contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb

@@ -0,0 +1,231 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of NoSQLI rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module NoSqliInputClassification
+          class << self
+            include InputClassificationBase
+
+            NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
+            NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
+            NOSQL_COMMENTS_AFTER_REGEXP = %r{(?:<--|//)}.cs__freeze
+
+            ZERO_OR_MORE_SPACES_REGEXP = /\s*/.cs__freeze
+            QUOTE_REGEXP = /['"’‘]/.cs__freeze
+            NUMBERS_AND_LETTERS_REGEXP = /[[:alnum:]]+/.cs__freeze
+            COMPARISON_REGEXP = /(?:==|>=|<=|>|<|)/.cs__freeze
+            NOSQL_QUOTED_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+            /x.cs__freeze
+            NOSQL_NUMERIC_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+            /x.cs__freeze
+
+            NOSQL_DEFINITE_THRESHOLD = 3
+            NOSQL_WORTH_WATCHING_THRESHOLD = 1
+            NOSQL_CONFIDENCE_THRESHOLD = 3
+            MAX_DISTANCE = 10
+
+            # Input Classification stage is done to determine if an user input is
+            # WORTHWATCHING or to be ignored.
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+            def classify input_type, value, input_analysis
+              return unless input_analysis.request
+
+              rule_id = Contrast::Agent::Protect::Rule::NoSqli::NAME
+
+              # double check the input to avoid calling match? on array
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  input_analysis.results << nosqli_create_new_input_result(input_analysis.request,
+                                                                           rule_id,
+                                                                           input_type,
+                                                                           v)
+                end
+              end
+
+              input_analysis
+            end
+
+            private
+
+            # Creates a new instance of InputAnalysisResult with basic info.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
+            # @param value [String, Array<String>] the value of the input.
+            # @param path [String] the path of the current request context.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def new_ia_result rule_id, input_type, score_level, path, value
+              super(rule_id, input_type, path, value).tap { |res| res.score_level = score_level }
+            end
+
+            # This methods checks if input should be tagged DEFINITEATTACK, WORTHWATCHING, or IGNORE,
+            # and creates a new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def nosqli_create_new_input_result request, rule_id, input_type, value
+              score = evaluate_patterns(value)
+              score = evaluate_rules(value, score)
+
+              score_level = if definite_attack? score
+                              DEFINITEATTACK
+                            elsif worth_watching? score
+                              WORTHWATCHING
+                            else
+                              IGNORE
+                            end
+
+              new_ia_result(rule_id, input_type, score_level, request.path, value)
+            end
+
+            # This method evaluates the patterns relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all patterns matched is
+            # returned, unless the individual matching pattern score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param value [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_patterns value, total_score = 0
+              applicable_patterns = nosqli_patterns
+              return total_score if applicable_patterns.nil?
+
+              total_patterns_score = 0
+              applicable_patterns.each do |pattern|
+                next unless value.match?(pattern[:value])
+
+                total_patterns_score += pattern[:score].to_i
+                total_score += pattern[:score].to_i
+
+                if pattern[:score].to_i >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+                  return total_score
+                end
+              end
+
+              total_score
+            end
+
+            def evaluate_comment_rule value
+              (value =~ NOSQL_COMMENT_REGEXP).nil? ? 0 : 2 # None/Medium
+            end
+
+            # This method evaluates the searcher rules relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all rules matched is
+            # returned, unless the individual matching rukle score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param value [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_rules value, total_score = 0
+              total_rules_score = 0
+              %i[evaluate_comment_rule evaluate_or_rule].each do |method|
+                rule_score = send(method, value)
+                total_rules_score += rule_score
+                total_score += rule_score
+
+                return total_score if rule_score >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+              end
+
+              total_score
+            end
+
+            # This method evaluates the input value for NoSQL Or searches. Each possible match is
+            # checked. If a match is found then a score of either 3 (High) or 4 (Critical) will
+            # be returned, depending on whether the regexp for finding comments is also matched.
+            #
+            # @param value [String] the value of the input.
+            #
+            # @return res [Integer]
+            def evaluate_or_rule value
+              score = 0
+
+              locs = matches_by_position value, NOSQL_OR_REGEXP
+              return score if locs.empty?
+
+              locs.each do |loc|
+                [NOSQL_QUOTED_REGEXP, NOSQL_NUMERIC_REGEXP].each do |pattern|
+                  pattern_locs = matches_by_position(value[loc[1]..], pattern)
+                  next unless !pattern_locs.empty? && pattern_locs[0][0] < MAX_DISTANCE
+
+                  return 4 if value.match?(NOSQL_COMMENTS_AFTER_REGEXP, loc[1] + pattern_locs[0][1]) # Critical
+
+                  score = 3 # High
+                  break
+                end
+              end
+
+              score
+            end
+
+            # This method returns the patterns to be checked against the input value.
+            #
+            # @return res [Array, nil]
+            def nosqli_patterns
+              server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
+              rule_definitions = server_features&.protect&.rule_definition_list
+              rule_definitions&.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
+            end
+
+            def matches_by_position value, pattern
+              value.to_enum(:scan, pattern).map { Regexp.last_match.offset(Regexp.last_match.size - 1) }
+            end
+
+            def definite_attack? score
+              score >= NOSQL_DEFINITE_THRESHOLD
+            end
+
+            def worth_watching? score
+              score >= NOSQL_WORTH_WATCHING_THRESHOLD
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -35,9 +35,23 @@ module Contrast
 
             append_to_activity(context, result)
 
+            cef_logging result, :successful_attack
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 
+          def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return result
+            end
+
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, input_analysis_result, result, candidate_string)
+            append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
+            result
+          end
+
           protected
 
           def find_attacker context, potential_attack_string, **kwargs
@@ -52,6 +66,20 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
+
+          def infilter? context
+            return false unless context&.agent_input_analysis&.results
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -38,6 +38,7 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
+            cef_logging result, :successful_attack, path
             raise Contrast::SecurityException.new(self,
                                                   "Path Traversal rule triggered. Call to File.#{ method } blocked.")
           end

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb

@@ -0,0 +1,88 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/sqli'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of SQLI rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module SqliInputClassification
+          class << self
+            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::SqliWorthWatching
+            include Contrast::Components::Logger::InstanceMethods
+
+            WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
+            SQLI_KEYS_NEEDED = [
+              COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
+            ].cs__freeze
+
+            # Input Classification stage is done to determine if an user input is
+            # WORTHWATCHING or to be ignored.
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+            def classify input_type, value, input_analysis
+              return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
+              return unless super
+
+              rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
+
+              # double check the input to avoid calling match? on array
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                end
+              end
+
+              input_analysis
+            rescue StandardError => e
+              logger.debug('An Error was recorded in the input classification of the sqli.')
+              logger.debug(e)
+            end
+
+            private
+
+            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def sqli_create_new_input_result request, rule_id, input_type, value
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              if sqli_worth_watching? value
+                ia_result.ids << WORTHWATCHING_MATCH
+                ia_result.score_level = WORTHWATCHING
+                ia_result
+              else
+                ia_result.score_level = IGNORE
+              end
+
+              add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb

@@ -0,0 +1,118 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module implements the sqli-worth-watching-v2 check to determine whether input
+        # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
+        # https://protect-spec.prod.dotnet.contsec.com/rules/sql-injection.html#input-tracing
+        module SqliWorthWatching
+          COLOR_CODE = /^#[0-9A-Fa-f]{6}$/.cs__freeze
+          ALPHA_NUMERIC_AND_SPACES = /^+[a-zA-Z\d\s]+$/.cs__freeze
+          OR_CLAUSE = /[oO][rR]/.cs__freeze
+          EXPLOITABLE_SUBSTRING = %w[# -- // /*].cs__freeze
+          SUSPICIOUS_CHARS = %w[` " \' ; - % , ( ) | { } =].cs__freeze
+          SQL_COMMENTS = %w[# /* */ // -- @@].cs__freeze
+          BLOCK_START = '/*'.cs__freeze
+          BLOCK_END = '*/'.cs__freeze
+          SQL_KEYWORDS = %w[
+            alter begin between create case column_name
+            current_user delete drop exec execute from
+            group insert limit like merge order outfile
+            select session_user syslogins update union
+            UTL_INADDR UTL_HTTP
+          ].cs__freeze
+
+          # This method will determine if a user input is Worth watching and return true if it is.
+          # This is done by running checks, and if the inputs is worth to watch it would be
+          # saved for the later sink sqli input analysis.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def sqli_worth_watching? input
+            return false if input.nil? || input.empty?
+
+            exploitable?(input) && (
+              input.match?(OR_CLAUSE) || sql_comments?(input) || suspicious_chars?(input) || language_keywords?(input)
+            )
+          end
+
+          private
+
+          # Check if input is exploitable, with min length set to 3 chars
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def exploitable? input
+            return false if input.length < 3 && input.match?(ALPHA_NUMERIC_AND_SPACES)
+            return false if input.length == 3 && !contains_substring?(input, EXPLOITABLE_SUBSTRING)
+            return false if input.length == 7 && input.match?(COLOR_CODE)
+
+            true
+          end
+
+          # Check if input contains sqli comments:
+          # '# /* */ // -- @@'
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def sql_comments? input
+            input.length >= 3 && contains_substring?(input, SQL_COMMENTS)
+          end
+
+          # Check if input contains block comments starting and
+          # ending with '/*..*/'
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def block_comments? input
+            idx1 = input.index(BLOCK_START)
+            idx2 = input.index(BLOCK_END)
+
+            return false if idx1.nil? || idx2.nil?
+
+            (idx1 >= 0 && idx2 >= 2 && (idx1 < idx2))
+          end
+
+          # Runs the input against suspicious chars array.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def suspicious_chars? input
+            input.length >= 7 && (number_of_substrings(input, SUSPICIOUS_CHARS) >= 2 || block_comments?(input))
+          end
+
+          # Runs the input against SQL language preserved words.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def language_keywords? input
+            contains_substring? input, SQL_KEYWORDS
+          end
+
+          # Helper method to find a substrings in given input.
+          #
+          # @param substrings [Array] set of substrings to inspect.
+          # @return true | false
+          def contains_substring? input, substrings
+            substrings.any? { |sub| input.include?(sub) }
+          end
+
+          # Helper method to find the number of substrings.
+          #
+          # @param input [String] the user input to be inspected
+          # @return number [Integer] Number of substrings
+          def number_of_substrings input, substring
+            number = 0
+            input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
+            number
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -4,6 +4,7 @@
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
 require 'contrast/agent/protect/rule/sql_sample_builder'
+require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
   module Agent
@@ -16,7 +17,17 @@ module Contrast
           include SqlSampleBuilder::SqliSample
           # Defining build_attack_with_match method
           include SqlSampleBuilder::AttackBuilder
+          include Contrast::Agent::Reporting::InputType
+          class << self
+            include Contrast::Agent::Reporting::InputType
+          end
 
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
+            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
+            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
+            XML_VALUE, DWR_VALUE
+          ].cs__freeze
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
@@ -36,8 +47,30 @@ module Contrast
 
             append_to_activity(context, result)
 
+            cef_logging result, :successful_attack, query_string
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
+
+          private
+
+          def find_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
+          end
+
+          def infilter? context
+            return false unless context&.agent_input_analysis&.results
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb

@@ -0,0 +1,82 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of Unsafe File Upload
+        # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
+        module UnsafeFileUploadInputClassification
+          UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
+
+          class << self
+            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
+
+            # Input Classification stage is done to determine if an user input is
+            # DEFINITEATTACK or to be ignored.
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+            def classify input_type, value, input_analysis
+              unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
+                return
+              end
+              return unless input_analysis.request
+
+              rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
+              results = []
+
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                end
+              end
+
+              input_analysis.results = results
+              input_analysis
+            end
+
+            private
+
+            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              ia_result = new_ia_result rule_id, input_type, request.path, value
+              if unsafe_match? value
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << UNSAFE_UPLOAD_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+              ia_result.key = if input_type == MULTIPART_FIELD_NAME
+                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
+                              else
+                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
+                              end
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb

@@ -0,0 +1,45 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # Here will be made the match of the user input provided by the
+        # Agent InputAnalysis.
+        module UnsafeFileUploadMatcher
+          EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
+          # Extensions that can be executed on the server side or can be dangerous on the client side:
+          # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
+          EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
+
+          # Match the user input to see if the filename
+          # contains malicious file extension.
+          #
+          # @param input [String] The filename
+          # extracted from the current request
+          # @return true | false
+          def unsafe_match? input
+            suspicious_chars?(input) || suspicious_extensions?(input)
+          end
+
+          private
+
+          # @param input [String] The filename
+          # extracted from the current request
+          # @return true | false
+          def suspicious_chars? input
+            input.chars.any? { |c| EXPLOIT_CHARS.include? c }
+          end
+
+          # @param input [String] The filename
+          # extracted from the current request
+          # @return true | false
+          def suspicious_extensions? input
+            EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
+          end
+        end
+      end
+    end
+  end
+end