contrast-agent 6.0.0 → 6.1.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (260) hide show
  1. checksums.yaml +4 -4
  2. data/.simplecov +1 -1
  3. data/Rakefile +1 -1
  4. data/ext/build_funchook.rb +3 -3
  5. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +5 -1
  6. data/ext/cs__assess_regexp/cs__assess_regexp.c +15 -2
  7. data/ext/cs__assess_regexp/cs__assess_regexp.h +2 -0
  8. data/ext/cs__assess_string/cs__assess_string.c +8 -0
  9. data/ext/cs__assess_test/cs__assess_test.h +9 -0
  10. data/ext/cs__assess_test/cs__assess_tests.c +22 -0
  11. data/ext/cs__assess_test/extconf.rb +5 -0
  12. data/ext/cs__common/cs__common.c +101 -0
  13. data/ext/cs__common/cs__common.h +29 -5
  14. data/ext/cs__contrast_patch/cs__contrast_patch.c +1 -1
  15. data/ext/cs__tests/cs__tests.c +12 -0
  16. data/ext/cs__tests/cs__tests.h +3 -0
  17. data/ext/cs__tests/extconf.rb +5 -0
  18. data/ext/extconf_common.rb +1 -1
  19. data/lib/contrast/agent/assess/contrast_object.rb +16 -16
  20. data/lib/contrast/agent/assess/events/source_event.rb +17 -19
  21. data/lib/contrast/agent/assess/finalizers/hash.rb +2 -2
  22. data/lib/contrast/agent/assess/policy/policy.rb +9 -10
  23. data/lib/contrast/agent/assess/policy/policy_node.rb +9 -10
  24. data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -16
  25. data/lib/contrast/agent/assess/policy/propagation_method.rb +3 -3
  26. data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
  27. data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
  28. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +2 -1
  29. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
  30. data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
  31. data/lib/contrast/agent/assess/policy/propagator/split.rb +17 -21
  32. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  33. data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
  34. data/lib/contrast/agent/assess/policy/trigger_method.rb +10 -18
  35. data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
  36. data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
  37. data/lib/contrast/agent/assess/property/evented.rb +2 -2
  38. data/lib/contrast/agent/assess/property/tagged.rb +2 -2
  39. data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
  40. data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
  41. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +12 -7
  42. data/lib/contrast/agent/assess/rule/response/base_rule.rb +13 -6
  43. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +66 -43
  44. data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
  45. data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
  46. data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
  47. data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
  48. data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
  49. data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
  50. data/lib/contrast/agent/assess/tag.rb +13 -14
  51. data/lib/contrast/agent/at_exit_hook.rb +12 -1
  52. data/lib/contrast/agent/inventory/database_config.rb +22 -7
  53. data/lib/contrast/agent/middleware.rb +9 -6
  54. data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -5
  55. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
  56. data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
  57. data/lib/contrast/agent/patching/policy/patch.rb +20 -19
  58. data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
  59. data/lib/contrast/agent/patching/policy/patcher.rb +1 -1
  60. data/lib/contrast/agent/patching/policy/policy.rb +13 -15
  61. data/lib/contrast/agent/patching/policy/policy_node.rb +19 -21
  62. data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
  63. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +126 -122
  64. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
  65. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
  66. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
  67. data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
  68. data/lib/contrast/agent/protect/rule/base.rb +30 -18
  69. data/lib/contrast/agent/protect/rule/base_service.rb +31 -14
  70. data/lib/contrast/agent/protect/rule/cmd_injection.rb +16 -9
  71. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +3 -3
  72. data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
  73. data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
  74. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +74 -74
  75. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +71 -53
  76. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +3 -3
  77. data/lib/contrast/agent/protect/rule/no_sqli.rb +15 -16
  78. data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
  79. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -2
  80. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -1
  81. data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
  82. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +61 -61
  83. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +29 -29
  84. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +32 -32
  85. data/lib/contrast/agent/protect/rule/xss.rb +17 -0
  86. data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
  87. data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
  88. data/lib/contrast/agent/reaction_processor.rb +1 -1
  89. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +36 -36
  90. data/lib/contrast/agent/reporting/masker/masker.rb +18 -21
  91. data/lib/contrast/agent/reporting/masker/masker_utils.rb +10 -6
  92. data/lib/contrast/agent/reporting/reporter.rb +11 -16
  93. data/lib/contrast/agent/reporting/reporter_heartbeat.rb +49 -0
  94. data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +6 -2
  95. data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +51 -0
  96. data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +96 -0
  97. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +70 -0
  98. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +182 -0
  99. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +56 -0
  100. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
  101. data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +70 -0
  102. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +6 -2
  103. data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +60 -0
  104. data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +27 -0
  105. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +15 -11
  106. data/lib/contrast/agent/reporting/reporting_events/application_update.rb +7 -12
  107. data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
  108. data/lib/contrast/agent/reporting/reporting_events/finding.rb +9 -3
  109. data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +2 -4
  110. data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +3 -3
  111. data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +6 -2
  112. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +7 -3
  113. data/lib/contrast/agent/reporting/reporting_events/poll.rb +6 -2
  114. data/lib/contrast/agent/reporting/reporting_events/preflight.rb +10 -8
  115. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +6 -10
  116. data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +12 -20
  117. data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +27 -0
  118. data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +17 -27
  119. data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
  120. data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +8 -0
  121. data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
  122. data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
  123. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +15 -10
  124. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -67
  125. data/lib/contrast/agent/reporting/reporting_utilities/response.rb +17 -7
  126. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +9 -6
  127. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +17 -17
  128. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +47 -32
  129. data/lib/contrast/agent/reporting/settings/application_settings.rb +1 -1
  130. data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
  131. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +3 -3
  132. data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
  133. data/lib/contrast/agent/reporting/settings/protect.rb +21 -6
  134. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +6 -6
  135. data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
  136. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +2 -2
  137. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +2 -2
  138. data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
  139. data/lib/contrast/agent/request.rb +5 -5
  140. data/lib/contrast/agent/request_context.rb +23 -19
  141. data/lib/contrast/agent/request_context_extend.rb +11 -24
  142. data/lib/contrast/agent/request_handler.rb +4 -4
  143. data/lib/contrast/agent/response.rb +2 -0
  144. data/lib/contrast/agent/rule_set.rb +2 -2
  145. data/lib/contrast/agent/scope.rb +1 -1
  146. data/lib/contrast/agent/service_heartbeat.rb +6 -48
  147. data/lib/contrast/agent/static_analysis.rb +1 -1
  148. data/lib/contrast/agent/telemetry/base.rb +155 -0
  149. data/lib/contrast/agent/telemetry/events/event.rb +35 -0
  150. data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
  151. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +44 -36
  152. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +29 -21
  153. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +91 -73
  154. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +62 -44
  155. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +50 -33
  156. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +20 -0
  157. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +30 -0
  158. data/lib/contrast/agent/telemetry/events/metric_event.rb +28 -0
  159. data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +123 -0
  160. data/lib/contrast/agent/thread_watcher.rb +52 -68
  161. data/lib/contrast/agent/version.rb +1 -1
  162. data/lib/contrast/agent/worker_thread.rb +8 -0
  163. data/lib/contrast/agent.rb +1 -3
  164. data/lib/contrast/api/communication/messaging_queue.rb +29 -12
  165. data/lib/contrast/api/communication/response_processor.rb +7 -10
  166. data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
  167. data/lib/contrast/api/communication/socket.rb +1 -1
  168. data/lib/contrast/api/communication/socket_client.rb +1 -1
  169. data/lib/contrast/api/communication/speedracer.rb +3 -3
  170. data/lib/contrast/api/decorators/activity.rb +33 -0
  171. data/lib/contrast/api/decorators/agent_startup.rb +10 -9
  172. data/lib/contrast/api/decorators/application_settings.rb +1 -1
  173. data/lib/contrast/api/decorators/application_startup.rb +4 -4
  174. data/lib/contrast/api/decorators/http_request.rb +1 -1
  175. data/lib/contrast/api/decorators/response_type.rb +4 -17
  176. data/lib/contrast/components/agent.rb +1 -1
  177. data/lib/contrast/components/base.rb +1 -1
  178. data/lib/contrast/components/config.rb +19 -28
  179. data/lib/contrast/components/contrast_service.rb +13 -1
  180. data/lib/contrast/components/sampling.rb +1 -1
  181. data/lib/contrast/components/settings.rb +58 -24
  182. data/lib/contrast/config/agent_configuration.rb +21 -11
  183. data/lib/contrast/config/api_configuration.rb +12 -8
  184. data/lib/contrast/config/api_proxy_configuration.rb +7 -3
  185. data/lib/contrast/config/application_configuration.rb +15 -11
  186. data/lib/contrast/config/assess_configuration.rb +13 -9
  187. data/lib/contrast/config/assess_rules_configuration.rb +6 -2
  188. data/lib/contrast/config/base_configuration.rb +3 -35
  189. data/lib/contrast/config/certification_configuration.rb +9 -5
  190. data/lib/contrast/config/exception_configuration.rb +10 -7
  191. data/lib/contrast/config/heap_dump_configuration.rb +13 -9
  192. data/lib/contrast/config/inventory_configuration.rb +9 -6
  193. data/lib/contrast/config/logger_configuration.rb +9 -6
  194. data/lib/contrast/config/protect_configuration.rb +9 -6
  195. data/lib/contrast/config/protect_rule_configuration.rb +12 -8
  196. data/lib/contrast/config/protect_rules_configuration.rb +19 -18
  197. data/lib/contrast/config/request_audit_configuration.rb +10 -7
  198. data/lib/contrast/config/root_configuration.rb +29 -12
  199. data/lib/contrast/config/ruby_configuration.rb +14 -11
  200. data/lib/contrast/config/sampling_configuration.rb +11 -8
  201. data/lib/contrast/config/server_configuration.rb +13 -9
  202. data/lib/contrast/config/service_configuration.rb +14 -11
  203. data/lib/contrast/configuration.rb +23 -14
  204. data/lib/contrast/extension/assess/array.rb +1 -1
  205. data/lib/contrast/extension/assess/erb.rb +1 -1
  206. data/lib/contrast/extension/assess/marshal.rb +1 -1
  207. data/lib/contrast/extension/assess/string.rb +1 -1
  208. data/lib/contrast/extension/extension.rb +2 -2
  209. data/lib/contrast/framework/base_support.rb +8 -8
  210. data/lib/contrast/framework/grape/support.rb +3 -3
  211. data/lib/contrast/framework/manager.rb +5 -5
  212. data/lib/contrast/framework/manager_extend.rb +1 -1
  213. data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
  214. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
  215. data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
  216. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
  217. data/lib/contrast/framework/rails/patch/support.rb +14 -46
  218. data/lib/contrast/framework/rails/support.rb +2 -2
  219. data/lib/contrast/framework/sinatra/support.rb +1 -1
  220. data/lib/contrast/logger/aliased_logging.rb +94 -0
  221. data/lib/contrast/logger/application.rb +0 -4
  222. data/lib/contrast/logger/cef_log.rb +14 -14
  223. data/lib/contrast/logger/format.rb +1 -1
  224. data/lib/contrast/logger/log.rb +8 -8
  225. data/lib/contrast/tasks/config.rb +30 -21
  226. data/lib/contrast/tasks/service.rb +2 -2
  227. data/lib/contrast/utils/assess/tracking_util.rb +4 -4
  228. data/lib/contrast/utils/class_util.rb +6 -10
  229. data/lib/contrast/utils/findings.rb +3 -3
  230. data/lib/contrast/utils/hash_digest.rb +6 -7
  231. data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
  232. data/lib/contrast/utils/invalid_configuration_util.rb +2 -2
  233. data/lib/contrast/utils/log_utils.rb +6 -4
  234. data/lib/contrast/utils/lru_cache.rb +1 -1
  235. data/lib/contrast/utils/metrics_hash.rb +1 -1
  236. data/lib/contrast/utils/middleware_utils.rb +6 -6
  237. data/lib/contrast/utils/net_http_base.rb +4 -4
  238. data/lib/contrast/utils/object_share.rb +1 -1
  239. data/lib/contrast/utils/os.rb +1 -1
  240. data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
  241. data/lib/contrast/utils/request_utils.rb +2 -2
  242. data/lib/contrast/utils/sha256_builder.rb +4 -4
  243. data/lib/contrast/utils/stack_trace_utils.rb +31 -13
  244. data/lib/contrast/utils/telemetry.rb +22 -7
  245. data/lib/contrast/utils/telemetry_client.rb +27 -15
  246. data/lib/contrast/utils/telemetry_hash.rb +41 -0
  247. data/lib/contrast/utils/telemetry_identifier.rb +18 -3
  248. data/lib/contrast/utils/timer.rb +1 -1
  249. data/lib/contrast.rb +9 -0
  250. data/resources/assess/policy.json +1 -1
  251. data/ruby-agent.gemspec +1 -1
  252. data/service_executables/VERSION +1 -1
  253. data/service_executables/linux/contrast-service +0 -0
  254. data/service_executables/mac/contrast-service +0 -0
  255. metadata +41 -16
  256. data/lib/contrast/agent/telemetry/events/metric_telemetry_event.rb +0 -26
  257. data/lib/contrast/agent/telemetry/events/startup_metrics_telemetry_event.rb +0 -121
  258. data/lib/contrast/agent/telemetry/events/telemetry_event.rb +0 -33
  259. data/lib/contrast/agent/telemetry/telemetry.rb +0 -150
  260. data/lib/contrast/utils/exclude_key.rb +0 -20
@@ -99,10 +99,17 @@ module Contrast
99
99
  :CONTRAST_PATCH_POLICY_STATUS
100
100
  end
101
101
 
102
+ # @param mod [Module or Class] the entity on which the patch has been placed
103
+ # @param method [Symbol] the method being patched
104
+ # @param ret [Contrast::Agent::Patching::Policy::MethodPolicy] the policy of the patched method
102
105
  def update_holder mod, method, ret
103
- mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
104
- holder = mod.instance_variable_get(method_info_key)
105
- holder[method] = ret
106
+ unless mod.instance_variable_defined?(method_info_key) &&
107
+ (holder = mod.instance_variable_get(method_info_key))
108
+
109
+ holder = {}
110
+ mod.instance_variable_set(method_info_key, holder)
111
+ end
112
+ holder[method] = ret # rubocop:disable Lint/UselessSetterCall
106
113
  end
107
114
 
108
115
  def find_info_for candidates, method
@@ -207,7 +207,7 @@ module Contrast
207
207
  def patch_into_instance_methods module_data, module_policy
208
208
  mod = module_data.mod
209
209
  methods = all_instance_methods(mod, private: true)
210
- methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
210
+ methods.delete(:initialize) if mod.to_s.start_with?('RSpec') && mod.to_s.include?('Matchers')
211
211
  patch_into_methods(mod, methods, module_policy, true)
212
212
  end
213
213
 
@@ -20,6 +20,19 @@ module Contrast
20
20
  class Policy
21
21
  include Singleton
22
22
  include Contrast::Components::Logger::InstanceMethods
23
+ SOURCES_KEY = 'sources'
24
+ PROPAGATION_KEY = 'propagators'
25
+ RULES_KEY = 'rules'
26
+ TRIGGERS_KEY = 'triggers'
27
+ def initialize
28
+ @sources = []
29
+ @propagators = []
30
+ @triggers = []
31
+ @providers = {}
32
+
33
+ json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
34
+ from_hash_string(json)
35
+ end
23
36
 
24
37
  # Indicates the folder in `resources` where this policy lives.
25
38
  def self.policy_folder
@@ -38,25 +51,10 @@ module Contrast
38
51
 
39
52
  attr_reader :sources, :propagators, :triggers, :providers
40
53
 
41
- SOURCES_KEY = 'sources'
42
- PROPAGATION_KEY = 'propagators'
43
- RULES_KEY = 'rules'
44
- TRIGGERS_KEY = 'triggers'
45
-
46
54
  def self.policy_json
47
55
  File.join(policy_folder, 'policy.json').cs__freeze
48
56
  end
49
57
 
50
- def initialize
51
- @sources = []
52
- @propagators = []
53
- @triggers = []
54
- @providers = {}
55
-
56
- json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
57
- from_hash_string(json)
58
- end
59
-
60
58
  # Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
61
59
  # monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
62
60
  # be flexible and extensible.
@@ -14,6 +14,23 @@ module Contrast
14
14
  # @abstract
15
15
  class PolicyNode
16
16
  include Contrast::Components::Scope::InstanceMethods
17
+ JSON_METHOD_VISIBILITY = 'method_visibility'
18
+ JSON_PROPERTIES = 'properties'
19
+ JSON_METHOD_NAME = 'method_name'
20
+ JSON_METHOD_SCOPE = 'scope'
21
+ # The keys used to read from policy.json to create the individual
22
+ # policy nodes. These are common across node types
23
+ JSON_CLASS_NAME = 'class_name'
24
+ JSON_INSTANCE_METHOD = 'instance_method'
25
+ def initialize policy_hash = {}
26
+ @class_name = policy_hash[JSON_CLASS_NAME]
27
+ @instance_method = policy_hash[JSON_INSTANCE_METHOD]
28
+ @method_name = policy_hash[JSON_METHOD_NAME]
29
+ @method_scope = policy_hash[JSON_METHOD_SCOPE]
30
+ @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
31
+ @properties = policy_hash[JSON_PROPERTIES]
32
+ symbolize
33
+ end
17
34
 
18
35
  # Name of the class in which the method is being invoked.
19
36
  attr_accessor :class_name
@@ -31,21 +48,11 @@ module Contrast
31
48
  attr_reader :method_scope
32
49
 
33
50
  def node_class
34
- raise NoMethodError, 'specify the type of the feature for which this node patches'
51
+ raise(NoMethodError, 'specify the type of the feature for which this node patches')
35
52
  end
36
53
 
37
54
  def feature
38
- raise NoMethodError, 'specify the name of the feature for which this node patches'
39
- end
40
-
41
- def initialize policy_hash = {}
42
- @class_name = policy_hash[JSON_CLASS_NAME]
43
- @instance_method = policy_hash[JSON_INSTANCE_METHOD]
44
- @method_name = policy_hash[JSON_METHOD_NAME]
45
- @method_scope = policy_hash[JSON_METHOD_SCOPE]
46
- @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
47
- @properties = policy_hash[JSON_PROPERTIES]
48
- symbolize
55
+ raise(NoMethodError, 'specify the name of the feature for which this node patches')
49
56
  end
50
57
 
51
58
  def id
@@ -91,15 +98,6 @@ module Contrast
91
98
  @method_visibility = @method_visibility.to_sym if @method_visibility
92
99
  @method_scope = @method_scope.to_sym if @method_scope
93
100
  end
94
-
95
- # The keys used to read from policy.json to create the individual
96
- # policy nodes. These are common across node types
97
- JSON_CLASS_NAME = 'class_name'
98
- JSON_INSTANCE_METHOD = 'instance_method'
99
- JSON_METHOD_NAME = 'method_name'
100
- JSON_METHOD_SCOPE = 'scope'
101
- JSON_METHOD_VISIBILITY = 'method_visibility'
102
- JSON_PROPERTIES = 'properties'
103
101
  end
104
102
  end
105
103
  end
@@ -24,6 +24,7 @@ module Contrast
24
24
  attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
25
25
  :rule_id
26
26
 
27
+ NODE = 'Trigger'
27
28
  def initialize trigger_hash = {}, rule_hash = {}
28
29
  super(trigger_hash)
29
30
  @rule_id = rule_hash[JSON_NAME]
@@ -36,7 +37,6 @@ module Contrast
36
37
  @applicator_method = (trigger_hash[JSON_APPLICATOR_METHOD] || rule_hash[JSON_APPLICATOR_METHOD]).to_sym
37
38
  end
38
39
 
39
- NODE = 'Trigger'
40
40
  def node_class
41
41
  NODE
42
42
  end
@@ -8,6 +8,7 @@ require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
8
8
  require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
9
9
  require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
10
10
  require 'contrast/agent/protect/rule/unsafe_file_upload'
11
+ require 'contrast/components/logger'
11
12
  require 'contrast/utils/object_share'
12
13
  require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
13
14
  require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
@@ -19,128 +20,131 @@ module Contrast
19
20
  # InputAnalyzer will extract input form current request context and will analyze it.
20
21
  # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
21
22
  module InputAnalyzer
22
- DISPOSITION_NAME = 'name'
23
- DISPOSITION_FILENAME = 'filename'
24
-
25
- class << self
26
- include Contrast::Agent::Reporting::InputType
27
- include Contrast::Agent::Reporting::ScoreLevel
28
- include Contrast::Agent::Protect::Rule::SqliWorthWatching
29
- include Contrast::Utils::ObjectShare
30
- include Contrast::Agent::Protect::Rule::CmdiWorthWatching
31
-
32
- PROTECT_RULES = {
33
- sqli: {
34
- rule_name: 'sql-injection',
35
- classification: Contrast::Agent::Protect::Rule::SqliInputClassification
36
- },
37
- cmdi: {
38
- rule_name: 'cmd-injection',
39
- classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
40
- },
41
- method_tampering: {
42
- rule_name: 'method-tampering',
43
- classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
44
- },
45
- unsafe_file_upload: {
46
- rule_name: 'unsafe-file-upload',
47
- classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
48
- },
49
- nosqli: {
50
- rule_name: 'nosql-injection',
51
- classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
52
- }
53
- }.cs__freeze
54
-
55
- # This method with analyze the user input from the context of the
56
- # current request and run each of the protect rules against all
57
- # found input types
58
- #
59
- # @param request [Contrast::Agent::Request] current request context.
60
- # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
61
- def analyse request
62
- return unless Contrast::SETTINGS.protect_state.enabled
63
- return if request.nil?
64
-
65
- inputs = extract_input request
66
- return unless inputs
67
-
68
- input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
69
- input_analysis.request = request
70
- # each rule against each input
71
- input_classification inputs, input_analysis
72
- input_analysis
73
- end
74
-
75
- private
76
-
77
- # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
78
- #
79
- # @param inputs [String, Array<String>] user input to be analysed.
80
- # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
81
- # for each protect rule.
82
- # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
83
- def input_classification inputs, input_analysis
84
- # key = input type, value = user_input
85
- inputs.each do |input_type, value|
86
- next if value.nil? || value.empty?
87
-
88
- PROTECT_RULES.each do |_key, rule|
89
- # check if rule is enabled
90
- next unless Contrast::PROTECT.rule(rule[:rule_name]).enabled?
91
-
92
- # method tampering doesn't take value
93
- if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
94
- rule[:classification].send(:classify, input_type, input_analysis)
95
- else
96
- rule[:classification].send(:classify, input_type, value, input_analysis)
97
- end
98
- end
99
- end
100
- input_analysis
101
- end
102
-
103
- # Extract the inputs from the request context and label them with Protect
104
- # input type tags. Each tag will contain one or more user inputs.
105
- #
106
- # This methods is to be expanded and modified as needed by other Protect rules
107
- # and sub-rules for their requirements.
108
- #
109
- # @param request [Contrast::Agent::Request] current request context.
110
- # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
111
- def extract_input request
112
- inputs = {}
113
- inputs[BODY] = request.body
114
- inputs[COOKIE_NAME] = request.cookies.keys
115
- inputs[COOKIE_VALUE] = request.cookies.values
116
- inputs[HEADER] = request.headers
117
- inputs[PARAMETER_NAME] = request.parameters.keys
118
- inputs[PARAMETER_VALUE] = request.parameters.values
119
- inputs[QUERYSTRING] = request.query_string
120
- inputs[METHOD] = request.request_method
121
- extract_multipart inputs, request
122
- inputs.compact!
123
- inputs
124
- end
125
-
126
- # Extract the filename and name of the Content Disposition Header.
127
- #
128
- # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
129
- # @param request [Contrast::Agent::Request] current request context.
130
- def extract_multipart inputs, request
131
- disposition = request.rack_request.env['Content-Disposition']
132
- disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
133
- return unless disposition
134
-
135
- pairs = {}
136
- disposition.split(SEMICOLON).each do |elem|
137
- new_pair = elem.strip.split(EQUALS, 2)
138
- pairs[new_pair[0].downcase] = new_pair[1] if new_pair
139
- end
140
- inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
141
- inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
142
- end
143
- end
23
+ # DISPOSITION_NAME = 'name'
24
+ # DISPOSITION_FILENAME = 'filename'
25
+ #
26
+ # class << self
27
+ # include Contrast::Agent::Reporting::InputType
28
+ # include Contrast::Agent::Reporting::ScoreLevel
29
+ # include Contrast::Agent::Protect::Rule::SqliWorthWatching
30
+ # include Contrast::Utils::ObjectShare
31
+ # include Contrast::Agent::Protect::Rule::CmdiWorthWatching
32
+ #
33
+ # PROTECT_RULES = {
34
+ # sqli: {
35
+ # rule_name: 'sql-injection',
36
+ # classification: Contrast::Agent::Protect::Rule::SqliInputClassification
37
+ # },
38
+ # cmdi: {
39
+ # rule_name: 'cmd-injection',
40
+ # classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
41
+ # },
42
+ # method_tampering: {
43
+ # rule_name: 'method-tampering',
44
+ # classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
45
+ # },
46
+ # unsafe_file_upload: {
47
+ # rule_name: 'unsafe-file-upload',
48
+ # classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
49
+ # },
50
+ # nosqli: {
51
+ # rule_name: 'nosql-injection',
52
+ # classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
53
+ # }
54
+ # }.cs__freeze
55
+ #
56
+ # # This method with analyze the user input from the context of the
57
+ # # current request and run each of the protect rules against all
58
+ # # found input types
59
+ # #
60
+ # # @param request [Contrast::Agent::Request] current request context.
61
+ # # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
62
+ # def analyse request
63
+ # return unless Contrast::PROTECT.enabled?
64
+ # return if request.nil?
65
+ #
66
+ # inputs = extract_input request
67
+ # return unless inputs
68
+ #
69
+ # input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
70
+ # input_analysis.request = request
71
+ # # each rule against each input
72
+ # input_classification inputs, input_analysis
73
+ # input_analysis
74
+ # end
75
+ #
76
+ # private
77
+ #
78
+ # # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
79
+ # #
80
+ # # @param inputs [String, Array<String>] user input to be analysed.
81
+ # # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
82
+ # # for each protect rule.
83
+ # # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
84
+ # def input_classification inputs, input_analysis
85
+ # # key = input type, value = user_input
86
+ # inputs.each do |input_type, value|
87
+ # next if value.nil? || value.empty?
88
+ #
89
+ # PROTECT_RULES.each do |_key, rule|
90
+ # protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
91
+ # logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
92
+ #
93
+ # # check if rule is enabled
94
+ # next unless protect_rule&.enabled?
95
+ #
96
+ # # method tampering doesn't take value
97
+ # if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
98
+ # rule[:classification].send(:classify, input_type, input_analysis)
99
+ # else
100
+ # rule[:classification].send(:classify, input_type, value, input_analysis)
101
+ # end
102
+ # end
103
+ # end
104
+ # input_analysis
105
+ # end
106
+ #
107
+ # # Extract the inputs from the request context and label them with Protect
108
+ # # input type tags. Each tag will contain one or more user inputs.
109
+ # #
110
+ # # This methods is to be expanded and modified as needed by other Protect rules
111
+ # # and sub-rules for their requirements.
112
+ # #
113
+ # # @param request [Contrast::Agent::Request] current request context.
114
+ # # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
115
+ # def extract_input request
116
+ # inputs = {}
117
+ # inputs[BODY] = request.body
118
+ # inputs[COOKIE_NAME] = request.cookies.keys
119
+ # inputs[COOKIE_VALUE] = request.cookies.values
120
+ # inputs[HEADER] = request.headers
121
+ # inputs[PARAMETER_NAME] = request.parameters.keys
122
+ # inputs[PARAMETER_VALUE] = request.parameters.values
123
+ # inputs[QUERYSTRING] = request.query_string
124
+ # inputs[METHOD] = request.request_method
125
+ # extract_multipart inputs, request
126
+ # inputs.compact!
127
+ # inputs
128
+ # end
129
+ #
130
+ # # Extract the filename and name of the Content Disposition Header.
131
+ # #
132
+ # # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
133
+ # # @param request [Contrast::Agent::Request] current request context.
134
+ # def extract_multipart inputs, request
135
+ # disposition = request.rack_request.env['Content-Disposition']
136
+ # disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
137
+ # return unless disposition
138
+ #
139
+ # pairs = {}
140
+ # disposition.split(SEMICOLON).each do |elem|
141
+ # new_pair = elem.strip.split(EQUALS, 2)
142
+ # pairs[new_pair[0].downcase] = new_pair[1] if new_pair
143
+ # end
144
+ # inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
145
+ # inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
146
+ # end
147
+ # end
144
148
  end
145
149
  end
146
150
  end
@@ -55,9 +55,9 @@ module Contrast
55
55
  end
56
56
 
57
57
  def extract_mongo_data operation
58
- if operation.cs__respond_to? :selector
58
+ if operation.cs__respond_to?(:selector)
59
59
  operation.selector
60
- elsif operation.cs__respond_to? :documents
60
+ elsif operation.cs__respond_to?(:documents)
61
61
  operation.documents
62
62
  end
63
63
  end
@@ -69,7 +69,7 @@ module Contrast
69
69
 
70
70
  rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
71
71
  rescue Contrast::SecurityException => e
72
- raise e
72
+ raise(e)
73
73
  rescue StandardError => e
74
74
  logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
75
75
  end
@@ -111,7 +111,7 @@ module Contrast
111
111
  end
112
112
  end
113
113
  rescue Contrast::SecurityException => e
114
- raise e
114
+ raise(e)
115
115
  rescue StandardError => e
116
116
  parser ||= Contrast::Utils::ObjectShare::UNKNOWN
117
117
  logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,
@@ -38,7 +38,7 @@ module Contrast
38
38
  def apply_rule method, exception, properties, object, args
39
39
  invoke(method, exception, properties, object, args)
40
40
  rescue Contrast::SecurityException => e
41
- raise e
41
+ raise(e)
42
42
  rescue StandardError => e
43
43
  logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
44
44
  rule: rule_name)
@@ -64,14 +64,14 @@ module Contrast
64
64
  # @raise [Contrast::SecurityException] on block, will pass the
65
65
  # exception from the rule
66
66
  def invoke _method, _exception, _properties, _object, _args
67
- raise NoMethodError, 'This is abstract, override it.'
67
+ raise(NoMethodError, 'This is abstract, override it.')
68
68
  end
69
69
 
70
70
  # The name of the rule, as expected by the Contrast Service and Contrast UI.
71
71
  #
72
72
  # @return [String]
73
73
  def rule_name
74
- raise NoMethodError, 'This is abstract, override it.'
74
+ raise(NoMethodError, 'This is abstract, override it.')
75
75
  end
76
76
 
77
77
  # The rule for which this applicator applies. It'll be a concrete
@@ -80,7 +80,7 @@ module Contrast
80
80
  #
81
81
  # @return [Contrast::Agent::Protect::Rule::Base]
82
82
  def rule
83
- ::Contrast::PROTECT.rule rule_name
83
+ ::Contrast::PROTECT.rule(rule_name)
84
84
  end
85
85
 
86
86
  # Should we skip analysis for this rule for this method invocation?
@@ -180,13 +180,13 @@ module Contrast
180
180
  # @param attack [Symbol] the type of message we want to send
181
181
  # @param value [String] the input value we want to log
182
182
  def cef_logging result, attack = :ineffective_attack, value = nil
183
- sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
184
- outcome = if result.response.cs__is_a? Hash
183
+ sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0])
184
+ outcome = if result.response.cs__is_a?(Hash)
185
185
  Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
186
186
  else
187
187
  Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
188
188
  end
189
- input_type = extract_input_type sample_to_json[:user_input].input_type
189
+ input_type = extract_input_type(sample_to_json[:user_input].input_type)
190
190
  input_value = value || sample_to_json[:user_input].value
191
191
  cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
192
192
  end
@@ -231,7 +231,7 @@ module Contrast
231
231
  # @param _kwargs [Hash] key-value pairs used by the rule to build a
232
232
  # report.
233
233
  def find_attacker _context, _potential_attack_string, **_kwargs
234
- raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
234
+ raise(NoMethodError, "Rule #{ rule_name } did not implement find_attack")
235
235
  end
236
236
 
237
237
  def update_successful_attack_response context, ia_result, result, attack_string = nil
@@ -248,6 +248,13 @@ module Contrast
248
248
  result
249
249
  end
250
250
 
251
+ # @param context [Contrast::Agent::RequestContext] the context of the
252
+ # request in which this input is evaluated.
253
+ # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
254
+ # analysis of the input that was determined to be an attack
255
+ # @param result [Contrast::Api::Dtm::AttackResult] previous
256
+ # attack result for this rule, if one exists, in the case of
257
+ # multiple inputs being found to violate the protection criteria
251
258
  def update_perimeter_attack_response context, ia_result, result
252
259
  if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
253
260
  result.response = if blocked_rule?(ia_result)
@@ -257,7 +264,7 @@ module Contrast
257
264
  end
258
265
  log_rule_matched(context, ia_result, result.response)
259
266
  elsif ia_result.nil? || ia_result.attack_count.zero?
260
- result.response = assign_reporter_response_type ia_result
267
+ result.response = assign_reporter_response_type(ia_result)
261
268
  log_rule_probed(context, ia_result)
262
269
  end
263
270
 
@@ -320,7 +327,7 @@ module Contrast
320
327
  # @param enum [Enumerable]
321
328
  # @return [Symbol]
322
329
  def extract_input_type enum
323
- Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
330
+ Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag(enum)
324
331
  end
325
332
 
326
333
  private
@@ -339,21 +346,26 @@ module Contrast
339
346
  name: ia_result&.key, input: ia_result&.value)
340
347
  end
341
348
 
342
- # Handles the Response type for different Protect rules.
343
- # Some rules need to report SUSPICIOUS over PROBED in
349
+ # Some rules are reported as suspicious, rather than exploited or probed, b/c they don't actually follow
350
+ # input tracing or other detection types that provide enough confidnece for a determination.
351
+ #
352
+ # @param ia_result
353
+ # @return [Boolean]
354
+ def suspicious_rule? ia_result
355
+ [
356
+ Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
357
+ Contrast::Agent::Protect::Rule::Xss::NAME
358
+ ].include?(ia_result&.rule_id)
359
+ end
360
+
361
+ # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
344
362
  # MONITORED mode.
345
363
  #
346
- # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
347
- # @return [Contrast::Agent::Reporting::ResponseType,
348
- # Contrast::Api::Dtm::AttackResult::ResponseType]
364
+ # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
365
+ # determined to be an attack
349
366
  def assign_reporter_response_type ia_result
350
- if (ia_result&.rule_id == Contrast::Agent::Protect::Rule::Xss::NAME ||
351
- Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME) &&
352
- Contrast::CONTRAST_SERVICE.use_agent_communication?
353
-
354
- # Here we'll have xss or unsafe file upload in monitoring mode
355
- # and we have to report it as SUSPICIOUS, not as PROBED.
356
- Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
367
+ if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
368
+ Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
357
369
  else
358
370
  Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
359
371
  end