contrast-agent 4.4.0 → 4.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitmodules +1 -1
- data/.simplecov +1 -1
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +2 -3
- data/exe/contrast_service +1 -1
- data/ext/build_funchook.rb +4 -4
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
- data/ext/cs__assess_active_record_named/extconf.rb +1 -1
- data/ext/cs__assess_array/cs__assess_array.c +1 -1
- data/ext/cs__assess_array/extconf.rb +1 -1
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
- data/ext/cs__assess_basic_object/extconf.rb +1 -1
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_fiber_track/extconf.rb +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
- data/ext/cs__assess_hash/extconf.rb +1 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
- data/ext/cs__assess_kernel/extconf.rb +1 -1
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
- data/ext/cs__assess_marshal_module/extconf.rb +1 -1
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_module/extconf.rb +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
- data/ext/cs__assess_regexp/extconf.rb +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +1 -1
- data/ext/cs__assess_string/extconf.rb +1 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
- data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +1 -1
- data/ext/cs__common/cs__common.c +5 -5
- data/ext/cs__common/cs__common.h +4 -4
- data/ext/cs__common/extconf.rb +1 -1
- data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
- data/ext/cs__contrast_patch/extconf.rb +1 -1
- data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
- data/ext/cs__protect_kernel/extconf.rb +1 -1
- data/ext/extconf_common.rb +2 -6
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +20 -1
- data/lib/contrast/agent.rb +1 -3
- data/lib/contrast/agent/assess.rb +2 -2
- data/lib/contrast/agent/assess/contrast_event.rb +54 -69
- data/lib/contrast/agent/assess/contrast_object.rb +3 -3
- data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
- data/lib/contrast/agent/assess/events/source_event.rb +7 -2
- data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +26 -34
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +24 -20
- data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
- data/lib/contrast/agent/assess/policy/policy.rb +1 -1
- data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +8 -21
- data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
- data/lib/contrast/agent/assess/policy/propagator.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator/append.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +4 -8
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -8
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
- data/lib/contrast/agent/assess/policy/trigger_method.rb +102 -74
- data/lib/contrast/agent/assess/policy/trigger_node.rb +5 -4
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +5 -4
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -3
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +2 -9
- data/lib/contrast/agent/assess/properties.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +9 -6
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/property/updated.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
- data/lib/contrast/agent/assess/tag.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +1 -1
- data/lib/contrast/agent/at_exit_hook.rb +1 -1
- data/lib/contrast/agent/class_reopener.rb +4 -2
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
- data/lib/contrast/agent/disable_reaction.rb +2 -4
- data/lib/contrast/agent/exclusion_matcher.rb +6 -12
- data/lib/contrast/agent/inventory.rb +1 -2
- data/lib/contrast/agent/inventory/dependencies.rb +3 -1
- data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
- data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
- data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/middleware.rb +38 -67
- data/lib/contrast/agent/module_data.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
- data/lib/contrast/agent/patching/policy/patch.rb +23 -29
- data/lib/contrast/agent/patching/policy/patch_status.rb +7 -8
- data/lib/contrast/agent/patching/policy/patcher.rb +23 -22
- data/lib/contrast/agent/patching/policy/policy.rb +14 -21
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
- data/lib/contrast/agent/patching/policy/trigger_node.rb +22 -9
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
- data/lib/contrast/agent/protect/policy/policy.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +19 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
- data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
- data/lib/contrast/agent/protect/rule/sqli.rb +3 -3
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
- data/lib/contrast/agent/protect/rule/xss.rb +2 -2
- data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
- data/lib/contrast/agent/reaction_processor.rb +12 -11
- data/lib/contrast/agent/request.rb +25 -24
- data/lib/contrast/agent/request_context.rb +13 -23
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/response.rb +1 -1
- data/lib/contrast/agent/rewriter.rb +6 -4
- data/lib/contrast/agent/rule_set.rb +3 -3
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +3 -4
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/tracepoint_hook.rb +2 -2
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent/worker_thread.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/communication.rb +1 -1
- data/lib/contrast/api/communication/connection_status.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +1 -1
- data/lib/contrast/api/communication/response_processor.rb +5 -7
- data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +9 -22
- data/lib/contrast/api/communication/speedracer.rb +6 -10
- data/lib/contrast/api/communication/tcp_socket.rb +1 -1
- data/lib/contrast/api/communication/unix_socket.rb +1 -1
- data/lib/contrast/api/decorators.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +1 -1
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +10 -4
- data/lib/contrast/api/decorators/application_update.rb +1 -1
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/input_analysis.rb +1 -1
- data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
- data/lib/contrast/api/decorators/library.rb +9 -7
- data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
- data/lib/contrast/api/decorators/message.rb +4 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
- data/lib/contrast/api/decorators/route_coverage.rb +1 -1
- data/lib/contrast/api/decorators/server_features.rb +1 -1
- data/lib/contrast/api/decorators/trace_event.rb +4 -2
- data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
- data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
- data/lib/contrast/api/decorators/user_input.rb +1 -1
- data/lib/contrast/components/agent.rb +14 -15
- data/lib/contrast/components/app_context.rb +7 -7
- data/lib/contrast/components/assess.rb +6 -11
- data/lib/contrast/components/config.rb +3 -2
- data/lib/contrast/components/contrast_service.rb +8 -9
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/interface.rb +4 -3
- data/lib/contrast/components/inventory.rb +1 -1
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/protect.rb +11 -14
- data/lib/contrast/components/sampling.rb +9 -3
- data/lib/contrast/components/scope.rb +2 -1
- data/lib/contrast/components/settings.rb +27 -98
- data/lib/contrast/config.rb +1 -1
- data/lib/contrast/config/agent_configuration.rb +1 -1
- data/lib/contrast/config/application_configuration.rb +1 -1
- data/lib/contrast/config/assess_configuration.rb +1 -1
- data/lib/contrast/config/assess_rules_configuration.rb +2 -4
- data/lib/contrast/config/base_configuration.rb +5 -6
- data/lib/contrast/config/default_value.rb +1 -1
- data/lib/contrast/config/exception_configuration.rb +2 -6
- data/lib/contrast/config/heap_dump_configuration.rb +13 -7
- data/lib/contrast/config/inventory_configuration.rb +1 -1
- data/lib/contrast/config/logger_configuration.rb +2 -6
- data/lib/contrast/config/protect_configuration.rb +1 -1
- data/lib/contrast/config/protect_rule_configuration.rb +23 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/config/root_configuration.rb +1 -1
- data/lib/contrast/config/ruby_configuration.rb +1 -1
- data/lib/contrast/config/sampling_configuration.rb +1 -1
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +1 -1
- data/lib/contrast/configuration.rb +4 -15
- data/lib/contrast/delegators/input_analysis.rb +12 -0
- data/lib/contrast/extension/assess.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +2 -7
- data/lib/contrast/extension/assess/erb.rb +2 -8
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
- data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
- data/lib/contrast/extension/assess/fiber.rb +3 -13
- data/lib/contrast/extension/assess/hash.rb +1 -1
- data/lib/contrast/extension/assess/kernel.rb +3 -10
- data/lib/contrast/extension/assess/marshal.rb +3 -11
- data/lib/contrast/extension/assess/regexp.rb +2 -7
- data/lib/contrast/extension/assess/string.rb +4 -2
- data/lib/contrast/extension/delegator.rb +1 -1
- data/lib/contrast/extension/inventory.rb +1 -1
- data/lib/contrast/extension/kernel.rb +5 -3
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect.rb +1 -1
- data/lib/contrast/extension/protect/kernel.rb +1 -1
- data/lib/contrast/extension/protect/psych.rb +1 -1
- data/lib/contrast/extension/thread.rb +1 -1
- data/lib/contrast/framework/base_support.rb +1 -1
- data/lib/contrast/framework/manager.rb +5 -9
- data/lib/contrast/framework/platform_version.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
- data/lib/contrast/framework/rack/patch/support.rb +7 -5
- data/lib/contrast/framework/rack/support.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
- data/lib/contrast/framework/rails/patch/support.rb +6 -4
- data/lib/contrast/framework/rails/railtie.rb +32 -0
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
- data/lib/contrast/framework/rails/support.rb +3 -3
- data/lib/contrast/framework/sinatra/support.rb +4 -2
- data/lib/contrast/funchook/funchook.rb +2 -6
- data/lib/contrast/logger/application.rb +13 -10
- data/lib/contrast/logger/format.rb +3 -6
- data/lib/contrast/logger/log.rb +5 -4
- data/lib/contrast/logger/request.rb +2 -3
- data/lib/contrast/logger/time.rb +1 -1
- data/lib/contrast/security_exception.rb +2 -2
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +6 -2
- data/lib/contrast/utils/assess/sampling_util.rb +1 -1
- data/lib/contrast/utils/assess/tracking_util.rb +2 -3
- data/lib/contrast/utils/class_util.rb +15 -11
- data/lib/contrast/utils/duck_utils.rb +1 -1
- data/lib/contrast/utils/env_configuration_item.rb +1 -1
- data/lib/contrast/utils/hash_digest.rb +16 -24
- data/lib/contrast/utils/heap_dump_util.rb +1 -1
- data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
- data/lib/contrast/utils/inventory_util.rb +1 -1
- data/lib/contrast/utils/io_util.rb +2 -2
- data/lib/contrast/utils/job_servers_running.rb +10 -5
- data/lib/contrast/utils/object_share.rb +1 -1
- data/lib/contrast/utils/os.rb +3 -2
- data/lib/contrast/utils/preflight_util.rb +1 -1
- data/lib/contrast/utils/resource_loader.rb +1 -1
- data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
- data/lib/contrast/utils/sha256_builder.rb +1 -1
- data/lib/contrast/utils/stack_trace_utils.rb +1 -1
- data/lib/contrast/utils/string_utils.rb +1 -1
- data/lib/contrast/utils/tag_util.rb +1 -1
- data/lib/contrast/utils/thread_tracker.rb +1 -1
- data/lib/contrast/utils/timer.rb +1 -1
- data/resources/assess/policy.json +60 -2
- data/resources/deadzone/policy.json +7 -23
- data/ruby-agent.gemspec +22 -20
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- data/sonar-project.properties +9 -0
- metadata +94 -50
- data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
- data/lib/contrast/agent/railtie.rb +0 -31
- data/lib/contrast/common_agent_configuration.rb +0 -87
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/patching/policy/trigger_node'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -36,42 +36,31 @@ module Contrast
|
|
36
36
|
|
37
37
|
attr_reader :mode
|
38
38
|
|
39
|
-
def initialize
|
40
|
-
PROTECT.rules[
|
41
|
-
@mode = mode_from_settings
|
39
|
+
def initialize
|
40
|
+
PROTECT.rules[rule_name] = self
|
41
|
+
@mode = mode_from_settings
|
42
42
|
end
|
43
43
|
|
44
44
|
# Should return the name as it is known to Teamserver; defaults to class
|
45
|
-
def
|
46
|
-
cs__class.
|
45
|
+
def rule_name
|
46
|
+
cs__class.cs__name
|
47
47
|
end
|
48
48
|
|
49
|
-
OFF = 'off'
|
50
|
-
|
51
49
|
def enabled?
|
52
50
|
# 1. it is not enabled because protect is not enabled
|
53
51
|
return false unless AGENT.enabled?
|
54
52
|
return false unless PROTECT.enabled?
|
55
53
|
|
56
|
-
|
57
|
-
|
58
|
-
# 2. it is not enabled because it is in the list of disabled protect rules
|
59
|
-
disabled_rules = rule_configs.disabled_rules
|
60
|
-
return false if disabled_rules&.include?(name)
|
61
|
-
|
62
|
-
# 3. it is not enabled because it has been turned "off" explicitly
|
63
|
-
rule_config = rule_configs.send(name)
|
64
|
-
|
65
|
-
return rule_config.mode != OFF unless rule_config.mode.nil?
|
66
|
-
end
|
54
|
+
# 2. it is not enabled because it is in the list of disabled protect rules
|
55
|
+
return false if PROTECT.rule_config&.disabled_rules&.include?(rule_name)
|
67
56
|
|
68
|
-
#
|
69
|
-
@mode !=
|
57
|
+
# 3. it is enabled so long as its mode is not NO_ACTION
|
58
|
+
@mode != Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
|
70
59
|
end
|
71
60
|
|
72
61
|
def excluded? exclusions
|
73
62
|
Array(exclusions).any? do |ex|
|
74
|
-
ex.protection_rule?(
|
63
|
+
ex.protection_rule?(rule_name)
|
75
64
|
end
|
76
65
|
end
|
77
66
|
|
@@ -187,8 +176,8 @@ module Contrast
|
|
187
176
|
protected
|
188
177
|
|
189
178
|
def mode_from_settings
|
190
|
-
PROTECT.rule_mode(
|
191
|
-
logger.trace('Retrieving rule mode', rule:
|
179
|
+
PROTECT.rule_mode(rule_name).tap do |mode|
|
180
|
+
logger.trace('Retrieving rule mode', rule: rule_name, mode: mode)
|
192
181
|
end
|
193
182
|
end
|
194
183
|
|
@@ -205,7 +194,7 @@ module Contrast
|
|
205
194
|
exclusions = SETTINGS.code_exclusions
|
206
195
|
return false unless exclusions
|
207
196
|
|
208
|
-
for_rule = exclusions.select { |ex| ex.protection_rule?(
|
197
|
+
for_rule = exclusions.select { |ex| ex.protection_rule?(rule_name) }
|
209
198
|
return false if for_rule.empty?
|
210
199
|
|
211
200
|
stack = caller_locations
|
@@ -224,7 +213,7 @@ module Contrast
|
|
224
213
|
# @param _kwargs [Hash] key-value pairs used by the rule to build a
|
225
214
|
# report.
|
226
215
|
def find_attacker _context, _potential_attack_string, **_kwargs
|
227
|
-
raise NoMethodError, "Rule #{
|
216
|
+
raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
|
228
217
|
end
|
229
218
|
|
230
219
|
def update_successful_attack_response context, ia_result, result, attack_string = nil
|
@@ -260,7 +249,7 @@ module Contrast
|
|
260
249
|
# @return [Contrast::Api::Dtm::AttackResult]
|
261
250
|
def build_attack_result _context
|
262
251
|
result = Contrast::Api::Dtm::AttackResult.new
|
263
|
-
result.rule_id =
|
252
|
+
result.rule_id = rule_name
|
264
253
|
result
|
265
254
|
end
|
266
255
|
|
@@ -297,7 +286,7 @@ module Contrast
|
|
297
286
|
|
298
287
|
def log_rule_matched _context, ia_result, response, _matched_string = nil
|
299
288
|
logger.debug('A successful attack was detected',
|
300
|
-
rule:
|
289
|
+
rule: rule_name,
|
301
290
|
type: ia_result&.input_type,
|
302
291
|
name: ia_result&.key,
|
303
292
|
input: ia_result&.value,
|
@@ -307,11 +296,8 @@ module Contrast
|
|
307
296
|
private
|
308
297
|
|
309
298
|
def log_rule_probed _context, ia_result
|
310
|
-
logger.debug('An unsuccessful attack was detected',
|
311
|
-
|
312
|
-
type: ia_result&.input_type,
|
313
|
-
name: ia_result&.key,
|
314
|
-
input: ia_result&.value)
|
299
|
+
logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
|
300
|
+
name: ia_result&.key, input: ia_result&.value)
|
315
301
|
end
|
316
302
|
end
|
317
303
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base'
|
@@ -10,7 +10,7 @@ module Contrast
|
|
10
10
|
# Encapsulate common code for protect rules that do their
|
11
11
|
# input analysis on Speedracer rather in ruby code
|
12
12
|
class BaseService < Contrast::Agent::Protect::Rule::Base
|
13
|
-
def
|
13
|
+
def rule_name
|
14
14
|
'base-service'
|
15
15
|
end
|
16
16
|
|
@@ -32,7 +32,11 @@ module Contrast
|
|
32
32
|
# streamed responses will break
|
33
33
|
def postfilter context
|
34
34
|
return unless enabled? && POSTFILTER_MODES.include?(mode)
|
35
|
-
|
35
|
+
if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
|
36
|
+
mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
|
37
|
+
|
38
|
+
return
|
39
|
+
end
|
36
40
|
|
37
41
|
result = find_postfilter_attacker(context, nil)
|
38
42
|
return unless result&.samples&.any?
|
@@ -40,14 +44,14 @@ module Contrast
|
|
40
44
|
append_to_activity(context, result)
|
41
45
|
return unless result.response == :BLOCKED
|
42
46
|
|
43
|
-
raise Contrast::SecurityException.new(self, "#{
|
47
|
+
raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
|
44
48
|
end
|
45
49
|
|
46
50
|
protected
|
47
51
|
|
48
52
|
def gather_ia_results context
|
49
53
|
context.speedracer_input_analysis.results.select do |ia_result|
|
50
|
-
ia_result.rule_id ==
|
54
|
+
ia_result.rule_id == rule_name
|
51
55
|
end
|
52
56
|
end
|
53
57
|
|
@@ -58,7 +62,7 @@ module Contrast
|
|
58
62
|
|
59
63
|
# Allows for the InputAnalysis from service to be extracted early
|
60
64
|
def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
|
61
|
-
logger.trace('Checking vectors for attacks', rule:
|
65
|
+
logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
|
62
66
|
|
63
67
|
result = nil
|
64
68
|
ia_results.each do |ia_result|
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
@@ -18,7 +18,7 @@ module Contrast
|
|
18
18
|
NAME = 'cmd-injection'
|
19
19
|
CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
|
20
20
|
|
21
|
-
def
|
21
|
+
def rule_name
|
22
22
|
NAME
|
23
23
|
end
|
24
24
|
|
@@ -34,20 +34,25 @@ module Contrast
|
|
34
34
|
Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
|
35
35
|
end
|
36
36
|
|
37
|
-
result = find_attacker_with_results(context, command, ia_results,
|
37
|
+
result = find_attacker_with_results(context, command, ia_results,
|
38
|
+
**{ classname: classname, method: method })
|
38
39
|
result ||= report_command_execution(context, command, **{ classname: classname, method: method })
|
39
40
|
return unless result
|
40
41
|
|
41
42
|
append_to_activity(context, result)
|
42
43
|
return unless blocked?
|
43
44
|
|
44
|
-
raise Contrast::SecurityException.new(
|
45
|
-
|
46
|
-
|
45
|
+
raise Contrast::SecurityException.new(self,
|
46
|
+
'Command Injection rule triggered. '\
|
47
|
+
"Call to #{ classname }.#{ method } blocked.")
|
47
48
|
end
|
48
49
|
|
49
50
|
def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
|
50
|
-
|
51
|
+
if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
|
52
|
+
mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
|
53
|
+
|
54
|
+
return result
|
55
|
+
end
|
51
56
|
|
52
57
|
result ||= build_attack_result(context)
|
53
58
|
update_successful_attack_response(context, input_analysis_result, result, candidate_string)
|
@@ -60,14 +65,10 @@ module Contrast
|
|
60
65
|
# Because results are not necessarily on the context across
|
61
66
|
# processes; extract early and pass into the method
|
62
67
|
def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
|
63
|
-
logger.trace('Checking vectors for attacks', rule:
|
68
|
+
logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
|
64
69
|
result = super(context, potential_attack_string, ia_results, **kwargs)
|
65
70
|
if result.nil? && potential_attack_string
|
66
|
-
result = find_probable_attacker(
|
67
|
-
context,
|
68
|
-
potential_attack_string,
|
69
|
-
ia_results,
|
70
|
-
**kwargs)
|
71
|
+
result = find_probable_attacker(context, potential_attack_string, ia_results, **kwargs)
|
71
72
|
end
|
72
73
|
result
|
73
74
|
end
|
@@ -109,12 +110,7 @@ module Contrast
|
|
109
110
|
likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
|
110
111
|
return unless likely_attacker
|
111
112
|
|
112
|
-
build_attack_with_match(
|
113
|
-
context,
|
114
|
-
likely_attacker,
|
115
|
-
nil,
|
116
|
-
potential_attack_string,
|
117
|
-
**kwargs)
|
113
|
+
build_attack_with_match(context, likely_attacker, nil, potential_attack_string, **kwargs)
|
118
114
|
end
|
119
115
|
|
120
116
|
def chained_command? command
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
# The base class used to determine if a user input crosses a token boundary or
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base'
|
@@ -17,10 +17,7 @@ module Contrast
|
|
17
17
|
BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
|
18
18
|
|
19
19
|
# Gadgets that map to ERB modules
|
20
|
-
ERB_GADGETS = %W[
|
21
|
-
object:ERB
|
22
|
-
o:\bERB
|
23
|
-
].cs__freeze
|
20
|
+
ERB_GADGETS = %W[object:ERB o:\bERB].cs__freeze
|
24
21
|
|
25
22
|
# Gadgets that map to ActionDispatch modules
|
26
23
|
ACTION_DISPATCH_GADGETS = %w[
|
@@ -29,11 +26,7 @@ module Contrast
|
|
29
26
|
].cs__freeze
|
30
27
|
|
31
28
|
# Gadgets that map to Arel Modules
|
32
|
-
AREL_GADGETS = %w[
|
33
|
-
string:Arel::Nodes::SqlLiteral
|
34
|
-
object:Arel::Nodes
|
35
|
-
o:\bArel::Nodes
|
36
|
-
].cs__freeze
|
29
|
+
AREL_GADGETS = %w[string:Arel::Nodes::SqlLiteral object:Arel::Nodes o:\bArel::Nodes].cs__freeze
|
37
30
|
|
38
31
|
# Used to indicate to TeamServer the gadget is an ERB module
|
39
32
|
ERB = 'ERB'
|
@@ -45,7 +38,7 @@ module Contrast
|
|
45
38
|
|
46
39
|
# Return the TeamServer understood id / name of this rule.
|
47
40
|
# @return [String] the TeamServer understood id / name of this rule.
|
48
|
-
def
|
41
|
+
def rule_name
|
49
42
|
NAME
|
50
43
|
end
|
51
44
|
|
@@ -124,8 +117,8 @@ module Contrast
|
|
124
117
|
sample = build_base_sample(context, input_analysis_result)
|
125
118
|
sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
|
126
119
|
|
127
|
-
deserializer = kwargs[:GADGET_TYPE]
|
128
|
-
sample.untrusted_deserialization.deserializer =
|
120
|
+
deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:GADGET_TYPE])
|
121
|
+
sample.untrusted_deserialization.deserializer = deserializer
|
129
122
|
|
130
123
|
command = !!kwargs[:COMMAND_SCOPE]
|
131
124
|
sample.untrusted_deserialization.command = command
|
@@ -148,7 +141,7 @@ module Contrast
|
|
148
141
|
# of the analysis done by this rule.
|
149
142
|
def build_evaluation gadget_string
|
150
143
|
ia_result = Contrast::Api::Settings::InputAnalysisResult.new
|
151
|
-
ia_result.rule_id =
|
144
|
+
ia_result.rule_id = rule_name
|
152
145
|
ia_result.input_type = :UNKNOWN
|
153
146
|
ia_result.key = INPUT_NAME
|
154
147
|
ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(gadget_string)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
@@ -12,7 +12,7 @@ module Contrast
|
|
12
12
|
NAME = 'method-tampering'
|
13
13
|
STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
|
14
14
|
|
15
|
-
def
|
15
|
+
def rule_name
|
16
16
|
NAME
|
17
17
|
end
|
18
18
|
|
@@ -30,20 +30,9 @@ module Contrast
|
|
30
30
|
|
31
31
|
method = ia_results.first.value
|
32
32
|
result = if response_code.to_s.start_with?('4', '5')
|
33
|
-
build_attack_without_match(
|
34
|
-
context,
|
35
|
-
nil,
|
36
|
-
nil,
|
37
|
-
method: method,
|
38
|
-
response_code: response_code)
|
33
|
+
build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
|
39
34
|
else
|
40
|
-
build_attack_with_match(
|
41
|
-
context,
|
42
|
-
nil,
|
43
|
-
nil,
|
44
|
-
nil,
|
45
|
-
method: method,
|
46
|
-
response_code: response_code)
|
35
|
+
build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
|
47
36
|
end
|
48
37
|
append_to_activity(context, result) if result
|
49
38
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
@@ -12,7 +12,7 @@ module Contrast
|
|
12
12
|
NAME = 'nosql-injection'
|
13
13
|
BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
|
14
14
|
|
15
|
-
def
|
15
|
+
def rule_name
|
16
16
|
NAME
|
17
17
|
end
|
18
18
|
|
@@ -32,7 +32,11 @@ module Contrast
|
|
32
32
|
end
|
33
33
|
|
34
34
|
def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
|
35
|
-
|
35
|
+
if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
|
36
|
+
mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
|
37
|
+
|
38
|
+
return result
|
39
|
+
end
|
36
40
|
|
37
41
|
attack_string = input_analysis_result.value
|
38
42
|
regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -14,9 +14,7 @@ module Contrast
|
|
14
14
|
# Is the current & next character '//' or are the current and
|
15
15
|
# subsequent characters '<--' ?
|
16
16
|
def start_line_comment? char, index, query
|
17
|
-
if char == Contrast::Utils::ObjectShare::SLASH &&
|
18
|
-
query[index + 1] == Contrast::Utils::ObjectShare::SLASH
|
19
|
-
|
17
|
+
if char == Contrast::Utils::ObjectShare::SLASH && query[index + 1] == Contrast::Utils::ObjectShare::SLASH
|
20
18
|
return true
|
21
19
|
end
|
22
20
|
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
@@ -29,7 +29,7 @@ module Contrast
|
|
29
29
|
/windows/repair/
|
30
30
|
].cs__freeze
|
31
31
|
|
32
|
-
def
|
32
|
+
def rule_name
|
33
33
|
NAME
|
34
34
|
end
|
35
35
|
|
@@ -42,9 +42,8 @@ module Contrast
|
|
42
42
|
append_to_activity(context, result)
|
43
43
|
return unless blocked?
|
44
44
|
|
45
|
-
raise Contrast::SecurityException.new(
|
46
|
-
|
47
|
-
"Path Traversal rule triggered. Call to File.#{ method } blocked.")
|
45
|
+
raise Contrast::SecurityException.new(self,
|
46
|
+
"Path Traversal rule triggered. Call to File.#{ method } blocked.")
|
48
47
|
end
|
49
48
|
|
50
49
|
protected
|
@@ -128,7 +127,8 @@ module Contrast
|
|
128
127
|
# return 'NUL' in str(e) or 'null byte' in str(e) or (PY34 and 'embedded NUL character' == str(e))
|
129
128
|
# except Exception as e:
|
130
129
|
# return 'null byte' in str(e).lower()
|
131
|
-
# return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in
|
130
|
+
# return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in
|
131
|
+
# PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
|
132
132
|
false
|
133
133
|
end
|
134
134
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
@@ -13,7 +13,7 @@ module Contrast
|
|
13
13
|
NAME = 'sql-injection'
|
14
14
|
BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
|
15
15
|
|
16
|
-
def
|
16
|
+
def rule_name
|
17
17
|
NAME
|
18
18
|
end
|
19
19
|
|
@@ -52,7 +52,7 @@ module Contrast
|
|
52
52
|
|
53
53
|
result ||= build_attack_result(context)
|
54
54
|
record_match(idx, length, boundary, last_boundary, kwargs)
|
55
|
-
append_match(context, input_analysis_result, result, query_string, kwargs)
|
55
|
+
append_match(context, input_analysis_result, result, query_string, **kwargs)
|
56
56
|
end
|
57
57
|
|
58
58
|
result
|