contrast-agent 5.0.0 → 5.3.0

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb

@@ -0,0 +1,100 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check that the HTTP Headers include CSP header types
+          class CspHeaderInsecure < HeaderRule
+            def rule_id
+              'csp-header-insecure'
+            end
+
+            protected
+
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            DEFAULT_SAFE = false
+            SETTINGS = %w[
+              base-uri child-src default-src connect-src frame-src media-src object-src script-src
+              style-src form-action frame-ancestors plugin-types reflected-xss referer
+            ].cs__freeze
+            UNSAFE_VALUE_REGEXP = /^unsafe-(?:inline|eval)$/.cs__freeze
+            ASTERISK_REGEXP = /[*]/.cs__freeze
+            SAFE_REFLECTED_XSS = /1/.cs__freeze
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
+            def violated? response
+              settings = {}
+              csp_hash = get_header_value(response)
+              return if csp_hash.nil?
+
+              SETTINGS.each do |setting_attr|
+                # default src has to be checked all other keys may be missing
+                next unless csp_hash.key?(setting_attr) || setting_attr == 'default-src'
+
+                value = csp_hash[setting_attr]
+                key = convert_key(setting_attr)
+                settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
+                settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
+              end
+              evidence(settings) if settings.value?(false)
+            end
+
+            # Get the CSP values from and transforms them to key value hash
+            #
+            # ex default-src 'self' *.test.com; img-src * becomes:
+            # { default-src: "'self' *.test.com", img-src: "*" }
+            #
+            # @param headers [Hash] the response of the application
+            # @return [Array, nil] array of CSP header values
+            def get_header_value response
+              csp_hash = {}
+              headers = response.headers
+              HEADER_KEYS.each do |header_key|
+                next unless headers[header_key]&.length&.positive?
+
+                values = headers[header_key].split(Contrast::Utils::ObjectShare::SEMICOLON)
+                values.each do |value|
+                  normalized = value.downcase.strip
+                  kv = normalized.split(Contrast::Utils::ObjectShare::SPACE, 2)
+                  csp_hash[kv[0]] = kv[1]
+                end
+              end
+              csp_hash
+            end
+
+            def value_secure? value
+              ASTERISK_REGEXP.match(value).nil?
+            end
+
+            def value_safe? value
+              UNSAFE_VALUE_REGEXP.match(value).nil? || !SAFE_REFLECTED_XSS.match(value).nil?
+            end
+
+            # Converts the CSP key to camelcase to be used as key for evidence object
+            #
+            #  base-uri -> baseUri
+            #
+            # @param key [String] key as found in header
+            # @return [String] camelcase key
+            def convert_key key
+              return key unless key.include?('-')
+
+              str = key.split('-')
+              "#{ str[0] }#{ str[1].capitalize }"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check that the HTTP Headers include CSP header types
+          class CspHeaderMissing < HeaderRule
+            def rule_id
+              'csp-header-missing'
+            end
+
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            ACCEPTED_VALUES = [/(.)/].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          module Framework
+            # Rails 7 supports managing potential unsafe Headers
+            # this module contains methods for checking if Rails 7 supersedes our rules
+            module RailsSupport
+              RAILS_VERSION = Gem::Version.new('7.0.0')
+
+              def framework_supported?
+                return false unless defined?(::Rails)
+
+                rails_version = ::Rails.version
+                return false unless !!rails_version
+
+                Gem::Version.new(rails_version) >= RAILS_VERSION
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/header_rule.rb

@@ -0,0 +1,70 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rack'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/rule/response/base_rule'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          class HeaderRule < BaseRule
+            HEADER_TYPE = 'header'
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              header_value = get_header_value(response)
+              if header_value
+                return evidence(header_value) unless valid_header?(header_value)
+              else
+                return evidence(header_value) unless cs__class::DEFAULT_SAFE
+              end
+              nil
+            end
+
+            # Determine if a response has headers.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def headers? response
+              response.headers&.any?
+            end
+
+            protected
+
+            def get_header_value response
+              response_headers = response.headers
+              values = response_headers.values_at(*cs__class::HEADER_KEYS, *cs__class::HEADER_KEYS.map(&:to_sym))
+              values.compact.first
+            end
+
+            # Determine if the value of the Response Header has a valid value
+            #
+            # @param header [Contrast::Agent::Response] a response header
+            # @return [Boolean] whether the header value is valid
+            def valid_header? header
+              cs__class::ACCEPTED_VALUES.any? { |val| val.match(header) }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
+          # is set to a value greater than 0.
+          class HSTSHeader < HeaderRule
+            def rule_id
+              'hsts-header-missing'
+            end
+
+            protected
+
+            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
+            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
+            DEFAULT_SAFE = true
+
+            def evidence data
+              # get only the value of the max-age property
+              val = data&.split('=')&.last
+              val = Contrast::Utils::ObjectShare::EMPTY_STRING if val.nil? || val == 'max-age'
+              { DATA => val }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body contains a form which
+          # incorrectly sets the action attribute.
+          class ParametersPollution < BaseRule
+            include BodyRule
+            def rule_id
+              'parameter-pollution'
+            end
+
+            protected
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              body = response.body
+              forms = html_elements(body, FORM_START_REGEXP, true)
+              forms.each do |form|
+                # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
+                # skip out on the first violation.
+                return form if action?(form[HTML_PROP])
+              end
+              nil
+            end
+
+            def accepted_values
+              [/action="[^"]/i, /action='[^']/i, /action=[^\\'"]/i, /action=[^\s<>'"]/i].cs__freeze
+            end
+
+            def action? form
+              return true unless /action=/i.match?(form)
+
+              accepted_values.each do |off_value|
+                return false if form.match?(off_value)
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XContentType < HeaderRule
+            def rule_id
+              'xcontenttype-header-missing'
+            end
+
+            HEADER_KEYS = %w[X-Content-Type-Options].cs__freeze
+            ACCEPTED_VALUES = [/^nosniff/i].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -0,0 +1,35 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XXssProtection < HeaderRule
+            include Framework::RailsSupport
+
+            def rule_id
+              'xxssprotection-header-disabled'
+            end
+
+            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
+            ACCEPTED_VALUES = [/^1/].cs__freeze
+            DEFAULT_SAFE = true
+
+            protected
+
+            def analyze_response? response
+              !framework_supported? && super
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/middleware.rb

@@ -173,6 +173,7 @@ module Contrast
             request_handler.send_activity_messages # TODO: RUBY-1438 -- remove
           end
         end
+      # unsuccessful attack
       rescue StandardError => e
         raise e if security_exception?(e)
 

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -29,14 +29,13 @@ module Contrast
           # there are no require time side effects of loading our core
           # extensions.
           def apply_direct_patches!
-            @_apply_direct_patches ||= begin
+            @_apply_direct_patches ||= begin # TODO: RUBY-1541 - put 'kernel' back
               paths = %w[
                 array
                 basic_object
                 module
                 fiber_track
                 hash
-                kernel
                 marshal_module
                 regexp
                 string
@@ -75,7 +74,6 @@ module Contrast
           def apply_require_patches!
             @_apply_require_patches ||= begin
               require 'contrast/extension/thread'
-              require 'contrast/extension/kernel'
               true
             rescue LoadError, StandardError => e
               logger.error('failed instrumenting apply_require_patches!', e)

data/lib/contrast/agent/patching/policy/patch.rb

@@ -49,15 +49,11 @@ module Contrast
             ].cs__freeze
 
             def enter_method_scope! method_policy
-              method_policy.scopes_to_enter.each do |scope|
-                enter_scope!(scope)
-              end
+              contrast_enter_method_scopes! method_policy.scopes_to_enter
             end
 
             def exit_method_scope! method_policy
-              method_policy.scopes_to_exit.each do |scope|
-                exit_scope!(scope)
-              end
+              contrast_exit_method_scopes! method_policy.scopes_to_exit
             end
 
             # @param mod [Module] the module in which the patch should be

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -147,7 +147,7 @@ module Contrast
                 return
               end
 
-              patch_methods status, module_data, module_policy
+              patch_methods(status, module_data, module_policy)
             rescue StandardError => e
               status&.failed_patch!
               logger.warn('Patching failed', e, module: module_data.mod_name)

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -0,0 +1,94 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
+require 'json'
+
+module Contrast
+  module Agent
+    module Protect
+      # InputAnalyzer will extract input form current request context and will analyze it.
+      # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
+      module InputAnalyzer
+        class << self
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Agent::Protect::Rule::SqliWorthWatching
+
+          PROTECT_RULES = { sqli: 'sql-injection' }.cs__freeze
+
+          # This method with analyze the user input from the context of the
+          # current request and run each of the protect rules against all
+          # found input types
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def analyse request
+            return unless Contrast::SETTINGS.protect_state.enabled
+            return if request.nil?
+
+            inputs = extract_input request
+            return unless inputs
+
+            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+            input_analysis.request = request
+            # each rule against each input
+            input_classification inputs, input_analysis
+            input_analysis
+          end
+
+          private
+
+          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+          #
+          # @param inputs [String, Array<String>] user input to be analysed.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def input_classification inputs, input_analysis
+            # key = input type, value = user_input
+            inputs.each do |input_type, value|
+              PROTECT_RULES.each do |_key, rule_id|
+                # check if rule is enabled
+                next unless Contrast::PROTECT.rule(rule_id).enabled?
+
+                # start with sqli rule
+                case rule_id
+                when PROTECT_RULES[:sqli]
+                  Contrast::Agent::Protect::Rule::SqliInputClassification.classify input_type, value, input_analysis
+                else
+                  return nil
+                end
+              end
+            end
+            input_analysis
+          end
+
+          # Extract the inputs from the request context and label them with Protect
+          # input type tags. Each tag will contain one or more user inputs.
+          #
+          # This methods is to be expanded and modified as needed by other Protect rules
+          # and sub-rules for their requirements.
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          def extract_input request
+            inputs = {}
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+            inputs.compact!
+            inputs
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/base.rb

@@ -173,6 +173,19 @@ module Contrast
             context.activity.results << result if result
           end
 
+          # With this we log to CEF
+          #
+          # @param result [Contrast::Api::Dtm::AttackResult]
+          # @param attack [Symbol] the type of message we want to send
+          # @param value [String] the input value we want to log
+          def cef_logging result, attack = :ineffective_attack, value = nil
+            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
+            outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+            input_type = extract_input_type sample_to_json[:user_input].input_type
+            input_value = value || sample_to_json[:user_input].value
+            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
+          end
+
           protected
 
           def mode_from_settings
@@ -232,7 +245,13 @@ module Contrast
 
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+              result.response = if ia_result&.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
+                                  # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
+                                  # and should be treated equivalent to Blocked mode if set
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+                                else
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+                                end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
               result.response = Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
@@ -293,6 +312,14 @@ module Contrast
                          result: response)
           end
 
+          # This method returns the symbol for the enum
+          #
+          # @param enum [Enumerable]
+          # @return [Symbol]
+          def extract_input_type enum
+            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
+          end
+
           private
 
           def log_rule_probed _context, ia_result

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -10,6 +11,8 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
+          include Contrast::Components::Logger::InstanceMethods
+
           def rule_name
             'base-service'
           end
@@ -41,6 +44,7 @@ module Contrast
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
 
+            cef_logging result
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
 
@@ -83,7 +87,12 @@ module Contrast
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              ia_result.score_level == Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
+                                         Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
+                                       else
+                                         # legacy implementation for DEFINITEATATACK
+                                         Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+                                       end
             end
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -39,6 +39,8 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
+            cef_logging result, :successful_attack
+
             return unless blocked?
 
             raise Contrast::SecurityException.new(self,

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
         # Deserialization Protect rule.
         class Deserialization < Contrast::Agent::Protect::Rule::Base
           # The TeamServer recognized name of this rule
+          include Contrast::Components::Logger::InstanceMethods
+
           NAME = 'untrusted-deserialization'
 
           # The rule specific reason for raising a security exception.
@@ -78,6 +81,8 @@ module Contrast
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
 
+            cef_logging result, :successful_attack
+
             raise Contrast::SecurityException.new(self, block_message) if blocked?
           end
 
@@ -97,6 +102,7 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
+            cef_logging result, :successful_attack, gadget_command
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end