contrast-agent 4.14.0 → 5.2.0

data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb

@@ -0,0 +1,69 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/body_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body contains a form which
+          # incorrectly sets the autocomplete attribute.
+          class AutoComplete < BaseRule
+            include BodyRule
+            def rule_id
+              'autocomplete-missing'
+            end
+
+            protected
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              body = response.body
+              forms = html_elements(body, FORM_START_REGEXP, true)
+              forms.each do |form|
+                # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
+                # skip out on the first violation.
+                return form if autocomplete?(form[HTML_PROP])
+              end
+              nil
+            end
+
+            def off_values
+              [/"off"/, /'off'/, /off /, /off>/]
+            end
+
+            # Determine if the given form does not have a valid autocomplete tag. Because autocompletion is on by
+            # default, the form must both have the value and set it to being disabled to not autocomplete.
+            #
+            # @param form [String] the form tag
+            # @return [Boolean]
+            def autocomplete? form
+              idx = form =~ /autocomplete=/i
+              return true unless idx
+
+              # Adjust for the length of 'autocomplete='
+              idx += 13
+              off_values.each do |off_value|
+                return false if (form =~ off_value) == idx
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/base_rule.rb

@@ -0,0 +1,130 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rack'
+require 'json'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          class BaseRule
+            # Analyze a given application response to determine if it violates the rule
+            #
+            # TODO: RUBY-999999 either extract the response's body or memoize it to some degree so that it's not
+            #   generated on every call of this method
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze response
+              return unless analyze_response?(response)
+
+              violation = violated?(response)
+              return unless violation
+
+              finding = build_finding(violation)
+              return unless finding
+
+              if Contrast::Agent::Reporter.enabled?
+                report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(finding)
+                # TODO: RUBY-99999 preflight
+                Contrast::Agent.reporter.send_event(report)
+              else
+                Contrast::Agent::REQUEST_TRACKER.current.activity.findings << finding
+              end
+            end
+
+            protected
+
+            DATA = 'data'.cs__freeze
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              return false unless response
+              return false if disabled?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_response_assess?
+              return false unless valid_response_code?(response.response_code)
+              return false unless valid_content_type?(response.content_type)
+
+              true
+            end
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? _response; end
+
+            def evidence data = Contrast::Utils::ObjectShare::EMPTY_STRING
+              data = Contrast::Utils::ObjectShare::EMPTY_STRING if data.nil?
+              { DATA => data }
+            end
+
+            # Convert the given evidence into a finding. The rule will populate this evidence with each of the
+            #
+            # @param evidence [Hash] the properties required to build this finding.
+            # @return [Contrast::Api::Dtm::Finding]
+            def build_finding evidence
+              finding = Contrast::Api::Dtm::Finding.new
+              finding.rule_id = rule_id
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              finding.routes << context.route if context&.route
+              build_evidence evidence, finding
+              hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
+              finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
+              finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
+              finding
+            end
+
+            # This method allows to change the evidence we attach and the way we attach it
+            # Change it accordingly the rule you work on
+            #
+            # @param evidence [Hash] the properties required to build this finding.
+            # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
+            def build_evidence evidence, finding
+              evidence.each_pair do |key, value|
+                finding.properties[key] = if value.cs__is_a?(Hash)
+                                            Contrast::Utils::StringUtils.protobuf_format(value.to_json)
+                                          else
+                                            Contrast::Utils::StringUtils.protobuf_format(value)
+                                          end
+              end
+            end
+
+            # A rule is disabled if assess is off or it is turned off by TeamServer or by configuration.
+            #
+            # @return [Boolean]
+            def disabled?
+              !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
+            end
+
+            # Rules discern which response codes to which they apply. If the response is of one that the rule should not
+            # examine, it can short circuit early. If the code is unknown, it must be examined.
+            #
+            # @param code [Integer,nil] the response code
+            # @return [Boolean]
+            def valid_response_code? code
+              !code || [301, 302, 307, 404, 410, 500].none?(code)
+            end
+
+            # Rules discern which Content-Type to which they apply. If the response is of one that the rule should not
+            # examine, it can short circuit early. If the type is unknown, it must be examined.
+            #
+            # @param type [String,nil] the value of the Content-Type header
+            # @return [Boolean]
+            def valid_content_type? type
+              !type || [/json/i, /xml/i].none? { |invalid_content| type =~ invalid_content }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -0,0 +1,109 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rack'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/rule/response/base_rule'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          module BodyRule
+            protected
+
+            HTML_PROP = 'html'.cs__freeze
+            START_PROP = 'start'.cs__freeze
+            END_PROP = 'end'.cs__freeze
+            FORM_START_REGEXP = /<form/i.cs__freeze
+            META_TYPE = 'meta'
+            PRAGMA = 'pragma'
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+
+            # Determine if a response has a body or not.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def body? response
+              Contrast::Utils::StringUtils.present?(response.body)
+            end
+
+            # Find the elements in this section, if any, so as to determine if they violate this rule.
+            #
+            # @param section [String,nil] html section to find element
+            # @param element_start_str [String] element to find in html section
+            # @return [Array<Hash>] the found elements of this section, as well as their start and end indexes.
+            def html_elements section, element_start_str = '', capture_overflow = false
+              elements = []
+              section_start = 0
+              return [] unless section
+
+              potential_elements(section, element_start_str).flatten.each do |potential_element|
+                next unless potential_element
+                next unless element_openings.any? { |opening| potential_element.starts_with?(opening) }
+
+                section_start = section.index(element_start_str, section_start)
+                next unless section_start
+
+                element_stop = potential_element.index('>').to_i
+                next unless element_stop
+
+                section_close = section_start + 6 + element_stop
+                elements << capture(section, section_start, section_close, element_stop, capture_overflow)
+                section_start = section_close
+              end
+              elements
+            end
+
+            def potential_elements section, element_start
+              section.split(element_start)
+            end
+
+            def element_openings
+              [' ', "\n", "\r", "\t", '>']
+            end
+
+            # Capture the information needed to build the properties of this finding by parsing out from the body
+            #
+            # @param body [String] the entire HTTP Response body
+            # @param body_start [Integer] the start of the range to take from the body
+            # @param body_close [Integer] the end of the range to take from the body
+            # @param tag_stop [Integer] the index of the end of the html tag from its start
+            # @return [Hash]
+            def capture body, body_start, body_close, tag_stop, overflow = false
+              tag = {}
+              # Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
+              if overflow
+                capture_start = body_start < 50 ? 0 : body_start - 50
+                # Start is where the '<form' is in the body
+                # 6 accounts for the characters in the form and the opening char
+                # potential_form.index('>') accounts for finding the rest of the form
+                # 50 accounts for the context to capture beyond
+                capture_close = body_close + 50
+                tag[HTML_PROP] = body[capture_start...capture_close]
+                tag[START_PROP] = body_start < 50 ? body_start : 50
+              else
+                tag[HTML_PROP] = body[body_start...body_close]
+                tag[START_PROP] = body_start
+              end
+              tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
+              tag
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -0,0 +1,157 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/agent/assess/rule/response/body_rule'
+require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'contrast/utils/string_utils'
+require 'json'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body or the headers include and/or
+          # set incorrectly the cache-control header
+          class CacheControl < HeaderRule
+            include BodyRule
+            include Framework::RailsSupport
+
+            def rule_id
+              'cache-controls-missing'
+            end
+
+            protected
+
+            HEADER_KEYS = %w[Cache-Control].cs__freeze
+            ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
+            DEFAULT_SAFE = false
+            META_START_STR = /<meta/i.cs__freeze
+            HEAD_TAG = /<head>/i.cs__freeze
+            NAME = 'cache-control'
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              has_header, evidence = process_header(response)
+              return evidence unless evidence.nil?
+
+              has_tag, evidence = process_body(response)
+              return evidence unless evidence.nil?
+              return {} if !has_header && !has_tag
+
+              nil
+            end
+
+            # Process Header value to determine if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array[Boolean, Hash]] whether the header exists and the evidence hash or nil
+            def process_header response
+              # Rails 7 adds support for the cache_control header directly in the
+              # rack response, we should use that value
+              if framework_supported?
+                cache_control = response.rack_response.cache_control
+                has_header = !cache_control.empty?
+                not_valid = has_header && !((cache_control[:no_cache]) || (cache_control[:no_store]))
+                # evidence requires header value string, pull directly instead of rebuilding from hash
+                return has_header, evidence(HEADER_TYPE, NAME, cache_control_to_s(cache_control)) if not_valid
+              else
+                # This rule is violated if the header is not there is there,
+                # but the value is not 'no-store' or 'no-cache'
+                cache_control = get_header_value(response)
+                has_header = !!cache_control
+                not_valid = has_header && !valid_header?(cache_control)
+                return has_header, evidence(HEADER_TYPE, NAME, cache_control) if not_valid
+              end
+              [has_header, nil]
+            end
+
+            # Process Body to determine cache control exists as meta tag and if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array[Boolean, Hash]] whether the meta tags exists and the evidence hash or nil
+            def process_body response
+              body = response.body
+              # check if the meta tag is include it
+              meta_tags = html_elements(body&.split(HEAD_TAG)&.last, META_START_STR)
+              meta_tags.each do |tag|
+                return true, evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+              end
+              [!meta_tags.empty?, nil]
+            end
+
+            def potential_elements section, element_start
+              section.split(element_start)
+            end
+
+            def accepted_http_values
+              [/'cache-control'/i, /"cache-control"/i]
+            end
+
+            def accepted_values
+              [/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i, /'cache-control'/i, /"cache-control"/i]
+            end
+
+            # Determine if the given metatag does not have a valid cache-control tag.
+            # Meta tags has the option to set http-equiv and content to set the http response header
+            # to define for the document
+            #
+            # @param tag [String] the meta tag
+            # @return [Boolean, nil]
+            def meta_cache_tag? tag
+              # Here we should determine the index of the needed keys
+              # http-equiv and content
+              http_equiv_idx = tag =~ /http-equiv=/i
+              return false unless http_equiv_idx
+
+              content_idx = tag =~ /content=/i
+              return false unless content_idx
+
+              # determine the value of the http-equiv if it's cache-control
+              http_equiv_idx += 11
+              is_valid = accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
+              return false unless is_valid
+
+              content_idx += 8
+              return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
+
+              true
+            end
+
+            # This method accepts the violation and transforms it to the proper hash
+            # before return in as violation
+            #
+            # @param type [String] String of Header or META of the type
+            # @param name [String] String of either cache-control or pragma
+            # @param value [String] String of the violated value
+            def evidence type, name, value
+              { DATA => { type: type, name: name, value: value }.to_s }
+            end
+
+            # Rebuilds the String value of the Cache-Control Header
+            # from the hash build in the Rack::Response
+            #
+            # @param hsh [Hash]
+            # @return [String]
+            def cache_control_to_s hsh
+              values = []
+              hsh.each_pair do |k, v|
+                key = k.to_s.tr('_', '-')
+                values << if key.to_sym == :extras
+                            v
+                          elsif v.is_a?(TrueClass)
+                            key
+                          else
+                            "#{ key }=#{ v }"
+                          end
+              end
+              values.join(', ')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the headers contains the required header
+          class ClickJacking < HeaderRule
+            def rule_id
+              'clickjacking-control-missing'
+            end
+
+            HEADER_KEYS = %w[X-Frame-Options].cs__freeze
+            ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb

@@ -0,0 +1,100 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check that the HTTP Headers include CSP header types
+          class CspHeaderInsecure < HeaderRule
+            def rule_id
+              'csp-header-insecure'
+            end
+
+            protected
+
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            DEFAULT_SAFE = false
+            SETTINGS = %w[
+              base-uri child-src default-src connect-src frame-src media-src object-src script-src
+              style-src form-action frame-ancestors plugin-types reflected-xss referer
+            ].cs__freeze
+            UNSAFE_VALUE_REGEXP = /^unsafe-(?:inline|eval)$/.cs__freeze
+            ASTERISK_REGEXP = /[*]/.cs__freeze
+            SAFE_REFLECTED_XSS = /1/.cs__freeze
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
+            def violated? response
+              settings = {}
+              csp_hash = get_header_value(response)
+              return if csp_hash.nil?
+
+              SETTINGS.each do |setting_attr|
+                # default src has to be checked all other keys may be missing
+                next unless csp_hash.key?(setting_attr) || setting_attr == 'default-src'
+
+                value = csp_hash[setting_attr]
+                key = convert_key(setting_attr)
+                settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
+                settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
+              end
+              evidence(settings) if settings.value?(false)
+            end
+
+            # Get the CSP values from and transforms them to key value hash
+            #
+            # ex default-src 'self' *.test.com; img-src * becomes:
+            # { default-src: "'self' *.test.com", img-src: "*" }
+            #
+            # @param headers [Hash] the response of the application
+            # @return [Array, nil] array of CSP header values
+            def get_header_value response
+              csp_hash = {}
+              headers = response.headers
+              HEADER_KEYS.each do |header_key|
+                next unless headers[header_key]&.length&.positive?
+
+                values = headers[header_key].split(Contrast::Utils::ObjectShare::SEMICOLON)
+                values.each do |value|
+                  normalized = value.downcase.strip
+                  kv = normalized.split(Contrast::Utils::ObjectShare::SPACE, 2)
+                  csp_hash[kv[0]] = kv[1]
+                end
+              end
+              csp_hash
+            end
+
+            def value_secure? value
+              ASTERISK_REGEXP.match(value).nil?
+            end
+
+            def value_safe? value
+              UNSAFE_VALUE_REGEXP.match(value).nil? || !SAFE_REFLECTED_XSS.match(value).nil?
+            end
+
+            # Converts the CSP key to camelcase to be used as key for evidence object
+            #
+            #  base-uri -> baseUri
+            #
+            # @param key [String] key as found in header
+            # @return [String] camelcase key
+            def convert_key key
+              return key unless key.include?('-')
+
+              str = key.split('-')
+              "#{ str[0] }#{ str[1].capitalize }"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check that the HTTP Headers include CSP header types
+          class CspHeaderMissing < HeaderRule
+            def rule_id
+              'csp-header-missing'
+            end
+
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            ACCEPTED_VALUES = [/(.)/].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rails'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          module Framework
+            # Rails 7 supports managing potential unsafe Headers
+            # this module contains methods for checking if Rails 7 supercedes our rules
+            module RailsSupport
+              RAILS_VERSION = Gem::Version.new('7.0.0')
+
+              def framework_supported?
+                rails_version = ::Rails.version
+                return false unless !!rails_version
+
+                Gem::Version.new(rails_version) >= RAILS_VERSION
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end