contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -2,19 +2,61 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
 
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect Unsafe File Upload rule.
+        # The unsafe-file-upload rule can trigger the following results:
+        # BLOCKED in Blocking mode na SUSPICIOUS in Monitor mode.
         class UnsafeFileUpload < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Agent::Reporting::InputType
+
           NAME = 'unsafe-file-upload'
           BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
+          APPLICABLE_USER_INPUTS = [MULTIPART_NAME, MULTIPART_FIELD_NAME].cs__freeze
 
           def rule_name
             NAME
           end
+
+          def block_message
+            BLOCK_MESSAGE
+          end
+
+          def prefilter context
+            return unless prefilter?(context)
+
+            ia_results = gather_ia_results context
+
+            ia_results.each do |ia_result|
+              result = build_attack_result(context)
+              build_attack_without_match context, ia_result, result
+              append_to_activity context, result
+
+              cef_logging result, :successful_attack
+              raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+            end
+          end
+
+          private
+
+          def prefilter? context
+            return false unless context&.agent_input_analysis&.results
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/protect/rule/base'
 require 'contrast/utils/timer'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
         # Implementation of the XXE Protect Rule used to evaluate XML calls for exploit
         # of unsafe external entity resolution.
         class Xxe < Contrast::Agent::Protect::Rule::Base
+          include Contrast::Components::Logger::InstanceMethods
+
           NAME = 'xxe'
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
@@ -36,6 +39,7 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
+            cef_logging result, :successful_attack, xml
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE)
           end
 

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/utils/timer'
+require 'contrast/agent/reporting/attack_result/response_type'
+require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the new Attacks results generated by our
+      # protect rules.
+      class AttackResult
+        RESPONSE_TYPE = Contrast::Agent::Reporting::ResponseType
+        # Generated the attack result
+        #
+        # @return @_response_type [Contrast::Agent::Reporting::ResponseType]
+        def response
+          @_response ||= RESPONSE_TYPE::NO_ACTION
+        end
+
+        # sets the response_type
+        #
+        # @param response_type [Contrast::Agent::Reporting::Settings::InputAnalysisResult]
+        # @return @_response_type []
+        def response= response_type
+          @_response = response_type if RESPONSE_TYPE.to_a.include?(response_type)
+        end
+
+        # @return @_rule_id [String]
+        def rule_id
+          @_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param rule_id [String]
+        # @return @_rule_id [String]
+        def rule_id= rule_id
+          @_rule_id = rule_id if rule_id.is_a?(String)
+        end
+
+        # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        def samples
+          @_samples ||= []
+        end
+
+        # @param samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        def samples= samples
+          @_samples = samples if samples.is_a?(Array)
+        end
+
+        def tags
+          @_tags ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        def tags= tags
+          @_tags = tags if tags.is_a?(String)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb

@@ -0,0 +1,52 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/utils/timer'
+require 'contrast/agent/reporting/attack_result/user_input'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the new RaspRuleSample.
+      # protect rules.
+      class RaspRuleSample
+        def timestamp
+          @_timestamp ||= 0
+        end
+
+        def timestamp= timestamp_ms
+          @_timestamp = timestamp_ms
+        end
+
+        def user_input
+          @_user_input ||= Contrast::Agent::Reporting::UserInput.new
+        end
+
+        def user_input= input
+          @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
+        end
+
+        def build context, ia_result
+          sample = self
+          sample.timestamp = context&.timer&.start_ms
+          sample.user_input = build_user_input_from_ia(ia_result)
+          sample.user_input.document_type = if context&.request
+                                              Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
+                                            end
+          sample
+        end
+
+        def build_user_input_from_ia ia_result
+          user_input = Contrast::Agent::Reporting::UserInput.new
+          user_input.input_type = ia_result.input_type
+          user_input.matcher_ids = ia_result.ids
+          user_input.path = ia_result.path
+          user_input.key = ia_result.key if ia_result.key
+          user_input.value = ia_result.value if ia_result.value
+          user_input
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/attack_result/response_type.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold the response types used to generate
+      # attack result.
+      module ResponseType
+        BLOCKED             = :BLOCKED.cs__freeze
+        MONITORED           = :MONITORED.cs__freeze
+        PROBED              = :PROBED.cs__freeze
+        BLOCK_AT_PERIMETER  = :BLOCK_AT_PERIMETER.cs__freeze
+        SUSPICIOUS          = :SUSPICIOUS.cs__freeze
+        AGGREGATED          = :AGGREGATED.cs__freeze
+        EXPLOITED           = :EXPLOITED.cs__freeze
+        NO_ACTION           = :NO_ACTION.cs__freeze
+
+        class << self
+          def to_a
+            [NO_ACTION, BLOCKED, MONITORED, PROBED, BLOCK_AT_PERIMETER, EXPLOITED, SUSPICIOUS, AGGREGATED]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/attack_result/user_input.rb

@@ -0,0 +1,87 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/request_context'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the new Sqli detail used by RaspRuleSample
+      class UserInput
+        INPUT_TYPE = Contrast::Agent::Reporting::InputType
+        DOCUMENT_TYPE = { XML: :XML, JSON: :JSON, NORMAL: :NORMAL }.cs__freeze
+
+        # @return @_path [String]
+        def path
+          @_path ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param path [String]
+        # @return @_path [String]
+        def path= path
+          @_path = path if path.is_a?(String)
+        end
+
+        # @return @_key [String]
+        def key
+          @_key ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param key [String]
+        # @return @_key [String]
+        def key= key
+          @_key = key if key.is_a?(String)
+        end
+
+        # @return value [String]
+        def value
+          @_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param value [String]
+        # @return value [String]
+        def value= value
+          @_value = value if value.is_a?(String)
+        end
+
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type
+          @_input_type ||= INPUT_TYPE::UNDEFINED_TYPE
+        end
+
+        # @param input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type= input_type
+          @_input_type = input_type if INPUT_TYPE.to_a.include?(input_type)
+        end
+
+        # type [Symbol<:XML, :JSON, :NORMAL>]
+        def document_type
+          @_document_type ||= DOCUMENT_TYPE[:NORMAL]
+        end
+
+        def document_type= type
+          @_document_type = type if DOCUMENT_TYPE.value?(type)
+        end
+
+        # Matchers IDs
+        # @return @_ids [Array<String>]
+        def matcher_ids
+          @_matcher_ids ||= []
+        end
+
+        # Matchers IDs
+        # @param ids [Array<String>]
+        # @return @_ids [Array<String>]
+        def matcher_ids= ids
+          @_matcher_ids = ids if ids.is_a?(Array) && ids.any?(String)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_analysis_result'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will do ia analysis for our protect rules instead of
+      # using the service.
+      class InputAnalysis
+        # result from input analysis
+        #
+        # @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]
+        def results
+          @_results ||= []
+        end
+
+        # result from input analysis
+        #
+        # @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]
+        def results= results
+          @_results = results
+        end
+
+        # Returns our wrapper around the Rack::Request for this context
+        #
+        # @return request [Contrast::Agent::Request, nil]
+        def request
+          @_request ||= nil
+        end
+
+        # Sets current request
+        #
+        # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request for this context
+        # @return request [Contrast::Agent::Request, nil]
+        def request= request
+          @_request = request if request.instance_of?(Contrast::Agent::Request)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb

@@ -0,0 +1,115 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will do ia analysis for our protect rules instead of
+      # using the service.
+      class InputAnalysisResult
+        INPUT_TYPE = Contrast::Agent::Reporting::InputType
+        SCORE_LEVEL = Contrast::Agent::Reporting::ScoreLevel
+
+        # @return @_rule_id [String]
+        def rule_id
+          @_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param id [String]
+        # @return @_rule_id [String]
+        def rule_id= id
+          @_rule_id = id if id.is_a?(String)
+        end
+
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type
+          @_input_type ||= INPUT_TYPE::UNDEFINED_TYPE
+        end
+
+        # @param input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type= input_type
+          @_input_type = input_type if INPUT_TYPE.to_a.include?(input_type)
+        end
+
+        # @return @_path [String]
+        def path
+          @_path ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param path [String]
+        # @return @_path [String]
+        def path= path
+          @_path = path if path.is_a?(String)
+        end
+
+        # @return @_key [String]
+        def key
+          @_key ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param key [String]
+        # @return @_key [String]
+        def key= key
+          @_key = key if key.is_a?(String)
+        end
+
+        # @return value [String]
+        def value
+          @_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param value [String]
+        # @return value [String]
+        def value= value
+          @_value = value if value.is_a?(String)
+        end
+
+        # Matchers IDs
+        # @return @_ids [Array<String>]
+        def ids
+          @_ids ||= []
+        end
+
+        # Matchers IDs
+        # @param ids [Array<String>]
+        # @return @_ids [Array<String>]
+        def ids= ids
+          @_ids = ids if ids.is_a?(Array) && ids.any?(String)
+        end
+
+        # @return @_attack_count [Integer]
+        def attack_count
+          @_attack_count ||= 0
+        end
+
+        # @param attack_count
+        # @return @_attack_count
+        def attack_count= attack_count
+          @_attack_count = attack_count if attack_count.is_a?(Integer)
+        end
+
+        # @return @_score_level [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::ScoreLevel>]
+        def score_level
+          @_score_level ||= SCORE_LEVEL::IGNORE
+        end
+
+        # @param score_level [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::ScoreLevel>]
+        # @return @_score_level [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::ScoreLevel>]
+        def score_level= score_level
+          @_score_level = score_level if SCORE_LEVEL.to_a.include?(score_level)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/input_type.rb

@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # input types for InputAnalysis results
+      module InputType
+        UNDEFINED_TYPE          = :UNDEFINED_TYPE.cs__freeze
+        BODY                    = :BODY.cs__freeze
+        COOKIE_NAME             = :COOKIE_NAME.cs__freeze
+        COOKIE_VALUE            = :COOKIE_VALUE.cs__freeze
+        HEADER                  = :HEADER.cs__freeze
+        PARAMETER_NAME          = :PARAMETER_NAME.cs__freeze
+        PARAMETER_VALUE         = :PARAMETER_VALUE.cs__freeze
+        QUERYSTRING             = :QUERYSTRING.cs__freeze
+        URI                     = :URI.cs__freeze
+        SOCKET                  = :SOCKET.cs__freeze
+        JSON_VALUE              = :JSON_VALUE.cs__freeze
+        JSON_ARRAYED_VALUE      = :JSON_ARRAYED_VALUE.cs__freeze
+        MULTIPART_CONTENT_TYPE  = :MULTIPART_CONTENT_TYPE.cs__freeze
+        MULTIPART_VALUE         = :MULTIPART_VALUE.cs__freeze
+        MULTIPART_FIELD_NAME    = :MULTIPART_FIELD_NAME.cs__freeze
+        MULTIPART_NAME          = :MULTIPART_NAME.cs__freeze
+        XML_VALUE               = :XML_VALUE.cs__freeze
+        DWR_VALUE               = :DWR_VALUE.cs__freeze
+        METHOD                  = :METHOD.cs__freeze
+        REQUEST                 = :REQUEST.cs__freeze
+        URL_PARAMETER           = :URL_PARAMETER.cs__freeze
+        UNKNOWN                 = :UNKNOWN.cs__freeze
+
+        class << self
+          def to_a
+            [
+              UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME, PARAMETER_VALUE,
+              QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE, MULTIPART_VALUE,
+              MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST, URL_PARAMETER, UNKNOWN
+            ]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/score_level.rb

@@ -0,0 +1,21 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      # input types for InputAnalysis results
+      module ScoreLevel
+        IGNORE = :DONTCARE.cs__freeze
+        WORTHWATCHING = :WORTHWATCHING.cs__freeze
+        DEFINITEATTACK = :DEFINITEATTACK.cs__freeze
+
+        class << self
+          def to_a
+            [IGNORE, WORTHWATCHING, DEFINITEATTACK]
+          end
+        end
+      end
+    end
+  end
+end