contrast-agent 5.1.0 → 6.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (218) hide show
  1. checksums.yaml +4 -4
  2. data/ext/cs__assess_array/cs__assess_array.c +7 -0
  3. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
  4. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  5. data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
  6. data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -5
  7. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
  8. data/ext/cs__assess_module/cs__assess_module.c +7 -7
  9. data/ext/cs__assess_string/cs__assess_string.c +13 -1
  10. data/ext/cs__common/cs__common.c +16 -11
  11. data/ext/cs__common/cs__common.h +1 -0
  12. data/ext/cs__contrast_patch/cs__contrast_patch.c +100 -64
  13. data/ext/cs__contrast_patch/cs__contrast_patch.h +2 -0
  14. data/ext/cs__os_information/cs__os_information.c +13 -10
  15. data/ext/cs__scope/cs__scope.c +796 -0
  16. data/ext/cs__scope/cs__scope.h +88 -0
  17. data/ext/cs__scope/extconf.rb +5 -0
  18. data/lib/contrast/agent/assess/contrast_event.rb +20 -13
  19. data/lib/contrast/agent/assess/contrast_object.rb +4 -1
  20. data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
  21. data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
  22. data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
  23. data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
  24. data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
  25. data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -5
  26. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
  27. data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
  28. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -0
  29. data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
  30. data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
  31. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
  32. data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
  33. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  34. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  35. data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
  36. data/lib/contrast/agent/assess/policy/trigger_method.rb +6 -1
  37. data/lib/contrast/agent/assess/property/tagged.rb +1 -1
  38. data/lib/contrast/agent/assess/rule/response/{autocomplete_rule.rb → auto_complete_rule.rb} +4 -3
  39. data/lib/contrast/agent/assess/rule/response/base_rule.rb +12 -79
  40. data/lib/contrast/agent/assess/rule/response/body_rule.rb +109 -0
  41. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +157 -0
  42. data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
  43. data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +14 -15
  44. data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +5 -25
  45. data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +29 -0
  46. data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
  47. data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +12 -36
  48. data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +2 -1
  49. data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
  50. data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +35 -0
  51. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
  52. data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
  53. data/lib/contrast/agent/exclusion_matcher.rb +3 -3
  54. data/lib/contrast/agent/middleware.rb +4 -1
  55. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -3
  56. data/lib/contrast/agent/patching/policy/patch.rb +2 -6
  57. data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
  58. data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
  59. data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
  60. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +147 -0
  61. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
  62. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
  63. data/lib/contrast/agent/protect/rule/base.rb +61 -2
  64. data/lib/contrast/agent/protect/rule/base_service.rb +12 -1
  65. data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -0
  66. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
  67. data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
  68. data/lib/contrast/agent/protect/rule/deserialization.rb +6 -0
  69. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
  70. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +13 -1
  71. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
  72. data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -0
  73. data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -0
  74. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +88 -0
  75. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +118 -0
  76. data/lib/contrast/agent/protect/rule/sqli.rb +33 -0
  77. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
  78. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
  79. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
  80. data/lib/contrast/agent/protect/rule/xxe.rb +4 -0
  81. data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
  82. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
  83. data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
  84. data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
  85. data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +44 -0
  86. data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +115 -0
  87. data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
  88. data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
  89. data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
  90. data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
  91. data/lib/contrast/agent/reporting/report.rb +3 -0
  92. data/lib/contrast/agent/reporting/reporter.rb +31 -12
  93. data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
  94. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
  95. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
  96. data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
  97. data/lib/contrast/agent/reporting/reporting_events/finding.rb +69 -36
  98. data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +88 -59
  99. data/lib/contrast/agent/reporting/reporting_events/{finding_object.rb → finding_event_object.rb} +24 -20
  100. data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +39 -0
  101. data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +40 -0
  102. data/lib/contrast/agent/reporting/reporting_events/{finding_signature.rb → finding_event_signature.rb} +29 -24
  103. data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +12 -8
  104. data/lib/contrast/agent/reporting/reporting_events/{finding_stack.rb → finding_event_stack.rb} +23 -19
  105. data/lib/contrast/agent/reporting/reporting_events/{finding_taint_range.rb → finding_event_taint_range.rb} +17 -15
  106. data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +26 -53
  107. data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
  108. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
  109. data/lib/contrast/agent/reporting/reporting_events/poll.rb +29 -0
  110. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
  111. data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +6 -4
  112. data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
  113. data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +1 -0
  114. data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +1 -1
  115. data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +10 -3
  116. data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +0 -1
  117. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +17 -5
  118. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -45
  119. data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
  120. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
  121. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +69 -7
  122. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
  123. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +123 -85
  124. data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
  125. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
  126. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
  127. data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
  128. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
  129. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
  130. data/lib/contrast/agent/request_context.rb +7 -2
  131. data/lib/contrast/agent/request_context_extend.rb +85 -21
  132. data/lib/contrast/agent/request_handler.rb +4 -0
  133. data/lib/contrast/agent/scope.rb +102 -107
  134. data/lib/contrast/agent/service_heartbeat.rb +45 -2
  135. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
  136. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
  137. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
  138. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
  139. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
  140. data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
  141. data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
  142. data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
  143. data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
  144. data/lib/contrast/agent/thread_watcher.rb +1 -1
  145. data/lib/contrast/agent/version.rb +1 -1
  146. data/lib/contrast/agent.rb +3 -0
  147. data/lib/contrast/api/communication/speedracer.rb +1 -1
  148. data/lib/contrast/api/decorators/address.rb +1 -1
  149. data/lib/contrast/api/decorators/bot_blocker.rb +37 -0
  150. data/lib/contrast/api/decorators/ip_denylist.rb +37 -0
  151. data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
  152. data/lib/contrast/api/decorators/response_type.rb +30 -0
  153. data/lib/contrast/api/decorators/user_input.rb +11 -1
  154. data/lib/contrast/api/decorators/virtual_patch.rb +34 -0
  155. data/lib/contrast/api/decorators.rb +1 -0
  156. data/lib/contrast/components/app_context.rb +0 -4
  157. data/lib/contrast/components/assess.rb +14 -0
  158. data/lib/contrast/components/logger.rb +5 -0
  159. data/lib/contrast/components/protect.rb +6 -4
  160. data/lib/contrast/components/sampling.rb +7 -11
  161. data/lib/contrast/components/scope.rb +98 -91
  162. data/lib/contrast/components/settings.rb +106 -8
  163. data/lib/contrast/config/agent_configuration.rb +41 -12
  164. data/lib/contrast/config/api_configuration.rb +37 -12
  165. data/lib/contrast/config/api_proxy_configuration.rb +12 -3
  166. data/lib/contrast/config/application_configuration.rb +38 -14
  167. data/lib/contrast/config/assess_configuration.rb +47 -12
  168. data/lib/contrast/config/assess_rules_configuration.rb +15 -3
  169. data/lib/contrast/config/base_configuration.rb +18 -50
  170. data/lib/contrast/config/certification_configuration.rb +17 -3
  171. data/lib/contrast/config/exception_configuration.rb +14 -3
  172. data/lib/contrast/config/heap_dump_configuration.rb +43 -17
  173. data/lib/contrast/config/inventory_configuration.rb +17 -3
  174. data/lib/contrast/config/logger_configuration.rb +10 -3
  175. data/lib/contrast/config/protect_configuration.rb +17 -7
  176. data/lib/contrast/config/protect_rule_configuration.rb +17 -8
  177. data/lib/contrast/config/protect_rules_configuration.rb +115 -17
  178. data/lib/contrast/config/request_audit_configuration.rb +26 -3
  179. data/lib/contrast/config/root_configuration.rb +52 -12
  180. data/lib/contrast/config/ruby_configuration.rb +60 -22
  181. data/lib/contrast/config/sampling_configuration.rb +19 -9
  182. data/lib/contrast/config/server_configuration.rb +19 -10
  183. data/lib/contrast/config/service_configuration.rb +27 -11
  184. data/lib/contrast/configuration.rb +5 -3
  185. data/lib/contrast/extension/assess/string.rb +20 -1
  186. data/lib/contrast/extension/module.rb +0 -1
  187. data/lib/contrast/framework/manager.rb +2 -2
  188. data/lib/contrast/logger/application.rb +1 -1
  189. data/lib/contrast/logger/cef_log.rb +151 -0
  190. data/lib/contrast/tasks/config.rb +90 -3
  191. data/lib/contrast/utils/assess/object_store.rb +36 -0
  192. data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
  193. data/lib/contrast/utils/class_util.rb +3 -12
  194. data/lib/contrast/utils/hash_digest.rb +14 -6
  195. data/lib/contrast/utils/input_classification.rb +73 -0
  196. data/lib/contrast/utils/log_utils.rb +114 -0
  197. data/lib/contrast/utils/middleware_utils.rb +9 -9
  198. data/lib/contrast/utils/net_http_base.rb +13 -10
  199. data/lib/contrast/utils/object_share.rb +2 -1
  200. data/lib/contrast/utils/os.rb +0 -5
  201. data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -9
  202. data/lib/contrast/utils/response_utils.rb +18 -33
  203. data/lib/contrast/utils/telemetry.rb +1 -1
  204. data/lib/contrast/utils/telemetry_client.rb +1 -1
  205. data/lib/contrast/utils/telemetry_identifier.rb +1 -1
  206. data/lib/contrast.rb +4 -3
  207. data/resources/assess/policy.json +98 -0
  208. data/resources/deadzone/policy.json +0 -86
  209. data/ruby-agent.gemspec +9 -8
  210. data/service_executables/VERSION +1 -1
  211. data/service_executables/linux/contrast-service +0 -0
  212. data/service_executables/mac/contrast-service +0 -0
  213. metadata +103 -38
  214. data/lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb +0 -184
  215. data/lib/contrast/agent/assess/rule/response/clickjacking_rule.rb +0 -66
  216. data/lib/contrast/agent/assess/rule/response/x_content_type_rule.rb +0 -52
  217. data/lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb +0 -53
  218. data/lib/contrast/extension/kernel.rb +0 -54
@@ -1,184 +0,0 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- require 'contrast/agent/assess/rule/response/base_rule'
5
- require 'contrast/utils/string_utils'
6
- require 'json'
7
-
8
- module Contrast
9
- module Agent
10
- module Assess
11
- module Rule
12
- module Response
13
- # These rules check the content of the HTTP Response to determine if the body or the headers include and/or
14
- # set incorrectly the cache-control header
15
- class Cachecontrol < BaseRule
16
- def rule_id
17
- 'cache-controls-missing'
18
- end
19
-
20
- protected
21
-
22
- HEADER_KEY = 'Cache-Control'.cs__freeze
23
- ACCEPTED_VALUES = %w[no-store no-cache].cs__freeze
24
-
25
- # Rules discern which responses they can/should analyze.
26
- #
27
- # @param response [Contrast::Agent::Response] the response of the application
28
- def analyze_response? response
29
- super && body?(response)
30
- end
31
-
32
- # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
33
- #
34
- # @param response [Contrast::Agent::Response] the response of the application
35
- # @return [Hash, nil] the evidence required to prove the violation of the rule
36
- def violated? response
37
- # This rule is violated if the header is not there
38
- # or if it's there, but the value is not 'no-store' or 'no-cache'
39
- headers = response.headers
40
- header_key_sym = HEADER_KEY.to_sym
41
- cache_control = headers[HEADER_KEY] || headers[header_key_sym]
42
- if cache_control && !valid_header?(cache_control)
43
- return to_cachecontrol_rule('header', 'cache-control', cache_control)
44
- end
45
-
46
- body = response.body
47
- # check if the meta tag is include it
48
- tags = meta_tags(body)
49
-
50
- tags.each do |tag|
51
- return to_cachecontrol_rule('meta', 'pragma', tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
52
- end
53
- # we should return if header not presented and no tags are detected
54
- return {} if !(headers.key?(HEADER_KEY) || headers.key?(header_key_sym)) && tags.empty?
55
-
56
- nil
57
- end
58
-
59
- def valid_header? header
60
- ACCEPTED_VALUES.any? { |val| header.include?(val) || header == val }
61
- end
62
-
63
- # Find the tags in this body, if any, so as to determine if they violate this rule.
64
- #
65
- # @param body [String,nil]
66
- # @return [Array<Hash>] the tags of this body, as well as their start and end indexes.
67
- def meta_tags body
68
- tags = []
69
- body_start = 0
70
-
71
- # meta tags are stored in the <head></head> section
72
- head_section = body&.split(head_tag)
73
- return [] unless head_section
74
-
75
- potential_tags = head_section.map { |el| el.split(meta_start) }
76
- potential_tags.flatten.each do |potential_tag|
77
- next unless potential_tag
78
- next unless tag_openings.any? { |opening| potential_tag.starts_with?(opening) }
79
-
80
- body_start = body.index(meta_start, body_start)
81
- next unless body_start
82
-
83
- tag_stop = potential_tag.index('>').to_i
84
- next unless tag_stop
85
-
86
- body_close = body_start + 6 + tag_stop
87
- tags << capture(body, body_start, body_close, tag_stop)
88
- body_start = body_close
89
- end
90
- tags
91
- end
92
-
93
- def meta_start
94
- /<meta/i
95
- end
96
-
97
- def head_tag
98
- /<head>/i
99
- end
100
-
101
- def tag_openings
102
- [' ', "\n", "\r", "\t"]
103
- end
104
-
105
- def accepted_http_values
106
- [/'cache-control'/i, /"cache-control"/i]
107
- end
108
-
109
- def accepted_values
110
- [/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i]
111
- end
112
-
113
- # Determine if the given metatag does not have a valid cache-control tag.
114
- # Meta tags has the option to set http-equiv and content to set the http response header
115
- # to define for the document
116
- #
117
- # @param tag [String] the meta tag
118
- # @return [Boolean, nil]
119
- def meta_cache_tag? tag
120
- # Here we should determine the index of the needed keys
121
- # http-equiv and content
122
- http_equiv_idx = tag =~ /http-equiv=/i
123
- return false unless http_equiv_idx
124
-
125
- content_idx = tag =~ /content=/i
126
- return false unless content_idx
127
-
128
- # determine the value of the http-equiv if it's cache-control
129
- http_equiv_idx += 11
130
- is_valid = accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
131
- return false unless is_valid
132
-
133
- content_idx += 8
134
- return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
135
-
136
- true
137
- end
138
-
139
- # This method allows to change the evidence we attach and the way we attach it
140
- # Change it accordingly the rule you work on
141
- #
142
- # @param evidence [Hash] the properties required to build this finding.
143
- # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
144
- def build_evidence evidence, finding
145
- evidence.each_pair do |key, value|
146
- finding.properties[key] = Contrast::Utils::StringUtils.protobuf_format(value)
147
- end
148
- end
149
-
150
- # This method accepts the violation and transforms it to the proper hash
151
- # before return in as violation
152
- #
153
- # @param type [String] String of Header or META of the type
154
- # @param name [String] String of either cache-control or pragma
155
- # @param value [String] String of the violated value
156
- def to_cachecontrol_rule type, name, value
157
- { data: { type: type, name: name, value: value }.to_s }
158
- end
159
-
160
- # Capture the information needed to build the properties of this finding by parsing out from the body
161
- #
162
- # @param body [String] the entire HTTP Response body
163
- # @param body_start [Integer] the start of the range to take from the body
164
- # @param body_close [Integer] the end of the range to take from the body
165
- # @param tag_stop [Integer] the index of the end of the html tag from its start
166
- # @return [Hash]
167
- def capture body, body_start, body_close, tag_stop
168
- # In this situation we don't need to capture before and after the meta tag, as this may produce an error
169
- # So if we capture 30-50 chars before and after the tag, we may capture part of the tag, we want to
170
- # inspect and eventually this wil return wrong string. Because of that - we split the <head> and take
171
- # each meta tag and examine it
172
- tag = {}
173
- # we dont need to capture here before or after the meta tag
174
- tag[HTML_PROP] = body[body_start...body_close]
175
- tag[START_PROP] = body_start
176
- tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
177
- tag
178
- end
179
- end
180
- end
181
- end
182
- end
183
- end
184
- end
@@ -1,66 +0,0 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- require 'contrast/agent/assess/rule/response/base_rule'
5
- require 'contrast/utils/string_utils'
6
-
7
- module Contrast
8
- module Agent
9
- module Assess
10
- module Rule
11
- module Response
12
- # These rules check the content of the HTTP Response to determine if the headers contains the required header
13
- class Clickjacking < BaseRule
14
- def rule_id
15
- 'clickjacking-control-missing'
16
- end
17
-
18
- protected
19
-
20
- HEADER_KEY = 'X-Frame-Options'.cs__freeze
21
- HEADER_KEY_SYM = HEADER_KEY.to_sym
22
- ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
23
-
24
- # Rules discern which responses they can/should analyze.
25
- #
26
- # @param response [Contrast::Agent::Response] the response of the application
27
- def analyze_response? response
28
- super && headers?(response)
29
- end
30
-
31
- # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
32
- #
33
- # @param response [Contrast::Agent::Response] the response of the application
34
- # @return [Hash, nil] the evidence required to prove the violation of the rule
35
- def violated? response
36
- headers = response.headers
37
- cache_control = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
38
- return unsafe_response unless cache_control
39
- return unsafe_response(cache_control) unless valid_header?(cache_control)
40
-
41
- nil
42
- end
43
-
44
- def valid_header? header
45
- ACCEPTED_VALUES.any? { |val| header =~ val }
46
- end
47
-
48
- def unsafe_response value = ''
49
- { data: value }
50
- end
51
-
52
- # Change it accordingly the rule you work on
53
- #
54
- # @param evidence [Hash] the properties required to build this finding.
55
- # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
56
- def build_evidence evidence, finding
57
- evidence.each_pair do |key, value|
58
- finding.properties[key] = Contrast::Utils::StringUtils.protobuf_format(value)
59
- end
60
- end
61
- end
62
- end
63
- end
64
- end
65
- end
66
- end
@@ -1,52 +0,0 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- require 'contrast/agent/assess/rule/response/base_rule'
5
- require 'contrast/utils/string_utils'
6
-
7
- module Contrast
8
- module Agent
9
- module Assess
10
- module Rule
11
- module Response
12
- # These rules check the content of the HTTP Response to determine if the response contains the needed header
13
- class XContentType < BaseRule
14
- def rule_id
15
- 'xcontenttype-header-missing'
16
- end
17
-
18
- protected
19
-
20
- HEADER_KEY = 'X-Content-Type-Options'.cs__freeze
21
- HEADER_KEY_SYM = HEADER_KEY.to_sym
22
- ACCEPTED_VALUE = /^nosniff/i.cs__freeze
23
-
24
- # Rules discern which responses they can/should analyze.
25
- #
26
- # @param response [Contrast::Agent::Response] the response of the application
27
- def analyze_response? response
28
- super && headers?(response)
29
- end
30
-
31
- # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
32
- #
33
- # @param response [Contrast::Agent::Response] the response of the application
34
- # @return [Hash, nil] the evidence required to prove the violation of the rule
35
- def violated? response
36
- headers = response.headers
37
- x_content_type = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
38
- return unsafe_response unless x_content_type
39
- return unsafe_response x_content_type unless ACCEPTED_VALUE.match?(x_content_type)
40
-
41
- nil
42
- end
43
-
44
- def unsafe_response value = ''
45
- { data: value }
46
- end
47
- end
48
- end
49
- end
50
- end
51
- end
52
- end
@@ -1,53 +0,0 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- require 'contrast/agent/assess/rule/response/base_rule'
5
- require 'contrast/utils/string_utils'
6
-
7
- module Contrast
8
- module Agent
9
- module Assess
10
- module Rule
11
- module Response
12
- # These rules check the content of the HTTP Response to determine if the response contains the needed header
13
- class XXssProtection < BaseRule
14
- def rule_id
15
- 'xxssprotection-header-disabled'
16
- end
17
-
18
- protected
19
-
20
- HEADER_KEY = 'X-XSS-Protection'.cs__freeze
21
- HEADER_KEY_SYM = HEADER_KEY.to_sym
22
- ACCEPTED_VALUE = /^1/.cs__freeze
23
-
24
- # Rules discern which responses they can/should analyze.
25
- #
26
- # @param response [Contrast::Agent::Response] the response of the application
27
- def analyze_response? response
28
- super && headers?(response)
29
- end
30
-
31
- # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
32
- #
33
- # @param response [Contrast::Agent::Response] the response of the application
34
- # @return [Hash, nil] the evidence required to prove the violation of the rule
35
- def violated? response
36
- headers = response.headers
37
- x_xss_protection = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
38
- # header is safe by default so only need to return finding on failed value match
39
- return unless x_xss_protection
40
- return unsafe_response x_xss_protection unless ACCEPTED_VALUE.match?(x_xss_protection)
41
-
42
- nil
43
- end
44
-
45
- def unsafe_response value = ''
46
- { data: value }
47
- end
48
- end
49
- end
50
- end
51
- end
52
- end
53
- end
@@ -1,54 +0,0 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- require 'contrast/components/scope'
5
-
6
- # This is a reasonable place for the Kernel#catch hook to live.
7
- # No current plans for component re-design, but if we had some kind of
8
- # "do this when a component is hooked in" thing, this would live there.
9
- # For now, it's over-engineering to live anywhere else. -ajm
10
- module Kernel # :nodoc:
11
- alias_method :cs__catch, :catch
12
-
13
- # In the event of a `throw`, we need to override `catch`
14
- # to save & restore scope state:
15
- #
16
- # scope_level == 0
17
- #
18
- # catch(:abc) do
19
- # with_contrast_scope do
20
- # throw :abc # will leak
21
- # end
22
- # end
23
- #
24
- # scope_level == 1
25
- #
26
- # Frankly, this isn't how scope should be used. This is in place of
27
- # proper `ensure` blocks within the instrumentation call stack.
28
- # This will actually /create/ scope leaks if you're doing something like:
29
- #
30
- # catch(:ohno) do
31
- # enter scope
32
- # end
33
- #
34
- # abc()
35
- #
36
- # exit scope
37
- #
38
- # i.e. if you intend to change net scope across a catch block boundary.
39
-
40
- private
41
-
42
- def catch *args, &block
43
- # Save current scope level
44
- scope_level = ::Contrast::SCOPE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
45
-
46
- # Run original catch with block.
47
- retval = cs__catch(*args, &block)
48
-
49
- # Restore scope.
50
- ::Contrast::SCOPE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
51
-
52
- retval
53
- end
54
- end