent_lib/api/panic.rb +87 -0
- data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
- data/lib/contrast/agent_lib/interface.rb +245 -0
- data/lib/contrast/agent_lib/interface_base.rb +131 -0
- data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
- data/lib/contrast/agent_lib/test.rb +29 -0
- data/lib/contrast/components/agent.rb +104 -48
- data/lib/contrast/components/api.rb +159 -0
- data/lib/contrast/components/app_context.rb +125 -98
- data/lib/contrast/components/app_context_extend.rb +53 -0
- data/lib/contrast/components/assess.rb +210 -24
- data/lib/contrast/components/assess_rules.rb +54 -0
- data/lib/contrast/components/base.rb +103 -0
- data/lib/contrast/components/config/sources.rb +95 -0
- data/lib/contrast/components/config.rb +182 -60
- data/lib/contrast/components/heap_dump.rb +77 -12
- data/lib/contrast/components/inventory.rb +37 -10
- data/lib/contrast/components/logger.rb +46 -76
- data/lib/contrast/components/polling.rb +39 -0
- data/lib/contrast/components/protect.rb +142 -16
- data/lib/contrast/components/ruby_component.rb +135 -0
- data/lib/contrast/components/rule_set.rb +52 -0
- data/lib/contrast/components/sampling.rb +156 -15
- data/lib/contrast/components/scope.rb +125 -116
- data/lib/contrast/components/security_logger.rb +36 -0
- data/lib/contrast/components/settings.rb +239 -88
- data/lib/contrast/config/api_proxy_configuration.rb +27 -0
- data/lib/contrast/config/base_configuration.rb +20 -94
- data/lib/contrast/config/certification_configuration.rb +47 -0
- data/lib/contrast/config/config.rb +48 -0
- data/lib/contrast/config/diagnostics.rb +123 -0
- data/lib/contrast/config/diagnostics_tools.rb +99 -0
- data/lib/contrast/config/effective_config.rb +131 -0
- data/lib/contrast/config/effective_config_value.rb +32 -0
- data/lib/contrast/config/env_variables.rb +18 -0
- data/lib/contrast/config/exception_configuration.rb +34 -12
- data/lib/contrast/config/protect_rule_configuration.rb +45 -24
- data/lib/contrast/config/protect_rules_configuration.rb +97 -22
- data/lib/contrast/config/request_audit_configuration.rb +57 -0
- data/lib/contrast/config/server_configuration.rb +67 -15
- data/lib/contrast/config/validate.rb +140 -0
- data/lib/contrast/config/yaml_file.rb +129 -0
- data/lib/contrast/config.rb +6 -22
- data/lib/contrast/configuration.rb +241 -109
- data/lib/contrast/extension/assess/array.rb +75 -0
- data/lib/contrast/extension/assess/erb.rb +61 -0
- data/lib/contrast/extension/assess/eval_trigger.rb +47 -0
- data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +9 -21
- data/lib/contrast/extension/assess/fiber.rb +95 -0
- data/lib/contrast/extension/assess/hash.rb +33 -0
- data/lib/contrast/extension/assess/kernel.rb +124 -0
- data/lib/contrast/extension/assess/marshal.rb +80 -0
- data/lib/contrast/extension/assess/regexp.rb +71 -0
- data/lib/contrast/extension/assess/string.rb +85 -0
- data/lib/contrast/extension/assess.rb +47 -0
- data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +3 -1
- data/lib/contrast/extension/extension.rb +59 -0
- data/lib/contrast/extension/inventory.rb +21 -0
- data/lib/contrast/{extensions/ruby_core → extension}/module.rb +2 -3
- data/lib/contrast/extension/object.rb +19 -0
- data/lib/contrast/extension/protect/psych.rb +7 -0
- data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +6 -6
- data/lib/contrast/extension/thread.rb +50 -0
- data/lib/contrast/framework/base_support.rb +69 -54
- data/lib/contrast/framework/grape/support.rb +176 -0
- data/lib/contrast/framework/manager.rb +112 -60
- data/lib/contrast/framework/manager_extend.rb +50 -0
- data/lib/contrast/framework/rack/patch/session_cookie.rb +108 -0
- data/lib/contrast/framework/rack/patch/support.rb +26 -0
- data/lib/contrast/framework/rack/support.rb +23 -0
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +46 -0
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +98 -0
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
- data/lib/contrast/framework/rails/patch/support.rb +46 -0
- data/lib/contrast/framework/rails/railtie.rb +33 -0
- data/lib/contrast/framework/rails/support.rb +187 -0
- data/lib/contrast/framework/sinatra/patch/encrypted_session_cookie.rb +39 -0
- data/lib/contrast/framework/sinatra/support.rb +162 -0
- data/lib/contrast/funchook/funchook.rb +44 -0
- data/lib/contrast/logger/aliased_logging.rb +158 -0
- data/lib/contrast/logger/application.rb +84 -0
- data/lib/contrast/logger/cef_log.rb +169 -0
- data/lib/contrast/logger/format.rb +61 -0
- data/lib/contrast/logger/log.rb +90 -0
- data/lib/contrast/logger/request.rb +25 -0
- data/lib/contrast/logger/time.rb +57 -0
- data/lib/contrast/security_exception.rb +2 -2
- data/lib/contrast/tasks/config.rb +33 -0
- data/lib/contrast/utils/assess/event_limit_utils.rb +134 -0
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +155 -0
- data/lib/contrast/utils/assess/property/tagged_utils.rb +165 -0
- data/lib/contrast/utils/assess/sampling_util.rb +11 -17
- data/lib/contrast/utils/assess/source_method_utils.rb +74 -0
- data/lib/contrast/utils/assess/split_utils.rb +23 -0
- data/lib/contrast/utils/assess/tracking_util.rb +96 -18
- data/lib/contrast/utils/assess/trigger_method_utils.rb +132 -0
- data/lib/contrast/utils/class_util.rb +80 -48
- data/lib/contrast/utils/duck_utils.rb +18 -9
- data/lib/contrast/utils/env_configuration_item.rb +4 -3
- data/lib/contrast/utils/findings.rb +66 -0
- data/lib/contrast/utils/hash_digest.rb +52 -99
- data/lib/contrast/utils/hash_digest_extend.rb +129 -0
- data/lib/contrast/utils/head_dump_utils_extend.rb +74 -0
- data/lib/contrast/utils/heap_dump_util.rb +44 -88
- data/lib/contrast/utils/input_classification_base.rb +169 -0
- data/lib/contrast/utils/invalid_configuration_util.rb +31 -45
- data/lib/contrast/utils/io_util.rb +47 -51
- data/lib/contrast/utils/job_servers_running.rb +21 -11
- data/lib/contrast/utils/log_utils.rb +254 -0
- data/lib/contrast/utils/lru_cache.rb +48 -0
- data/lib/contrast/utils/metrics_hash.rb +59 -0
- data/lib/contrast/utils/middleware_utils.rb +97 -0
- data/lib/contrast/utils/net_http_base.rb +173 -0
- data/lib/contrast/utils/object_share.rb +8 -48
- data/lib/contrast/utils/os.rb +14 -24
- data/lib/contrast/utils/patching/policy/patch_utils.rb +175 -0
- data/lib/contrast/utils/patching/policy/patcher_utils.rb +54 -0
- data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +89 -0
- data/lib/contrast/utils/request_utils.rb +96 -0
- data/lib/contrast/utils/resource_loader.rb +2 -2
- data/lib/contrast/utils/response_utils.rb +79 -0
- data/lib/contrast/utils/routes_sent.rb +63 -0
- data/lib/contrast/utils/sha256_builder.rb +9 -21
- data/lib/contrast/utils/silence_maker.rb +16 -0
- data/lib/contrast/utils/stack_trace_utils.rb +68 -184
- data/lib/contrast/utils/string_utils.rb +82 -52
- data/lib/contrast/utils/tag_util.rb +58 -44
- data/lib/contrast/utils/thread_tracker.rb +27 -23
- data/lib/contrast/utils/timer.rb +20 -55
- data/lib/contrast-agent.rb +2 -2
- data/lib/contrast.rb +106 -43
- data/resources/assess/policy.json +481 -120
- data/resources/deadzone/policy.json +280 -10
- data/resources/inventory/policy.json +2 -2
- data/resources/protect/policy.json +36 -17
- data/ruby-agent.gemspec +116 -46
- data/sonar-project.properties +9 -0
- metadata +694 -317
- data/exe/contrast_service +0 -29
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +0 -47
- data/ext/cs__assess_active_record_named/cs__active_record_named.h +0 -10
- data/ext/cs__assess_active_record_named/extconf.rb +0 -2
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
- data/ext/cs__assess_regexp_track/extconf.rb +0 -2
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +0 -31
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +0 -13
- data/ext/cs__assess_string_interpolation26/extconf.rb +0 -2
- data/ext/cs__protect_kernel/cs__protect_kernel.c +0 -37
- data/ext/cs__protect_kernel/cs__protect_kernel.h +0 -11
- data/ext/cs__protect_kernel/extconf.rb +0 -2
- data/funchook/Makefile +0 -29
- data/funchook/autom4te.cache/output.0 +0 -4976
- data/funchook/autom4te.cache/requests +0 -78
- data/funchook/autom4te.cache/traces.0 +0 -364
- data/funchook/config.log +0 -490
- data/funchook/config.status +0 -1016
- data/funchook/configure +0 -4976
- data/funchook/src/Makefile +0 -70
- data/funchook/src/config.h +0 -101
- data/funchook/src/config.h.in +0 -100
- data/funchook/src/decoder.o +0 -0
- data/funchook/src/distorm.o +0 -0
- data/funchook/src/funchook.o +0 -0
- data/funchook/src/funchook_io.o +0 -0
- data/funchook/src/funchook_syscall.o +0 -0
- data/funchook/src/funchook_unix.o +0 -0
- data/funchook/src/funchook_x86.o +0 -0
- data/funchook/src/instructions.o +0 -0
- data/funchook/src/insts.o +0 -0
- data/funchook/src/libfunchook.so +0 -0
- data/funchook/src/mnemonics.o +0 -0
- data/funchook/src/operands.o +0 -0
- data/funchook/src/os_func.o +0 -0
- data/funchook/src/os_func_unix.o +0 -0
- data/funchook/src/prefix.o +0 -0
- data/funchook/src/printf_base.o +0 -0
- data/funchook/src/textdefs.o +0 -0
- data/funchook/src/wstring.o +0 -0
- data/funchook/test/Makefile +0 -43
- data/funchook/test/funchook_test +0 -0
- data/funchook/test/libfunchook_test.so +0 -0
- data/funchook/test/test_main.o +0 -0
- data/funchook/test/x86_64_test.o +0 -0
- data/lib/contrast/agent/assess/adjusted_span.rb +0 -25
- data/lib/contrast/agent/assess/contrast_event.rb +0 -399
- data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
- data/lib/contrast/agent/assess/insulator.rb +0 -53
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +0 -80
- data/lib/contrast/agent/assess/rule/base.rb +0 -72
- data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
- data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
- data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
- data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
- data/lib/contrast/agent/assess/rule/redos.rb +0 -68
- data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
- data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
- data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
- data/lib/contrast/agent/assess/rule.rb +0 -18
- data/lib/contrast/agent/assess.rb +0 -44
- data/lib/contrast/agent/at_exit_hook.rb +0 -33
- data/lib/contrast/agent/class_reopener.rb +0 -238
- data/lib/contrast/agent/disable_reaction.rb +0 -24
- data/lib/contrast/agent/exclusion_matcher.rb +0 -190
- data/lib/contrast/agent/feature_state.rb +0 -379
- data/lib/contrast/agent/logger_manager.rb +0 -116
- data/lib/contrast/agent/middleware.rb +0 -350
- data/lib/contrast/agent/protect/rule/base_service.rb +0 -88
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +0 -156
- data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
- data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
- data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -80
- data/lib/contrast/agent/protect/rule/no_sqli.rb +0 -101
- data/lib/contrast/agent/protect/rule/sqli.rb +0 -101
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +0 -20
- data/lib/contrast/agent/protect/rule/xss.rb +0 -24
- data/lib/contrast/agent/protect/rule/xxe.rb +0 -120
- data/lib/contrast/agent/railtie.rb +0 -36
- data/lib/contrast/agent/reaction_processor.rb +0 -47
- data/lib/contrast/agent/request.rb +0 -475
- data/lib/contrast/agent/request_context.rb +0 -225
- data/lib/contrast/agent/require_state.rb +0 -61
- data/lib/contrast/agent/response.rb +0 -215
- data/lib/contrast/agent/rewriter.rb +0 -245
- data/lib/contrast/agent/scope.rb +0 -125
- data/lib/contrast/agent/service_heartbeat.rb +0 -40
- data/lib/contrast/agent/settings_state.rb +0 -152
- data/lib/contrast/agent/socket_client.rb +0 -128
- data/lib/contrast/agent/tracepoint_hook.rb +0 -51
- data/lib/contrast/api/connection_status.rb +0 -49
- data/lib/contrast/api/dtm_pb.rb +0 -718
- data/lib/contrast/api/settings_pb.rb +0 -416
- data/lib/contrast/api/socket.rb +0 -43
- data/lib/contrast/api/speedracer.rb +0 -186
- data/lib/contrast/api/tcp_socket.rb +0 -31
- data/lib/contrast/api/unix_socket.rb +0 -25
- data/lib/contrast/api.rb +0 -18
- data/lib/contrast/common_agent_configuration.rb +0 -86
- data/lib/contrast/components/contrast_service.rb +0 -117
- data/lib/contrast/components/interface.rb +0 -178
- data/lib/contrast/config/agent_configuration.rb +0 -24
- data/lib/contrast/config/application_configuration.rb +0 -27
- data/lib/contrast/config/assess_configuration.rb +0 -22
- data/lib/contrast/config/assess_rules_configuration.rb +0 -18
- data/lib/contrast/config/default_value.rb +0 -16
- data/lib/contrast/config/heap_dump_configuration.rb +0 -23
- data/lib/contrast/config/inventory_configuration.rb +0 -20
- data/lib/contrast/config/logger_configuration.rb +0 -20
- data/lib/contrast/config/protect_configuration.rb +0 -20
- data/lib/contrast/config/root_configuration.rb +0 -26
- data/lib/contrast/config/ruby_configuration.rb +0 -44
- data/lib/contrast/config/sampling_configuration.rb +0 -22
- data/lib/contrast/config/service_configuration.rb +0 -22
- data/lib/contrast/delegators/application_update.rb +0 -32
- data/lib/contrast/delegators.rb +0 -9
- data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
- data/lib/contrast/extensions/framework/rack/request.rb +0 -24
- data/lib/contrast/extensions/framework/rack/response.rb +0 -23
- data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
- data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
- data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
- data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
- data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
- data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
- data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
- data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
- data/lib/contrast/extensions/ruby_core/assess/assess_extension.rb +0 -143
- data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
- data/lib/contrast/extensions/ruby_core/assess/erb.rb +0 -42
- data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
- data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
- data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
- data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
- data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
- data/lib/contrast/extensions/ruby_core/assess/string.rb +0 -75
- data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
- data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
- data/lib/contrast/extensions/ruby_core/assess.rb +0 -52
- data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
- data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
- data/lib/contrast/extensions/ruby_core/inventory.rb +0 -22
- data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
- data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
- data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
- data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
- data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
- data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
- data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
- data/lib/contrast/extensions/ruby_core/protect/psych.rb +0 -7
- data/lib/contrast/extensions/ruby_core/thread.rb +0 -31
- data/lib/contrast/framework/platform_version.rb +0 -21
- data/lib/contrast/framework/rails_support.rb +0 -88
- data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
- data/lib/contrast/framework/sinatra_support.rb +0 -94
- data/lib/contrast/framework/view_technologies_descriptor.rb +0 -20
- data/lib/contrast/internal_exception.rb +0 -8
- data/lib/contrast/tasks/service.rb +0 -95
- data/lib/contrast/utils/boolean_util.rb +0 -33
- data/lib/contrast/utils/cache.rb +0 -69
- data/lib/contrast/utils/comment_range.rb +0 -19
- data/lib/contrast/utils/data_store_util.rb +0 -23
- data/lib/contrast/utils/environment_util.rb +0 -82
- data/lib/contrast/utils/freeze_util.rb +0 -32
- data/lib/contrast/utils/gemfile_reader.rb +0 -191
- data/lib/contrast/utils/inventory_util.rb +0 -126
- data/lib/contrast/utils/performs_logging.rb +0 -152
- data/lib/contrast/utils/preflight_util.rb +0 -13
- data/lib/contrast/utils/prevent_serialization.rb +0 -52
- data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
- data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
- data/lib/contrast/utils/random_util.rb +0 -22
- data/lib/contrast/utils/ruby_ast_rewriter.rb +0 -74
- data/lib/contrast/utils/service_response_util.rb +0 -110
- data/lib/contrast/utils/service_sender_util.rb +0 -106
- data/lib/contrast/utils/sinatra_helper.rb +0 -55
- data/resources/csrf/inject.js +0 -44
- data/resources/factory-bot-spec/spec_helper.rb +0 -30
- data/resources/rubocops/kernel/catch_cop.rb +0 -37
- data/resources/rubocops/kernel/require_cop.rb +0 -37
- data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
- data/resources/rubocops/module/autoload_cop.rb +0 -37
- data/resources/rubocops/module/const_defined_cop.rb +0 -37
- data/resources/rubocops/module/const_get_cop.rb +0 -37
- data/resources/rubocops/module/const_set_cop.rb +0 -37
- data/resources/rubocops/module/constants_cop.rb +0 -37
- data/resources/rubocops/module/name_cop.rb +0 -37
- data/resources/rubocops/object/class_cop.rb +0 -37
- data/resources/rubocops/object/freeze_cop.rb +0 -37
- data/resources/rubocops/object/frozen_cop.rb +0 -37
- data/resources/rubocops/object/is_a_cop.rb +0 -37
- data/resources/rubocops/object/method_cop.rb +0 -37
- data/resources/rubocops/object/respond_to_cop.rb +0 -37
- data/resources/rubocops/object/singleton_class_cop.rb +0 -37
- data/resources/rubocops/regexp/spelling_cop.rb +0 -44
- data/resources/rubocops/thread/new_cop.rb +0 -39
- data/resources/ruby-spec/ancestors_spec.rb +0 -70
- data/resources/ruby-spec/modulo_spec.rb +0 -831
- data/resources/ruby-spec/parameters_spec.rb +0 -261
- data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
- data/service_executables/.gitkeep +0 -0
- data/service_executables/VERSION +0 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- data/shared_libraries/funchook.h +0 -123
- data/shared_libraries/libfunchook.so +0 -0
@@ -1,6 +1,11 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require 'contrast/agent/assess/policy/trigger/reflected_xss'
|
5
|
+
require 'contrast/agent/assess/policy/trigger/xpath'
|
6
|
+
require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
|
7
|
+
require 'contrast/components/logger'
|
8
|
+
|
4
9
|
module Contrast
|
5
10
|
module Agent
|
6
11
|
module Assess
|
@@ -10,18 +15,37 @@ module Contrast
|
|
10
15
|
# specifically for those methods which result in the trigger of a
|
11
16
|
# vulnerability (indicate points in the application where uncontrolled
|
12
17
|
# user input can do damage).
|
13
|
-
class TriggerNode < PolicyNode
|
18
|
+
class TriggerNode < PolicyNode # rubocop:disable Metrics/ClassLength
|
19
|
+
include Contrast::Components::Logger::InstanceMethods
|
20
|
+
|
14
21
|
JSON_BAD_VALUE = 'bad_value'
|
15
22
|
JSON_GOOD_VALUE = 'good_value'
|
16
23
|
JSON_DISALLOWED_TAGS = 'disallowed_tags'
|
17
24
|
JSON_REQUIRED_TAGS = 'required_tags'
|
18
|
-
JSON_NODES = 'nodes'
|
19
25
|
JSON_RULE_NAME = 'name'
|
20
26
|
JSON_CUSTOM_PATCH = 'custom_patch'
|
21
27
|
|
22
|
-
|
23
|
-
|
28
|
+
# Our list with rules to be collected and reported back when we have response
|
29
|
+
# from the application. Some rules rely on Content-Type validation.
|
30
|
+
COLLECTABLE_RULES = %w[reflected-xss].cs__freeze
|
24
31
|
|
32
|
+
attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
|
33
|
+
|
34
|
+
ENCODER_START = 'CUSTOM_ENCODED_'
|
35
|
+
# By default, any rule will be triggered if the source
|
36
|
+
# of the rule event has an untrusted tag range that is
|
37
|
+
# not covered by one of its disallowed tags.
|
38
|
+
UNTRUSTED = 'UNTRUSTED'
|
39
|
+
TRIGGER = 'Trigger'
|
40
|
+
VALIDATOR_START = 'CUSTOM_VALIDATED_'
|
41
|
+
# If a level 1 rule comes from TeamServer, it will have the
|
42
|
+
# tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
|
43
|
+
# All rules should take this into account.
|
44
|
+
# Additionally, if something is marked 'limited-chars' it means
|
45
|
+
# it has been properly vetted to not contain dangerous input.
|
46
|
+
LIMITED_CHARS = 'LIMITED_CHARS'
|
47
|
+
CUSTOM_ENCODED = 'CUSTOM_ENCODED'
|
48
|
+
CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
|
25
49
|
def initialize trigger_hash = {}, rule_hash = {}
|
26
50
|
super(trigger_hash)
|
27
51
|
good_value = trigger_hash[JSON_GOOD_VALUE]
|
@@ -38,15 +62,17 @@ module Contrast
|
|
38
62
|
@trigger_method = trigger_hash['trigger_method']
|
39
63
|
@trigger_method = @trigger_method.to_sym if @trigger_method
|
40
64
|
validate
|
65
|
+
rescue ArgumentError => e
|
66
|
+
logger.error('Trigger Node initialization failed with: ', e)
|
67
|
+
nil
|
41
68
|
end
|
42
69
|
|
43
|
-
TRIGGER = 'Trigger'
|
44
70
|
def node_class
|
45
71
|
TRIGGER
|
46
72
|
end
|
47
73
|
|
48
|
-
def apply_custom_trigger
|
49
|
-
custom_trigger_class.send(@trigger_method,
|
74
|
+
def apply_custom_trigger trigger_node, source, object, ret, *args
|
75
|
+
custom_trigger_class.send(@trigger_method, trigger_node, source, object, ret, *args)
|
50
76
|
end
|
51
77
|
|
52
78
|
def custom_trigger_class
|
@@ -65,8 +91,12 @@ module Contrast
|
|
65
91
|
:TYPE_METHOD
|
66
92
|
end
|
67
93
|
|
94
|
+
def collectable?
|
95
|
+
COLLECTABLE_RULES.include?(rule_id)
|
96
|
+
end
|
97
|
+
|
68
98
|
def rule_disabled?
|
69
|
-
Contrast::
|
99
|
+
::Contrast::ASSESS.rule_disabled?(rule_id)
|
70
100
|
end
|
71
101
|
|
72
102
|
# Indicate if this is a dataflow based trigger, meaning it has a proper
|
@@ -98,16 +128,17 @@ module Contrast
|
|
98
128
|
# if the source isn't tracked, there can't be a violation
|
99
129
|
# this condition may not hold true forever, but for now it's
|
100
130
|
# a nice optimization
|
101
|
-
return false unless
|
131
|
+
return false unless Contrast::Agent::Assess::Tracker.tracked?(source)
|
102
132
|
|
133
|
+
properties = Contrast::Agent::Assess::Tracker.properties(source)
|
103
134
|
# find the ranges that violate the rule (untrusted, etc)
|
104
|
-
vulnerable_ranges =
|
135
|
+
vulnerable_ranges = ranges_with_all_tags(properties, required_tags)
|
105
136
|
# if there aren't any vulnerable ranges, nope out
|
106
137
|
return false if vulnerable_ranges.empty?
|
107
138
|
|
108
139
|
# find the ranges that are exempt from the rule
|
109
140
|
# (validated, sanitized, etc)
|
110
|
-
secure_ranges =
|
141
|
+
secure_ranges = ranges_with_any_tag(properties, disallowed_tags)
|
111
142
|
# if there are vulnerable ranges and no secure, report
|
112
143
|
return true if secure_ranges.empty?
|
113
144
|
|
@@ -118,6 +149,7 @@ module Contrast
|
|
118
149
|
|
119
150
|
# Standard validation + TS trace version two rules:
|
120
151
|
# Must have source
|
152
|
+
# @raise[ArgumentError] raises if any of the required fields is invalid or missing
|
121
153
|
def validate
|
122
154
|
super
|
123
155
|
# If this isn't a dataflow rule, it can't have a source
|
@@ -127,10 +159,6 @@ module Contrast
|
|
127
159
|
|
128
160
|
private
|
129
161
|
|
130
|
-
# By default, any rule will be triggered if the source
|
131
|
-
# of the rule event has an untrusted tag range that is
|
132
|
-
# not covered by one of its disallowed tags.
|
133
|
-
UNTRUSTED = 'UNTRUSTED'
|
134
162
|
def populate_tags required_tags
|
135
163
|
return unless dataflow?
|
136
164
|
|
@@ -139,16 +167,6 @@ module Contrast
|
|
139
167
|
@required_tags << UNTRUSTED
|
140
168
|
end
|
141
169
|
|
142
|
-
ENCODER_START = 'CUSTOM_ENCODED_'
|
143
|
-
VALIDATOR_START = 'CUSTOM_VALIDATED_'
|
144
|
-
# If a level 1 rule comes from TeamServer, it will have the
|
145
|
-
# tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
|
146
|
-
# All rules should take this into account.
|
147
|
-
# Additionally, if something is marked 'limited-chars' it means
|
148
|
-
# it has been properly vetted to not contain dangerous input.
|
149
|
-
LIMITED_CHARS = 'LIMITED_CHARS'
|
150
|
-
CUSTOM_ENCODED = 'CUSTOM_ENCODED'
|
151
|
-
CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
|
152
170
|
def populate_disallowed disallowed_tags
|
153
171
|
return unless dataflow?
|
154
172
|
|
@@ -157,77 +175,84 @@ module Contrast
|
|
157
175
|
@disallowed_tags << LIMITED_CHARS
|
158
176
|
@disallowed_tags << CUSTOM_ENCODED
|
159
177
|
@disallowed_tags << CUSTOM_VALIDATED
|
160
|
-
@disallowed_tags << ENCODER_START + loud_name
|
161
|
-
@disallowed_tags << VALIDATOR_START + loud_name
|
178
|
+
@disallowed_tags << (ENCODER_START + loud_name)
|
179
|
+
@disallowed_tags << (VALIDATOR_START + loud_name)
|
162
180
|
end
|
163
181
|
|
164
|
-
|
182
|
+
# @raise[ArgumentError] raises if any of the tags is invalid
|
165
183
|
def validate_rule_tags tags
|
166
184
|
return unless tags
|
167
185
|
|
168
186
|
tags.each do |tag|
|
169
187
|
raise(ArgumentError, "Rule #{ rule_id } had an invalid tag. #{ tag } is not a known value.") unless
|
170
|
-
|
171
|
-
|
188
|
+
Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_TAGS.include?(tag) ||
|
189
|
+
Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
|
172
190
|
end
|
173
191
|
end
|
174
192
|
|
175
193
|
# Find the ranges that satisfy all of the given tags.
|
176
194
|
#
|
177
|
-
# @param
|
178
|
-
# given tags -- used as the maximum index to search for all of the
|
179
|
-
# tags.
|
180
|
-
# @param cs__properties [Contrast::Agent::Assess::Properties] the
|
195
|
+
# @param properties [Contrast::Agent::Assess::Properties] the
|
181
196
|
# properties to check for the tags
|
182
|
-
# @param
|
197
|
+
# @param required_tags [Set<String>] the list of tags on which to match
|
183
198
|
# @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
|
184
199
|
# by the given conditions
|
185
|
-
def
|
186
|
-
|
187
|
-
return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
|
188
|
-
return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
|
189
|
-
|
190
|
-
# :zap: faster to treat all as any if there's only one tag
|
191
|
-
return find_ranges_by_any_tag(cs__properties, tags) if tags.length == 1
|
200
|
+
def ranges_with_all_tags properties, required_tags
|
201
|
+
return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
|
192
202
|
|
203
|
+
chunking = false
|
193
204
|
ranges = []
|
205
|
+
# find the start and end range of required tags:
|
206
|
+
search_ranges = find_required_ranges(properties, required_tags)
|
207
|
+
start_range = search_ranges.first
|
208
|
+
end_range = search_ranges.last + 1
|
209
|
+
|
194
210
|
# find all the indicies on the source that have all the given tags
|
195
|
-
|
196
|
-
|
197
|
-
|
211
|
+
while start_range < end_range
|
212
|
+
|
213
|
+
tags_at = properties.tags_at(start_range).to_a
|
214
|
+
# only those that have all the required tags in the tags_at
|
215
|
+
# satisfy the requirement
|
216
|
+
satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
|
217
|
+
# if this range matches all the required tags and we're already
|
218
|
+
# chunking, meaning the previous range matched, do nothing
|
219
|
+
|
220
|
+
# if we are satisfied and we were not chunking, this represents
|
221
|
+
# the start of the next range, so create a new entry.
|
222
|
+
if satisfied
|
223
|
+
if chunking
|
224
|
+
start_range += 1
|
225
|
+
next
|
226
|
+
end
|
227
|
+
ranges << Contrast::Agent::Assess::Tag.new('required', 0, start_range)
|
228
|
+
chunking = true
|
229
|
+
# if we are chunking and not satisfied, this represents the end
|
230
|
+
# of the range, meaning the last index is what satisfied the
|
231
|
+
# range. Because the range is exclusive end, we can just use this
|
232
|
+
# index.
|
233
|
+
elsif chunking
|
234
|
+
ranges[-1]&.update_end(start_range)
|
235
|
+
chunking = false
|
236
|
+
end
|
237
|
+
start_range += 1
|
198
238
|
end
|
199
|
-
|
200
|
-
return Contrast::Utils::ObjectShare::EMPTY_ARRAY if ranges.empty?
|
201
|
-
|
202
|
-
# chunk all the adjacent ranges
|
203
|
-
chunked = ranges.chunk_while { |i, j| i + 1 == j }
|
204
|
-
tag_ranges = []
|
205
|
-
# and convert them into Tags
|
206
|
-
chunked.each do |join|
|
207
|
-
start = join[0]
|
208
|
-
stop = join[-1]
|
209
|
-
# add the 1 to account for end index being exclusive
|
210
|
-
tag_length = stop - start + 1
|
211
|
-
tag_ranges = Contrast::Utils::TagUtil.ordered_merge(tag_ranges, Tag.new(tag_length, start))
|
212
|
-
end
|
213
|
-
tag_ranges
|
239
|
+
ranges
|
214
240
|
end
|
215
241
|
|
216
242
|
# Find the ranges that satisfy any of the given tags.
|
217
243
|
#
|
218
|
-
# @param
|
244
|
+
# @param properties [Contrast::Agent::Assess::Properties] the
|
219
245
|
# properties to check for the tags
|
220
246
|
# @param tags [Set<String>] the list of tags on which to match
|
221
247
|
# @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
|
222
248
|
# by the given conditions
|
223
|
-
def
|
249
|
+
def ranges_with_any_tag properties, tags
|
224
250
|
# if there aren't any all_tags or tags, break early
|
225
|
-
return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless
|
226
|
-
return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
|
251
|
+
return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless search_tags?(properties, tags)
|
227
252
|
|
228
253
|
ranges = []
|
229
254
|
tags.each do |desired|
|
230
|
-
found =
|
255
|
+
found = properties.fetch_tag(desired)
|
231
256
|
next unless found
|
232
257
|
|
233
258
|
# we need to dup here so that we don't change the tags if target is
|
@@ -236,6 +261,59 @@ module Contrast
|
|
236
261
|
end
|
237
262
|
ranges
|
238
263
|
end
|
264
|
+
|
265
|
+
# We should only try to match tags on properties if those properties have any tags (are tracked) and there
|
266
|
+
# are tags to try and match on. Some rules, like regexp rules, have no tags. Some rules, like trigger, have
|
267
|
+
# no properties.
|
268
|
+
#
|
269
|
+
# @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
|
270
|
+
# @param tags [Set<String>] the list of tags on which to match
|
271
|
+
# @return [Boolean] if the given properties has instances of every tag in tags
|
272
|
+
def search_tags? properties, tags
|
273
|
+
return false unless properties.tracked?
|
274
|
+
return false unless tags&.any?
|
275
|
+
|
276
|
+
true
|
277
|
+
end
|
278
|
+
|
279
|
+
# Determine if the given properties have instances of all the given tags or not.
|
280
|
+
#
|
281
|
+
# @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
|
282
|
+
# @param tags [Set<String>] the list of tags on which to match
|
283
|
+
# @return [Boolean] if the given properties has instances of every tag in tags
|
284
|
+
def matches_tags? properties, tags
|
285
|
+
return false unless search_tags?(properties, tags)
|
286
|
+
return false unless tags.all? { |tag| properties.tag_keys.include?(tag) }
|
287
|
+
|
288
|
+
true
|
289
|
+
end
|
290
|
+
|
291
|
+
# Range finder helper for #ranges_with_all_tags
|
292
|
+
#
|
293
|
+
# @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
|
294
|
+
# @param required_tags [Set<String>] the list of tags on which to match
|
295
|
+
# @return [Array] of required tags ranges to search
|
296
|
+
def find_required_ranges properties, required_tags
|
297
|
+
start_range = 0
|
298
|
+
end_range = 0
|
299
|
+
required_tags_arr = required_tags.to_a
|
300
|
+
idx = 0
|
301
|
+
|
302
|
+
while idx < required_tags_arr.length
|
303
|
+
# find the start and end range of required tags:
|
304
|
+
start_temp = properties.fetch_tag(required_tags_arr[idx])[0].start_idx
|
305
|
+
end_temp = properties.fetch_tag(required_tags_arr[idx])[0].end_idx
|
306
|
+
# first iteration only
|
307
|
+
start_range = start_temp if idx.zero?
|
308
|
+
end_range = end_temp if idx.zero?
|
309
|
+
|
310
|
+
# find the tag with smallest ranges
|
311
|
+
start_range = start_temp if start_range < start_temp
|
312
|
+
end_range = end_temp if end_range > end_temp
|
313
|
+
idx += 1
|
314
|
+
end
|
315
|
+
[start_range, end_range]
|
316
|
+
end
|
239
317
|
end
|
240
318
|
end
|
241
319
|
end
|
@@ -0,0 +1,98 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Contrast
|
5
|
+
module Agent
|
6
|
+
module Assess
|
7
|
+
module Policy
|
8
|
+
module TriggerValidation
|
9
|
+
# Validator used to assert a REDOS finding is actually vulnerable
|
10
|
+
# before serializing that finding as a Event to report to the TeamServer.
|
11
|
+
module REDOSValidator
|
12
|
+
RULE_NAME = 'redos'
|
13
|
+
# If Regexp is set to Float::Infinite this is the maximum number it will receive
|
14
|
+
POSITIVE_INFINITY = 18_446_744_073.709553
|
15
|
+
# We are checking and for negative infinity (-1.0/0.0 )
|
16
|
+
NEGATIVE_INFINITY = -POSITIVE_INFINITY
|
17
|
+
|
18
|
+
class << self
|
19
|
+
def valid? _patcher, object, _ret, args
|
20
|
+
# Can arrive here from either:
|
21
|
+
# regexp =~ string
|
22
|
+
# string =~ regexp
|
23
|
+
# regexp.match string
|
24
|
+
#
|
25
|
+
# Thus object/args[0] can be string/regexp or regexp/string.
|
26
|
+
regexp = object.is_a?(Regexp) ? object : args[0]
|
27
|
+
|
28
|
+
# regexp must be exploitable.
|
29
|
+
return false unless regexp_vulnerable?(regexp)
|
30
|
+
|
31
|
+
true
|
32
|
+
end
|
33
|
+
|
34
|
+
protected
|
35
|
+
|
36
|
+
VULNERABLE_PATTERN = /[\[(].*?[\[(].*?[\])][*+?].*?[\])][*+?]/.cs__freeze
|
37
|
+
|
38
|
+
# Does the regexp
|
39
|
+
# https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
|
40
|
+
def regexp_vulnerable? regexp
|
41
|
+
# A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
|
42
|
+
# A level is defined as any set of opening and closing control characters immediately followed by a
|
43
|
+
# multi match control character.
|
44
|
+
# A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS, or MULTI_MATCH_CHARS that
|
45
|
+
# is not immediately preceded by an escaping \ character.
|
46
|
+
# OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
|
47
|
+
|
48
|
+
# Nota bene about Regexp#to_s: it doesn't necessarily give you the original Regexp back
|
49
|
+
# (in the sense of `my_str == Regexp.new(my_str).to_s`), it gives you a Regexp that
|
50
|
+
# will have the same functional characteristics as the original.
|
51
|
+
# Regexp#inspect gives you a "more nicely formatted" version than #to_s.
|
52
|
+
# Regexp#source will give you the original source.
|
53
|
+
|
54
|
+
# Use #match? because it doesn't fill out global variables
|
55
|
+
# in the way match or =~ do.
|
56
|
+
#
|
57
|
+
# Since ruby 3.2.0 the Regexp now have a timeout option. we need to check and see if the timeout
|
58
|
+
# is set. If so we can assume that the regexp is safe.
|
59
|
+
# puts "SAFE #{regexp_timeout_safe?(regexp)}"
|
60
|
+
return false if regexp_timeout_safe?(regexp)
|
61
|
+
|
62
|
+
# report only if pattern is bad:
|
63
|
+
VULNERABLE_PATTERN.match?(regexp.source)
|
64
|
+
end
|
65
|
+
|
66
|
+
# Check and see if a regexp is with safely set Timeout or not.
|
67
|
+
#
|
68
|
+
# @param regexp [Regexp]
|
69
|
+
# @return [Boolean]
|
70
|
+
def regexp_timeout_safe? regexp
|
71
|
+
return false if RUBY_VERSION < '3.2.0'
|
72
|
+
# Global
|
73
|
+
return false if Regexp.timeout.nil? || regexp_infinite?(Regexp)
|
74
|
+
|
75
|
+
# Local
|
76
|
+
return false if regexp.cs__is_a?(Regexp) && !(regexp.timeout.nil? || regexp_infinite?(regexp))
|
77
|
+
|
78
|
+
true
|
79
|
+
end
|
80
|
+
|
81
|
+
private
|
82
|
+
|
83
|
+
# Check and see if the set timeout is set to infinity:
|
84
|
+
#
|
85
|
+
# @param regexp[Regexp] Instance or class
|
86
|
+
# @return[Boolean]
|
87
|
+
def regexp_infinite? regexp
|
88
|
+
return false unless regexp.timeout == POSITIVE_INFINITY || regexp.timeout == NEGATIVE_INFINITY
|
89
|
+
|
90
|
+
true
|
91
|
+
end
|
92
|
+
end
|
93
|
+
end
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -7,11 +7,10 @@ module Contrast
|
|
7
7
|
module Policy
|
8
8
|
module TriggerValidation
|
9
9
|
# Validator used to assert a SSRF finding is actually vulnerable
|
10
|
-
# before serializing that finding as a DTM to report to the
|
10
|
+
# before serializing that finding as a DTM to report to the TeamServer.
|
11
11
|
module SSRFValidator
|
12
|
-
|
13
|
-
URL_PATTERN =
|
14
|
-
%r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze
|
12
|
+
RULE_NAME = 'ssrf'
|
13
|
+
URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength
|
15
14
|
# The Net::HTTP class validates host format on instantiation. Since
|
16
15
|
# our triggers for that class are on the instance, they already
|
17
16
|
# have this validation done for them. We do not need to apply the
|
@@ -23,7 +22,6 @@ module Contrast
|
|
23
22
|
# querystring
|
24
23
|
# https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/server_side_request_forgery.md
|
25
24
|
def self.valid? patcher, _object, _ret, args
|
26
|
-
return true unless SSRF_RULE == patcher&.rule_id
|
27
25
|
return true if patcher.id.to_s.start_with?(PATH_ONLY_PATCH_MARKER)
|
28
26
|
|
29
27
|
url = args[0].to_s
|
@@ -32,42 +30,14 @@ module Contrast
|
|
32
30
|
|
33
31
|
# It is dangerous for the user to control a section of the URL
|
34
32
|
# between the start of the protocol and the beginning of the
|
35
|
-
# querystring. If there is no
|
33
|
+
# querystring. If there is no path, then the entire URL is
|
36
34
|
# dangerous for the User to control.
|
37
35
|
start = match.begin(:protocol)
|
38
|
-
finish = match.begin(:
|
36
|
+
finish = match.begin(:path)
|
39
37
|
finish ||= url.length
|
40
38
|
|
41
|
-
args[0]
|
42
|
-
|
43
|
-
|
44
|
-
# Some SSRF triggers take multiple parameters to build the URL.
|
45
|
-
# For the net_http_# sources, if the first parameter is a String,
|
46
|
-
# the URL is built by appending the first and second parameters.
|
47
|
-
def self.composite? patcher, args
|
48
|
-
id = patcher.id.to_s
|
49
|
-
return false unless id.start_with?(PATH_ONLY_PATCH_MARKER)
|
50
|
-
|
51
|
-
args[0].is_a?(String)
|
52
|
-
end
|
53
|
-
|
54
|
-
def self.build_single_source args
|
55
|
-
return nil unless args[0].cs__respond_to?(:cs__properties)
|
56
|
-
|
57
|
-
args[0].to_s
|
58
|
-
end
|
59
|
-
|
60
|
-
def self.build_composite_source args
|
61
|
-
if args.length > 1
|
62
|
-
return nil unless args[0].cs__respond_to?(:cs__properties) ||
|
63
|
-
args[1].cs__respond_to?(:cs__properties)
|
64
|
-
|
65
|
-
args[0] + args[1]
|
66
|
-
else
|
67
|
-
return nil unless args[0].cs__respond_to?(:cs__properties)
|
68
|
-
|
69
|
-
args[0].to_s
|
70
|
-
end
|
39
|
+
properties = Contrast::Agent::Assess::Tracker.properties(args[0])
|
40
|
+
properties&.any_tags_between?(start, finish)
|
71
41
|
end
|
72
42
|
end
|
73
43
|
end
|
@@ -1,8 +1,9 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
|
5
|
-
|
4
|
+
require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'
|
5
|
+
require 'contrast/agent/assess/policy/trigger_validation/xss_validator'
|
6
|
+
require 'contrast/agent/assess/policy/trigger_validation/redos_validator'
|
6
7
|
|
7
8
|
module Contrast
|
8
9
|
module Agent
|
@@ -15,7 +16,8 @@ module Contrast
|
|
15
16
|
module TriggerValidation
|
16
17
|
VALIDATORS = [
|
17
18
|
Contrast::Agent::Assess::Policy::TriggerValidation::SSRFValidator,
|
18
|
-
Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator
|
19
|
+
Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator,
|
20
|
+
Contrast::Agent::Assess::Policy::TriggerValidation::REDOSValidator
|
19
21
|
].cs__freeze
|
20
22
|
|
21
23
|
# Determines if the conditions in which this trigger was called are
|
@@ -32,9 +34,9 @@ module Contrast
|
|
32
34
|
# @return [Boolean] if the conditions are valid for the generation of
|
33
35
|
# a Contrast::Api::Dtm::Finding
|
34
36
|
def self.valid? patcher, object, ret, args
|
35
|
-
VALIDATORS.
|
36
|
-
|
37
|
-
|
37
|
+
specific_validator = VALIDATORS.find { |validator| validator::RULE_NAME == patcher&.rule_id }
|
38
|
+
return specific_validator.valid?(patcher, object, ret, args) if specific_validator
|
39
|
+
|
38
40
|
true
|
39
41
|
end
|
40
42
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -8,26 +8,17 @@ module Contrast
|
|
8
8
|
module TriggerValidation
|
9
9
|
# Validator used to assert a Reflected XSS finding is actually
|
10
10
|
# vulnerable before serializing that finding as a DTM to report to
|
11
|
-
# the
|
11
|
+
# the TeamServer.
|
12
12
|
module XSSValidator
|
13
|
-
|
14
|
-
SAFE_CONTENT_TYPES = %w[
|
15
|
-
/csv
|
16
|
-
/javascript
|
17
|
-
/json
|
18
|
-
/pdf
|
19
|
-
/x-javascript
|
20
|
-
/x-json
|
21
|
-
].cs__freeze
|
13
|
+
RULE_NAME = 'reflected-xss'
|
14
|
+
SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze
|
22
15
|
|
23
16
|
# A finding is valid for XSS if the response type is not one of
|
24
17
|
# those assumed to be safe
|
25
18
|
# https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
|
26
|
-
def self.valid?
|
27
|
-
return true unless XSS_RULE == patcher&.rule_id
|
28
|
-
|
19
|
+
def self.valid? _patcher, _object, _ret, _args
|
29
20
|
content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
|
30
|
-
return
|
21
|
+
return false unless content_type
|
31
22
|
|
32
23
|
content_type = content_type.downcase
|
33
24
|
SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
|