contrast-agent 5.3.0 → 6.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (161) hide show
  1. checksums.yaml +4 -4
  2. data/ext/cs__assess_array/cs__assess_array.c +7 -0
  3. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
  4. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  5. data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
  6. data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
  7. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
  8. data/ext/cs__assess_module/cs__assess_module.c +1 -1
  9. data/ext/cs__assess_string/cs__assess_string.c +13 -1
  10. data/ext/cs__common/cs__common.c +12 -11
  11. data/ext/cs__contrast_patch/cs__contrast_patch.c +54 -43
  12. data/ext/cs__os_information/cs__os_information.c +13 -10
  13. data/ext/cs__scope/cs__scope.c +146 -97
  14. data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
  15. data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
  16. data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
  17. data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
  18. data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
  19. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
  20. data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
  21. data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
  22. data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
  23. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
  24. data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
  25. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  26. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  27. data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
  28. data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -1
  29. data/lib/contrast/agent/assess/property/tagged.rb +1 -1
  30. data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
  31. data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
  32. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +1 -1
  33. data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
  34. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
  35. data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
  36. data/lib/contrast/agent/exclusion_matcher.rb +3 -3
  37. data/lib/contrast/agent/middleware.rb +3 -1
  38. data/lib/contrast/agent/patching/policy/patcher.rb +3 -3
  39. data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
  40. data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
  41. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +61 -8
  42. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
  43. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
  44. data/lib/contrast/agent/protect/rule/base.rb +37 -5
  45. data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
  46. data/lib/contrast/agent/protect/rule/cmd_injection.rb +13 -0
  47. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
  48. data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
  49. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
  50. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +8 -0
  51. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
  52. data/lib/contrast/agent/protect/rule/no_sqli.rb +27 -0
  53. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
  54. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -4
  55. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
  56. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
  57. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
  58. data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
  59. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
  60. data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
  61. data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
  62. data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
  63. data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
  64. data/lib/contrast/agent/reporting/report.rb +2 -0
  65. data/lib/contrast/agent/reporting/reporter.rb +23 -11
  66. data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
  67. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
  68. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
  69. data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
  70. data/lib/contrast/agent/reporting/reporting_events/finding.rb +1 -1
  71. data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
  72. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
  73. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
  74. data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
  75. data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
  76. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +16 -5
  77. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +27 -26
  78. data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
  79. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
  80. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +68 -6
  81. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
  82. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +122 -96
  83. data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
  84. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
  85. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
  86. data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
  87. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
  88. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
  89. data/lib/contrast/agent/request_context.rb +1 -1
  90. data/lib/contrast/agent/request_context_extend.rb +1 -1
  91. data/lib/contrast/agent/request_handler.rb +4 -0
  92. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
  93. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
  94. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
  95. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
  96. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
  97. data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
  98. data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
  99. data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
  100. data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
  101. data/lib/contrast/agent/thread_watcher.rb +1 -1
  102. data/lib/contrast/agent/version.rb +1 -1
  103. data/lib/contrast/agent.rb +3 -0
  104. data/lib/contrast/api/communication/speedracer.rb +1 -1
  105. data/lib/contrast/api/decorators/address.rb +1 -1
  106. data/lib/contrast/api/decorators/response_type.rb +30 -0
  107. data/lib/contrast/api/decorators.rb +1 -0
  108. data/lib/contrast/components/app_context.rb +0 -4
  109. data/lib/contrast/components/assess.rb +14 -0
  110. data/lib/contrast/components/protect.rb +2 -2
  111. data/lib/contrast/components/sampling.rb +7 -11
  112. data/lib/contrast/components/settings.rb +106 -8
  113. data/lib/contrast/config/agent_configuration.rb +13 -30
  114. data/lib/contrast/config/api_configuration.rb +4 -67
  115. data/lib/contrast/config/api_proxy_configuration.rb +2 -45
  116. data/lib/contrast/config/application_configuration.rb +9 -84
  117. data/lib/contrast/config/assess_configuration.rb +10 -69
  118. data/lib/contrast/config/assess_rules_configuration.rb +9 -38
  119. data/lib/contrast/config/base_configuration.rb +17 -50
  120. data/lib/contrast/config/certification_configuration.rb +6 -63
  121. data/lib/contrast/config/exception_configuration.rb +5 -52
  122. data/lib/contrast/config/heap_dump_configuration.rb +6 -64
  123. data/lib/contrast/config/inventory_configuration.rb +2 -49
  124. data/lib/contrast/config/logger_configuration.rb +0 -36
  125. data/lib/contrast/config/protect_configuration.rb +17 -7
  126. data/lib/contrast/config/protect_rule_configuration.rb +12 -30
  127. data/lib/contrast/config/protect_rules_configuration.rb +21 -26
  128. data/lib/contrast/config/request_audit_configuration.rb +6 -48
  129. data/lib/contrast/config/root_configuration.rb +52 -12
  130. data/lib/contrast/config/ruby_configuration.rb +0 -36
  131. data/lib/contrast/config/sampling_configuration.rb +1 -57
  132. data/lib/contrast/config/server_configuration.rb +0 -36
  133. data/lib/contrast/config/service_configuration.rb +5 -44
  134. data/lib/contrast/configuration.rb +2 -3
  135. data/lib/contrast/extension/assess/string.rb +20 -1
  136. data/lib/contrast/extension/module.rb +0 -1
  137. data/lib/contrast/framework/manager.rb +2 -2
  138. data/lib/contrast/logger/application.rb +1 -1
  139. data/lib/contrast/logger/cef_log.rb +1 -1
  140. data/lib/contrast/tasks/config.rb +90 -3
  141. data/lib/contrast/utils/assess/object_store.rb +36 -0
  142. data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
  143. data/lib/contrast/utils/class_util.rb +3 -12
  144. data/lib/contrast/utils/input_classification.rb +73 -0
  145. data/lib/contrast/utils/log_utils.rb +1 -1
  146. data/lib/contrast/utils/middleware_utils.rb +9 -8
  147. data/lib/contrast/utils/net_http_base.rb +1 -1
  148. data/lib/contrast/utils/object_share.rb +2 -1
  149. data/lib/contrast/utils/os.rb +0 -5
  150. data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -5
  151. data/lib/contrast/utils/response_utils.rb +18 -33
  152. data/lib/contrast/utils/telemetry.rb +1 -1
  153. data/lib/contrast/utils/telemetry_client.rb +1 -1
  154. data/lib/contrast/utils/telemetry_identifier.rb +1 -1
  155. data/resources/assess/policy.json +98 -0
  156. data/resources/deadzone/policy.json +0 -86
  157. data/ruby-agent.gemspec +9 -8
  158. data/service_executables/VERSION +1 -1
  159. data/service_executables/linux/contrast-service +0 -0
  160. data/service_executables/mac/contrast-service +0 -0
  161. metadata +73 -28
@@ -0,0 +1,231 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/agent/protect/rule/no_sqli'
6
+ require 'contrast/agent/protect/input_analyzer/input_analyzer'
7
+ require 'contrast/utils/input_classification'
8
+
9
+ module Contrast
10
+ module Agent
11
+ module Protect
12
+ module Rule
13
+ # This module will do the Input Classification stage of NoSQLI rule
14
+ # as a result input would be marked as WORTHWATCHING or IGNORE,
15
+ # to be analyzed at the sink level.
16
+ module NoSqliInputClassification
17
+ class << self
18
+ include InputClassificationBase
19
+
20
+ NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
21
+ NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
22
+ NOSQL_COMMENTS_AFTER_REGEXP = %r{(?:<--|//)}.cs__freeze
23
+
24
+ ZERO_OR_MORE_SPACES_REGEXP = /\s*/.cs__freeze
25
+ QUOTE_REGEXP = /['"’‘]/.cs__freeze
26
+ NUMBERS_AND_LETTERS_REGEXP = /[[:alnum:]]+/.cs__freeze
27
+ COMPARISON_REGEXP = /(?:==|>=|<=|>|<|)/.cs__freeze
28
+ NOSQL_QUOTED_REGEXP = /
29
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
30
+ #{ QUOTE_REGEXP }
31
+ #{ NUMBERS_AND_LETTERS_REGEXP }
32
+ #{ QUOTE_REGEXP }
33
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
34
+ #{ COMPARISON_REGEXP }
35
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
36
+ #{ QUOTE_REGEXP }
37
+ #{ NUMBERS_AND_LETTERS_REGEXP }
38
+ #{ QUOTE_REGEXP }
39
+ /x.cs__freeze
40
+ NOSQL_NUMERIC_REGEXP = /
41
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
42
+ #{ NUMBERS_AND_LETTERS_REGEXP }
43
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
44
+ #{ COMPARISON_REGEXP }
45
+ #{ ZERO_OR_MORE_SPACES_REGEXP }
46
+ #{ NUMBERS_AND_LETTERS_REGEXP }
47
+ /x.cs__freeze
48
+
49
+ NOSQL_DEFINITE_THRESHOLD = 3
50
+ NOSQL_WORTH_WATCHING_THRESHOLD = 1
51
+ NOSQL_CONFIDENCE_THRESHOLD = 3
52
+ MAX_DISTANCE = 10
53
+
54
+ # Input Classification stage is done to determine if an user input is
55
+ # WORTHWATCHING or to be ignored.
56
+ #
57
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
58
+ # @param value [String, Array<String>] the value of the input.
59
+ # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
60
+ # agent analysis from the current
61
+ # Request.
62
+ # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
63
+ def classify input_type, value, input_analysis
64
+ return unless input_analysis.request
65
+
66
+ rule_id = Contrast::Agent::Protect::Rule::NoSqli::NAME
67
+
68
+ # double check the input to avoid calling match? on array
69
+ Array(value).each do |val|
70
+ Array(val).each do |v|
71
+ input_analysis.results << nosqli_create_new_input_result(input_analysis.request,
72
+ rule_id,
73
+ input_type,
74
+ v)
75
+ end
76
+ end
77
+
78
+ input_analysis
79
+ end
80
+
81
+ private
82
+
83
+ # Creates a new instance of InputAnalysisResult with basic info.
84
+ #
85
+ # @param rule_id [String] The name of the Protect Rule.
86
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
87
+ # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
88
+ # @param value [String, Array<String>] the value of the input.
89
+ # @param path [String] the path of the current request context.
90
+ #
91
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
92
+ def new_ia_result rule_id, input_type, score_level, path, value
93
+ super(rule_id, input_type, path, value).tap { |res| res.score_level = score_level }
94
+ end
95
+
96
+ # This methods checks if input should be tagged DEFINITEATTACK, WORTHWATCHING, or IGNORE,
97
+ # and creates a new instance of InputAnalysisResult.
98
+ #
99
+ # @param request [Contrast::Agent::Request] the current request context.
100
+ # @param rule_id [String] The name of the Protect Rule.
101
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
102
+ # @param value [String, Array<String>] the value of the input.
103
+ #
104
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
105
+ def nosqli_create_new_input_result request, rule_id, input_type, value
106
+ score = evaluate_patterns(value)
107
+ score = evaluate_rules(value, score)
108
+
109
+ score_level = if definite_attack? score
110
+ DEFINITEATTACK
111
+ elsif worth_watching? score
112
+ WORTHWATCHING
113
+ else
114
+ IGNORE
115
+ end
116
+
117
+ new_ia_result(rule_id, input_type, score_level, request.path, value)
118
+ end
119
+
120
+ # This method evaluates the patterns relevant to NoSQL Injection to check whether
121
+ # the input is matched by any of them. The total score of all patterns matched is
122
+ # returned, unless the individual matching pattern score matches or exceeds
123
+ # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
124
+ # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
125
+ # point is returned.
126
+ #
127
+ # @param value [String] the value of the input.
128
+ # @param value [Integer] the total score thus far.
129
+ #
130
+ # @return res [Integer]
131
+ def evaluate_patterns value, total_score = 0
132
+ applicable_patterns = nosqli_patterns
133
+ return total_score if applicable_patterns.nil?
134
+
135
+ total_patterns_score = 0
136
+ applicable_patterns.each do |pattern|
137
+ next unless value.match?(pattern[:value])
138
+
139
+ total_patterns_score += pattern[:score].to_i
140
+ total_score += pattern[:score].to_i
141
+
142
+ if pattern[:score].to_i >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
143
+ return total_score
144
+ end
145
+ end
146
+
147
+ total_score
148
+ end
149
+
150
+ def evaluate_comment_rule value
151
+ (value =~ NOSQL_COMMENT_REGEXP).nil? ? 0 : 2 # None/Medium
152
+ end
153
+
154
+ # This method evaluates the searcher rules relevant to NoSQL Injection to check whether
155
+ # the input is matched by any of them. The total score of all rules matched is
156
+ # returned, unless the individual matching rukle score matches or exceeds
157
+ # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
158
+ # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
159
+ # point is returned.
160
+ #
161
+ # @param value [String] the value of the input.
162
+ # @param value [Integer] the total score thus far.
163
+ #
164
+ # @return res [Integer]
165
+ def evaluate_rules value, total_score = 0
166
+ total_rules_score = 0
167
+ %i[evaluate_comment_rule evaluate_or_rule].each do |method|
168
+ rule_score = send(method, value)
169
+ total_rules_score += rule_score
170
+ total_score += rule_score
171
+
172
+ return total_score if rule_score >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
173
+ end
174
+
175
+ total_score
176
+ end
177
+
178
+ # This method evaluates the input value for NoSQL Or searches. Each possible match is
179
+ # checked. If a match is found then a score of either 3 (High) or 4 (Critical) will
180
+ # be returned, depending on whether the regexp for finding comments is also matched.
181
+ #
182
+ # @param value [String] the value of the input.
183
+ #
184
+ # @return res [Integer]
185
+ def evaluate_or_rule value
186
+ score = 0
187
+
188
+ locs = matches_by_position value, NOSQL_OR_REGEXP
189
+ return score if locs.empty?
190
+
191
+ locs.each do |loc|
192
+ [NOSQL_QUOTED_REGEXP, NOSQL_NUMERIC_REGEXP].each do |pattern|
193
+ pattern_locs = matches_by_position(value[loc[1]..], pattern)
194
+ next unless !pattern_locs.empty? && pattern_locs[0][0] < MAX_DISTANCE
195
+
196
+ return 4 if value.match?(NOSQL_COMMENTS_AFTER_REGEXP, loc[1] + pattern_locs[0][1]) # Critical
197
+
198
+ score = 3 # High
199
+ break
200
+ end
201
+ end
202
+
203
+ score
204
+ end
205
+
206
+ # This method returns the patterns to be checked against the input value.
207
+ #
208
+ # @return res [Array, nil]
209
+ def nosqli_patterns
210
+ server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
211
+ rule_definitions = server_features&.protect&.rule_definition_list
212
+ rule_definitions&.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
213
+ end
214
+
215
+ def matches_by_position value, pattern
216
+ value.to_enum(:scan, pattern).map { Regexp.last_match.offset(Regexp.last_match.size - 1) }
217
+ end
218
+
219
+ def definite_attack? score
220
+ score >= NOSQL_DEFINITE_THRESHOLD
221
+ end
222
+
223
+ def worth_watching? score
224
+ score >= NOSQL_WORTH_WATCHING_THRESHOLD
225
+ end
226
+ end
227
+ end
228
+ end
229
+ end
230
+ end
231
+ end
@@ -39,6 +39,19 @@ module Contrast
39
39
  raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
40
40
  end
41
41
 
42
+ def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
43
+ if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
44
+ mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
45
+
46
+ return result
47
+ end
48
+
49
+ result ||= build_attack_result(context)
50
+ update_successful_attack_response(context, input_analysis_result, result, candidate_string)
51
+ append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
52
+ result
53
+ end
54
+
42
55
  protected
43
56
 
44
57
  def find_attacker context, potential_attack_string, **kwargs
@@ -53,6 +66,20 @@ module Contrast
53
66
  end
54
67
  super(context, potential_attack_string, **kwargs)
55
68
  end
69
+
70
+ def infilter? context
71
+ return false unless context&.agent_input_analysis&.results
72
+ return false unless enabled?
73
+ return false if protect_excluded_by_code?
74
+
75
+ true
76
+ end
77
+
78
+ def gather_ia_results context
79
+ context.agent_input_analysis.results.select do |ia_result|
80
+ ia_result.rule_id == rule_name
81
+ end
82
+ end
56
83
  end
57
84
  end
58
85
  end
@@ -7,6 +7,8 @@ require 'contrast/agent/protect/rule/sqli'
7
7
  require 'contrast/agent/reporting/input_analysis/score_level'
8
8
  require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
9
9
  require 'contrast/agent/protect/input_analyzer/input_analyzer'
10
+ require 'contrast/utils/input_classification'
11
+ require 'contrast/components/logger'
10
12
 
11
13
  module Contrast
12
14
  module Agent
@@ -17,9 +19,9 @@ module Contrast
17
19
  # to be analyzed at the sink level.
18
20
  module SqliInputClassification
19
21
  class << self
20
- include Contrast::Agent::Reporting::InputType
21
- include Contrast::Agent::Reporting::ScoreLevel
22
+ include InputClassificationBase
22
23
  include Contrast::Agent::Protect::Rule::SqliWorthWatching
24
+ include Contrast::Components::Logger::InstanceMethods
23
25
 
24
26
  WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
25
27
  SQLI_KEYS_NEEDED = [
@@ -37,43 +39,25 @@ module Contrast
37
39
  # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
38
40
  def classify input_type, value, input_analysis
39
41
  return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
40
- return unless input_analysis.request
42
+ return unless super
41
43
 
42
44
  rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
43
- results = []
44
45
 
45
46
  # double check the input to avoid calling match? on array
46
47
  Array(value).each do |val|
47
48
  Array(val).each do |v|
48
- results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
49
+ input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
49
50
  end
50
51
  end
51
52
 
52
- input_analysis.results = results
53
53
  input_analysis
54
+ rescue StandardError => e
55
+ logger.debug('An Error was recorded in the input classification of the sqli.')
56
+ logger.debug(e)
54
57
  end
55
58
 
56
59
  private
57
60
 
58
- # Creates new isntance of InputAnalysisResult with basic info.
59
- #
60
- # @param rule_id [String] The name of the Protect Rule.
61
- # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
62
- # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
63
- # @param value [String, Array<String>] the value of the input.
64
- # @param path [String] the path of the current request context.
65
- #
66
- # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
67
- def new_ia_result rule_id, input_type, score_level, path, value
68
- res = Contrast::Agent::Reporting::InputAnalysisResult.new
69
- res.rule_id = rule_id
70
- res.input_type = input_type
71
- res.path = path
72
- res.score_level = score_level
73
- res.value = value
74
- res
75
- end
76
-
77
61
  # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
78
62
  # key if needed and Creates new isntance of InputAnalysisResult.
79
63
  #
@@ -84,37 +68,17 @@ module Contrast
84
68
  #
85
69
  # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
86
70
  def sqli_create_new_input_result request, rule_id, input_type, value
87
- result = if sqli_worth_watching? value
88
- ia_result = new_ia_result(rule_id, input_type, WORTHWATCHING, request.path, value)
89
- ia_result.ids << WORTHWATCHING_MATCH
90
- ia_result
91
- else
92
- new_ia_result(rule_id, input_type, IGNORE, request.path, value)
93
- end
94
- if SQLI_KEYS_NEEDED.include? input_type
95
- result.key = sqli_add_needed_key request, result, input_type, value
96
- end
97
- result
98
- end
99
-
100
- # This methods checks if input is value that matches a key in the input.
101
- #
102
- # @param request [Contrast::Agent::Request] the current request context.
103
- # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
104
- # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
105
- # @param value [String, Array<String>] the value of the input.
106
- #
107
- # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
108
- def sqli_add_needed_key request, result, input_type, value
109
- case input_type
110
- when COOKIE_VALUE
111
- result.key = request.cookies.key(value)
112
- when PARAMETER_VALUE
113
- result.key = request.parameters.key(value)
71
+ ia_result = new_ia_result(rule_id, input_type, request.path, value)
72
+ if sqli_worth_watching? value
73
+ ia_result.ids << WORTHWATCHING_MATCH
74
+ ia_result.score_level = WORTHWATCHING
75
+ ia_result
114
76
  else
115
- result.key
77
+ ia_result.score_level = IGNORE
116
78
  end
117
- result.key
79
+
80
+ add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
81
+ ia_result
118
82
  end
119
83
  end
120
84
  end
@@ -99,9 +99,7 @@ module Contrast
99
99
  # @param substrings [Array] set of substrings to inspect.
100
100
  # @return true | false
101
101
  def contains_substring? input, substrings
102
- return true if substrings.any? { |sub| input.include?(sub) }
103
-
104
- false
102
+ substrings.any? { |sub| input.include?(sub) }
105
103
  end
106
104
 
107
105
  # Helper method to find the number of substrings.
@@ -111,7 +109,6 @@ module Contrast
111
109
  def number_of_substrings input, substring
112
110
  number = 0
113
111
  input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
114
-
115
112
  number
116
113
  end
117
114
  end
@@ -0,0 +1,82 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/agent/protect/rule/unsafe_file_upload'
6
+ require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
7
+ require 'contrast/agent/protect/input_analyzer/input_analyzer'
8
+ require 'contrast/utils/input_classification'
9
+
10
+ module Contrast
11
+ module Agent
12
+ module Protect
13
+ module Rule
14
+ # This module will do the Input Classification stage of Unsafe File Upload
15
+ # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
16
+ module UnsafeFileUploadInputClassification
17
+ UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
18
+
19
+ class << self
20
+ include InputClassificationBase
21
+ include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
22
+
23
+ # Input Classification stage is done to determine if an user input is
24
+ # DEFINITEATTACK or to be ignored.
25
+ #
26
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
27
+ # @param value [String, Array<String>] the value of the input.
28
+ # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
29
+ # agent analysis from the current
30
+ # Request.
31
+ # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
32
+ def classify input_type, value, input_analysis
33
+ unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
34
+ return
35
+ end
36
+ return unless input_analysis.request
37
+
38
+ rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
39
+ results = []
40
+
41
+ Array(value).each do |val|
42
+ Array(val).each do |v|
43
+ results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
44
+ end
45
+ end
46
+
47
+ input_analysis.results = results
48
+ input_analysis
49
+ end
50
+
51
+ private
52
+
53
+ # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
54
+ # key if needed and Creates new isntance of InputAnalysisResult.
55
+ #
56
+ # @param request [Contrast::Agent::Request] the current request context.
57
+ # @param rule_id [String] The name of the Protect Rule.
58
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
59
+ # @param value [String, Array<String>] the value of the input.
60
+ #
61
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
62
+ def create_new_input_result request, rule_id, input_type, value
63
+ ia_result = new_ia_result rule_id, input_type, request.path, value
64
+ if unsafe_match? value
65
+ ia_result.score_level = DEFINITEATTACK
66
+ ia_result.ids << UNSAFE_UPLOAD_MATCH
67
+ else
68
+ ia_result.score_level = IGNORE
69
+ end
70
+ ia_result.key = if input_type == MULTIPART_FIELD_NAME
71
+ Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
72
+ else
73
+ Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
74
+ end
75
+ ia_result
76
+ end
77
+ end
78
+ end
79
+ end
80
+ end
81
+ end
82
+ end
@@ -0,0 +1,45 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ module Contrast
5
+ module Agent
6
+ module Protect
7
+ module Rule
8
+ # Here will be made the match of the user input provided by the
9
+ # Agent InputAnalysis.
10
+ module UnsafeFileUploadMatcher
11
+ EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
12
+ # Extensions that can be executed on the server side or can be dangerous on the client side:
13
+ # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
14
+ EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
15
+
16
+ # Match the user input to see if the filename
17
+ # contains malicious file extension.
18
+ #
19
+ # @param input [String] The filename
20
+ # extracted from the current request
21
+ # @return true | false
22
+ def unsafe_match? input
23
+ suspicious_chars?(input) || suspicious_extensions?(input)
24
+ end
25
+
26
+ private
27
+
28
+ # @param input [String] The filename
29
+ # extracted from the current request
30
+ # @return true | false
31
+ def suspicious_chars? input
32
+ input.chars.any? { |c| EXPLOIT_CHARS.include? c }
33
+ end
34
+
35
+ # @param input [String] The filename
36
+ # extracted from the current request
37
+ # @return true | false
38
+ def suspicious_extensions? input
39
+ EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
40
+ end
41
+ end
42
+ end
43
+ end
44
+ end
45
+ end
@@ -2,19 +2,61 @@
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/protect/rule/base_service'
5
+ require 'contrast/agent/reporting/input_analysis/input_type'
6
+ require 'contrast/agent/reporting/input_analysis/score_level'
5
7
 
6
8
  module Contrast
7
9
  module Agent
8
10
  module Protect
9
11
  module Rule
10
12
  # The Ruby implementation of the Protect Unsafe File Upload rule.
13
+ # The unsafe-file-upload rule can trigger the following results:
14
+ # BLOCKED in Blocking mode na SUSPICIOUS in Monitor mode.
11
15
  class UnsafeFileUpload < Contrast::Agent::Protect::Rule::BaseService
16
+ include Contrast::Agent::Reporting::InputType
17
+
12
18
  NAME = 'unsafe-file-upload'
13
19
  BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
20
+ APPLICABLE_USER_INPUTS = [MULTIPART_NAME, MULTIPART_FIELD_NAME].cs__freeze
14
21
 
15
22
  def rule_name
16
23
  NAME
17
24
  end
25
+
26
+ def block_message
27
+ BLOCK_MESSAGE
28
+ end
29
+
30
+ def prefilter context
31
+ return unless prefilter?(context)
32
+
33
+ ia_results = gather_ia_results context
34
+
35
+ ia_results.each do |ia_result|
36
+ result = build_attack_result(context)
37
+ build_attack_without_match context, ia_result, result
38
+ append_to_activity context, result
39
+
40
+ cef_logging result, :successful_attack
41
+ raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
42
+ end
43
+ end
44
+
45
+ private
46
+
47
+ def prefilter? context
48
+ return false unless context&.agent_input_analysis&.results
49
+ return false unless enabled?
50
+ return false if protect_excluded_by_code?
51
+
52
+ true
53
+ end
54
+
55
+ def gather_ia_results context
56
+ context.agent_input_analysis.results.select do |ia_result|
57
+ ia_result.rule_id == rule_name
58
+ end
59
+ end
18
60
  end
19
61
  end
20
62
  end
@@ -0,0 +1,63 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/object_share'
5
+ require 'contrast/utils/timer'
6
+ require 'contrast/agent/reporting/attack_result/response_type'
7
+ require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
8
+
9
+ module Contrast
10
+ module Agent
11
+ module Reporting
12
+ # This class will hold the new Attacks results generated by our
13
+ # protect rules.
14
+ class AttackResult
15
+ RESPONSE_TYPE = Contrast::Agent::Reporting::ResponseType
16
+ # Generated the attack result
17
+ #
18
+ # @return @_response_type [Contrast::Agent::Reporting::ResponseType]
19
+ def response
20
+ @_response ||= RESPONSE_TYPE::NO_ACTION
21
+ end
22
+
23
+ # sets the response_type
24
+ #
25
+ # @param response_type [Contrast::Agent::Reporting::Settings::InputAnalysisResult]
26
+ # @return @_response_type []
27
+ def response= response_type
28
+ @_response = response_type if RESPONSE_TYPE.to_a.include?(response_type)
29
+ end
30
+
31
+ # @return @_rule_id [String]
32
+ def rule_id
33
+ @_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
34
+ end
35
+
36
+ # @param rule_id [String]
37
+ # @return @_rule_id [String]
38
+ def rule_id= rule_id
39
+ @_rule_id = rule_id if rule_id.is_a?(String)
40
+ end
41
+
42
+ # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
43
+ def samples
44
+ @_samples ||= []
45
+ end
46
+
47
+ # @param samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
48
+ # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
49
+ def samples= samples
50
+ @_samples = samples if samples.is_a?(Array)
51
+ end
52
+
53
+ def tags
54
+ @_tags ||= Contrast::Utils::ObjectShare::EMPTY_STRING
55
+ end
56
+
57
+ def tags= tags
58
+ @_tags = tags if tags.is_a?(String)
59
+ end
60
+ end
61
+ end
62
+ end
63
+ end