contrast-agent 5.3.0 → 6.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (161) hide show
  1. checksums.yaml +4 -4
  2. data/ext/cs__assess_array/cs__assess_array.c +7 -0
  3. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
  4. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  5. data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
  6. data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
  7. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
  8. data/ext/cs__assess_module/cs__assess_module.c +1 -1
  9. data/ext/cs__assess_string/cs__assess_string.c +13 -1
  10. data/ext/cs__common/cs__common.c +12 -11
  11. data/ext/cs__contrast_patch/cs__contrast_patch.c +54 -43
  12. data/ext/cs__os_information/cs__os_information.c +13 -10
  13. data/ext/cs__scope/cs__scope.c +146 -97
  14. data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
  15. data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
  16. data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
  17. data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
  18. data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
  19. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
  20. data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
  21. data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
  22. data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
  23. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
  24. data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
  25. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  26. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  27. data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
  28. data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -1
  29. data/lib/contrast/agent/assess/property/tagged.rb +1 -1
  30. data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
  31. data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
  32. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +1 -1
  33. data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
  34. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
  35. data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
  36. data/lib/contrast/agent/exclusion_matcher.rb +3 -3
  37. data/lib/contrast/agent/middleware.rb +3 -1
  38. data/lib/contrast/agent/patching/policy/patcher.rb +3 -3
  39. data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
  40. data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
  41. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +61 -8
  42. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
  43. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
  44. data/lib/contrast/agent/protect/rule/base.rb +37 -5
  45. data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
  46. data/lib/contrast/agent/protect/rule/cmd_injection.rb +13 -0
  47. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
  48. data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
  49. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
  50. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +8 -0
  51. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
  52. data/lib/contrast/agent/protect/rule/no_sqli.rb +27 -0
  53. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
  54. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -4
  55. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
  56. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
  57. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
  58. data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
  59. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
  60. data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
  61. data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
  62. data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
  63. data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
  64. data/lib/contrast/agent/reporting/report.rb +2 -0
  65. data/lib/contrast/agent/reporting/reporter.rb +23 -11
  66. data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
  67. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
  68. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
  69. data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
  70. data/lib/contrast/agent/reporting/reporting_events/finding.rb +1 -1
  71. data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
  72. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
  73. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
  74. data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
  75. data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
  76. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +16 -5
  77. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +27 -26
  78. data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
  79. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
  80. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +68 -6
  81. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
  82. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +122 -96
  83. data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
  84. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
  85. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
  86. data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
  87. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
  88. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
  89. data/lib/contrast/agent/request_context.rb +1 -1
  90. data/lib/contrast/agent/request_context_extend.rb +1 -1
  91. data/lib/contrast/agent/request_handler.rb +4 -0
  92. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
  93. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
  94. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
  95. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
  96. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
  97. data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
  98. data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
  99. data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
  100. data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
  101. data/lib/contrast/agent/thread_watcher.rb +1 -1
  102. data/lib/contrast/agent/version.rb +1 -1
  103. data/lib/contrast/agent.rb +3 -0
  104. data/lib/contrast/api/communication/speedracer.rb +1 -1
  105. data/lib/contrast/api/decorators/address.rb +1 -1
  106. data/lib/contrast/api/decorators/response_type.rb +30 -0
  107. data/lib/contrast/api/decorators.rb +1 -0
  108. data/lib/contrast/components/app_context.rb +0 -4
  109. data/lib/contrast/components/assess.rb +14 -0
  110. data/lib/contrast/components/protect.rb +2 -2
  111. data/lib/contrast/components/sampling.rb +7 -11
  112. data/lib/contrast/components/settings.rb +106 -8
  113. data/lib/contrast/config/agent_configuration.rb +13 -30
  114. data/lib/contrast/config/api_configuration.rb +4 -67
  115. data/lib/contrast/config/api_proxy_configuration.rb +2 -45
  116. data/lib/contrast/config/application_configuration.rb +9 -84
  117. data/lib/contrast/config/assess_configuration.rb +10 -69
  118. data/lib/contrast/config/assess_rules_configuration.rb +9 -38
  119. data/lib/contrast/config/base_configuration.rb +17 -50
  120. data/lib/contrast/config/certification_configuration.rb +6 -63
  121. data/lib/contrast/config/exception_configuration.rb +5 -52
  122. data/lib/contrast/config/heap_dump_configuration.rb +6 -64
  123. data/lib/contrast/config/inventory_configuration.rb +2 -49
  124. data/lib/contrast/config/logger_configuration.rb +0 -36
  125. data/lib/contrast/config/protect_configuration.rb +17 -7
  126. data/lib/contrast/config/protect_rule_configuration.rb +12 -30
  127. data/lib/contrast/config/protect_rules_configuration.rb +21 -26
  128. data/lib/contrast/config/request_audit_configuration.rb +6 -48
  129. data/lib/contrast/config/root_configuration.rb +52 -12
  130. data/lib/contrast/config/ruby_configuration.rb +0 -36
  131. data/lib/contrast/config/sampling_configuration.rb +1 -57
  132. data/lib/contrast/config/server_configuration.rb +0 -36
  133. data/lib/contrast/config/service_configuration.rb +5 -44
  134. data/lib/contrast/configuration.rb +2 -3
  135. data/lib/contrast/extension/assess/string.rb +20 -1
  136. data/lib/contrast/extension/module.rb +0 -1
  137. data/lib/contrast/framework/manager.rb +2 -2
  138. data/lib/contrast/logger/application.rb +1 -1
  139. data/lib/contrast/logger/cef_log.rb +1 -1
  140. data/lib/contrast/tasks/config.rb +90 -3
  141. data/lib/contrast/utils/assess/object_store.rb +36 -0
  142. data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
  143. data/lib/contrast/utils/class_util.rb +3 -12
  144. data/lib/contrast/utils/input_classification.rb +73 -0
  145. data/lib/contrast/utils/log_utils.rb +1 -1
  146. data/lib/contrast/utils/middleware_utils.rb +9 -8
  147. data/lib/contrast/utils/net_http_base.rb +1 -1
  148. data/lib/contrast/utils/object_share.rb +2 -1
  149. data/lib/contrast/utils/os.rb +0 -5
  150. data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -5
  151. data/lib/contrast/utils/response_utils.rb +18 -33
  152. data/lib/contrast/utils/telemetry.rb +1 -1
  153. data/lib/contrast/utils/telemetry_client.rb +1 -1
  154. data/lib/contrast/utils/telemetry_identifier.rb +1 -1
  155. data/resources/assess/policy.json +98 -0
  156. data/resources/deadzone/policy.json +0 -86
  157. data/ruby-agent.gemspec +9 -8
  158. data/service_executables/VERSION +1 -1
  159. data/service_executables/linux/contrast-service +0 -0
  160. data/service_executables/mac/contrast-service +0 -0
  161. metadata +73 -28
@@ -0,0 +1,38 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/components/logger'
5
+
6
+ module Contrast
7
+ module Agent
8
+ module Protect
9
+ # This class will store all exploits or definite attack but
10
+ # require us to wait for response
11
+ class ExploitableCollection
12
+ include Contrast::Components::Logger::InstanceMethods
13
+
14
+ def initialize
15
+ @_collection = []
16
+ end
17
+
18
+ def collection
19
+ @_collection ||= []
20
+ end
21
+
22
+ # Push the Result we need to store until response is available
23
+ #
24
+ # @param attack_result [Contrast::Agent::Reporting::AttackResult]
25
+ def push attack_result
26
+ @_collection << attack_result
27
+ end
28
+
29
+ # Attach attack results to the context
30
+ #
31
+ # @param context [Contrast::Agent::RequestContext]
32
+ def report_recorded_exploits context
33
+ context.activity.results.concat(@_collection)
34
+ end
35
+ end
36
+ end
37
+ end
38
+ end
@@ -4,7 +4,13 @@
4
4
  require 'contrast/agent/reporting/input_analysis/input_type'
5
5
  require 'contrast/agent/reporting/input_analysis/score_level'
6
6
  require 'contrast/agent/reporting/input_analysis/input_analysis'
7
+ require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
7
8
  require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
9
+ require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
10
+ require 'contrast/agent/protect/rule/unsafe_file_upload'
11
+ require 'contrast/utils/object_share'
12
+ require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
13
+ require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
8
14
  require 'json'
9
15
 
10
16
  module Contrast
@@ -13,12 +19,38 @@ module Contrast
13
19
  # InputAnalyzer will extract input form current request context and will analyze it.
14
20
  # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
15
21
  module InputAnalyzer
22
+ DISPOSITION_NAME = 'name'
23
+ DISPOSITION_FILENAME = 'filename'
24
+
16
25
  class << self
17
26
  include Contrast::Agent::Reporting::InputType
18
27
  include Contrast::Agent::Reporting::ScoreLevel
19
28
  include Contrast::Agent::Protect::Rule::SqliWorthWatching
29
+ include Contrast::Utils::ObjectShare
30
+ include Contrast::Agent::Protect::Rule::CmdiWorthWatching
20
31
 
21
- PROTECT_RULES = { sqli: 'sql-injection' }.cs__freeze
32
+ PROTECT_RULES = {
33
+ sqli: {
34
+ rule_name: 'sql-injection',
35
+ classification: Contrast::Agent::Protect::Rule::SqliInputClassification
36
+ },
37
+ cmdi: {
38
+ rule_name: 'cmd-injection',
39
+ classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
40
+ },
41
+ method_tampering: {
42
+ rule_name: 'method-tampering',
43
+ classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
44
+ },
45
+ unsafe_file_upload: {
46
+ rule_name: 'unsafe-file-upload',
47
+ classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
48
+ },
49
+ nosqli: {
50
+ rule_name: 'nosql-injection',
51
+ classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
52
+ }
53
+ }.cs__freeze
22
54
 
23
55
  # This method with analyze the user input from the context of the
24
56
  # current request and run each of the protect rules against all
@@ -51,16 +83,17 @@ module Contrast
51
83
  def input_classification inputs, input_analysis
52
84
  # key = input type, value = user_input
53
85
  inputs.each do |input_type, value|
54
- PROTECT_RULES.each do |_key, rule_id|
86
+ next if value.nil? || value.empty?
87
+
88
+ PROTECT_RULES.each do |_key, rule|
55
89
  # check if rule is enabled
56
- next unless Contrast::PROTECT.rule(rule_id).enabled?
90
+ next unless Contrast::PROTECT.rule(rule[:rule_name]).enabled?
57
91
 
58
- # start with sqli rule
59
- case rule_id
60
- when PROTECT_RULES[:sqli]
61
- Contrast::Agent::Protect::Rule::SqliInputClassification.classify input_type, value, input_analysis
92
+ # method tampering doesn't take value
93
+ if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
94
+ rule[:classification].send(:classify, input_type, input_analysis)
62
95
  else
63
- return nil
96
+ rule[:classification].send(:classify, input_type, value, input_analysis)
64
97
  end
65
98
  end
66
99
  end
@@ -84,9 +117,29 @@ module Contrast
84
117
  inputs[PARAMETER_NAME] = request.parameters.keys
85
118
  inputs[PARAMETER_VALUE] = request.parameters.values
86
119
  inputs[QUERYSTRING] = request.query_string
120
+ inputs[METHOD] = request.request_method
121
+ extract_multipart inputs, request
87
122
  inputs.compact!
88
123
  inputs
89
124
  end
125
+
126
+ # Extract the filename and name of the Content Disposition Header.
127
+ #
128
+ # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
129
+ # @param request [Contrast::Agent::Request] current request context.
130
+ def extract_multipart inputs, request
131
+ disposition = request.rack_request.env['Content-Disposition']
132
+ disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
133
+ return unless disposition
134
+
135
+ pairs = {}
136
+ disposition.split(SEMICOLON).each do |elem|
137
+ new_pair = elem.strip.split(EQUALS, 2)
138
+ pairs[new_pair[0].downcase] = new_pair[1] if new_pair
139
+ end
140
+ inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
141
+ inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
142
+ end
90
143
  end
91
144
  end
92
145
  end
@@ -41,7 +41,8 @@ module Contrast
41
41
  private
42
42
 
43
43
  def valid_input? args
44
- return false unless args&.any?
44
+ return false unless args
45
+ return false unless args.cs__is_a?(Array) && args.any?
45
46
 
46
47
  args[0]
47
48
  end
@@ -65,7 +65,7 @@ module Contrast
65
65
  end
66
66
 
67
67
  def path_traversal_rule path, possible_write, object, method
68
- return unless applies_to?(path, possible_write)
68
+ return unless applies_to?(path, possible_write: possible_write)
69
69
 
70
70
  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
71
71
  rescue Contrast::SecurityException => e
@@ -90,7 +90,7 @@ module Contrast
90
90
  end
91
91
  end
92
92
 
93
- def applies_to? path, possible_write = false
93
+ def applies_to? path, possible_write: false
94
94
  # any possible write is a potential risk
95
95
  return true if possible_write
96
96
 
@@ -3,6 +3,7 @@
3
3
 
4
4
  require 'contrast/components/logger'
5
5
  require 'contrast/components/scope'
6
+ require 'contrast/api/decorators/response_type'
6
7
 
7
8
  module Contrast
8
9
  module Agent
@@ -180,7 +181,11 @@ module Contrast
180
181
  # @param value [String] the input value we want to log
181
182
  def cef_logging result, attack = :ineffective_attack, value = nil
182
183
  sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
183
- outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
184
+ outcome = if result.response.cs__is_a? Hash
185
+ Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
186
+ else
187
+ Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
188
+ end
184
189
  input_type = extract_input_type sample_to_json[:user_input].input_type
185
190
  input_value = value || sample_to_json[:user_input].value
186
191
  cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
@@ -245,16 +250,14 @@ module Contrast
245
250
 
246
251
  def update_perimeter_attack_response context, ia_result, result
247
252
  if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
248
- result.response = if ia_result&.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
249
- # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
250
- # and should be treated equivalent to Blocked mode if set
253
+ result.response = if blocked_rule?(ia_result)
251
254
  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
252
255
  else
253
256
  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
254
257
  end
255
258
  log_rule_matched(context, ia_result, result.response)
256
259
  elsif ia_result.nil? || ia_result.attack_count.zero?
257
- result.response = Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
260
+ result.response = assign_reporter_response_type ia_result
258
261
  log_rule_probed(context, ia_result)
259
262
  end
260
263
 
@@ -322,10 +325,39 @@ module Contrast
322
325
 
323
326
  private
324
327
 
328
+ # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
329
+ # and should be treated equivalent to Blocked mode if set
330
+ def blocked_rule? ia_result
331
+ [
332
+ Contrast::Agent::Protect::Rule::Sqli::NAME,
333
+ Contrast::Agent::Protect::Rule::NoSqli::NAME
334
+ ].include?(ia_result&.rule_id)
335
+ end
336
+
325
337
  def log_rule_probed _context, ia_result
326
338
  logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
327
339
  name: ia_result&.key, input: ia_result&.value)
328
340
  end
341
+
342
+ # Handles the Response type for different Protect rules.
343
+ # Some rules need to report SUSPICIOUS over PROBED in
344
+ # MONITORED mode.
345
+ #
346
+ # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
347
+ # @return [Contrast::Agent::Reporting::ResponseType,
348
+ # Contrast::Api::Dtm::AttackResult::ResponseType]
349
+ def assign_reporter_response_type ia_result
350
+ if (ia_result&.rule_id == Contrast::Agent::Protect::Rule::Xss::NAME ||
351
+ Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME) &&
352
+ Contrast::CONTRAST_SERVICE.use_agent_communication?
353
+
354
+ # Here we'll have xss or unsafe file upload in monitoring mode
355
+ # and we have to report it as SUSPICIOUS, not as PROBED.
356
+ Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
357
+ else
358
+ Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
359
+ end
360
+ end
329
361
  end
330
362
  end
331
363
  end
@@ -87,7 +87,9 @@ module Contrast
87
87
  def find_postfilter_attacker context, potential_attack_string, **kwargs
88
88
  ia_results = gather_ia_results(context)
89
89
  ia_results.select! do |ia_result|
90
- ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
90
+ ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME ||
91
+ ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
92
+
91
93
  Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
92
94
  else
93
95
  # legacy implementation for DEFINITEATATACK
@@ -5,6 +5,7 @@ require 'contrast/agent/protect/rule/base_service'
5
5
  require 'contrast/utils/stack_trace_utils'
6
6
  require 'contrast/utils/object_share'
7
7
  require 'contrast/components/logger'
8
+ require 'contrast/agent/reporting/input_analysis/input_type'
8
9
 
9
10
  module Contrast
10
11
  module Agent
@@ -13,9 +14,15 @@ module Contrast
13
14
  # The Ruby implementation of the Protect Command Injection rule.
14
15
  class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
15
16
  include Contrast::Components::Logger::InstanceMethods
17
+ include Contrast::Agent::Reporting::InputType
16
18
 
17
19
  NAME = 'cmd-injection'
18
20
  CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
21
+ APPLICABLE_USER_INPUTS = [
22
+ BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
23
+ PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
24
+ MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
25
+ ].cs__freeze
19
26
 
20
27
  def rule_name
21
28
  NAME
@@ -127,6 +134,12 @@ module Contrast
127
134
  def report_any_command_execution?
128
135
  ::Contrast::PROTECT.report_any_command_execution?
129
136
  end
137
+
138
+ def gather_ia_results context
139
+ context.agent_input_analysis.results.select do |ia_result|
140
+ ia_result.rule_id == rule_name
141
+ end
142
+ end
130
143
  end
131
144
  end
132
145
  end
@@ -0,0 +1,83 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/agent/reporting/input_analysis/input_type'
6
+ require 'contrast/agent/protect/rule/cmd_injection'
7
+ require 'contrast/agent/reporting/input_analysis/score_level'
8
+ require 'contrast/agent/protect/rule/cmdi/cmdi_worth_watching'
9
+ require 'contrast/agent/protect/input_analyzer/input_analyzer'
10
+ require 'contrast/utils/input_classification'
11
+ require 'contrast/components/logger'
12
+
13
+ module Contrast
14
+ module Agent
15
+ module Protect
16
+ module Rule
17
+ # This module will do the Input Classification stage of CMD Injection rule
18
+ # as a result input would be marked as WORTHWATCHING or IGNORE,
19
+ # to be analyzed at the sink level.
20
+ module CmdiInputClassification
21
+ class << self
22
+ include InputClassificationBase
23
+ include Contrast::Agent::Protect::Rule::CmdiWorthWatching
24
+ include Contrast::Components::Logger::InstanceMethods
25
+
26
+ WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'
27
+ CMDI_KEYS_NEEDED = [
28
+ COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
29
+ ].cs__freeze
30
+
31
+ # This method will determine actually if the user input is WORTHWATCHING
32
+ #
33
+ # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
34
+ # @param value [String, Array<String>] the value of the input
35
+ # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
36
+ # analysis from the current request.
37
+ def classify input_type, value, input_analysis
38
+ return unless Contrast::Agent::Protect::Rule::CmdInjection::APPLICABLE_USER_INPUTS.include?(input_type)
39
+ return unless super
40
+
41
+ rule_id = Contrast::Agent::Protect::Rule::CmdInjection::NAME
42
+
43
+ Array(value).each do |val|
44
+ Array(val).each do |v|
45
+ input_analysis.results << cmdi_create_new_input_result(input_analysis.request, rule_id, input_type, v)
46
+ end
47
+ end
48
+
49
+ input_analysis
50
+ rescue StandardError => e
51
+ logger.debug('An Error was recorded in the input classification of the cmdi.')
52
+ logger.debug(e)
53
+ end
54
+
55
+ private
56
+
57
+ # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
58
+ # key if needed and Creates new instance of InputAnalysisResult.
59
+ #
60
+ # @param request [Contrast::Agent::Request] the current request context.
61
+ # @param rule_id [String] The name of the Protect Rule.
62
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
63
+ # @param value [String, Array<String>] the value of the input.
64
+ #
65
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
66
+ def cmdi_create_new_input_result request, rule_id, input_type, value
67
+ ia_result = new_ia_result rule_id, input_type, request.path, value
68
+ if cmdi_worth_watching? value
69
+ ia_result.score_level = WORTHWATCHING
70
+ ia_result.ids << WORTHWATCHING_MATCH
71
+ else
72
+ ia_result.score_level = IGNORE
73
+ end
74
+
75
+ add_needed_key request, ia_result, input_type, value if CMDI_KEYS_NEEDED.include? input_type
76
+ ia_result
77
+ end
78
+ end
79
+ end
80
+ end
81
+ end
82
+ end
83
+ end
@@ -0,0 +1,64 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+
6
+ module Contrast
7
+ module Agent
8
+ module Protect
9
+ module Rule
10
+ # This module implements the cmdi-worth-watching-v2 check to determine whether input
11
+ # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
12
+ # https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection.html#input-tracing
13
+ module CmdiWorthWatching
14
+ POSSIBLE_CHAINING_ELEMENTS = %w[& ; | $ < > `].cs__freeze
15
+ UNIX_COMMANDS = %w[
16
+ uname echo cat ping nestat nc whoami wget curl dir ls ps rm chmod cp kill
17
+ grep sleep mkdir pwd shutdown system touch timeout fetch bash sh
18
+ ].cs__freeze
19
+ UNIX_PATHS = %w[tmp opt etc home mnt proc lib bin sbin sys usr var root run].cs__freeze
20
+ WINDOWS_COMMANDS = %w[
21
+ sc net reg cmd query cmd.exe powershell powershell.exe hostname ifconfig ipconfig netsh
22
+ netstat systeminfo sysinfo whoami wscript cscript wmic PowerShell_ISE pskill psexec qprocess
23
+ regedit regini rename winrm wpeutil ntdsutil taskkill certutil mapisend shellrunas
24
+ ].cs__freeze
25
+ # This method will determine if a user input is Worth watching and return true if it is.
26
+ # This is done by running checks, and if the inputs is worth to watch it would be
27
+ # saved for the later sink cmdi input analysis.
28
+ #
29
+ # @param input [String] the user input to be inspected
30
+ # @return true | false
31
+ def cmdi_worth_watching? input
32
+ return false if input.nil? || input.empty? || input.length < 3
33
+
34
+ exploitable?(input) && worth_watching?(input)
35
+ end
36
+
37
+ private
38
+
39
+ # This method will check if the input is exploitable
40
+ #
41
+ # @param input [String] the user input to be inspected
42
+ def exploitable? input
43
+ contains_substring?(input, POSSIBLE_CHAINING_ELEMENTS)
44
+ end
45
+
46
+ def worth_watching? input
47
+ return true if contains_substring?(input, UNIX_COMMANDS)
48
+ return true if contains_substring?(input, UNIX_PATHS)
49
+ return true if contains_substring?(input, WINDOWS_COMMANDS)
50
+
51
+ false
52
+ end
53
+
54
+ def contains_substring? input, values
55
+ return true if values.any? { |val| input.include?(val) }
56
+ return true if values.include?(Contrast::Utils::ObjectShare::SPACE)
57
+
58
+ false
59
+ end
60
+ end
61
+ end
62
+ end
63
+ end
64
+ end
@@ -0,0 +1,96 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/agent/protect/input_analyzer/input_analyzer'
6
+ require 'contrast/agent/reporting/attack_result/attack_result'
7
+ require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
8
+ require 'contrast/utils/input_classification'
9
+
10
+ module Contrast
11
+ module Agent
12
+ module Protect
13
+ module Rule
14
+ # This module will do the Input Classification stage of HttpMethodTampering rule
15
+ # as a result input would be marked as DEFINETEATTACK or IGNORE,
16
+ # to be analyzed at the sink level.
17
+ module HttpMethodTamperingInputClassification
18
+ class << self
19
+ include InputClassificationBase
20
+
21
+ # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
22
+ #
23
+ # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
24
+ # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
25
+ # analysis from the current request.
26
+ def classify input_type, input_analysis
27
+ return unless input_analysis.request
28
+ return unless input_type == METHOD
29
+
30
+ rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
31
+
32
+ ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
33
+ input_analysis.results << ia_result
34
+
35
+ return input_analysis if ia_result.score_level == IGNORE
36
+
37
+ attack_result = build_attack_result ia_result, rule_id
38
+
39
+ if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
40
+ attack_result.response = :EXPLOITED
41
+ Contrast::Agent::EXPLOITS.push attack_result
42
+ return input_analysis
43
+ end
44
+
45
+ attack_result.response = :BLOCKED
46
+ context.activity.results << attack_result
47
+ raise Contrast::SecurityException.new(self,
48
+ 'HTTP Method Tampering rule triggered. '\
49
+ "Call to #{ input_analysis.request.path } with " \
50
+ "#{ input_analysis.request.request_method } blocked.")
51
+ end
52
+
53
+ private
54
+
55
+ # @param request [Contrast::Agent::Request] the current request context.
56
+ def method_tampering_exploited? request
57
+ !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
58
+ end
59
+
60
+ # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
61
+ # key if needed and Creates new instance of InputAnalysisResult.
62
+ #
63
+ # @param request [Contrast::Agent::Request] the current request context.
64
+ # @param rule_id [String] The name of the Protect Rule.
65
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
66
+ #
67
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
68
+ def method_tampering_new_input_analysis request, rule_id, input_type
69
+ ia_result = new_ia_result rule_id, input_type, request.path
70
+ if method_tampering_exploited? request
71
+ ia_result.score_level = DEFINITEATTACK
72
+ ia_result.ids << rule_id
73
+ else
74
+ ia_result.score_level = IGNORE
75
+ end
76
+
77
+ ia_result
78
+ end
79
+
80
+ def build_attack_result ia_result, rule_id
81
+ rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
82
+ result = Contrast::Agent::Reporting::AttackResult.new
83
+ result.rule_id = rule_id
84
+ result.samples << rasp_rule_sample
85
+ result
86
+ end
87
+
88
+ def context
89
+ Contrast::Agent::REQUEST_TRACKER.current
90
+ end
91
+ end
92
+ end
93
+ end
94
+ end
95
+ end
96
+ end
@@ -12,6 +12,14 @@ module Contrast
12
12
  NAME = 'method-tampering'
13
13
  STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
14
14
 
15
+ APPLICABLE_METHODS_INPUTS = %w[
16
+ ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
17
+ DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
18
+ MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
19
+ PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
20
+ UNLOCK UPDATE VERSION-CONTROL
21
+ ].cs__freeze
22
+
15
23
  def rule_name
16
24
  NAME
17
25
  end