contrast-agent 5.3.0 → 6.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +1 -1
- data/Rakefile +1 -1
- data/ext/build_funchook.rb +3 -3
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +24 -6
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +15 -2
- data/ext/cs__assess_regexp/cs__assess_regexp.h +2 -0
- data/ext/cs__assess_string/cs__assess_string.c +21 -1
- data/ext/cs__assess_test/cs__assess_test.h +9 -0
- data/ext/cs__assess_test/cs__assess_tests.c +22 -0
- data/ext/cs__assess_test/extconf.rb +5 -0
- data/ext/cs__common/cs__common.c +113 -11
- data/ext/cs__common/cs__common.h +29 -5
- data/ext/cs__contrast_patch/cs__contrast_patch.c +55 -44
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +146 -97
- data/ext/cs__tests/cs__tests.c +12 -0
- data/ext/cs__tests/cs__tests.h +3 -0
- data/ext/cs__tests/extconf.rb +5 -0
- data/ext/extconf_common.rb +1 -1
- data/lib/contrast/agent/assess/contrast_object.rb +16 -16
- data/lib/contrast/agent/assess/events/source_event.rb +17 -19
- data/lib/contrast/agent/assess/finalizers/hash.rb +4 -2
- data/lib/contrast/agent/assess/policy/policy.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_node.rb +58 -36
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -16
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +48 -14
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +119 -0
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/split.rb +17 -21
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +11 -17
- data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +2 -2
- data/lib/contrast/agent/assess/property/tagged.rb +3 -3
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +12 -7
- data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +13 -6
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +66 -43
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
- data/lib/contrast/agent/assess/tag.rb +13 -14
- data/lib/contrast/agent/at_exit_hook.rb +12 -1
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/inventory/database_config.rb +10 -3
- data/lib/contrast/agent/middleware.rb +10 -5
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -5
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
- data/lib/contrast/agent/patching/policy/patch.rb +20 -19
- data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
- data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
- data/lib/contrast/agent/patching/policy/policy.rb +13 -15
- data/lib/contrast/agent/patching/policy/policy_node.rb +32 -21
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +132 -75
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +4 -3
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
- data/lib/contrast/agent/protect/rule/base.rb +53 -9
- data/lib/contrast/agent/protect/rule/base_service.rb +31 -12
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +23 -3
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +72 -46
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -2
- data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +2 -5
- data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/protect/rule/xss.rb +17 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
- data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +243 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +62 -0
- data/lib/contrast/agent/reporting/report.rb +2 -0
- data/lib/contrast/agent/reporting/reporter.rb +29 -22
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +34 -0
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +96 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +182 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +56 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +13 -5
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +60 -0
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +44 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +7 -12
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +10 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +2 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +16 -12
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +10 -8
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +8 -11
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +12 -20
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +17 -27
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +29 -13
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +64 -76
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +17 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +100 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +75 -13
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +163 -122
- data/lib/contrast/agent/reporting/settings/application_settings.rb +10 -1
- data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +7 -35
- data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +21 -6
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +6 -6
- data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
- data/lib/contrast/agent/request.rb +5 -5
- data/lib/contrast/agent/request_context.rb +25 -21
- data/lib/contrast/agent/request_context_extend.rb +12 -25
- data/lib/contrast/agent/request_handler.rb +7 -3
- data/lib/contrast/agent/response.rb +2 -0
- data/lib/contrast/agent/rule_set.rb +2 -2
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +6 -48
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/telemetry/base.rb +155 -0
- data/lib/contrast/agent/telemetry/events/event.rb +35 -0
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +59 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +44 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +115 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +83 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +64 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +20 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +30 -0
- data/lib/contrast/agent/telemetry/events/metric_event.rb +28 -0
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +123 -0
- data/lib/contrast/agent/thread_watcher.rb +52 -68
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent/worker_thread.rb +8 -0
- data/lib/contrast/agent.rb +4 -3
- data/lib/contrast/api/communication/messaging_queue.rb +29 -12
- data/lib/contrast/api/communication/response_processor.rb +7 -10
- data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +1 -1
- data/lib/contrast/api/communication/speedracer.rb +3 -3
- data/lib/contrast/api/decorators/activity.rb +33 -0
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +10 -9
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +4 -4
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/response_type.rb +17 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/base.rb +1 -1
- data/lib/contrast/components/config.rb +19 -28
- data/lib/contrast/components/contrast_service.rb +13 -1
- data/lib/contrast/components/protect.rb +2 -2
- data/lib/contrast/components/sampling.rb +8 -12
- data/lib/contrast/components/settings.rb +151 -19
- data/lib/contrast/config/agent_configuration.rb +34 -41
- data/lib/contrast/config/api_configuration.rb +16 -75
- data/lib/contrast/config/api_proxy_configuration.rb +9 -48
- data/lib/contrast/config/application_configuration.rb +24 -95
- data/lib/contrast/config/assess_configuration.rb +21 -76
- data/lib/contrast/config/assess_rules_configuration.rb +13 -38
- data/lib/contrast/config/base_configuration.rb +11 -76
- data/lib/contrast/config/certification_configuration.rb +15 -68
- data/lib/contrast/config/exception_configuration.rb +15 -59
- data/lib/contrast/config/heap_dump_configuration.rb +19 -73
- data/lib/contrast/config/inventory_configuration.rb +11 -55
- data/lib/contrast/config/logger_configuration.rb +8 -41
- data/lib/contrast/config/protect_configuration.rb +23 -10
- data/lib/contrast/config/protect_rule_configuration.rb +23 -37
- data/lib/contrast/config/protect_rules_configuration.rb +39 -43
- data/lib/contrast/config/request_audit_configuration.rb +16 -55
- data/lib/contrast/config/root_configuration.rb +71 -14
- data/lib/contrast/config/ruby_configuration.rb +14 -47
- data/lib/contrast/config/sampling_configuration.rb +12 -65
- data/lib/contrast/config/server_configuration.rb +13 -45
- data/lib/contrast/config/service_configuration.rb +18 -54
- data/lib/contrast/configuration.rb +25 -17
- data/lib/contrast/extension/assess/array.rb +1 -1
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/assess/marshal.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/extension.rb +2 -2
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/base_support.rb +8 -8
- data/lib/contrast/framework/grape/support.rb +3 -3
- data/lib/contrast/framework/manager.rb +7 -7
- data/lib/contrast/framework/manager_extend.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +14 -46
- data/lib/contrast/framework/rails/support.rb +2 -2
- data/lib/contrast/framework/sinatra/support.rb +1 -1
- data/lib/contrast/logger/aliased_logging.rb +94 -0
- data/lib/contrast/logger/application.rb +1 -5
- data/lib/contrast/logger/cef_log.rb +15 -15
- data/lib/contrast/logger/format.rb +1 -1
- data/lib/contrast/logger/log.rb +8 -8
- data/lib/contrast/tasks/config.rb +100 -4
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/assess/tracking_util.rb +4 -4
- data/lib/contrast/utils/class_util.rb +9 -22
- data/lib/contrast/utils/findings.rb +3 -3
- data/lib/contrast/utils/hash_digest.rb +6 -7
- data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/invalid_configuration_util.rb +2 -2
- data/lib/contrast/utils/log_utils.rb +7 -5
- data/lib/contrast/utils/lru_cache.rb +1 -1
- data/lib/contrast/utils/metrics_hash.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +15 -14
- data/lib/contrast/utils/net_http_base.rb +5 -5
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +1 -6
- data/lib/contrast/utils/patching/policy/patch_utils.rb +6 -7
- data/lib/contrast/utils/request_utils.rb +2 -2
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/sha256_builder.rb +4 -4
- data/lib/contrast/utils/stack_trace_utils.rb +31 -13
- data/lib/contrast/utils/telemetry.rb +22 -7
- data/lib/contrast/utils/telemetry_client.rb +28 -16
- data/lib/contrast/utils/telemetry_hash.rb +41 -0
- data/lib/contrast/utils/telemetry_identifier.rb +18 -3
- data/lib/contrast/utils/timer.rb +1 -1
- data/lib/contrast.rb +9 -0
- data/resources/assess/policy.json +99 -1
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +10 -9
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +99 -29
- data/lib/contrast/agent/metric_telemetry_event.rb +0 -26
- data/lib/contrast/agent/startup_metrics_telemetry_event.rb +0 -121
- data/lib/contrast/agent/telemetry.rb +0 -137
- data/lib/contrast/agent/telemetry_event.rb +0 -33
- data/lib/contrast/utils/exclude_key.rb +0 -20
@@ -49,11 +49,11 @@ module Contrast
|
|
49
49
|
].cs__freeze
|
50
50
|
|
51
51
|
def enter_method_scope! method_policy
|
52
|
-
contrast_enter_method_scopes!
|
52
|
+
contrast_enter_method_scopes!(method_policy.scopes_to_enter)
|
53
53
|
end
|
54
54
|
|
55
55
|
def exit_method_scope! method_policy
|
56
|
-
contrast_exit_method_scopes!
|
56
|
+
contrast_exit_method_scopes!(method_policy.scopes_to_exit)
|
57
57
|
end
|
58
58
|
|
59
59
|
# @param mod [Module] the module in which the patch should be
|
@@ -114,16 +114,15 @@ module Contrast
|
|
114
114
|
# (equivalent to :alias, where `module = module.singleton class`)
|
115
115
|
# (this is a.k.a. "class-method patch")
|
116
116
|
# :prepend -> prepend instance method of module
|
117
|
-
#
|
117
|
+
# :prepending singleton -> prepend singleton method of module
|
118
118
|
# @return [Symbol] new alias for the underlying method (presumably, so the patched method can call it)
|
119
119
|
def register_c_patch target_module_name, unbound_method, impl = :alias_instance
|
120
120
|
# These could be set as AfterLoadPatches.
|
121
121
|
method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
|
122
|
-
underlying_method_name =
|
122
|
+
underlying_method_name = underlying_method_name(method_name, impl)
|
123
123
|
|
124
124
|
target_module = Module.cs__const_get(target_module_name)
|
125
|
-
target_module = target_module.cs__singleton_class if %i[prepend_singleton
|
126
|
-
target_module = target_module.cs__singleton_class if %i[alias_singleton prepend].include? impl
|
125
|
+
target_module = target_module.cs__singleton_class if %i[prepend_singleton alias_singleton].include?(impl)
|
127
126
|
|
128
127
|
visibility = if target_module.private_instance_methods(false).include?(method_name)
|
129
128
|
:private
|
@@ -132,14 +131,14 @@ module Contrast
|
|
132
131
|
elsif target_module.public_instance_methods(false).include?(method_name)
|
133
132
|
:public
|
134
133
|
else
|
135
|
-
raise
|
136
|
-
<<~ERR
|
134
|
+
raise(NoMethodError,
|
135
|
+
<<~ERR)
|
137
136
|
Tried to register a C-defined #{ impl } patch for \
|
138
137
|
#{ target_module_name }##{ method_name }, but can't find :#{ method_name }.
|
139
138
|
ERR
|
140
139
|
end
|
141
140
|
|
142
|
-
reflect_implementation
|
141
|
+
reflect_implementation(impl, target_module, unbound_method, visibility)
|
143
142
|
# Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
|
144
143
|
# can't invoke this logging method or we'll seg fault as we'd
|
145
144
|
# change the method definition mid-call
|
@@ -161,29 +160,25 @@ module Contrast
|
|
161
160
|
# @param visibility [Symbol] method visibility
|
162
161
|
def reflect_implementation impl, target_module, unbound_method, visibility
|
163
162
|
method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
|
164
|
-
underlying_method_name =
|
163
|
+
underlying_method_name = underlying_method_name(method_name, impl)
|
165
164
|
|
166
165
|
case impl
|
167
166
|
when :alias_instance, :alias_singleton
|
168
167
|
# Core to patching. Ignore define method usage cop.
|
169
168
|
# rubocop:disable Performance/Kernel/DefineMethod
|
170
|
-
unless target_module.instance_methods(false).include?
|
169
|
+
unless target_module.instance_methods(false).include?(underlying_method_name)
|
171
170
|
# alias_method may be private
|
172
171
|
target_module.send(:alias_method, underlying_method_name, method_name)
|
173
172
|
target_module.send(:define_method, method_name, unbound_method.bind(target_module))
|
174
173
|
end
|
175
174
|
target_module.send(visibility, method_name) # e.g., module.private(:my_method)
|
176
175
|
when :prepend_instance, :prepend_singleton
|
176
|
+
prepending_module = Module.new
|
177
|
+
prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
|
178
|
+
prepending_module.send(visibility, method_name)
|
177
179
|
|
178
|
-
unless target_module.instance_methods(false).include? underlying_method_name
|
179
|
-
|
180
|
-
prepending_module = Module.new
|
181
|
-
prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
|
182
|
-
prepending_module.send(visibility, method_name)
|
183
|
-
|
184
|
-
end
|
185
180
|
# This prepends to the singleton class (it patches a class method)
|
186
|
-
target_module.prepend
|
181
|
+
target_module.prepend(prepending_module)
|
187
182
|
# rubocop:enable Performance/Kernel/DefineMethod
|
188
183
|
end
|
189
184
|
end
|
@@ -207,6 +202,12 @@ module Contrast
|
|
207
202
|
|
208
203
|
!ASSESS&.enabled?
|
209
204
|
end
|
205
|
+
|
206
|
+
def underlying_method_name method_name, impl
|
207
|
+
return method_name.to_sym if %i[prepend_instance prepend_singleton].include?(impl)
|
208
|
+
|
209
|
+
build_unbound_method_name(method_name).to_sym
|
210
|
+
end
|
210
211
|
end
|
211
212
|
end
|
212
213
|
end
|
@@ -99,10 +99,17 @@ module Contrast
|
|
99
99
|
:CONTRAST_PATCH_POLICY_STATUS
|
100
100
|
end
|
101
101
|
|
102
|
+
# @param mod [Module or Class] the entity on which the patch has been placed
|
103
|
+
# @param method [Symbol] the method being patched
|
104
|
+
# @param ret [Contrast::Agent::Patching::Policy::MethodPolicy] the policy of the patched method
|
102
105
|
def update_holder mod, method, ret
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
+
unless mod.instance_variable_defined?(method_info_key) &&
|
107
|
+
(holder = mod.instance_variable_get(method_info_key))
|
108
|
+
|
109
|
+
holder = {}
|
110
|
+
mod.instance_variable_set(method_info_key, holder)
|
111
|
+
end
|
112
|
+
holder[method] = ret # rubocop:disable Lint/UselessSetterCall
|
106
113
|
end
|
107
114
|
|
108
115
|
def find_info_for candidates, method
|
@@ -133,7 +133,7 @@ module Contrast
|
|
133
133
|
# @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
|
134
134
|
# @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
|
135
135
|
# Contrast::Agent::Patching::Policy::PatchStatus status on the Module
|
136
|
-
def patch_into_module module_data, redo_patch
|
136
|
+
def patch_into_module module_data, redo_patch: false
|
137
137
|
status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod)
|
138
138
|
return if (status&.patched? || status&.patching?) && !redo_patch
|
139
139
|
|
@@ -179,7 +179,7 @@ module Contrast
|
|
179
179
|
# @param private [Boolean] Indicate if the query should include
|
180
180
|
# private, as well as public, instance methods
|
181
181
|
# @return [Array<Symbol>]
|
182
|
-
def all_instance_methods mod, private
|
182
|
+
def all_instance_methods mod, private: false
|
183
183
|
instance_methods = mod.instance_methods(false)
|
184
184
|
# C magic rb_define_global_function creates private instance
|
185
185
|
# methods. We need to instrument those dudes
|
@@ -206,8 +206,8 @@ module Contrast
|
|
206
206
|
# this module, sorted by type.
|
207
207
|
def patch_into_instance_methods module_data, module_policy
|
208
208
|
mod = module_data.mod
|
209
|
-
methods = all_instance_methods(mod, true)
|
210
|
-
methods.delete(:initialize) if mod.to_s.
|
209
|
+
methods = all_instance_methods(mod, private: true)
|
210
|
+
methods.delete(:initialize) if mod.to_s.start_with?('RSpec') && mod.to_s.include?('Matchers')
|
211
211
|
patch_into_methods(mod, methods, module_policy, true)
|
212
212
|
end
|
213
213
|
|
@@ -20,6 +20,19 @@ module Contrast
|
|
20
20
|
class Policy
|
21
21
|
include Singleton
|
22
22
|
include Contrast::Components::Logger::InstanceMethods
|
23
|
+
SOURCES_KEY = 'sources'
|
24
|
+
PROPAGATION_KEY = 'propagators'
|
25
|
+
RULES_KEY = 'rules'
|
26
|
+
TRIGGERS_KEY = 'triggers'
|
27
|
+
def initialize
|
28
|
+
@sources = []
|
29
|
+
@propagators = []
|
30
|
+
@triggers = []
|
31
|
+
@providers = {}
|
32
|
+
|
33
|
+
json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
|
34
|
+
from_hash_string(json)
|
35
|
+
end
|
23
36
|
|
24
37
|
# Indicates the folder in `resources` where this policy lives.
|
25
38
|
def self.policy_folder
|
@@ -38,25 +51,10 @@ module Contrast
|
|
38
51
|
|
39
52
|
attr_reader :sources, :propagators, :triggers, :providers
|
40
53
|
|
41
|
-
SOURCES_KEY = 'sources'
|
42
|
-
PROPAGATION_KEY = 'propagators'
|
43
|
-
RULES_KEY = 'rules'
|
44
|
-
TRIGGERS_KEY = 'triggers'
|
45
|
-
|
46
54
|
def self.policy_json
|
47
55
|
File.join(policy_folder, 'policy.json').cs__freeze
|
48
56
|
end
|
49
57
|
|
50
|
-
def initialize
|
51
|
-
@sources = []
|
52
|
-
@propagators = []
|
53
|
-
@triggers = []
|
54
|
-
@providers = {}
|
55
|
-
|
56
|
-
json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
|
57
|
-
from_hash_string(json)
|
58
|
-
end
|
59
|
-
|
60
58
|
# Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
|
61
59
|
# monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
|
62
60
|
# be flexible and extensible.
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/scope'
|
5
|
+
require 'contrast/utils/object_share'
|
5
6
|
|
6
7
|
module Contrast
|
7
8
|
module Agent
|
@@ -13,18 +14,14 @@ module Contrast
|
|
13
14
|
# @abstract
|
14
15
|
class PolicyNode
|
15
16
|
include Contrast::Components::Scope::InstanceMethods
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
def feature
|
25
|
-
raise NoMethodError, 'specify the name of the feature for which this node patches'
|
26
|
-
end
|
27
|
-
|
17
|
+
JSON_METHOD_VISIBILITY = 'method_visibility'
|
18
|
+
JSON_PROPERTIES = 'properties'
|
19
|
+
JSON_METHOD_NAME = 'method_name'
|
20
|
+
JSON_METHOD_SCOPE = 'scope'
|
21
|
+
# The keys used to read from policy.json to create the individual
|
22
|
+
# policy nodes. These are common across node types
|
23
|
+
JSON_CLASS_NAME = 'class_name'
|
24
|
+
JSON_INSTANCE_METHOD = 'instance_method'
|
28
25
|
def initialize policy_hash = {}
|
29
26
|
@class_name = policy_hash[JSON_CLASS_NAME]
|
30
27
|
@instance_method = policy_hash[JSON_INSTANCE_METHOD]
|
@@ -35,6 +32,29 @@ module Contrast
|
|
35
32
|
symbolize
|
36
33
|
end
|
37
34
|
|
35
|
+
# Name of the class in which the method is being invoked.
|
36
|
+
attr_accessor :class_name
|
37
|
+
# Check for instance method.
|
38
|
+
#
|
39
|
+
# @return true | false
|
40
|
+
attr_accessor :instance_method
|
41
|
+
# The symbol representation of the invoked method.
|
42
|
+
attr_accessor :method_name
|
43
|
+
# Visibility of the invoked method [Private, Public, Protected]
|
44
|
+
attr_accessor :method_visibility
|
45
|
+
# Properties parsed from our JSON policy.
|
46
|
+
attr_reader :properties
|
47
|
+
# Scope of the method parsed from our JSON policy.
|
48
|
+
attr_reader :method_scope
|
49
|
+
|
50
|
+
def node_class
|
51
|
+
raise(NoMethodError, 'specify the type of the feature for which this node patches')
|
52
|
+
end
|
53
|
+
|
54
|
+
def feature
|
55
|
+
raise(NoMethodError, 'specify the name of the feature for which this node patches')
|
56
|
+
end
|
57
|
+
|
38
58
|
def id
|
39
59
|
@_id ||= "#{ feature }:#{ node_class }:#{ class_name }#{ instance_method? ? '#' : '.' }#{ method_name }"
|
40
60
|
end
|
@@ -78,15 +98,6 @@ module Contrast
|
|
78
98
|
@method_visibility = @method_visibility.to_sym if @method_visibility
|
79
99
|
@method_scope = @method_scope.to_sym if @method_scope
|
80
100
|
end
|
81
|
-
|
82
|
-
# The keys used to read from policy.json to create the individual
|
83
|
-
# policy nodes. These are common across node types
|
84
|
-
JSON_CLASS_NAME = 'class_name'
|
85
|
-
JSON_INSTANCE_METHOD = 'instance_method'
|
86
|
-
JSON_METHOD_NAME = 'method_name'
|
87
|
-
JSON_METHOD_SCOPE = 'scope'
|
88
|
-
JSON_METHOD_VISIBILITY = 'method_visibility'
|
89
|
-
JSON_PROPERTIES = 'properties'
|
90
101
|
end
|
91
102
|
end
|
92
103
|
end
|
@@ -24,6 +24,7 @@ module Contrast
|
|
24
24
|
attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
|
25
25
|
:rule_id
|
26
26
|
|
27
|
+
NODE = 'Trigger'
|
27
28
|
def initialize trigger_hash = {}, rule_hash = {}
|
28
29
|
super(trigger_hash)
|
29
30
|
@rule_id = rule_hash[JSON_NAME]
|
@@ -36,7 +37,6 @@ module Contrast
|
|
36
37
|
@applicator_method = (trigger_hash[JSON_APPLICATOR_METHOD] || rule_hash[JSON_APPLICATOR_METHOD]).to_sym
|
37
38
|
end
|
38
39
|
|
39
|
-
NODE = 'Trigger'
|
40
40
|
def node_class
|
41
41
|
NODE
|
42
42
|
end
|
@@ -0,0 +1,38 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/components/logger'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Protect
|
9
|
+
# This class will store all exploits or definite attack but
|
10
|
+
# require us to wait for response
|
11
|
+
class ExploitableCollection
|
12
|
+
include Contrast::Components::Logger::InstanceMethods
|
13
|
+
|
14
|
+
def initialize
|
15
|
+
@_collection = []
|
16
|
+
end
|
17
|
+
|
18
|
+
def collection
|
19
|
+
@_collection ||= []
|
20
|
+
end
|
21
|
+
|
22
|
+
# Push the Result we need to store until response is available
|
23
|
+
#
|
24
|
+
# @param attack_result [Contrast::Agent::Reporting::AttackResult]
|
25
|
+
def push attack_result
|
26
|
+
@_collection << attack_result
|
27
|
+
end
|
28
|
+
|
29
|
+
# Attach attack results to the context
|
30
|
+
#
|
31
|
+
# @param context [Contrast::Agent::RequestContext]
|
32
|
+
def report_recorded_exploits context
|
33
|
+
context.activity.results.concat(@_collection)
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
@@ -4,7 +4,14 @@
|
|
4
4
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
5
5
|
require 'contrast/agent/reporting/input_analysis/score_level'
|
6
6
|
require 'contrast/agent/reporting/input_analysis/input_analysis'
|
7
|
+
require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
|
7
8
|
require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
|
9
|
+
require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
|
10
|
+
require 'contrast/agent/protect/rule/unsafe_file_upload'
|
11
|
+
require 'contrast/components/logger'
|
12
|
+
require 'contrast/utils/object_share'
|
13
|
+
require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
|
14
|
+
require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
|
8
15
|
require 'json'
|
9
16
|
|
10
17
|
module Contrast
|
@@ -13,81 +20,131 @@ module Contrast
|
|
13
20
|
# InputAnalyzer will extract input form current request context and will analyze it.
|
14
21
|
# This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
|
15
22
|
module InputAnalyzer
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
23
|
+
# DISPOSITION_NAME = 'name'
|
24
|
+
# DISPOSITION_FILENAME = 'filename'
|
25
|
+
#
|
26
|
+
# class << self
|
27
|
+
# include Contrast::Agent::Reporting::InputType
|
28
|
+
# include Contrast::Agent::Reporting::ScoreLevel
|
29
|
+
# include Contrast::Agent::Protect::Rule::SqliWorthWatching
|
30
|
+
# include Contrast::Utils::ObjectShare
|
31
|
+
# include Contrast::Agent::Protect::Rule::CmdiWorthWatching
|
32
|
+
#
|
33
|
+
# PROTECT_RULES = {
|
34
|
+
# sqli: {
|
35
|
+
# rule_name: 'sql-injection',
|
36
|
+
# classification: Contrast::Agent::Protect::Rule::SqliInputClassification
|
37
|
+
# },
|
38
|
+
# cmdi: {
|
39
|
+
# rule_name: 'cmd-injection',
|
40
|
+
# classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
|
41
|
+
# },
|
42
|
+
# method_tampering: {
|
43
|
+
# rule_name: 'method-tampering',
|
44
|
+
# classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
|
45
|
+
# },
|
46
|
+
# unsafe_file_upload: {
|
47
|
+
# rule_name: 'unsafe-file-upload',
|
48
|
+
# classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
|
49
|
+
# },
|
50
|
+
# nosqli: {
|
51
|
+
# rule_name: 'nosql-injection',
|
52
|
+
# classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
|
53
|
+
# }
|
54
|
+
# }.cs__freeze
|
55
|
+
#
|
56
|
+
# # This method with analyze the user input from the context of the
|
57
|
+
# # current request and run each of the protect rules against all
|
58
|
+
# # found input types
|
59
|
+
# #
|
60
|
+
# # @param request [Contrast::Agent::Request] current request context.
|
61
|
+
# # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
|
62
|
+
# def analyse request
|
63
|
+
# return unless Contrast::PROTECT.enabled?
|
64
|
+
# return if request.nil?
|
65
|
+
#
|
66
|
+
# inputs = extract_input request
|
67
|
+
# return unless inputs
|
68
|
+
#
|
69
|
+
# input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
|
70
|
+
# input_analysis.request = request
|
71
|
+
# # each rule against each input
|
72
|
+
# input_classification inputs, input_analysis
|
73
|
+
# input_analysis
|
74
|
+
# end
|
75
|
+
#
|
76
|
+
# private
|
77
|
+
#
|
78
|
+
# # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
|
79
|
+
# #
|
80
|
+
# # @param inputs [String, Array<String>] user input to be analysed.
|
81
|
+
# # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
|
82
|
+
# # for each protect rule.
|
83
|
+
# # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
|
84
|
+
# def input_classification inputs, input_analysis
|
85
|
+
# # key = input type, value = user_input
|
86
|
+
# inputs.each do |input_type, value|
|
87
|
+
# next if value.nil? || value.empty?
|
88
|
+
#
|
89
|
+
# PROTECT_RULES.each do |_key, rule|
|
90
|
+
# protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
|
91
|
+
# logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
|
92
|
+
#
|
93
|
+
# # check if rule is enabled
|
94
|
+
# next unless protect_rule&.enabled?
|
95
|
+
#
|
96
|
+
# # method tampering doesn't take value
|
97
|
+
# if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
|
98
|
+
# rule[:classification].send(:classify, input_type, input_analysis)
|
99
|
+
# else
|
100
|
+
# rule[:classification].send(:classify, input_type, value, input_analysis)
|
101
|
+
# end
|
102
|
+
# end
|
103
|
+
# end
|
104
|
+
# input_analysis
|
105
|
+
# end
|
106
|
+
#
|
107
|
+
# # Extract the inputs from the request context and label them with Protect
|
108
|
+
# # input type tags. Each tag will contain one or more user inputs.
|
109
|
+
# #
|
110
|
+
# # This methods is to be expanded and modified as needed by other Protect rules
|
111
|
+
# # and sub-rules for their requirements.
|
112
|
+
# #
|
113
|
+
# # @param request [Contrast::Agent::Request] current request context.
|
114
|
+
# # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
|
115
|
+
# def extract_input request
|
116
|
+
# inputs = {}
|
117
|
+
# inputs[BODY] = request.body
|
118
|
+
# inputs[COOKIE_NAME] = request.cookies.keys
|
119
|
+
# inputs[COOKIE_VALUE] = request.cookies.values
|
120
|
+
# inputs[HEADER] = request.headers
|
121
|
+
# inputs[PARAMETER_NAME] = request.parameters.keys
|
122
|
+
# inputs[PARAMETER_VALUE] = request.parameters.values
|
123
|
+
# inputs[QUERYSTRING] = request.query_string
|
124
|
+
# inputs[METHOD] = request.request_method
|
125
|
+
# extract_multipart inputs, request
|
126
|
+
# inputs.compact!
|
127
|
+
# inputs
|
128
|
+
# end
|
129
|
+
#
|
130
|
+
# # Extract the filename and name of the Content Disposition Header.
|
131
|
+
# #
|
132
|
+
# # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
|
133
|
+
# # @param request [Contrast::Agent::Request] current request context.
|
134
|
+
# def extract_multipart inputs, request
|
135
|
+
# disposition = request.rack_request.env['Content-Disposition']
|
136
|
+
# disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
|
137
|
+
# return unless disposition
|
138
|
+
#
|
139
|
+
# pairs = {}
|
140
|
+
# disposition.split(SEMICOLON).each do |elem|
|
141
|
+
# new_pair = elem.strip.split(EQUALS, 2)
|
142
|
+
# pairs[new_pair[0].downcase] = new_pair[1] if new_pair
|
143
|
+
# end
|
144
|
+
# inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
|
145
|
+
# inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
|
146
|
+
# end
|
147
|
+
# end
|
91
148
|
end
|
92
149
|
end
|
93
150
|
end
|
@@ -41,7 +41,8 @@ module Contrast
|
|
41
41
|
private
|
42
42
|
|
43
43
|
def valid_input? args
|
44
|
-
return false unless args
|
44
|
+
return false unless args
|
45
|
+
return false unless args.cs__is_a?(Array) && args.any?
|
45
46
|
|
46
47
|
args[0]
|
47
48
|
end
|
@@ -54,9 +55,9 @@ module Contrast
|
|
54
55
|
end
|
55
56
|
|
56
57
|
def extract_mongo_data operation
|
57
|
-
if operation.cs__respond_to?
|
58
|
+
if operation.cs__respond_to?(:selector)
|
58
59
|
operation.selector
|
59
|
-
elsif operation.cs__respond_to?
|
60
|
+
elsif operation.cs__respond_to?(:documents)
|
60
61
|
operation.documents
|
61
62
|
end
|
62
63
|
end
|
@@ -65,11 +65,11 @@ module Contrast
|
|
65
65
|
end
|
66
66
|
|
67
67
|
def path_traversal_rule path, possible_write, object, method
|
68
|
-
return unless applies_to?(path, possible_write)
|
68
|
+
return unless applies_to?(path, possible_write: possible_write)
|
69
69
|
|
70
70
|
rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
|
71
71
|
rescue Contrast::SecurityException => e
|
72
|
-
raise
|
72
|
+
raise(e)
|
73
73
|
rescue StandardError => e
|
74
74
|
logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
|
75
75
|
end
|
@@ -90,7 +90,7 @@ module Contrast
|
|
90
90
|
end
|
91
91
|
end
|
92
92
|
|
93
|
-
def applies_to? path, possible_write
|
93
|
+
def applies_to? path, possible_write: false
|
94
94
|
# any possible write is a potential risk
|
95
95
|
return true if possible_write
|
96
96
|
|
@@ -111,7 +111,7 @@ module Contrast
|
|
111
111
|
end
|
112
112
|
end
|
113
113
|
rescue Contrast::SecurityException => e
|
114
|
-
raise
|
114
|
+
raise(e)
|
115
115
|
rescue StandardError => e
|
116
116
|
parser ||= Contrast::Utils::ObjectShare::UNKNOWN
|
117
117
|
logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,
|
@@ -38,7 +38,7 @@ module Contrast
|
|
38
38
|
def apply_rule method, exception, properties, object, args
|
39
39
|
invoke(method, exception, properties, object, args)
|
40
40
|
rescue Contrast::SecurityException => e
|
41
|
-
raise
|
41
|
+
raise(e)
|
42
42
|
rescue StandardError => e
|
43
43
|
logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
|
44
44
|
rule: rule_name)
|
@@ -64,14 +64,14 @@ module Contrast
|
|
64
64
|
# @raise [Contrast::SecurityException] on block, will pass the
|
65
65
|
# exception from the rule
|
66
66
|
def invoke _method, _exception, _properties, _object, _args
|
67
|
-
raise
|
67
|
+
raise(NoMethodError, 'This is abstract, override it.')
|
68
68
|
end
|
69
69
|
|
70
70
|
# The name of the rule, as expected by the Contrast Service and Contrast UI.
|
71
71
|
#
|
72
72
|
# @return [String]
|
73
73
|
def rule_name
|
74
|
-
raise
|
74
|
+
raise(NoMethodError, 'This is abstract, override it.')
|
75
75
|
end
|
76
76
|
|
77
77
|
# The rule for which this applicator applies. It'll be a concrete
|
@@ -80,7 +80,7 @@ module Contrast
|
|
80
80
|
#
|
81
81
|
# @return [Contrast::Agent::Protect::Rule::Base]
|
82
82
|
def rule
|
83
|
-
::Contrast::PROTECT.rule
|
83
|
+
::Contrast::PROTECT.rule(rule_name)
|
84
84
|
end
|
85
85
|
|
86
86
|
# Should we skip analysis for this rule for this method invocation?
|