contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb

@@ -2,7 +2,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/agent/assess/rule/response/header_rule'
 require 'contrast/utils/string_utils'
 
 module Contrast
@@ -11,27 +11,22 @@ module Contrast
       module Rule
         module Response
           # These rules check that the HTTP Headers include CSP header types
-          class CspHeaderInsecure < BaseRule
+          class CspHeaderInsecure < HeaderRule
             def rule_id
               'csp-header-insecure'
             end
 
             protected
 
-            CSP_HEADERS = %w[CONTENT_SECURITY_POLICY X_CONTENT_SECURITY_POLICY X_WEBKIT_CSP].cs__freeze
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            DEFAULT_SAFE = false
             SETTINGS = %w[
               base-uri child-src default-src connect-src frame-src media-src object-src script-src
               style-src form-action frame-ancestors plugin-types reflected-xss referer
             ].cs__freeze
             UNSAFE_VALUE_REGEXP = /^unsafe-(?:inline|eval)$/.cs__freeze
             ASTERISK_REGEXP = /[*]/.cs__freeze
-
-            # Rules discern which responses they can/should analyze.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            def analyze_response? response
-              super && headers?(response)
-            end
+            SAFE_REFLECTED_XSS = /1/.cs__freeze
 
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
@@ -39,16 +34,19 @@ module Contrast
             # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
             def violated? response
               settings = {}
-              csp_hash = get_csp_header_values(response.headers)
+              csp_hash = get_header_value(response)
               return if csp_hash.nil?
 
               SETTINGS.each do |setting_attr|
+                # default src has to be checked all other keys may be missing
+                next unless csp_hash.key?(setting_attr) || setting_attr == 'default-src'
+
                 value = csp_hash[setting_attr]
                 key = convert_key(setting_attr)
                 settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
                 settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
               end
-              { DATA => settings }
+              evidence(settings) if settings.value?(false)
             end
 
             # Get the CSP values from and transforms them to key value hash
@@ -58,9 +56,10 @@ module Contrast
             #
             # @param headers [Hash] the response of the application
             # @return [Array, nil] array of CSP header values
-            def get_csp_header_values headers
+            def get_header_value response
               csp_hash = {}
-              CSP_HEADERS.each do |header_key|
+              headers = response.headers
+              HEADER_KEYS.each do |header_key|
                 next unless headers[header_key]&.length&.positive?
 
                 values = headers[header_key].split(Contrast::Utils::ObjectShare::SEMICOLON)
@@ -78,7 +77,7 @@ module Contrast
             end
 
             def value_safe? value
-              UNSAFE_VALUE_REGEXP.match(value).nil?
+              UNSAFE_VALUE_REGEXP.match(value).nil? || !SAFE_REFLECTED_XSS.match(value).nil?
             end
 
             # Converts the CSP key to camelcase to be used as key for evidence object

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/rule/response/base_rule'
+require 'contrast/agent/assess/rule/response/header_rule'
 require 'contrast/utils/string_utils'
 
 module Contrast
@@ -10,34 +10,14 @@ module Contrast
       module Rule
         module Response
           # These rules check that the HTTP Headers include CSP header types
-          class CspHeaderMissing < BaseRule
+          class CspHeaderMissing < HeaderRule
             def rule_id
               'csp-header-missing'
             end
 
-            protected
-
-            CSP_HEADERS = %w[CONTENT_SECURITY_POLICY X_CONTENT_SECURITY_POLICY X_WEBKIT_CSP].cs__freeze
-
-            DATA = 'data'.cs__freeze
-
-            # Rules discern which responses they can/should analyze.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            def analyze_response? response
-              super && headers?(response)
-            end
-
-            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Contrast::Utils::ObjectShare::EMPTY_STRING, nil] if CSP Header is not found
-            def violated? response
-              response_headers = response.headers
-              return if CSP_HEADERS.any? { |header_key| response_headers[header_key]&.length&.positive? }
-
-              { DATA => Contrast::Utils::ObjectShare::EMPTY_STRING }
-            end
+            HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
+            ACCEPTED_VALUES = [/(.)/].cs__freeze
+            DEFAULT_SAFE = false
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          module Framework
+            # Rails 7 supports managing potential unsafe Headers
+            # this module contains methods for checking if Rails 7 supersedes our rules
+            module RailsSupport
+              RAILS_VERSION = Gem::Version.new('7.0.0')
+
+              def framework_supported?
+                return false unless defined?(::Rails)
+
+                rails_version = ::Rails.version
+                return false unless !!rails_version
+
+                Gem::Version.new(rails_version) >= RAILS_VERSION
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/header_rule.rb

@@ -0,0 +1,70 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'rack'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/utils/hash_digest'
+require 'contrast/utils/preflight_util'
+require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/rule/response/base_rule'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if something was set incorrectly or
+          # insecurely in it.
+          class HeaderRule < BaseRule
+            HEADER_TYPE = 'header'
+
+            # Rules discern which responses they can/should analyze.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            def analyze_response? response
+              super && headers?(response)
+            end
+
+            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            def violated? response
+              header_value = get_header_value(response)
+              if header_value
+                return evidence(header_value) unless valid_header?(header_value)
+              else
+                return evidence(header_value) unless cs__class::DEFAULT_SAFE
+              end
+              nil
+            end
+
+            # Determine if a response has headers.
+            #
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def headers? response
+              response.headers&.any?
+            end
+
+            protected
+
+            def get_header_value response
+              response_headers = response.headers
+              values = response_headers.values_at(*cs__class::HEADER_KEYS, *cs__class::HEADER_KEYS.map(&:to_sym))
+              values.compact.first
+            end
+
+            # Determine if the value of the Response Header has a valid value
+            #
+            # @param header [Contrast::Agent::Response] a response header
+            # @return [Boolean] whether the header value is valid
+            def valid_header? header
+              cs__class::ACCEPTED_VALUES.any? { |val| val.match(header) }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb

@@ -1,6 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
 module Contrast
   module Agent
     module Assess
@@ -8,49 +11,22 @@ module Contrast
         module Response
           # This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
           # is set to a value greater than 0.
-          class HSTSHeader < BaseRule
+          class HSTSHeader < HeaderRule
             def rule_id
               'hsts-header-missing'
             end
 
             protected
 
-            HEADER_KEY = 'Strict-Transport-Security'
-            HEADER_KEY_SYM = HEADER_KEY.to_sym
-            MAX_AGE = 'max-age'
-            MAX_AGE_SYM = MAX_AGE.to_sym
-            # Rules discern which responses they can/should analyze.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            def analyze_response? response
-              super && response.headers.cs__is_a?(Hash)
-            end
-
-            # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
-            #
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash<data: Contrast::Utils::ObjectShare::EMPTY_STRING, String>, nil] return string
-            # representation of the max_age
-            def violated? response
-              headers = response.headers
-              target = headers[HEADER_KEY] || headers[HEADER_KEY_SYM]
-              # this rule is safe by default if no target => no evidence
-              # if the property max_age is not positive or absent then the rule is violated
-              return unless target
-
-              max_age = target[MAX_AGE] || target[MAX_AGE_SYM]
-              return if max_age.to_i.positive?
-
-              evidence max_age
-            end
+            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
+            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
+            DEFAULT_SAFE = true
 
-            # returns evidence that the max_age is negative or absent
-            #
-            # @param max_age [String] String representation of the max-age value to which the header is set
-            # @return [Hash<data: Contrast::Utils::ObjectShare::EMPTY_STRING, String>] return string representation of
-            # the max_age
-            def evidence max_age
-              { data: max_age.to_s }
+            def evidence data
+              # get only the value of the max-age property
+              val = data&.split('=')&.last
+              val = Contrast::Utils::ObjectShare::EMPTY_STRING if val.nil? || val == 'max-age'
+              { DATA => val }
             end
           end
         end

data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb

@@ -12,6 +12,7 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if the body contains a form which
           # incorrectly sets the action attribute.
           class ParametersPollution < BaseRule
+            include BodyRule
             def rule_id
               'parameter-pollution'
             end
@@ -31,7 +32,7 @@ module Contrast
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
               body = response.body
-              forms = forms(body)
+              forms = html_elements(body, FORM_START_REGEXP, capture_overflow: true)
               forms.each do |form|
                 # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
                 # skip out on the first violation.

data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XContentType < HeaderRule
+            def rule_id
+              'xcontenttype-header-missing'
+            end
+
+            HEADER_KEYS = %w[X-Content-Type-Options].cs__freeze
+            ACCEPTED_VALUES = [/^nosniff/i].cs__freeze
+            DEFAULT_SAFE = false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -0,0 +1,35 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'contrast/agent/assess/rule/response/header_rule'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Rule
+        module Response
+          # These rules check the content of the HTTP Response to determine if the response contains the needed header
+          class XXssProtection < HeaderRule
+            include Framework::RailsSupport
+
+            def rule_id
+              'xxssprotection-header-disabled'
+            end
+
+            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
+            ACCEPTED_VALUES = [/^1/].cs__freeze
+            DEFAULT_SAFE = true
+
+            protected
+
+            def analyze_response? response
+              !framework_supported? && super
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb

@@ -24,13 +24,6 @@ module Contrast
           def method_scope
             :contrast
           end
-
-          # TODO: RUBY-99999 remove, used to clean up logs while debugging
-          # def validate
-          #   return if class_name
-          #
-          #   raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
-          # end
         end
       end
     end

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -35,12 +35,6 @@ module Contrast
             end
           end
 
-          def validate
-            return if class_name
-
-            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
-          end
-
           def module_names
             @_module_names ||= Set.new(deadzones.map(&:class_name))
           end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -51,7 +51,7 @@ module Contrast
 
         @urls = []
         @exclusion.urls.each do |url|
-          url_pattern = build_regexp(url, true, true)
+          url_pattern = build_regexp(url, start_anchor: true, end_anchor: true)
           @urls << url_pattern if url_pattern
         end
       end
@@ -66,7 +66,7 @@ module Contrast
         @wildcard_exclusions = []
         @exclusion.denylist.each do |code|
           class_name, method_name = code.split(Contrast::Utils::ObjectShare::COLON)
-          class_pattern = build_regexp(class_name, false, true)
+          class_pattern = build_regexp(class_name, start_anchor: false, end_anchor: true)
           method_pattern = build_regexp(method_name)
           next unless class_pattern && method_pattern
 
@@ -74,7 +74,7 @@ module Contrast
         end
       end
 
-      def build_regexp pattern, start_anchor = false, end_anchor = false
+      def build_regexp pattern, start_anchor: false, end_anchor: false
         pattern = Contrast::Utils::ObjectShare::CARROT + pattern if start_anchor
         pattern += Contrast::Utils::ObjectShare::DOLLAR_SIGN if end_anchor
         Regexp.compile(pattern)

data/lib/contrast/agent/middleware.rb

@@ -13,7 +13,7 @@ require 'contrast/utils/heap_dump_util'
 require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
-require 'contrast/agent/startup_metrics_telemetry_event'
+require 'contrast/agent/telemetry/events/startup_metrics_telemetry_event'
 require 'contrast/utils/middleware_utils'
 
 require 'contrast/utils/timer'
@@ -163,6 +163,8 @@ module Contrast
 
           # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
+          # All protect rules, which are trigger but require response to be reported
+          Contrast::Agent::EXPLOITS.report_recorded_exploits context unless Contrast::Agent::EXPLOITS.collection.empty?
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity
@@ -173,6 +175,7 @@ module Contrast
             request_handler.send_activity_messages # TODO: RUBY-1438 -- remove
           end
         end
+      # unsuccessful attack
       rescue StandardError => e
         raise e if security_exception?(e)
 

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -29,14 +29,13 @@ module Contrast
           # there are no require time side effects of loading our core
           # extensions.
           def apply_direct_patches!
-            @_apply_direct_patches ||= begin
+            @_apply_direct_patches ||= begin # TODO: RUBY-1541 - put 'kernel' back
               paths = %w[
                 array
                 basic_object
                 module
                 fiber_track
                 hash
-                kernel
                 marshal_module
                 regexp
                 string
@@ -75,7 +74,6 @@ module Contrast
           def apply_require_patches!
             @_apply_require_patches ||= begin
               require 'contrast/extension/thread'
-              require 'contrast/extension/kernel'
               true
             rescue LoadError, StandardError => e
               logger.error('failed instrumenting apply_require_patches!', e)

data/lib/contrast/agent/patching/policy/patch.rb

@@ -49,15 +49,11 @@ module Contrast
             ].cs__freeze
 
             def enter_method_scope! method_policy
-              method_policy.scopes_to_enter.each do |scope|
-                enter_scope!(scope)
-              end
+              contrast_enter_method_scopes! method_policy.scopes_to_enter
             end
 
             def exit_method_scope! method_policy
-              method_policy.scopes_to_exit.each do |scope|
-                exit_scope!(scope)
-              end
+              contrast_exit_method_scopes! method_policy.scopes_to_exit
             end
 
             # @param mod [Module] the module in which the patch should be

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -133,7 +133,7 @@ module Contrast
             # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
             # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
             #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
-            def patch_into_module module_data, redo_patch = false
+            def patch_into_module module_data, redo_patch: false
               status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
 
@@ -147,7 +147,7 @@ module Contrast
                 return
               end
 
-              patch_methods status, module_data, module_policy
+              patch_methods(status, module_data, module_policy)
             rescue StandardError => e
               status&.failed_patch!
               logger.warn('Patching failed', e, module: module_data.mod_name)
@@ -179,7 +179,7 @@ module Contrast
             # @param private [Boolean] Indicate if the query should include
             #   private, as well as public, instance methods
             # @return [Array<Symbol>]
-            def all_instance_methods mod, private = false
+            def all_instance_methods mod, private: false
               instance_methods = mod.instance_methods(false)
               # C magic rb_define_global_function creates private instance
               # methods. We need to instrument those dudes
@@ -206,7 +206,7 @@ module Contrast
             #   this module, sorted by type.
             def patch_into_instance_methods module_data, module_policy
               mod = module_data.mod
-              methods = all_instance_methods(mod, true)
+              methods = all_instance_methods(mod, private: true)
               methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
               patch_into_methods(mod, methods, module_policy, true)
             end

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/scope'
+require 'contrast/utils/object_share'
 
 module Contrast
   module Agent
@@ -14,8 +15,20 @@ module Contrast
         class PolicyNode
           include Contrast::Components::Scope::InstanceMethods
 
-          attr_accessor :class_name, :instance_method, :method_name, :method_visibility
-          attr_reader :properties, :method_scope
+          # Name of the class in which the method is being invoked.
+          attr_accessor :class_name
+          # Check for instance method.
+          #
+          # @return true | false
+          attr_accessor :instance_method
+          # The symbol representation of the invoked method.
+          attr_accessor :method_name
+          # Visibility of the invoked method [Private, Public, Protected]
+          attr_accessor :method_visibility
+          # Properties parsed from our JSON policy.
+          attr_reader :properties
+          # Scope of the method parsed from our JSON policy.
+          attr_reader :method_scope
 
           def node_class
             raise NoMethodError, 'specify the type of the feature for which this node patches'

data/lib/contrast/agent/protect/exploitable_collection.rb

@@ -0,0 +1,38 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      # This class will store all exploits or definite attack but
+      # require us to wait for response
+      class ExploitableCollection
+        include Contrast::Components::Logger::InstanceMethods
+
+        def initialize
+          @_collection = []
+        end
+
+        def collection
+          @_collection ||= []
+        end
+
+        # Push the Result we need to store until response is available
+        #
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        def push attack_result
+          @_collection << attack_result
+        end
+
+        # Attach attack results to the context
+        #
+        # @param context [Contrast::Agent::RequestContext]
+        def report_recorded_exploits context
+          context.activity.results.concat(@_collection)
+        end
+      end
+    end
+  end
+end