contrast-agent 4.4.0 → 4.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitmodules +1 -1
- data/.simplecov +1 -1
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +2 -3
- data/exe/contrast_service +1 -1
- data/ext/build_funchook.rb +4 -4
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
- data/ext/cs__assess_active_record_named/extconf.rb +1 -1
- data/ext/cs__assess_array/cs__assess_array.c +1 -1
- data/ext/cs__assess_array/extconf.rb +1 -1
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
- data/ext/cs__assess_basic_object/extconf.rb +1 -1
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_fiber_track/extconf.rb +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
- data/ext/cs__assess_hash/extconf.rb +1 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
- data/ext/cs__assess_kernel/extconf.rb +1 -1
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
- data/ext/cs__assess_marshal_module/extconf.rb +1 -1
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_module/extconf.rb +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
- data/ext/cs__assess_regexp/extconf.rb +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +1 -1
- data/ext/cs__assess_string/extconf.rb +1 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
- data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +1 -1
- data/ext/cs__common/cs__common.c +5 -5
- data/ext/cs__common/cs__common.h +4 -4
- data/ext/cs__common/extconf.rb +1 -1
- data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
- data/ext/cs__contrast_patch/extconf.rb +1 -1
- data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
- data/ext/cs__protect_kernel/extconf.rb +1 -1
- data/ext/extconf_common.rb +2 -6
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +20 -1
- data/lib/contrast/agent.rb +1 -3
- data/lib/contrast/agent/assess.rb +2 -2
- data/lib/contrast/agent/assess/contrast_event.rb +54 -69
- data/lib/contrast/agent/assess/contrast_object.rb +3 -3
- data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
- data/lib/contrast/agent/assess/events/source_event.rb +7 -2
- data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +26 -34
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +24 -20
- data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
- data/lib/contrast/agent/assess/policy/policy.rb +1 -1
- data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +8 -21
- data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
- data/lib/contrast/agent/assess/policy/propagator.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator/append.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +4 -8
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -8
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
- data/lib/contrast/agent/assess/policy/trigger_method.rb +102 -74
- data/lib/contrast/agent/assess/policy/trigger_node.rb +5 -4
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +5 -4
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -3
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +2 -9
- data/lib/contrast/agent/assess/properties.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +9 -6
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/property/updated.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
- data/lib/contrast/agent/assess/tag.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +1 -1
- data/lib/contrast/agent/at_exit_hook.rb +1 -1
- data/lib/contrast/agent/class_reopener.rb +4 -2
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
- data/lib/contrast/agent/disable_reaction.rb +2 -4
- data/lib/contrast/agent/exclusion_matcher.rb +6 -12
- data/lib/contrast/agent/inventory.rb +1 -2
- data/lib/contrast/agent/inventory/dependencies.rb +3 -1
- data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
- data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
- data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/middleware.rb +38 -67
- data/lib/contrast/agent/module_data.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
- data/lib/contrast/agent/patching/policy/patch.rb +23 -29
- data/lib/contrast/agent/patching/policy/patch_status.rb +7 -8
- data/lib/contrast/agent/patching/policy/patcher.rb +23 -22
- data/lib/contrast/agent/patching/policy/policy.rb +14 -21
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
- data/lib/contrast/agent/patching/policy/trigger_node.rb +22 -9
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
- data/lib/contrast/agent/protect/policy/policy.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +19 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
- data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
- data/lib/contrast/agent/protect/rule/sqli.rb +3 -3
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
- data/lib/contrast/agent/protect/rule/xss.rb +2 -2
- data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
- data/lib/contrast/agent/reaction_processor.rb +12 -11
- data/lib/contrast/agent/request.rb +25 -24
- data/lib/contrast/agent/request_context.rb +13 -23
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/response.rb +1 -1
- data/lib/contrast/agent/rewriter.rb +6 -4
- data/lib/contrast/agent/rule_set.rb +3 -3
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +3 -4
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/tracepoint_hook.rb +2 -2
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent/worker_thread.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/communication.rb +1 -1
- data/lib/contrast/api/communication/connection_status.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +1 -1
- data/lib/contrast/api/communication/response_processor.rb +5 -7
- data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +9 -22
- data/lib/contrast/api/communication/speedracer.rb +6 -10
- data/lib/contrast/api/communication/tcp_socket.rb +1 -1
- data/lib/contrast/api/communication/unix_socket.rb +1 -1
- data/lib/contrast/api/decorators.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +1 -1
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +10 -4
- data/lib/contrast/api/decorators/application_update.rb +1 -1
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/input_analysis.rb +1 -1
- data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
- data/lib/contrast/api/decorators/library.rb +9 -7
- data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
- data/lib/contrast/api/decorators/message.rb +4 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
- data/lib/contrast/api/decorators/route_coverage.rb +1 -1
- data/lib/contrast/api/decorators/server_features.rb +1 -1
- data/lib/contrast/api/decorators/trace_event.rb +4 -2
- data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
- data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
- data/lib/contrast/api/decorators/user_input.rb +1 -1
- data/lib/contrast/components/agent.rb +14 -15
- data/lib/contrast/components/app_context.rb +7 -7
- data/lib/contrast/components/assess.rb +6 -11
- data/lib/contrast/components/config.rb +3 -2
- data/lib/contrast/components/contrast_service.rb +8 -9
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/interface.rb +4 -3
- data/lib/contrast/components/inventory.rb +1 -1
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/protect.rb +11 -14
- data/lib/contrast/components/sampling.rb +9 -3
- data/lib/contrast/components/scope.rb +2 -1
- data/lib/contrast/components/settings.rb +27 -98
- data/lib/contrast/config.rb +1 -1
- data/lib/contrast/config/agent_configuration.rb +1 -1
- data/lib/contrast/config/application_configuration.rb +1 -1
- data/lib/contrast/config/assess_configuration.rb +1 -1
- data/lib/contrast/config/assess_rules_configuration.rb +2 -4
- data/lib/contrast/config/base_configuration.rb +5 -6
- data/lib/contrast/config/default_value.rb +1 -1
- data/lib/contrast/config/exception_configuration.rb +2 -6
- data/lib/contrast/config/heap_dump_configuration.rb +13 -7
- data/lib/contrast/config/inventory_configuration.rb +1 -1
- data/lib/contrast/config/logger_configuration.rb +2 -6
- data/lib/contrast/config/protect_configuration.rb +1 -1
- data/lib/contrast/config/protect_rule_configuration.rb +23 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/config/root_configuration.rb +1 -1
- data/lib/contrast/config/ruby_configuration.rb +1 -1
- data/lib/contrast/config/sampling_configuration.rb +1 -1
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +1 -1
- data/lib/contrast/configuration.rb +4 -15
- data/lib/contrast/delegators/input_analysis.rb +12 -0
- data/lib/contrast/extension/assess.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +2 -7
- data/lib/contrast/extension/assess/erb.rb +2 -8
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
- data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
- data/lib/contrast/extension/assess/fiber.rb +3 -13
- data/lib/contrast/extension/assess/hash.rb +1 -1
- data/lib/contrast/extension/assess/kernel.rb +3 -10
- data/lib/contrast/extension/assess/marshal.rb +3 -11
- data/lib/contrast/extension/assess/regexp.rb +2 -7
- data/lib/contrast/extension/assess/string.rb +4 -2
- data/lib/contrast/extension/delegator.rb +1 -1
- data/lib/contrast/extension/inventory.rb +1 -1
- data/lib/contrast/extension/kernel.rb +5 -3
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect.rb +1 -1
- data/lib/contrast/extension/protect/kernel.rb +1 -1
- data/lib/contrast/extension/protect/psych.rb +1 -1
- data/lib/contrast/extension/thread.rb +1 -1
- data/lib/contrast/framework/base_support.rb +1 -1
- data/lib/contrast/framework/manager.rb +5 -9
- data/lib/contrast/framework/platform_version.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
- data/lib/contrast/framework/rack/patch/support.rb +7 -5
- data/lib/contrast/framework/rack/support.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
- data/lib/contrast/framework/rails/patch/support.rb +6 -4
- data/lib/contrast/framework/rails/railtie.rb +32 -0
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
- data/lib/contrast/framework/rails/support.rb +3 -3
- data/lib/contrast/framework/sinatra/support.rb +4 -2
- data/lib/contrast/funchook/funchook.rb +2 -6
- data/lib/contrast/logger/application.rb +13 -10
- data/lib/contrast/logger/format.rb +3 -6
- data/lib/contrast/logger/log.rb +5 -4
- data/lib/contrast/logger/request.rb +2 -3
- data/lib/contrast/logger/time.rb +1 -1
- data/lib/contrast/security_exception.rb +2 -2
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +6 -2
- data/lib/contrast/utils/assess/sampling_util.rb +1 -1
- data/lib/contrast/utils/assess/tracking_util.rb +2 -3
- data/lib/contrast/utils/class_util.rb +15 -11
- data/lib/contrast/utils/duck_utils.rb +1 -1
- data/lib/contrast/utils/env_configuration_item.rb +1 -1
- data/lib/contrast/utils/hash_digest.rb +16 -24
- data/lib/contrast/utils/heap_dump_util.rb +1 -1
- data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
- data/lib/contrast/utils/inventory_util.rb +1 -1
- data/lib/contrast/utils/io_util.rb +2 -2
- data/lib/contrast/utils/job_servers_running.rb +10 -5
- data/lib/contrast/utils/object_share.rb +1 -1
- data/lib/contrast/utils/os.rb +3 -2
- data/lib/contrast/utils/preflight_util.rb +1 -1
- data/lib/contrast/utils/resource_loader.rb +1 -1
- data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
- data/lib/contrast/utils/sha256_builder.rb +1 -1
- data/lib/contrast/utils/stack_trace_utils.rb +1 -1
- data/lib/contrast/utils/string_utils.rb +1 -1
- data/lib/contrast/utils/tag_util.rb +1 -1
- data/lib/contrast/utils/thread_tracker.rb +1 -1
- data/lib/contrast/utils/timer.rb +1 -1
- data/resources/assess/policy.json +60 -2
- data/resources/deadzone/policy.json +7 -23
- data/ruby-agent.gemspec +22 -20
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- data/sonar-project.properties +9 -0
- metadata +94 -50
- data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
- data/lib/contrast/agent/railtie.rb +0 -31
- data/lib/contrast/common_agent_configuration.rb +0 -87
@@ -1,6 +1,8 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
|
5
|
+
|
4
6
|
require 'contrast/agent/patching/policy/patch_status'
|
5
7
|
require 'contrast/agent/module_data'
|
6
8
|
require 'contrast/agent/rewriter'
|
@@ -41,7 +43,9 @@ module Contrast
|
|
41
43
|
module_name = mod.cs__name
|
42
44
|
return unless module_name
|
43
45
|
|
44
|
-
if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START,
|
46
|
+
if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START,
|
47
|
+
Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
|
48
|
+
|
45
49
|
status.no_rewrite!
|
46
50
|
return
|
47
51
|
|
@@ -64,8 +68,7 @@ module Contrast
|
|
64
68
|
# To get around this, we have those methods tell us the class
|
65
69
|
# isn't ready
|
66
70
|
def mid_defining? mod
|
67
|
-
mod.instance_variable_defined?(:@cs__defining_class) &&
|
68
|
-
mod.instance_variable_get(:@cs__defining_class)
|
71
|
+
mod.instance_variable_defined?(:@cs__defining_class) && mod.instance_variable_get(:@cs__defining_class)
|
69
72
|
end
|
70
73
|
|
71
74
|
def agent_should_rewrite?
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'set'
|
@@ -11,10 +11,9 @@ module Contrast
|
|
11
11
|
module Agent
|
12
12
|
module Assess
|
13
13
|
module Policy
|
14
|
-
# This class controls the actions we take on Sources, as determined by
|
15
|
-
#
|
16
|
-
#
|
17
|
-
# dataflows used in Assess vulnerability detection.
|
14
|
+
# This class controls the actions we take on Sources, as determined by our Assess policy. It indicates what
|
15
|
+
# actions we should take in order to mark data as User Input and treat it as untrusted, starting the dataflows
|
16
|
+
# used in Assess vulnerability detection.
|
18
17
|
module SourceMethod
|
19
18
|
include Contrast::Components::Interface
|
20
19
|
access_component :analysis, :logging
|
@@ -27,22 +26,17 @@ module Contrast
|
|
27
26
|
COOKIE_KEY_TYPE = 'COOKIE_KEY'
|
28
27
|
|
29
28
|
class << self
|
30
|
-
# This is called from within our woven proc. It will be called as if it
|
31
|
-
#
|
29
|
+
# This is called from within our woven proc. It will be called as if it were inline in the Rack
|
30
|
+
# application.
|
32
31
|
#
|
33
|
-
# @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
|
34
|
-
#
|
32
|
+
# @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
|
33
|
+
# method being called
|
35
34
|
# @param object [Object] the Object on which the method was invoked
|
36
35
|
# @param ret [Object] the Return of the invoked method
|
37
|
-
# @param args [Array<Object>] the Arguments with which the method
|
38
|
-
#
|
39
|
-
# @return [Object, nil] the tracked Return or nil if no changes
|
40
|
-
# were made
|
36
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
37
|
+
# @return [Object, nil] the tracked Return or nil if no changes were made
|
41
38
|
def source_patchers method_policy, object, ret, args
|
42
|
-
return
|
43
|
-
|
44
|
-
current_context = Contrast::Agent::REQUEST_TRACKER.current
|
45
|
-
return unless current_context&.analyze_request? && ASSESS.enabled?
|
39
|
+
return unless analyze?(method_policy, object, ret, args)
|
46
40
|
|
47
41
|
source_node = method_policy.source_node
|
48
42
|
target = determine_target(source_node, object, ret, args)
|
@@ -62,29 +56,26 @@ module Contrast
|
|
62
56
|
# double check that we were able to finalize the replaced return
|
63
57
|
return unless Contrast::Agent::Assess::Tracker.trackable?(target)
|
64
58
|
end
|
65
|
-
apply_source(
|
59
|
+
apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret,
|
60
|
+
source_node.type, nil, *args)
|
66
61
|
restore_frozen_state ? ret : nil
|
67
62
|
end
|
68
63
|
|
69
64
|
private
|
70
65
|
|
71
|
-
# This is our method that actually taints the object our
|
72
|
-
# source_node targets.
|
66
|
+
# This is our method that actually taints the object our source_node targets.
|
73
67
|
#
|
74
|
-
# @param context [Contrast::Utils::ThreadTracker] the current request
|
75
|
-
#
|
76
|
-
#
|
77
|
-
# the node to direct applying this source event
|
68
|
+
# @param context [Contrast::Utils::ThreadTracker] the current request context
|
69
|
+
# @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
|
70
|
+
# event
|
78
71
|
# @param target [Object] the target of the Source Event
|
79
72
|
# @param object [Object] the Object on which the method was invoked
|
80
73
|
# @param ret [Object] the Return of the invoked method
|
81
|
-
# @param source_type [String] the type of this source, from the
|
82
|
-
#
|
83
|
-
# @param source_name [String, nil] the name of this source, i.e.
|
84
|
-
#
|
85
|
-
#
|
86
|
-
# @param args [Array<Object>] the Arguments with which the method
|
87
|
-
# was invoked
|
74
|
+
# @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
|
75
|
+
# map
|
76
|
+
# @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a map or
|
77
|
+
# nil if a type like BODY
|
78
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
88
79
|
def apply_source context, source_node, target, object, ret, source_type, source_name = nil, *args
|
89
80
|
return unless context && source_node && target
|
90
81
|
|
@@ -95,37 +86,34 @@ module Contrast
|
|
95
86
|
apply_tags(source_node, target, object, ret, source_type, source_name, *args)
|
96
87
|
elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
|
97
88
|
apply_hash_tags(context, source_node, target, object, ret, source_type, *args)
|
98
|
-
# While we don't taint arrays themselves, we may taint the things
|
99
|
-
#
|
100
|
-
# try again
|
89
|
+
# While we don't taint arrays themselves, we may taint the things they hold. Let's pass their keys and
|
90
|
+
# values back to ourselves and try again
|
101
91
|
elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
|
102
|
-
target.each
|
92
|
+
target.each do |value|
|
93
|
+
apply_source(context, source_node, value, object, ret, source_type, source_name, *args)
|
94
|
+
end
|
103
95
|
end
|
104
96
|
rescue StandardError => e
|
105
97
|
logger.warn('Unable to apply source', e, node_id: source_node.id)
|
106
98
|
end
|
107
99
|
|
108
|
-
# While we don't taint hashes themselves, we may taint the things
|
109
|
-
#
|
110
|
-
# try again
|
100
|
+
# While we don't taint hashes themselves, we may taint the things they hold. Let's pass their keys and
|
101
|
+
# values back to ourselves and try again
|
111
102
|
#
|
112
|
-
# @param context [Contrast::Utils::ThreadTracker] the current request
|
113
|
-
#
|
114
|
-
#
|
115
|
-
# the node to direct applying this source event
|
103
|
+
# @param context [Contrast::Utils::ThreadTracker] the current request context
|
104
|
+
# @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
|
105
|
+
# event
|
116
106
|
# @param target [Object] the target of the Source Event
|
117
107
|
# @param object [Object] the Object on which the method was invoked
|
118
108
|
# @param ret [Object] the Return of the invoked method
|
119
|
-
# @param source_type [String] the type of this source, from the
|
120
|
-
#
|
121
|
-
# @param args [Array<Object>] the Arguments with which the method
|
122
|
-
# was invoked
|
109
|
+
# @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
|
110
|
+
# map
|
111
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
123
112
|
def apply_hash_tags context, source_node, target, object, ret, source_type, *args
|
124
113
|
to_replace = []
|
125
114
|
target.each_pair do |key, value|
|
126
|
-
# We only do this for Strings b/c of the way Hash lookup works.
|
127
|
-
#
|
128
|
-
# therefore, the application
|
115
|
+
# We only do this for Strings b/c of the way Hash lookup works. To replace another object would break
|
116
|
+
# hash lookup and, therefore, the application
|
129
117
|
if replace_hash_key?(key, target)
|
130
118
|
key = key.dup
|
131
119
|
to_replace << key
|
@@ -136,10 +124,8 @@ module Contrast
|
|
136
124
|
handle_hash_key(target, to_replace)
|
137
125
|
end
|
138
126
|
|
139
|
-
# Given an unfrozen hash, if the key is a String, we should replace
|
140
|
-
#
|
141
|
-
# This method handles checking if that replace can and should
|
142
|
-
# occur.
|
127
|
+
# Given an unfrozen hash, if the key is a String, we should replace it with one that we can finalize,
|
128
|
+
# allowing us to track that key. This method handles checking if that replace can and should occur.
|
143
129
|
#
|
144
130
|
# @param key [Object] the key in the hash that may need replacing.
|
145
131
|
# @param hash [Hash] the hash to which the key belongs.
|
@@ -160,9 +146,8 @@ module Contrast
|
|
160
146
|
nil
|
161
147
|
end
|
162
148
|
|
163
|
-
# Hash is designed to keep one instance of the string key in it.
|
164
|
-
#
|
165
|
-
# tracked one.
|
149
|
+
# Hash is designed to keep one instance of the string key in it. We need to remove the existing one and
|
150
|
+
# replace it with our new tracked one.
|
166
151
|
def handle_hash_key target, to_replace
|
167
152
|
to_replace.each do |key|
|
168
153
|
Contrast::Agent::Assess::Tracker.pre_freeze(key)
|
@@ -175,25 +160,19 @@ module Contrast
|
|
175
160
|
def apply_tags source_node, target, object, ret, source_type, source_name, *args
|
176
161
|
# don't apply tags if we can't track the thing
|
177
162
|
return unless Contrast::Agent::Assess::Tracker.trackable?(target)
|
178
|
-
# don't apply second source -- probably needs tuning later if we
|
179
|
-
# use more than 'UNTRUSTED' in our sources
|
163
|
+
# don't apply second source -- probably needs tuning later if we use more than 'UNTRUSTED' in our sources
|
180
164
|
return if Contrast::Agent::Assess::Tracker.tracked?(target)
|
181
165
|
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
|
182
166
|
|
183
|
-
# otherwise for each tag this source_node applies, create a tag range
|
184
|
-
#
|
185
|
-
# I realize this looping is counter-intuitive from the above
|
186
|
-
# message, that's why we're revisiting.
|
167
|
+
# otherwise for each tag this source_node applies, create a tag range on the target object. I realize
|
168
|
+
# this looping is counter-intuitive from the above message, that's why we're revisiting.
|
187
169
|
source_node.tags.each do |tag|
|
188
170
|
next unless Contrast::Agent::Assess::Policy::SourceValidation.valid?(tag, source_type, source_name)
|
189
171
|
|
190
172
|
length = Contrast::Utils::StringUtils.ret_length(target)
|
191
173
|
properties.add_tag(tag, 0...length)
|
192
174
|
properties.add_properties(source_node.properties)
|
193
|
-
logger.trace('Source detected',
|
194
|
-
node_id: source_node.id,
|
195
|
-
target_id: target.__id__,
|
196
|
-
tag: tag)
|
175
|
+
logger.trace('Source detected', node_id: source_node.id, target_id: target.__id__, tag: tag)
|
197
176
|
end
|
198
177
|
# make a representation of this method that TeamServer can render
|
199
178
|
properties.build_event(source_node, target, object, ret, args, source_type, source_name)
|
@@ -201,15 +180,13 @@ module Contrast
|
|
201
180
|
|
202
181
|
# Find the name of the source
|
203
182
|
#
|
204
|
-
# @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
|
205
|
-
#
|
183
|
+
# @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
|
184
|
+
# event
|
206
185
|
# @param object [Object] the Object on which the method was invoked
|
207
186
|
# @param ret [Object] the Return of the invoked method
|
208
|
-
# @param args [Array<Object>] the Arguments with which the method
|
209
|
-
#
|
210
|
-
#
|
211
|
-
# which this source event applies, or nil if none provided by the
|
212
|
-
# node
|
187
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
188
|
+
# @return [String, nil] the human readable name of the target to which this source event applies, or nil if
|
189
|
+
# none provided by the node
|
213
190
|
def determine_source_name source_node, object, ret, *args
|
214
191
|
return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
|
215
192
|
|
@@ -226,14 +203,50 @@ module Contrast
|
|
226
203
|
end
|
227
204
|
end
|
228
205
|
|
206
|
+
# Determine if we should analyze this method invocation for a Source or not. We should if we have enough
|
207
|
+
# information to build the context of this invocation, we're not disabled, and we can't immediately
|
208
|
+
# determine the invocation was done safely.
|
209
|
+
#
|
210
|
+
# @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
|
211
|
+
# method being called
|
212
|
+
# @param object [Object] the Object on which the method was invoked
|
213
|
+
# @param ret [Object] the Return of the invoked method
|
214
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
215
|
+
# @return [boolean] if the invocation of this method should be analyzed
|
216
|
+
def analyze? method_policy, object, ret, args
|
217
|
+
return false unless method_policy&.source_node
|
218
|
+
return false unless ASSESS.enabled?
|
219
|
+
return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
|
220
|
+
|
221
|
+
!safe_invocation?(method_policy.source_node, object, ret, args)
|
222
|
+
end
|
223
|
+
|
224
|
+
# Determine if the method was invoked safely.
|
225
|
+
#
|
226
|
+
# @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
|
227
|
+
# event
|
228
|
+
# @param _object [Object] the Object on which the method was invoked
|
229
|
+
# @param _ret [Object] the Return of the invoked method
|
230
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
231
|
+
# @return [boolean] if the invocation of this method was safe
|
232
|
+
def safe_invocation? source_node, _object, _ret, args
|
233
|
+
# According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
|
234
|
+
# from the Request will start with HTTP_. As such, only Headers with that key should be considered for
|
235
|
+
# tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
|
236
|
+
# instance, uses action_dispatch. to store several values. Technically, you can't call
|
237
|
+
# Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
|
238
|
+
source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
|
239
|
+
args&.any? &&
|
240
|
+
!args[0].to_s.start_with?('HTTP_')
|
241
|
+
end
|
242
|
+
|
229
243
|
# Find the literal target of the propagation
|
230
244
|
#
|
231
|
-
# @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
|
232
|
-
#
|
245
|
+
# @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
|
246
|
+
# event
|
233
247
|
# @param object [Object] the Object on which the method was invoked
|
234
248
|
# @param ret [Object] the Return of the invoked method
|
235
|
-
# @param args [Array<Object>] the Arguments with which the method
|
236
|
-
# was invoked
|
249
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
237
250
|
# @return [Object] the target to which this source event applies
|
238
251
|
def determine_target source_node, object, ret, args
|
239
252
|
source_target = source_node.targets[0]
|
@@ -247,12 +260,10 @@ module Contrast
|
|
247
260
|
end
|
248
261
|
end
|
249
262
|
|
250
|
-
# Simple helper method to flip the type from value to key when the
|
251
|
-
# source is the key of a Hash
|
263
|
+
# Simple helper method to flip the type from value to key when the source is the key of a Hash
|
252
264
|
#
|
253
265
|
# @param source_type [String] the original value source type
|
254
|
-
# @return [String] the key form of the source type, if one exists,
|
255
|
-
# else the original source type
|
266
|
+
# @return [String] the key form of the source type, if one exists, else the original source type
|
256
267
|
def key_type source_type
|
257
268
|
case source_type
|
258
269
|
when PARAMETER_TYPE
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/assess/policy/source_method'
|
@@ -8,11 +8,13 @@ module Contrast
|
|
8
8
|
module Assess
|
9
9
|
module Policy
|
10
10
|
module SourceValidation
|
11
|
-
# Validator used to assert a CROSS_SITE tag is actually applicable to
|
12
|
-
#
|
11
|
+
# Validator used to assert a CROSS_SITE tag is actually applicable to the given method before applying the
|
12
|
+
# tag to its target
|
13
13
|
module CrossSiteValidator
|
14
|
-
#
|
15
|
-
#
|
14
|
+
# Prevent the application of a tag if it is from a source known to not apply a tag in a provided context.
|
15
|
+
# Note that for Rack, the Header will be HTTP_REFERER. Rails does some help in
|
16
|
+
# ActionDispatch::Http::Headers to convert keys like `referer` to `HTTP_REFERER` before they get to the
|
17
|
+
# Rack::Request#get_header method
|
16
18
|
# https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
|
17
19
|
def self.valid? tag, source_type, source_name
|
18
20
|
return true unless tag == 'CROSS_SITE'
|
@@ -20,7 +22,7 @@ module Contrast
|
|
20
22
|
return true unless source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE
|
21
23
|
return false unless source_name
|
22
24
|
|
23
|
-
source_name
|
25
|
+
source_name == 'HTTP_REFERER'
|
24
26
|
end
|
25
27
|
end
|
26
28
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/assess/policy/source_validation/cross_site_validator'
|
@@ -11,9 +11,7 @@ module Contrast
|
|
11
11
|
# certain tags in a given context. This provides a single place from
|
12
12
|
# which those validations can be called.
|
13
13
|
module SourceValidation
|
14
|
-
VALIDATORS = [
|
15
|
-
Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator
|
16
|
-
].cs__freeze
|
14
|
+
VALIDATORS = [Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator].cs__freeze
|
17
15
|
|
18
16
|
# Determines if the conditions in which this source was called are
|
19
17
|
# valid and should result in the application of a tag
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -24,7 +24,7 @@ module Contrast
|
|
24
24
|
}.cs__freeze
|
25
25
|
TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
|
26
26
|
|
27
|
-
def xss_tilt_trigger
|
27
|
+
def xss_tilt_trigger trigger_node, _source, object, ret, *args
|
28
28
|
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
|
29
29
|
|
30
30
|
scope = args[0]
|
@@ -44,7 +44,11 @@ module Contrast
|
|
44
44
|
end
|
45
45
|
|
46
46
|
if Contrast::Agent::Assess::Tracker.tracked?(ret)
|
47
|
-
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
|
47
|
+
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
|
48
|
+
ret,
|
49
|
+
erb_template_prerender,
|
50
|
+
ret,
|
51
|
+
interpolated_inputs)
|
48
52
|
end
|
49
53
|
|
50
54
|
ret
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -19,31 +19,30 @@ module Contrast
|
|
19
19
|
include Contrast::Components::Interface
|
20
20
|
|
21
21
|
class << self
|
22
|
-
def xpath_expression_trigger
|
22
|
+
def xpath_expression_trigger trigger_node, _source, object, ret, *args
|
23
23
|
return ret unless args
|
24
24
|
|
25
|
-
process(
|
25
|
+
process(trigger_node, object, ret, *args)
|
26
26
|
end
|
27
27
|
|
28
|
-
def xpath_oga_trigger
|
28
|
+
def xpath_oga_trigger trigger_node, _source, object, ret, *args
|
29
29
|
return ret unless args
|
30
30
|
|
31
31
|
# convert the options arg in Oga::XML::CharacterNode#initialize into an
|
32
32
|
# array of its values so we can check if any are unsafe
|
33
33
|
args = args.first.values if args.first.cs__is_a?(Hash)
|
34
|
-
process(
|
34
|
+
process(trigger_node, object, ret, *args)
|
35
35
|
end
|
36
36
|
|
37
37
|
private
|
38
38
|
|
39
|
-
def process
|
39
|
+
def process trigger_node, object, ret, *args
|
40
40
|
args.each do |arg|
|
41
41
|
next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
|
42
42
|
next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
|
43
43
|
next unless trigger_node.violated?(arg)
|
44
44
|
|
45
|
-
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
|
46
|
-
context, trigger_node, arg, object, ret, *args)
|
45
|
+
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, arg, object, ret, *args)
|
47
46
|
end
|
48
47
|
|
49
48
|
ret
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/assess/events/event_factory'
|
@@ -27,24 +27,6 @@ module Contrast
|
|
27
27
|
CURRENT_FINDING_VERSION = 4
|
28
28
|
|
29
29
|
class << self
|
30
|
-
# Append the given finding to the given context to be reported when
|
31
|
-
# the Context's activity is sent to the Service or, in the absence
|
32
|
-
# of that Context, generate an Activity and queue it manually
|
33
|
-
# @param finding [Contrast::Api::Dtm::Finding]
|
34
|
-
def report_finding finding
|
35
|
-
context = Contrast::Agent::REQUEST_TRACKER.current
|
36
|
-
if context
|
37
|
-
context.activity.findings << finding
|
38
|
-
else
|
39
|
-
activity = Contrast::Api::Dtm::Activity.new
|
40
|
-
activity.findings << finding
|
41
|
-
|
42
|
-
Contrast::Agent.messaging_queue.send_event_eventually(activity)
|
43
|
-
end
|
44
|
-
logger.debug('Finding reported',
|
45
|
-
rule: finding.rule_id)
|
46
|
-
end
|
47
|
-
|
48
30
|
# This is called from within our woven proc. It will be called as if it
|
49
31
|
# were inline in the Rack application.
|
50
32
|
#
|
@@ -57,38 +39,23 @@ module Contrast
|
|
57
39
|
def apply_trigger_rule trigger_node, object, ret, args
|
58
40
|
return if trigger_node.nil?
|
59
41
|
|
60
|
-
current_context = Contrast::Agent::REQUEST_TRACKER.current
|
61
|
-
return unless current_context&.analyze_request? && ASSESS.enabled?
|
62
|
-
|
63
42
|
if trigger_node.sources&.any?
|
64
43
|
trigger_node.sources.each do |marker|
|
65
44
|
source = determine_source(marker, object, ret, args)
|
66
|
-
apply_trigger(
|
67
|
-
trigger_node,
|
68
|
-
source,
|
69
|
-
object,
|
70
|
-
ret,
|
71
|
-
*args)
|
45
|
+
apply_trigger(trigger_node, source, object, ret, *args)
|
72
46
|
end
|
73
47
|
else
|
74
|
-
apply_trigger(
|
75
|
-
trigger_node,
|
76
|
-
nil,
|
77
|
-
object,
|
78
|
-
ret,
|
79
|
-
*args)
|
48
|
+
apply_trigger(trigger_node, nil, object, ret, *args)
|
80
49
|
end
|
81
50
|
end
|
82
51
|
|
83
|
-
def apply_eval_trigger
|
84
|
-
apply_trigger(
|
52
|
+
def apply_eval_trigger trigger_node, source, object, ret, *args
|
53
|
+
apply_trigger(trigger_node, source, object, ret, *args)
|
85
54
|
end
|
86
55
|
|
87
56
|
# This converts the source of the finding, and the events leading
|
88
57
|
# up to it into a Finding
|
89
58
|
#
|
90
|
-
# @param context [Contrast::Agent::RequestContext] the current
|
91
|
-
# request context
|
92
59
|
# @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
|
93
60
|
# the node to direct applying this trigger event
|
94
61
|
# @param source [Object] the source of the Trigger Event
|
@@ -99,44 +66,94 @@ module Contrast
|
|
99
66
|
# @return [Contrast::Api::Dtm::Finding, nil] the
|
100
67
|
# Contrast::Api::Dtm::Finding to send to TeamServer or nil if
|
101
68
|
# conditions were not met
|
102
|
-
def build_finding
|
69
|
+
def build_finding trigger_node, source, object, ret, *args
|
103
70
|
return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
|
104
|
-
|
71
|
+
|
72
|
+
request = find_request(source)
|
73
|
+
return unless reportable?(request&.env)
|
105
74
|
|
106
75
|
finding = Contrast::Api::Dtm::Finding.new
|
107
76
|
finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
|
108
|
-
|
109
|
-
finding
|
110
|
-
|
111
|
-
finding
|
77
|
+
|
78
|
+
append_events(finding, trigger_node, source, object, ret, args)
|
79
|
+
append_route(finding, request)
|
80
|
+
append_hash(finding, source, request)
|
112
81
|
finding.version = determine_compliance_version(finding)
|
113
|
-
logger.trace('Finding created',
|
114
|
-
|
115
|
-
|
116
|
-
rule: trigger_node.rule_id)
|
117
|
-
report_finding(finding)
|
82
|
+
logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
|
83
|
+
rule: trigger_node.rule_id)
|
84
|
+
report_finding(finding, request)
|
118
85
|
rescue StandardError => e
|
119
86
|
logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
|
120
87
|
end
|
121
88
|
|
89
|
+
# Given a finding, append it to an activity message and send it to
|
90
|
+
# the Service for processing.
|
91
|
+
#
|
92
|
+
# @param finding [Contrast::Api::Dtm::Finding] the Finding to
|
93
|
+
# report.
|
94
|
+
# @param request [Contrast::Agent::Request] our wrapper around the
|
95
|
+
# Rack::Request.
|
96
|
+
def report_finding finding, request = nil
|
97
|
+
context = Contrast::Agent::REQUEST_TRACKER.current
|
98
|
+
if context
|
99
|
+
context.activity.findings << finding
|
100
|
+
return
|
101
|
+
end
|
102
|
+
|
103
|
+
activity = Contrast::Api::Dtm::Activity.new
|
104
|
+
activity.findings << finding
|
105
|
+
if request
|
106
|
+
activity.http_request = request.dtm
|
107
|
+
else
|
108
|
+
logger.debug('Attempted to report finding without request', finding: finding)
|
109
|
+
end
|
110
|
+
|
111
|
+
# If we're out of request context, then we need to report this
|
112
|
+
# finding ourselves, so we'll send it in the one-off activity we
|
113
|
+
# created.
|
114
|
+
Contrast::Agent.messaging_queue.send_event_eventually(activity)
|
115
|
+
end
|
116
|
+
|
122
117
|
private
|
123
118
|
|
124
119
|
# A request is reportable if it is not from ActionController::Live
|
125
120
|
#
|
126
|
-
# @param
|
121
|
+
# @param env [Hash] the env of the Request
|
127
122
|
# @return [Boolean]
|
128
|
-
def reportable?
|
129
|
-
env = context.request.env
|
123
|
+
def reportable? env
|
130
124
|
!(defined?(ActionController::Live) &&
|
131
125
|
env &&
|
132
126
|
env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
|
133
127
|
end
|
134
128
|
|
129
|
+
# Find the request for this finding. This assumes, for now, that if
|
130
|
+
# there is an active request, then that is the request to report.
|
131
|
+
# Otherwise, we'll use the first request found in the events of the
|
132
|
+
# source_object.
|
133
|
+
#
|
134
|
+
# @param source [Object,nil] some Object used as the source of a
|
135
|
+
# trigger event
|
136
|
+
# @return [Contrast::Agent::Request,nil] the request from which the
|
137
|
+
# dataflow on the request originated.
|
138
|
+
def find_request source
|
139
|
+
return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
|
140
|
+
return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
|
141
|
+
|
142
|
+
properties.events.each do |event|
|
143
|
+
next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
|
144
|
+
|
145
|
+
return event.request if event.request
|
146
|
+
end
|
147
|
+
nil
|
148
|
+
end
|
149
|
+
|
150
|
+
def settings
|
151
|
+
Contrast::Agent::FeatureState.instance
|
152
|
+
end
|
153
|
+
|
135
154
|
# This is our method that actually checks the taint on the object
|
136
155
|
# our trigger_node targets.
|
137
156
|
#
|
138
|
-
# @param context [Contrast::Agent::RequestContext] the current
|
139
|
-
# request context
|
140
157
|
# @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
|
141
158
|
# the node to direct applying this trigger event
|
142
159
|
# @param source [Object] the source of the Trigger Event
|
@@ -144,19 +161,19 @@ module Contrast
|
|
144
161
|
# @param ret [Object] the Return of the invoked method
|
145
162
|
# @param args [Array<Object>] the Arguments with which the method
|
146
163
|
# was invoked
|
147
|
-
def apply_trigger
|
148
|
-
return unless
|
164
|
+
def apply_trigger trigger_node, source, object, ret, *args
|
165
|
+
return unless trigger_node
|
149
166
|
return if trigger_node.rule_disabled?
|
150
167
|
return if trigger_node.dataflow? && source.nil?
|
151
168
|
|
152
169
|
if trigger_node.regexp_rule?
|
153
|
-
apply_regexp_rule(
|
170
|
+
apply_regexp_rule(trigger_node, source, object, ret, *args)
|
154
171
|
elsif trigger_node.custom_trigger?
|
155
|
-
trigger_node.apply_custom_trigger(
|
172
|
+
trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
|
156
173
|
elsif trigger_node.dataflow?
|
157
|
-
apply_dataflow_rule(
|
174
|
+
apply_dataflow_rule(trigger_node, source, object, ret, *args)
|
158
175
|
else # trigger rule - just calling the method is dangerous
|
159
|
-
build_finding(
|
176
|
+
build_finding(trigger_node, source, object, ret, *args)
|
160
177
|
end
|
161
178
|
rescue StandardError => e
|
162
179
|
logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
|
@@ -204,8 +221,6 @@ module Contrast
|
|
204
221
|
# This is our method that actually checks the taint on the object
|
205
222
|
# our trigger_node targets for our Regexp based rules.
|
206
223
|
#
|
207
|
-
# @param context [Contrast::Agent::RequestContext] the current
|
208
|
-
# request context
|
209
224
|
# @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
|
210
225
|
# the node to direct applying this trigger event
|
211
226
|
# @param source [Object] the source of the Trigger Event
|
@@ -213,19 +228,17 @@ module Contrast
|
|
213
228
|
# @param ret [Object] the Return of the invoked method
|
214
229
|
# @param args [Array<Object>] the Arguments with which the method
|
215
230
|
# was invoked
|
216
|
-
def apply_regexp_rule
|
231
|
+
def apply_regexp_rule trigger_node, source, object, ret, *args
|
217
232
|
return unless source.is_a?(String)
|
218
233
|
return if trigger_node.good_value && source.match?(trigger_node.good_value)
|
219
234
|
return if trigger_node.bad_value && source !~ trigger_node.bad_value
|
220
235
|
|
221
|
-
build_finding(
|
236
|
+
build_finding(trigger_node, source, object, ret, *args)
|
222
237
|
end
|
223
238
|
|
224
239
|
# This is our method that actually checks the taint on the object
|
225
240
|
# our trigger_node targets for our Dataflow based rules.
|
226
241
|
#
|
227
|
-
# @param context [Contrast::Agent::RequestContext] the current
|
228
|
-
# request context
|
229
242
|
# @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
|
230
243
|
# the node to direct applying this trigger event
|
231
244
|
# @param source [Object] the source of the Trigger Event
|
@@ -233,22 +246,22 @@ module Contrast
|
|
233
246
|
# @param ret [Object] the Return of the invoked method
|
234
247
|
# @param args [Array<Object>] the Arguments with which the method
|
235
248
|
# was invoked
|
236
|
-
def apply_dataflow_rule
|
249
|
+
def apply_dataflow_rule trigger_node, source, object, ret, *args
|
237
250
|
return unless source
|
238
251
|
|
239
252
|
if Contrast::Agent::Assess::Tracker.trackable?(source)
|
240
253
|
return unless Contrast::Agent::Assess::Tracker.tracked?(source)
|
241
254
|
return unless trigger_node.violated?(source)
|
242
255
|
|
243
|
-
build_finding(
|
256
|
+
build_finding(trigger_node, source, object, ret, *args)
|
244
257
|
elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
|
245
258
|
source.each_pair do |key, value|
|
246
|
-
apply_dataflow_rule(
|
247
|
-
apply_dataflow_rule(
|
259
|
+
apply_dataflow_rule(trigger_node, key, object, ret, *args)
|
260
|
+
apply_dataflow_rule(trigger_node, value, object, ret, *args)
|
248
261
|
end
|
249
262
|
elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
|
250
263
|
source.each do |value|
|
251
|
-
apply_dataflow_rule(
|
264
|
+
apply_dataflow_rule(trigger_node, value, object, ret, *args)
|
252
265
|
end
|
253
266
|
else
|
254
267
|
logger.debug('Trigger source is untrackable. Unable to inspect.',
|
@@ -260,7 +273,13 @@ module Contrast
|
|
260
273
|
end
|
261
274
|
end
|
262
275
|
|
263
|
-
def
|
276
|
+
def append_events finding, trigger_node, source, object, ret, args
|
277
|
+
append_from_source(finding, source)
|
278
|
+
finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,
|
279
|
+
args).to_dtm_event
|
280
|
+
end
|
281
|
+
|
282
|
+
def append_from_source finding, source
|
264
283
|
return unless source
|
265
284
|
return unless Contrast::Agent::Assess::Tracker.trackable?(source)
|
266
285
|
|
@@ -291,8 +310,17 @@ module Contrast
|
|
291
310
|
finding.events << event.to_dtm_event
|
292
311
|
end
|
293
312
|
|
294
|
-
def
|
295
|
-
|
313
|
+
def append_route finding, request
|
314
|
+
context = Contrast::Agent::REQUEST_TRACKER.current
|
315
|
+
if context
|
316
|
+
finding.routes << context.route if context.route
|
317
|
+
elsif request&.route
|
318
|
+
finding.routes << request.route
|
319
|
+
end
|
320
|
+
end
|
321
|
+
|
322
|
+
def append_hash finding, source, request
|
323
|
+
hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
|
296
324
|
finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
|
297
325
|
finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
|
298
326
|
end
|