contrast-agent 5.3.0 → 6.1.1

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb

@@ -0,0 +1,82 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of Unsafe File Upload
+        # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
+        module UnsafeFileUploadInputClassification
+          # UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
+          #
+          # class << self
+          #   include InputClassificationBase
+          #   include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
+          #
+          #   # Input Classification stage is done to determine if an user input is
+          #   # DEFINITEATTACK or to be ignored.
+          #   #
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   # @param value [String, Array<String>] the value of the input.
+          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #   #                                                       agent analysis from the current
+          #   #                                                       Request.
+          #   # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+          #   def classify input_type, value, input_analysis
+          #     unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
+          #       return
+          #     end
+          #     return unless input_analysis.request
+          #
+          #     rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
+          #     results = []
+          #
+          #     Array(value).each do |val|
+          #       Array(val).each do |v|
+          #         results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
+          #       end
+          #     end
+          #
+          #     input_analysis.results = results
+          #     input_analysis
+          #   end
+          #
+          #   private
+          #
+          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+          #   # key if needed and Creates new isntance of InputAnalysisResult.
+          #   #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   # @param rule_id [String] The name of the Protect Rule.
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   # @param value [String, Array<String>] the value of the input.
+          #   #
+          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          #   def create_new_input_result request, rule_id, input_type, value
+          #     ia_result = new_ia_result rule_id, input_type, request.path, value
+          #     if unsafe_match? value
+          #       ia_result.score_level = DEFINITEATTACK
+          #       ia_result.ids << UNSAFE_UPLOAD_MATCH
+          #     else
+          #       ia_result.score_level = IGNORE
+          #     end
+          #     ia_result.key = if input_type == MULTIPART_FIELD_NAME
+          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
+          #                     else
+          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
+          #                     end
+          #     ia_result
+          #   end
+          # end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb

@@ -0,0 +1,45 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # Here will be made the match of the user input provided by the
+        # Agent InputAnalysis.
+        module UnsafeFileUploadMatcher
+          # EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze # rubocop:disable Style/AsciiComments
+          # # Extensions that can be executed on the server side or can be dangerous on the client side:
+          # # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
+          # EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
+          #
+          # # Match the user input to see if the filename
+          # # contains malicious file extension.
+          # #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def unsafe_match? input
+          #   suspicious_chars?(input) || suspicious_extensions?(input)
+          # end
+          #
+          # private
+          #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def suspicious_chars? input
+          #   input.chars.any? { |c| EXPLOIT_CHARS.include? c }
+          # end
+          #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def suspicious_extensions? input
+          #   EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
+          # end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -2,19 +2,61 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
 
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect Unsafe File Upload rule.
+        # The unsafe-file-upload rule can trigger the following results:
+        # BLOCKED in Blocking mode na SUSPICIOUS in Monitor mode.
         class UnsafeFileUpload < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Agent::Reporting::InputType
+
           NAME = 'unsafe-file-upload'
           BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
+          APPLICABLE_USER_INPUTS = [MULTIPART_NAME, MULTIPART_FIELD_NAME].cs__freeze
 
           def rule_name
             NAME
           end
+
+          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
+          # agent with protect library, we should re-enable these tests and that rule.
+          # TODO: RUBY-1574
+          def enabled?
+            super && false
+          end
+
+          # def block_message
+          #   BLOCK_MESSAGE
+          # end
+          #
+          # def prefilter context
+          #   return unless prefilter?(context)
+          #
+          #   ia_results = gather_ia_results context
+          #
+          #   ia_results.each do |ia_result|
+          #     result = build_attack_result(context)
+          #     build_attack_without_match context, ia_result, result
+          #     append_to_activity context, result
+          #
+          #     cef_logging result, :successful_attack
+          #     raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+          #   end
+          # end
+          #
+          # private
+          #
+          # def prefilter? _context
+          #   return false unless enabled?
+          #   return false if protect_excluded_by_code?
+          #
+          #   true
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xss.rb

@@ -12,6 +12,23 @@ module Contrast
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
 
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  input: attack_sample.xss.input,
+                  matches: attack_sample.xss.matches.map do |match|
+                             {
+                                 evidenceStart: match.evidence_start_ms,
+                                 evidence: match.evidence,
+                                 offset: match.offset
+                             }
+                           end
+              }
+            end
+          end
+
           def rule_name
             NAME
           end

data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb

@@ -11,6 +11,20 @@ module Contrast
           class EntityWrapper
             attr_reader :system_id, :public_id
 
+            DTD_MARKER =   '.dtd'
+            FILE_START =   'file:'
+            FTP_START =    'ftp:'
+            GOPHER_START = 'gopher:'
+            JAR_START =    'jar:'
+            UP_DIR_LINUX = '../'
+            UP_DIR_WIN =   '..\\'
+            # <!ENTITY name SYSTEM "URI">
+            SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
+            # <!ENTITY name PUBLIC "public_ID" "URI">
+            PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
+            # we only use this against lowercase strings, removed A-Z for speed
+            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
+
             def initialize entity
               @system_id = parse_system_id(entity)
               # an entity cannot be system and public
@@ -30,29 +44,16 @@ module Contrast
               @_external_entity
             end
 
-            # <!ENTITY name SYSTEM "URI">
-            SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
             def parse_system_id entity
               match = SYSTEM_ID_REGEXP.match(entity)
               match[:id] if match
             end
 
-            # <!ENTITY name PUBLIC "public_ID" "URI">
-            PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
             def parse_public_id entity
               match = PUBLIC_ID_REGEXP.match(entity)
               match[:id] if match
             end
 
-            DTD_MARKER =   '.dtd'
-            FILE_START =   'file:'
-            FTP_START =    'ftp:'
-            GOPHER_START = 'gopher:'
-            JAR_START =    'jar:'
-            UP_DIR_LINUX = '../'
-            UP_DIR_WIN =   '..\\'
-            # we only use this against lowercase strings, removed A-Z for speed
-            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def external_id? entity_id
               return false unless entity_id
 

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -13,11 +13,34 @@ module Contrast
         # of unsafe external entity resolution.
         class Xxe < Contrast::Agent::Protect::Rule::Base
           include Contrast::Components::Logger::InstanceMethods
+          INPUT_NAME = 'XML Prolog'
 
           NAME = 'xxe'
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
 
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  xml: attack_sample.xxe.xml,
+                  declaredEntities: attack_sample.xxe.declared_entities.map do |entity|
+                                      {
+                                          start: entity.start_idx,
+                                          end: entity.end_idx
+                                      }
+                                    end,
+                  entitiesResolved: attack_sample.xxe.entities_resolved.map do |entity|
+                                      {
+                                          systemId: entity.system_id,
+                                          publicId: entity.public_id
+                                      }
+                                    end
+              }
+            end
+          end
+
           def rule_name
             NAME
           end
@@ -39,8 +62,8 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
-            cef_logging result, :successful_attack, xml
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE)
+            cef_logging(result, :successful_attack, xml)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE))
           end
 
           protected
@@ -100,7 +123,6 @@ module Contrast
             sample
           end
 
-          INPUT_NAME = 'XML Prolog'
           def build_user_input ia_result
             input = Contrast::Api::Dtm::UserInput.new
             input.key = INPUT_NAME

data/lib/contrast/agent/reaction_processor.rb

@@ -33,7 +33,7 @@ module Contrast
 
           case reaction.operation
           when Contrast::Api::Settings::Reaction::Operation::DISABLE
-            Contrast::Agent::DisableReaction.run reaction, level
+            Contrast::Agent::DisableReaction.run(reaction, level)
           when Contrast::Api::Settings::Reaction::Operation::NOOP
             # NOOP
           else

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/utils/timer'
+require 'contrast/agent/reporting/attack_result/response_type'
+require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the new Attacks results generated by our
+      # protect rules.
+      class AttackResult
+        RESPONSE_TYPE = Contrast::Agent::Reporting::ResponseType
+        # Generated the attack result
+        #
+        # @return @_response_type [Contrast::Agent::Reporting::ResponseType]
+        def response
+          @_response ||= RESPONSE_TYPE::NO_ACTION
+        end
+
+        # sets the response_type
+        #
+        # @param response_type [Contrast::Agent::Reporting::Settings::InputAnalysisResult]
+        # @return @_response_type []
+        def response= response_type
+          @_response = response_type if RESPONSE_TYPE.to_a.include?(response_type)
+        end
+
+        # @return @_rule_id [String]
+        def rule_id
+          @_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param rule_id [String]
+        # @return @_rule_id [String]
+        def rule_id= rule_id
+          @_rule_id = rule_id if rule_id.is_a?(String)
+        end
+
+        # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        def samples
+          @_samples ||= []
+        end
+
+        # @param samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        def samples= samples
+          @_samples = samples if samples.is_a?(Array)
+        end
+
+        def tags
+          @_tags ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        def tags= tags
+          @_tags = tags if tags.is_a?(String)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb

@@ -0,0 +1,52 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/utils/timer'
+require 'contrast/agent/reporting/attack_result/user_input'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the new RaspRuleSample.
+      # protect rules.
+      class RaspRuleSample # rubocop:disable Lint/EmptyClass
+        # def timestamp
+        #   @_timestamp ||= 0
+        # end
+        #
+        # def timestamp= timestamp_ms
+        #   @_timestamp = timestamp_ms
+        # end
+        #
+        # def user_input
+        #   @_user_input ||= Contrast::Agent::Reporting::UserInput.new
+        # end
+        #
+        # def user_input= input
+        #   @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
+        # end
+        #
+        # def build context, ia_result
+        #   sample = self
+        #   sample.timestamp = context&.timer&.start_ms
+        #   sample.user_input = build_user_input_from_ia(ia_result)
+        #   sample.user_input.document_type = if context&.request
+        #                                       Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
+        #                                     end
+        #   sample
+        # end
+        #
+        # def build_user_input_from_ia ia_result
+        #   user_input = Contrast::Agent::Reporting::UserInput.new
+        #   user_input.input_type = ia_result.input_type
+        #   user_input.matcher_ids = ia_result.ids
+        #   user_input.path = ia_result.path
+        #   user_input.key = ia_result.key if ia_result.key
+        #   user_input.value = ia_result.value if ia_result.value
+        #   user_input
+        # end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/attack_result/response_type.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold the response types used to generate
+      # attack result.
+      module ResponseType
+        BLOCKED             = :BLOCKED.cs__freeze
+        MONITORED           = :MONITORED.cs__freeze
+        PROBED              = :PROBED.cs__freeze
+        BLOCK_AT_PERIMETER  = :BLOCK_AT_PERIMETER.cs__freeze
+        SUSPICIOUS          = :SUSPICIOUS.cs__freeze
+        AGGREGATED          = :AGGREGATED.cs__freeze
+        EXPLOITED           = :EXPLOITED.cs__freeze
+        NO_ACTION           = :NO_ACTION.cs__freeze
+
+        class << self
+          def to_a
+            [NO_ACTION, BLOCKED, MONITORED, PROBED, BLOCK_AT_PERIMETER, EXPLOITED, SUSPICIOUS, AGGREGATED]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/attack_result/user_input.rb

@@ -0,0 +1,87 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/request_context'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the new Sqli detail used by RaspRuleSample
+      class UserInput
+        INPUT_TYPE = Contrast::Agent::Reporting::InputType
+        DOCUMENT_TYPE = { XML: :XML, JSON: :JSON, NORMAL: :NORMAL }.cs__freeze
+
+        # @return @_path [String]
+        def path
+          @_path ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param path [String]
+        # @return @_path [String]
+        def path= path
+          @_path = path if path.is_a?(String)
+        end
+
+        # @return @_key [String]
+        def key
+          @_key ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param key [String]
+        # @return @_key [String]
+        def key= key
+          @_key = key if key.is_a?(String)
+        end
+
+        # @return value [String]
+        def value
+          @_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param value [String]
+        # @return value [String]
+        def value= value
+          @_value = value if value.is_a?(String)
+        end
+
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type
+          @_input_type ||= INPUT_TYPE::UNDEFINED_TYPE
+        end
+
+        # @param input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        # @return @_input_type [
+        # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
+        def input_type= input_type
+          @_input_type = input_type if INPUT_TYPE.to_a.include?(input_type)
+        end
+
+        # type [Symbol<:XML, :JSON, :NORMAL>]
+        def document_type
+          @_document_type ||= DOCUMENT_TYPE[:NORMAL]
+        end
+
+        def document_type= type
+          @_document_type = type if DOCUMENT_TYPE.value?(type)
+        end
+
+        # Matchers IDs
+        # @return @_ids [Array<String>]
+        def matcher_ids
+          @_matcher_ids ||= []
+        end
+
+        # Matchers IDs
+        # @param ids [Array<String>]
+        # @return @_ids [Array<String>]
+        def matcher_ids= ids
+          @_matcher_ids = ids if ids.is_a?(Array) && ids.any?(String)
+        end
+      end
+    end
+  end
+end