contrast-agent 4.6.0 → 4.7.0

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -42,7 +42,8 @@ module Contrast
           rescue Contrast::SecurityException => e
             raise e
           rescue StandardError => e
-            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method, rule: name)
+            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
+                                                           rule: rule_name)
           end
 
           protected
@@ -68,11 +69,10 @@ module Contrast
             raise NoMethodError, 'This is abstract, override it.'
           end
 
-          # The name of the rule, as expected by the Contrast Service and
-          # Contrast UI.
+          # The name of the rule, as expected by the Contrast Service and Contrast UI.
           #
           # @return [String]
-          def name
+          def rule_name
             raise NoMethodError, 'This is abstract, override it.'
           end
 
@@ -82,7 +82,7 @@ module Contrast
           #
           # @return [Contrast::Agent::Protect::Rule::Base]
           def rule
-            PROTECT.rule name
+            PROTECT.rule rule_name
           end
 
           # Should we skip analysis for this rule for this method invocation?

data/lib/contrast/agent/protect/rule/base.rb

@@ -37,13 +37,13 @@ module Contrast
           attr_reader :mode
 
           def initialize
-            PROTECT.rules[name] = self
+            PROTECT.rules[rule_name] = self
             @mode = mode_from_settings
           end
 
           # Should return the name as it is known to Teamserver; defaults to class
-          def name
-            cs__class.name
+          def rule_name
+            cs__class.cs__name
           end
 
           def enabled?
@@ -52,7 +52,7 @@ module Contrast
             return false unless PROTECT.enabled?
 
             # 2. it is not enabled because it is in the list of disabled protect rules
-            return false if PROTECT.rule_config&.disabled_rules&.include?(name)
+            return false if PROTECT.rule_config&.disabled_rules&.include?(rule_name)
 
             # 3. it is enabled so long as its mode is not NO_ACTION
             @mode != Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
@@ -60,7 +60,7 @@ module Contrast
 
           def excluded? exclusions
             Array(exclusions).any? do |ex|
-              ex.protection_rule?(name)
+              ex.protection_rule?(rule_name)
             end
           end
 
@@ -176,8 +176,8 @@ module Contrast
           protected
 
           def mode_from_settings
-            PROTECT.rule_mode(name).tap do |mode|
-              logger.trace('Retrieving rule mode', rule: name, mode: mode)
+            PROTECT.rule_mode(rule_name).tap do |mode|
+              logger.trace('Retrieving rule mode', rule: rule_name, mode: mode)
             end
           end
 
@@ -194,7 +194,7 @@ module Contrast
             exclusions = SETTINGS.code_exclusions
             return false unless exclusions
 
-            for_rule = exclusions.select { |ex| ex.protection_rule?(name) }
+            for_rule = exclusions.select { |ex| ex.protection_rule?(rule_name) }
             return false if for_rule.empty?
 
             stack = caller_locations
@@ -213,7 +213,7 @@ module Contrast
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
           def find_attacker _context, _potential_attack_string, **_kwargs
-            raise NoMethodError, "Rule #{ name } did not implement find_attack"
+            raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
           end
 
           def update_successful_attack_response context, ia_result, result, attack_string = nil
@@ -249,7 +249,7 @@ module Contrast
           # @return [Contrast::Api::Dtm::AttackResult]
           def build_attack_result _context
             result = Contrast::Api::Dtm::AttackResult.new
-            result.rule_id = name
+            result.rule_id = rule_name
             result
           end
 
@@ -286,7 +286,7 @@ module Contrast
 
           def log_rule_matched _context, ia_result, response, _matched_string = nil
             logger.debug('A successful attack was detected',
-                         rule: name,
+                         rule: rule_name,
                          type: ia_result&.input_type,
                          name: ia_result&.key,
                          input: ia_result&.value,
@@ -296,11 +296,8 @@ module Contrast
           private
 
           def log_rule_probed _context, ia_result
-            logger.debug('An unsuccessful attack was detected',
-                         rule: name,
-                         type: ia_result&.input_type,
-                         name: ia_result&.key,
-                         input: ia_result&.value)
+            logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
+                                                                name: ia_result&.key, input: ia_result&.value)
           end
         end
       end

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -10,7 +10,7 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
-          def name
+          def rule_name
             'base-service'
           end
 
@@ -32,7 +32,11 @@ module Contrast
           # streamed responses will break
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION || mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return
+            end
 
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
@@ -40,14 +44,14 @@ module Contrast
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
 
-            raise Contrast::SecurityException.new(self, "#{ name } triggered in postfilter. Response blocked.")
+            raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
           end
 
           protected
 
           def gather_ia_results context
             context.speedracer_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == name
+              ia_result.rule_id == rule_name
             end
           end
 
@@ -58,7 +62,7 @@ module Contrast
 
           # Allows for the InputAnalysis from service to be extracted early
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
 
             result = nil
             ia_results.each do |ia_result|

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -18,7 +18,7 @@ module Contrast
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -34,20 +34,25 @@ module Contrast
               Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
             end
 
-            result = find_attacker_with_results(context, command, ia_results, **{ classname: classname, method: method })
+            result = find_attacker_with_results(context, command, ia_results,
+                                                **{ classname: classname, method: method })
             result ||= report_command_execution(context, command, **{ classname: classname, method: method })
             return unless result
 
             append_to_activity(context, result)
             return unless blocked?
 
-            raise Contrast::SecurityException.new(
-                self,
-                "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  'Command Injection rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked.")
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
-            return result if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION || mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return result
+            end
 
             result ||= build_attack_result(context)
             update_successful_attack_response(context, input_analysis_result, result, candidate_string)
@@ -60,14 +65,10 @@ module Contrast
           # Because results are not necessarily on the context across
           # processes; extract early and pass into the method
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = super(context, potential_attack_string, ia_results, **kwargs)
             if result.nil? && potential_attack_string
-              result = find_probable_attacker(
-                  context,
-                  potential_attack_string,
-                  ia_results,
-                  **kwargs)
+              result = find_probable_attacker(context, potential_attack_string, ia_results, **kwargs)
             end
             result
           end
@@ -109,12 +110,7 @@ module Contrast
             likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
             return unless likely_attacker
 
-            build_attack_with_match(
-                context,
-                likely_attacker,
-                nil,
-                potential_attack_string,
-                **kwargs)
+            build_attack_with_match(context, likely_attacker, nil, potential_attack_string, **kwargs)
           end
 
           def chained_command? command

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -17,10 +17,7 @@ module Contrast
           BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
 
           # Gadgets that map to ERB modules
-          ERB_GADGETS = %W[
-            object:ERB
-            o:\bERB
-          ].cs__freeze
+          ERB_GADGETS = %W[object:ERB o:\bERB].cs__freeze
 
           # Gadgets that map to ActionDispatch modules
           ACTION_DISPATCH_GADGETS = %w[
@@ -29,11 +26,7 @@ module Contrast
           ].cs__freeze
 
           # Gadgets that map to Arel Modules
-          AREL_GADGETS = %w[
-            string:Arel::Nodes::SqlLiteral
-            object:Arel::Nodes
-            o:\bArel::Nodes
-          ].cs__freeze
+          AREL_GADGETS = %w[string:Arel::Nodes::SqlLiteral object:Arel::Nodes o:\bArel::Nodes].cs__freeze
 
           # Used to indicate to TeamServer the gadget is an ERB module
           ERB = 'ERB'
@@ -45,7 +38,7 @@ module Contrast
 
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
-          def name
+          def rule_name
             NAME
           end
 
@@ -124,8 +117,8 @@ module Contrast
             sample = build_base_sample(context, input_analysis_result)
             sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
 
-            deserializer = kwargs[:GADGET_TYPE]
-            sample.untrusted_deserialization.deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(deserializer)
+            deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:GADGET_TYPE])
+            sample.untrusted_deserialization.deserializer = deserializer
 
             command = !!kwargs[:COMMAND_SCOPE]
             sample.untrusted_deserialization.command = command
@@ -148,7 +141,7 @@ module Contrast
           #   of the analysis done by this rule.
           def build_evaluation gadget_string
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.key = INPUT_NAME
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(gadget_string)

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'method-tampering'
           STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -30,20 +30,9 @@ module Contrast
 
             method = ia_results.first.value
             result = if response_code.to_s.start_with?('4', '5')
-                       build_attack_without_match(
-                           context,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
                      else
-                       build_attack_with_match(
-                           context,
-                           nil,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
                      end
             append_to_activity(context, result) if result
           end

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -32,7 +32,11 @@ module Contrast
           end
 
           def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            return result if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION || mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return result
+            end
 
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb

@@ -14,9 +14,7 @@ module Contrast
             # Is the current & next character '//' or are the current and
             # subsequent characters '<--' ?
             def start_line_comment? char, index, query
-              if char == Contrast::Utils::ObjectShare::SLASH &&
-                    query[index + 1] == Contrast::Utils::ObjectShare::SLASH
-
+              if char == Contrast::Utils::ObjectShare::SLASH && query[index + 1] == Contrast::Utils::ObjectShare::SLASH
                 return true
               end
 

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -29,7 +29,7 @@ module Contrast
             /windows/repair/
           ].cs__freeze
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -42,9 +42,8 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
-            raise Contrast::SecurityException.new(
-                self,
-                "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked.")
           end
 
           protected
@@ -128,7 +127,8 @@ module Contrast
             #     return 'NUL' in str(e) or 'null byte' in str(e) or (PY34 and 'embedded NUL character' == str(e))
             #   except Exception as e:
             #     return 'null byte' in str(e).lower()
-            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
+            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in
+            #   PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
             false
           end
         end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -13,7 +13,7 @@ module Contrast
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
-          def name
+          def rule_name
             NAME
           end
 

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'unsafe-file-upload'
           BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
 
-          def name
+          def rule_name
             NAME
           end
         end

data/lib/contrast/agent/protect/rule/xss.rb

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
 
-          def name
+          def rule_name
             NAME
           end
 

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -15,7 +15,7 @@ module Contrast
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -59,12 +59,7 @@ module Contrast
             return unless xxe_details
 
             ia_result = build_evaluation(xxe_details.xml)
-            build_attack_with_match(
-                context,
-                ia_result,
-                nil,
-                nil,
-                details: xxe_details)
+            build_attack_with_match(context, ia_result, nil, nil, details: xxe_details)
           end
 
           # Given an XML determined to be unsafe, build out the details of the
@@ -118,7 +113,7 @@ module Contrast
           # supplied by the attacker.
           def build_evaluation xml
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(xml)
             ia_result
@@ -133,10 +128,8 @@ module Contrast
 
           def build_wrapper entity_wrapper
             wrapper = Contrast::Api::Dtm::XxeWrapper.new
-            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.system_id)
-            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.public_id)
+            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.system_id)
+            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.public_id)
             wrapper
           end
         end