RubyGems - contrast-agent - Versions diffs - 4.13.1 → 5.1.0 - Mend

contrast-agent 4.13.1 → 5.1.0

Files changed (399) hide show

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb CHANGED Viewed

@@ -1,9 +1,10 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/trigger_method'
 require 'contrast/components/logger'
 require 'contrast/extension/module'
+require 'contrast/agent/reporting/report'
 module Contrast
   module Agent
@@ -24,52 +25,6 @@ module Contrast
               !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
             end
-            # TODO: RUBY-1014 - remove `#analyze`
-            COMMON_CONSTANTS = %i[CONTRAST_ASSESS_POLICY_STATUS VERSION].cs__freeze
-            def analyze clazz
-              return if disabled?
-              # we only want the constants explicitly defined in this class, not
-              # those of its ancestor(s)
-              constants = clazz.cs__constants(false)
-              # if there are no constants, let's just leave
-              return unless constants&.any?
-              constants.each do |constant|
-                next if COMMON_CONSTANTS.include?(constant)
-                # if this class autoloads its constant, get the hell away from it
-                # I mean it! Don't even think about it.
-                #
-                # Autoload means this constant (usually [always?] a class or
-                # module) won't be required until something in the application
-                # tries to load it. We CANNOT be that thing. We'll just have to
-                # wait until it's loaded, at which point we'll be handed it
-                # again.
-                next if clazz.cs__autoload?(constant)
-                # constant comes to us as a symbol. that sucks. we need to do
-                # some string methods on it, so stringify it.
-                constant_string = constant.to_s
-                # if this is another class or a module, move on
-                next unless constant_name?(constant_string)
-                next unless name_passes?(constant_string)
-                value = clazz.cs__const_get(constant, false)
-                # if the constant isn't holding a string, skip it
-                next unless value_type_passes?(value)
-                # if it looks like a placeholder / pointer to a config, skip it
-                next unless value_passes?(value)
-                build_finding(clazz, constant_string)
-              end
-            end
             # Parse the file pertaining to the given TracePoint to walk its AST
             # to determine if a Constant is hardcoded. For our purposes, this
             # hard coding means directly set rather than as an interpolated
@@ -91,14 +46,6 @@ module Contrast
               logger.error('Unable to parse AST for hardcoded keys', e, module: trace_point.self)
             end
-            # Constants can be variable or classes defined in the given
-            # class. We ONLY want the variables, which should be defined in
-            # the MACRO_CASE (upper case & underscore format)
-            CONSTANT_NAME_PATTERN = /^[A-Z_]+$/.cs__freeze
-            def constant_name? constant
-              constant.match?(CONSTANT_NAME_PATTERN)
-            end
             # The name of the field
             CONSTANT_NAME_KEY = 'name'
             # The code line, recreated, with the password obfuscated
@@ -138,7 +85,11 @@ module Contrast
               # sort. We leave it to each rule to properly handle these nodes.
               return unless value_node_passes?(value)
-              build_finding(mod, name)
+              if Contrast::Agent::Reporter.enabled?
+                new_finding_and_reporting mod, name
+              else # TODO: RUBY-1438 -- remove
+                build_finding mod, name
+              end
             end
             # Constants can be set as frozen directly. We need to account for
@@ -161,6 +112,14 @@ module Contrast
             def build_finding clazz, constant_string
               class_name = clazz.cs__name
+              finding = assign_finding class_name, constant_string
+              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
+            rescue StandardError => e
+              logger.error('Unable to build a finding for Hardcoded Rule', e)
+              nil
+            end
+            def assign_finding class_name, constant_string
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
               finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
@@ -173,10 +132,33 @@ module Contrast
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
-            rescue StandardError => e
-              logger.error('Unable to build a finding for Hardcoded Rule', e)
-              nil
+              finding
+            end
+            def new_finding_and_reporting clazz, constant_string
+              return unless Contrast::Agent::Reporter.enabled?
+              # sent to reporter
+              # and add logger message for the report of the preflight
+              new_preflight = Contrast::Agent::Reporting::Preflight.new
+              new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
+              new_preflight_message.hash_code = hash
+              new_preflight_message.data = "#{ rule_id },#{ hash }"
+              new_preflight.messages << new_preflight_message
+              # extract to new method
+              # here we will generate new type of finding
+              ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
+              ruby_finding.hash_code = hash
+              ruby_finding.properties[SOURCE_KEY] = clazz.cs__name
+              ruby_finding.properties[CONSTANT_NAME_KEY] = constant_string
+              ruby_finding.properties[CODE_SOURCE_KEY] = constant_string + redacted_marker
+              save_and_report_finding ruby_finding, new_preflight
+            end
+            def save_and_report_finding ruby_finding, new_preflight
+              Contrast::Agent::Reporting::ReportingStorage[hash] = ruby_finding
+              Contrast::Agent.reporter&.send_event_immediately(new_preflight)
             end
           end
         end

data/lib/contrast/agent/assess/rule/provider.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/assess/rule/response/autocomplete_rule.rb ADDED Viewed

@@ -0,0 +1,68 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body contains a form which
+          # incorrectly sets the autocomplete attribute.
+          class Autocomplete < BaseRule
+            def rule_id
+              'autocomplete-missing'
+            end
+            protected
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              body = response.body
+              forms = forms(body)
+              forms.each do |form|
+                # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
+                # skip out on the first violation.
+                return form if autocomplete?(form[HTML_PROP])
+              end
+              nil
+            end
+            def off_values
+              [/"off"/, /'off'/, /off /, /off>/]
+            end
+            # Determine if the given form does not have a valid autocomplete tag. Because autocompletion is on by
+            # default, the form must both have the value and set it to being disabled to not autocomplete.
+            #
+            # @param form [String] the form tag
+            # @return [Boolean]
+            def autocomplete? form
+              idx = form =~ /autocomplete=/i
+              return true unless idx
+              # Adjust for the length of 'autocomplete='
+              idx += 13
+              off_values.each do |off_value|
+                return false if (form =~ off_value) == idx
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/base_rule.rb ADDED Viewed

@@ -0,0 +1,197 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'rack'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          class BaseRule
+            # Analyze a given application response to determine if it violates the rule
+            #
+            # TODO: RUBY-999999 either extract the response's body or memoize it to some degree so that it's not
+            #   generated on every call of this method
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze response
+              return unless analyze_response?(response)
+              violation = violated?(response)
+              return unless violation
+              finding = build_finding(violation)
+              return unless finding
+              if Contrast::Agent::Reporter.enabled?
+                report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(finding)
+                # TODO: RUBY-99999 preflight
+                Contrast::Agent.reporter.send_event(report)
+              else
+                Contrast::Agent::REQUEST_TRACKER.current.activity.findings << finding
+              end
+            end
+            protected
+            DATA = 'data'.cs__freeze
+            HTML_PROP = 'html'.cs__freeze
+            START_PROP = 'start'.cs__freeze
+            END_PROP = 'end'.cs__freeze
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              return false unless response
+              return false if disabled?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_response_assess?
+              return false unless valid_response_code?(response.response_code)
+              return false unless valid_content_type?(response.content_type)
+              true
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param _response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? _response; end
+            # Convert the given evidence into a finding. The rule will populate this evidence with each of the
+            #
+            # @param evidence [Hash] the properties required to build this finding.
+            # @return [Contrast::Api::Dtm::Finding]
+            def build_finding evidence
+              finding = Contrast::Api::Dtm::Finding.new
+              finding.rule_id = rule_id
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              finding.routes << context.route if context&.route
+              build_evidence evidence, finding
+              hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
+              finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
+              finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
+              finding
+            end
+            # This method allows to change the evidence we attach and the way we attach it
+            # Change it accordingly the rule you work on
+            #
+            # @param evidence [Hash] the properties required to build this finding.
+            # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
+            def build_evidence evidence, finding
+              evidence.each_pair do |key, value|
+                finding.properties[key] = Contrast::Utils::StringUtils.force_utf8(value)
+              end
+            end
+            # A rule is disabled if assess is off or it is turned off by TeamServer or by configuration.
+            #
+            # @return [Boolean]
+            def disabled?
+              !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
+            end
+            # Rules discern which response codes to which they apply. If the response is of one that the rule should not
+            # examine, it can short circuit early. If the code is unknown, it must be examined.
+            #
+            # @param code [Integer,nil] the response code
+            # @return [Boolean]
+            def valid_response_code? code
+              !code || [301, 302, 307, 404, 410, 500].none?(code)
+            end
+            # Rules discern which Content-Type to which they apply. If the response is of one that the rule should not
+            # examine, it can short circuit early. If the type is unknown, it must be examined.
+            #
+            # @param type [String,nil] the value of the Content-Type header
+            # @return [Boolean]
+            def valid_content_type? type
+              !type || [/json/i, /xml/i].none? { |invalid_content| type =~ invalid_content }
+            end
+            # Determine if a response has a body or not.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def body? response
+              Contrast::Utils::StringUtils.present?(response.body)
+            end
+            # Capture the information needed to build the properties of this finding by parsing out from the body
+            #
+            # @param body [String] the entire HTTP Response body
+            # @param body_start [Integer] the start of the range to take from the body
+            # @param body_close [Integer] the end of the range to take from the body
+            # @param tag_stop [Integer] the index of the end of the html tag from its start
+            # @return [Hash]
+            def capture body, body_start, body_close, tag_stop
+              tag = {}
+              # Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
+              capture_start = body_start < 50 ? 0 : body_start - 50
+              # Start is where the '<form' is in the body
+              # 6 accounts for the characters in the form and the opening char
+              # potential_form.index('>') accounts for finding the rest of the form
+              # 50 accounts for the context to capture beyond
+              capture_close = body_close + 50
+              tag[HTML_PROP] = body[capture_start...capture_close]
+              tag[START_PROP] = body_start < 50 ? body_start : 50
+              tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
+              tag
+            end
+            # Find the forms in this body, if any, so as to determine if they violate this rule.
+            #
+            # @param body [String]
+            # @return [Array<Hash>] the forms of this body, as well as their start and end indexes.
+            def forms body
+              forms = []
+              body_start = 0
+              # The instance of "<form" in the body may be a form. Turn them into chunks to check.
+              potential_forms = body.split(form_start)
+              potential_forms.each do |potential_form|
+                # We can consider this a form if the next character is one of whitespace of form tag closing
+                # characters.
+                next unless potential_form
+                next unless form_openings.any? { |opening| potential_form.start_with?(opening) }
+                body_start = body.index(form_start, body_start)
+                next unless body_start
+                form_stop = potential_form.index('>').to_i
+                next unless form_stop
+                body_close = body_start + 6 + form_stop
+                forms << capture(body, body_start, body_close, form_stop)
+                body_start = body_close
+              end
+              forms
+            end
+            def form_start
+              /<form/i
+            end
+            def form_openings
+              [' ', "\n", "\r", "\t", '>']
+            end
+            # Determine if a response has headers.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def headers? response
+              response.headers.cs__is_a?(Hash)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb ADDED Viewed

@@ -0,0 +1,184 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+require 'json'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body or the headers include and/or
+          # set incorrectly the cache-control header
+          class Cachecontrol < BaseRule
+            def rule_id
+              'cache-controls-missing'
+            end
+            protected
+            HEADER_KEY = 'Cache-Control'.cs__freeze
+            ACCEPTED_VALUES = %w[no-store no-cache].cs__freeze
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              # This rule is violated if the header is not there
+              # or if it's there, but the value is not 'no-store' or 'no-cache'
+              headers = response.headers
+              header_key_sym = HEADER_KEY.to_sym
+              cache_control = headers[HEADER_KEY] || headers[header_key_sym]
+              if cache_control && !valid_header?(cache_control)
+                return to_cachecontrol_rule('header', 'cache-control', cache_control)
+              end
+              body = response.body
+              # check if the meta tag is include it
+              tags = meta_tags(body)
+              tags.each do |tag|
+                return to_cachecontrol_rule('meta', 'pragma', tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+              end
+              # we should return if header not presented and no tags are detected
+              return {} if !(headers.key?(HEADER_KEY) || headers.key?(header_key_sym)) && tags.empty?
+              nil
+            end
+            def valid_header? header
+              ACCEPTED_VALUES.any? { |val| header.include?(val) || header == val }
+            end
+            # Find the tags in this body, if any, so as to determine if they violate this rule.
+            #
+            # @param body [String,nil]
+            # @return [Array<Hash>] the tags of this body, as well as their start and end indexes.
+            def meta_tags body
+              tags = []
+              body_start = 0
+              # meta tags are stored in the <head></head> section
+              head_section = body&.split(head_tag)
+              return [] unless head_section
+              potential_tags = head_section.map { |el| el.split(meta_start) }
+              potential_tags.flatten.each do |potential_tag|
+                next unless potential_tag
+                next unless tag_openings.any? { |opening| potential_tag.starts_with?(opening) }
+                body_start = body.index(meta_start, body_start)
+                next unless body_start
+                tag_stop = potential_tag.index('>').to_i
+                next unless tag_stop
+                body_close = body_start + 6 + tag_stop
+                tags << capture(body, body_start, body_close, tag_stop)
+                body_start = body_close
+              end
+              tags
+            end
+            def meta_start
+              /<meta/i
+            end
+            def head_tag
+              /<head>/i
+            end
+            def tag_openings
+              [' ', "\n", "\r", "\t"]
+            end
+            def accepted_http_values
+              [/'cache-control'/i, /"cache-control"/i]
+            end
+            def accepted_values
+              [/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i]
+            end
+            # Determine if the given metatag does not have a valid cache-control tag.
+            # Meta tags has the option to set http-equiv and content to set the http response header
+            # to define for the document
+            #
+            # @param tag [String] the meta tag
+            # @return [Boolean, nil]
+            def meta_cache_tag? tag
+              # Here we should determine the index of the needed keys
+              # http-equiv and content
+              http_equiv_idx = tag =~ /http-equiv=/i
+              return false unless http_equiv_idx
+              content_idx = tag =~ /content=/i
+              return false unless content_idx
+              # determine the value of the http-equiv if it's cache-control
+              http_equiv_idx += 11
+              is_valid = accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
+              return false unless is_valid
+              content_idx += 8
+              return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
+              true
+            end
+            # This method allows to change the evidence we attach and the way we attach it
+            # Change it accordingly the rule you work on
+            #
+            # @param evidence [Hash] the properties required to build this finding.
+            # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
+            def build_evidence evidence, finding
+              evidence.each_pair do |key, value|
+                finding.properties[key] = Contrast::Utils::StringUtils.protobuf_format(value)
+              end
+            end
+            # This method accepts the violation and transforms it to the proper hash
+            # before return in as violation
+            #
+            # @param type [String] String of Header or META of the type
+            # @param name [String] String of either cache-control or pragma
+            # @param value [String] String of the violated value
+            def to_cachecontrol_rule type, name, value
+              { data: { type: type, name: name, value: value }.to_s }
+            end
+            # Capture the information needed to build the properties of this finding by parsing out from the body
+            #
+            # @param body [String] the entire HTTP Response body
+            # @param body_start [Integer] the start of the range to take from the body
+            # @param body_close [Integer] the end of the range to take from the body
+            # @param tag_stop [Integer] the index of the end of the html tag from its start
+            # @return [Hash]
+            def capture body, body_start, body_close, tag_stop
+              # In this situation we don't need to capture before and after the meta tag, as this may produce an error
+              # So if we capture 30-50 chars before and after the tag, we may capture part of the tag, we want to
+              # inspect and eventually this wil return wrong string. Because of that - we split the <head> and take
+              # each meta tag and examine it
+              tag = {}
+              # we dont need to capture here before or after the meta tag
+              tag[HTML_PROP] = body[body_start...body_close]
+              tag[START_PROP] = body_start
+              tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
+              tag
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/clickjacking_rule.rb ADDED Viewed

@@ -0,0 +1,66 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the headers contains the required header
+          class Clickjacking < BaseRule
+            def rule_id
+              'clickjacking-control-missing'
+            end
+            protected
+            HEADER_KEY = 'X-Frame-Options'.cs__freeze
+            HEADER_KEY_SYM = HEADER_KEY.to_sym
+            ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              headers = response.headers
+              cache_control = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
+              return unsafe_response unless cache_control
+              return unsafe_response(cache_control) unless valid_header?(cache_control)
+              nil
+            end
+            def valid_header? header
+              ACCEPTED_VALUES.any? { |val| header =~ val }
+            end
+            def unsafe_response value = ''
+              { data: value }
+            end
+            # Change it accordingly the rule you work on
+            #
+            # @param evidence [Hash] the properties required to build this finding.
+            # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
+            def build_evidence evidence, finding
+              evidence.each_pair do |key, value|
+                finding.properties[key] = Contrast::Utils::StringUtils.protobuf_format(value)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end