RubyGems - contrast-agent - Versions diffs - 4.13.1 → 5.1.0 - Mend

contrast-agent 4.13.1 → 5.1.0

Files changed (399) hide show

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb ADDED Viewed

@@ -0,0 +1,101 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check that the HTTP Headers include CSP header types
+          class CspHeaderInsecure < BaseRule
+            def rule_id
+              'csp-header-insecure'
+            end
+            protected
+            CSP_HEADERS = %w[CONTENT_SECURITY_POLICY X_CONTENT_SECURITY_POLICY X_WEBKIT_CSP].cs__freeze
+            SETTINGS = %w[
+              base-uri child-src default-src connect-src frame-src media-src object-src script-src
+              style-src form-action frame-ancestors plugin-types reflected-xss referer
+            ].cs__freeze
+            UNSAFE_VALUE_REGEXP = /^unsafe-(?:inline|eval)$/.cs__freeze
+            ASTERISK_REGEXP = /[*]/.cs__freeze
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
+            def violated? response
+              settings = {}
+              csp_hash = get_csp_header_values(response.headers)
+              return if csp_hash.nil?
+              SETTINGS.each do |setting_attr|
+                value = csp_hash[setting_attr]
+                key = convert_key(setting_attr)
+                settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
+                settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
+              end
+              { DATA => settings }
+            end
+            # Get the CSP values from and transforms them to key value hash
+            #
+            # ex default-src 'self' *.test.com; img-src * becomes:
+            # { default-src: "'self' *.test.com", img-src: "*" }
+            #
+            # @param headers [Hash] the response of the application
+            # @return [Array, nil] array of CSP header values
+            def get_csp_header_values headers
+              csp_hash = {}
+              CSP_HEADERS.each do |header_key|
+                next unless headers[header_key]&.length&.positive?
+                values = headers[header_key].split(Contrast::Utils::ObjectShare::SEMICOLON)
+                values.each do |value|
+                  normalized = value.downcase.strip
+                  kv = normalized.split(Contrast::Utils::ObjectShare::SPACE, 2)
+                  csp_hash[kv[0]] = kv[1]
+                end
+              end
+              csp_hash
+            end
+            def value_secure? value
+              ASTERISK_REGEXP.match(value).nil?
+            end
+            def value_safe? value
+              UNSAFE_VALUE_REGEXP.match(value).nil?
+            end
+            # Converts the CSP key to camelcase to be used as key for evidence object
+            #
+            #  base-uri -> baseUri
+            #
+            # @param key [String] key as found in header
+            # @return [String] camelcase key
+            def convert_key key
+              return key unless key.include?('-')
+              str = key.split('-')
+              "#{ str[0] }#{ str[1].capitalize }"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check that the HTTP Headers include CSP header types
+          class CspHeaderMissing < BaseRule
+            def rule_id
+              'csp-header-missing'
+            end
+            protected
+            CSP_HEADERS = %w[CONTENT_SECURITY_POLICY X_CONTENT_SECURITY_POLICY X_WEBKIT_CSP].cs__freeze
+            DATA = 'data'.cs__freeze
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
+            def violated? response
+              response_headers = response.headers
+              return if CSP_HEADERS.any? { |header_key| response_headers[header_key]&.length&.positive? }
+              { DATA => Contrast::Utils::ObjectShare::EMPTY_STRING }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
+          # is set to a value greater than 0.
+          class HSTSHeader < BaseRule
+            def rule_id
+              'hsts-header-missing'
+            end
+            protected
+            HEADER_KEY = 'Strict-Transport-Security'
+            HEADER_KEY_SYM = HEADER_KEY.to_sym
+            MAX_AGE = 'max-age'
+            MAX_AGE_SYM = MAX_AGE.to_sym
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && response.headers.cs__is_a?(Hash)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash<data: Contrast::Utils::ObjectShare::EMPTY_STRING, String>, nil] return string
+            # representation of the max_age
+            def violated? response
+              headers = response.headers
+              target = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
+              # this rule is safe by default if no target => no evidence
+              # if the property max_age is not positive or absent then the rule is violated
+              return unless target
+              max_age = target[MAX_AGE] || target[MAX_AGE_SYM]
+              return if max_age.to_i.positive?
+              evidence max_age
+            end
+            # returns evidence that the max_age is negative or absent
+            #
+            # @param max_age [String] String representation of the max-age value to which the header is set
+            # @return [Hash<data: Contrast::Utils::ObjectShare::EMPTY_STRING, String>] return string representation of
+            # the max_age
+            def evidence max_age
+              { data: max_age.to_s }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body contains a form which
+          # incorrectly sets the action attribute.
+          class ParametersPollution < BaseRule
+            def rule_id
+              'parameter-pollution'
+            end
+            protected
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              body = response.body
+              forms = forms(body)
+              forms.each do |form|
+                # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
+                # skip out on the first violation.
+                return form if action?(form[HTML_PROP])
+              end
+              nil
+            end
+            def accepted_values
+              [/action="[^"]/i, /action='[^']/i, /action=[^\\'"]/i, /action=[^\s<>'"]/i].cs__freeze
+            end
+            def action? form
+              return true unless /action=/i.match?(form)
+              accepted_values.each do |off_value|
+                return false if form.match?(off_value)
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/x_content_type_rule.rb ADDED Viewed

@@ -0,0 +1,52 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XContentType < BaseRule
+            def rule_id
+              'xcontenttype-header-missing'
+            end
+            protected
+            HEADER_KEY = 'X-Content-Type-Options'.cs__freeze
+            HEADER_KEY_SYM = HEADER_KEY.to_sym
+            ACCEPTED_VALUE = /^nosniff/i.cs__freeze
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              headers = response.headers
+              x_content_type = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
+              return unsafe_response unless x_content_type
+              return unsafe_response x_content_type unless ACCEPTED_VALUE.match?(x_content_type)
+              nil
+            end
+            def unsafe_response value = ''
+              { data: value }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XXssProtection < BaseRule
+            def rule_id
+              'xxssprotection-header-disabled'
+            end
+            protected
+            HEADER_KEY = 'X-XSS-Protection'.cs__freeze
+            HEADER_KEY_SYM = HEADER_KEY.to_sym
+            ACCEPTED_VALUE = /^1/.cs__freeze
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              headers = response.headers
+              x_xss_protection = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
+              # header is safe by default so only need to return finding on failed value match
+              return unless x_xss_protection
+              return unsafe_response x_xss_protection unless ACCEPTED_VALUE.match?(x_xss_protection)
+              nil
+            end
+            def unsafe_response value = ''
+              { data: value }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/tag.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/assess/tracker.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/finalizers/hash'

data/lib/contrast/agent/assess.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -10,7 +10,6 @@ module Contrast
     module Assess
       require 'contrast/agent/assess/tracker'
       require 'contrast/agent/module_data'
-      require 'contrast/agent/rewriter' if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
       require 'contrast/agent/assess/policy/preshift'
       # Dynamic Sources

data/lib/contrast/agent/at_exit_hook.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/policy_node'
@@ -7,10 +7,9 @@ module Contrast
   module Agent
     module Deadzone
       module Policy
-        # This class functions to translate our policy.json into an actionable
-        # Ruby object, allowing for dynamic patching over hardcoded patching,
-        # specifically for those methods in which other Contrast operations
-        # should not apply
+        # This class functions to translate our policy.json into an actionable Ruby object, allowing for dynamic
+        # patching over hardcoded patching, specifically for those methods in which other Contrast operations should
+        # not apply.
         class DeadzoneNode < Contrast::Agent::Patching::Policy::PolicyNode
           def node_class
             'Deadzone'
@@ -20,12 +19,18 @@ module Contrast
             'Deadzone'
           end
-          # Deadzone means place the code inside of the contrast scope so that
-          # none of our code executes. As such, all DeadZone nodes have that as
-          # their method scope
+          # Deadzone means place the code inside of the contrast scope so that none of our code executes. As such, all
+          # DeadZone nodes have that as their method scope.
           def method_scope
             :contrast
           end
+          # TODO: RUBY-99999 remove, used to clean up logs while debugging
+          # def validate
+          #   return if class_name
+          #
+          #   raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
+          # end
         end
       end
     end

data/lib/contrast/agent/deadzone/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/deadzone/policy/deadzone_node'

data/lib/contrast/agent/disable_reaction.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'

data/lib/contrast/agent/exclusion_matcher.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'