contrast-agent 5.0.0 → 5.3.0

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -34,7 +34,11 @@ module Contrast
                      else
                        build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
                      end
-            append_to_activity(context, result) if result
+
+            return unless result
+
+            append_to_activity(context, result)
+            cef_logging result, :ineffective_attack
           end
 
           protected

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -35,6 +35,7 @@ module Contrast
 
             append_to_activity(context, result)
 
+            cef_logging result, :successful_attack
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -38,6 +38,7 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
+            cef_logging result, :successful_attack, path
             raise Contrast::SecurityException.new(self,
                                                   "Path Traversal rule triggered. Call to File.#{ method } blocked.")
           end

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb

@@ -0,0 +1,124 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/sqli'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of SQLI rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module SqliInputClassification
+          class << self
+            include Contrast::Agent::Reporting::InputType
+            include Contrast::Agent::Reporting::ScoreLevel
+            include Contrast::Agent::Protect::Rule::SqliWorthWatching
+
+            WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
+            SQLI_KEYS_NEEDED = [
+              COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
+            ].cs__freeze
+
+            # Input Classification stage is done to determine if an user input is
+            # WORTHWATCHING or to be ignored.
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+            def classify input_type, value, input_analysis
+              return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
+              return unless input_analysis.request
+
+              rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
+              results = []
+
+              # double check the input to avoid calling match? on array
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                end
+              end
+
+              input_analysis.results = results
+              input_analysis
+            end
+
+            private
+
+            # Creates new isntance of InputAnalysisResult with basic info.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
+            # @param value [String, Array<String>] the value of the input.
+            # @param path [String] the path of the current request context.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def new_ia_result rule_id, input_type, score_level, path, value
+              res = Contrast::Agent::Reporting::InputAnalysisResult.new
+              res.rule_id = rule_id
+              res.input_type = input_type
+              res.path = path
+              res.score_level = score_level
+              res.value = value
+              res
+            end
+
+            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def sqli_create_new_input_result request, rule_id, input_type, value
+              result = if sqli_worth_watching? value
+                         ia_result = new_ia_result(rule_id, input_type, WORTHWATCHING, request.path, value)
+                         ia_result.ids << WORTHWATCHING_MATCH
+                         ia_result
+                       else
+                         new_ia_result(rule_id, input_type, IGNORE, request.path, value)
+                       end
+              if SQLI_KEYS_NEEDED.include? input_type
+                result.key = sqli_add_needed_key request, result, input_type, value
+              end
+              result
+            end
+
+            # This methods checks if input is value that matches a key in the input.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
+            def sqli_add_needed_key request, result, input_type, value
+              case input_type
+              when COOKIE_VALUE
+                result.key = request.cookies.key(value)
+              when PARAMETER_VALUE
+                result.key = request.parameters.key(value)
+              else
+                result.key
+              end
+              result.key
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb

@@ -0,0 +1,121 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module implements the sqli-worth-watching-v2 check to determine whether input
+        # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
+        # https://protect-spec.prod.dotnet.contsec.com/rules/sql-injection.html#input-tracing
+        module SqliWorthWatching
+          COLOR_CODE = /^#[0-9A-Fa-f]{6}$/.cs__freeze
+          ALPHA_NUMERIC_AND_SPACES = /^+[a-zA-Z\d\s]+$/.cs__freeze
+          OR_CLAUSE = /[oO][rR]/.cs__freeze
+          EXPLOITABLE_SUBSTRING = %w[# -- // /*].cs__freeze
+          SUSPICIOUS_CHARS = %w[` " \' ; - % , ( ) | { } =].cs__freeze
+          SQL_COMMENTS = %w[# /* */ // -- @@].cs__freeze
+          BLOCK_START = '/*'.cs__freeze
+          BLOCK_END = '*/'.cs__freeze
+          SQL_KEYWORDS = %w[
+            alter begin between create case column_name
+            current_user delete drop exec execute from
+            group insert limit like merge order outfile
+            select session_user syslogins update union
+            UTL_INADDR UTL_HTTP
+          ].cs__freeze
+
+          # This method will determine if a user input is Worth watching and return true if it is.
+          # This is done by running checks, and if the inputs is worth to watch it would be
+          # saved for the later sink sqli input analysis.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def sqli_worth_watching? input
+            return false if input.nil? || input.empty?
+
+            exploitable?(input) && (
+              input.match?(OR_CLAUSE) || sql_comments?(input) || suspicious_chars?(input) || language_keywords?(input)
+            )
+          end
+
+          private
+
+          # Check if input is exploitable, with min length set to 3 chars
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def exploitable? input
+            return false if input.length < 3 && input.match?(ALPHA_NUMERIC_AND_SPACES)
+            return false if input.length == 3 && !contains_substring?(input, EXPLOITABLE_SUBSTRING)
+            return false if input.length == 7 && input.match?(COLOR_CODE)
+
+            true
+          end
+
+          # Check if input contains sqli comments:
+          # '# /* */ // -- @@'
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def sql_comments? input
+            input.length >= 3 && contains_substring?(input, SQL_COMMENTS)
+          end
+
+          # Check if input contains block comments starting and
+          # ending with '/*..*/'
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def block_comments? input
+            idx1 = input.index(BLOCK_START)
+            idx2 = input.index(BLOCK_END)
+
+            return false if idx1.nil? || idx2.nil?
+
+            (idx1 >= 0 && idx2 >= 2 && (idx1 < idx2))
+          end
+
+          # Runs the input against suspicious chars array.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def suspicious_chars? input
+            input.length >= 7 && (number_of_substrings(input, SUSPICIOUS_CHARS) >= 2 || block_comments?(input))
+          end
+
+          # Runs the input against SQL language preserved words.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def language_keywords? input
+            contains_substring? input, SQL_KEYWORDS
+          end
+
+          # Helper method to find a substrings in given input.
+          #
+          # @param substrings [Array] set of substrings to inspect.
+          # @return true | false
+          def contains_substring? input, substrings
+            return true if substrings.any? { |sub| input.include?(sub) }
+
+            false
+          end
+
+          # Helper method to find the number of substrings.
+          #
+          # @param input [String] the user input to be inspected
+          # @return number [Integer] Number of substrings
+          def number_of_substrings input, substring
+            number = 0
+            input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
+
+            number
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -4,6 +4,7 @@
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
 require 'contrast/agent/protect/rule/sql_sample_builder'
+require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
   module Agent
@@ -16,7 +17,17 @@ module Contrast
           include SqlSampleBuilder::SqliSample
           # Defining build_attack_with_match method
           include SqlSampleBuilder::AttackBuilder
+          include Contrast::Agent::Reporting::InputType
+          class << self
+            include Contrast::Agent::Reporting::InputType
+          end
 
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
+            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
+            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
+            XML_VALUE, DWR_VALUE
+          ].cs__freeze
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
@@ -36,8 +47,30 @@ module Contrast
 
             append_to_activity(context, result)
 
+            cef_logging result, :successful_attack, query_string
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
+
+          private
+
+          def find_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
+          end
+
+          def infilter? context
+            return false unless context&.agent_input_analysis&.results
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/protect/rule/base'
 require 'contrast/utils/timer'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
         # Implementation of the XXE Protect Rule used to evaluate XML calls for exploit
         # of unsafe external entity resolution.
         class Xxe < Contrast::Agent::Protect::Rule::Base
+          include Contrast::Components::Logger::InstanceMethods
+
           NAME = 'xxe'
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
@@ -36,6 +39,7 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
+            cef_logging result, :successful_attack, xml
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE)
           end
 

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_analysis_result'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will do ia analysis for our protect rules instead of
+      # using the service.
+      class InputAnalysis
+        # result from input analysis
+        #
+        # @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]
+        def results
+          @_results ||= []
+        end
+
+        # result from input analysis
+        #
+        # @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]
+        def results= results
+          @_results = results
+        end
+
+        # Returns our wrapper around the Rack::Request for this context
+        #
+        # @return request [Contrast::Agent::Request, nil]
+        def request
+          @_request ||= nil
+        end
+
+        # Sets current request
+        #
+        # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request for this context
+        # @return request [Contrast::Agent::Request, nil]
+        def request= request
+          @_request = request if request.instance_of?(Contrast::Agent::Request)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb

@@ -0,0 +1,115 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will do ia analysis for our protect rules instead of
+      # using the service.
+      class InputAnalysisResult
+        INPUT_TYPE = Contrast::Agent::Reporting::InputType
+        SCORE_LEVEL = Contrast::Agent::Reporting::ScoreLevel
+
+        # @return @_rule_id [String]
+        def rule_id
+          @_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param id [String]
+        # @return @_rule_id [String]
+        def rule_id= id
+          @_rule_id = id if id.is_a?(String)
+        end
+
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type
+          @_input_type ||= INPUT_TYPE::UNDEFINED_TYPE
+        end
+
+        # @param input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type= input_type
+          @_input_type = input_type if INPUT_TYPE.to_a.include?(input_type)
+        end
+
+        # @return @_path [String]
+        def path
+          @_path ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param path [String]
+        # @return @_path [String]
+        def path= path
+          @_path = path if path.is_a?(String)
+        end
+
+        # @return @_key [String]
+        def key
+          @_key ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param key [String]
+        # @return @_key [String]
+        def key= key
+          @_key = key if key.is_a?(String)
+        end
+
+        # @return value [String]
+        def value
+          @_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param value [String]
+        # @return value [String]
+        def value= value
+          @_value = value if value.is_a?(String)
+        end
+
+        # Matchers IDs
+        # @return @_ids [Array<String>]
+        def ids
+          @_ids ||= []
+        end
+
+        # Matchers IDs
+        # @param ids [Array<String>]
+        # @return @_ids [Array<String>]
+        def ids= ids
+          @_ids = ids if ids.is_a?(Array) && ids.any?(String)
+        end
+
+        # @return @_attack_count [Integer]
+        def attack_count
+          @_attack_count ||= 0
+        end
+
+        # @param attack_count
+        # @return @_attack_count
+        def attack_count= attack_count
+          @_attack_count = attack_count if attack_count.is_a?(Integer)
+        end
+
+        # @return @_score_level [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::ScoreLevel>]
+        def score_level
+          @_score_level ||= SCORE_LEVEL::IGNORE
+        end
+
+        # @param score_level [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::ScoreLevel>]
+        # @return @_score_level [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::ScoreLevel>]
+        def score_level= score_level
+          @_score_level = score_level if SCORE_LEVEL.to_a.include?(score_level)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/input_type.rb

@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # input types for InputAnalysis results
+      module InputType
+        UNDEFINED_TYPE          = :UNDEFINED_TYPE.cs__freeze
+        BODY                    = :BODY.cs__freeze
+        COOKIE_NAME             = :COOKIE_NAME.cs__freeze
+        COOKIE_VALUE            = :COOKIE_VALUE.cs__freeze
+        HEADER                  = :HEADER.cs__freeze
+        PARAMETER_NAME          = :PARAMETER_NAME.cs__freeze
+        PARAMETER_VALUE         = :PARAMETER_VALUE.cs__freeze
+        QUERYSTRING             = :QUERYSTRING.cs__freeze
+        URI                     = :URI.cs__freeze
+        SOCKET                  = :SOCKET.cs__freeze
+        JSON_VALUE              = :JSON_VALUE.cs__freeze
+        JSON_ARRAYED_VALUE      = :JSON_ARRAYED_VALUE.cs__freeze
+        MULTIPART_CONTENT_TYPE  = :MULTIPART_CONTENT_TYPE.cs__freeze
+        MULTIPART_VALUE         = :MULTIPART_VALUE.cs__freeze
+        MULTIPART_FIELD_NAME    = :MULTIPART_FIELD_NAME.cs__freeze
+        MULTIPART_NAME          = :MULTIPART_NAME.cs__freeze
+        XML_VALUE               = :XML_VALUE.cs__freeze
+        DWR_VALUE               = :DWR_VALUE.cs__freeze
+        METHOD                  = :METHOD.cs__freeze
+        REQUEST                 = :REQUEST.cs__freeze
+        URL_PARAMETER           = :URL_PARAMETER.cs__freeze
+        UNKNOWN                 = :UNKNOWN.cs__freeze
+
+        class << self
+          def to_a
+            [
+              UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME, PARAMETER_VALUE,
+              QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE, MULTIPART_VALUE,
+              MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST, URL_PARAMETER, UNKNOWN
+            ]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/score_level.rb

@@ -0,0 +1,21 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # input types for InputAnalysis results
+      module ScoreLevel
+        IGNORE = :DONTCARE.cs__freeze
+        WORTHWATCHING = :WORTHWATCHING.cs__freeze
+        DEFINITEATTACK = :DEFINITEATTACK.cs__freeze
+
+        class << self
+          def to_a
+            [IGNORE, WORTHWATCHING, DEFINITEATTACK]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/report.rb

@@ -25,3 +25,4 @@ require 'contrast/agent/reporting/reporting_events/preflight'
 require 'contrast/agent/reporting/reporting_events/observed_route'
 require 'contrast/agent/reporting/reporting_events/route_coverage'
 require 'contrast/agent/reporting/reporting_events/observed_library_usage'
+require 'contrast/agent/reporting/reporting_events/poll'

data/lib/contrast/agent/reporting/reporter.rb

@@ -53,6 +53,11 @@ module Contrast
         @_thread = Contrast::Agent::Thread.new do
           logger.debug('Starting background Reporter thread.')
           loop do
+            # TODO: RUBY-99999
+            # The client and connection are being used in multiple threads/ concurrently, and that's not okay. We need
+            # to figure out why that is and lock it so that it isn't.
+            next unless client && connection
+
             event = queue.pop
             begin
               response = client.send_event(event, connection)
@@ -86,7 +91,9 @@ module Contrast
           return
         end
         response = client.send_event(event, connection, true)
-        client.send(:handle_response, event, response, connection) if response&.code == 200
+        return unless response
+
+        client.handle_response(event, response, connection)
         audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable?
       rescue StandardError => e
         logger.error('Could not send message to service from Reporter queue.', e)