contrast-agent 5.1.0 → 5.2.0

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb

@@ -2,7 +2,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/agent/assess/rule/response/header_rule'
 require 'contrast/utils/string_utils'
 
 module Contrast
@@ -11,27 +11,22 @@ module Contrast
       module Rule
         module Response
           # These rules check that the HTTP Headers include CSP header types
-          class CspHeaderInsecure < BaseRule
+          class CspHeaderInsecure < HeaderRule
             def rule_id
               'csp-header-insecure'
             end
 
             protected
 
-            CSP_HEADERS = %w[CONTENT_SECURITY_POLICY X_CONTENT_SECURITY_POLICY X_WEBKIT_CSP].cs__freeze
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            DEFAULT_SAFE = false
             SETTINGS = %w[
               base-uri child-src default-src connect-src frame-src media-src object-src script-src
               style-src form-action frame-ancestors plugin-types reflected-xss referer
             ].cs__freeze
             UNSAFE_VALUE_REGEXP = /^unsafe-(?:inline|eval)$/.cs__freeze
             ASTERISK_REGEXP = /[*]/.cs__freeze
-
-            # Rules discern which responses they can/should analyze.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            def analyze_response? response
-              super && headers?(response)
-            end
+            SAFE_REFLECTED_XSS = /1/.cs__freeze
 
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
@@ -39,16 +34,19 @@ module Contrast
             # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
             def violated? response
               settings = {}
-              csp_hash = get_csp_header_values(response.headers)
+              csp_hash = get_header_value(response)
               return if csp_hash.nil?
 
               SETTINGS.each do |setting_attr|
+                # default src has to be checked all other keys may be missing
+                next unless csp_hash.key?(setting_attr) || setting_attr == 'default-src'
+
                 value = csp_hash[setting_attr]
                 key = convert_key(setting_attr)
                 settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
                 settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
               end
-              { DATA => settings }
+              evidence(settings) if settings.value?(false)
             end
 
             # Get the CSP values from and transforms them to key value hash
@@ -58,9 +56,10 @@ module Contrast
             #
             # @param headers [Hash] the response of the application
             # @return [Array, nil] array of CSP header values
-            def get_csp_header_values headers
+            def get_header_value response
               csp_hash = {}
-              CSP_HEADERS.each do |header_key|
+              headers = response.headers
+              HEADER_KEYS.each do |header_key|
                 next unless headers[header_key]&.length&.positive?
 
                 values = headers[header_key].split(Contrast::Utils::ObjectShare::SEMICOLON)
@@ -78,7 +77,7 @@ module Contrast
             end
 
             def value_safe? value
-              UNSAFE_VALUE_REGEXP.match(value).nil?
+              UNSAFE_VALUE_REGEXP.match(value).nil? || !SAFE_REFLECTED_XSS.match(value).nil?
             end
 
             # Converts the CSP key to camelcase to be used as key for evidence object

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/agent/assess/rule/response/header_rule'
 require 'contrast/utils/string_utils'
 
 module Contrast
@@ -10,34 +10,14 @@ module Contrast
       module Rule
         module Response
           # These rules check that the HTTP Headers include CSP header types
-          class CspHeaderMissing < BaseRule
+          class CspHeaderMissing < HeaderRule
             def rule_id
               'csp-header-missing'
             end
 
-            protected
-
-            CSP_HEADERS = %w[CONTENT_SECURITY_POLICY X_CONTENT_SECURITY_POLICY X_WEBKIT_CSP].cs__freeze
-
-            DATA = 'data'.cs__freeze
-
-            # Rules discern which responses they can/should analyze.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            def analyze_response? response
-              super && headers?(response)
-            end
-
-            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
-            def violated? response
-              response_headers = response.headers
-              return if CSP_HEADERS.any? { |header_key| response_headers[header_key]&.length&.positive? }
-
-              { DATA => Contrast::Utils::ObjectShare::EMPTY_STRING }
-            end
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            ACCEPTED_VALUES = [/(.)/].cs__freeze
+            DEFAULT_SAFE = false
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rails'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          module Framework
+            # Rails 7 supports managing potential unsafe Headers
+            # this module contains methods for checking if Rails 7 supercedes our rules
+            module RailsSupport
+              RAILS_VERSION = Gem::Version.new('7.0.0')
+
+              def framework_supported?
+                rails_version = ::Rails.version
+                return false unless !!rails_version
+
+                Gem::Version.new(rails_version) >= RAILS_VERSION
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/header_rule.rb

@@ -0,0 +1,70 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rack'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/rule/response/base_rule'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          class HeaderRule < BaseRule
+            HEADER_TYPE = 'header'
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              header_value = get_header_value(response)
+              if header_value
+                return evidence(header_value) unless valid_header?(header_value)
+              else
+                return evidence(header_value) unless cs__class::DEFAULT_SAFE
+              end
+              nil
+            end
+
+            # Determine if a response has headers.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def headers? response
+              response.headers&.any?
+            end
+
+            protected
+
+            def get_header_value response
+              response_headers = response.headers
+              values = response_headers.values_at(*cs__class::HEADER_KEYS, *cs__class::HEADER_KEYS.map(&:to_sym))
+              values.compact.first
+            end
+
+            # Determine if the value of the Response Header has a valid value
+            #
+            # @param header [Contrast::Agent::Response] a response header
+            # @return [Boolean] whether the header value is valid
+            def valid_header? header
+              cs__class::ACCEPTED_VALUES.any? { |val| val.match(header) }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb

@@ -1,6 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
 module Contrast
   module Agent
     module Assess
@@ -8,49 +11,22 @@ module Contrast
         module Response
           # This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
           # is set to a value greater than 0.
-          class HSTSHeader < BaseRule
+          class HSTSHeader < HeaderRule
             def rule_id
               'hsts-header-missing'
             end
 
             protected
 
-            HEADER_KEY = 'Strict-Transport-Security'
-            HEADER_KEY_SYM = HEADER_KEY.to_sym
-            MAX_AGE = 'max-age'
-            MAX_AGE_SYM = MAX_AGE.to_sym
-            # Rules discern which responses they can/should analyze.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            def analyze_response? response
-              super && response.headers.cs__is_a?(Hash)
-            end
-
-            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash<data: Contrast::Utils::ObjectShare::EMPTY_STRING, String>, nil] return string
-            # representation of the max_age
-            def violated? response
-              headers = response.headers
-              target = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
-              # this rule is safe by default if no target => no evidence
-              # if the property max_age is not positive or absent then the rule is violated
-              return unless target
-
-              max_age = target[MAX_AGE] || target[MAX_AGE_SYM]
-              return if max_age.to_i.positive?
-
-              evidence max_age
-            end
+            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
+            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
+            DEFAULT_SAFE = true
 
-            # returns evidence that the max_age is negative or absent
-            #
-            # @param max_age [String] String representation of the max-age value to which the header is set
-            # @return [Hash<data: Contrast::Utils::ObjectShare::EMPTY_STRING, String>] return string representation of
-            # the max_age
-            def evidence max_age
-              { data: max_age.to_s }
+            def evidence data
+              # get only the value of the max-age property
+              val = data&.split('=')&.last
+              val = Contrast::Utils::ObjectShare::EMPTY_STRING if val.nil? || val == 'max-age'
+              { DATA => val }
             end
           end
         end

data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb

@@ -12,6 +12,7 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if the body contains a form which
           # incorrectly sets the action attribute.
           class ParametersPollution < BaseRule
+            include BodyRule
             def rule_id
               'parameter-pollution'
             end
@@ -31,7 +32,7 @@ module Contrast
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
               body = response.body
-              forms = forms(body)
+              forms = html_elements(body, FORM_START_REGEXP, true)
               forms.each do |form|
                 # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
                 # skip out on the first violation.

data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XContentType < HeaderRule
+            def rule_id
+              'xcontenttype-header-missing'
+            end
+
+            HEADER_KEYS = %w[X-Content-Type-Options].cs__freeze
+            ACCEPTED_VALUES = [/^nosniff/i].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'rails'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XXssProtection < HeaderRule
+            include Framework::RailsSupport
+
+            def rule_id
+              'xxssprotection-header-disabled'
+            end
+
+            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
+            ACCEPTED_VALUES = [/^1/].cs__freeze
+            DEFAULT_SAFE = true
+
+            protected
+
+            def analyze_response? response
+              !framework_supported? && super
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/middleware.rb

@@ -173,6 +173,7 @@ module Contrast
             request_handler.send_activity_messages # TODO: RUBY-1438 -- remove
           end
         end
+      # unsuccessful attack
       rescue StandardError => e
         raise e if security_exception?(e)
 

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -29,14 +29,13 @@ module Contrast
           # there are no require time side effects of loading our core
           # extensions.
           def apply_direct_patches!
-            @_apply_direct_patches ||= begin
+            @_apply_direct_patches ||= begin # TODO: RUBY-1541 - put 'kernel' back
               paths = %w[
                 array
                 basic_object
                 module
                 fiber_track
                 hash
-                kernel
                 marshal_module
                 regexp
                 string
@@ -75,7 +74,6 @@ module Contrast
           def apply_require_patches!
             @_apply_require_patches ||= begin
               require 'contrast/extension/thread'
-              require 'contrast/extension/kernel'
               true
             rescue LoadError, StandardError => e
               logger.error('failed instrumenting apply_require_patches!', e)

data/lib/contrast/agent/patching/policy/patch.rb

@@ -49,15 +49,11 @@ module Contrast
             ].cs__freeze
 
             def enter_method_scope! method_policy
-              method_policy.scopes_to_enter.each do |scope|
-                enter_scope!(scope)
-              end
+              contrast_enter_method_scopes! method_policy.scopes_to_enter
             end
 
             def exit_method_scope! method_policy
-              method_policy.scopes_to_exit.each do |scope|
-                exit_scope!(scope)
-              end
+              contrast_exit_method_scopes! method_policy.scopes_to_exit
             end
 
             # @param mod [Module] the module in which the patch should be

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -147,7 +147,7 @@ module Contrast
                 return
               end
 
-              patch_methods status, module_data, module_policy
+              patch_methods(status, module_data, module_policy)
             rescue StandardError => e
               status&.failed_patch!
               logger.warn('Patching failed', e, module: module_data.mod_name)

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -0,0 +1,94 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
+require 'json'
+
+module Contrast
+  module Agent
+    module Protect
+      # InputAnalyzer will extract input form current request context and will analyze it.
+      # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
+      module InputAnalyzer
+        class << self
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Agent::Protect::Rule::SqliWorthWatching
+
+          PROTECT_RULES = { sqli: 'sql-injection' }.cs__freeze
+
+          # This method with analyze the user input from the context of the
+          # current request and run each of the protect rules against all
+          # found input types
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def analyse request
+            return unless Contrast::SETTINGS.protect_state.enabled
+            return if request.nil?
+
+            inputs = extract_input request
+            return unless inputs
+
+            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+            input_analysis.request = request
+            # each rule against each input
+            input_classification inputs, input_analysis
+            input_analysis
+          end
+
+          private
+
+          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+          #
+          # @param inputs [String, Array<String>] user input to be analysed.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def input_classification inputs, input_analysis
+            # key = input type, value = user_input
+            inputs.each do |input_type, value|
+              PROTECT_RULES.each do |_key, rule_id|
+                # check if rule is enabled
+                next unless Contrast::PROTECT.rule(rule_id).enabled?
+
+                # start with sqli rule
+                case rule_id
+                when PROTECT_RULES[:sqli]
+                  Contrast::Agent::Protect::Rule::SqliInputClassification.classify input_type, value, input_analysis
+                else
+                  return nil
+                end
+              end
+            end
+            input_analysis
+          end
+
+          # Extract the inputs from the request context and label them with Protect
+          # input type tags. Each tag will contain one or more user inputs.
+          #
+          # This methods is to be expanded and modified as needed by other Protect rules
+          # and sub-rules for their requirements.
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          def extract_input request
+            inputs = {}
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+            inputs.compact!
+            inputs
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/base.rb

@@ -173,6 +173,19 @@ module Contrast
             context.activity.results << result if result
           end
 
+          # With this we log to CEF
+          #
+          # @param result [Contrast::Api::Dtm::AttackResult]
+          # @param attack [Symbol] the type of message we want to send
+          # @param value [String] the input value we want to log
+          def cef_logging result, attack = :ineffective_attack, value = nil
+            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
+            outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+            input_type = extract_input_type sample_to_json[:user_input].input_type
+            input_value = value || sample_to_json[:user_input].value
+            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
+          end
+
           protected
 
           def mode_from_settings
@@ -232,7 +245,13 @@ module Contrast
 
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+              result.response = if ia_result&.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
+                                  # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
+                                  # and should be treated equivalent to Blocked mode if set
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+                                else
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+                                end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
               result.response = Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
@@ -293,6 +312,14 @@ module Contrast
                          result: response)
           end
 
+          # This method returns the symbol for the enum
+          #
+          # @param enum [Enumerable]
+          # @return [Symbol]
+          def extract_input_type enum
+            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
+          end
+
           private
 
           def log_rule_probed _context, ia_result

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -10,6 +11,8 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
+          include Contrast::Components::Logger::InstanceMethods
+
           def rule_name
             'base-service'
           end
@@ -41,6 +44,7 @@ module Contrast
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
 
+            cef_logging result
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
 
@@ -83,7 +87,12 @@ module Contrast
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              ia_result.score_level == Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
+                                         Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
+                                       else
+                                         # legacy implementation for DEFINITEATATACK
+                                         Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+                                       end
             end
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -39,6 +39,8 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
+            cef_logging result, :successful_attack
+
             return unless blocked?
 
             raise Contrast::SecurityException.new(self,