contrast-agent 3.9.1 → 6.15.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.dockerignore +0 -1
- data/.flayignore +1 -0
- data/.gitignore +8 -5
- data/.gitmodules +0 -3
- data/.rspec +0 -1
- data/.rspec_parallel +6 -0
- data/.simplecov +6 -2
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +5 -2
- data/ext/build_funchook.rb +16 -13
- data/ext/cs__assess_array/cs__assess_array.c +50 -6
- data/ext/cs__assess_array/cs__assess_array.h +5 -1
- data/ext/cs__assess_array/extconf.rb +3 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +39 -17
- data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
- data/ext/cs__assess_basic_object/extconf.rb +3 -0
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +9 -13
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -4
- data/ext/cs__assess_fiber_track/extconf.rb +3 -0
- data/ext/cs__assess_hash/cs__assess_hash.c +46 -21
- data/ext/cs__assess_hash/cs__assess_hash.h +5 -6
- data/ext/cs__assess_hash/extconf.rb +3 -0
- data/ext/cs__assess_kernel/cs__assess_kernel.c +29 -15
- data/ext/cs__assess_kernel/cs__assess_kernel.h +3 -0
- data/ext/cs__assess_kernel/extconf.rb +3 -0
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +57 -23
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +6 -3
- data/ext/cs__assess_marshal_module/extconf.rb +3 -0
- data/ext/cs__assess_module/cs__assess_module.c +82 -22
- data/ext/cs__assess_module/cs__assess_module.h +10 -0
- data/ext/cs__assess_module/extconf.rb +3 -0
- data/ext/cs__assess_regexp/cs__assess_regexp.c +28 -9
- data/ext/cs__assess_regexp/cs__assess_regexp.h +3 -0
- data/ext/cs__assess_regexp/extconf.rb +3 -0
- data/ext/cs__assess_string/cs__assess_string.c +53 -21
- data/ext/cs__assess_string/cs__assess_string.h +7 -1
- data/ext/cs__assess_string/extconf.rb +3 -0
- data/ext/cs__assess_string_interpolation/cs__assess_string_interpolation.c +39 -0
- data/ext/cs__assess_string_interpolation/cs__assess_string_interpolation.h +13 -0
- data/ext/cs__assess_string_interpolation/extconf.rb +5 -0
- data/ext/cs__assess_test/cs__assess_test.h +9 -0
- data/ext/cs__assess_test/cs__assess_tests.c +22 -0
- data/ext/cs__assess_test/extconf.rb +5 -0
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +4 -8
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -2
- data/ext/cs__assess_yield_track/extconf.rb +3 -0
- data/ext/cs__common/cs__common.c +240 -4
- data/ext/cs__common/cs__common.h +68 -1
- data/ext/cs__common/extconf.rb +3 -16
- data/ext/cs__contrast_patch/cs__contrast_patch.c +162 -83
- data/ext/cs__contrast_patch/cs__contrast_patch.h +11 -15
- data/ext/cs__contrast_patch/extconf.rb +3 -0
- data/ext/cs__os_information/cs__os_information.c +34 -0
- data/ext/cs__os_information/cs__os_information.h +7 -0
- data/ext/cs__os_information/extconf.rb +5 -0
- data/ext/cs__scope/cs__scope.c +980 -0
- data/ext/cs__scope/cs__scope.h +90 -0
- data/ext/cs__scope/extconf.rb +5 -0
- data/ext/cs__tests/cs__tests.c +12 -0
- data/ext/cs__tests/cs__tests.h +3 -0
- data/ext/cs__tests/extconf.rb +5 -0
- data/ext/extconf_common.rb +4 -34
- data/lib/contrast/agent/assess/assess.rb +23 -0
- data/lib/contrast/agent/assess/contrast_object.rb +54 -0
- data/lib/contrast/agent/assess/events/event_data.rb +30 -0
- data/lib/contrast/agent/assess/finalizers/freeze.rb +15 -0
- data/lib/contrast/agent/assess/finalizers/hash.rb +107 -0
- data/lib/contrast/agent/{module_data.rb → assess/module_data.rb} +5 -4
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +23 -48
- data/lib/contrast/agent/assess/policy/patcher.rb +13 -48
- data/lib/contrast/agent/assess/policy/policy.rb +20 -23
- data/lib/contrast/agent/assess/policy/policy_node.rb +97 -200
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +50 -0
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +15 -12
- data/lib/contrast/agent/assess/policy/preshift.rb +49 -18
- data/lib/contrast/agent/assess/policy/propagation_method.rb +200 -194
- data/lib/contrast/agent/assess/policy/propagation_node.rb +49 -41
- data/lib/contrast/agent/assess/policy/propagator/append.rb +32 -15
- data/lib/contrast/agent/assess/policy/propagator/base.rb +5 -3
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +119 -0
- data/lib/contrast/agent/assess/policy/propagator/center.rb +12 -8
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +7 -3
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +33 -25
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +15 -11
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +23 -6
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/next.rb +7 -6
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +13 -6
- data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +53 -41
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +5 -3
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +7 -6
- data/lib/contrast/agent/assess/policy/propagator/select.rb +45 -36
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +44 -21
- data/lib/contrast/agent/assess/policy/propagator/split.rb +133 -147
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +7 -132
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +190 -0
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +74 -52
- data/lib/contrast/agent/assess/policy/propagator.rb +21 -18
- data/lib/contrast/agent/assess/policy/source_method.rb +126 -188
- data/lib/contrast/agent/assess/policy/source_node.rb +3 -17
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +9 -7
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +3 -5
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +103 -0
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
- data/lib/contrast/agent/assess/policy/trigger_method.rb +143 -206
- data/lib/contrast/agent/assess/policy/trigger_node.rb +144 -66
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +98 -0
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +8 -38
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +9 -7
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +6 -15
- data/lib/contrast/agent/assess/properties.rb +15 -383
- data/lib/contrast/agent/assess/property/evented.rb +58 -0
- data/lib/contrast/agent/assess/property/tagged.rb +246 -0
- data/lib/contrast/agent/assess/property/updated.rb +131 -0
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +58 -19
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +22 -17
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +93 -81
- data/lib/contrast/agent/assess/rule/provider.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +69 -0
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +121 -0
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +107 -0
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +195 -0
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +100 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +34 -0
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +36 -0
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +61 -0
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +34 -0
- data/lib/contrast/agent/assess/tag.rb +84 -41
- data/lib/contrast/agent/assess/tracker.rb +70 -0
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +11 -6
- data/lib/contrast/agent/deadzone/policy/policy.rb +11 -7
- data/lib/contrast/agent/excluder/excluder.rb +306 -0
- data/lib/contrast/agent/excluder/exclusion_matcher.rb +112 -0
- data/lib/contrast/agent/hooks/at_exit_hook.rb +44 -0
- data/lib/contrast/agent/hooks/tracepoint_hook.rb +57 -0
- data/lib/contrast/agent/inventory/database_config.rb +175 -0
- data/lib/contrast/agent/inventory/dependencies.rb +52 -0
- data/lib/contrast/agent/inventory/dependency_analysis.rb +34 -0
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +120 -0
- data/lib/contrast/agent/inventory/inventory.rb +14 -0
- data/lib/contrast/agent/inventory/policy/datastores.rb +51 -0
- data/lib/contrast/agent/inventory/policy/policy.rb +5 -5
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +2 -2
- data/lib/contrast/agent/middleware/middleware.rb +214 -0
- data/lib/contrast/agent/middleware/static_analysis.rb +51 -0
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +22 -11
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +103 -52
- data/lib/contrast/agent/patching/policy/method_policy.rb +38 -62
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +117 -0
- data/lib/contrast/agent/patching/policy/module_policy.rb +27 -47
- data/lib/contrast/agent/patching/policy/patch.rb +129 -254
- data/lib/contrast/agent/patching/policy/patch_status.rb +21 -43
- data/lib/contrast/agent/patching/policy/patcher.rb +125 -159
- data/lib/contrast/agent/patching/policy/policy.rb +63 -58
- data/lib/contrast/agent/patching/policy/policy_node.rb +55 -37
- data/lib/contrast/agent/patching/policy/trigger_node.rb +32 -16
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +165 -0
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +122 -0
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +67 -0
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +97 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +72 -0
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +141 -0
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +58 -0
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +125 -0
- data/lib/contrast/agent/protect/policy/policy.rb +10 -10
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +119 -0
- data/lib/contrast/agent/protect/policy/trigger_node.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +274 -173
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker.rb +89 -0
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmd_injection.rb +86 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +90 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +170 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +63 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +62 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +27 -0
- data/lib/contrast/agent/protect/rule/default_scanner.rb +69 -25
- data/lib/contrast/agent/protect/rule/{deserialization.rb → deserialization/deserialization.rb} +29 -24
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -3
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli.rb +105 -0
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +226 -0
- data/lib/contrast/agent/protect/rule/{path_traversal.rb → path_traversal/path_traversal.rb} +48 -55
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +139 -0
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -3
- data/lib/contrast/agent/protect/rule/sqli/sql_sample_builder.rb +154 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli.rb +101 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +37 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +27 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb +67 -0
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload.rb +56 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +62 -0
- data/lib/contrast/agent/protect/rule/utils/builders.rb +111 -0
- data/lib/contrast/agent/protect/rule/utils/filters.rb +110 -0
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
- data/lib/contrast/agent/protect/rule/xss/xss.rb +50 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +25 -21
- data/lib/contrast/agent/protect/rule/xxe/xxe.rb +149 -0
- data/lib/contrast/agent/protect/rule.rb +20 -27
- data/lib/contrast/agent/reactions/disable_reaction.rb +20 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +71 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +86 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +97 -0
- data/lib/contrast/agent/reporting/connection_status.rb +45 -0
- data/lib/contrast/agent/reporting/details/bot_blocker_details.rb +29 -0
- data/lib/contrast/agent/reporting/details/cmd_injection_details.rb +30 -0
- data/lib/contrast/agent/reporting/details/details.rb +17 -0
- data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +35 -0
- data/lib/contrast/agent/reporting/details/no_sqli_details.rb +36 -0
- data/lib/contrast/agent/reporting/details/path_traversal_details.rb +24 -0
- data/lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb +32 -0
- data/lib/contrast/agent/reporting/details/protect_rule_details.rb +17 -0
- data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb +22 -0
- data/lib/contrast/agent/reporting/details/sqli_details.rb +36 -0
- data/lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb +27 -0
- data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +30 -0
- data/lib/contrast/agent/reporting/details/xss_details.rb +33 -0
- data/lib/contrast/agent/reporting/details/xss_match.rb +30 -0
- data/lib/contrast/agent/reporting/details/xxe_details.rb +36 -0
- data/lib/contrast/agent/reporting/details/xxe_match.rb +25 -0
- data/lib/contrast/agent/reporting/details/xxe_wrapper.rb +25 -0
- data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
- data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +55 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +129 -0
- data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +258 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +33 -0
- data/lib/contrast/agent/reporting/report.rb +32 -0
- data/lib/contrast/agent/reporting/reporter.rb +163 -0
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +34 -0
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +120 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +101 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +79 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +101 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +74 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +78 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +43 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +57 -0
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +37 -0
- data/lib/contrast/agent/reporting/reporting_events/application_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +44 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +55 -0
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +122 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +201 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +442 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +96 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +45 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +47 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +99 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb +65 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb +67 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range_tags.rb +105 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +126 -0
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +89 -0
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +48 -0
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +37 -0
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +83 -0
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +23 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +52 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_events/reportable_hash.rb +47 -0
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +35 -0
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +87 -0
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +59 -0
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +35 -0
- data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +133 -0
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +176 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +57 -0
- data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb +137 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +138 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +161 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +98 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +149 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +118 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +393 -0
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +46 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb +14 -0
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +46 -0
- data/lib/contrast/agent/reporting/settings/application_settings.rb +61 -0
- data/lib/contrast/agent/reporting/settings/assess.rb +58 -0
- data/lib/contrast/agent/reporting/settings/assess_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +114 -0
- data/lib/contrast/agent/reporting/settings/bot_blocker.rb +68 -0
- data/lib/contrast/agent/reporting/settings/exclusion_base.rb +129 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +86 -0
- data/lib/contrast/agent/reporting/settings/helpers.rb +101 -0
- data/lib/contrast/agent/reporting/settings/input_exclusion.rb +87 -0
- data/lib/contrast/agent/reporting/settings/ip_filter.rb +35 -0
- data/lib/contrast/agent/reporting/settings/keyword.rb +74 -0
- data/lib/contrast/agent/reporting/settings/log_enhancer.rb +65 -0
- data/lib/contrast/agent/reporting/settings/protect.rb +111 -0
- data/lib/contrast/agent/reporting/settings/protect_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +227 -0
- data/lib/contrast/agent/reporting/settings/reaction.rb +39 -0
- data/lib/contrast/agent/reporting/settings/rule_definition.rb +66 -0
- data/lib/contrast/agent/reporting/settings/sampling.rb +46 -0
- data/lib/contrast/agent/reporting/settings/sanitizer.rb +38 -0
- data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +118 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +65 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +95 -0
- data/lib/contrast/agent/reporting/settings/syslog.rb +205 -0
- data/lib/contrast/agent/reporting/settings/url_exclusion.rb +18 -0
- data/lib/contrast/agent/reporting/settings/validator.rb +17 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch.rb +56 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb +47 -0
- data/lib/contrast/agent/request/request.rb +189 -0
- data/lib/contrast/agent/request/request_context.rb +143 -0
- data/lib/contrast/agent/request/request_context_extend.rb +105 -0
- data/lib/contrast/agent/request/request_handler.rb +41 -0
- data/lib/contrast/agent/response/response.rb +87 -0
- data/lib/contrast/agent/scope/scope.rb +158 -0
- data/lib/contrast/agent/telemetry/base.rb +171 -0
- data/lib/contrast/agent/telemetry/client.rb +111 -0
- data/lib/contrast/agent/telemetry/event.rb +35 -0
- data/lib/contrast/agent/telemetry/exception/base.rb +61 -0
- data/lib/contrast/agent/telemetry/exception/event.rb +46 -0
- data/lib/contrast/agent/telemetry/exception/message.rb +118 -0
- data/lib/contrast/agent/telemetry/exception/message_exception.rb +86 -0
- data/lib/contrast/agent/telemetry/exception/stack_frame.rb +67 -0
- data/lib/contrast/agent/telemetry/exception.rb +19 -0
- data/lib/contrast/agent/telemetry/hash.rb +71 -0
- data/lib/contrast/agent/telemetry/identifier.rb +153 -0
- data/lib/contrast/agent/telemetry/metric_event.rb +28 -0
- data/lib/contrast/agent/telemetry/startup_metrics_event.rb +123 -0
- data/lib/contrast/agent/telemetry/telemetry.rb +109 -0
- data/lib/contrast/agent/{thread.rb → thread/thread.rb} +4 -6
- data/lib/contrast/agent/thread/thread_watcher.rb +126 -0
- data/lib/contrast/agent/thread/worker_thread.rb +42 -0
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent.rb +96 -57
- data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
- data/lib/contrast/agent_lib/api/init.rb +95 -0
- data/lib/contrast/agent_lib/api/input_tracing.rb +265 -0
- data/lib/contrast/agent_lib/api/panic.rb +87 -0
- data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
- data/lib/contrast/agent_lib/interface.rb +245 -0
- data/lib/contrast/agent_lib/interface_base.rb +131 -0
- data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
- data/lib/contrast/agent_lib/test.rb +29 -0
- data/lib/contrast/components/agent.rb +104 -48
- data/lib/contrast/components/api.rb +159 -0
- data/lib/contrast/components/app_context.rb +125 -98
- data/lib/contrast/components/app_context_extend.rb +53 -0
- data/lib/contrast/components/assess.rb +210 -24
- data/lib/contrast/components/assess_rules.rb +54 -0
- data/lib/contrast/components/base.rb +103 -0
- data/lib/contrast/components/config/sources.rb +95 -0
- data/lib/contrast/components/config.rb +182 -60
- data/lib/contrast/components/heap_dump.rb +77 -12
- data/lib/contrast/components/inventory.rb +37 -10
- data/lib/contrast/components/logger.rb +46 -76
- data/lib/contrast/components/polling.rb +39 -0
- data/lib/contrast/components/protect.rb +142 -16
- data/lib/contrast/components/ruby_component.rb +135 -0
- data/lib/contrast/components/rule_set.rb +52 -0
- data/lib/contrast/components/sampling.rb +156 -15
- data/lib/contrast/components/scope.rb +125 -116
- data/lib/contrast/components/security_logger.rb +36 -0
- data/lib/contrast/components/settings.rb +239 -88
- data/lib/contrast/config/api_proxy_configuration.rb +27 -0
- data/lib/contrast/config/base_configuration.rb +20 -94
- data/lib/contrast/config/certification_configuration.rb +47 -0
- data/lib/contrast/config/config.rb +48 -0
- data/lib/contrast/config/diagnostics.rb +123 -0
- data/lib/contrast/config/diagnostics_tools.rb +99 -0
- data/lib/contrast/config/effective_config.rb +131 -0
- data/lib/contrast/config/effective_config_value.rb +32 -0
- data/lib/contrast/config/env_variables.rb +18 -0
- data/lib/contrast/config/exception_configuration.rb +34 -12
- data/lib/contrast/config/protect_rule_configuration.rb +45 -24
- data/lib/contrast/config/protect_rules_configuration.rb +97 -22
- data/lib/contrast/config/request_audit_configuration.rb +57 -0
- data/lib/contrast/config/server_configuration.rb +67 -15
- data/lib/contrast/config/validate.rb +140 -0
- data/lib/contrast/config/yaml_file.rb +129 -0
- data/lib/contrast/config.rb +6 -22
- data/lib/contrast/configuration.rb +241 -109
- data/lib/contrast/extension/assess/array.rb +75 -0
- data/lib/contrast/extension/assess/erb.rb +61 -0
- data/lib/contrast/extension/assess/eval_trigger.rb +47 -0
- data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +9 -21
- data/lib/contrast/extension/assess/fiber.rb +95 -0
- data/lib/contrast/extension/assess/hash.rb +33 -0
- data/lib/contrast/extension/assess/kernel.rb +124 -0
- data/lib/contrast/extension/assess/marshal.rb +80 -0
- data/lib/contrast/extension/assess/regexp.rb +71 -0
- data/lib/contrast/extension/assess/string.rb +85 -0
- data/lib/contrast/extension/assess.rb +47 -0
- data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +3 -1
- data/lib/contrast/extension/extension.rb +59 -0
- data/lib/contrast/extension/inventory.rb +21 -0
- data/lib/contrast/{extensions/ruby_core → extension}/module.rb +2 -3
- data/lib/contrast/extension/object.rb +19 -0
- data/lib/contrast/extension/protect/psych.rb +7 -0
- data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +6 -6
- data/lib/contrast/extension/thread.rb +50 -0
- data/lib/contrast/framework/base_support.rb +69 -54
- data/lib/contrast/framework/grape/support.rb +176 -0
- data/lib/contrast/framework/manager.rb +112 -60
- data/lib/contrast/framework/manager_extend.rb +50 -0
- data/lib/contrast/framework/rack/patch/session_cookie.rb +108 -0
- data/lib/contrast/framework/rack/patch/support.rb +26 -0
- data/lib/contrast/framework/rack/support.rb +23 -0
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +46 -0
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +98 -0
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
- data/lib/contrast/framework/rails/patch/support.rb +46 -0
- data/lib/contrast/framework/rails/railtie.rb +33 -0
- data/lib/contrast/framework/rails/support.rb +187 -0
- data/lib/contrast/framework/sinatra/patch/encrypted_session_cookie.rb +39 -0
- data/lib/contrast/framework/sinatra/support.rb +162 -0
- data/lib/contrast/funchook/funchook.rb +44 -0
- data/lib/contrast/logger/aliased_logging.rb +158 -0
- data/lib/contrast/logger/application.rb +84 -0
- data/lib/contrast/logger/cef_log.rb +169 -0
- data/lib/contrast/logger/format.rb +61 -0
- data/lib/contrast/logger/log.rb +90 -0
- data/lib/contrast/logger/request.rb +25 -0
- data/lib/contrast/logger/time.rb +57 -0
- data/lib/contrast/security_exception.rb +2 -2
- data/lib/contrast/tasks/config.rb +33 -0
- data/lib/contrast/utils/assess/event_limit_utils.rb +134 -0
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +155 -0
- data/lib/contrast/utils/assess/property/tagged_utils.rb +165 -0
- data/lib/contrast/utils/assess/sampling_util.rb +11 -17
- data/lib/contrast/utils/assess/source_method_utils.rb +74 -0
- data/lib/contrast/utils/assess/split_utils.rb +23 -0
- data/lib/contrast/utils/assess/tracking_util.rb +96 -18
- data/lib/contrast/utils/assess/trigger_method_utils.rb +132 -0
- data/lib/contrast/utils/class_util.rb +80 -48
- data/lib/contrast/utils/duck_utils.rb +18 -9
- data/lib/contrast/utils/env_configuration_item.rb +4 -3
- data/lib/contrast/utils/findings.rb +66 -0
- data/lib/contrast/utils/hash_digest.rb +52 -99
- data/lib/contrast/utils/hash_digest_extend.rb +129 -0
- data/lib/contrast/utils/head_dump_utils_extend.rb +74 -0
- data/lib/contrast/utils/heap_dump_util.rb +44 -88
- data/lib/contrast/utils/input_classification_base.rb +169 -0
- data/lib/contrast/utils/invalid_configuration_util.rb +31 -45
- data/lib/contrast/utils/io_util.rb +47 -51
- data/lib/contrast/utils/job_servers_running.rb +21 -11
- data/lib/contrast/utils/log_utils.rb +254 -0
- data/lib/contrast/utils/lru_cache.rb +48 -0
- data/lib/contrast/utils/metrics_hash.rb +59 -0
- data/lib/contrast/utils/middleware_utils.rb +97 -0
- data/lib/contrast/utils/net_http_base.rb +173 -0
- data/lib/contrast/utils/object_share.rb +8 -48
- data/lib/contrast/utils/os.rb +14 -24
- data/lib/contrast/utils/patching/policy/patch_utils.rb +175 -0
- data/lib/contrast/utils/patching/policy/patcher_utils.rb +54 -0
- data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +89 -0
- data/lib/contrast/utils/request_utils.rb +96 -0
- data/lib/contrast/utils/resource_loader.rb +2 -2
- data/lib/contrast/utils/response_utils.rb +79 -0
- data/lib/contrast/utils/routes_sent.rb +63 -0
- data/lib/contrast/utils/sha256_builder.rb +9 -21
- data/lib/contrast/utils/silence_maker.rb +16 -0
- data/lib/contrast/utils/stack_trace_utils.rb +68 -184
- data/lib/contrast/utils/string_utils.rb +82 -52
- data/lib/contrast/utils/tag_util.rb +58 -44
- data/lib/contrast/utils/thread_tracker.rb +27 -23
- data/lib/contrast/utils/timer.rb +20 -55
- data/lib/contrast-agent.rb +2 -2
- data/lib/contrast.rb +106 -43
- data/resources/assess/policy.json +481 -120
- data/resources/deadzone/policy.json +280 -10
- data/resources/inventory/policy.json +2 -2
- data/resources/protect/policy.json +36 -17
- data/ruby-agent.gemspec +116 -46
- data/sonar-project.properties +9 -0
- metadata +694 -317
- data/exe/contrast_service +0 -29
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +0 -47
- data/ext/cs__assess_active_record_named/cs__active_record_named.h +0 -10
- data/ext/cs__assess_active_record_named/extconf.rb +0 -2
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
- data/ext/cs__assess_regexp_track/extconf.rb +0 -2
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +0 -31
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +0 -13
- data/ext/cs__assess_string_interpolation26/extconf.rb +0 -2
- data/ext/cs__protect_kernel/cs__protect_kernel.c +0 -37
- data/ext/cs__protect_kernel/cs__protect_kernel.h +0 -11
- data/ext/cs__protect_kernel/extconf.rb +0 -2
- data/funchook/Makefile +0 -29
- data/funchook/autom4te.cache/output.0 +0 -4976
- data/funchook/autom4te.cache/requests +0 -78
- data/funchook/autom4te.cache/traces.0 +0 -364
- data/funchook/config.log +0 -490
- data/funchook/config.status +0 -1016
- data/funchook/configure +0 -4976
- data/funchook/src/Makefile +0 -70
- data/funchook/src/config.h +0 -101
- data/funchook/src/config.h.in +0 -100
- data/funchook/src/decoder.o +0 -0
- data/funchook/src/distorm.o +0 -0
- data/funchook/src/funchook.o +0 -0
- data/funchook/src/funchook_io.o +0 -0
- data/funchook/src/funchook_syscall.o +0 -0
- data/funchook/src/funchook_unix.o +0 -0
- data/funchook/src/funchook_x86.o +0 -0
- data/funchook/src/instructions.o +0 -0
- data/funchook/src/insts.o +0 -0
- data/funchook/src/libfunchook.so +0 -0
- data/funchook/src/mnemonics.o +0 -0
- data/funchook/src/operands.o +0 -0
- data/funchook/src/os_func.o +0 -0
- data/funchook/src/os_func_unix.o +0 -0
- data/funchook/src/prefix.o +0 -0
- data/funchook/src/printf_base.o +0 -0
- data/funchook/src/textdefs.o +0 -0
- data/funchook/src/wstring.o +0 -0
- data/funchook/test/Makefile +0 -43
- data/funchook/test/funchook_test +0 -0
- data/funchook/test/libfunchook_test.so +0 -0
- data/funchook/test/test_main.o +0 -0
- data/funchook/test/x86_64_test.o +0 -0
- data/lib/contrast/agent/assess/adjusted_span.rb +0 -25
- data/lib/contrast/agent/assess/contrast_event.rb +0 -399
- data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
- data/lib/contrast/agent/assess/insulator.rb +0 -53
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +0 -80
- data/lib/contrast/agent/assess/rule/base.rb +0 -72
- data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
- data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
- data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
- data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
- data/lib/contrast/agent/assess/rule/redos.rb +0 -68
- data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
- data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
- data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
- data/lib/contrast/agent/assess/rule.rb +0 -18
- data/lib/contrast/agent/assess.rb +0 -44
- data/lib/contrast/agent/at_exit_hook.rb +0 -33
- data/lib/contrast/agent/class_reopener.rb +0 -238
- data/lib/contrast/agent/disable_reaction.rb +0 -24
- data/lib/contrast/agent/exclusion_matcher.rb +0 -190
- data/lib/contrast/agent/feature_state.rb +0 -379
- data/lib/contrast/agent/logger_manager.rb +0 -116
- data/lib/contrast/agent/middleware.rb +0 -350
- data/lib/contrast/agent/protect/rule/base_service.rb +0 -88
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +0 -156
- data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
- data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
- data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -80
- data/lib/contrast/agent/protect/rule/no_sqli.rb +0 -101
- data/lib/contrast/agent/protect/rule/sqli.rb +0 -101
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +0 -20
- data/lib/contrast/agent/protect/rule/xss.rb +0 -24
- data/lib/contrast/agent/protect/rule/xxe.rb +0 -120
- data/lib/contrast/agent/railtie.rb +0 -36
- data/lib/contrast/agent/reaction_processor.rb +0 -47
- data/lib/contrast/agent/request.rb +0 -475
- data/lib/contrast/agent/request_context.rb +0 -225
- data/lib/contrast/agent/require_state.rb +0 -61
- data/lib/contrast/agent/response.rb +0 -215
- data/lib/contrast/agent/rewriter.rb +0 -245
- data/lib/contrast/agent/scope.rb +0 -125
- data/lib/contrast/agent/service_heartbeat.rb +0 -40
- data/lib/contrast/agent/settings_state.rb +0 -152
- data/lib/contrast/agent/socket_client.rb +0 -128
- data/lib/contrast/agent/tracepoint_hook.rb +0 -51
- data/lib/contrast/api/connection_status.rb +0 -49
- data/lib/contrast/api/dtm_pb.rb +0 -718
- data/lib/contrast/api/settings_pb.rb +0 -416
- data/lib/contrast/api/socket.rb +0 -43
- data/lib/contrast/api/speedracer.rb +0 -186
- data/lib/contrast/api/tcp_socket.rb +0 -31
- data/lib/contrast/api/unix_socket.rb +0 -25
- data/lib/contrast/api.rb +0 -18
- data/lib/contrast/common_agent_configuration.rb +0 -86
- data/lib/contrast/components/contrast_service.rb +0 -117
- data/lib/contrast/components/interface.rb +0 -178
- data/lib/contrast/config/agent_configuration.rb +0 -24
- data/lib/contrast/config/application_configuration.rb +0 -27
- data/lib/contrast/config/assess_configuration.rb +0 -22
- data/lib/contrast/config/assess_rules_configuration.rb +0 -18
- data/lib/contrast/config/default_value.rb +0 -16
- data/lib/contrast/config/heap_dump_configuration.rb +0 -23
- data/lib/contrast/config/inventory_configuration.rb +0 -20
- data/lib/contrast/config/logger_configuration.rb +0 -20
- data/lib/contrast/config/protect_configuration.rb +0 -20
- data/lib/contrast/config/root_configuration.rb +0 -26
- data/lib/contrast/config/ruby_configuration.rb +0 -44
- data/lib/contrast/config/sampling_configuration.rb +0 -22
- data/lib/contrast/config/service_configuration.rb +0 -22
- data/lib/contrast/delegators/application_update.rb +0 -32
- data/lib/contrast/delegators.rb +0 -9
- data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
- data/lib/contrast/extensions/framework/rack/request.rb +0 -24
- data/lib/contrast/extensions/framework/rack/response.rb +0 -23
- data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
- data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
- data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
- data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
- data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
- data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
- data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
- data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
- data/lib/contrast/extensions/ruby_core/assess/assess_extension.rb +0 -143
- data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
- data/lib/contrast/extensions/ruby_core/assess/erb.rb +0 -42
- data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
- data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
- data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
- data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
- data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
- data/lib/contrast/extensions/ruby_core/assess/string.rb +0 -75
- data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
- data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
- data/lib/contrast/extensions/ruby_core/assess.rb +0 -52
- data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
- data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
- data/lib/contrast/extensions/ruby_core/inventory.rb +0 -22
- data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
- data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
- data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
- data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
- data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
- data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
- data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
- data/lib/contrast/extensions/ruby_core/protect/psych.rb +0 -7
- data/lib/contrast/extensions/ruby_core/thread.rb +0 -31
- data/lib/contrast/framework/platform_version.rb +0 -21
- data/lib/contrast/framework/rails_support.rb +0 -88
- data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
- data/lib/contrast/framework/sinatra_support.rb +0 -94
- data/lib/contrast/framework/view_technologies_descriptor.rb +0 -20
- data/lib/contrast/internal_exception.rb +0 -8
- data/lib/contrast/tasks/service.rb +0 -95
- data/lib/contrast/utils/boolean_util.rb +0 -33
- data/lib/contrast/utils/cache.rb +0 -69
- data/lib/contrast/utils/comment_range.rb +0 -19
- data/lib/contrast/utils/data_store_util.rb +0 -23
- data/lib/contrast/utils/environment_util.rb +0 -82
- data/lib/contrast/utils/freeze_util.rb +0 -32
- data/lib/contrast/utils/gemfile_reader.rb +0 -191
- data/lib/contrast/utils/inventory_util.rb +0 -126
- data/lib/contrast/utils/performs_logging.rb +0 -152
- data/lib/contrast/utils/preflight_util.rb +0 -13
- data/lib/contrast/utils/prevent_serialization.rb +0 -52
- data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
- data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
- data/lib/contrast/utils/random_util.rb +0 -22
- data/lib/contrast/utils/ruby_ast_rewriter.rb +0 -74
- data/lib/contrast/utils/service_response_util.rb +0 -110
- data/lib/contrast/utils/service_sender_util.rb +0 -106
- data/lib/contrast/utils/sinatra_helper.rb +0 -55
- data/resources/csrf/inject.js +0 -44
- data/resources/factory-bot-spec/spec_helper.rb +0 -30
- data/resources/rubocops/kernel/catch_cop.rb +0 -37
- data/resources/rubocops/kernel/require_cop.rb +0 -37
- data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
- data/resources/rubocops/module/autoload_cop.rb +0 -37
- data/resources/rubocops/module/const_defined_cop.rb +0 -37
- data/resources/rubocops/module/const_get_cop.rb +0 -37
- data/resources/rubocops/module/const_set_cop.rb +0 -37
- data/resources/rubocops/module/constants_cop.rb +0 -37
- data/resources/rubocops/module/name_cop.rb +0 -37
- data/resources/rubocops/object/class_cop.rb +0 -37
- data/resources/rubocops/object/freeze_cop.rb +0 -37
- data/resources/rubocops/object/frozen_cop.rb +0 -37
- data/resources/rubocops/object/is_a_cop.rb +0 -37
- data/resources/rubocops/object/method_cop.rb +0 -37
- data/resources/rubocops/object/respond_to_cop.rb +0 -37
- data/resources/rubocops/object/singleton_class_cop.rb +0 -37
- data/resources/rubocops/regexp/spelling_cop.rb +0 -44
- data/resources/rubocops/thread/new_cop.rb +0 -39
- data/resources/ruby-spec/ancestors_spec.rb +0 -70
- data/resources/ruby-spec/modulo_spec.rb +0 -831
- data/resources/ruby-spec/parameters_spec.rb +0 -261
- data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
- data/service_executables/.gitkeep +0 -0
- data/service_executables/VERSION +0 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- data/shared_libraries/funchook.h +0 -123
- data/shared_libraries/libfunchook.so +0 -0
@@ -0,0 +1,195 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
5
|
+
require 'contrast/agent/assess/rule/response/body_rule'
|
6
|
+
require 'contrast/utils/object_share'
|
7
|
+
require 'contrast/utils/string_utils'
|
8
|
+
require 'json'
|
9
|
+
|
10
|
+
module Contrast
|
11
|
+
module Agent
|
12
|
+
module Assess
|
13
|
+
module Rule
|
14
|
+
module Response
|
15
|
+
# These rules check the content of the HTTP Response to determine if the body or the headers include and/or
|
16
|
+
# set incorrectly the cache-control header
|
17
|
+
class CacheControl < HeaderRule
|
18
|
+
include BodyRule
|
19
|
+
HEADER_KEYS = %w[Cache-Control].cs__freeze
|
20
|
+
ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
|
21
|
+
DEFAULT_SAFE = false
|
22
|
+
META_START_STR = /<meta/i.cs__freeze
|
23
|
+
HEAD_TAG = /<head>/i.cs__freeze
|
24
|
+
NAME = 'cache-control'
|
25
|
+
|
26
|
+
def rule_id
|
27
|
+
'cache-controls-missing'
|
28
|
+
end
|
29
|
+
|
30
|
+
protected
|
31
|
+
|
32
|
+
# Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
|
33
|
+
#
|
34
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
35
|
+
# @return [Hash<String,Array<Hash<String,String>>>, nil] the evidence required to prove the violation of
|
36
|
+
# the rule
|
37
|
+
def violated? response
|
38
|
+
cache_header = cache_control_from(response)
|
39
|
+
cache_meta = cache_meta_tags(response)
|
40
|
+
|
41
|
+
has_header = cache_header && !cache_header.blank?
|
42
|
+
has_meta = cache_meta.any?
|
43
|
+
# Because we're not safe by default, the rule should never hit this case, but we'll handle it just in
|
44
|
+
# case.
|
45
|
+
return { DATA => Contrast::Utils::ObjectShare::EMPTY_ARRAY.to_json } unless has_header || has_meta
|
46
|
+
|
47
|
+
evidence = []
|
48
|
+
# If we have a header tag, then we need to make sure it is set safely. If it is, there'll be no evidence
|
49
|
+
# and we can return as the header prevents violation.
|
50
|
+
if has_header
|
51
|
+
header_evidence = header_evidence(cache_header)
|
52
|
+
return unless header_evidence
|
53
|
+
|
54
|
+
evidence << header_evidence
|
55
|
+
end
|
56
|
+
|
57
|
+
# If we have no header, or an unsafe header, then we need to check the meta tag to make sure it is set
|
58
|
+
# safely. If it is, there'll be no evidence and we can return as the meta tag prevents violation.
|
59
|
+
if has_meta
|
60
|
+
tag_evidence = tag_evidence(cache_meta)
|
61
|
+
return unless tag_evidence
|
62
|
+
|
63
|
+
evidence << tag_evidence
|
64
|
+
end
|
65
|
+
|
66
|
+
# Otherwise, we'll report the violation.
|
67
|
+
{ DATA => evidence.to_json }
|
68
|
+
end
|
69
|
+
|
70
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
71
|
+
# @return [Array<Hash<String,String>]
|
72
|
+
def cache_meta_tags response
|
73
|
+
html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR).
|
74
|
+
select { |tag| cache_control_tag?(tag[HTML_PROP]) }
|
75
|
+
end
|
76
|
+
|
77
|
+
# Process Header value to determine if it violates rule
|
78
|
+
# @param cache_control [String] the value of the Cache-Control header
|
79
|
+
# @return [Hash<String,String>, nil] the evidence hash or nil
|
80
|
+
def header_evidence cache_control
|
81
|
+
# If header is valid, then this portion of the rule isn't violated.
|
82
|
+
return if valid_header?(cache_control)
|
83
|
+
|
84
|
+
# evidence requires header value string, pull directly instead of rebuilding from hash
|
85
|
+
evidence(HEADER_TYPE, NAME, cache_control)
|
86
|
+
end
|
87
|
+
|
88
|
+
# Process Body to determine if cache control meta tag violates rule
|
89
|
+
# @param cache_meta_tags [Array<Hash>] the meta tags which contain Cache-Control values
|
90
|
+
# @return [Hash<String,String>, nil] the evidence hash or nil
|
91
|
+
def tag_evidence cache_meta_tags
|
92
|
+
violation = cache_meta_tags.find { |tag| !safe_meta_cache_tag?(tag[HTML_PROP]) }
|
93
|
+
violation ? evidence(META_TYPE, PRAGMA, violation[HTML_PROP]) : nil
|
94
|
+
end
|
95
|
+
|
96
|
+
def potential_elements section, element_start
|
97
|
+
section.split(element_start)
|
98
|
+
end
|
99
|
+
|
100
|
+
def accepted_http_values
|
101
|
+
[/'cache-control'/i, /"cache-control"/i]
|
102
|
+
end
|
103
|
+
|
104
|
+
def accepted_values
|
105
|
+
[/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i, /'cache-control'/i, /"cache-control"/i]
|
106
|
+
end
|
107
|
+
|
108
|
+
# @param tag [String] the tag to check
|
109
|
+
# @return [Boolean] if the tag has cache-control settings or not
|
110
|
+
def cache_control_tag? tag
|
111
|
+
http_equiv_idx = tag =~ /http-equiv=/i
|
112
|
+
return false unless http_equiv_idx
|
113
|
+
|
114
|
+
content_idx = tag =~ /content=/i
|
115
|
+
return false unless content_idx
|
116
|
+
|
117
|
+
# determine the value of the http-equiv if it's cache-control
|
118
|
+
http_equiv_idx += 11
|
119
|
+
accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
|
120
|
+
end
|
121
|
+
|
122
|
+
# Determine if the given metatag does not have a valid cache-control tag.
|
123
|
+
# Meta tags has the option to set http-equiv and content to set the http response header
|
124
|
+
# to define for the document
|
125
|
+
#
|
126
|
+
# @param tag [String] the meta tag
|
127
|
+
# @return [Boolean, nil]
|
128
|
+
def safe_meta_cache_tag? tag
|
129
|
+
# Here we should determine the index of the needed keys
|
130
|
+
# http-equiv and content
|
131
|
+
http_equiv_idx = tag =~ /http-equiv=/i
|
132
|
+
return false unless http_equiv_idx
|
133
|
+
|
134
|
+
content_idx = tag =~ /content=/i
|
135
|
+
return false unless content_idx
|
136
|
+
|
137
|
+
# determine the value of the http-equiv if it's cache-control
|
138
|
+
http_equiv_idx += 11
|
139
|
+
is_valid = accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
|
140
|
+
return false unless is_valid
|
141
|
+
|
142
|
+
content_idx += 8
|
143
|
+
accepted_values.any? { |value| (tag =~ value) == content_idx }
|
144
|
+
end
|
145
|
+
|
146
|
+
# This method accepts the violation and transforms it to the proper hash before returning a violation.
|
147
|
+
# Unlike other rules, this returns a complex structure to be converted to JSON on reporting -- do NOT cast
|
148
|
+
# it here as that'll result in extra escaping later.
|
149
|
+
#
|
150
|
+
# @param type [String] String of Header or META of the type
|
151
|
+
# @param name [String] String of either cache-control or pragma
|
152
|
+
# @param value [String] String of the violated value
|
153
|
+
# @return [Hash<String, String>]
|
154
|
+
def evidence type, name, value
|
155
|
+
{ 'type' => type, 'name' => name, 'value' => value }
|
156
|
+
end
|
157
|
+
|
158
|
+
# return the cache control value from the response, either as a Hash in later versions of Rails or as a
|
159
|
+
# String in all other frameworks/ response types (remember, response can be a few things).
|
160
|
+
#
|
161
|
+
# @param response [Contrast::Agent::Response]
|
162
|
+
# @return [String]
|
163
|
+
def cache_control_from response
|
164
|
+
control = if response.rack_response.cs__is_a?(Rack::Response)
|
165
|
+
response.rack_response.cache_control
|
166
|
+
else
|
167
|
+
get_header_value(response)
|
168
|
+
end
|
169
|
+
control.cs__is_a?(Hash) ? cache_control_to_s(control) : control
|
170
|
+
end
|
171
|
+
|
172
|
+
# Rebuilds the String value of the Cache-Control Header from the hash build in the Rack::Response
|
173
|
+
#
|
174
|
+
# @param hsh [Hash]
|
175
|
+
# @return [String]
|
176
|
+
def cache_control_to_s hsh
|
177
|
+
values = []
|
178
|
+
hsh.each_pair do |k, v|
|
179
|
+
key = k.to_s.tr('_', '-')
|
180
|
+
values << if key.to_sym == :extras
|
181
|
+
v
|
182
|
+
elsif v.is_a?(TrueClass)
|
183
|
+
key
|
184
|
+
else
|
185
|
+
"#{ key }=#{ v }"
|
186
|
+
end
|
187
|
+
end
|
188
|
+
values.join(', ')
|
189
|
+
end
|
190
|
+
end
|
191
|
+
end
|
192
|
+
end
|
193
|
+
end
|
194
|
+
end
|
195
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
5
|
+
require 'contrast/utils/string_utils'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Assess
|
10
|
+
module Rule
|
11
|
+
module Response
|
12
|
+
# These rules check the content of the HTTP Response to determine if the headers contains the required header
|
13
|
+
class ClickJacking < HeaderRule
|
14
|
+
HEADER_KEYS = %w[X-Frame-Options].cs__freeze
|
15
|
+
ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
|
16
|
+
DEFAULT_SAFE = false
|
17
|
+
|
18
|
+
def rule_id
|
19
|
+
'clickjacking-control-missing'
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
@@ -0,0 +1,100 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
3
|
+
# frozen_string_literal: true
|
4
|
+
|
5
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
6
|
+
require 'contrast/utils/string_utils'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module Agent
|
10
|
+
module Assess
|
11
|
+
module Rule
|
12
|
+
module Response
|
13
|
+
# These rules check that the HTTP Headers include CSP header types
|
14
|
+
class CspHeaderInsecure < HeaderRule
|
15
|
+
HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
|
16
|
+
DEFAULT_SAFE = false
|
17
|
+
SETTINGS = %w[
|
18
|
+
base-uri child-src default-src connect-src frame-src media-src object-src script-src
|
19
|
+
style-src form-action frame-ancestors plugin-types reflected-xss referer
|
20
|
+
].cs__freeze
|
21
|
+
UNSAFE_VALUE_REGEXP = /^unsafe-(?:inline|eval)$/.cs__freeze
|
22
|
+
ASTERISK_REGEXP = /[*]/.cs__freeze
|
23
|
+
SAFE_REFLECTED_XSS = /1/.cs__freeze
|
24
|
+
|
25
|
+
def rule_id
|
26
|
+
'csp-header-insecure'
|
27
|
+
end
|
28
|
+
|
29
|
+
protected
|
30
|
+
|
31
|
+
# Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
|
32
|
+
#
|
33
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
34
|
+
# @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
|
35
|
+
def violated? response
|
36
|
+
settings = {}
|
37
|
+
csp_hash = get_header_value(response)
|
38
|
+
return if csp_hash.nil?
|
39
|
+
|
40
|
+
SETTINGS.each do |setting_attr|
|
41
|
+
# default src has to be checked all other keys may be missing
|
42
|
+
next unless csp_hash.key?(setting_attr) || setting_attr == 'default-src'
|
43
|
+
|
44
|
+
value = csp_hash[setting_attr]
|
45
|
+
key = convert_key(setting_attr)
|
46
|
+
settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
|
47
|
+
settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
|
48
|
+
end
|
49
|
+
evidence(settings.to_json) if settings.value?(false)
|
50
|
+
end
|
51
|
+
|
52
|
+
# Get the CSP values from and transforms them to key value hash
|
53
|
+
#
|
54
|
+
# ex default-src 'self' *.test.com; img-src * becomes:
|
55
|
+
# { default-src: "'self' *.test.com", img-src: "*" }
|
56
|
+
#
|
57
|
+
# @param headers [Hash] the response of the application
|
58
|
+
# @return [Array, nil] array of CSP header values
|
59
|
+
def get_header_value response
|
60
|
+
csp_hash = {}
|
61
|
+
headers = response.headers
|
62
|
+
HEADER_KEYS.each do |header_key|
|
63
|
+
next unless headers[header_key]&.length&.positive?
|
64
|
+
|
65
|
+
values = headers[header_key].split(Contrast::Utils::ObjectShare::SEMICOLON)
|
66
|
+
values.each do |value|
|
67
|
+
normalized = value.downcase.strip
|
68
|
+
kv = normalized.split(Contrast::Utils::ObjectShare::SPACE, 2)
|
69
|
+
csp_hash[kv[0]] = kv[1]
|
70
|
+
end
|
71
|
+
end
|
72
|
+
csp_hash
|
73
|
+
end
|
74
|
+
|
75
|
+
def value_secure? value
|
76
|
+
ASTERISK_REGEXP.match(value).nil?
|
77
|
+
end
|
78
|
+
|
79
|
+
def value_safe? value
|
80
|
+
UNSAFE_VALUE_REGEXP.match(value).nil? || !SAFE_REFLECTED_XSS.match(value).nil?
|
81
|
+
end
|
82
|
+
|
83
|
+
# Converts the CSP key to camelcase to be used as key for evidence object
|
84
|
+
#
|
85
|
+
# base-uri -> baseUri
|
86
|
+
#
|
87
|
+
# @param key [String] key as found in header
|
88
|
+
# @return [String] camelcase key
|
89
|
+
def convert_key key
|
90
|
+
return key unless key.include?('-')
|
91
|
+
|
92
|
+
str = key.split('-')
|
93
|
+
"#{ str[0] }#{ str[1].capitalize }"
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
99
|
+
end
|
100
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
5
|
+
require 'contrast/utils/string_utils'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Assess
|
10
|
+
module Rule
|
11
|
+
module Response
|
12
|
+
# These rules check that the HTTP Headers include CSP header types
|
13
|
+
class CspHeaderMissing < HeaderRule
|
14
|
+
HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
|
15
|
+
ACCEPTED_VALUES = [/(.)/].cs__freeze
|
16
|
+
DEFAULT_SAFE = false
|
17
|
+
|
18
|
+
def rule_id
|
19
|
+
'csp-header-missing'
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
@@ -0,0 +1,34 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Contrast
|
5
|
+
module Agent
|
6
|
+
module Assess
|
7
|
+
module Rule
|
8
|
+
module Response
|
9
|
+
module Framework
|
10
|
+
# Rails 7 supports managing potential unsafe Headers
|
11
|
+
# this module contains methods for checking if Rails 7 supersedes our rules
|
12
|
+
module RailsSupport
|
13
|
+
RAILS_VERSION = Gem::Version.new('7.0.0')
|
14
|
+
|
15
|
+
# Some rules have features or settings that make them unsupported, meaning unnecessary or unavailable
|
16
|
+
# in that framework. For now, the only distinction required is Rails 7 or not, so that's what we'll
|
17
|
+
# report here.
|
18
|
+
#
|
19
|
+
# @return [Boolean] if the rule is unsupported by the framework
|
20
|
+
def rails_seven?
|
21
|
+
return false unless defined?(::Rails)
|
22
|
+
|
23
|
+
rails_version = ::Rails.version
|
24
|
+
return false unless !!rails_version
|
25
|
+
|
26
|
+
Gem::Version.new(rails_version) >= RAILS_VERSION
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
@@ -0,0 +1,70 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'rack'
|
5
|
+
require 'contrast/utils/hash_digest'
|
6
|
+
require 'contrast/utils/string_utils'
|
7
|
+
require 'contrast/agent/assess/rule/response/base_rule'
|
8
|
+
|
9
|
+
module Contrast
|
10
|
+
module Agent
|
11
|
+
module Assess
|
12
|
+
module Rule
|
13
|
+
module Response
|
14
|
+
# These rules check the content of the HTTP Response to determine if something was set incorrectly or
|
15
|
+
# insecurely in it.
|
16
|
+
class HeaderRule < BaseRule
|
17
|
+
HEADER_TYPE = 'Header'
|
18
|
+
|
19
|
+
# Rules discern which responses they can/should analyze.
|
20
|
+
#
|
21
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
22
|
+
def analyze_response? response
|
23
|
+
super && headers?(response)
|
24
|
+
end
|
25
|
+
|
26
|
+
# Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
|
27
|
+
#
|
28
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
29
|
+
# @return [Hash, nil] the evidence required to prove the violation of the rule
|
30
|
+
def violated? response
|
31
|
+
header_value = get_header_value(response)
|
32
|
+
if header_value
|
33
|
+
return evidence(header_value) unless valid_header?(header_value)
|
34
|
+
else
|
35
|
+
return evidence(header_value) unless cs__class::DEFAULT_SAFE
|
36
|
+
end
|
37
|
+
nil
|
38
|
+
end
|
39
|
+
|
40
|
+
# Determine if a response has headers.
|
41
|
+
#
|
42
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
43
|
+
# @return [Boolean]
|
44
|
+
def headers? response
|
45
|
+
!!response.headers&.any?
|
46
|
+
end
|
47
|
+
|
48
|
+
protected
|
49
|
+
|
50
|
+
# @param response [Contrast::Agent::Response]
|
51
|
+
# @return [Object]
|
52
|
+
def get_header_value response
|
53
|
+
response_headers = response.headers
|
54
|
+
values = response_headers.values_at(*cs__class::HEADER_KEYS, *cs__class::HEADER_KEYS.map(&:to_sym))
|
55
|
+
values.compact.first
|
56
|
+
end
|
57
|
+
|
58
|
+
# Determine if the value of the Response Header has a valid value
|
59
|
+
#
|
60
|
+
# @param header [String] a response header
|
61
|
+
# @return [Boolean] whether the header value is valid
|
62
|
+
def valid_header? header
|
63
|
+
cs__class::ACCEPTED_VALUES.any? { |val| val.match(header) }
|
64
|
+
end
|
65
|
+
end
|
66
|
+
end
|
67
|
+
end
|
68
|
+
end
|
69
|
+
end
|
70
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
5
|
+
require 'contrast/utils/string_utils'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Assess
|
10
|
+
module Rule
|
11
|
+
module Response
|
12
|
+
# This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
|
13
|
+
# is set to a value greater than 0.
|
14
|
+
class HSTSHeader < HeaderRule
|
15
|
+
HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
|
16
|
+
ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
|
17
|
+
DEFAULT_SAFE = false
|
18
|
+
|
19
|
+
def rule_id
|
20
|
+
'hsts-header-missing'
|
21
|
+
end
|
22
|
+
|
23
|
+
protected
|
24
|
+
|
25
|
+
def evidence data
|
26
|
+
# get only the value of the max-age property
|
27
|
+
val = data&.split('=')&.last
|
28
|
+
val = Contrast::Utils::ObjectShare::EMPTY_STRING if val.nil? || val == 'max-age'
|
29
|
+
{ DATA => val }
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
@@ -0,0 +1,61 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/base_rule'
|
5
|
+
require 'contrast/utils/string_utils'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Assess
|
10
|
+
module Rule
|
11
|
+
module Response
|
12
|
+
# These rules check the content of the HTTP Response to determine if the body contains a form which
|
13
|
+
# incorrectly sets the action attribute.
|
14
|
+
class ParametersPollution < BaseRule
|
15
|
+
include BodyRule
|
16
|
+
def rule_id
|
17
|
+
'parameter-pollution'
|
18
|
+
end
|
19
|
+
|
20
|
+
protected
|
21
|
+
|
22
|
+
# Rules discern which responses they can/should analyze.
|
23
|
+
#
|
24
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
25
|
+
def analyze_response? response
|
26
|
+
super && body?(response)
|
27
|
+
end
|
28
|
+
|
29
|
+
# Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
|
30
|
+
#
|
31
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
32
|
+
# @return [Hash, nil] the evidence required to prove the violation of the rule
|
33
|
+
def violated? response
|
34
|
+
body = response.body
|
35
|
+
forms = html_elements(body, FORM_START_REGEXP, capture_overflow: true)
|
36
|
+
forms.each do |form|
|
37
|
+
# Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
|
38
|
+
# skip out on the first violation.
|
39
|
+
return form if action?(form[HTML_PROP])
|
40
|
+
end
|
41
|
+
nil
|
42
|
+
end
|
43
|
+
|
44
|
+
def accepted_values
|
45
|
+
[/action="[^"]/i, /action='[^']/i, /action=[^\\'"]/i, /action=[^\s<>'"]/i].cs__freeze
|
46
|
+
end
|
47
|
+
|
48
|
+
def action? form
|
49
|
+
return true unless /action=/i.match?(form)
|
50
|
+
|
51
|
+
accepted_values.each do |off_value|
|
52
|
+
return false if form.match?(off_value)
|
53
|
+
end
|
54
|
+
true
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
5
|
+
require 'contrast/utils/string_utils'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Assess
|
10
|
+
module Rule
|
11
|
+
module Response
|
12
|
+
# These rules check the content of the HTTP Response to determine if the response contains the needed header
|
13
|
+
class XContentType < HeaderRule
|
14
|
+
HEADER_KEYS = %w[X-Content-Type-Options].cs__freeze
|
15
|
+
ACCEPTED_VALUES = [/^nosniff/i].cs__freeze
|
16
|
+
DEFAULT_SAFE = false
|
17
|
+
|
18
|
+
def rule_id
|
19
|
+
'xcontenttype-header-missing'
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
@@ -0,0 +1,34 @@
|
|
1
|
+
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/framework/rails_support'
|
5
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
6
|
+
require 'contrast/utils/string_utils'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module Agent
|
10
|
+
module Assess
|
11
|
+
module Rule
|
12
|
+
module Response
|
13
|
+
# These rules check the content of the HTTP Response to determine if the response contains the needed header
|
14
|
+
class XXssProtection < HeaderRule
|
15
|
+
include Framework::RailsSupport
|
16
|
+
HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
|
17
|
+
ACCEPTED_VALUES = [/^1/].cs__freeze
|
18
|
+
DEFAULT_SAFE = true
|
19
|
+
|
20
|
+
def rule_id
|
21
|
+
'xxssprotection-header-disabled'
|
22
|
+
end
|
23
|
+
|
24
|
+
protected
|
25
|
+
|
26
|
+
def analyze_response? response
|
27
|
+
!rails_seven? && super
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|