RubyGems - contrast-agent - Versions diffs - 5.1.0 → 6.0.0 - Mend

contrast-agent 5.1.0 → 6.0.0

Files changed (218) hide show

data/lib/contrast/agent/assess/policy/propagator/splat.rb CHANGED Viewed

@@ -19,6 +19,7 @@ module Contrast
                   when Contrast::Utils::ObjectShare::OBJECT_KEY
                     tracked_inputs << preshift.object if Contrast::Agent::Assess::Tracker.tracked?(preshift.object)
                   else
+                    check_for_buffer(tracked_inputs, preshift.args[source])
                     find_argument_inputs(tracked_inputs, preshift.args[source])
                   end
                 end
@@ -47,9 +48,15 @@ module Contrast
               # @param tracked_inputs [Array] storage for the inputs to act on later
               # @param arg [Object] an input to the method which act as sources for this propagation.
               def find_argument_inputs tracked_inputs, arg
-                if arg.is_a?(String)
-                  tracked_inputs << arg if Contrast::Agent::Assess::Tracker.tracked?(arg)
-                elsif Contrast::Utils::DuckUtils.iterable_hash?(arg)
+                if arg.is_a?(String) || arg.is_a?(File)
+                  tracked_inputs << arg if tracked_value?(arg)
+                else
+                  iterable_arg tracked_inputs, arg
+                end
+              end
+              def iterable_arg tracked_inputs, arg
+                if Contrast::Utils::DuckUtils.iterable_hash?(arg)
                   arg.each_pair do |key, value|
                     tracked_inputs << key if tracked_value?(key)
                     tracked_inputs << value if tracked_value?(value)
@@ -60,6 +67,13 @@ module Contrast
                   end
                 end
               end
+              def check_for_buffer tracked_inputs, arg
+                return if RUBY_VERSION < '3.1.0'
+                return unless  arg.is_a?(IO::Buffer) && tracked_value?(arg)
+                tracked_inputs << arg
+              end
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/substitution.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module Contrast
               end
               def sub_tagger patcher, preshift, ret, block
-                substitution_tagger(patcher, preshift, ret, !block.nil?, false)
+                substitution_tagger(patcher, preshift, ret, !block.nil?, global: false)
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb CHANGED Viewed

@@ -29,7 +29,7 @@ module Contrast
             # @param ret [String] the result of the substitution
             # @param block, the given block
             # @param global [Boolean] if this was a global or single substitution, optional
-            def substitution_tagger patcher, preshift, ret, block, global = true
+            def substitution_tagger patcher, preshift, ret, block, global: true
               return ret unless ret
               begin

data/lib/contrast/agent/assess/policy/propagator/trim.rb CHANGED Viewed

@@ -92,7 +92,7 @@ module Contrast
                 end
                 # Be sure to capture the last range in the holder.
                 remove_ranges << (start...stop)
-                properties.delete_tags_at_ranges(remove_ranges, false)
+                properties.delete_tags_at_ranges(remove_ranges, shift: false)
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator.rb CHANGED Viewed

@@ -30,6 +30,7 @@ module Contrast
           require 'contrast/agent/assess/policy/propagator/split'
           require 'contrast/agent/assess/policy/propagator/substitution'
           require 'contrast/agent/assess/policy/propagator/trim'
+          require 'contrast/agent/assess/policy/propagator/buffer'
         end
       end
     end

data/lib/contrast/agent/assess/policy/source_method.rb CHANGED Viewed

@@ -36,7 +36,7 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method was invoked
             # @return [Object, nil] the tracked Return or nil if no changes were made
-            def source_patchers method_policy, object, ret, args
+            def apply_source method_policy, object, ret, args
               return unless analyze?(method_policy, object, ret, args)
               return unless (source_node = method_policy.source_node)
@@ -56,11 +56,11 @@ module Contrast
                 target = dup
               end
-              apply_source(source_node, target, source_data, source_node.type, nil, *args)
+              process_source(source_node, target, source_data, source_node.type, nil, *args)
               return_val
             end
-            Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :source_patchers)
+            Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :apply_source)
             private
@@ -75,7 +75,7 @@ module Contrast
             # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a map or
             #   nil if a type like BODY
             # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_source source_node, target, source_data, source_type, source_name = nil, *args
+            def process_source source_node, target, source_data, source_type, source_name = nil, *args
               context = Contrast::Agent::REQUEST_TRACKER.current
               return unless context && source_node && target
@@ -90,7 +90,7 @@ module Contrast
                 # values back to ourselves and try again
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
                 target.each do |value|
-                  apply_source(source_node, value, source_data, source_type, source_name, *args)
+                  process_source(source_node, value, source_data, source_type, source_name, *args)
                 end
               end
             rescue StandardError => e
@@ -116,8 +116,8 @@ module Contrast
                   key = key.dup
                   to_replace << key
                 end
-                apply_source(source_node, key, source_data, key_type(source_type), key, *args)
-                apply_source(source_node, value, source_data, source_type, key, *args)
+                process_source(source_node, key, source_data, key_type(source_type), key, *args)
+                process_source(source_node, value, source_data, source_type, key, *args)
               end
               handle_hash_key(target, to_replace)
             end

data/lib/contrast/agent/assess/policy/trigger_method.rb CHANGED Viewed

@@ -8,6 +8,9 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 require 'contrast/utils/assess/trigger_method_utils'
 require 'contrast/agent/assess/events/event_data'
+require 'contrast/agent/reporting/reporting_events/preflight'
+require 'contrast/agent/reporting/reporting_events/preflight_message'
+require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
 module Contrast
@@ -154,7 +157,9 @@ module Contrast
               new_preflight = Contrast::Agent::Reporting::Preflight.new
               new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-              new_preflight_message.routes << request
+              if request.route
+                new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
+              end
               new_preflight_message.hash_code = hash_code
               new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
               new_preflight.messages << new_preflight_message

data/lib/contrast/agent/assess/property/tagged.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module Contrast
           # @param ranges [Array<Range>] the ranges to delete
           # @param shift [Boolean] move remaining tags to the left to account
           #   for the deletion
-          def delete_tags_at_ranges ranges, shift = true
+          def delete_tags_at_ranges ranges, shift: true
             return unless tracked?
             # Stage one - delete the tags w/o changing their

data/lib/contrast/agent/assess/rule/response/{autocomplete_rule.rb → auto_complete_rule.rb} RENAMED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/agent/assess/rule/response/body_rule'
 require 'contrast/utils/string_utils'
 module Contrast
@@ -11,7 +11,8 @@ module Contrast
         module Response
           # These rules check the content of the HTTP Response to determine if the body contains a form which
           # incorrectly sets the autocomplete attribute.
-          class Autocomplete < BaseRule
+          class AutoComplete < BaseRule
+            include BodyRule
             def rule_id
               'autocomplete-missing'
             end
@@ -31,7 +32,7 @@ module Contrast
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
               body = response.body
-              forms = forms(body)
+              forms = html_elements(body, FORM_START_REGEXP, capture_overflow: true)
               forms.each do |form|
                 # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
                 # skip out on the first violation.

data/lib/contrast/agent/assess/rule/response/base_rule.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 require 'rack'
+require 'json'
 require 'contrast/agent/reporting/reporting_utilities/dtm_message'
 require 'contrast/utils/hash_digest'
 require 'contrast/utils/preflight_util'
@@ -41,9 +42,6 @@ module Contrast
             protected
             DATA = 'data'.cs__freeze
-            HTML_PROP = 'html'.cs__freeze
-            START_PROP = 'start'.cs__freeze
-            END_PROP = 'end'.cs__freeze
             # Rules discern which responses they can/should analyze.
             #
@@ -60,10 +58,15 @@ module Contrast
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
-            # @param _response [Contrast::Agent::Response] the response of the application
+            # @param response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? _response; end
+            def evidence data = Contrast::Utils::ObjectShare::EMPTY_STRING
+              data = Contrast::Utils::ObjectShare::EMPTY_STRING if data.nil?
+              { DATA => data }
+            end
             # Convert the given evidence into a finding. The rule will populate this evidence with each of the
             #
             # @param evidence [Hash] the properties required to build this finding.
@@ -87,7 +90,11 @@ module Contrast
             # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
             def build_evidence evidence, finding
               evidence.each_pair do |key, value|
-                finding.properties[key] = Contrast::Utils::StringUtils.force_utf8(value)
+                finding.properties[key] = if value.cs__is_a?(Hash)
+                                            Contrast::Utils::StringUtils.protobuf_format(value.to_json)
+                                          else
+                                            Contrast::Utils::StringUtils.protobuf_format(value)
+                                          end
               end
             end
@@ -115,80 +122,6 @@ module Contrast
             def valid_content_type? type
               !type || [/json/i, /xml/i].none? { |invalid_content| type =~ invalid_content }
             end
-            # Determine if a response has a body or not.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Boolean]
-            def body? response
-              Contrast::Utils::StringUtils.present?(response.body)
-            end
-            # Capture the information needed to build the properties of this finding by parsing out from the body
-            #
-            # @param body [String] the entire HTTP Response body
-            # @param body_start [Integer] the start of the range to take from the body
-            # @param body_close [Integer] the end of the range to take from the body
-            # @param tag_stop [Integer] the index of the end of the html tag from its start
-            # @return [Hash]
-            def capture body, body_start, body_close, tag_stop
-              tag = {}
-              # Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
-              capture_start = body_start < 50 ? 0 : body_start - 50
-              # Start is where the '<form' is in the body
-              # 6 accounts for the characters in the form and the opening char
-              # potential_form.index('>') accounts for finding the rest of the form
-              # 50 accounts for the context to capture beyond
-              capture_close = body_close + 50
-              tag[HTML_PROP] = body[capture_start...capture_close]
-              tag[START_PROP] = body_start < 50 ? body_start : 50
-              tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
-              tag
-            end
-            # Find the forms in this body, if any, so as to determine if they violate this rule.
-            #
-            # @param body [String]
-            # @return [Array<Hash>] the forms of this body, as well as their start and end indexes.
-            def forms body
-              forms = []
-              body_start = 0
-              # The instance of "<form" in the body may be a form. Turn them into chunks to check.
-              potential_forms = body.split(form_start)
-              potential_forms.each do |potential_form|
-                # We can consider this a form if the next character is one of whitespace of form tag closing
-                # characters.
-                next unless potential_form
-                next unless form_openings.any? { |opening| potential_form.start_with?(opening) }
-                body_start = body.index(form_start, body_start)
-                next unless body_start
-                form_stop = potential_form.index('>').to_i
-                next unless form_stop
-                body_close = body_start + 6 + form_stop
-                forms << capture(body, body_start, body_close, form_stop)
-                body_start = body_close
-              end
-              forms
-            end
-            def form_start
-              /<form/i
-            end
-            def form_openings
-              [' ', "\n", "\r", "\t", '>']
-            end
-            # Determine if a response has headers.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Boolean]
-            def headers? response
-              response.headers.cs__is_a?(Hash)
-            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/body_rule.rb ADDED Viewed

@@ -0,0 +1,109 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'rack'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/rule/response/base_rule'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          module BodyRule
+            protected
+            HTML_PROP = 'html'.cs__freeze
+            START_PROP = 'start'.cs__freeze
+            END_PROP = 'end'.cs__freeze
+            FORM_START_REGEXP = /<form/i.cs__freeze
+            META_TYPE = 'meta'
+            PRAGMA = 'pragma'
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && body?(response)
+            end
+            # Determine if a response has a body or not.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def body? response
+              Contrast::Utils::StringUtils.present?(response.body)
+            end
+            # Find the elements in this section, if any, so as to determine if they violate this rule.
+            #
+            # @param section [String,nil] html section to find element
+            # @param element_start_str [String] element to find in html section
+            # @return [Array<Hash>] the found elements of this section, as well as their start and end indexes.
+            def html_elements section, element_start_str = '', capture_overflow: false
+              elements = []
+              section_start = 0
+              return [] unless section
+              potential_elements(section, element_start_str).flatten.each do |potential_element|
+                next unless potential_element
+                next unless element_openings.any? { |opening| potential_element.starts_with?(opening) }
+                section_start = section.index(element_start_str, section_start)
+                next unless section_start
+                element_stop = potential_element.index('>').to_i
+                next unless element_stop
+                section_close = section_start + 6 + element_stop
+                elements << capture(section, section_start, section_close, element_stop, overflow: capture_overflow)
+                section_start = section_close
+              end
+              elements
+            end
+            def potential_elements section, element_start
+              section.split(element_start)
+            end
+            def element_openings
+              [' ', "\n", "\r", "\t", '>']
+            end
+            # Capture the information needed to build the properties of this finding by parsing out from the body
+            #
+            # @param body [String] the entire HTTP Response body
+            # @param body_start [Integer] the start of the range to take from the body
+            # @param body_close [Integer] the end of the range to take from the body
+            # @param tag_stop [Integer] the index of the end of the html tag from its start
+            # @return [Hash]
+            def capture body, body_start, body_close, tag_stop, overflow: false
+              tag = {}
+              # Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
+              if overflow
+                capture_start = body_start < 50 ? 0 : body_start - 50
+                # Start is where the '<form' is in the body
+                # 6 accounts for the characters in the form and the opening char
+                # potential_form.index('>') accounts for finding the rest of the form
+                # 50 accounts for the context to capture beyond
+                capture_close = body_close + 50
+                tag[HTML_PROP] = body[capture_start...capture_close]
+                tag[START_PROP] = body_start < 50 ? body_start : 50
+              else
+                tag[HTML_PROP] = body[body_start...body_close]
+                tag[START_PROP] = body_start
+              end
+              tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
+              tag
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb ADDED Viewed

@@ -0,0 +1,157 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/agent/assess/rule/response/body_rule'
+require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'contrast/utils/string_utils'
+require 'json'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the body or the headers include and/or
+          # set incorrectly the cache-control header
+          class CacheControl < HeaderRule
+            include BodyRule
+            include Framework::RailsSupport
+            def rule_id
+              'cache-controls-missing'
+            end
+            protected
+            HEADER_KEYS = %w[Cache-Control].cs__freeze
+            ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
+            DEFAULT_SAFE = false
+            META_START_STR = /<meta/i.cs__freeze
+            HEAD_TAG = /<head>/i.cs__freeze
+            NAME = 'cache-control'
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              has_header, evidence = process_header(response)
+              return evidence unless evidence.nil?
+              has_tag, evidence = process_body(response)
+              return evidence unless evidence.nil?
+              return {} if !has_header && !has_tag
+              nil
+            end
+            # Process Header value to determine if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array[Boolean, Hash]] whether the header exists and the evidence hash or nil
+            def process_header response
+              # Rails 7 adds support for the cache_control header directly in the
+              # rack response, we should use that value
+              if framework_supported?
+                cache_control = response.rack_response.cache_control
+                has_header = !cache_control.blank?
+                not_valid = has_header && !((cache_control[:no_cache]) || (cache_control[:no_store]))
+                # evidence requires header value string, pull directly instead of rebuilding from hash
+                return has_header, evidence(HEADER_TYPE, NAME, cache_control_to_s(cache_control)) if not_valid
+              else
+                # This rule is violated if the header is not there is there,
+                # but the value is not 'no-store' or 'no-cache'
+                cache_control = get_header_value(response)
+                has_header = !!cache_control
+                not_valid = has_header && !valid_header?(cache_control)
+                return has_header, evidence(HEADER_TYPE, NAME, cache_control) if not_valid
+              end
+              [has_header, nil]
+            end
+            # Process Body to determine cache control exists as meta tag and if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array[Boolean, Hash]] whether the meta tags exists and the evidence hash or nil
+            def process_body response
+              body = response.body
+              # check if the meta tag is include it
+              meta_tags = html_elements(body&.split(HEAD_TAG)&.last, META_START_STR)
+              meta_tags.each do |tag|
+                return true, evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+              end
+              [!meta_tags.empty?, nil]
+            end
+            def potential_elements section, element_start
+              section.split(element_start)
+            end
+            def accepted_http_values
+              [/'cache-control'/i, /"cache-control"/i]
+            end
+            def accepted_values
+              [/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i, /'cache-control'/i, /"cache-control"/i]
+            end
+            # Determine if the given metatag does not have a valid cache-control tag.
+            # Meta tags has the option to set http-equiv and content to set the http response header
+            # to define for the document
+            #
+            # @param tag [String] the meta tag
+            # @return [Boolean, nil]
+            def meta_cache_tag? tag
+              # Here we should determine the index of the needed keys
+              # http-equiv and content
+              http_equiv_idx = tag =~ /http-equiv=/i
+              return false unless http_equiv_idx
+              content_idx = tag =~ /content=/i
+              return false unless content_idx
+              # determine the value of the http-equiv if it's cache-control
+              http_equiv_idx += 11
+              is_valid = accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
+              return false unless is_valid
+              content_idx += 8
+              return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
+              true
+            end
+            # This method accepts the violation and transforms it to the proper hash
+            # before return in as violation
+            #
+            # @param type [String] String of Header or META of the type
+            # @param name [String] String of either cache-control or pragma
+            # @param value [String] String of the violated value
+            def evidence type, name, value
+              { DATA => { type: type, name: name, value: value }.to_s }
+            end
+            # Rebuilds the String value of the Cache-Control Header
+            # from the hash build in the Rack::Response
+            #
+            # @param hsh [Hash]
+            # @return [String]
+            def cache_control_to_s hsh
+              values = []
+              hsh.each_pair do |k, v|
+                key = k.to_s.tr('_', '-')
+                values << if key.to_sym == :extras
+                            v
+                          elsif v.is_a?(TrueClass)
+                            key
+                          else
+                            "#{ key }=#{ v }"
+                          end
+              end
+              values.join(', ')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the headers contains the required header
+          class ClickJacking < HeaderRule
+            def rule_id
+              'clickjacking-control-missing'
+            end
+            HEADER_KEYS = %w[X-Frame-Options].cs__freeze
+            ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end