contrast-agent 5.1.0 → 6.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (218) hide show
  1. checksums.yaml +4 -4
  2. data/ext/cs__assess_array/cs__assess_array.c +7 -0
  3. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
  4. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  5. data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
  6. data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -5
  7. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
  8. data/ext/cs__assess_module/cs__assess_module.c +7 -7
  9. data/ext/cs__assess_string/cs__assess_string.c +13 -1
  10. data/ext/cs__common/cs__common.c +16 -11
  11. data/ext/cs__common/cs__common.h +1 -0
  12. data/ext/cs__contrast_patch/cs__contrast_patch.c +100 -64
  13. data/ext/cs__contrast_patch/cs__contrast_patch.h +2 -0
  14. data/ext/cs__os_information/cs__os_information.c +13 -10
  15. data/ext/cs__scope/cs__scope.c +796 -0
  16. data/ext/cs__scope/cs__scope.h +88 -0
  17. data/ext/cs__scope/extconf.rb +5 -0
  18. data/lib/contrast/agent/assess/contrast_event.rb +20 -13
  19. data/lib/contrast/agent/assess/contrast_object.rb +4 -1
  20. data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
  21. data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
  22. data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
  23. data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
  24. data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
  25. data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -5
  26. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
  27. data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
  28. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -0
  29. data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
  30. data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
  31. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
  32. data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
  33. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  34. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  35. data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
  36. data/lib/contrast/agent/assess/policy/trigger_method.rb +6 -1
  37. data/lib/contrast/agent/assess/property/tagged.rb +1 -1
  38. data/lib/contrast/agent/assess/rule/response/{autocomplete_rule.rb → auto_complete_rule.rb} +4 -3
  39. data/lib/contrast/agent/assess/rule/response/base_rule.rb +12 -79
  40. data/lib/contrast/agent/assess/rule/response/body_rule.rb +109 -0
  41. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +157 -0
  42. data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
  43. data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +14 -15
  44. data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +5 -25
  45. data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +29 -0
  46. data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
  47. data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +12 -36
  48. data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +2 -1
  49. data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
  50. data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +35 -0
  51. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
  52. data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
  53. data/lib/contrast/agent/exclusion_matcher.rb +3 -3
  54. data/lib/contrast/agent/middleware.rb +4 -1
  55. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -3
  56. data/lib/contrast/agent/patching/policy/patch.rb +2 -6
  57. data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
  58. data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
  59. data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
  60. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +147 -0
  61. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
  62. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
  63. data/lib/contrast/agent/protect/rule/base.rb +61 -2
  64. data/lib/contrast/agent/protect/rule/base_service.rb +12 -1
  65. data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -0
  66. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
  67. data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
  68. data/lib/contrast/agent/protect/rule/deserialization.rb +6 -0
  69. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
  70. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +13 -1
  71. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
  72. data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -0
  73. data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -0
  74. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +88 -0
  75. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +118 -0
  76. data/lib/contrast/agent/protect/rule/sqli.rb +33 -0
  77. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
  78. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
  79. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
  80. data/lib/contrast/agent/protect/rule/xxe.rb +4 -0
  81. data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
  82. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
  83. data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
  84. data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
  85. data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +44 -0
  86. data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +115 -0
  87. data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
  88. data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
  89. data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
  90. data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
  91. data/lib/contrast/agent/reporting/report.rb +3 -0
  92. data/lib/contrast/agent/reporting/reporter.rb +31 -12
  93. data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
  94. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
  95. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
  96. data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
  97. data/lib/contrast/agent/reporting/reporting_events/finding.rb +69 -36
  98. data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +88 -59
  99. data/lib/contrast/agent/reporting/reporting_events/{finding_object.rb → finding_event_object.rb} +24 -20
  100. data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +39 -0
  101. data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +40 -0
  102. data/lib/contrast/agent/reporting/reporting_events/{finding_signature.rb → finding_event_signature.rb} +29 -24
  103. data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +12 -8
  104. data/lib/contrast/agent/reporting/reporting_events/{finding_stack.rb → finding_event_stack.rb} +23 -19
  105. data/lib/contrast/agent/reporting/reporting_events/{finding_taint_range.rb → finding_event_taint_range.rb} +17 -15
  106. data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +26 -53
  107. data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
  108. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
  109. data/lib/contrast/agent/reporting/reporting_events/poll.rb +29 -0
  110. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
  111. data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +6 -4
  112. data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
  113. data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +1 -0
  114. data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +1 -1
  115. data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +10 -3
  116. data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +0 -1
  117. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +17 -5
  118. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -45
  119. data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
  120. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
  121. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +69 -7
  122. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
  123. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +123 -85
  124. data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
  125. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
  126. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
  127. data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
  128. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
  129. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
  130. data/lib/contrast/agent/request_context.rb +7 -2
  131. data/lib/contrast/agent/request_context_extend.rb +85 -21
  132. data/lib/contrast/agent/request_handler.rb +4 -0
  133. data/lib/contrast/agent/scope.rb +102 -107
  134. data/lib/contrast/agent/service_heartbeat.rb +45 -2
  135. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
  136. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
  137. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
  138. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
  139. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
  140. data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
  141. data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
  142. data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
  143. data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
  144. data/lib/contrast/agent/thread_watcher.rb +1 -1
  145. data/lib/contrast/agent/version.rb +1 -1
  146. data/lib/contrast/agent.rb +3 -0
  147. data/lib/contrast/api/communication/speedracer.rb +1 -1
  148. data/lib/contrast/api/decorators/address.rb +1 -1
  149. data/lib/contrast/api/decorators/bot_blocker.rb +37 -0
  150. data/lib/contrast/api/decorators/ip_denylist.rb +37 -0
  151. data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
  152. data/lib/contrast/api/decorators/response_type.rb +30 -0
  153. data/lib/contrast/api/decorators/user_input.rb +11 -1
  154. data/lib/contrast/api/decorators/virtual_patch.rb +34 -0
  155. data/lib/contrast/api/decorators.rb +1 -0
  156. data/lib/contrast/components/app_context.rb +0 -4
  157. data/lib/contrast/components/assess.rb +14 -0
  158. data/lib/contrast/components/logger.rb +5 -0
  159. data/lib/contrast/components/protect.rb +6 -4
  160. data/lib/contrast/components/sampling.rb +7 -11
  161. data/lib/contrast/components/scope.rb +98 -91
  162. data/lib/contrast/components/settings.rb +106 -8
  163. data/lib/contrast/config/agent_configuration.rb +41 -12
  164. data/lib/contrast/config/api_configuration.rb +37 -12
  165. data/lib/contrast/config/api_proxy_configuration.rb +12 -3
  166. data/lib/contrast/config/application_configuration.rb +38 -14
  167. data/lib/contrast/config/assess_configuration.rb +47 -12
  168. data/lib/contrast/config/assess_rules_configuration.rb +15 -3
  169. data/lib/contrast/config/base_configuration.rb +18 -50
  170. data/lib/contrast/config/certification_configuration.rb +17 -3
  171. data/lib/contrast/config/exception_configuration.rb +14 -3
  172. data/lib/contrast/config/heap_dump_configuration.rb +43 -17
  173. data/lib/contrast/config/inventory_configuration.rb +17 -3
  174. data/lib/contrast/config/logger_configuration.rb +10 -3
  175. data/lib/contrast/config/protect_configuration.rb +17 -7
  176. data/lib/contrast/config/protect_rule_configuration.rb +17 -8
  177. data/lib/contrast/config/protect_rules_configuration.rb +115 -17
  178. data/lib/contrast/config/request_audit_configuration.rb +26 -3
  179. data/lib/contrast/config/root_configuration.rb +52 -12
  180. data/lib/contrast/config/ruby_configuration.rb +60 -22
  181. data/lib/contrast/config/sampling_configuration.rb +19 -9
  182. data/lib/contrast/config/server_configuration.rb +19 -10
  183. data/lib/contrast/config/service_configuration.rb +27 -11
  184. data/lib/contrast/configuration.rb +5 -3
  185. data/lib/contrast/extension/assess/string.rb +20 -1
  186. data/lib/contrast/extension/module.rb +0 -1
  187. data/lib/contrast/framework/manager.rb +2 -2
  188. data/lib/contrast/logger/application.rb +1 -1
  189. data/lib/contrast/logger/cef_log.rb +151 -0
  190. data/lib/contrast/tasks/config.rb +90 -3
  191. data/lib/contrast/utils/assess/object_store.rb +36 -0
  192. data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
  193. data/lib/contrast/utils/class_util.rb +3 -12
  194. data/lib/contrast/utils/hash_digest.rb +14 -6
  195. data/lib/contrast/utils/input_classification.rb +73 -0
  196. data/lib/contrast/utils/log_utils.rb +114 -0
  197. data/lib/contrast/utils/middleware_utils.rb +9 -9
  198. data/lib/contrast/utils/net_http_base.rb +13 -10
  199. data/lib/contrast/utils/object_share.rb +2 -1
  200. data/lib/contrast/utils/os.rb +0 -5
  201. data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -9
  202. data/lib/contrast/utils/response_utils.rb +18 -33
  203. data/lib/contrast/utils/telemetry.rb +1 -1
  204. data/lib/contrast/utils/telemetry_client.rb +1 -1
  205. data/lib/contrast/utils/telemetry_identifier.rb +1 -1
  206. data/lib/contrast.rb +4 -3
  207. data/resources/assess/policy.json +98 -0
  208. data/resources/deadzone/policy.json +0 -86
  209. data/ruby-agent.gemspec +9 -8
  210. data/service_executables/VERSION +1 -1
  211. data/service_executables/linux/contrast-service +0 -0
  212. data/service_executables/mac/contrast-service +0 -0
  213. metadata +103 -38
  214. data/lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb +0 -184
  215. data/lib/contrast/agent/assess/rule/response/clickjacking_rule.rb +0 -66
  216. data/lib/contrast/agent/assess/rule/response/x_content_type_rule.rb +0 -52
  217. data/lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb +0 -53
  218. data/lib/contrast/extension/kernel.rb +0 -54
@@ -0,0 +1,231 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/agent/protect/rule/no_sqli'
6
+ require 'contrast/agent/protect/input_analyzer/input_analyzer'
7
+ require 'contrast/utils/input_classification'
8
+
9
+ module Contrast
10
+ module Agent
11
+ module Protect
12
+ module Rule
13
+ # This module will do the Input Classification stage of NoSQLI rule
14
+ # as a result input would be marked as WORTHWATCHING or IGNORE,
15
+ # to be analyzed at the sink level.
16
+ module NoSqliInputClassification
17
+ class << self
18
+ include InputClassificationBase
19
+
20
+ NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
21
+ NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
22
+ NOSQL_COMMENTS_AFTER_REGEXP = %r{(?:<--|//)}.cs__freeze
23
+
24
+ ZERO_OR_MORE_SPACES_REGEXP = /\s*/.cs__freeze
25
+ QUOTE_REGEXP = /['"’‘]/.cs__freeze
26
+ NUMBERS_AND_LETTERS_REGEXP = /[[:alnum:]]+/.cs__freeze
27
+ COMPARISON_REGEXP = /(?:==|>=|<=|>|<|)/.cs__freeze
28
+ NOSQL_QUOTED_REGEXP = /
29
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
30
+ #{ QUOTE_REGEXP }
31
+ #{ NUMBERS_AND_LETTERS_REGEXP }
32
+ #{ QUOTE_REGEXP }
33
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
34
+ #{ COMPARISON_REGEXP }
35
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
36
+ #{ QUOTE_REGEXP }
37
+ #{ NUMBERS_AND_LETTERS_REGEXP }
38
+ #{ QUOTE_REGEXP }
39
+ /x.cs__freeze
40
+ NOSQL_NUMERIC_REGEXP = /
41
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
42
+ #{ NUMBERS_AND_LETTERS_REGEXP }
43
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
44
+ #{ COMPARISON_REGEXP }
45
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
46
+ #{ NUMBERS_AND_LETTERS_REGEXP }
47
+ /x.cs__freeze
48
+
49
+ NOSQL_DEFINITE_THRESHOLD = 3
50
+ NOSQL_WORTH_WATCHING_THRESHOLD = 1
51
+ NOSQL_CONFIDENCE_THRESHOLD = 3
52
+ MAX_DISTANCE = 10
53
+
54
+ # Input Classification stage is done to determine if an user input is
55
+ # WORTHWATCHING or to be ignored.
56
+ #
57
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
58
+ # @param value [String, Array<String>] the value of the input.
59
+ # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
60
+ # agent analysis from the current
61
+ # Request.
62
+ # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
63
+ def classify input_type, value, input_analysis
64
+ return unless input_analysis.request
65
+
66
+ rule_id = Contrast::Agent::Protect::Rule::NoSqli::NAME
67
+
68
+ # double check the input to avoid calling match? on array
69
+ Array(value).each do |val|
70
+ Array(val).each do |v|
71
+ input_analysis.results << nosqli_create_new_input_result(input_analysis.request,
72
+ rule_id,
73
+ input_type,
74
+ v)
75
+ end
76
+ end
77
+
78
+ input_analysis
79
+ end
80
+
81
+ private
82
+
83
+ # Creates a new instance of InputAnalysisResult with basic info.
84
+ #
85
+ # @param rule_id [String] The name of the Protect Rule.
86
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
87
+ # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
88
+ # @param value [String, Array<String>] the value of the input.
89
+ # @param path [String] the path of the current request context.
90
+ #
91
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
92
+ def new_ia_result rule_id, input_type, score_level, path, value
93
+ super(rule_id, input_type, path, value).tap { |res| res.score_level = score_level }
94
+ end
95
+
96
+ # This methods checks if input should be tagged DEFINITEATTACK, WORTHWATCHING, or IGNORE,
97
+ # and creates a new instance of InputAnalysisResult.
98
+ #
99
+ # @param request [Contrast::Agent::Request] the current request context.
100
+ # @param rule_id [String] The name of the Protect Rule.
101
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
102
+ # @param value [String, Array<String>] the value of the input.
103
+ #
104
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
105
+ def nosqli_create_new_input_result request, rule_id, input_type, value
106
+ score = evaluate_patterns(value)
107
+ score = evaluate_rules(value, score)
108
+
109
+ score_level = if definite_attack? score
110
+ DEFINITEATTACK
111
+ elsif worth_watching? score
112
+ WORTHWATCHING
113
+ else
114
+ IGNORE
115
+ end
116
+
117
+ new_ia_result(rule_id, input_type, score_level, request.path, value)
118
+ end
119
+
120
+ # This method evaluates the patterns relevant to NoSQL Injection to check whether
121
+ # the input is matched by any of them. The total score of all patterns matched is
122
+ # returned, unless the individual matching pattern score matches or exceeds
123
+ # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
124
+ # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
125
+ # point is returned.
126
+ #
127
+ # @param value [String] the value of the input.
128
+ # @param value [Integer] the total score thus far.
129
+ #
130
+ # @return res [Integer]
131
+ def evaluate_patterns value, total_score = 0
132
+ applicable_patterns = nosqli_patterns
133
+ return total_score if applicable_patterns.nil?
134
+
135
+ total_patterns_score = 0
136
+ applicable_patterns.each do |pattern|
137
+ next unless value.match?(pattern[:value])
138
+
139
+ total_patterns_score += pattern[:score].to_i
140
+ total_score += pattern[:score].to_i
141
+
142
+ if pattern[:score].to_i >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
143
+ return total_score
144
+ end
145
+ end
146
+
147
+ total_score
148
+ end
149
+
150
+ def evaluate_comment_rule value
151
+ (value =~ NOSQL_COMMENT_REGEXP).nil? ? 0 : 2 # None/Medium
152
+ end
153
+
154
+ # This method evaluates the searcher rules relevant to NoSQL Injection to check whether
155
+ # the input is matched by any of them. The total score of all rules matched is
156
+ # returned, unless the individual matching rukle score matches or exceeds
157
+ # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
158
+ # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
159
+ # point is returned.
160
+ #
161
+ # @param value [String] the value of the input.
162
+ # @param value [Integer] the total score thus far.
163
+ #
164
+ # @return res [Integer]
165
+ def evaluate_rules value, total_score = 0
166
+ total_rules_score = 0
167
+ %i[evaluate_comment_rule evaluate_or_rule].each do |method|
168
+ rule_score = send(method, value)
169
+ total_rules_score += rule_score
170
+ total_score += rule_score
171
+
172
+ return total_score if rule_score >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
173
+ end
174
+
175
+ total_score
176
+ end
177
+
178
+ # This method evaluates the input value for NoSQL Or searches. Each possible match is
179
+ # checked. If a match is found then a score of either 3 (High) or 4 (Critical) will
180
+ # be returned, depending on whether the regexp for finding comments is also matched.
181
+ #
182
+ # @param value [String] the value of the input.
183
+ #
184
+ # @return res [Integer]
185
+ def evaluate_or_rule value
186
+ score = 0
187
+
188
+ locs = matches_by_position value, NOSQL_OR_REGEXP
189
+ return score if locs.empty?
190
+
191
+ locs.each do |loc|
192
+ [NOSQL_QUOTED_REGEXP, NOSQL_NUMERIC_REGEXP].each do |pattern|
193
+ pattern_locs = matches_by_position(value[loc[1]..], pattern)
194
+ next unless !pattern_locs.empty? && pattern_locs[0][0] < MAX_DISTANCE
195
+
196
+ return 4 if value.match?(NOSQL_COMMENTS_AFTER_REGEXP, loc[1] + pattern_locs[0][1]) # Critical
197
+
198
+ score = 3 # High
199
+ break
200
+ end
201
+ end
202
+
203
+ score
204
+ end
205
+
206
+ # This method returns the patterns to be checked against the input value.
207
+ #
208
+ # @return res [Array, nil]
209
+ def nosqli_patterns
210
+ server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
211
+ rule_definitions = server_features&.protect&.rule_definition_list
212
+ rule_definitions&.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
213
+ end
214
+
215
+ def matches_by_position value, pattern
216
+ value.to_enum(:scan, pattern).map { Regexp.last_match.offset(Regexp.last_match.size - 1) }
217
+ end
218
+
219
+ def definite_attack? score
220
+ score >= NOSQL_DEFINITE_THRESHOLD
221
+ end
222
+
223
+ def worth_watching? score
224
+ score >= NOSQL_WORTH_WATCHING_THRESHOLD
225
+ end
226
+ end
227
+ end
228
+ end
229
+ end
230
+ end
231
+ end
@@ -35,9 +35,23 @@ module Contrast
35
35
 
36
36
  append_to_activity(context, result)
37
37
 
38
+ cef_logging result, :successful_attack
38
39
  raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
39
40
  end
40
41
 
42
+ def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
43
+ if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
44
+ mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
45
+
46
+ return result
47
+ end
48
+
49
+ result ||= build_attack_result(context)
50
+ update_successful_attack_response(context, input_analysis_result, result, candidate_string)
51
+ append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
52
+ result
53
+ end
54
+
41
55
  protected
42
56
 
43
57
  def find_attacker context, potential_attack_string, **kwargs
@@ -52,6 +66,20 @@ module Contrast
52
66
  end
53
67
  super(context, potential_attack_string, **kwargs)
54
68
  end
69
+
70
+ def infilter? context
71
+ return false unless context&.agent_input_analysis&.results
72
+ return false unless enabled?
73
+ return false if protect_excluded_by_code?
74
+
75
+ true
76
+ end
77
+
78
+ def gather_ia_results context
79
+ context.agent_input_analysis.results.select do |ia_result|
80
+ ia_result.rule_id == rule_name
81
+ end
82
+ end
55
83
  end
56
84
  end
57
85
  end
@@ -38,6 +38,7 @@ module Contrast
38
38
  append_to_activity(context, result)
39
39
  return unless blocked?
40
40
 
41
+ cef_logging result, :successful_attack, path
41
42
  raise Contrast::SecurityException.new(self,
42
43
  "Path Traversal rule triggered. Call to File.#{ method } blocked.")
43
44
  end
@@ -0,0 +1,88 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/agent/reporting/input_analysis/input_type'
6
+ require 'contrast/agent/protect/rule/sqli'
7
+ require 'contrast/agent/reporting/input_analysis/score_level'
8
+ require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
9
+ require 'contrast/agent/protect/input_analyzer/input_analyzer'
10
+ require 'contrast/utils/input_classification'
11
+ require 'contrast/components/logger'
12
+
13
+ module Contrast
14
+ module Agent
15
+ module Protect
16
+ module Rule
17
+ # This module will do the Input Classification stage of SQLI rule
18
+ # as a result input would be marked as WORTHWATCHING or IGNORE,
19
+ # to be analyzed at the sink level.
20
+ module SqliInputClassification
21
+ class << self
22
+ include InputClassificationBase
23
+ include Contrast::Agent::Protect::Rule::SqliWorthWatching
24
+ include Contrast::Components::Logger::InstanceMethods
25
+
26
+ WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
27
+ SQLI_KEYS_NEEDED = [
28
+ COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
29
+ ].cs__freeze
30
+
31
+ # Input Classification stage is done to determine if an user input is
32
+ # WORTHWATCHING or to be ignored.
33
+ #
34
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
35
+ # @param value [String, Array<String>] the value of the input.
36
+ # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
37
+ # agent analysis from the current
38
+ # Request.
39
+ # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
40
+ def classify input_type, value, input_analysis
41
+ return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
42
+ return unless super
43
+
44
+ rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
45
+
46
+ # double check the input to avoid calling match? on array
47
+ Array(value).each do |val|
48
+ Array(val).each do |v|
49
+ input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
50
+ end
51
+ end
52
+
53
+ input_analysis
54
+ rescue StandardError => e
55
+ logger.debug('An Error was recorded in the input classification of the sqli.')
56
+ logger.debug(e)
57
+ end
58
+
59
+ private
60
+
61
+ # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
62
+ # key if needed and Creates new isntance of InputAnalysisResult.
63
+ #
64
+ # @param request [Contrast::Agent::Request] the current request context.
65
+ # @param rule_id [String] The name of the Protect Rule.
66
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
67
+ # @param value [String, Array<String>] the value of the input.
68
+ #
69
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
70
+ def sqli_create_new_input_result request, rule_id, input_type, value
71
+ ia_result = new_ia_result(rule_id, input_type, request.path, value)
72
+ if sqli_worth_watching? value
73
+ ia_result.ids << WORTHWATCHING_MATCH
74
+ ia_result.score_level = WORTHWATCHING
75
+ ia_result
76
+ else
77
+ ia_result.score_level = IGNORE
78
+ end
79
+
80
+ add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
81
+ ia_result
82
+ end
83
+ end
84
+ end
85
+ end
86
+ end
87
+ end
88
+ end
@@ -0,0 +1,118 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+
6
+ module Contrast
7
+ module Agent
8
+ module Protect
9
+ module Rule
10
+ # This module implements the sqli-worth-watching-v2 check to determine whether input
11
+ # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
12
+ # https://protect-spec.prod.dotnet.contsec.com/rules/sql-injection.html#input-tracing
13
+ module SqliWorthWatching
14
+ COLOR_CODE = /^#[0-9A-Fa-f]{6}$/.cs__freeze
15
+ ALPHA_NUMERIC_AND_SPACES = /^+[a-zA-Z\d\s]+$/.cs__freeze
16
+ OR_CLAUSE = /[oO][rR]/.cs__freeze
17
+ EXPLOITABLE_SUBSTRING = %w[# -- // /*].cs__freeze
18
+ SUSPICIOUS_CHARS = %w[` " \' ; - % , ( ) | { } =].cs__freeze
19
+ SQL_COMMENTS = %w[# /* */ // -- @@].cs__freeze
20
+ BLOCK_START = '/*'.cs__freeze
21
+ BLOCK_END = '*/'.cs__freeze
22
+ SQL_KEYWORDS = %w[
23
+ alter begin between create case column_name
24
+ current_user delete drop exec execute from
25
+ group insert limit like merge order outfile
26
+ select session_user syslogins update union
27
+ UTL_INADDR UTL_HTTP
28
+ ].cs__freeze
29
+
30
+ # This method will determine if a user input is Worth watching and return true if it is.
31
+ # This is done by running checks, and if the inputs is worth to watch it would be
32
+ # saved for the later sink sqli input analysis.
33
+ #
34
+ # @param input [String] the user input to be inspected
35
+ # @return true | false
36
+ def sqli_worth_watching? input
37
+ return false if input.nil? || input.empty?
38
+
39
+ exploitable?(input) && (
40
+ input.match?(OR_CLAUSE) || sql_comments?(input) || suspicious_chars?(input) || language_keywords?(input)
41
+ )
42
+ end
43
+
44
+ private
45
+
46
+ # Check if input is exploitable, with min length set to 3 chars
47
+ #
48
+ # @param input [String] the user input to be inspected
49
+ # @return true | false
50
+ def exploitable? input
51
+ return false if input.length < 3 && input.match?(ALPHA_NUMERIC_AND_SPACES)
52
+ return false if input.length == 3 && !contains_substring?(input, EXPLOITABLE_SUBSTRING)
53
+ return false if input.length == 7 && input.match?(COLOR_CODE)
54
+
55
+ true
56
+ end
57
+
58
+ # Check if input contains sqli comments:
59
+ # '# /* */ // -- @@'
60
+ #
61
+ # @param input [String] the user input to be inspected
62
+ # @return true | false
63
+ def sql_comments? input
64
+ input.length >= 3 && contains_substring?(input, SQL_COMMENTS)
65
+ end
66
+
67
+ # Check if input contains block comments starting and
68
+ # ending with '/*..*/'
69
+ #
70
+ # @param input [String] the user input to be inspected
71
+ # @return true | false
72
+ def block_comments? input
73
+ idx1 = input.index(BLOCK_START)
74
+ idx2 = input.index(BLOCK_END)
75
+
76
+ return false if idx1.nil? || idx2.nil?
77
+
78
+ (idx1 >= 0 && idx2 >= 2 && (idx1 < idx2))
79
+ end
80
+
81
+ # Runs the input against suspicious chars array.
82
+ #
83
+ # @param input [String] the user input to be inspected
84
+ # @return true | false
85
+ def suspicious_chars? input
86
+ input.length >= 7 && (number_of_substrings(input, SUSPICIOUS_CHARS) >= 2 || block_comments?(input))
87
+ end
88
+
89
+ # Runs the input against SQL language preserved words.
90
+ #
91
+ # @param input [String] the user input to be inspected
92
+ # @return true | false
93
+ def language_keywords? input
94
+ contains_substring? input, SQL_KEYWORDS
95
+ end
96
+
97
+ # Helper method to find a substrings in given input.
98
+ #
99
+ # @param substrings [Array] set of substrings to inspect.
100
+ # @return true | false
101
+ def contains_substring? input, substrings
102
+ substrings.any? { |sub| input.include?(sub) }
103
+ end
104
+
105
+ # Helper method to find the number of substrings.
106
+ #
107
+ # @param input [String] the user input to be inspected
108
+ # @return number [Integer] Number of substrings
109
+ def number_of_substrings input, substring
110
+ number = 0
111
+ input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
112
+ number
113
+ end
114
+ end
115
+ end
116
+ end
117
+ end
118
+ end
@@ -4,6 +4,7 @@
4
4
  require 'contrast/agent/protect/rule/base_service'
5
5
  require 'contrast/agent/protect/policy/applies_sqli_rule'
6
6
  require 'contrast/agent/protect/rule/sql_sample_builder'
7
+ require 'contrast/agent/reporting/input_analysis/input_type'
7
8
 
8
9
  module Contrast
9
10
  module Agent
@@ -16,7 +17,17 @@ module Contrast
16
17
  include SqlSampleBuilder::SqliSample
17
18
  # Defining build_attack_with_match method
18
19
  include SqlSampleBuilder::AttackBuilder
20
+ include Contrast::Agent::Reporting::InputType
21
+ class << self
22
+ include Contrast::Agent::Reporting::InputType
23
+ end
19
24
 
25
+ APPLICABLE_USER_INPUTS = [
26
+ BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
27
+ PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
28
+ MULTIPART_VALUE, MULTIPART_FIELD_NAME,
29
+ XML_VALUE, DWR_VALUE
30
+ ].cs__freeze
20
31
  NAME = 'sql-injection'
21
32
  BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
22
33
 
@@ -36,8 +47,30 @@ module Contrast
36
47
 
37
48
  append_to_activity(context, result)
38
49
 
50
+ cef_logging result, :successful_attack, query_string
39
51
  raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
40
52
  end
53
+
54
+ private
55
+
56
+ def find_attacker context, potential_attack_string, **kwargs
57
+ ia_results = gather_ia_results(context)
58
+ find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
59
+ end
60
+
61
+ def infilter? context
62
+ return false unless context&.agent_input_analysis&.results
63
+ return false unless enabled?
64
+ return false if protect_excluded_by_code?
65
+
66
+ true
67
+ end
68
+
69
+ def gather_ia_results context
70
+ context.agent_input_analysis.results.select do |ia_result|
71
+ ia_result.rule_id == rule_name
72
+ end
73
+ end
41
74
  end
42
75
  end
43
76
  end
@@ -0,0 +1,82 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/agent/protect/rule/unsafe_file_upload'
6
+ require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
7
+ require 'contrast/agent/protect/input_analyzer/input_analyzer'
8
+ require 'contrast/utils/input_classification'
9
+
10
+ module Contrast
11
+ module Agent
12
+ module Protect
13
+ module Rule
14
+ # This module will do the Input Classification stage of Unsafe File Upload
15
+ # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
16
+ module UnsafeFileUploadInputClassification
17
+ UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
18
+
19
+ class << self
20
+ include InputClassificationBase
21
+ include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
22
+
23
+ # Input Classification stage is done to determine if an user input is
24
+ # DEFINITEATTACK or to be ignored.
25
+ #
26
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
27
+ # @param value [String, Array<String>] the value of the input.
28
+ # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
29
+ # agent analysis from the current
30
+ # Request.
31
+ # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
32
+ def classify input_type, value, input_analysis
33
+ unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
34
+ return
35
+ end
36
+ return unless input_analysis.request
37
+
38
+ rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
39
+ results = []
40
+
41
+ Array(value).each do |val|
42
+ Array(val).each do |v|
43
+ results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
44
+ end
45
+ end
46
+
47
+ input_analysis.results = results
48
+ input_analysis
49
+ end
50
+
51
+ private
52
+
53
+ # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
54
+ # key if needed and Creates new isntance of InputAnalysisResult.
55
+ #
56
+ # @param request [Contrast::Agent::Request] the current request context.
57
+ # @param rule_id [String] The name of the Protect Rule.
58
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
59
+ # @param value [String, Array<String>] the value of the input.
60
+ #
61
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
62
+ def create_new_input_result request, rule_id, input_type, value
63
+ ia_result = new_ia_result rule_id, input_type, request.path, value
64
+ if unsafe_match? value
65
+ ia_result.score_level = DEFINITEATTACK
66
+ ia_result.ids << UNSAFE_UPLOAD_MATCH
67
+ else
68
+ ia_result.score_level = IGNORE
69
+ end
70
+ ia_result.key = if input_type == MULTIPART_FIELD_NAME
71
+ Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
72
+ else
73
+ Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
74
+ end
75
+ ia_result
76
+ end
77
+ end
78
+ end
79
+ end
80
+ end
81
+ end
82
+ end
@@ -0,0 +1,45 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ module Contrast
5
+ module Agent
6
+ module Protect
7
+ module Rule
8
+ # Here will be made the match of the user input provided by the
9
+ # Agent InputAnalysis.
10
+ module UnsafeFileUploadMatcher
11
+ EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
12
+ # Extensions that can be executed on the server side or can be dangerous on the client side:
13
+ # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
14
+ EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
15
+
16
+ # Match the user input to see if the filename
17
+ # contains malicious file extension.
18
+ #
19
+ # @param input [String] The filename
20
+ # extracted from the current request
21
+ # @return true | false
22
+ def unsafe_match? input
23
+ suspicious_chars?(input) || suspicious_extensions?(input)
24
+ end
25
+
26
+ private
27
+
28
+ # @param input [String] The filename
29
+ # extracted from the current request
30
+ # @return true | false
31
+ def suspicious_chars? input
32
+ input.chars.any? { |c| EXPLOIT_CHARS.include? c }
33
+ end
34
+
35
+ # @param input [String] The filename
36
+ # extracted from the current request
37
+ # @return true | false
38
+ def suspicious_extensions? input
39
+ EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
40
+ end
41
+ end
42
+ end
43
+ end
44
+ end
45
+ end