contrast-agent 5.3.0 → 6.0.0

data/lib/contrast/agent/protect/exploitable_collection.rb

@@ -0,0 +1,38 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      # This class will store all exploits or definite attack but
+      # require us to wait for response
+      class ExploitableCollection
+        include Contrast::Components::Logger::InstanceMethods
+
+        def initialize
+          @_collection = []
+        end
+
+        def collection
+          @_collection ||= []
+        end
+
+        # Push the Result we need to store until response is available
+        #
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        def push attack_result
+          @_collection << attack_result
+        end
+
+        # Attach attack results to the context
+        #
+        # @param context [Contrast::Agent::RequestContext]
+        def report_recorded_exploits context
+          context.activity.results.concat(@_collection)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -4,7 +4,13 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
+require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
+require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'json'
 
 module Contrast
@@ -13,12 +19,38 @@ module Contrast
       # InputAnalyzer will extract input form current request context and will analyze it.
       # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
       module InputAnalyzer
+        DISPOSITION_NAME = 'name'
+        DISPOSITION_FILENAME = 'filename'
+
         class << self
           include Contrast::Agent::Reporting::InputType
           include Contrast::Agent::Reporting::ScoreLevel
           include Contrast::Agent::Protect::Rule::SqliWorthWatching
+          include Contrast::Utils::ObjectShare
+          include Contrast::Agent::Protect::Rule::CmdiWorthWatching
 
-          PROTECT_RULES = { sqli: 'sql-injection' }.cs__freeze
+          PROTECT_RULES = {
+              sqli: {
+                  rule_name: 'sql-injection',
+                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+              },
+              cmdi: {
+                  rule_name: 'cmd-injection',
+                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+              },
+              method_tampering: {
+                  rule_name: 'method-tampering',
+                  classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+              },
+              unsafe_file_upload: {
+                  rule_name: 'unsafe-file-upload',
+                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+              },
+              nosqli: {
+                  rule_name: 'nosql-injection',
+                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+              }
+          }.cs__freeze
 
           # This method with analyze the user input from the context of the
           # current request and run each of the protect rules against all
@@ -51,16 +83,17 @@ module Contrast
           def input_classification inputs, input_analysis
             # key = input type, value = user_input
             inputs.each do |input_type, value|
-              PROTECT_RULES.each do |_key, rule_id|
+              next if value.nil? || value.empty?
+
+              PROTECT_RULES.each do |_key, rule|
                 # check if rule is enabled
-                next unless Contrast::PROTECT.rule(rule_id).enabled?
+                next unless Contrast::PROTECT.rule(rule[:rule_name]).enabled?
 
-                # start with sqli rule
-                case rule_id
-                when PROTECT_RULES[:sqli]
-                  Contrast::Agent::Protect::Rule::SqliInputClassification.classify input_type, value, input_analysis
+                # method tampering doesn't take value
+                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+                  rule[:classification].send(:classify, input_type, input_analysis)
                 else
-                  return nil
+                  rule[:classification].send(:classify, input_type, value, input_analysis)
                 end
               end
             end
@@ -84,9 +117,29 @@ module Contrast
             inputs[PARAMETER_NAME] = request.parameters.keys
             inputs[PARAMETER_VALUE] = request.parameters.values
             inputs[QUERYSTRING] = request.query_string
+            inputs[METHOD] = request.request_method
+            extract_multipart inputs, request
             inputs.compact!
             inputs
           end
+
+          # Extract the filename and name of the  Content Disposition Header.
+          #
+          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          # @param request [Contrast::Agent::Request] current request context.
+          def extract_multipart inputs, request
+            disposition = request.rack_request.env['Content-Disposition']
+            disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
+            return unless disposition
+
+            pairs = {}
+            disposition.split(SEMICOLON).each do |elem|
+              new_pair = elem.strip.split(EQUALS, 2)
+              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+            end
+            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+          end
         end
       end
     end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -41,7 +41,8 @@ module Contrast
             private
 
             def valid_input? args
-              return false unless args&.any?
+              return false unless args
+              return false unless args.cs__is_a?(Array) && args.any?
 
               args[0]
             end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -65,7 +65,7 @@ module Contrast
             end
 
             def path_traversal_rule path, possible_write, object, method
-              return unless applies_to?(path, possible_write)
+              return unless applies_to?(path, possible_write: possible_write)
 
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
             rescue Contrast::SecurityException => e
@@ -90,7 +90,7 @@ module Contrast
               end
             end
 
-            def applies_to? path, possible_write = false
+            def applies_to? path, possible_write: false
               # any possible write is a potential risk
               return true if possible_write
 

data/lib/contrast/agent/protect/rule/base.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/api/decorators/response_type'
 
 module Contrast
   module Agent
@@ -180,7 +181,11 @@ module Contrast
           # @param value [String] the input value we want to log
           def cef_logging result, attack = :ineffective_attack, value = nil
             sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
-            outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+            outcome = if result.response.cs__is_a? Hash
+                        Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
+                      else
+                        Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+                      end
             input_type = extract_input_type sample_to_json[:user_input].input_type
             input_value = value || sample_to_json[:user_input].value
             cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
@@ -245,16 +250,14 @@ module Contrast
 
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-              result.response = if ia_result&.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
-                                  # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
-                                  # and should be treated equivalent to Blocked mode if set
+              result.response = if blocked_rule?(ia_result)
                                   Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
                                 else
                                   Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
                                 end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+              result.response = assign_reporter_response_type ia_result
               log_rule_probed(context, ia_result)
             end
 
@@ -322,10 +325,39 @@ module Contrast
 
           private
 
+          # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
+          # and should be treated equivalent to Blocked mode if set
+          def blocked_rule? ia_result
+            [
+              Contrast::Agent::Protect::Rule::Sqli::NAME,
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            ].include?(ia_result&.rule_id)
+          end
+
           def log_rule_probed _context, ia_result
             logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
                                                                 name: ia_result&.key, input: ia_result&.value)
           end
+
+          # Handles the Response type for different Protect rules.
+          # Some rules need to report SUSPICIOUS over PROBED in
+          # MONITORED mode.
+          #
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
+          # @return [Contrast::Agent::Reporting::ResponseType,
+          # Contrast::Api::Dtm::AttackResult::ResponseType]
+          def assign_reporter_response_type ia_result
+            if (ia_result&.rule_id == Contrast::Agent::Protect::Rule::Xss::NAME ||
+                  Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME) &&
+                  Contrast::CONTRAST_SERVICE.use_agent_communication?
+
+              # Here we'll have xss or unsafe file upload in monitoring mode
+              # and we have to report it as SUSPICIOUS, not as PROBED.
+              Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
+            else
+              Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -87,7 +87,9 @@ module Contrast
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
+              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME ||
+                    ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
+
                                          Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
                                        else
                                          # legacy implementation for DEFINITEATATACK

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -5,6 +5,7 @@ require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
   module Agent
@@ -13,9 +14,15 @@ module Contrast
         # The Ruby implementation of the Protect Command Injection rule.
         class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
 
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+          ].cs__freeze
 
           def rule_name
             NAME
@@ -127,6 +134,12 @@ module Contrast
           def report_any_command_execution?
             ::Contrast::PROTECT.report_any_command_execution?
           end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb

@@ -0,0 +1,83 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/rule/cmdi/cmdi_worth_watching'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of CMD Injection rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module CmdiInputClassification
+          class << self
+            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::CmdiWorthWatching
+            include Contrast::Components::Logger::InstanceMethods
+
+            WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'
+            CMDI_KEYS_NEEDED = [
+              COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
+            ].cs__freeze
+
+            # This method will determine actually if the user input is WORTHWATCHING
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+            # @param value [String, Array<String>] the value of the input
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+            # analysis from the current request.
+            def classify input_type, value, input_analysis
+              return unless Contrast::Agent::Protect::Rule::CmdInjection::APPLICABLE_USER_INPUTS.include?(input_type)
+              return unless super
+
+              rule_id = Contrast::Agent::Protect::Rule::CmdInjection::NAME
+
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  input_analysis.results << cmdi_create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                end
+              end
+
+              input_analysis
+            rescue StandardError => e
+              logger.debug('An Error was recorded in the input classification of the cmdi.')
+              logger.debug(e)
+            end
+
+            private
+
+            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+            # key if needed and Creates new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def cmdi_create_new_input_result request, rule_id, input_type, value
+              ia_result = new_ia_result rule_id, input_type, request.path, value
+              if cmdi_worth_watching? value
+                ia_result.score_level = WORTHWATCHING
+                ia_result.ids << WORTHWATCHING_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+
+              add_needed_key request, ia_result, input_type, value if CMDI_KEYS_NEEDED.include? input_type
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb

@@ -0,0 +1,64 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module implements the cmdi-worth-watching-v2 check to determine whether input
+        # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
+        # https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection.html#input-tracing
+        module CmdiWorthWatching
+          POSSIBLE_CHAINING_ELEMENTS = %w[& ; | $ < > `].cs__freeze
+          UNIX_COMMANDS = %w[
+            uname echo cat ping nestat nc whoami wget curl dir ls ps rm chmod cp kill
+            grep sleep mkdir pwd shutdown system touch timeout fetch bash sh
+          ].cs__freeze
+          UNIX_PATHS = %w[tmp opt etc home mnt proc lib bin sbin sys usr var root run].cs__freeze
+          WINDOWS_COMMANDS = %w[
+            sc net reg cmd query cmd.exe powershell powershell.exe hostname ifconfig ipconfig netsh
+            netstat systeminfo sysinfo whoami wscript cscript wmic PowerShell_ISE pskill psexec qprocess
+            regedit regini rename winrm wpeutil ntdsutil taskkill certutil mapisend shellrunas
+          ].cs__freeze
+          # This method will determine if a user input is Worth watching and return true if it is.
+          # This is done by running checks, and if the inputs is worth to watch it would be
+          # saved for the later sink cmdi input analysis.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def cmdi_worth_watching? input
+            return false if input.nil? || input.empty? || input.length < 3
+
+            exploitable?(input) && worth_watching?(input)
+          end
+
+          private
+
+          # This method will check if the input is exploitable
+          #
+          # @param input [String] the user input to be inspected
+          def exploitable? input
+            contains_substring?(input, POSSIBLE_CHAINING_ELEMENTS)
+          end
+
+          def worth_watching? input
+            return true if contains_substring?(input, UNIX_COMMANDS)
+            return true if contains_substring?(input, UNIX_PATHS)
+            return true if contains_substring?(input, WINDOWS_COMMANDS)
+
+            false
+          end
+
+          def contains_substring? input, values
+            return true if values.any? { |val| input.include?(val) }
+            return true if values.include?(Contrast::Utils::ObjectShare::SPACE)
+
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb

@@ -0,0 +1,96 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/agent/reporting/attack_result/attack_result'
+require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of HttpMethodTampering rule
+        # as a result input would be marked as DEFINETEATTACK or IGNORE,
+        # to be analyzed at the sink level.
+        module HttpMethodTamperingInputClassification
+          class << self
+            include InputClassificationBase
+
+            # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+            # analysis from the current request.
+            def classify input_type, input_analysis
+              return unless input_analysis.request
+              return unless input_type == METHOD
+
+              rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+
+              ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
+              input_analysis.results << ia_result
+
+              return input_analysis if ia_result.score_level == IGNORE
+
+              attack_result = build_attack_result ia_result, rule_id
+
+              if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
+                attack_result.response = :EXPLOITED
+                Contrast::Agent::EXPLOITS.push attack_result
+                return input_analysis
+              end
+
+              attack_result.response = :BLOCKED
+              context.activity.results << attack_result
+              raise Contrast::SecurityException.new(self,
+                                                    'HTTP Method Tampering rule triggered. '\
+                                                    "Call to #{ input_analysis.request.path } with " \
+                                                    "#{ input_analysis.request.request_method } blocked.")
+            end
+
+            private
+
+            # @param request [Contrast::Agent::Request] the current request context.
+            def method_tampering_exploited? request
+              !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
+            end
+
+            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+            # key if needed and Creates new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def method_tampering_new_input_analysis request, rule_id, input_type
+              ia_result = new_ia_result rule_id, input_type, request.path
+              if method_tampering_exploited? request
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << rule_id
+              else
+                ia_result.score_level = IGNORE
+              end
+
+              ia_result
+            end
+
+            def build_attack_result ia_result, rule_id
+              rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
+              result = Contrast::Agent::Reporting::AttackResult.new
+              result.rule_id = rule_id
+              result.samples << rasp_rule_sample
+              result
+            end
+
+            def context
+              Contrast::Agent::REQUEST_TRACKER.current
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -12,6 +12,14 @@ module Contrast
           NAME = 'method-tampering'
           STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
 
+          APPLICABLE_METHODS_INPUTS = %w[
+            ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
+            DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
+            MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
+            PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
+            UNLOCK UPDATE VERSION-CONTROL
+          ].cs__freeze
+
           def rule_name
             NAME
           end