contrast-agent 5.1.0 → 6.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -5
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +7 -7
- data/ext/cs__assess_string/cs__assess_string.c +13 -1
- data/ext/cs__common/cs__common.c +16 -11
- data/ext/cs__common/cs__common.h +1 -0
- data/ext/cs__contrast_patch/cs__contrast_patch.c +100 -64
- data/ext/cs__contrast_patch/cs__contrast_patch.h +2 -0
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +796 -0
- data/ext/cs__scope/cs__scope.h +88 -0
- data/ext/cs__scope/extconf.rb +5 -0
- data/lib/contrast/agent/assess/contrast_event.rb +20 -13
- data/lib/contrast/agent/assess/contrast_object.rb +4 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -5
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_method.rb +6 -1
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/{autocomplete_rule.rb → auto_complete_rule.rb} +4 -3
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +12 -79
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +109 -0
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +157 -0
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +14 -15
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +5 -25
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +29 -0
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +12 -36
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +2 -1
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +35 -0
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/middleware.rb +4 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -3
- data/lib/contrast/agent/patching/policy/patch.rb +2 -6
- data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +147 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +61 -2
- data/lib/contrast/agent/protect/rule/base_service.rb +12 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +6 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +13 -1
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +88 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +118 -0
- data/lib/contrast/agent/protect/rule/sqli.rb +33 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +115 -0
- data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
- data/lib/contrast/agent/reporting/report.rb +3 -0
- data/lib/contrast/agent/reporting/reporter.rb +31 -12
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +69 -36
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +88 -59
- data/lib/contrast/agent/reporting/reporting_events/{finding_object.rb → finding_event_object.rb} +24 -20
- data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +39 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/{finding_signature.rb → finding_event_signature.rb} +29 -24
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +12 -8
- data/lib/contrast/agent/reporting/reporting_events/{finding_stack.rb → finding_event_stack.rb} +23 -19
- data/lib/contrast/agent/reporting/reporting_events/{finding_taint_range.rb → finding_event_taint_range.rb} +17 -15
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +26 -53
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +29 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +6 -4
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +1 -0
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +10 -3
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +17 -5
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -45
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +69 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +123 -85
- data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/request_context.rb +7 -2
- data/lib/contrast/agent/request_context_extend.rb +85 -21
- data/lib/contrast/agent/request_handler.rb +4 -0
- data/lib/contrast/agent/scope.rb +102 -107
- data/lib/contrast/agent/service_heartbeat.rb +45 -2
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
- data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
- data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +3 -0
- data/lib/contrast/api/communication/speedracer.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/bot_blocker.rb +37 -0
- data/lib/contrast/api/decorators/ip_denylist.rb +37 -0
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
- data/lib/contrast/api/decorators/response_type.rb +30 -0
- data/lib/contrast/api/decorators/user_input.rb +11 -1
- data/lib/contrast/api/decorators/virtual_patch.rb +34 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/logger.rb +5 -0
- data/lib/contrast/components/protect.rb +6 -4
- data/lib/contrast/components/sampling.rb +7 -11
- data/lib/contrast/components/scope.rb +98 -91
- data/lib/contrast/components/settings.rb +106 -8
- data/lib/contrast/config/agent_configuration.rb +41 -12
- data/lib/contrast/config/api_configuration.rb +37 -12
- data/lib/contrast/config/api_proxy_configuration.rb +12 -3
- data/lib/contrast/config/application_configuration.rb +38 -14
- data/lib/contrast/config/assess_configuration.rb +47 -12
- data/lib/contrast/config/assess_rules_configuration.rb +15 -3
- data/lib/contrast/config/base_configuration.rb +18 -50
- data/lib/contrast/config/certification_configuration.rb +17 -3
- data/lib/contrast/config/exception_configuration.rb +14 -3
- data/lib/contrast/config/heap_dump_configuration.rb +43 -17
- data/lib/contrast/config/inventory_configuration.rb +17 -3
- data/lib/contrast/config/logger_configuration.rb +10 -3
- data/lib/contrast/config/protect_configuration.rb +17 -7
- data/lib/contrast/config/protect_rule_configuration.rb +17 -8
- data/lib/contrast/config/protect_rules_configuration.rb +115 -17
- data/lib/contrast/config/request_audit_configuration.rb +26 -3
- data/lib/contrast/config/root_configuration.rb +52 -12
- data/lib/contrast/config/ruby_configuration.rb +60 -22
- data/lib/contrast/config/sampling_configuration.rb +19 -9
- data/lib/contrast/config/server_configuration.rb +19 -10
- data/lib/contrast/config/service_configuration.rb +27 -11
- data/lib/contrast/configuration.rb +5 -3
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/manager.rb +2 -2
- data/lib/contrast/logger/application.rb +1 -1
- data/lib/contrast/logger/cef_log.rb +151 -0
- data/lib/contrast/tasks/config.rb +90 -3
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/class_util.rb +3 -12
- data/lib/contrast/utils/hash_digest.rb +14 -6
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/log_utils.rb +114 -0
- data/lib/contrast/utils/middleware_utils.rb +9 -9
- data/lib/contrast/utils/net_http_base.rb +13 -10
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +0 -5
- data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -9
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/telemetry.rb +1 -1
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/lib/contrast/utils/telemetry_identifier.rb +1 -1
- data/lib/contrast.rb +4 -3
- data/resources/assess/policy.json +98 -0
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +9 -8
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +103 -38
- data/lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb +0 -184
- data/lib/contrast/agent/assess/rule/response/clickjacking_rule.rb +0 -66
- data/lib/contrast/agent/assess/rule/response/x_content_type_rule.rb +0 -52
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb +0 -53
- data/lib/contrast/extension/kernel.rb +0 -54
@@ -19,6 +19,7 @@ module Contrast
|
|
19
19
|
when Contrast::Utils::ObjectShare::OBJECT_KEY
|
20
20
|
tracked_inputs << preshift.object if Contrast::Agent::Assess::Tracker.tracked?(preshift.object)
|
21
21
|
else
|
22
|
+
check_for_buffer(tracked_inputs, preshift.args[source])
|
22
23
|
find_argument_inputs(tracked_inputs, preshift.args[source])
|
23
24
|
end
|
24
25
|
end
|
@@ -47,9 +48,15 @@ module Contrast
|
|
47
48
|
# @param tracked_inputs [Array] storage for the inputs to act on later
|
48
49
|
# @param arg [Object] an input to the method which act as sources for this propagation.
|
49
50
|
def find_argument_inputs tracked_inputs, arg
|
50
|
-
if arg.is_a?(String)
|
51
|
-
tracked_inputs << arg if
|
52
|
-
|
51
|
+
if arg.is_a?(String) || arg.is_a?(File)
|
52
|
+
tracked_inputs << arg if tracked_value?(arg)
|
53
|
+
else
|
54
|
+
iterable_arg tracked_inputs, arg
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
58
|
+
def iterable_arg tracked_inputs, arg
|
59
|
+
if Contrast::Utils::DuckUtils.iterable_hash?(arg)
|
53
60
|
arg.each_pair do |key, value|
|
54
61
|
tracked_inputs << key if tracked_value?(key)
|
55
62
|
tracked_inputs << value if tracked_value?(value)
|
@@ -60,6 +67,13 @@ module Contrast
|
|
60
67
|
end
|
61
68
|
end
|
62
69
|
end
|
70
|
+
|
71
|
+
def check_for_buffer tracked_inputs, arg
|
72
|
+
return if RUBY_VERSION < '3.1.0'
|
73
|
+
return unless arg.is_a?(IO::Buffer) && tracked_value?(arg)
|
74
|
+
|
75
|
+
tracked_inputs << arg
|
76
|
+
end
|
63
77
|
end
|
64
78
|
end
|
65
79
|
end
|
@@ -29,7 +29,7 @@ module Contrast
|
|
29
29
|
# @param ret [String] the result of the substitution
|
30
30
|
# @param block, the given block
|
31
31
|
# @param global [Boolean] if this was a global or single substitution, optional
|
32
|
-
def substitution_tagger patcher, preshift, ret, block, global
|
32
|
+
def substitution_tagger patcher, preshift, ret, block, global: true
|
33
33
|
return ret unless ret
|
34
34
|
|
35
35
|
begin
|
@@ -30,6 +30,7 @@ module Contrast
|
|
30
30
|
require 'contrast/agent/assess/policy/propagator/split'
|
31
31
|
require 'contrast/agent/assess/policy/propagator/substitution'
|
32
32
|
require 'contrast/agent/assess/policy/propagator/trim'
|
33
|
+
require 'contrast/agent/assess/policy/propagator/buffer'
|
33
34
|
end
|
34
35
|
end
|
35
36
|
end
|
@@ -36,7 +36,7 @@ module Contrast
|
|
36
36
|
# @param ret [Object] the Return of the invoked method
|
37
37
|
# @param args [Array<Object>] the Arguments with which the method was invoked
|
38
38
|
# @return [Object, nil] the tracked Return or nil if no changes were made
|
39
|
-
def
|
39
|
+
def apply_source method_policy, object, ret, args
|
40
40
|
return unless analyze?(method_policy, object, ret, args)
|
41
41
|
return unless (source_node = method_policy.source_node)
|
42
42
|
|
@@ -56,11 +56,11 @@ module Contrast
|
|
56
56
|
target = dup
|
57
57
|
end
|
58
58
|
|
59
|
-
|
59
|
+
process_source(source_node, target, source_data, source_node.type, nil, *args)
|
60
60
|
|
61
61
|
return_val
|
62
62
|
end
|
63
|
-
Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :
|
63
|
+
Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :apply_source)
|
64
64
|
|
65
65
|
private
|
66
66
|
|
@@ -75,7 +75,7 @@ module Contrast
|
|
75
75
|
# @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a map or
|
76
76
|
# nil if a type like BODY
|
77
77
|
# @param args [Array<Object>] the Arguments with which the method was invoked
|
78
|
-
def
|
78
|
+
def process_source source_node, target, source_data, source_type, source_name = nil, *args
|
79
79
|
context = Contrast::Agent::REQUEST_TRACKER.current
|
80
80
|
return unless context && source_node && target
|
81
81
|
|
@@ -90,7 +90,7 @@ module Contrast
|
|
90
90
|
# values back to ourselves and try again
|
91
91
|
elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
|
92
92
|
target.each do |value|
|
93
|
-
|
93
|
+
process_source(source_node, value, source_data, source_type, source_name, *args)
|
94
94
|
end
|
95
95
|
end
|
96
96
|
rescue StandardError => e
|
@@ -116,8 +116,8 @@ module Contrast
|
|
116
116
|
key = key.dup
|
117
117
|
to_replace << key
|
118
118
|
end
|
119
|
-
|
120
|
-
|
119
|
+
process_source(source_node, key, source_data, key_type(source_type), key, *args)
|
120
|
+
process_source(source_node, value, source_data, source_type, key, *args)
|
121
121
|
end
|
122
122
|
handle_hash_key(target, to_replace)
|
123
123
|
end
|
@@ -8,6 +8,9 @@ require 'contrast/utils/object_share'
|
|
8
8
|
require 'contrast/utils/sha256_builder'
|
9
9
|
require 'contrast/utils/assess/trigger_method_utils'
|
10
10
|
require 'contrast/agent/assess/events/event_data'
|
11
|
+
require 'contrast/agent/reporting/reporting_events/preflight'
|
12
|
+
require 'contrast/agent/reporting/reporting_events/preflight_message'
|
13
|
+
require 'contrast/agent/reporting/reporting_events/route_discovery'
|
11
14
|
require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
|
12
15
|
|
13
16
|
module Contrast
|
@@ -154,7 +157,9 @@ module Contrast
|
|
154
157
|
|
155
158
|
new_preflight = Contrast::Agent::Reporting::Preflight.new
|
156
159
|
new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
|
157
|
-
|
160
|
+
if request.route
|
161
|
+
new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
|
162
|
+
end
|
158
163
|
new_preflight_message.hash_code = hash_code
|
159
164
|
new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
|
160
165
|
new_preflight.messages << new_preflight_message
|
@@ -40,7 +40,7 @@ module Contrast
|
|
40
40
|
# @param ranges [Array<Range>] the ranges to delete
|
41
41
|
# @param shift [Boolean] move remaining tags to the left to account
|
42
42
|
# for the deletion
|
43
|
-
def delete_tags_at_ranges ranges, shift
|
43
|
+
def delete_tags_at_ranges ranges, shift: true
|
44
44
|
return unless tracked?
|
45
45
|
|
46
46
|
# Stage one - delete the tags w/o changing their
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/agent/assess/rule/response/
|
4
|
+
require 'contrast/agent/assess/rule/response/body_rule'
|
5
5
|
require 'contrast/utils/string_utils'
|
6
6
|
|
7
7
|
module Contrast
|
@@ -11,7 +11,8 @@ module Contrast
|
|
11
11
|
module Response
|
12
12
|
# These rules check the content of the HTTP Response to determine if the body contains a form which
|
13
13
|
# incorrectly sets the autocomplete attribute.
|
14
|
-
class
|
14
|
+
class AutoComplete < BaseRule
|
15
|
+
include BodyRule
|
15
16
|
def rule_id
|
16
17
|
'autocomplete-missing'
|
17
18
|
end
|
@@ -31,7 +32,7 @@ module Contrast
|
|
31
32
|
# @return [Hash, nil] the evidence required to prove the violation of the rule
|
32
33
|
def violated? response
|
33
34
|
body = response.body
|
34
|
-
forms =
|
35
|
+
forms = html_elements(body, FORM_START_REGEXP, capture_overflow: true)
|
35
36
|
forms.each do |form|
|
36
37
|
# Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
|
37
38
|
# skip out on the first violation.
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'rack'
|
5
|
+
require 'json'
|
5
6
|
require 'contrast/agent/reporting/reporting_utilities/dtm_message'
|
6
7
|
require 'contrast/utils/hash_digest'
|
7
8
|
require 'contrast/utils/preflight_util'
|
@@ -41,9 +42,6 @@ module Contrast
|
|
41
42
|
protected
|
42
43
|
|
43
44
|
DATA = 'data'.cs__freeze
|
44
|
-
HTML_PROP = 'html'.cs__freeze
|
45
|
-
START_PROP = 'start'.cs__freeze
|
46
|
-
END_PROP = 'end'.cs__freeze
|
47
45
|
|
48
46
|
# Rules discern which responses they can/should analyze.
|
49
47
|
#
|
@@ -60,10 +58,15 @@ module Contrast
|
|
60
58
|
|
61
59
|
# Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
|
62
60
|
#
|
63
|
-
# @param
|
61
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
64
62
|
# @return [Hash, nil] the evidence required to prove the violation of the rule
|
65
63
|
def violated? _response; end
|
66
64
|
|
65
|
+
def evidence data = Contrast::Utils::ObjectShare::EMPTY_STRING
|
66
|
+
data = Contrast::Utils::ObjectShare::EMPTY_STRING if data.nil?
|
67
|
+
{ DATA => data }
|
68
|
+
end
|
69
|
+
|
67
70
|
# Convert the given evidence into a finding. The rule will populate this evidence with each of the
|
68
71
|
#
|
69
72
|
# @param evidence [Hash] the properties required to build this finding.
|
@@ -87,7 +90,11 @@ module Contrast
|
|
87
90
|
# @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
|
88
91
|
def build_evidence evidence, finding
|
89
92
|
evidence.each_pair do |key, value|
|
90
|
-
finding.properties[key] =
|
93
|
+
finding.properties[key] = if value.cs__is_a?(Hash)
|
94
|
+
Contrast::Utils::StringUtils.protobuf_format(value.to_json)
|
95
|
+
else
|
96
|
+
Contrast::Utils::StringUtils.protobuf_format(value)
|
97
|
+
end
|
91
98
|
end
|
92
99
|
end
|
93
100
|
|
@@ -115,80 +122,6 @@ module Contrast
|
|
115
122
|
def valid_content_type? type
|
116
123
|
!type || [/json/i, /xml/i].none? { |invalid_content| type =~ invalid_content }
|
117
124
|
end
|
118
|
-
|
119
|
-
# Determine if a response has a body or not.
|
120
|
-
#
|
121
|
-
# @param response [Contrast::Agent::Response] the response of the application
|
122
|
-
# @return [Boolean]
|
123
|
-
def body? response
|
124
|
-
Contrast::Utils::StringUtils.present?(response.body)
|
125
|
-
end
|
126
|
-
|
127
|
-
# Capture the information needed to build the properties of this finding by parsing out from the body
|
128
|
-
#
|
129
|
-
# @param body [String] the entire HTTP Response body
|
130
|
-
# @param body_start [Integer] the start of the range to take from the body
|
131
|
-
# @param body_close [Integer] the end of the range to take from the body
|
132
|
-
# @param tag_stop [Integer] the index of the end of the html tag from its start
|
133
|
-
# @return [Hash]
|
134
|
-
def capture body, body_start, body_close, tag_stop
|
135
|
-
tag = {}
|
136
|
-
# Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
|
137
|
-
capture_start = body_start < 50 ? 0 : body_start - 50
|
138
|
-
# Start is where the '<form' is in the body
|
139
|
-
# 6 accounts for the characters in the form and the opening char
|
140
|
-
# potential_form.index('>') accounts for finding the rest of the form
|
141
|
-
# 50 accounts for the context to capture beyond
|
142
|
-
capture_close = body_close + 50
|
143
|
-
tag[HTML_PROP] = body[capture_start...capture_close]
|
144
|
-
tag[START_PROP] = body_start < 50 ? body_start : 50
|
145
|
-
tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
|
146
|
-
tag
|
147
|
-
end
|
148
|
-
|
149
|
-
# Find the forms in this body, if any, so as to determine if they violate this rule.
|
150
|
-
#
|
151
|
-
# @param body [String]
|
152
|
-
# @return [Array<Hash>] the forms of this body, as well as their start and end indexes.
|
153
|
-
def forms body
|
154
|
-
forms = []
|
155
|
-
body_start = 0
|
156
|
-
# The instance of "<form" in the body may be a form. Turn them into chunks to check.
|
157
|
-
potential_forms = body.split(form_start)
|
158
|
-
potential_forms.each do |potential_form|
|
159
|
-
# We can consider this a form if the next character is one of whitespace of form tag closing
|
160
|
-
# characters.
|
161
|
-
next unless potential_form
|
162
|
-
next unless form_openings.any? { |opening| potential_form.start_with?(opening) }
|
163
|
-
|
164
|
-
body_start = body.index(form_start, body_start)
|
165
|
-
next unless body_start
|
166
|
-
|
167
|
-
form_stop = potential_form.index('>').to_i
|
168
|
-
next unless form_stop
|
169
|
-
|
170
|
-
body_close = body_start + 6 + form_stop
|
171
|
-
forms << capture(body, body_start, body_close, form_stop)
|
172
|
-
body_start = body_close
|
173
|
-
end
|
174
|
-
forms
|
175
|
-
end
|
176
|
-
|
177
|
-
def form_start
|
178
|
-
/<form/i
|
179
|
-
end
|
180
|
-
|
181
|
-
def form_openings
|
182
|
-
[' ', "\n", "\r", "\t", '>']
|
183
|
-
end
|
184
|
-
|
185
|
-
# Determine if a response has headers.
|
186
|
-
#
|
187
|
-
# @param response [Contrast::Agent::Response] the response of the application
|
188
|
-
# @return [Boolean]
|
189
|
-
def headers? response
|
190
|
-
response.headers.cs__is_a?(Hash)
|
191
|
-
end
|
192
125
|
end
|
193
126
|
end
|
194
127
|
end
|
@@ -0,0 +1,109 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'rack'
|
5
|
+
require 'contrast/agent/reporting/reporting_utilities/dtm_message'
|
6
|
+
require 'contrast/utils/hash_digest'
|
7
|
+
require 'contrast/utils/preflight_util'
|
8
|
+
require 'contrast/utils/string_utils'
|
9
|
+
require 'contrast/agent/assess/rule/response/base_rule'
|
10
|
+
|
11
|
+
module Contrast
|
12
|
+
module Agent
|
13
|
+
module Assess
|
14
|
+
module Rule
|
15
|
+
module Response
|
16
|
+
# These rules check the content of the HTTP Response to determine if something was set incorrectly or
|
17
|
+
# insecurely in it.
|
18
|
+
module BodyRule
|
19
|
+
protected
|
20
|
+
|
21
|
+
HTML_PROP = 'html'.cs__freeze
|
22
|
+
START_PROP = 'start'.cs__freeze
|
23
|
+
END_PROP = 'end'.cs__freeze
|
24
|
+
FORM_START_REGEXP = /<form/i.cs__freeze
|
25
|
+
META_TYPE = 'meta'
|
26
|
+
PRAGMA = 'pragma'
|
27
|
+
|
28
|
+
# Rules discern which responses they can/should analyze.
|
29
|
+
#
|
30
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
31
|
+
def analyze_response? response
|
32
|
+
super && body?(response)
|
33
|
+
end
|
34
|
+
|
35
|
+
# Determine if a response has a body or not.
|
36
|
+
#
|
37
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
38
|
+
# @return [Boolean]
|
39
|
+
def body? response
|
40
|
+
Contrast::Utils::StringUtils.present?(response.body)
|
41
|
+
end
|
42
|
+
|
43
|
+
# Find the elements in this section, if any, so as to determine if they violate this rule.
|
44
|
+
#
|
45
|
+
# @param section [String,nil] html section to find element
|
46
|
+
# @param element_start_str [String] element to find in html section
|
47
|
+
# @return [Array<Hash>] the found elements of this section, as well as their start and end indexes.
|
48
|
+
def html_elements section, element_start_str = '', capture_overflow: false
|
49
|
+
elements = []
|
50
|
+
section_start = 0
|
51
|
+
return [] unless section
|
52
|
+
|
53
|
+
potential_elements(section, element_start_str).flatten.each do |potential_element|
|
54
|
+
next unless potential_element
|
55
|
+
next unless element_openings.any? { |opening| potential_element.starts_with?(opening) }
|
56
|
+
|
57
|
+
section_start = section.index(element_start_str, section_start)
|
58
|
+
next unless section_start
|
59
|
+
|
60
|
+
element_stop = potential_element.index('>').to_i
|
61
|
+
next unless element_stop
|
62
|
+
|
63
|
+
section_close = section_start + 6 + element_stop
|
64
|
+
elements << capture(section, section_start, section_close, element_stop, overflow: capture_overflow)
|
65
|
+
section_start = section_close
|
66
|
+
end
|
67
|
+
elements
|
68
|
+
end
|
69
|
+
|
70
|
+
def potential_elements section, element_start
|
71
|
+
section.split(element_start)
|
72
|
+
end
|
73
|
+
|
74
|
+
def element_openings
|
75
|
+
[' ', "\n", "\r", "\t", '>']
|
76
|
+
end
|
77
|
+
|
78
|
+
# Capture the information needed to build the properties of this finding by parsing out from the body
|
79
|
+
#
|
80
|
+
# @param body [String] the entire HTTP Response body
|
81
|
+
# @param body_start [Integer] the start of the range to take from the body
|
82
|
+
# @param body_close [Integer] the end of the range to take from the body
|
83
|
+
# @param tag_stop [Integer] the index of the end of the html tag from its start
|
84
|
+
# @return [Hash]
|
85
|
+
def capture body, body_start, body_close, tag_stop, overflow: false
|
86
|
+
tag = {}
|
87
|
+
# Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
|
88
|
+
if overflow
|
89
|
+
capture_start = body_start < 50 ? 0 : body_start - 50
|
90
|
+
# Start is where the '<form' is in the body
|
91
|
+
# 6 accounts for the characters in the form and the opening char
|
92
|
+
# potential_form.index('>') accounts for finding the rest of the form
|
93
|
+
# 50 accounts for the context to capture beyond
|
94
|
+
capture_close = body_close + 50
|
95
|
+
tag[HTML_PROP] = body[capture_start...capture_close]
|
96
|
+
tag[START_PROP] = body_start < 50 ? body_start : 50
|
97
|
+
else
|
98
|
+
tag[HTML_PROP] = body[body_start...body_close]
|
99
|
+
tag[START_PROP] = body_start
|
100
|
+
end
|
101
|
+
tag[END_PROP] = tag[START_PROP] + 6 + tag_stop
|
102
|
+
tag
|
103
|
+
end
|
104
|
+
end
|
105
|
+
end
|
106
|
+
end
|
107
|
+
end
|
108
|
+
end
|
109
|
+
end
|
@@ -0,0 +1,157 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
5
|
+
require 'contrast/agent/assess/rule/response/body_rule'
|
6
|
+
require 'contrast/agent/assess/rule/response/framework/rails_support'
|
7
|
+
require 'contrast/utils/string_utils'
|
8
|
+
require 'json'
|
9
|
+
|
10
|
+
module Contrast
|
11
|
+
module Agent
|
12
|
+
module Assess
|
13
|
+
module Rule
|
14
|
+
module Response
|
15
|
+
# These rules check the content of the HTTP Response to determine if the body or the headers include and/or
|
16
|
+
# set incorrectly the cache-control header
|
17
|
+
class CacheControl < HeaderRule
|
18
|
+
include BodyRule
|
19
|
+
include Framework::RailsSupport
|
20
|
+
|
21
|
+
def rule_id
|
22
|
+
'cache-controls-missing'
|
23
|
+
end
|
24
|
+
|
25
|
+
protected
|
26
|
+
|
27
|
+
HEADER_KEYS = %w[Cache-Control].cs__freeze
|
28
|
+
ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
|
29
|
+
DEFAULT_SAFE = false
|
30
|
+
META_START_STR = /<meta/i.cs__freeze
|
31
|
+
HEAD_TAG = /<head>/i.cs__freeze
|
32
|
+
NAME = 'cache-control'
|
33
|
+
|
34
|
+
# Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
|
35
|
+
#
|
36
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
37
|
+
# @return [Hash, nil] the evidence required to prove the violation of the rule
|
38
|
+
def violated? response
|
39
|
+
has_header, evidence = process_header(response)
|
40
|
+
return evidence unless evidence.nil?
|
41
|
+
|
42
|
+
has_tag, evidence = process_body(response)
|
43
|
+
return evidence unless evidence.nil?
|
44
|
+
return {} if !has_header && !has_tag
|
45
|
+
|
46
|
+
nil
|
47
|
+
end
|
48
|
+
|
49
|
+
# Process Header value to determine if it violates rule
|
50
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
51
|
+
# @return [Array[Boolean, Hash]] whether the header exists and the evidence hash or nil
|
52
|
+
def process_header response
|
53
|
+
# Rails 7 adds support for the cache_control header directly in the
|
54
|
+
# rack response, we should use that value
|
55
|
+
if framework_supported?
|
56
|
+
cache_control = response.rack_response.cache_control
|
57
|
+
has_header = !cache_control.blank?
|
58
|
+
not_valid = has_header && !((cache_control[:no_cache]) || (cache_control[:no_store]))
|
59
|
+
# evidence requires header value string, pull directly instead of rebuilding from hash
|
60
|
+
return has_header, evidence(HEADER_TYPE, NAME, cache_control_to_s(cache_control)) if not_valid
|
61
|
+
else
|
62
|
+
# This rule is violated if the header is not there is there,
|
63
|
+
# but the value is not 'no-store' or 'no-cache'
|
64
|
+
cache_control = get_header_value(response)
|
65
|
+
has_header = !!cache_control
|
66
|
+
not_valid = has_header && !valid_header?(cache_control)
|
67
|
+
return has_header, evidence(HEADER_TYPE, NAME, cache_control) if not_valid
|
68
|
+
end
|
69
|
+
[has_header, nil]
|
70
|
+
end
|
71
|
+
|
72
|
+
# Process Body to determine cache control exists as meta tag and if it violates rule
|
73
|
+
# @param response [Contrast::Agent::Response] the response of the application
|
74
|
+
# @return [Array[Boolean, Hash]] whether the meta tags exists and the evidence hash or nil
|
75
|
+
def process_body response
|
76
|
+
body = response.body
|
77
|
+
# check if the meta tag is include it
|
78
|
+
meta_tags = html_elements(body&.split(HEAD_TAG)&.last, META_START_STR)
|
79
|
+
meta_tags.each do |tag|
|
80
|
+
return true, evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
|
81
|
+
end
|
82
|
+
[!meta_tags.empty?, nil]
|
83
|
+
end
|
84
|
+
|
85
|
+
def potential_elements section, element_start
|
86
|
+
section.split(element_start)
|
87
|
+
end
|
88
|
+
|
89
|
+
def accepted_http_values
|
90
|
+
[/'cache-control'/i, /"cache-control"/i]
|
91
|
+
end
|
92
|
+
|
93
|
+
def accepted_values
|
94
|
+
[/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i, /'cache-control'/i, /"cache-control"/i]
|
95
|
+
end
|
96
|
+
|
97
|
+
# Determine if the given metatag does not have a valid cache-control tag.
|
98
|
+
# Meta tags has the option to set http-equiv and content to set the http response header
|
99
|
+
# to define for the document
|
100
|
+
#
|
101
|
+
# @param tag [String] the meta tag
|
102
|
+
# @return [Boolean, nil]
|
103
|
+
def meta_cache_tag? tag
|
104
|
+
# Here we should determine the index of the needed keys
|
105
|
+
# http-equiv and content
|
106
|
+
http_equiv_idx = tag =~ /http-equiv=/i
|
107
|
+
return false unless http_equiv_idx
|
108
|
+
|
109
|
+
content_idx = tag =~ /content=/i
|
110
|
+
return false unless content_idx
|
111
|
+
|
112
|
+
# determine the value of the http-equiv if it's cache-control
|
113
|
+
http_equiv_idx += 11
|
114
|
+
is_valid = accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
|
115
|
+
return false unless is_valid
|
116
|
+
|
117
|
+
content_idx += 8
|
118
|
+
return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
|
119
|
+
|
120
|
+
true
|
121
|
+
end
|
122
|
+
|
123
|
+
# This method accepts the violation and transforms it to the proper hash
|
124
|
+
# before return in as violation
|
125
|
+
#
|
126
|
+
# @param type [String] String of Header or META of the type
|
127
|
+
# @param name [String] String of either cache-control or pragma
|
128
|
+
# @param value [String] String of the violated value
|
129
|
+
def evidence type, name, value
|
130
|
+
{ DATA => { type: type, name: name, value: value }.to_s }
|
131
|
+
end
|
132
|
+
|
133
|
+
# Rebuilds the String value of the Cache-Control Header
|
134
|
+
# from the hash build in the Rack::Response
|
135
|
+
#
|
136
|
+
# @param hsh [Hash]
|
137
|
+
# @return [String]
|
138
|
+
def cache_control_to_s hsh
|
139
|
+
values = []
|
140
|
+
hsh.each_pair do |k, v|
|
141
|
+
key = k.to_s.tr('_', '-')
|
142
|
+
values << if key.to_sym == :extras
|
143
|
+
v
|
144
|
+
elsif v.is_a?(TrueClass)
|
145
|
+
key
|
146
|
+
else
|
147
|
+
"#{ key }=#{ v }"
|
148
|
+
end
|
149
|
+
end
|
150
|
+
values.join(', ')
|
151
|
+
end
|
152
|
+
end
|
153
|
+
end
|
154
|
+
end
|
155
|
+
end
|
156
|
+
end
|
157
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/assess/rule/response/header_rule'
|
5
|
+
require 'contrast/utils/string_utils'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Assess
|
10
|
+
module Rule
|
11
|
+
module Response
|
12
|
+
# These rules check the content of the HTTP Response to determine if the headers contains the required header
|
13
|
+
class ClickJacking < HeaderRule
|
14
|
+
def rule_id
|
15
|
+
'clickjacking-control-missing'
|
16
|
+
end
|
17
|
+
|
18
|
+
HEADER_KEYS = %w[X-Frame-Options].cs__freeze
|
19
|
+
ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
|
20
|
+
DEFAULT_SAFE = false
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|