contrast-agent 5.3.0 → 6.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +13 -1
- data/ext/cs__common/cs__common.c +12 -11
- data/ext/cs__contrast_patch/cs__contrast_patch.c +54 -43
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +146 -97
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -1
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/middleware.rb +3 -1
- data/lib/contrast/agent/patching/policy/patcher.rb +3 -3
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +61 -8
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +37 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +13 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +8 -0
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +27 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -4
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
- data/lib/contrast/agent/reporting/report.rb +2 -0
- data/lib/contrast/agent/reporting/reporter.rb +23 -11
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +16 -5
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +27 -26
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +68 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +122 -96
- data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/request_context.rb +1 -1
- data/lib/contrast/agent/request_context_extend.rb +1 -1
- data/lib/contrast/agent/request_handler.rb +4 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
- data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
- data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +3 -0
- data/lib/contrast/api/communication/speedracer.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/response_type.rb +30 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/protect.rb +2 -2
- data/lib/contrast/components/sampling.rb +7 -11
- data/lib/contrast/components/settings.rb +106 -8
- data/lib/contrast/config/agent_configuration.rb +13 -30
- data/lib/contrast/config/api_configuration.rb +4 -67
- data/lib/contrast/config/api_proxy_configuration.rb +2 -45
- data/lib/contrast/config/application_configuration.rb +9 -84
- data/lib/contrast/config/assess_configuration.rb +10 -69
- data/lib/contrast/config/assess_rules_configuration.rb +9 -38
- data/lib/contrast/config/base_configuration.rb +17 -50
- data/lib/contrast/config/certification_configuration.rb +6 -63
- data/lib/contrast/config/exception_configuration.rb +5 -52
- data/lib/contrast/config/heap_dump_configuration.rb +6 -64
- data/lib/contrast/config/inventory_configuration.rb +2 -49
- data/lib/contrast/config/logger_configuration.rb +0 -36
- data/lib/contrast/config/protect_configuration.rb +17 -7
- data/lib/contrast/config/protect_rule_configuration.rb +12 -30
- data/lib/contrast/config/protect_rules_configuration.rb +21 -26
- data/lib/contrast/config/request_audit_configuration.rb +6 -48
- data/lib/contrast/config/root_configuration.rb +52 -12
- data/lib/contrast/config/ruby_configuration.rb +0 -36
- data/lib/contrast/config/sampling_configuration.rb +1 -57
- data/lib/contrast/config/server_configuration.rb +0 -36
- data/lib/contrast/config/service_configuration.rb +5 -44
- data/lib/contrast/configuration.rb +2 -3
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/manager.rb +2 -2
- data/lib/contrast/logger/application.rb +1 -1
- data/lib/contrast/logger/cef_log.rb +1 -1
- data/lib/contrast/tasks/config.rb +90 -3
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/class_util.rb +3 -12
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/log_utils.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +9 -8
- data/lib/contrast/utils/net_http_base.rb +1 -1
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +0 -5
- data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -5
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/telemetry.rb +1 -1
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/lib/contrast/utils/telemetry_identifier.rb +1 -1
- data/resources/assess/policy.json +98 -0
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +9 -8
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +73 -28
@@ -0,0 +1,52 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/utils/timer'
|
6
|
+
require 'contrast/agent/reporting/attack_result/user_input'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module Agent
|
10
|
+
module Reporting
|
11
|
+
# This class will hold the new RaspRuleSample.
|
12
|
+
# protect rules.
|
13
|
+
class RaspRuleSample
|
14
|
+
def timestamp
|
15
|
+
@_timestamp ||= 0
|
16
|
+
end
|
17
|
+
|
18
|
+
def timestamp= timestamp_ms
|
19
|
+
@_timestamp = timestamp_ms
|
20
|
+
end
|
21
|
+
|
22
|
+
def user_input
|
23
|
+
@_user_input ||= Contrast::Agent::Reporting::UserInput.new
|
24
|
+
end
|
25
|
+
|
26
|
+
def user_input= input
|
27
|
+
@_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
|
28
|
+
end
|
29
|
+
|
30
|
+
def build context, ia_result
|
31
|
+
sample = self
|
32
|
+
sample.timestamp = context&.timer&.start_ms
|
33
|
+
sample.user_input = build_user_input_from_ia(ia_result)
|
34
|
+
sample.user_input.document_type = if context&.request
|
35
|
+
Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
|
36
|
+
end
|
37
|
+
sample
|
38
|
+
end
|
39
|
+
|
40
|
+
def build_user_input_from_ia ia_result
|
41
|
+
user_input = Contrast::Agent::Reporting::UserInput.new
|
42
|
+
user_input.input_type = ia_result.input_type
|
43
|
+
user_input.matcher_ids = ia_result.ids
|
44
|
+
user_input.path = ia_result.path
|
45
|
+
user_input.key = ia_result.key if ia_result.key
|
46
|
+
user_input.value = ia_result.value if ia_result.value
|
47
|
+
user_input
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
# This module will hold the response types used to generate
|
10
|
+
# attack result.
|
11
|
+
module ResponseType
|
12
|
+
BLOCKED = :BLOCKED.cs__freeze
|
13
|
+
MONITORED = :MONITORED.cs__freeze
|
14
|
+
PROBED = :PROBED.cs__freeze
|
15
|
+
BLOCK_AT_PERIMETER = :BLOCK_AT_PERIMETER.cs__freeze
|
16
|
+
SUSPICIOUS = :SUSPICIOUS.cs__freeze
|
17
|
+
AGGREGATED = :AGGREGATED.cs__freeze
|
18
|
+
EXPLOITED = :EXPLOITED.cs__freeze
|
19
|
+
NO_ACTION = :NO_ACTION.cs__freeze
|
20
|
+
|
21
|
+
class << self
|
22
|
+
def to_a
|
23
|
+
[NO_ACTION, BLOCKED, MONITORED, PROBED, BLOCK_AT_PERIMETER, EXPLOITED, SUSPICIOUS, AGGREGATED]
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
@@ -0,0 +1,87 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
|
+
require 'contrast/agent/request_context'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module Agent
|
10
|
+
module Reporting
|
11
|
+
# This class will hold the new Sqli detail used by RaspRuleSample
|
12
|
+
class UserInput
|
13
|
+
INPUT_TYPE = Contrast::Agent::Reporting::InputType
|
14
|
+
DOCUMENT_TYPE = { XML: :XML, JSON: :JSON, NORMAL: :NORMAL }.cs__freeze
|
15
|
+
|
16
|
+
# @return @_path [String]
|
17
|
+
def path
|
18
|
+
@_path ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
19
|
+
end
|
20
|
+
|
21
|
+
# @param path [String]
|
22
|
+
# @return @_path [String]
|
23
|
+
def path= path
|
24
|
+
@_path = path if path.is_a?(String)
|
25
|
+
end
|
26
|
+
|
27
|
+
# @return @_key [String]
|
28
|
+
def key
|
29
|
+
@_key ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
30
|
+
end
|
31
|
+
|
32
|
+
# @param key [String]
|
33
|
+
# @return @_key [String]
|
34
|
+
def key= key
|
35
|
+
@_key = key if key.is_a?(String)
|
36
|
+
end
|
37
|
+
|
38
|
+
# @return value [String]
|
39
|
+
def value
|
40
|
+
@_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
41
|
+
end
|
42
|
+
|
43
|
+
# @param value [String]
|
44
|
+
# @return value [String]
|
45
|
+
def value= value
|
46
|
+
@_value = value if value.is_a?(String)
|
47
|
+
end
|
48
|
+
|
49
|
+
# @return @_input_type [
|
50
|
+
# Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
|
51
|
+
def input_type
|
52
|
+
@_input_type ||= INPUT_TYPE::UNDEFINED_TYPE
|
53
|
+
end
|
54
|
+
|
55
|
+
# @param input_type [
|
56
|
+
# Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
|
57
|
+
# @return @_input_type [
|
58
|
+
# Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
|
59
|
+
def input_type= input_type
|
60
|
+
@_input_type = input_type if INPUT_TYPE.to_a.include?(input_type)
|
61
|
+
end
|
62
|
+
|
63
|
+
# type [Symbol<:XML, :JSON, :NORMAL>]
|
64
|
+
def document_type
|
65
|
+
@_document_type ||= DOCUMENT_TYPE[:NORMAL]
|
66
|
+
end
|
67
|
+
|
68
|
+
def document_type= type
|
69
|
+
@_document_type = type if DOCUMENT_TYPE.value?(type)
|
70
|
+
end
|
71
|
+
|
72
|
+
# Matchers IDs
|
73
|
+
# @return @_ids [Array<String>]
|
74
|
+
def matcher_ids
|
75
|
+
@_matcher_ids ||= []
|
76
|
+
end
|
77
|
+
|
78
|
+
# Matchers IDs
|
79
|
+
# @param ids [Array<String>]
|
80
|
+
# @return @_ids [Array<String>]
|
81
|
+
def matcher_ids= ids
|
82
|
+
@_matcher_ids = ids if ids.is_a?(Array) && ids.any?(String)
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
86
|
+
end
|
87
|
+
end
|
@@ -0,0 +1,246 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/components/logger'
|
5
|
+
require 'contrast/agent/reporting/reporter'
|
6
|
+
require 'contrast/utils/object_share'
|
7
|
+
require 'contrast/agent/reporting/attack_result/response_type'
|
8
|
+
require 'contrast/agent/reporting/masker/masker_utils'
|
9
|
+
|
10
|
+
module Contrast
|
11
|
+
module Agent
|
12
|
+
module Reporting
|
13
|
+
# This module duty is to mask any activity containing sensitive information - PII masking.
|
14
|
+
module Masker
|
15
|
+
MASK = 'contrast-redacted-'
|
16
|
+
BODY_MASK = 'contrast-redacted-body'
|
17
|
+
BODY_BINARY_MASK = BODY_MASK.bytes.to_s.cs__freeze
|
18
|
+
|
19
|
+
class << self
|
20
|
+
include Contrast::Components::Logger::InstanceMethods
|
21
|
+
include Contrast::Utils::ObjectShare
|
22
|
+
include Contrast::Agent::Reporting::MaskerUtils
|
23
|
+
|
24
|
+
# Keyword dictionary, extracted from the TS response.
|
25
|
+
#
|
26
|
+
# @return Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>
|
27
|
+
def dictionary
|
28
|
+
@_dictionary ||= update_dictionary
|
29
|
+
end
|
30
|
+
|
31
|
+
# Mask sensitive data according to the contrast sensitive data rules.
|
32
|
+
#
|
33
|
+
# @param [Contrast::Api::Dtm::Activity]
|
34
|
+
def mask activity
|
35
|
+
return unless Contrast::Agent::Reporter.enabled?
|
36
|
+
return unless activity || activity.http_request || activity.results
|
37
|
+
|
38
|
+
logger.debug('Searching for sensitive data',
|
39
|
+
activity: activity.__id__,
|
40
|
+
request: activity.http_request&.uuid)
|
41
|
+
mask_body activity
|
42
|
+
mask_query_string activity
|
43
|
+
mask_request_params activity
|
44
|
+
mask_request_cookies activity
|
45
|
+
mask_request_headers activity
|
46
|
+
rescue StandardError => e
|
47
|
+
logger.debug('Could not mask activity!',
|
48
|
+
activity: activity.__id__,
|
49
|
+
request: activity.http_request&.uuid,
|
50
|
+
error_msg: e.message)
|
51
|
+
end
|
52
|
+
|
53
|
+
private
|
54
|
+
|
55
|
+
# When called this will overwrite existing rules with those
|
56
|
+
# in settings. Ideally we need to call this on init and when
|
57
|
+
# the Agent receives new rules from TS response.This is called
|
58
|
+
# from Contrast::Components::Settings.
|
59
|
+
#
|
60
|
+
# To make it save this is private method because if new
|
61
|
+
# settings arrive and they might be empty as edge case,
|
62
|
+
# this will produce dictionary with empty rules and this
|
63
|
+
# is not desirable.
|
64
|
+
def update_dictionary
|
65
|
+
@_dictionary = Contrast::SETTINGS.sensitive_data_masking.rules
|
66
|
+
end
|
67
|
+
|
68
|
+
# Mask request body:
|
69
|
+
#
|
70
|
+
# @param activity [Contrast::Api::Dtm::Activity]
|
71
|
+
# @return masked_body [String, nil]
|
72
|
+
def mask_body activity
|
73
|
+
return unless mask_body?
|
74
|
+
|
75
|
+
body = activity.http_request.request_body
|
76
|
+
return if body.nil? || body.empty?
|
77
|
+
|
78
|
+
activity.http_request.request_body = BODY_MASK
|
79
|
+
activity.http_request.request_body_binary = BODY_BINARY_MASK
|
80
|
+
end
|
81
|
+
|
82
|
+
# Mask request params.
|
83
|
+
#
|
84
|
+
# @param activity [Contrast::Api::Dtm::Activity]
|
85
|
+
# @return masked_body [String, nil]
|
86
|
+
def mask_request_params activity
|
87
|
+
params = activity.http_request.normalized_request_params
|
88
|
+
return unless params
|
89
|
+
|
90
|
+
mask_with_dictionary activity.results, params
|
91
|
+
end
|
92
|
+
|
93
|
+
def mask_request_headers activity
|
94
|
+
if activity.http_request.parsed_request_headers
|
95
|
+
# Used normalized request_headers
|
96
|
+
mask_with_dictionary activity.results, activity.http_request.normalized_request_headers
|
97
|
+
else
|
98
|
+
headers = activity.http_request.request_headers
|
99
|
+
mask_field_hash headers, activity.results
|
100
|
+
end
|
101
|
+
end
|
102
|
+
|
103
|
+
# Mask Cookies.
|
104
|
+
#
|
105
|
+
# @param activity [Contrast::Api::Dtm::Activity] Activity to mask
|
106
|
+
# @return masked_values [Hash, nil]
|
107
|
+
def mask_request_cookies activity
|
108
|
+
cookies = activity.http_request.normalized_cookies
|
109
|
+
return unless cookies
|
110
|
+
|
111
|
+
mask_with_dictionary activity.results, cookies
|
112
|
+
end
|
113
|
+
|
114
|
+
# Mask request query string:
|
115
|
+
# exp: password => sensitive to password => contrast-redacted-password
|
116
|
+
#
|
117
|
+
# @param activity [Contrast::Api::Dtm::Activity]
|
118
|
+
# @return masked_query [String]
|
119
|
+
def mask_query_string activity
|
120
|
+
qs = activity.http_request.query_string
|
121
|
+
return if qs.nil? || qs.empty?
|
122
|
+
|
123
|
+
mask_field_hash qs, activity.results unless qs.cs__is_a?(String)
|
124
|
+
mask_raw_query qs, activity.results
|
125
|
+
end
|
126
|
+
|
127
|
+
# Mask if the value in the passed hash are matched against dictionary
|
128
|
+
# keyword. If the mask_attack_vector flag is set, this will also mask
|
129
|
+
# any attack.
|
130
|
+
#
|
131
|
+
# @param results [Array<Contrast::Api::Dtm::AttackResults>]
|
132
|
+
# results to match against.
|
133
|
+
# @param hash [Hash] Normalized hash representing the key/val pair from
|
134
|
+
# the activity's http request parameters.
|
135
|
+
# @return nil | Protobuf::Field::FieldHash
|
136
|
+
def mask_with_dictionary results, hash
|
137
|
+
return if hash.nil? || hash.empty?
|
138
|
+
|
139
|
+
hash.each do |key, val|
|
140
|
+
match = dictionary_matcher key
|
141
|
+
next unless match
|
142
|
+
|
143
|
+
# The normalized values are paired.
|
144
|
+
# key => Contrast::Api::Dtm::Pair (key, val<Values>).
|
145
|
+
# try one level down
|
146
|
+
if val.cs__respond_to? :values
|
147
|
+
mask_values key, val, results
|
148
|
+
else
|
149
|
+
# Just assign keys.
|
150
|
+
mask_hash key, val, hash, results
|
151
|
+
end
|
152
|
+
end
|
153
|
+
hash
|
154
|
+
end
|
155
|
+
|
156
|
+
# Mask the values of DTM pair with attack vector condition check.
|
157
|
+
# if the attack vector flag is set then mask the attack value.
|
158
|
+
#
|
159
|
+
# @param key [String] current iterable key from Protobuf::Field::FieldHash
|
160
|
+
# pointing to Contrast::Api::Dtm::Pair<key, val>(holding the value to mask)
|
161
|
+
# @param results [Array<Contrast::Api::Dtm::AttackResults>]
|
162
|
+
# results to match against.
|
163
|
+
# @param val [Contrast::Api::Dtm::Pair<Value>]
|
164
|
+
def mask_values key, val, results
|
165
|
+
val.values.each.with_index do |v, idx|
|
166
|
+
# Mask the attack vector only if the flag is set.
|
167
|
+
val.values[idx] = MASK + key.downcase if attack_vector?(results, v) && mask_attack_vector?
|
168
|
+
# It is not attack vector and we mask it as normal.
|
169
|
+
val.values[idx] = MASK + key.downcase unless attack_vector?(results, v)
|
170
|
+
end
|
171
|
+
val
|
172
|
+
end
|
173
|
+
|
174
|
+
# Handles the masking of Field hash with string values.
|
175
|
+
# this case is used when called from #mask_field_hash
|
176
|
+
# and #mask_raw_query helper methods. Since they dont
|
177
|
+
# return values containing sub-values (key, val<Values>).
|
178
|
+
#
|
179
|
+
# @param key [String] current iterable key from Protobuf::Field::FieldHash
|
180
|
+
# @param val [String] normalized value to be matched against the results
|
181
|
+
# and masked.
|
182
|
+
# @param hash [Hash] Normalized hash representing the key/val pair.
|
183
|
+
# @param results [Array<Contrast::Api::Dtm::AttackResults>]
|
184
|
+
# results to match against.
|
185
|
+
def mask_hash key, val, hash, results
|
186
|
+
hash[key] = MASK + key.downcase if attack_vector?(results, val) && mask_attack_vector?
|
187
|
+
hash[key] = MASK + key.downcase unless attack_vector?(results, val)
|
188
|
+
end
|
189
|
+
|
190
|
+
# Match to see if values matches input from AttackResults array.
|
191
|
+
# If match is found and the attack result's response is any of
|
192
|
+
# [BAP(Block At Perimeter), BLOCKED, PROBED] the return is true.
|
193
|
+
#
|
194
|
+
# @param results [Array<Contrast::Api::Dtm::AttackResults>]
|
195
|
+
# results to match against.
|
196
|
+
# @param value [String] Input to match.
|
197
|
+
# @return true | false
|
198
|
+
def attack_vector? results, value
|
199
|
+
return false unless value && results
|
200
|
+
|
201
|
+
results.each do |result|
|
202
|
+
# Check samples Contrast::Api::Dtm::RaspRuleSample
|
203
|
+
# is the value in sample and the response is valid?
|
204
|
+
result.samples.any? do |sample|
|
205
|
+
# Check user input Contrast::Api::Dtm::UserInput.
|
206
|
+
match = sample.user_input.value == value.to_s &&
|
207
|
+
result.response&.name != Contrast::Agent::Reporting::ResponseType::NO_ACTION
|
208
|
+
|
209
|
+
return match if match
|
210
|
+
end
|
211
|
+
end
|
212
|
+
false
|
213
|
+
end
|
214
|
+
|
215
|
+
# Consult with our current settings state.
|
216
|
+
#
|
217
|
+
# @return true | false
|
218
|
+
def mask_attack_vector?
|
219
|
+
Contrast::SETTINGS.sensitive_data_masking.mask_attack_vector?
|
220
|
+
end
|
221
|
+
|
222
|
+
# Consult with our current settings state.
|
223
|
+
#
|
224
|
+
# @return true | false
|
225
|
+
def mask_body?
|
226
|
+
Contrast::SETTINGS.sensitive_data_masking.mask_http_body?
|
227
|
+
end
|
228
|
+
|
229
|
+
# Check to see if value is matched in the dictionary.
|
230
|
+
#
|
231
|
+
# @param value [String] Value to check.
|
232
|
+
# @return match [String, nil] from the Dictionary, or nil.
|
233
|
+
def dictionary_matcher value
|
234
|
+
return unless @_dictionary
|
235
|
+
|
236
|
+
@_dictionary.each do |rule|
|
237
|
+
idx = rule.keywords.find_index(value.downcase)
|
238
|
+
return rule.keywords[idx] if idx
|
239
|
+
end
|
240
|
+
nil
|
241
|
+
end
|
242
|
+
end
|
243
|
+
end
|
244
|
+
end
|
245
|
+
end
|
246
|
+
end
|
@@ -0,0 +1,58 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
# helper methods used for masking
|
10
|
+
module MaskerUtils
|
11
|
+
include Contrast::Utils::ObjectShare
|
12
|
+
# Helper to deal with Protobuf FieldHash.
|
13
|
+
#
|
14
|
+
# @param field_hash [Protobuf::Field::FieldHash] hash to be masked
|
15
|
+
# @param results [Array<Contrast::Api::Dtm::AttackResults>]
|
16
|
+
# results to match against.
|
17
|
+
def mask_field_hash field_hash, results
|
18
|
+
hash = {}
|
19
|
+
masked = EMPTY_STRING
|
20
|
+
field_hash.any? do |entry|
|
21
|
+
# Protobuf::Field::FieldHash produces array, with the key as first param and value as second.
|
22
|
+
new_value = entry[1].delete(SEMICOLON).split(SPACE)
|
23
|
+
new_value.each do |value|
|
24
|
+
arr = value.split(EQUALS)
|
25
|
+
# Add to new hash.
|
26
|
+
hash[arr[0]] = arr[1]
|
27
|
+
end
|
28
|
+
# Mask the newly created hash.
|
29
|
+
mask_with_dictionary results, hash
|
30
|
+
|
31
|
+
# Restore to original form.
|
32
|
+
hash.each { |k, v| masked += "#{ k + EQUALS }#{ v + SEMICOLON + SPACE }" }
|
33
|
+
masked.rstrip!
|
34
|
+
field_hash[entry[0]] = masked
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
# Mask raw query as it comes from the env.
|
39
|
+
# exp:
|
40
|
+
# 'ssn=1234567&id=%272%20or%202%20=%202%27' =>
|
41
|
+
# 'ssn=contrast-redacted-ssn&id=contrast-redacted-id'
|
42
|
+
#
|
43
|
+
# @param query [String]
|
44
|
+
# @param results [Array<Contrast::Api::Dtm::AttackResults>]
|
45
|
+
# results to match against.
|
46
|
+
def mask_raw_query query, results
|
47
|
+
masked = EMPTY_STRING
|
48
|
+
hash = URI.decode_www_form(query).to_h
|
49
|
+
mask_with_dictionary results, hash
|
50
|
+
# Restore to string form.
|
51
|
+
hash.each { |k, v| masked += "#{ k + EQUALS }#{ v }#{ AMPERSAND }" }
|
52
|
+
query = masked
|
53
|
+
query.chomp!(masked[-1])
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
@@ -26,3 +26,5 @@ require 'contrast/agent/reporting/reporting_events/observed_route'
|
|
26
26
|
require 'contrast/agent/reporting/reporting_events/route_coverage'
|
27
27
|
require 'contrast/agent/reporting/reporting_events/observed_library_usage'
|
28
28
|
require 'contrast/agent/reporting/reporting_events/poll'
|
29
|
+
# Sensitive data masking
|
30
|
+
require 'contrast/agent/reporting/masker/masker'
|
@@ -4,6 +4,7 @@
|
|
4
4
|
require 'contrast/agent/worker_thread'
|
5
5
|
require 'contrast/agent/reporting/report'
|
6
6
|
require 'contrast/components/logger'
|
7
|
+
require 'contrast/agent/reporting/reporting_events/agent_startup'
|
7
8
|
|
8
9
|
module Contrast
|
9
10
|
module Agent
|
@@ -11,8 +12,6 @@ module Contrast
|
|
11
12
|
class Reporter < WorkerThread
|
12
13
|
include Contrast::Components::Logger::InstanceMethods
|
13
14
|
include Contrast::Utils::ObjectShare
|
14
|
-
# 15 min
|
15
|
-
TIMEOUT = 900.cs__freeze
|
16
15
|
|
17
16
|
class << self
|
18
17
|
# check if we can report to TS
|
@@ -58,19 +57,24 @@ module Contrast
|
|
58
57
|
# to figure out why that is and lock it so that it isn't.
|
59
58
|
next unless client && connection
|
60
59
|
|
61
|
-
|
62
|
-
begin
|
63
|
-
response = client.send_event(event, connection)
|
64
|
-
audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable?
|
65
|
-
rescue StandardError => e
|
66
|
-
logger.error('Could not send message to service from Reporter queue.', e)
|
67
|
-
end
|
68
|
-
sleep(TIMEOUT) if client.sleep?
|
69
|
-
client.wake_up
|
60
|
+
process_event(queue.pop)
|
70
61
|
end
|
71
62
|
end
|
72
63
|
end
|
73
64
|
|
65
|
+
# Suspend the Reporter and try sending the event after the timeout.
|
66
|
+
# The timeout is either default 15 min or received via TS response.
|
67
|
+
#
|
68
|
+
# @param event [Contrast::Agent::Reporting::FindingEvent] Freshly pop-ed event.
|
69
|
+
def handle_resend event
|
70
|
+
sleep(client.timeout) if client.sleep?
|
71
|
+
# Retry once than discard the event. This is trigger on too many events of
|
72
|
+
# same kind error.
|
73
|
+
client.send_event(event, connection) if client.mode.status == client.mode.resending
|
74
|
+
client.mode.reset_mode
|
75
|
+
client.wake_up
|
76
|
+
end
|
77
|
+
|
74
78
|
def send_event event
|
75
79
|
if ::Contrast::AGENT.disabled?
|
76
80
|
logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
|
@@ -117,6 +121,14 @@ module Contrast
|
|
117
121
|
def queue
|
118
122
|
@_queue ||= Queue.new
|
119
123
|
end
|
124
|
+
|
125
|
+
def process_event event
|
126
|
+
response = client.send_event(event, connection)
|
127
|
+
audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable?
|
128
|
+
handle_resend event
|
129
|
+
rescue StandardError => e
|
130
|
+
logger.error('Could not send message to service from Reporter queue.', e)
|
131
|
+
end
|
120
132
|
end
|
121
133
|
end
|
122
134
|
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/reporting/reporting_events/reporting_event'
|
5
|
+
require 'contrast/config'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Reporting
|
10
|
+
# AgentStartup Event which sends the agent data to TeamServer on the startup of a server or process,
|
11
|
+
# used to create a new Server entity there.
|
12
|
+
class AgentStartup < Contrast::Agent::Reporting::ReportingEvent
|
13
|
+
def initialize
|
14
|
+
@event_method = :PUT
|
15
|
+
@event_endpoint = Contrast::Agent::Reporting::Endpoints::NG_ENDPOINTS[:agent_startup]
|
16
|
+
@event_type = :agent_startup
|
17
|
+
super
|
18
|
+
end
|
19
|
+
|
20
|
+
def to_controlled_hash
|
21
|
+
{
|
22
|
+
environment: ::Contrast::CONFIG.root.server.environment,
|
23
|
+
tags: ::Contrast::CONFIG.root.server.tags,
|
24
|
+
version: Contrast::Agent::VERSION
|
25
|
+
}
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -9,9 +9,13 @@ module Contrast
|
|
9
9
|
module Agent
|
10
10
|
module Reporting
|
11
11
|
# This is the new ApplicationInventory class which will include all the needed information
|
12
|
-
# for the new reporting system to report
|
12
|
+
# for the new reporting system to report. Reporting those components or details discovered at
|
13
|
+
# startup, or as soon as possible, but not necessarily seen used by the application. Each of
|
14
|
+
# these messages should only be sent once per application.
|
13
15
|
class ApplicationInventory < Contrast::Agent::Reporting::ReportingEvent
|
14
|
-
|
16
|
+
# @param [Array<Contrast::Agent::Reporting::DiscoveredRoute>] the routes registered to this application, as
|
17
|
+
# discovered during first request processing.
|
18
|
+
attr_reader :routes
|
15
19
|
|
16
20
|
class << self
|
17
21
|
def convert app_update_dtm
|
@@ -31,7 +35,7 @@ module Contrast
|
|
31
35
|
|
32
36
|
def to_controlled_hash
|
33
37
|
{
|
34
|
-
session_id: agent_session_id_value,
|
38
|
+
session_id: @agent_session_id_value,
|
35
39
|
routes: routes.map(&:to_controlled_hash)
|
36
40
|
}
|
37
41
|
end
|
@@ -0,0 +1,40 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/reporting/reporting_events/application_startup_instrumentation'
|
5
|
+
require 'contrast/agent/reporting/reporting_events/reporting_event'
|
6
|
+
require 'contrast/config'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module Agent
|
10
|
+
module Reporting
|
11
|
+
# This is the new ApplicationStartup class which will include all the needed information for the new reporting
|
12
|
+
# system to report an Application has started; creating a new one or marking an existing one as online in the
|
13
|
+
# Contrast UI
|
14
|
+
class ApplicationStartup < Contrast::Agent::Reporting::ReportingEvent
|
15
|
+
def initialize
|
16
|
+
@event_method = :POST
|
17
|
+
@event_endpoint = Contrast::Agent::Reporting::Endpoints::NG_ENDPOINTS[:application_create]
|
18
|
+
super
|
19
|
+
end
|
20
|
+
|
21
|
+
# Convert the instance variables on the class, and other information, into the identifiers required for
|
22
|
+
# TeamServer to process the JSON form of this message.
|
23
|
+
#
|
24
|
+
# @return [Hash]
|
25
|
+
# @raise [ArgumentError]
|
26
|
+
def to_controlled_hash
|
27
|
+
{
|
28
|
+
code: ::Contrast::CONFIG.root.application.code,
|
29
|
+
group: ::Contrast::CONFIG.root.application.group,
|
30
|
+
instrumentation: Contrast::Agent::Reporting::ApplicationStartupInstrumentation.new.to_controlled_hash,
|
31
|
+
metadata: ::Contrast::CONFIG.root.application.metadata,
|
32
|
+
session_id: ::Contrast::CONFIG.root.application.session_id,
|
33
|
+
session_metadata: ::Contrast::CONFIG.root.application.session_metadata,
|
34
|
+
tags: ::Contrast::CONFIG.root.application.tags
|
35
|
+
}
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
@@ -0,0 +1,27 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/components/protect'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
# This is the new ApplicationStartupInstrumentation class which will include all the needed information for the
|
10
|
+
# system to report the instrumentation mode to which the agent was set by local configuration.
|
11
|
+
class ApplicationStartupInstrumentation
|
12
|
+
# Convert the instance variables on the class, and other information, into the identifiers required for
|
13
|
+
# TeamServer to process the JSON form of this message.
|
14
|
+
#
|
15
|
+
# @return [Hash]
|
16
|
+
# @raise [ArgumentError]
|
17
|
+
def to_controlled_hash
|
18
|
+
{
|
19
|
+
protect: {
|
20
|
+
enable: ::Contrast::PROTECT.enabled?
|
21
|
+
}
|
22
|
+
}
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
@@ -100,7 +100,7 @@ module Contrast
|
|
100
100
|
return unless request
|
101
101
|
|
102
102
|
@request = Contrast::Agent::Reporting::FindingRequest.convert(request)
|
103
|
-
@routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
|
103
|
+
@routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route) if request.route
|
104
104
|
end
|
105
105
|
|
106
106
|
# Attach the data from a Contrast::Api::Dtm::Finding required for property based findings generated during
|