contrast-agent 5.3.0 → 6.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +13 -1
- data/ext/cs__common/cs__common.c +12 -11
- data/ext/cs__contrast_patch/cs__contrast_patch.c +54 -43
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +146 -97
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -1
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/middleware.rb +3 -1
- data/lib/contrast/agent/patching/policy/patcher.rb +3 -3
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +61 -8
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +37 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +13 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +8 -0
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +27 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -4
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
- data/lib/contrast/agent/reporting/report.rb +2 -0
- data/lib/contrast/agent/reporting/reporter.rb +23 -11
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +16 -5
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +27 -26
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +68 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +122 -96
- data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/request_context.rb +1 -1
- data/lib/contrast/agent/request_context_extend.rb +1 -1
- data/lib/contrast/agent/request_handler.rb +4 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
- data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
- data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +3 -0
- data/lib/contrast/api/communication/speedracer.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/response_type.rb +30 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/protect.rb +2 -2
- data/lib/contrast/components/sampling.rb +7 -11
- data/lib/contrast/components/settings.rb +106 -8
- data/lib/contrast/config/agent_configuration.rb +13 -30
- data/lib/contrast/config/api_configuration.rb +4 -67
- data/lib/contrast/config/api_proxy_configuration.rb +2 -45
- data/lib/contrast/config/application_configuration.rb +9 -84
- data/lib/contrast/config/assess_configuration.rb +10 -69
- data/lib/contrast/config/assess_rules_configuration.rb +9 -38
- data/lib/contrast/config/base_configuration.rb +17 -50
- data/lib/contrast/config/certification_configuration.rb +6 -63
- data/lib/contrast/config/exception_configuration.rb +5 -52
- data/lib/contrast/config/heap_dump_configuration.rb +6 -64
- data/lib/contrast/config/inventory_configuration.rb +2 -49
- data/lib/contrast/config/logger_configuration.rb +0 -36
- data/lib/contrast/config/protect_configuration.rb +17 -7
- data/lib/contrast/config/protect_rule_configuration.rb +12 -30
- data/lib/contrast/config/protect_rules_configuration.rb +21 -26
- data/lib/contrast/config/request_audit_configuration.rb +6 -48
- data/lib/contrast/config/root_configuration.rb +52 -12
- data/lib/contrast/config/ruby_configuration.rb +0 -36
- data/lib/contrast/config/sampling_configuration.rb +1 -57
- data/lib/contrast/config/server_configuration.rb +0 -36
- data/lib/contrast/config/service_configuration.rb +5 -44
- data/lib/contrast/configuration.rb +2 -3
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/manager.rb +2 -2
- data/lib/contrast/logger/application.rb +1 -1
- data/lib/contrast/logger/cef_log.rb +1 -1
- data/lib/contrast/tasks/config.rb +90 -3
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/class_util.rb +3 -12
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/log_utils.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +9 -8
- data/lib/contrast/utils/net_http_base.rb +1 -1
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +0 -5
- data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -5
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/telemetry.rb +1 -1
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/lib/contrast/utils/telemetry_identifier.rb +1 -1
- data/resources/assess/policy.json +98 -0
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +9 -8
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +73 -28
@@ -0,0 +1,231 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/protect/rule/no_sqli'
|
6
|
+
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
7
|
+
require 'contrast/utils/input_classification'
|
8
|
+
|
9
|
+
module Contrast
|
10
|
+
module Agent
|
11
|
+
module Protect
|
12
|
+
module Rule
|
13
|
+
# This module will do the Input Classification stage of NoSQLI rule
|
14
|
+
# as a result input would be marked as WORTHWATCHING or IGNORE,
|
15
|
+
# to be analyzed at the sink level.
|
16
|
+
module NoSqliInputClassification
|
17
|
+
class << self
|
18
|
+
include InputClassificationBase
|
19
|
+
|
20
|
+
NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
|
21
|
+
NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
|
22
|
+
NOSQL_COMMENTS_AFTER_REGEXP = %r{(?:<--|//)}.cs__freeze
|
23
|
+
|
24
|
+
ZERO_OR_MORE_SPACES_REGEXP = /\s*/.cs__freeze
|
25
|
+
QUOTE_REGEXP = /['"’‘]/.cs__freeze
|
26
|
+
NUMBERS_AND_LETTERS_REGEXP = /[[:alnum:]]+/.cs__freeze
|
27
|
+
COMPARISON_REGEXP = /(?:==|>=|<=|>|<|)/.cs__freeze
|
28
|
+
NOSQL_QUOTED_REGEXP = /
|
29
|
+
#{ ZERO_OR_MORE_SPACES_REGEXP }
|
30
|
+
#{ QUOTE_REGEXP }
|
31
|
+
#{ NUMBERS_AND_LETTERS_REGEXP }
|
32
|
+
#{ QUOTE_REGEXP }
|
33
|
+
#{ ZERO_OR_MORE_SPACES_REGEXP }
|
34
|
+
#{ COMPARISON_REGEXP }
|
35
|
+
#{ ZERO_OR_MORE_SPACES_REGEXP }
|
36
|
+
#{ QUOTE_REGEXP }
|
37
|
+
#{ NUMBERS_AND_LETTERS_REGEXP }
|
38
|
+
#{ QUOTE_REGEXP }
|
39
|
+
/x.cs__freeze
|
40
|
+
NOSQL_NUMERIC_REGEXP = /
|
41
|
+
#{ ZERO_OR_MORE_SPACES_REGEXP }
|
42
|
+
#{ NUMBERS_AND_LETTERS_REGEXP }
|
43
|
+
#{ ZERO_OR_MORE_SPACES_REGEXP }
|
44
|
+
#{ COMPARISON_REGEXP }
|
45
|
+
#{ ZERO_OR_MORE_SPACES_REGEXP }
|
46
|
+
#{ NUMBERS_AND_LETTERS_REGEXP }
|
47
|
+
/x.cs__freeze
|
48
|
+
|
49
|
+
NOSQL_DEFINITE_THRESHOLD = 3
|
50
|
+
NOSQL_WORTH_WATCHING_THRESHOLD = 1
|
51
|
+
NOSQL_CONFIDENCE_THRESHOLD = 3
|
52
|
+
MAX_DISTANCE = 10
|
53
|
+
|
54
|
+
# Input Classification stage is done to determine if an user input is
|
55
|
+
# WORTHWATCHING or to be ignored.
|
56
|
+
#
|
57
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
58
|
+
# @param value [String, Array<String>] the value of the input.
|
59
|
+
# @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
|
60
|
+
# agent analysis from the current
|
61
|
+
# Request.
|
62
|
+
# @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
|
63
|
+
def classify input_type, value, input_analysis
|
64
|
+
return unless input_analysis.request
|
65
|
+
|
66
|
+
rule_id = Contrast::Agent::Protect::Rule::NoSqli::NAME
|
67
|
+
|
68
|
+
# double check the input to avoid calling match? on array
|
69
|
+
Array(value).each do |val|
|
70
|
+
Array(val).each do |v|
|
71
|
+
input_analysis.results << nosqli_create_new_input_result(input_analysis.request,
|
72
|
+
rule_id,
|
73
|
+
input_type,
|
74
|
+
v)
|
75
|
+
end
|
76
|
+
end
|
77
|
+
|
78
|
+
input_analysis
|
79
|
+
end
|
80
|
+
|
81
|
+
private
|
82
|
+
|
83
|
+
# Creates a new instance of InputAnalysisResult with basic info.
|
84
|
+
#
|
85
|
+
# @param rule_id [String] The name of the Protect Rule.
|
86
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
87
|
+
# @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
|
88
|
+
# @param value [String, Array<String>] the value of the input.
|
89
|
+
# @param path [String] the path of the current request context.
|
90
|
+
#
|
91
|
+
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
92
|
+
def new_ia_result rule_id, input_type, score_level, path, value
|
93
|
+
super(rule_id, input_type, path, value).tap { |res| res.score_level = score_level }
|
94
|
+
end
|
95
|
+
|
96
|
+
# This methods checks if input should be tagged DEFINITEATTACK, WORTHWATCHING, or IGNORE,
|
97
|
+
# and creates a new instance of InputAnalysisResult.
|
98
|
+
#
|
99
|
+
# @param request [Contrast::Agent::Request] the current request context.
|
100
|
+
# @param rule_id [String] The name of the Protect Rule.
|
101
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
102
|
+
# @param value [String, Array<String>] the value of the input.
|
103
|
+
#
|
104
|
+
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
105
|
+
def nosqli_create_new_input_result request, rule_id, input_type, value
|
106
|
+
score = evaluate_patterns(value)
|
107
|
+
score = evaluate_rules(value, score)
|
108
|
+
|
109
|
+
score_level = if definite_attack? score
|
110
|
+
DEFINITEATTACK
|
111
|
+
elsif worth_watching? score
|
112
|
+
WORTHWATCHING
|
113
|
+
else
|
114
|
+
IGNORE
|
115
|
+
end
|
116
|
+
|
117
|
+
new_ia_result(rule_id, input_type, score_level, request.path, value)
|
118
|
+
end
|
119
|
+
|
120
|
+
# This method evaluates the patterns relevant to NoSQL Injection to check whether
|
121
|
+
# the input is matched by any of them. The total score of all patterns matched is
|
122
|
+
# returned, unless the individual matching pattern score matches or exceeds
|
123
|
+
# NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
|
124
|
+
# exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
|
125
|
+
# point is returned.
|
126
|
+
#
|
127
|
+
# @param value [String] the value of the input.
|
128
|
+
# @param value [Integer] the total score thus far.
|
129
|
+
#
|
130
|
+
# @return res [Integer]
|
131
|
+
def evaluate_patterns value, total_score = 0
|
132
|
+
applicable_patterns = nosqli_patterns
|
133
|
+
return total_score if applicable_patterns.nil?
|
134
|
+
|
135
|
+
total_patterns_score = 0
|
136
|
+
applicable_patterns.each do |pattern|
|
137
|
+
next unless value.match?(pattern[:value])
|
138
|
+
|
139
|
+
total_patterns_score += pattern[:score].to_i
|
140
|
+
total_score += pattern[:score].to_i
|
141
|
+
|
142
|
+
if pattern[:score].to_i >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
|
143
|
+
return total_score
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
147
|
+
total_score
|
148
|
+
end
|
149
|
+
|
150
|
+
def evaluate_comment_rule value
|
151
|
+
(value =~ NOSQL_COMMENT_REGEXP).nil? ? 0 : 2 # None/Medium
|
152
|
+
end
|
153
|
+
|
154
|
+
# This method evaluates the searcher rules relevant to NoSQL Injection to check whether
|
155
|
+
# the input is matched by any of them. The total score of all rules matched is
|
156
|
+
# returned, unless the individual matching rukle score matches or exceeds
|
157
|
+
# NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
|
158
|
+
# exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
|
159
|
+
# point is returned.
|
160
|
+
#
|
161
|
+
# @param value [String] the value of the input.
|
162
|
+
# @param value [Integer] the total score thus far.
|
163
|
+
#
|
164
|
+
# @return res [Integer]
|
165
|
+
def evaluate_rules value, total_score = 0
|
166
|
+
total_rules_score = 0
|
167
|
+
%i[evaluate_comment_rule evaluate_or_rule].each do |method|
|
168
|
+
rule_score = send(method, value)
|
169
|
+
total_rules_score += rule_score
|
170
|
+
total_score += rule_score
|
171
|
+
|
172
|
+
return total_score if rule_score >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
|
173
|
+
end
|
174
|
+
|
175
|
+
total_score
|
176
|
+
end
|
177
|
+
|
178
|
+
# This method evaluates the input value for NoSQL Or searches. Each possible match is
|
179
|
+
# checked. If a match is found then a score of either 3 (High) or 4 (Critical) will
|
180
|
+
# be returned, depending on whether the regexp for finding comments is also matched.
|
181
|
+
#
|
182
|
+
# @param value [String] the value of the input.
|
183
|
+
#
|
184
|
+
# @return res [Integer]
|
185
|
+
def evaluate_or_rule value
|
186
|
+
score = 0
|
187
|
+
|
188
|
+
locs = matches_by_position value, NOSQL_OR_REGEXP
|
189
|
+
return score if locs.empty?
|
190
|
+
|
191
|
+
locs.each do |loc|
|
192
|
+
[NOSQL_QUOTED_REGEXP, NOSQL_NUMERIC_REGEXP].each do |pattern|
|
193
|
+
pattern_locs = matches_by_position(value[loc[1]..], pattern)
|
194
|
+
next unless !pattern_locs.empty? && pattern_locs[0][0] < MAX_DISTANCE
|
195
|
+
|
196
|
+
return 4 if value.match?(NOSQL_COMMENTS_AFTER_REGEXP, loc[1] + pattern_locs[0][1]) # Critical
|
197
|
+
|
198
|
+
score = 3 # High
|
199
|
+
break
|
200
|
+
end
|
201
|
+
end
|
202
|
+
|
203
|
+
score
|
204
|
+
end
|
205
|
+
|
206
|
+
# This method returns the patterns to be checked against the input value.
|
207
|
+
#
|
208
|
+
# @return res [Array, nil]
|
209
|
+
def nosqli_patterns
|
210
|
+
server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
|
211
|
+
rule_definitions = server_features&.protect&.rule_definition_list
|
212
|
+
rule_definitions&.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
|
213
|
+
end
|
214
|
+
|
215
|
+
def matches_by_position value, pattern
|
216
|
+
value.to_enum(:scan, pattern).map { Regexp.last_match.offset(Regexp.last_match.size - 1) }
|
217
|
+
end
|
218
|
+
|
219
|
+
def definite_attack? score
|
220
|
+
score >= NOSQL_DEFINITE_THRESHOLD
|
221
|
+
end
|
222
|
+
|
223
|
+
def worth_watching? score
|
224
|
+
score >= NOSQL_WORTH_WATCHING_THRESHOLD
|
225
|
+
end
|
226
|
+
end
|
227
|
+
end
|
228
|
+
end
|
229
|
+
end
|
230
|
+
end
|
231
|
+
end
|
@@ -39,6 +39,19 @@ module Contrast
|
|
39
39
|
raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
|
40
40
|
end
|
41
41
|
|
42
|
+
def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
|
43
|
+
if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
|
44
|
+
mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
|
45
|
+
|
46
|
+
return result
|
47
|
+
end
|
48
|
+
|
49
|
+
result ||= build_attack_result(context)
|
50
|
+
update_successful_attack_response(context, input_analysis_result, result, candidate_string)
|
51
|
+
append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
|
52
|
+
result
|
53
|
+
end
|
54
|
+
|
42
55
|
protected
|
43
56
|
|
44
57
|
def find_attacker context, potential_attack_string, **kwargs
|
@@ -53,6 +66,20 @@ module Contrast
|
|
53
66
|
end
|
54
67
|
super(context, potential_attack_string, **kwargs)
|
55
68
|
end
|
69
|
+
|
70
|
+
def infilter? context
|
71
|
+
return false unless context&.agent_input_analysis&.results
|
72
|
+
return false unless enabled?
|
73
|
+
return false if protect_excluded_by_code?
|
74
|
+
|
75
|
+
true
|
76
|
+
end
|
77
|
+
|
78
|
+
def gather_ia_results context
|
79
|
+
context.agent_input_analysis.results.select do |ia_result|
|
80
|
+
ia_result.rule_id == rule_name
|
81
|
+
end
|
82
|
+
end
|
56
83
|
end
|
57
84
|
end
|
58
85
|
end
|
@@ -7,6 +7,8 @@ require 'contrast/agent/protect/rule/sqli'
|
|
7
7
|
require 'contrast/agent/reporting/input_analysis/score_level'
|
8
8
|
require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
|
9
9
|
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
10
|
+
require 'contrast/utils/input_classification'
|
11
|
+
require 'contrast/components/logger'
|
10
12
|
|
11
13
|
module Contrast
|
12
14
|
module Agent
|
@@ -17,9 +19,9 @@ module Contrast
|
|
17
19
|
# to be analyzed at the sink level.
|
18
20
|
module SqliInputClassification
|
19
21
|
class << self
|
20
|
-
include
|
21
|
-
include Contrast::Agent::Reporting::ScoreLevel
|
22
|
+
include InputClassificationBase
|
22
23
|
include Contrast::Agent::Protect::Rule::SqliWorthWatching
|
24
|
+
include Contrast::Components::Logger::InstanceMethods
|
23
25
|
|
24
26
|
WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
|
25
27
|
SQLI_KEYS_NEEDED = [
|
@@ -37,43 +39,25 @@ module Contrast
|
|
37
39
|
# @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
|
38
40
|
def classify input_type, value, input_analysis
|
39
41
|
return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
|
40
|
-
return unless
|
42
|
+
return unless super
|
41
43
|
|
42
44
|
rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
|
43
|
-
results = []
|
44
45
|
|
45
46
|
# double check the input to avoid calling match? on array
|
46
47
|
Array(value).each do |val|
|
47
48
|
Array(val).each do |v|
|
48
|
-
results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
|
49
|
+
input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
|
49
50
|
end
|
50
51
|
end
|
51
52
|
|
52
|
-
input_analysis.results = results
|
53
53
|
input_analysis
|
54
|
+
rescue StandardError => e
|
55
|
+
logger.debug('An Error was recorded in the input classification of the sqli.')
|
56
|
+
logger.debug(e)
|
54
57
|
end
|
55
58
|
|
56
59
|
private
|
57
60
|
|
58
|
-
# Creates new isntance of InputAnalysisResult with basic info.
|
59
|
-
#
|
60
|
-
# @param rule_id [String] The name of the Protect Rule.
|
61
|
-
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
62
|
-
# @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
|
63
|
-
# @param value [String, Array<String>] the value of the input.
|
64
|
-
# @param path [String] the path of the current request context.
|
65
|
-
#
|
66
|
-
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
67
|
-
def new_ia_result rule_id, input_type, score_level, path, value
|
68
|
-
res = Contrast::Agent::Reporting::InputAnalysisResult.new
|
69
|
-
res.rule_id = rule_id
|
70
|
-
res.input_type = input_type
|
71
|
-
res.path = path
|
72
|
-
res.score_level = score_level
|
73
|
-
res.value = value
|
74
|
-
res
|
75
|
-
end
|
76
|
-
|
77
61
|
# This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
|
78
62
|
# key if needed and Creates new isntance of InputAnalysisResult.
|
79
63
|
#
|
@@ -84,37 +68,17 @@ module Contrast
|
|
84
68
|
#
|
85
69
|
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
86
70
|
def sqli_create_new_input_result request, rule_id, input_type, value
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
new_ia_result(rule_id, input_type, IGNORE, request.path, value)
|
93
|
-
end
|
94
|
-
if SQLI_KEYS_NEEDED.include? input_type
|
95
|
-
result.key = sqli_add_needed_key request, result, input_type, value
|
96
|
-
end
|
97
|
-
result
|
98
|
-
end
|
99
|
-
|
100
|
-
# This methods checks if input is value that matches a key in the input.
|
101
|
-
#
|
102
|
-
# @param request [Contrast::Agent::Request] the current request context.
|
103
|
-
# @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
|
104
|
-
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
105
|
-
# @param value [String, Array<String>] the value of the input.
|
106
|
-
#
|
107
|
-
# @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
|
108
|
-
def sqli_add_needed_key request, result, input_type, value
|
109
|
-
case input_type
|
110
|
-
when COOKIE_VALUE
|
111
|
-
result.key = request.cookies.key(value)
|
112
|
-
when PARAMETER_VALUE
|
113
|
-
result.key = request.parameters.key(value)
|
71
|
+
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
72
|
+
if sqli_worth_watching? value
|
73
|
+
ia_result.ids << WORTHWATCHING_MATCH
|
74
|
+
ia_result.score_level = WORTHWATCHING
|
75
|
+
ia_result
|
114
76
|
else
|
115
|
-
|
77
|
+
ia_result.score_level = IGNORE
|
116
78
|
end
|
117
|
-
|
79
|
+
|
80
|
+
add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
|
81
|
+
ia_result
|
118
82
|
end
|
119
83
|
end
|
120
84
|
end
|
@@ -99,9 +99,7 @@ module Contrast
|
|
99
99
|
# @param substrings [Array] set of substrings to inspect.
|
100
100
|
# @return true | false
|
101
101
|
def contains_substring? input, substrings
|
102
|
-
|
103
|
-
|
104
|
-
false
|
102
|
+
substrings.any? { |sub| input.include?(sub) }
|
105
103
|
end
|
106
104
|
|
107
105
|
# Helper method to find the number of substrings.
|
@@ -111,7 +109,6 @@ module Contrast
|
|
111
109
|
def number_of_substrings input, substring
|
112
110
|
number = 0
|
113
111
|
input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
|
114
|
-
|
115
112
|
number
|
116
113
|
end
|
117
114
|
end
|
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb
ADDED
@@ -0,0 +1,82 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/protect/rule/unsafe_file_upload'
|
6
|
+
require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
|
7
|
+
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
8
|
+
require 'contrast/utils/input_classification'
|
9
|
+
|
10
|
+
module Contrast
|
11
|
+
module Agent
|
12
|
+
module Protect
|
13
|
+
module Rule
|
14
|
+
# This module will do the Input Classification stage of Unsafe File Upload
|
15
|
+
# rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
|
16
|
+
module UnsafeFileUploadInputClassification
|
17
|
+
UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
|
18
|
+
|
19
|
+
class << self
|
20
|
+
include InputClassificationBase
|
21
|
+
include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
|
22
|
+
|
23
|
+
# Input Classification stage is done to determine if an user input is
|
24
|
+
# DEFINITEATTACK or to be ignored.
|
25
|
+
#
|
26
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
27
|
+
# @param value [String, Array<String>] the value of the input.
|
28
|
+
# @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
|
29
|
+
# agent analysis from the current
|
30
|
+
# Request.
|
31
|
+
# @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
|
32
|
+
def classify input_type, value, input_analysis
|
33
|
+
unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
|
34
|
+
return
|
35
|
+
end
|
36
|
+
return unless input_analysis.request
|
37
|
+
|
38
|
+
rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
|
39
|
+
results = []
|
40
|
+
|
41
|
+
Array(value).each do |val|
|
42
|
+
Array(val).each do |v|
|
43
|
+
results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
input_analysis.results = results
|
48
|
+
input_analysis
|
49
|
+
end
|
50
|
+
|
51
|
+
private
|
52
|
+
|
53
|
+
# This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
|
54
|
+
# key if needed and Creates new isntance of InputAnalysisResult.
|
55
|
+
#
|
56
|
+
# @param request [Contrast::Agent::Request] the current request context.
|
57
|
+
# @param rule_id [String] The name of the Protect Rule.
|
58
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
59
|
+
# @param value [String, Array<String>] the value of the input.
|
60
|
+
#
|
61
|
+
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
62
|
+
def create_new_input_result request, rule_id, input_type, value
|
63
|
+
ia_result = new_ia_result rule_id, input_type, request.path, value
|
64
|
+
if unsafe_match? value
|
65
|
+
ia_result.score_level = DEFINITEATTACK
|
66
|
+
ia_result.ids << UNSAFE_UPLOAD_MATCH
|
67
|
+
else
|
68
|
+
ia_result.score_level = IGNORE
|
69
|
+
end
|
70
|
+
ia_result.key = if input_type == MULTIPART_FIELD_NAME
|
71
|
+
Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
|
72
|
+
else
|
73
|
+
Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
|
74
|
+
end
|
75
|
+
ia_result
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
79
|
+
end
|
80
|
+
end
|
81
|
+
end
|
82
|
+
end
|
@@ -0,0 +1,45 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Contrast
|
5
|
+
module Agent
|
6
|
+
module Protect
|
7
|
+
module Rule
|
8
|
+
# Here will be made the match of the user input provided by the
|
9
|
+
# Agent InputAnalysis.
|
10
|
+
module UnsafeFileUploadMatcher
|
11
|
+
EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
|
12
|
+
# Extensions that can be executed on the server side or can be dangerous on the client side:
|
13
|
+
# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
|
14
|
+
EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
|
15
|
+
|
16
|
+
# Match the user input to see if the filename
|
17
|
+
# contains malicious file extension.
|
18
|
+
#
|
19
|
+
# @param input [String] The filename
|
20
|
+
# extracted from the current request
|
21
|
+
# @return true | false
|
22
|
+
def unsafe_match? input
|
23
|
+
suspicious_chars?(input) || suspicious_extensions?(input)
|
24
|
+
end
|
25
|
+
|
26
|
+
private
|
27
|
+
|
28
|
+
# @param input [String] The filename
|
29
|
+
# extracted from the current request
|
30
|
+
# @return true | false
|
31
|
+
def suspicious_chars? input
|
32
|
+
input.chars.any? { |c| EXPLOIT_CHARS.include? c }
|
33
|
+
end
|
34
|
+
|
35
|
+
# @param input [String] The filename
|
36
|
+
# extracted from the current request
|
37
|
+
# @return true | false
|
38
|
+
def suspicious_extensions? input
|
39
|
+
EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
@@ -2,19 +2,61 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
5
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
|
+
require 'contrast/agent/reporting/input_analysis/score_level'
|
5
7
|
|
6
8
|
module Contrast
|
7
9
|
module Agent
|
8
10
|
module Protect
|
9
11
|
module Rule
|
10
12
|
# The Ruby implementation of the Protect Unsafe File Upload rule.
|
13
|
+
# The unsafe-file-upload rule can trigger the following results:
|
14
|
+
# BLOCKED in Blocking mode na SUSPICIOUS in Monitor mode.
|
11
15
|
class UnsafeFileUpload < Contrast::Agent::Protect::Rule::BaseService
|
16
|
+
include Contrast::Agent::Reporting::InputType
|
17
|
+
|
12
18
|
NAME = 'unsafe-file-upload'
|
13
19
|
BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
|
20
|
+
APPLICABLE_USER_INPUTS = [MULTIPART_NAME, MULTIPART_FIELD_NAME].cs__freeze
|
14
21
|
|
15
22
|
def rule_name
|
16
23
|
NAME
|
17
24
|
end
|
25
|
+
|
26
|
+
def block_message
|
27
|
+
BLOCK_MESSAGE
|
28
|
+
end
|
29
|
+
|
30
|
+
def prefilter context
|
31
|
+
return unless prefilter?(context)
|
32
|
+
|
33
|
+
ia_results = gather_ia_results context
|
34
|
+
|
35
|
+
ia_results.each do |ia_result|
|
36
|
+
result = build_attack_result(context)
|
37
|
+
build_attack_without_match context, ia_result, result
|
38
|
+
append_to_activity context, result
|
39
|
+
|
40
|
+
cef_logging result, :successful_attack
|
41
|
+
raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
private
|
46
|
+
|
47
|
+
def prefilter? context
|
48
|
+
return false unless context&.agent_input_analysis&.results
|
49
|
+
return false unless enabled?
|
50
|
+
return false if protect_excluded_by_code?
|
51
|
+
|
52
|
+
true
|
53
|
+
end
|
54
|
+
|
55
|
+
def gather_ia_results context
|
56
|
+
context.agent_input_analysis.results.select do |ia_result|
|
57
|
+
ia_result.rule_id == rule_name
|
58
|
+
end
|
59
|
+
end
|
18
60
|
end
|
19
61
|
end
|
20
62
|
end
|
@@ -0,0 +1,63 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/utils/timer'
|
6
|
+
require 'contrast/agent/reporting/attack_result/response_type'
|
7
|
+
require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
|
8
|
+
|
9
|
+
module Contrast
|
10
|
+
module Agent
|
11
|
+
module Reporting
|
12
|
+
# This class will hold the new Attacks results generated by our
|
13
|
+
# protect rules.
|
14
|
+
class AttackResult
|
15
|
+
RESPONSE_TYPE = Contrast::Agent::Reporting::ResponseType
|
16
|
+
# Generated the attack result
|
17
|
+
#
|
18
|
+
# @return @_response_type [Contrast::Agent::Reporting::ResponseType]
|
19
|
+
def response
|
20
|
+
@_response ||= RESPONSE_TYPE::NO_ACTION
|
21
|
+
end
|
22
|
+
|
23
|
+
# sets the response_type
|
24
|
+
#
|
25
|
+
# @param response_type [Contrast::Agent::Reporting::Settings::InputAnalysisResult]
|
26
|
+
# @return @_response_type []
|
27
|
+
def response= response_type
|
28
|
+
@_response = response_type if RESPONSE_TYPE.to_a.include?(response_type)
|
29
|
+
end
|
30
|
+
|
31
|
+
# @return @_rule_id [String]
|
32
|
+
def rule_id
|
33
|
+
@_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
34
|
+
end
|
35
|
+
|
36
|
+
# @param rule_id [String]
|
37
|
+
# @return @_rule_id [String]
|
38
|
+
def rule_id= rule_id
|
39
|
+
@_rule_id = rule_id if rule_id.is_a?(String)
|
40
|
+
end
|
41
|
+
|
42
|
+
# @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
|
43
|
+
def samples
|
44
|
+
@_samples ||= []
|
45
|
+
end
|
46
|
+
|
47
|
+
# @param samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
|
48
|
+
# @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
|
49
|
+
def samples= samples
|
50
|
+
@_samples = samples if samples.is_a?(Array)
|
51
|
+
end
|
52
|
+
|
53
|
+
def tags
|
54
|
+
@_tags ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
55
|
+
end
|
56
|
+
|
57
|
+
def tags= tags
|
58
|
+
@_tags = tags if tags.is_a?(String)
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|