contrast-agent 5.3.0 → 6.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +1 -1
- data/Rakefile +1 -1
- data/ext/build_funchook.rb +3 -3
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +24 -6
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +15 -2
- data/ext/cs__assess_regexp/cs__assess_regexp.h +2 -0
- data/ext/cs__assess_string/cs__assess_string.c +21 -1
- data/ext/cs__assess_test/cs__assess_test.h +9 -0
- data/ext/cs__assess_test/cs__assess_tests.c +22 -0
- data/ext/cs__assess_test/extconf.rb +5 -0
- data/ext/cs__common/cs__common.c +113 -11
- data/ext/cs__common/cs__common.h +29 -5
- data/ext/cs__contrast_patch/cs__contrast_patch.c +55 -44
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +146 -97
- data/ext/cs__tests/cs__tests.c +12 -0
- data/ext/cs__tests/cs__tests.h +3 -0
- data/ext/cs__tests/extconf.rb +5 -0
- data/ext/extconf_common.rb +1 -1
- data/lib/contrast/agent/assess/contrast_object.rb +16 -16
- data/lib/contrast/agent/assess/events/source_event.rb +17 -19
- data/lib/contrast/agent/assess/finalizers/hash.rb +4 -2
- data/lib/contrast/agent/assess/policy/policy.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_node.rb +58 -36
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -16
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +48 -14
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +119 -0
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/split.rb +17 -21
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +11 -17
- data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +2 -2
- data/lib/contrast/agent/assess/property/tagged.rb +3 -3
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +12 -7
- data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +13 -6
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +66 -43
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
- data/lib/contrast/agent/assess/tag.rb +13 -14
- data/lib/contrast/agent/at_exit_hook.rb +12 -1
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/inventory/database_config.rb +10 -3
- data/lib/contrast/agent/middleware.rb +10 -5
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -5
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
- data/lib/contrast/agent/patching/policy/patch.rb +20 -19
- data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
- data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
- data/lib/contrast/agent/patching/policy/policy.rb +13 -15
- data/lib/contrast/agent/patching/policy/policy_node.rb +32 -21
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +132 -75
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +4 -3
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
- data/lib/contrast/agent/protect/rule/base.rb +53 -9
- data/lib/contrast/agent/protect/rule/base_service.rb +31 -12
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +23 -3
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +72 -46
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -2
- data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +2 -5
- data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/protect/rule/xss.rb +17 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
- data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +243 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +62 -0
- data/lib/contrast/agent/reporting/report.rb +2 -0
- data/lib/contrast/agent/reporting/reporter.rb +29 -22
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +34 -0
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +96 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +182 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +56 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +13 -5
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +60 -0
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +44 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +7 -12
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +10 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +2 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +16 -12
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +10 -8
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +8 -11
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +12 -20
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +17 -27
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +29 -13
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +64 -76
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +17 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +100 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +75 -13
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +163 -122
- data/lib/contrast/agent/reporting/settings/application_settings.rb +10 -1
- data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +7 -35
- data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +21 -6
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +6 -6
- data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
- data/lib/contrast/agent/request.rb +5 -5
- data/lib/contrast/agent/request_context.rb +25 -21
- data/lib/contrast/agent/request_context_extend.rb +12 -25
- data/lib/contrast/agent/request_handler.rb +7 -3
- data/lib/contrast/agent/response.rb +2 -0
- data/lib/contrast/agent/rule_set.rb +2 -2
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +6 -48
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/telemetry/base.rb +155 -0
- data/lib/contrast/agent/telemetry/events/event.rb +35 -0
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +59 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +44 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +115 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +83 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +64 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +20 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +30 -0
- data/lib/contrast/agent/telemetry/events/metric_event.rb +28 -0
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +123 -0
- data/lib/contrast/agent/thread_watcher.rb +52 -68
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent/worker_thread.rb +8 -0
- data/lib/contrast/agent.rb +4 -3
- data/lib/contrast/api/communication/messaging_queue.rb +29 -12
- data/lib/contrast/api/communication/response_processor.rb +7 -10
- data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +1 -1
- data/lib/contrast/api/communication/speedracer.rb +3 -3
- data/lib/contrast/api/decorators/activity.rb +33 -0
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +10 -9
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +4 -4
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/response_type.rb +17 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/base.rb +1 -1
- data/lib/contrast/components/config.rb +19 -28
- data/lib/contrast/components/contrast_service.rb +13 -1
- data/lib/contrast/components/protect.rb +2 -2
- data/lib/contrast/components/sampling.rb +8 -12
- data/lib/contrast/components/settings.rb +151 -19
- data/lib/contrast/config/agent_configuration.rb +34 -41
- data/lib/contrast/config/api_configuration.rb +16 -75
- data/lib/contrast/config/api_proxy_configuration.rb +9 -48
- data/lib/contrast/config/application_configuration.rb +24 -95
- data/lib/contrast/config/assess_configuration.rb +21 -76
- data/lib/contrast/config/assess_rules_configuration.rb +13 -38
- data/lib/contrast/config/base_configuration.rb +11 -76
- data/lib/contrast/config/certification_configuration.rb +15 -68
- data/lib/contrast/config/exception_configuration.rb +15 -59
- data/lib/contrast/config/heap_dump_configuration.rb +19 -73
- data/lib/contrast/config/inventory_configuration.rb +11 -55
- data/lib/contrast/config/logger_configuration.rb +8 -41
- data/lib/contrast/config/protect_configuration.rb +23 -10
- data/lib/contrast/config/protect_rule_configuration.rb +23 -37
- data/lib/contrast/config/protect_rules_configuration.rb +39 -43
- data/lib/contrast/config/request_audit_configuration.rb +16 -55
- data/lib/contrast/config/root_configuration.rb +71 -14
- data/lib/contrast/config/ruby_configuration.rb +14 -47
- data/lib/contrast/config/sampling_configuration.rb +12 -65
- data/lib/contrast/config/server_configuration.rb +13 -45
- data/lib/contrast/config/service_configuration.rb +18 -54
- data/lib/contrast/configuration.rb +25 -17
- data/lib/contrast/extension/assess/array.rb +1 -1
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/assess/marshal.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/extension.rb +2 -2
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/base_support.rb +8 -8
- data/lib/contrast/framework/grape/support.rb +3 -3
- data/lib/contrast/framework/manager.rb +7 -7
- data/lib/contrast/framework/manager_extend.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +14 -46
- data/lib/contrast/framework/rails/support.rb +2 -2
- data/lib/contrast/framework/sinatra/support.rb +1 -1
- data/lib/contrast/logger/aliased_logging.rb +94 -0
- data/lib/contrast/logger/application.rb +1 -5
- data/lib/contrast/logger/cef_log.rb +15 -15
- data/lib/contrast/logger/format.rb +1 -1
- data/lib/contrast/logger/log.rb +8 -8
- data/lib/contrast/tasks/config.rb +100 -4
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/assess/tracking_util.rb +4 -4
- data/lib/contrast/utils/class_util.rb +9 -22
- data/lib/contrast/utils/findings.rb +3 -3
- data/lib/contrast/utils/hash_digest.rb +6 -7
- data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/invalid_configuration_util.rb +2 -2
- data/lib/contrast/utils/log_utils.rb +7 -5
- data/lib/contrast/utils/lru_cache.rb +1 -1
- data/lib/contrast/utils/metrics_hash.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +15 -14
- data/lib/contrast/utils/net_http_base.rb +5 -5
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +1 -6
- data/lib/contrast/utils/patching/policy/patch_utils.rb +6 -7
- data/lib/contrast/utils/request_utils.rb +2 -2
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/sha256_builder.rb +4 -4
- data/lib/contrast/utils/stack_trace_utils.rb +31 -13
- data/lib/contrast/utils/telemetry.rb +22 -7
- data/lib/contrast/utils/telemetry_client.rb +28 -16
- data/lib/contrast/utils/telemetry_hash.rb +41 -0
- data/lib/contrast/utils/telemetry_identifier.rb +18 -3
- data/lib/contrast/utils/timer.rb +1 -1
- data/lib/contrast.rb +9 -0
- data/resources/assess/policy.json +99 -1
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +10 -9
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +99 -29
- data/lib/contrast/agent/metric_telemetry_event.rb +0 -26
- data/lib/contrast/agent/startup_metrics_telemetry_event.rb +0 -121
- data/lib/contrast/agent/telemetry.rb +0 -137
- data/lib/contrast/agent/telemetry_event.rb +0 -33
- data/lib/contrast/utils/exclude_key.rb +0 -20
@@ -3,6 +3,7 @@
|
|
3
3
|
|
4
4
|
require 'contrast/components/logger'
|
5
5
|
require 'contrast/components/scope'
|
6
|
+
require 'contrast/api/decorators/response_type'
|
6
7
|
|
7
8
|
module Contrast
|
8
9
|
module Agent
|
@@ -179,9 +180,13 @@ module Contrast
|
|
179
180
|
# @param attack [Symbol] the type of message we want to send
|
180
181
|
# @param value [String] the input value we want to log
|
181
182
|
def cef_logging result, attack = :ineffective_attack, value = nil
|
182
|
-
sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash
|
183
|
-
outcome =
|
184
|
-
|
183
|
+
sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0])
|
184
|
+
outcome = if result.response.cs__is_a?(Hash)
|
185
|
+
Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
|
186
|
+
else
|
187
|
+
Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
|
188
|
+
end
|
189
|
+
input_type = extract_input_type(sample_to_json[:user_input].input_type)
|
185
190
|
input_value = value || sample_to_json[:user_input].value
|
186
191
|
cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
|
187
192
|
end
|
@@ -226,7 +231,7 @@ module Contrast
|
|
226
231
|
# @param _kwargs [Hash] key-value pairs used by the rule to build a
|
227
232
|
# report.
|
228
233
|
def find_attacker _context, _potential_attack_string, **_kwargs
|
229
|
-
raise
|
234
|
+
raise(NoMethodError, "Rule #{ rule_name } did not implement find_attack")
|
230
235
|
end
|
231
236
|
|
232
237
|
def update_successful_attack_response context, ia_result, result, attack_string = nil
|
@@ -243,18 +248,23 @@ module Contrast
|
|
243
248
|
result
|
244
249
|
end
|
245
250
|
|
251
|
+
# @param context [Contrast::Agent::RequestContext] the context of the
|
252
|
+
# request in which this input is evaluated.
|
253
|
+
# @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
|
254
|
+
# analysis of the input that was determined to be an attack
|
255
|
+
# @param result [Contrast::Api::Dtm::AttackResult] previous
|
256
|
+
# attack result for this rule, if one exists, in the case of
|
257
|
+
# multiple inputs being found to violate the protection criteria
|
246
258
|
def update_perimeter_attack_response context, ia_result, result
|
247
259
|
if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
|
248
|
-
result.response = if ia_result
|
249
|
-
# Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
|
250
|
-
# and should be treated equivalent to Blocked mode if set
|
260
|
+
result.response = if blocked_rule?(ia_result)
|
251
261
|
Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
|
252
262
|
else
|
253
263
|
Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
|
254
264
|
end
|
255
265
|
log_rule_matched(context, ia_result, result.response)
|
256
266
|
elsif ia_result.nil? || ia_result.attack_count.zero?
|
257
|
-
result.response =
|
267
|
+
result.response = assign_reporter_response_type(ia_result)
|
258
268
|
log_rule_probed(context, ia_result)
|
259
269
|
end
|
260
270
|
|
@@ -317,15 +327,49 @@ module Contrast
|
|
317
327
|
# @param enum [Enumerable]
|
318
328
|
# @return [Symbol]
|
319
329
|
def extract_input_type enum
|
320
|
-
Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag
|
330
|
+
Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag(enum)
|
321
331
|
end
|
322
332
|
|
323
333
|
private
|
324
334
|
|
335
|
+
# Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
|
336
|
+
# and should be treated equivalent to Blocked mode if set
|
337
|
+
def blocked_rule? ia_result
|
338
|
+
[
|
339
|
+
Contrast::Agent::Protect::Rule::Sqli::NAME,
|
340
|
+
Contrast::Agent::Protect::Rule::NoSqli::NAME
|
341
|
+
].include?(ia_result&.rule_id)
|
342
|
+
end
|
343
|
+
|
325
344
|
def log_rule_probed _context, ia_result
|
326
345
|
logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
|
327
346
|
name: ia_result&.key, input: ia_result&.value)
|
328
347
|
end
|
348
|
+
|
349
|
+
# Some rules are reported as suspicious, rather than exploited or probed, b/c they don't actually follow
|
350
|
+
# input tracing or other detection types that provide enough confidnece for a determination.
|
351
|
+
#
|
352
|
+
# @param ia_result
|
353
|
+
# @return [Boolean]
|
354
|
+
def suspicious_rule? ia_result
|
355
|
+
[
|
356
|
+
Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
|
357
|
+
Contrast::Agent::Protect::Rule::Xss::NAME
|
358
|
+
].include?(ia_result&.rule_id)
|
359
|
+
end
|
360
|
+
|
361
|
+
# Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
|
362
|
+
# MONITORED mode.
|
363
|
+
#
|
364
|
+
# @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
|
365
|
+
# determined to be an attack
|
366
|
+
def assign_reporter_response_type ia_result
|
367
|
+
if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
|
368
|
+
Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
|
369
|
+
else
|
370
|
+
Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
|
371
|
+
end
|
372
|
+
end
|
329
373
|
end
|
330
374
|
end
|
331
375
|
end
|
@@ -21,18 +21,23 @@ module Contrast
|
|
21
21
|
'Contrast Security Protect Rule Triggered. Response blocked.'
|
22
22
|
end
|
23
23
|
|
24
|
+
# @param context [Contrast::Agent::RequestContext]
|
24
25
|
def infilter? context
|
25
|
-
return false unless context&.speedracer_input_analysis&.results
|
26
26
|
return false unless enabled?
|
27
|
+
return false unless context&.speedracer_input_analysis&.results&.any? do |result|
|
28
|
+
result.rule_id == rule_name
|
29
|
+
end
|
30
|
+
|
27
31
|
return false if protect_excluded_by_code?
|
28
32
|
|
29
33
|
true
|
30
34
|
end
|
31
35
|
|
32
36
|
# Override for rules that need the response
|
33
|
-
# Currently postfilter can be applied to streamed responses,
|
34
|
-
#
|
35
|
-
#
|
37
|
+
# Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify
|
38
|
+
# the response streamed responses will break
|
39
|
+
# @param context [Contrast::Agent::RequestContext]
|
40
|
+
# @raise [Contrast::SecurityException]
|
36
41
|
def postfilter context
|
37
42
|
return unless enabled? && POSTFILTER_MODES.include?(mode)
|
38
43
|
if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
|
@@ -44,27 +49,38 @@ module Contrast
|
|
44
49
|
result = find_postfilter_attacker(context, nil)
|
45
50
|
return unless result&.samples&.any?
|
46
51
|
|
47
|
-
cef_logging
|
52
|
+
cef_logging(result)
|
48
53
|
append_to_activity(context, result)
|
49
54
|
return unless result.response == :BLOCKED
|
50
55
|
|
51
|
-
raise
|
56
|
+
raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
|
52
57
|
end
|
53
58
|
|
54
59
|
protected
|
55
60
|
|
61
|
+
# @param context [Contrast::Agent::RequestContext]
|
62
|
+
# @return [Array<Contrast::Api::Settings::InputAnalysis>]
|
56
63
|
def gather_ia_results context
|
57
64
|
context.speedracer_input_analysis.results.select do |ia_result|
|
58
65
|
ia_result.rule_id == rule_name
|
59
66
|
end
|
60
67
|
end
|
61
68
|
|
69
|
+
# @param context [Contrast::Agent::RequestContext]
|
70
|
+
# @param potential_attack_string [String, nil]
|
71
|
+
# @param **kwargs
|
72
|
+
# @return [Contrast::Api::Dtm::AttackResult]
|
62
73
|
def find_attacker context, potential_attack_string, **kwargs
|
63
74
|
ia_results = gather_ia_results(context)
|
64
75
|
find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
|
65
76
|
end
|
66
77
|
|
67
78
|
# Allows for the InputAnalysis from service to be extracted early
|
79
|
+
# @param context [Contrast::Agent::RequestContext]
|
80
|
+
# @param potential_attack_string [String, nil]
|
81
|
+
# @param ia_results [Array<Contrast::Api::Settings::InputAnalysis>]
|
82
|
+
# @param **kwargs
|
83
|
+
# @return [Contrast::Api::Dtm::AttackResult, nil]
|
68
84
|
def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
|
69
85
|
logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
|
70
86
|
|
@@ -84,15 +100,18 @@ module Contrast
|
|
84
100
|
|
85
101
|
private
|
86
102
|
|
103
|
+
# @param context [Contrast::Agent::RequestContext]
|
104
|
+
# @param potential_attack_string [String, nil]
|
105
|
+
# @return [Contrast::Api::Dtm::AttackResult, nil]
|
87
106
|
def find_postfilter_attacker context, potential_attack_string, **kwargs
|
88
107
|
ia_results = gather_ia_results(context)
|
89
108
|
ia_results.select! do |ia_result|
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
109
|
+
required_level = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult)
|
110
|
+
Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
|
111
|
+
else
|
112
|
+
Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
|
113
|
+
end
|
114
|
+
ia_result.score_level == required_level
|
96
115
|
end
|
97
116
|
find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
|
98
117
|
end
|
@@ -5,6 +5,7 @@ require 'contrast/agent/protect/rule/base_service'
|
|
5
5
|
require 'contrast/utils/stack_trace_utils'
|
6
6
|
require 'contrast/utils/object_share'
|
7
7
|
require 'contrast/components/logger'
|
8
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
8
9
|
|
9
10
|
module Contrast
|
10
11
|
module Agent
|
@@ -13,9 +14,27 @@ module Contrast
|
|
13
14
|
# The Ruby implementation of the Protect Command Injection rule.
|
14
15
|
class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
|
15
16
|
include Contrast::Components::Logger::InstanceMethods
|
17
|
+
include Contrast::Agent::Reporting::InputType
|
16
18
|
|
17
19
|
NAME = 'cmd-injection'
|
18
20
|
CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
|
21
|
+
APPLICABLE_USER_INPUTS = [
|
22
|
+
BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
|
23
|
+
PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
|
24
|
+
MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
|
25
|
+
].cs__freeze
|
26
|
+
|
27
|
+
class << self
|
28
|
+
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
29
|
+
# @return [Hash] the details for this specific rule
|
30
|
+
def extract_details attack_sample
|
31
|
+
{
|
32
|
+
command: attack_sample.cmdi.command,
|
33
|
+
startIndex: attack_sample.cmdi.start_idx,
|
34
|
+
endIndex: attack_sample.cmdi.end_idx
|
35
|
+
}
|
36
|
+
end
|
37
|
+
end
|
19
38
|
|
20
39
|
def rule_name
|
21
40
|
NAME
|
@@ -39,13 +58,13 @@ module Contrast
|
|
39
58
|
return unless result
|
40
59
|
|
41
60
|
append_to_activity(context, result)
|
42
|
-
cef_logging
|
61
|
+
cef_logging(result, :successful_attack)
|
43
62
|
|
44
63
|
return unless blocked?
|
45
64
|
|
46
|
-
raise
|
65
|
+
raise(Contrast::SecurityException.new(self,
|
47
66
|
'Command Injection rule triggered. '\
|
48
|
-
"Call to #{ classname }.#{ method } blocked.")
|
67
|
+
"Call to #{ classname }.#{ method } blocked."))
|
49
68
|
end
|
50
69
|
|
51
70
|
def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
|
@@ -83,6 +102,7 @@ module Contrast
|
|
83
102
|
command = candidate_string || input_analysis_result.value
|
84
103
|
command = Contrast::Utils::StringUtils.protobuf_safe_string(command)
|
85
104
|
sample.cmdi.command = command
|
105
|
+
sample.cmdi.end_idx = command.length
|
86
106
|
|
87
107
|
# This is a special case where the user input is UNKNOWN_USER_INPUT but
|
88
108
|
# we want to send the attack value
|
@@ -0,0 +1,83 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
|
+
require 'contrast/agent/protect/rule/cmd_injection'
|
7
|
+
require 'contrast/agent/reporting/input_analysis/score_level'
|
8
|
+
require 'contrast/agent/protect/rule/cmdi/cmdi_worth_watching'
|
9
|
+
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
10
|
+
require 'contrast/utils/input_classification'
|
11
|
+
require 'contrast/components/logger'
|
12
|
+
|
13
|
+
module Contrast
|
14
|
+
module Agent
|
15
|
+
module Protect
|
16
|
+
module Rule
|
17
|
+
# This module will do the Input Classification stage of CMD Injection rule
|
18
|
+
# as a result input would be marked as WORTHWATCHING or IGNORE,
|
19
|
+
# to be analyzed at the sink level.
|
20
|
+
module CmdiInputClassification
|
21
|
+
class << self
|
22
|
+
include InputClassificationBase
|
23
|
+
include Contrast::Agent::Protect::Rule::CmdiWorthWatching
|
24
|
+
include Contrast::Components::Logger::InstanceMethods
|
25
|
+
|
26
|
+
WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'
|
27
|
+
CMDI_KEYS_NEEDED = [
|
28
|
+
COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
|
29
|
+
].cs__freeze
|
30
|
+
|
31
|
+
# This method will determine actually if the user input is WORTHWATCHING
|
32
|
+
#
|
33
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
|
34
|
+
# @param value [String, Array<String>] the value of the input
|
35
|
+
# @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
|
36
|
+
# analysis from the current request.
|
37
|
+
def classify input_type, value, input_analysis
|
38
|
+
return unless Contrast::Agent::Protect::Rule::CmdInjection::APPLICABLE_USER_INPUTS.include?(input_type)
|
39
|
+
return unless super
|
40
|
+
|
41
|
+
rule_id = Contrast::Agent::Protect::Rule::CmdInjection::NAME
|
42
|
+
|
43
|
+
Array(value).each do |val|
|
44
|
+
Array(val).each do |v|
|
45
|
+
input_analysis.results << cmdi_create_new_input_result(input_analysis.request, rule_id, input_type, v)
|
46
|
+
end
|
47
|
+
end
|
48
|
+
|
49
|
+
input_analysis
|
50
|
+
rescue StandardError => e
|
51
|
+
logger.debug('An Error was recorded in the input classification of the cmdi.')
|
52
|
+
logger.debug(e)
|
53
|
+
end
|
54
|
+
|
55
|
+
private
|
56
|
+
|
57
|
+
# This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
|
58
|
+
# key if needed and Creates new instance of InputAnalysisResult.
|
59
|
+
#
|
60
|
+
# @param request [Contrast::Agent::Request] the current request context.
|
61
|
+
# @param rule_id [String] The name of the Protect Rule.
|
62
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
63
|
+
# @param value [String, Array<String>] the value of the input.
|
64
|
+
#
|
65
|
+
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
66
|
+
def cmdi_create_new_input_result request, rule_id, input_type, value
|
67
|
+
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
68
|
+
if cmdi_worth_watching?(value)
|
69
|
+
ia_result.score_level = WORTHWATCHING
|
70
|
+
ia_result.ids << WORTHWATCHING_MATCH
|
71
|
+
else
|
72
|
+
ia_result.score_level = IGNORE
|
73
|
+
end
|
74
|
+
|
75
|
+
add_needed_key(request, ia_result, input_type, value) if CMDI_KEYS_NEEDED.include?(input_type)
|
76
|
+
ia_result
|
77
|
+
end
|
78
|
+
end
|
79
|
+
end
|
80
|
+
end
|
81
|
+
end
|
82
|
+
end
|
83
|
+
end
|
@@ -0,0 +1,64 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Protect
|
9
|
+
module Rule
|
10
|
+
# This module implements the cmdi-worth-watching-v2 check to determine whether input
|
11
|
+
# is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
|
12
|
+
# https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection.html#input-tracing
|
13
|
+
module CmdiWorthWatching
|
14
|
+
POSSIBLE_CHAINING_ELEMENTS = %w[& ; | $ < > `].cs__freeze
|
15
|
+
UNIX_COMMANDS = %w[
|
16
|
+
uname echo cat ping nestat nc whoami wget curl dir ls ps rm chmod cp kill
|
17
|
+
grep sleep mkdir pwd shutdown system touch timeout fetch bash sh
|
18
|
+
].cs__freeze
|
19
|
+
UNIX_PATHS = %w[tmp opt etc home mnt proc lib bin sbin sys usr var root run].cs__freeze
|
20
|
+
WINDOWS_COMMANDS = %w[
|
21
|
+
sc net reg cmd query cmd.exe powershell powershell.exe hostname ifconfig ipconfig netsh
|
22
|
+
netstat systeminfo sysinfo whoami wscript cscript wmic PowerShell_ISE pskill psexec qprocess
|
23
|
+
regedit regini rename winrm wpeutil ntdsutil taskkill certutil mapisend shellrunas
|
24
|
+
].cs__freeze
|
25
|
+
# This method will determine if a user input is Worth watching and return true if it is.
|
26
|
+
# This is done by running checks, and if the inputs is worth to watch it would be
|
27
|
+
# saved for the later sink cmdi input analysis.
|
28
|
+
#
|
29
|
+
# @param input [String] the user input to be inspected
|
30
|
+
# @return true | false
|
31
|
+
def cmdi_worth_watching? input
|
32
|
+
return false if input.nil? || input.empty? || input.length < 3
|
33
|
+
|
34
|
+
exploitable?(input) && worth_watching?(input)
|
35
|
+
end
|
36
|
+
|
37
|
+
private
|
38
|
+
|
39
|
+
# This method will check if the input is exploitable
|
40
|
+
#
|
41
|
+
# @param input [String] the user input to be inspected
|
42
|
+
def exploitable? input
|
43
|
+
contains_substring?(input, POSSIBLE_CHAINING_ELEMENTS)
|
44
|
+
end
|
45
|
+
|
46
|
+
def worth_watching? input
|
47
|
+
return true if contains_substring?(input, UNIX_COMMANDS)
|
48
|
+
return true if contains_substring?(input, UNIX_PATHS)
|
49
|
+
return true if contains_substring?(input, WINDOWS_COMMANDS)
|
50
|
+
|
51
|
+
false
|
52
|
+
end
|
53
|
+
|
54
|
+
def contains_substring? input, values
|
55
|
+
return true if values.any? { |val| input.include?(val) }
|
56
|
+
return true if values.include?(Contrast::Utils::ObjectShare::SPACE)
|
57
|
+
|
58
|
+
false
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
@@ -7,6 +7,8 @@
|
|
7
7
|
# @deprecated RUBY-356: this class and those that extend it are being phased out
|
8
8
|
# in favor of the more performant code in the Service.
|
9
9
|
class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/ClassAndModuleChildren
|
10
|
+
OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
|
11
|
+
|
10
12
|
# Potential states
|
11
13
|
# :STATE_INSIDE_TOKEN
|
12
14
|
# :STATE_INSIDE_NUMBER
|
@@ -220,7 +222,6 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
220
222
|
idx
|
221
223
|
end
|
222
224
|
|
223
|
-
OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
|
224
225
|
def operator? char
|
225
226
|
char.match?(OPERATOR_PATTERN)
|
226
227
|
end
|
@@ -13,6 +13,9 @@ module Contrast
|
|
13
13
|
class Deserialization < Contrast::Agent::Protect::Rule::Base
|
14
14
|
# The TeamServer recognized name of this rule
|
15
15
|
include Contrast::Components::Logger::InstanceMethods
|
16
|
+
# Used to name this input since input analysis isn't done for this
|
17
|
+
# rule
|
18
|
+
INPUT_NAME = 'Serialized Gadget'
|
16
19
|
|
17
20
|
NAME = 'untrusted-deserialization'
|
18
21
|
|
@@ -39,6 +42,17 @@ module Contrast
|
|
39
42
|
# Used to indicate to TeamServer the gadget is an Arel module
|
40
43
|
AREL = 'Arel'
|
41
44
|
|
45
|
+
class << self
|
46
|
+
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
47
|
+
# @return [Hash] the details for this specific rule
|
48
|
+
def extract_details attack_sample
|
49
|
+
{
|
50
|
+
command: attack_sample.untrusted_deserialization.command,
|
51
|
+
deserializer: attack_sample.untrusted_deserialization.deserializer
|
52
|
+
}
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
42
56
|
# Return the TeamServer understood id / name of this rule.
|
43
57
|
# @return [String] the TeamServer understood id / name of this rule.
|
44
58
|
def rule_name
|
@@ -81,9 +95,9 @@ module Contrast
|
|
81
95
|
result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
|
82
96
|
append_to_activity(context, result)
|
83
97
|
|
84
|
-
cef_logging
|
98
|
+
cef_logging(result, :successful_attack)
|
85
99
|
|
86
|
-
raise
|
100
|
+
raise(Contrast::SecurityException.new(self, block_message)) if blocked?
|
87
101
|
end
|
88
102
|
|
89
103
|
# Determine if the issued command was called while we're
|
@@ -102,8 +116,8 @@ module Contrast
|
|
102
116
|
ia_result = build_evaluation(gadget_command)
|
103
117
|
result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
|
104
118
|
append_to_activity(context, result)
|
105
|
-
cef_logging
|
106
|
-
raise
|
119
|
+
cef_logging(result, :successful_attack, gadget_command)
|
120
|
+
raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
|
107
121
|
end
|
108
122
|
|
109
123
|
protected
|
@@ -134,9 +148,6 @@ module Contrast
|
|
134
148
|
|
135
149
|
private
|
136
150
|
|
137
|
-
# Used to name this input since input analysis isn't done for this
|
138
|
-
# rule
|
139
|
-
INPUT_NAME = 'Serialized Gadget'
|
140
151
|
# We know that this attack happened, so the result is always matched
|
141
152
|
# and the level is always critical. Only variable is the Gadget
|
142
153
|
# supplied by the attacker.
|
@@ -0,0 +1,96 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
6
|
+
require 'contrast/agent/reporting/attack_result/attack_result'
|
7
|
+
require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
|
8
|
+
require 'contrast/utils/input_classification'
|
9
|
+
|
10
|
+
module Contrast
|
11
|
+
module Agent
|
12
|
+
module Protect
|
13
|
+
module Rule
|
14
|
+
# This module will do the Input Classification stage of HttpMethodTampering rule
|
15
|
+
# as a result input would be marked as DEFINETEATTACK or IGNORE,
|
16
|
+
# to be analyzed at the sink level.
|
17
|
+
module HttpMethodTamperingInputClassification
|
18
|
+
# class << self
|
19
|
+
# include InputClassificationBase
|
20
|
+
#
|
21
|
+
# # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
|
22
|
+
# #
|
23
|
+
# # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
|
24
|
+
# # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
|
25
|
+
# # analysis from the current request.
|
26
|
+
# def classify input_type, input_analysis
|
27
|
+
# return unless input_analysis.request
|
28
|
+
# return unless input_type == METHOD
|
29
|
+
#
|
30
|
+
# rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
|
31
|
+
#
|
32
|
+
# ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
|
33
|
+
# input_analysis.results << ia_result
|
34
|
+
#
|
35
|
+
# return input_analysis if ia_result.score_level == IGNORE
|
36
|
+
#
|
37
|
+
# attack_result = build_attack_result ia_result, rule_id
|
38
|
+
#
|
39
|
+
# if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
|
40
|
+
# attack_result.response = :EXPLOITED
|
41
|
+
# Contrast::Agent::EXPLOITS.push attack_result
|
42
|
+
# return input_analysis
|
43
|
+
# end
|
44
|
+
#
|
45
|
+
# attack_result.response = :BLOCKED
|
46
|
+
# context.activity.results << attack_result
|
47
|
+
# raise Contrast::SecurityException.new(self,
|
48
|
+
# 'HTTP Method Tampering rule triggered. '\
|
49
|
+
# "Call to #{ input_analysis.request.path } with " \
|
50
|
+
# "#{ input_analysis.request.request_method } blocked.")
|
51
|
+
# end
|
52
|
+
#
|
53
|
+
# private
|
54
|
+
#
|
55
|
+
# # @param request [Contrast::Agent::Request] the current request context.
|
56
|
+
# def method_tampering_exploited? request
|
57
|
+
# !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
|
58
|
+
# end
|
59
|
+
#
|
60
|
+
# # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
|
61
|
+
# # key if needed and Creates new instance of InputAnalysisResult.
|
62
|
+
# #
|
63
|
+
# # @param request [Contrast::Agent::Request] the current request context.
|
64
|
+
# # @param rule_id [String] The name of the Protect Rule.
|
65
|
+
# # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
66
|
+
# #
|
67
|
+
# # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
68
|
+
# def method_tampering_new_input_analysis request, rule_id, input_type
|
69
|
+
# ia_result = new_ia_result rule_id, input_type, request.path
|
70
|
+
# if method_tampering_exploited? request
|
71
|
+
# ia_result.score_level = DEFINITEATTACK
|
72
|
+
# ia_result.ids << rule_id
|
73
|
+
# else
|
74
|
+
# ia_result.score_level = IGNORE
|
75
|
+
# end
|
76
|
+
#
|
77
|
+
# ia_result
|
78
|
+
# end
|
79
|
+
#
|
80
|
+
# def build_attack_result ia_result, rule_id
|
81
|
+
# rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
|
82
|
+
# result = Contrast::Agent::Reporting::AttackResult.new
|
83
|
+
# result.rule_id = rule_id
|
84
|
+
# result.samples << rasp_rule_sample
|
85
|
+
# result
|
86
|
+
# end
|
87
|
+
#
|
88
|
+
# def context
|
89
|
+
# Contrast::Agent::REQUEST_TRACKER.current
|
90
|
+
# end
|
91
|
+
# end
|
92
|
+
end
|
93
|
+
end
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|