contrast-agent 5.1.0 → 6.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -5
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +7 -7
- data/ext/cs__assess_string/cs__assess_string.c +13 -1
- data/ext/cs__common/cs__common.c +16 -11
- data/ext/cs__common/cs__common.h +1 -0
- data/ext/cs__contrast_patch/cs__contrast_patch.c +100 -64
- data/ext/cs__contrast_patch/cs__contrast_patch.h +2 -0
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +796 -0
- data/ext/cs__scope/cs__scope.h +88 -0
- data/ext/cs__scope/extconf.rb +5 -0
- data/lib/contrast/agent/assess/contrast_event.rb +20 -13
- data/lib/contrast/agent/assess/contrast_object.rb +4 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -5
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_method.rb +6 -1
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/{autocomplete_rule.rb → auto_complete_rule.rb} +4 -3
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +12 -79
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +109 -0
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +157 -0
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +14 -15
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +5 -25
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +29 -0
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +12 -36
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +2 -1
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +35 -0
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/middleware.rb +4 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -3
- data/lib/contrast/agent/patching/policy/patch.rb +2 -6
- data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +147 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +61 -2
- data/lib/contrast/agent/protect/rule/base_service.rb +12 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +6 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +13 -1
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +88 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +118 -0
- data/lib/contrast/agent/protect/rule/sqli.rb +33 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +115 -0
- data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
- data/lib/contrast/agent/reporting/report.rb +3 -0
- data/lib/contrast/agent/reporting/reporter.rb +31 -12
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +69 -36
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +88 -59
- data/lib/contrast/agent/reporting/reporting_events/{finding_object.rb → finding_event_object.rb} +24 -20
- data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +39 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/{finding_signature.rb → finding_event_signature.rb} +29 -24
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +12 -8
- data/lib/contrast/agent/reporting/reporting_events/{finding_stack.rb → finding_event_stack.rb} +23 -19
- data/lib/contrast/agent/reporting/reporting_events/{finding_taint_range.rb → finding_event_taint_range.rb} +17 -15
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +26 -53
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +29 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +6 -4
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +1 -0
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +10 -3
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +17 -5
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -45
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +69 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +123 -85
- data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/request_context.rb +7 -2
- data/lib/contrast/agent/request_context_extend.rb +85 -21
- data/lib/contrast/agent/request_handler.rb +4 -0
- data/lib/contrast/agent/scope.rb +102 -107
- data/lib/contrast/agent/service_heartbeat.rb +45 -2
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
- data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
- data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +3 -0
- data/lib/contrast/api/communication/speedracer.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/bot_blocker.rb +37 -0
- data/lib/contrast/api/decorators/ip_denylist.rb +37 -0
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
- data/lib/contrast/api/decorators/response_type.rb +30 -0
- data/lib/contrast/api/decorators/user_input.rb +11 -1
- data/lib/contrast/api/decorators/virtual_patch.rb +34 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/logger.rb +5 -0
- data/lib/contrast/components/protect.rb +6 -4
- data/lib/contrast/components/sampling.rb +7 -11
- data/lib/contrast/components/scope.rb +98 -91
- data/lib/contrast/components/settings.rb +106 -8
- data/lib/contrast/config/agent_configuration.rb +41 -12
- data/lib/contrast/config/api_configuration.rb +37 -12
- data/lib/contrast/config/api_proxy_configuration.rb +12 -3
- data/lib/contrast/config/application_configuration.rb +38 -14
- data/lib/contrast/config/assess_configuration.rb +47 -12
- data/lib/contrast/config/assess_rules_configuration.rb +15 -3
- data/lib/contrast/config/base_configuration.rb +18 -50
- data/lib/contrast/config/certification_configuration.rb +17 -3
- data/lib/contrast/config/exception_configuration.rb +14 -3
- data/lib/contrast/config/heap_dump_configuration.rb +43 -17
- data/lib/contrast/config/inventory_configuration.rb +17 -3
- data/lib/contrast/config/logger_configuration.rb +10 -3
- data/lib/contrast/config/protect_configuration.rb +17 -7
- data/lib/contrast/config/protect_rule_configuration.rb +17 -8
- data/lib/contrast/config/protect_rules_configuration.rb +115 -17
- data/lib/contrast/config/request_audit_configuration.rb +26 -3
- data/lib/contrast/config/root_configuration.rb +52 -12
- data/lib/contrast/config/ruby_configuration.rb +60 -22
- data/lib/contrast/config/sampling_configuration.rb +19 -9
- data/lib/contrast/config/server_configuration.rb +19 -10
- data/lib/contrast/config/service_configuration.rb +27 -11
- data/lib/contrast/configuration.rb +5 -3
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/manager.rb +2 -2
- data/lib/contrast/logger/application.rb +1 -1
- data/lib/contrast/logger/cef_log.rb +151 -0
- data/lib/contrast/tasks/config.rb +90 -3
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/class_util.rb +3 -12
- data/lib/contrast/utils/hash_digest.rb +14 -6
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/log_utils.rb +114 -0
- data/lib/contrast/utils/middleware_utils.rb +9 -9
- data/lib/contrast/utils/net_http_base.rb +13 -10
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +0 -5
- data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -9
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/telemetry.rb +1 -1
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/lib/contrast/utils/telemetry_identifier.rb +1 -1
- data/lib/contrast.rb +4 -3
- data/resources/assess/policy.json +98 -0
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +9 -8
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +103 -38
- data/lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb +0 -184
- data/lib/contrast/agent/assess/rule/response/clickjacking_rule.rb +0 -66
- data/lib/contrast/agent/assess/rule/response/x_content_type_rule.rb +0 -52
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb +0 -53
- data/lib/contrast/extension/kernel.rb +0 -54
@@ -50,8 +50,8 @@ module Contrast
|
|
50
50
|
# After implementing the LRU Cache, we firstly need to check if already had that object cached and if we have
|
51
51
|
# it - we can return it directly; otherwise we'll calculate and store the result before returning.
|
52
52
|
#
|
53
|
-
#
|
54
|
-
#
|
53
|
+
# Combining of the caches have close performance, but keeping the two with current implementation has
|
54
|
+
# a slight advantage in performance. For now we can keep the things the way they are.
|
55
55
|
#
|
56
56
|
# @param object [Object, nil] the entity to convert to a String
|
57
57
|
# @return [String, Object] the human readable form of the String, as defined by
|
@@ -98,16 +98,7 @@ module Contrast
|
|
98
98
|
def truly_defined? name
|
99
99
|
return false unless name
|
100
100
|
|
101
|
-
|
102
|
-
previous_module = Module
|
103
|
-
segments.each do |segment|
|
104
|
-
return false if previous_module.cs__autoload?(segment)
|
105
|
-
return false unless previous_module.cs__const_defined?(segment)
|
106
|
-
|
107
|
-
previous_module = previous_module.cs__const_get(segment)
|
108
|
-
end
|
109
|
-
|
110
|
-
true
|
101
|
+
Module.cs__const_defined?(name)
|
111
102
|
rescue NameError # account for nonsense / poorly formatted constants
|
112
103
|
false
|
113
104
|
end
|
@@ -29,7 +29,7 @@ module Contrast
|
|
29
29
|
# request or Contrast::REQUEST_TRACKER.current.request uri and used request
|
30
30
|
# method.
|
31
31
|
#
|
32
|
-
# @param finding [Contrast::Api::Dtm::Finding] finding to be reported
|
32
|
+
# @param finding [Contrast::Api::Dtm::Finding, Contrast::Agent::Reporting::Finding] finding to be reported
|
33
33
|
# @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
|
34
34
|
# @return checksum [Integer, nil] returns nil if there is no request context or tracking
|
35
35
|
# is disabled.
|
@@ -38,12 +38,20 @@ module Contrast
|
|
38
38
|
return unless context || ::Contrast::ASSESS.non_request_tracking?
|
39
39
|
|
40
40
|
if (route = finding.routes[0])
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
41
|
+
if finding.cs__is_a?(Contrast::Agent::Reporting::Finding) && (observation = route.observations[0])
|
42
|
+
update(observation.url)
|
43
|
+
update(observation.verb)
|
44
|
+
else
|
45
|
+
update(route.route) # the normalized URL used to access the method in the route.
|
46
|
+
update(route.verb) # the HTTP Verb used to access the method in the route.
|
47
|
+
end
|
48
|
+
return
|
46
49
|
end
|
50
|
+
|
51
|
+
return unless request ||= context&.request
|
52
|
+
|
53
|
+
update(request.normalized_uri) # the normalized URL used to access the method in the route.
|
54
|
+
update(request.request_method) # The HTTP method used in the request
|
47
55
|
end
|
48
56
|
|
49
57
|
# Update to CRC checksum the event source name and source type.
|
@@ -0,0 +1,73 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
|
+
require 'contrast/agent/reporting/input_analysis/score_level'
|
7
|
+
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
8
|
+
|
9
|
+
module Contrast
|
10
|
+
module Agent
|
11
|
+
module Protect
|
12
|
+
module Rule
|
13
|
+
# This module will include all the similar information for all input classifications
|
14
|
+
# between different rules
|
15
|
+
module InputClassificationBase
|
16
|
+
include Contrast::Agent::Reporting::InputType
|
17
|
+
include Contrast::Agent::Reporting::ScoreLevel
|
18
|
+
|
19
|
+
# Input Classification stage is done to determine if an user input is
|
20
|
+
# WORTHWATCHING or to be ignored.
|
21
|
+
#
|
22
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
23
|
+
# @param value [String, Array<String>] the value of the input.
|
24
|
+
# @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
|
25
|
+
# agent analysis from the current
|
26
|
+
# Request.
|
27
|
+
# @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
|
28
|
+
def classify input_type, value, input_analysis # rubocop:disable Lint/UnusedMethodArgument
|
29
|
+
return false unless input_analysis.request
|
30
|
+
|
31
|
+
true
|
32
|
+
end
|
33
|
+
|
34
|
+
# Creates new isntance of InputAnalysisResult with basic info.
|
35
|
+
#
|
36
|
+
# @param rule_id [String] The name of the Protect Rule.
|
37
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
38
|
+
# @param value [String, Array<String>] the value of the input.
|
39
|
+
# @param path [String] the path of the current request context.
|
40
|
+
#
|
41
|
+
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
42
|
+
def new_ia_result rule_id, input_type, path, value = nil
|
43
|
+
res = Contrast::Agent::Reporting::InputAnalysisResult.new
|
44
|
+
res.rule_id = rule_id
|
45
|
+
res.input_type = input_type
|
46
|
+
res.path = path
|
47
|
+
res.value = value
|
48
|
+
res
|
49
|
+
end
|
50
|
+
|
51
|
+
# This methods checks if input is value that matches a key in the input.
|
52
|
+
#
|
53
|
+
# @param request [Contrast::Agent::Request] the current request context.
|
54
|
+
# @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
|
55
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
56
|
+
# @param value [String, Array<String>] the value of the input.
|
57
|
+
#
|
58
|
+
# @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
|
59
|
+
def add_needed_key request, result, input_type, value
|
60
|
+
case input_type
|
61
|
+
when COOKIE_VALUE
|
62
|
+
result.key = request.cookies.key(value)
|
63
|
+
when PARAMETER_VALUE
|
64
|
+
result.key = request.parameters.key(value)
|
65
|
+
else
|
66
|
+
result.key
|
67
|
+
end
|
68
|
+
end
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
73
|
+
end
|
@@ -1,6 +1,9 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require 'socket'
|
5
|
+
require 'contrast/agent/version'
|
6
|
+
|
4
7
|
module Contrast
|
5
8
|
module Utils
|
6
9
|
# Method utility used by Contrast::Logger::log
|
@@ -106,3 +109,114 @@ module Contrast
|
|
106
109
|
end
|
107
110
|
end
|
108
111
|
end
|
112
|
+
|
113
|
+
module Contrast
|
114
|
+
module Utils
|
115
|
+
# These are the utilities for the CEF Logger, which will use the default ruby logger as we are not
|
116
|
+
# interested in special logging. We have the format we need and that's all we need. It would be useless
|
117
|
+
# to use Ougai
|
118
|
+
module CEFLogUtils
|
119
|
+
include Contrast::Utils::LogUtils
|
120
|
+
# <date> <host> CEF:<version>|<company>|<product>|<agent version>|<event type>
|
121
|
+
# |<event message>|<severity>|<other name-value pairs>
|
122
|
+
DEFAULT_CEF_NAME = 'security.log'
|
123
|
+
DEFAULT_LEVEL = ::Logger::Severity::INFO
|
124
|
+
VALID_LEVELS = ::Logger::SEV_LABEL
|
125
|
+
PROGNAME = 'Contrast Agent Ruby'
|
126
|
+
DATE_TIME_FORMAT = '%b %d %Y %H:%M:%S.%L%z'
|
127
|
+
AGENT_VERSION = Contrast::Agent::VERSION
|
128
|
+
EVENT_TYPE = 'SECURITY'
|
129
|
+
DEFAULT_METADATA = '-'
|
130
|
+
|
131
|
+
private
|
132
|
+
|
133
|
+
def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
|
134
|
+
logger = case path
|
135
|
+
when STDOUT_STR, STDERR_STR
|
136
|
+
::Logger.new(Object.cs__const_get(path))
|
137
|
+
else
|
138
|
+
::Logger.new(path)
|
139
|
+
end
|
140
|
+
logger.progname = PROGNAME
|
141
|
+
logger.level = level_const
|
142
|
+
change_logger_formatter logger
|
143
|
+
logger
|
144
|
+
end
|
145
|
+
|
146
|
+
def context
|
147
|
+
Contrast::Agent::REQUEST_TRACKER.current
|
148
|
+
end
|
149
|
+
|
150
|
+
def change_logger_formatter logger
|
151
|
+
ip_address = extract_ip_address
|
152
|
+
logger.formatter = proc do |severity, datetime, progname, msg|
|
153
|
+
date_format = datetime.strftime(DATE_TIME_FORMAT)
|
154
|
+
message = []
|
155
|
+
message << "#{ date_format } #{ ip_address }"
|
156
|
+
message << 'CEF:0|Contrast Security'
|
157
|
+
message << progname
|
158
|
+
message << AGENT_VERSION
|
159
|
+
message << EVENT_TYPE
|
160
|
+
message << msg[0]
|
161
|
+
message << severity
|
162
|
+
message << extract_metadata(msg[1], msg[2])
|
163
|
+
"#{ message.join('|') }\n"
|
164
|
+
end
|
165
|
+
end
|
166
|
+
|
167
|
+
# This method will extract the metadata information from context and other places
|
168
|
+
#
|
169
|
+
# initial structure of the data:
|
170
|
+
# <metadata> := <message-source>" "<source-ip>" "<source-port>" "<request-url>" "<request-method>" \
|
171
|
+
# "<application>" "<outcome>
|
172
|
+
# it could come from: blockEntry, lei, bbi(bot blocker), vp(virtual patch) or pri(rule)
|
173
|
+
# initially here we will use case to add it
|
174
|
+
def extract_metadata rule_id = nil, outcome = nil
|
175
|
+
message = []
|
176
|
+
sender_info = context&.activity&.http_request&.sender
|
177
|
+
rule_id ? message << "pri=#{ rule_id } " : 'asd'
|
178
|
+
request_method = if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
|
179
|
+
context.request.rack_request.env['REQUEST_METHOD']
|
180
|
+
else
|
181
|
+
DEFAULT_METADATA
|
182
|
+
end
|
183
|
+
app_name = ::Contrast::APP_CONTEXT.app_name
|
184
|
+
attach_request_and_sender_info message, sender_info
|
185
|
+
message << "request=#{ context.request.url } "
|
186
|
+
message << "requestMethod=#{ request_method } "
|
187
|
+
message << "app=#{ app_name } "
|
188
|
+
message << "outcome=#{ outcome } "
|
189
|
+
end
|
190
|
+
|
191
|
+
def attach_request_and_sender_info message, sender_info
|
192
|
+
# here, instead of the ip, we need to report the first non-private 'X-Forwarded-For' Header if available.
|
193
|
+
# if not we return '-'
|
194
|
+
needed_header = extract_sender_ip
|
195
|
+
# I'm not sure if we should report the sender ip from the ActivityDtm
|
196
|
+
src = if needed_header
|
197
|
+
needed_header
|
198
|
+
else
|
199
|
+
sender_info.ip.length > 1 ? sender_info.ip : DEFAULT_METADATA
|
200
|
+
end
|
201
|
+
message << "src=#{ src }"
|
202
|
+
message << "port=#{ sender_info.port }"
|
203
|
+
end
|
204
|
+
|
205
|
+
def extract_ip_address
|
206
|
+
res = Socket.getifaddrs.reject do |ifaddr|
|
207
|
+
!ifaddr.addr.ipv4? ||
|
208
|
+
(ifaddr.flags & Socket::IFF_MULTICAST).zero? ||
|
209
|
+
ifaddr.name != 'en0' # rubocop:disable Security/Module/Name
|
210
|
+
end
|
211
|
+
return unless res.length.positive?
|
212
|
+
|
213
|
+
res[0].addr.ip_address
|
214
|
+
end
|
215
|
+
|
216
|
+
def extract_sender_ip
|
217
|
+
request_headers = context.activity.http_request.request_headers&.transform_keys(&:to_s)
|
218
|
+
request_headers['X-Forwarded-For']
|
219
|
+
end
|
220
|
+
end
|
221
|
+
end
|
222
|
+
end
|
@@ -8,6 +8,13 @@ module Contrast
|
|
8
8
|
module MiddlewareUtils
|
9
9
|
private
|
10
10
|
|
11
|
+
# TODO: RUBY-1609 update this part of the method for Ruby Version and Year
|
12
|
+
LANGUAGE_DEPRECATION_VERSION = '2.7'
|
13
|
+
LANGUAGE_DEPRECATION_YEAR = '2023'
|
14
|
+
LANGUAGE_DEPRECATION_WARNING =
|
15
|
+
"[Contrast Security] [DEPRECATION] Support for Ruby #{ LANGUAGE_DEPRECATION_VERSION } will be removed in "\
|
16
|
+
"April #{ LANGUAGE_DEPRECATION_YEAR }. Please contact Customer Support prior if you require continued support."
|
17
|
+
|
11
18
|
def setup_agent
|
12
19
|
::Contrast::SETTINGS.reset_state
|
13
20
|
|
@@ -51,15 +58,8 @@ module Contrast
|
|
51
58
|
# deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
|
52
59
|
# Kernel#warn approach
|
53
60
|
def inform_deprecations
|
54
|
-
#
|
55
|
-
|
56
|
-
# warnings now so that customers have time to reach out if they'll be impacted.
|
57
|
-
# TODO: RUBY-715 remove this part of the method, leaving it empty if there are no other deprecations, when we
|
58
|
-
# drop 2.5 support.
|
59
|
-
return unless RUBY_VERSION < '2.6.0'
|
60
|
-
|
61
|
-
Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
|
62
|
-
'Please contact Customer Support prior if you require continued support.')
|
61
|
+
# Warn customers that they're on a version that's losing support in the next year.
|
62
|
+
Kernel.warn(LANGUAGE_DEPRECATION_WARNING) if RUBY_VERSION.start_with?(LANGUAGE_DEPRECATION_VERSION)
|
63
63
|
end
|
64
64
|
|
65
65
|
# Displays Telemetry disclaimer if Telemetry is enabled.
|
@@ -22,7 +22,7 @@ module Contrast
|
|
22
22
|
# @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
|
23
23
|
# self signed certificates provided by config [default = false]
|
24
24
|
# @return [Net::HTTP, nil] Return open connection or nil
|
25
|
-
def initialize_connection service_name, url, use_proxy
|
25
|
+
def initialize_connection service_name, url, use_proxy: false, use_custom_cert: false
|
26
26
|
return unless url
|
27
27
|
|
28
28
|
addr = URI(url)
|
@@ -59,15 +59,7 @@ module Contrast
|
|
59
59
|
return @_connection_verified unless @_connection_verified.nil?
|
60
60
|
return false if client.nil?
|
61
61
|
|
62
|
-
|
63
|
-
ipaddr = if RUBY_VERSION < '2.7.0'
|
64
|
-
socket = TCPSocket.open(client.address, client.port)
|
65
|
-
ipaddr = socket.peeraddr[3]
|
66
|
-
socket.close
|
67
|
-
ipaddr
|
68
|
-
else
|
69
|
-
client.ipaddr
|
70
|
-
end
|
62
|
+
ipaddr = get_ipaddr(client)
|
71
63
|
response = client.request(Net::HTTP::Get.new(client.address))
|
72
64
|
verify_cert = client.address.to_s.include?('localhost') ||
|
73
65
|
OpenSSL::SSL.verify_certificate_identity(client.peer_cert, client.address)
|
@@ -160,6 +152,17 @@ module Contrast
|
|
160
152
|
|
161
153
|
@_proxy_enabled = Contrast::API.proxy_enabled? && !Contrast::API.proxy_url.nil?
|
162
154
|
end
|
155
|
+
|
156
|
+
# Retrieve the IP address from the client.
|
157
|
+
#
|
158
|
+
# @param client [Net::HTTP]
|
159
|
+
# @return [String]
|
160
|
+
def get_ipaddr client
|
161
|
+
socket = TCPSocket.open(client.address, client.port)
|
162
|
+
ipaddr = socket.peeraddr[3]
|
163
|
+
socket.close
|
164
|
+
ipaddr
|
165
|
+
end
|
163
166
|
end
|
164
167
|
end
|
165
168
|
end
|
@@ -10,6 +10,7 @@ module Contrast
|
|
10
10
|
module ObjectShare
|
11
11
|
# Strings
|
12
12
|
ASTERISK = '*'
|
13
|
+
AMPERSAND = '&'
|
13
14
|
BACK_SLASH = '\\'
|
14
15
|
EMPTY_STRING = ''
|
15
16
|
COLON = ':'
|
@@ -38,6 +39,7 @@ module Contrast
|
|
38
39
|
COLON_SLASH_SLASH = '://'
|
39
40
|
DOLLAR_SIGN = '$'
|
40
41
|
CARROT = '^'
|
42
|
+
BANG = '!'
|
41
43
|
|
42
44
|
WRITE_FLAG = 'w'
|
43
45
|
|
@@ -47,7 +49,6 @@ module Contrast
|
|
47
49
|
CACHE = 'cache'
|
48
50
|
|
49
51
|
CONTRAST_PATCHED_METHOD_START = 'cs__patched_'
|
50
|
-
DOUBLE_COLON = '::'
|
51
52
|
|
52
53
|
EMPTY_ARRAY = [].freeze
|
53
54
|
EMPTY_HASH = {}.freeze
|
data/lib/contrast/utils/os.rb
CHANGED
@@ -35,10 +35,9 @@ module Contrast
|
|
35
35
|
# Given a method, return a symbol in the format
|
36
36
|
# <method_start>_unbound_<method_name>
|
37
37
|
def build_unbound_method_name patcher_method
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
patcher_method.to_s).to_sym
|
38
|
+
"#{ Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START }unbound"\
|
39
|
+
"#{ Contrast::Utils::ObjectShare::UNDERSCORE }"\
|
40
|
+
"#{ patcher_method }".to_sym
|
42
41
|
end
|
43
42
|
|
44
43
|
# ===== PATCH APPLIERS =====
|
@@ -63,10 +62,6 @@ module Contrast
|
|
63
62
|
rescue StandardError => e
|
64
63
|
# Anything else was our bad and we gotta catch that to allow for normal application flow
|
65
64
|
logger.error('Unable to apply pre patch to method.', e)
|
66
|
-
rescue Exception => e # rubocop:disable Lint/RescueException
|
67
|
-
# This is something like NoMemoryError that we can't hope to handle. Nonetheless, shouldn't leak scope.
|
68
|
-
exit_contrast_scope!
|
69
|
-
raise e
|
70
65
|
end
|
71
66
|
|
72
67
|
# THIS IS CALLED FROM C. Do not change the signature lightly.
|
@@ -142,7 +137,7 @@ module Contrast
|
|
142
137
|
if method_policy.source_node
|
143
138
|
# If we were given a frozen return, and it was the target of a source, and we have frozen sources enabled,
|
144
139
|
# we'll need to replace the return. Note, this is not the default case.
|
145
|
-
source_ret = Contrast::Agent::Assess::Policy::SourceMethod.
|
140
|
+
source_ret = Contrast::Agent::Assess::Policy::SourceMethod.apply_source(method_policy, object, ret, args)
|
146
141
|
end
|
147
142
|
if method_policy.propagation_node
|
148
143
|
propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(
|
@@ -36,39 +36,24 @@ module Contrast
|
|
36
36
|
return unless body
|
37
37
|
return if defined?(Rack::File) && body.is_a?(Rack::File)
|
38
38
|
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
# handle_rack_body_proxy(body)
|
58
|
-
# elsif (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
|
59
|
-
# body.is_a?(Rack::Response)
|
60
|
-
#
|
61
|
-
# extract_body(body.body)
|
62
|
-
# elsif Contrast::Utils::DuckUtils.quacks_to?(body, :each)
|
63
|
-
# acc = []
|
64
|
-
# body.each { |tmp| acc << read_or_string(tmp) }
|
65
|
-
# acc.compact.join(Contrast::Utils::ObjectShare::NEW_LINE)
|
66
|
-
# elsif ActionView::OutputBuffer
|
67
|
-
# # https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
|
68
|
-
# body.to_str
|
69
|
-
# else
|
70
|
-
# read_or_string(body)
|
71
|
-
# end
|
39
|
+
return handle_rack_body_proxy(body) if body.is_a?(Rack::BodyProxy)
|
40
|
+
return extract_body(body.body) if sub_extractable?(body)
|
41
|
+
return enumerable_text_from(body) if Contrast::Utils::DuckUtils.quacks_to?(body, :each)
|
42
|
+
# https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
|
43
|
+
return body.to_str if body.is_a?(ActionView::OutputBuffer)
|
44
|
+
|
45
|
+
read_or_string(body)
|
46
|
+
end
|
47
|
+
|
48
|
+
def sub_extractable? body
|
49
|
+
(defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
|
50
|
+
body.is_a?(Rack::Response)
|
51
|
+
end
|
52
|
+
|
53
|
+
def enumerable_text_from body
|
54
|
+
entries = body.map { |entry| read_or_string(entry) }
|
55
|
+
entries.compact!
|
56
|
+
entries.join(Contrast::Utils::ObjectShare::NEW_LINE)
|
72
57
|
end
|
73
58
|
|
74
59
|
def handle_rack_body_proxy body
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/agent/telemetry'
|
4
|
+
require 'contrast/agent/telemetry/telemetry'
|
5
5
|
require 'contrast/utils/telemetry_identifier'
|
6
6
|
|
7
7
|
module Contrast
|
@@ -22,7 +22,7 @@ module Contrast
|
|
22
22
|
# @param url [String]
|
23
23
|
# @return [Net::HTTP, nil] Return open connection or nil
|
24
24
|
def initialize_connection url
|
25
|
-
super(SERVICE_NAME, url, false, false)
|
25
|
+
super(SERVICE_NAME, url, use_proxy: false, use_custom_cert: false)
|
26
26
|
end
|
27
27
|
|
28
28
|
# This method will be responsible for building the request. Because the telemetry collector expects to receive
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/agent/telemetry'
|
4
|
+
require 'contrast/agent/telemetry/telemetry'
|
5
5
|
require 'contrast/utils/os'
|
6
6
|
require 'socket'
|
7
7
|
|
data/lib/contrast.rb
CHANGED
@@ -21,10 +21,11 @@ class Object
|
|
21
21
|
alias_method :cs__singleton_class, :singleton_class
|
22
22
|
end
|
23
23
|
|
24
|
-
if RUBY_VERSION >= '3.0.0'
|
24
|
+
if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
|
25
25
|
# This fixes Ruby 3.0 issues with Module#(some instance method) patching by preventing the prepending of
|
26
26
|
# a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticeable.
|
27
|
-
#
|
27
|
+
# This is fixed in Ruby 3.1.0
|
28
|
+
# TODO: RUBY-1132 Remove this once Ruby 3 support is dropped.
|
28
29
|
# See bug here: https://bugs.ruby-lang.org/issues/17725
|
29
30
|
class Class
|
30
31
|
alias_method(:cs__orig_prepend, :prepend)
|
@@ -73,7 +74,7 @@ require 'contrast/utils/preflight_util'
|
|
73
74
|
require 'contrast/utils/assess/sampling_util'
|
74
75
|
require 'contrast/agent'
|
75
76
|
|
76
|
-
if RUBY_VERSION >= '3.0.0'
|
77
|
+
if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
|
77
78
|
# Put prepend back as it was.
|
78
79
|
Class.alias_method(:prepend, :cs__orig_prepend)
|
79
80
|
Class.remove_method(:cs__orig_prepend)
|
@@ -790,6 +790,16 @@
|
|
790
790
|
"patch_method": "select_tagger",
|
791
791
|
"source": "O",
|
792
792
|
"target": "R"
|
793
|
+
},{
|
794
|
+
"class_name": "String",
|
795
|
+
"instance_method": true,
|
796
|
+
"method_visibility": "public",
|
797
|
+
"method_name": "slice",
|
798
|
+
"action": "CUSTOM",
|
799
|
+
"patch_class": "Contrast::Agent::Assess::Policy::Propagator::Select",
|
800
|
+
"patch_method": "select_tagger",
|
801
|
+
"source": "O",
|
802
|
+
"target": "R"
|
793
803
|
},{
|
794
804
|
"class_name":"CGI::Util",
|
795
805
|
"method_name":"unescape",
|
@@ -1112,6 +1122,67 @@
|
|
1112
1122
|
"target":"O",
|
1113
1123
|
"action":"SPLAT"
|
1114
1124
|
},
|
1125
|
+
{
|
1126
|
+
"class_name": "IO::Buffer",
|
1127
|
+
"instance_method": true,
|
1128
|
+
"method_visibility": "public",
|
1129
|
+
"method_name": "get_string",
|
1130
|
+
"source": "O",
|
1131
|
+
"target": "R",
|
1132
|
+
"action": "CUSTOM",
|
1133
|
+
"patch_class": "Contrast::Agent::Assess::Policy::Propagator::Buffer",
|
1134
|
+
"patch_method": "propagate_keep_select"
|
1135
|
+
},
|
1136
|
+
{
|
1137
|
+
"class_name": "IO::Buffer",
|
1138
|
+
"instance_method": true,
|
1139
|
+
"method_visibility": "public",
|
1140
|
+
"method_name": "slice",
|
1141
|
+
"source": "O",
|
1142
|
+
"target": "R",
|
1143
|
+
"action": "CUSTOM",
|
1144
|
+
"patch_class": "Contrast::Agent::Assess::Policy::Propagator::Buffer",
|
1145
|
+
"patch_method": "propagate_keep_select"
|
1146
|
+
},
|
1147
|
+
{
|
1148
|
+
"class_name": "IO::Buffer",
|
1149
|
+
"instance_method": true,
|
1150
|
+
"method_visibility": "public",
|
1151
|
+
"method_name": "set_string",
|
1152
|
+
"source":"P0,O",
|
1153
|
+
"target":"O",
|
1154
|
+
"action": "BUFFER",
|
1155
|
+
"patch_method": "propagate_insert"
|
1156
|
+
},
|
1157
|
+
{
|
1158
|
+
"class_name": "IO::Buffer",
|
1159
|
+
"instance_method": false,
|
1160
|
+
"method_visibility": "public",
|
1161
|
+
"method_name": "for",
|
1162
|
+
"source":"P0",
|
1163
|
+
"target":"R",
|
1164
|
+
"action": "KEEP"
|
1165
|
+
},
|
1166
|
+
{
|
1167
|
+
"class_name": "IO::Buffer",
|
1168
|
+
"instance_method": true,
|
1169
|
+
"method_visibility": "public",
|
1170
|
+
"method_name": "copy",
|
1171
|
+
"source":"P0,O",
|
1172
|
+
"target":"O",
|
1173
|
+
"action": "BUFFER",
|
1174
|
+
"patch_method": "buffer_keep_splat"
|
1175
|
+
},
|
1176
|
+
{
|
1177
|
+
"class_name": "IO::Buffer",
|
1178
|
+
"instance_method": true,
|
1179
|
+
"method_visibility": "public",
|
1180
|
+
"method_name": "pread",
|
1181
|
+
"source":"P0,O",
|
1182
|
+
"target":"O",
|
1183
|
+
"action": "BUFFER",
|
1184
|
+
"patch_method": "buffer_keep_splat"
|
1185
|
+
},
|
1115
1186
|
{
|
1116
1187
|
"class_name": "ERB",
|
1117
1188
|
"method_name": "result",
|
@@ -1177,6 +1248,33 @@
|
|
1177
1248
|
"action": "REMOVE",
|
1178
1249
|
"tags":["HTML_ENCODED"],
|
1179
1250
|
"untags":["HTML_DECODED"]
|
1251
|
+
},
|
1252
|
+
{
|
1253
|
+
"class_name": "IO::Buffer",
|
1254
|
+
"instance_method": false,
|
1255
|
+
"method_visibility": "public",
|
1256
|
+
"method_name": "map",
|
1257
|
+
"source": "P0,O",
|
1258
|
+
"target": "R",
|
1259
|
+
"action": "KEEP"
|
1260
|
+
},
|
1261
|
+
{
|
1262
|
+
"class_name": "IO::Buffer",
|
1263
|
+
"method_name": "pwrite",
|
1264
|
+
"instance_method": true,
|
1265
|
+
"method_visibility": "public",
|
1266
|
+
"source": "O",
|
1267
|
+
"target": "P0",
|
1268
|
+
"action": "KEEP"
|
1269
|
+
},
|
1270
|
+
{
|
1271
|
+
"class_name": "IO::Buffer",
|
1272
|
+
"method_name": "write",
|
1273
|
+
"instance_method": true,
|
1274
|
+
"method_visibility": "public",
|
1275
|
+
"source": "O",
|
1276
|
+
"target": "P0",
|
1277
|
+
"action": "KEEP"
|
1180
1278
|
}
|
1181
1279
|
],
|
1182
1280
|
"rules":[
|