contrast-agent 6.0.0 → 6.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +1 -1
- data/Rakefile +1 -1
- data/ext/build_funchook.rb +3 -3
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +5 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +15 -2
- data/ext/cs__assess_regexp/cs__assess_regexp.h +2 -0
- data/ext/cs__assess_string/cs__assess_string.c +8 -0
- data/ext/cs__assess_test/cs__assess_test.h +9 -0
- data/ext/cs__assess_test/cs__assess_tests.c +22 -0
- data/ext/cs__assess_test/extconf.rb +5 -0
- data/ext/cs__common/cs__common.c +101 -0
- data/ext/cs__common/cs__common.h +29 -5
- data/ext/cs__contrast_patch/cs__contrast_patch.c +1 -1
- data/ext/cs__tests/cs__tests.c +12 -0
- data/ext/cs__tests/cs__tests.h +3 -0
- data/ext/cs__tests/extconf.rb +5 -0
- data/ext/extconf_common.rb +1 -1
- data/lib/contrast/agent/assess/contrast_object.rb +16 -16
- data/lib/contrast/agent/assess/events/source_event.rb +17 -19
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -2
- data/lib/contrast/agent/assess/policy/policy.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_node.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -16
- data/lib/contrast/agent/assess/policy/propagation_method.rb +3 -3
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +17 -21
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +10 -18
- data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +2 -2
- data/lib/contrast/agent/assess/property/tagged.rb +2 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +12 -7
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +13 -6
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +66 -43
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
- data/lib/contrast/agent/assess/tag.rb +13 -14
- data/lib/contrast/agent/at_exit_hook.rb +12 -1
- data/lib/contrast/agent/inventory/database_config.rb +22 -7
- data/lib/contrast/agent/middleware.rb +9 -6
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -5
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
- data/lib/contrast/agent/patching/policy/patch.rb +20 -19
- data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
- data/lib/contrast/agent/patching/policy/patcher.rb +1 -1
- data/lib/contrast/agent/patching/policy/policy.rb +13 -15
- data/lib/contrast/agent/patching/policy/policy_node.rb +19 -21
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +126 -122
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
- data/lib/contrast/agent/protect/rule/base.rb +30 -18
- data/lib/contrast/agent/protect/rule/base_service.rb +31 -14
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +16 -9
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +3 -3
- data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +74 -74
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +71 -53
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +3 -3
- data/lib/contrast/agent/protect/rule/no_sqli.rb +15 -16
- data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +61 -61
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +29 -29
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +32 -32
- data/lib/contrast/agent/protect/rule/xss.rb +17 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
- data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +36 -36
- data/lib/contrast/agent/reporting/masker/masker.rb +18 -21
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +10 -6
- data/lib/contrast/agent/reporting/reporter.rb +11 -16
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +96 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +182 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +56 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +60 -0
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +15 -11
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +7 -12
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +9 -3
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +2 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +10 -8
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +6 -10
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +12 -20
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +17 -27
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +15 -10
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -67
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +17 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +9 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +17 -17
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +47 -32
- data/lib/contrast/agent/reporting/settings/application_settings.rb +1 -1
- data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +3 -3
- data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +21 -6
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +6 -6
- data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +2 -2
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +2 -2
- data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
- data/lib/contrast/agent/request.rb +5 -5
- data/lib/contrast/agent/request_context.rb +23 -19
- data/lib/contrast/agent/request_context_extend.rb +11 -24
- data/lib/contrast/agent/request_handler.rb +4 -4
- data/lib/contrast/agent/response.rb +2 -0
- data/lib/contrast/agent/rule_set.rb +2 -2
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +6 -48
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/telemetry/base.rb +155 -0
- data/lib/contrast/agent/telemetry/events/event.rb +35 -0
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +44 -36
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +29 -21
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +91 -73
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +62 -44
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +50 -33
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +20 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +30 -0
- data/lib/contrast/agent/telemetry/events/metric_event.rb +28 -0
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +123 -0
- data/lib/contrast/agent/thread_watcher.rb +52 -68
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent/worker_thread.rb +8 -0
- data/lib/contrast/agent.rb +1 -3
- data/lib/contrast/api/communication/messaging_queue.rb +29 -12
- data/lib/contrast/api/communication/response_processor.rb +7 -10
- data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +1 -1
- data/lib/contrast/api/communication/speedracer.rb +3 -3
- data/lib/contrast/api/decorators/activity.rb +33 -0
- data/lib/contrast/api/decorators/agent_startup.rb +10 -9
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +4 -4
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/response_type.rb +4 -17
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/base.rb +1 -1
- data/lib/contrast/components/config.rb +19 -28
- data/lib/contrast/components/contrast_service.rb +13 -1
- data/lib/contrast/components/sampling.rb +1 -1
- data/lib/contrast/components/settings.rb +58 -24
- data/lib/contrast/config/agent_configuration.rb +21 -11
- data/lib/contrast/config/api_configuration.rb +12 -8
- data/lib/contrast/config/api_proxy_configuration.rb +7 -3
- data/lib/contrast/config/application_configuration.rb +15 -11
- data/lib/contrast/config/assess_configuration.rb +13 -9
- data/lib/contrast/config/assess_rules_configuration.rb +6 -2
- data/lib/contrast/config/base_configuration.rb +3 -35
- data/lib/contrast/config/certification_configuration.rb +9 -5
- data/lib/contrast/config/exception_configuration.rb +10 -7
- data/lib/contrast/config/heap_dump_configuration.rb +13 -9
- data/lib/contrast/config/inventory_configuration.rb +9 -6
- data/lib/contrast/config/logger_configuration.rb +9 -6
- data/lib/contrast/config/protect_configuration.rb +9 -6
- data/lib/contrast/config/protect_rule_configuration.rb +12 -8
- data/lib/contrast/config/protect_rules_configuration.rb +19 -18
- data/lib/contrast/config/request_audit_configuration.rb +10 -7
- data/lib/contrast/config/root_configuration.rb +29 -12
- data/lib/contrast/config/ruby_configuration.rb +14 -11
- data/lib/contrast/config/sampling_configuration.rb +11 -8
- data/lib/contrast/config/server_configuration.rb +13 -9
- data/lib/contrast/config/service_configuration.rb +14 -11
- data/lib/contrast/configuration.rb +23 -14
- data/lib/contrast/extension/assess/array.rb +1 -1
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/assess/marshal.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +1 -1
- data/lib/contrast/extension/extension.rb +2 -2
- data/lib/contrast/framework/base_support.rb +8 -8
- data/lib/contrast/framework/grape/support.rb +3 -3
- data/lib/contrast/framework/manager.rb +5 -5
- data/lib/contrast/framework/manager_extend.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +14 -46
- data/lib/contrast/framework/rails/support.rb +2 -2
- data/lib/contrast/framework/sinatra/support.rb +1 -1
- data/lib/contrast/logger/aliased_logging.rb +94 -0
- data/lib/contrast/logger/application.rb +0 -4
- data/lib/contrast/logger/cef_log.rb +14 -14
- data/lib/contrast/logger/format.rb +1 -1
- data/lib/contrast/logger/log.rb +8 -8
- data/lib/contrast/tasks/config.rb +30 -21
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/tracking_util.rb +4 -4
- data/lib/contrast/utils/class_util.rb +6 -10
- data/lib/contrast/utils/findings.rb +3 -3
- data/lib/contrast/utils/hash_digest.rb +6 -7
- data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
- data/lib/contrast/utils/invalid_configuration_util.rb +2 -2
- data/lib/contrast/utils/log_utils.rb +6 -4
- data/lib/contrast/utils/lru_cache.rb +1 -1
- data/lib/contrast/utils/metrics_hash.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +6 -6
- data/lib/contrast/utils/net_http_base.rb +4 -4
- data/lib/contrast/utils/object_share.rb +1 -1
- data/lib/contrast/utils/os.rb +1 -1
- data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
- data/lib/contrast/utils/request_utils.rb +2 -2
- data/lib/contrast/utils/sha256_builder.rb +4 -4
- data/lib/contrast/utils/stack_trace_utils.rb +31 -13
- data/lib/contrast/utils/telemetry.rb +22 -7
- data/lib/contrast/utils/telemetry_client.rb +27 -15
- data/lib/contrast/utils/telemetry_hash.rb +41 -0
- data/lib/contrast/utils/telemetry_identifier.rb +18 -3
- data/lib/contrast/utils/timer.rb +1 -1
- data/lib/contrast.rb +9 -0
- data/resources/assess/policy.json +1 -1
- data/ruby-agent.gemspec +1 -1
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +41 -16
- data/lib/contrast/agent/telemetry/events/metric_telemetry_event.rb +0 -26
- data/lib/contrast/agent/telemetry/events/startup_metrics_telemetry_event.rb +0 -121
- data/lib/contrast/agent/telemetry/events/telemetry_event.rb +0 -33
- data/lib/contrast/agent/telemetry/telemetry.rb +0 -150
- data/lib/contrast/utils/exclude_key.rb +0 -20
@@ -99,10 +99,17 @@ module Contrast
|
|
99
99
|
:CONTRAST_PATCH_POLICY_STATUS
|
100
100
|
end
|
101
101
|
|
102
|
+
# @param mod [Module or Class] the entity on which the patch has been placed
|
103
|
+
# @param method [Symbol] the method being patched
|
104
|
+
# @param ret [Contrast::Agent::Patching::Policy::MethodPolicy] the policy of the patched method
|
102
105
|
def update_holder mod, method, ret
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
+
unless mod.instance_variable_defined?(method_info_key) &&
|
107
|
+
(holder = mod.instance_variable_get(method_info_key))
|
108
|
+
|
109
|
+
holder = {}
|
110
|
+
mod.instance_variable_set(method_info_key, holder)
|
111
|
+
end
|
112
|
+
holder[method] = ret # rubocop:disable Lint/UselessSetterCall
|
106
113
|
end
|
107
114
|
|
108
115
|
def find_info_for candidates, method
|
@@ -207,7 +207,7 @@ module Contrast
|
|
207
207
|
def patch_into_instance_methods module_data, module_policy
|
208
208
|
mod = module_data.mod
|
209
209
|
methods = all_instance_methods(mod, private: true)
|
210
|
-
methods.delete(:initialize) if mod.to_s.
|
210
|
+
methods.delete(:initialize) if mod.to_s.start_with?('RSpec') && mod.to_s.include?('Matchers')
|
211
211
|
patch_into_methods(mod, methods, module_policy, true)
|
212
212
|
end
|
213
213
|
|
@@ -20,6 +20,19 @@ module Contrast
|
|
20
20
|
class Policy
|
21
21
|
include Singleton
|
22
22
|
include Contrast::Components::Logger::InstanceMethods
|
23
|
+
SOURCES_KEY = 'sources'
|
24
|
+
PROPAGATION_KEY = 'propagators'
|
25
|
+
RULES_KEY = 'rules'
|
26
|
+
TRIGGERS_KEY = 'triggers'
|
27
|
+
def initialize
|
28
|
+
@sources = []
|
29
|
+
@propagators = []
|
30
|
+
@triggers = []
|
31
|
+
@providers = {}
|
32
|
+
|
33
|
+
json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
|
34
|
+
from_hash_string(json)
|
35
|
+
end
|
23
36
|
|
24
37
|
# Indicates the folder in `resources` where this policy lives.
|
25
38
|
def self.policy_folder
|
@@ -38,25 +51,10 @@ module Contrast
|
|
38
51
|
|
39
52
|
attr_reader :sources, :propagators, :triggers, :providers
|
40
53
|
|
41
|
-
SOURCES_KEY = 'sources'
|
42
|
-
PROPAGATION_KEY = 'propagators'
|
43
|
-
RULES_KEY = 'rules'
|
44
|
-
TRIGGERS_KEY = 'triggers'
|
45
|
-
|
46
54
|
def self.policy_json
|
47
55
|
File.join(policy_folder, 'policy.json').cs__freeze
|
48
56
|
end
|
49
57
|
|
50
|
-
def initialize
|
51
|
-
@sources = []
|
52
|
-
@propagators = []
|
53
|
-
@triggers = []
|
54
|
-
@providers = {}
|
55
|
-
|
56
|
-
json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
|
57
|
-
from_hash_string(json)
|
58
|
-
end
|
59
|
-
|
60
58
|
# Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
|
61
59
|
# monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
|
62
60
|
# be flexible and extensible.
|
@@ -14,6 +14,23 @@ module Contrast
|
|
14
14
|
# @abstract
|
15
15
|
class PolicyNode
|
16
16
|
include Contrast::Components::Scope::InstanceMethods
|
17
|
+
JSON_METHOD_VISIBILITY = 'method_visibility'
|
18
|
+
JSON_PROPERTIES = 'properties'
|
19
|
+
JSON_METHOD_NAME = 'method_name'
|
20
|
+
JSON_METHOD_SCOPE = 'scope'
|
21
|
+
# The keys used to read from policy.json to create the individual
|
22
|
+
# policy nodes. These are common across node types
|
23
|
+
JSON_CLASS_NAME = 'class_name'
|
24
|
+
JSON_INSTANCE_METHOD = 'instance_method'
|
25
|
+
def initialize policy_hash = {}
|
26
|
+
@class_name = policy_hash[JSON_CLASS_NAME]
|
27
|
+
@instance_method = policy_hash[JSON_INSTANCE_METHOD]
|
28
|
+
@method_name = policy_hash[JSON_METHOD_NAME]
|
29
|
+
@method_scope = policy_hash[JSON_METHOD_SCOPE]
|
30
|
+
@method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
|
31
|
+
@properties = policy_hash[JSON_PROPERTIES]
|
32
|
+
symbolize
|
33
|
+
end
|
17
34
|
|
18
35
|
# Name of the class in which the method is being invoked.
|
19
36
|
attr_accessor :class_name
|
@@ -31,21 +48,11 @@ module Contrast
|
|
31
48
|
attr_reader :method_scope
|
32
49
|
|
33
50
|
def node_class
|
34
|
-
raise
|
51
|
+
raise(NoMethodError, 'specify the type of the feature for which this node patches')
|
35
52
|
end
|
36
53
|
|
37
54
|
def feature
|
38
|
-
raise
|
39
|
-
end
|
40
|
-
|
41
|
-
def initialize policy_hash = {}
|
42
|
-
@class_name = policy_hash[JSON_CLASS_NAME]
|
43
|
-
@instance_method = policy_hash[JSON_INSTANCE_METHOD]
|
44
|
-
@method_name = policy_hash[JSON_METHOD_NAME]
|
45
|
-
@method_scope = policy_hash[JSON_METHOD_SCOPE]
|
46
|
-
@method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
|
47
|
-
@properties = policy_hash[JSON_PROPERTIES]
|
48
|
-
symbolize
|
55
|
+
raise(NoMethodError, 'specify the name of the feature for which this node patches')
|
49
56
|
end
|
50
57
|
|
51
58
|
def id
|
@@ -91,15 +98,6 @@ module Contrast
|
|
91
98
|
@method_visibility = @method_visibility.to_sym if @method_visibility
|
92
99
|
@method_scope = @method_scope.to_sym if @method_scope
|
93
100
|
end
|
94
|
-
|
95
|
-
# The keys used to read from policy.json to create the individual
|
96
|
-
# policy nodes. These are common across node types
|
97
|
-
JSON_CLASS_NAME = 'class_name'
|
98
|
-
JSON_INSTANCE_METHOD = 'instance_method'
|
99
|
-
JSON_METHOD_NAME = 'method_name'
|
100
|
-
JSON_METHOD_SCOPE = 'scope'
|
101
|
-
JSON_METHOD_VISIBILITY = 'method_visibility'
|
102
|
-
JSON_PROPERTIES = 'properties'
|
103
101
|
end
|
104
102
|
end
|
105
103
|
end
|
@@ -24,6 +24,7 @@ module Contrast
|
|
24
24
|
attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
|
25
25
|
:rule_id
|
26
26
|
|
27
|
+
NODE = 'Trigger'
|
27
28
|
def initialize trigger_hash = {}, rule_hash = {}
|
28
29
|
super(trigger_hash)
|
29
30
|
@rule_id = rule_hash[JSON_NAME]
|
@@ -36,7 +37,6 @@ module Contrast
|
|
36
37
|
@applicator_method = (trigger_hash[JSON_APPLICATOR_METHOD] || rule_hash[JSON_APPLICATOR_METHOD]).to_sym
|
37
38
|
end
|
38
39
|
|
39
|
-
NODE = 'Trigger'
|
40
40
|
def node_class
|
41
41
|
NODE
|
42
42
|
end
|
@@ -8,6 +8,7 @@ require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
|
|
8
8
|
require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
|
9
9
|
require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
|
10
10
|
require 'contrast/agent/protect/rule/unsafe_file_upload'
|
11
|
+
require 'contrast/components/logger'
|
11
12
|
require 'contrast/utils/object_share'
|
12
13
|
require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
|
13
14
|
require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
|
@@ -19,128 +20,131 @@ module Contrast
|
|
19
20
|
# InputAnalyzer will extract input form current request context and will analyze it.
|
20
21
|
# This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
|
21
22
|
module InputAnalyzer
|
22
|
-
DISPOSITION_NAME = 'name'
|
23
|
-
DISPOSITION_FILENAME = 'filename'
|
24
|
-
|
25
|
-
class << self
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
23
|
+
# DISPOSITION_NAME = 'name'
|
24
|
+
# DISPOSITION_FILENAME = 'filename'
|
25
|
+
#
|
26
|
+
# class << self
|
27
|
+
# include Contrast::Agent::Reporting::InputType
|
28
|
+
# include Contrast::Agent::Reporting::ScoreLevel
|
29
|
+
# include Contrast::Agent::Protect::Rule::SqliWorthWatching
|
30
|
+
# include Contrast::Utils::ObjectShare
|
31
|
+
# include Contrast::Agent::Protect::Rule::CmdiWorthWatching
|
32
|
+
#
|
33
|
+
# PROTECT_RULES = {
|
34
|
+
# sqli: {
|
35
|
+
# rule_name: 'sql-injection',
|
36
|
+
# classification: Contrast::Agent::Protect::Rule::SqliInputClassification
|
37
|
+
# },
|
38
|
+
# cmdi: {
|
39
|
+
# rule_name: 'cmd-injection',
|
40
|
+
# classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
|
41
|
+
# },
|
42
|
+
# method_tampering: {
|
43
|
+
# rule_name: 'method-tampering',
|
44
|
+
# classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
|
45
|
+
# },
|
46
|
+
# unsafe_file_upload: {
|
47
|
+
# rule_name: 'unsafe-file-upload',
|
48
|
+
# classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
|
49
|
+
# },
|
50
|
+
# nosqli: {
|
51
|
+
# rule_name: 'nosql-injection',
|
52
|
+
# classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
|
53
|
+
# }
|
54
|
+
# }.cs__freeze
|
55
|
+
#
|
56
|
+
# # This method with analyze the user input from the context of the
|
57
|
+
# # current request and run each of the protect rules against all
|
58
|
+
# # found input types
|
59
|
+
# #
|
60
|
+
# # @param request [Contrast::Agent::Request] current request context.
|
61
|
+
# # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
|
62
|
+
# def analyse request
|
63
|
+
# return unless Contrast::PROTECT.enabled?
|
64
|
+
# return if request.nil?
|
65
|
+
#
|
66
|
+
# inputs = extract_input request
|
67
|
+
# return unless inputs
|
68
|
+
#
|
69
|
+
# input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
|
70
|
+
# input_analysis.request = request
|
71
|
+
# # each rule against each input
|
72
|
+
# input_classification inputs, input_analysis
|
73
|
+
# input_analysis
|
74
|
+
# end
|
75
|
+
#
|
76
|
+
# private
|
77
|
+
#
|
78
|
+
# # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
|
79
|
+
# #
|
80
|
+
# # @param inputs [String, Array<String>] user input to be analysed.
|
81
|
+
# # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
|
82
|
+
# # for each protect rule.
|
83
|
+
# # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
|
84
|
+
# def input_classification inputs, input_analysis
|
85
|
+
# # key = input type, value = user_input
|
86
|
+
# inputs.each do |input_type, value|
|
87
|
+
# next if value.nil? || value.empty?
|
88
|
+
#
|
89
|
+
# PROTECT_RULES.each do |_key, rule|
|
90
|
+
# protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
|
91
|
+
# logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
|
92
|
+
#
|
93
|
+
# # check if rule is enabled
|
94
|
+
# next unless protect_rule&.enabled?
|
95
|
+
#
|
96
|
+
# # method tampering doesn't take value
|
97
|
+
# if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
|
98
|
+
# rule[:classification].send(:classify, input_type, input_analysis)
|
99
|
+
# else
|
100
|
+
# rule[:classification].send(:classify, input_type, value, input_analysis)
|
101
|
+
# end
|
102
|
+
# end
|
103
|
+
# end
|
104
|
+
# input_analysis
|
105
|
+
# end
|
106
|
+
#
|
107
|
+
# # Extract the inputs from the request context and label them with Protect
|
108
|
+
# # input type tags. Each tag will contain one or more user inputs.
|
109
|
+
# #
|
110
|
+
# # This methods is to be expanded and modified as needed by other Protect rules
|
111
|
+
# # and sub-rules for their requirements.
|
112
|
+
# #
|
113
|
+
# # @param request [Contrast::Agent::Request] current request context.
|
114
|
+
# # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
|
115
|
+
# def extract_input request
|
116
|
+
# inputs = {}
|
117
|
+
# inputs[BODY] = request.body
|
118
|
+
# inputs[COOKIE_NAME] = request.cookies.keys
|
119
|
+
# inputs[COOKIE_VALUE] = request.cookies.values
|
120
|
+
# inputs[HEADER] = request.headers
|
121
|
+
# inputs[PARAMETER_NAME] = request.parameters.keys
|
122
|
+
# inputs[PARAMETER_VALUE] = request.parameters.values
|
123
|
+
# inputs[QUERYSTRING] = request.query_string
|
124
|
+
# inputs[METHOD] = request.request_method
|
125
|
+
# extract_multipart inputs, request
|
126
|
+
# inputs.compact!
|
127
|
+
# inputs
|
128
|
+
# end
|
129
|
+
#
|
130
|
+
# # Extract the filename and name of the Content Disposition Header.
|
131
|
+
# #
|
132
|
+
# # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
|
133
|
+
# # @param request [Contrast::Agent::Request] current request context.
|
134
|
+
# def extract_multipart inputs, request
|
135
|
+
# disposition = request.rack_request.env['Content-Disposition']
|
136
|
+
# disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
|
137
|
+
# return unless disposition
|
138
|
+
#
|
139
|
+
# pairs = {}
|
140
|
+
# disposition.split(SEMICOLON).each do |elem|
|
141
|
+
# new_pair = elem.strip.split(EQUALS, 2)
|
142
|
+
# pairs[new_pair[0].downcase] = new_pair[1] if new_pair
|
143
|
+
# end
|
144
|
+
# inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
|
145
|
+
# inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
|
146
|
+
# end
|
147
|
+
# end
|
144
148
|
end
|
145
149
|
end
|
146
150
|
end
|
@@ -55,9 +55,9 @@ module Contrast
|
|
55
55
|
end
|
56
56
|
|
57
57
|
def extract_mongo_data operation
|
58
|
-
if operation.cs__respond_to?
|
58
|
+
if operation.cs__respond_to?(:selector)
|
59
59
|
operation.selector
|
60
|
-
elsif operation.cs__respond_to?
|
60
|
+
elsif operation.cs__respond_to?(:documents)
|
61
61
|
operation.documents
|
62
62
|
end
|
63
63
|
end
|
@@ -69,7 +69,7 @@ module Contrast
|
|
69
69
|
|
70
70
|
rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
|
71
71
|
rescue Contrast::SecurityException => e
|
72
|
-
raise
|
72
|
+
raise(e)
|
73
73
|
rescue StandardError => e
|
74
74
|
logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
|
75
75
|
end
|
@@ -111,7 +111,7 @@ module Contrast
|
|
111
111
|
end
|
112
112
|
end
|
113
113
|
rescue Contrast::SecurityException => e
|
114
|
-
raise
|
114
|
+
raise(e)
|
115
115
|
rescue StandardError => e
|
116
116
|
parser ||= Contrast::Utils::ObjectShare::UNKNOWN
|
117
117
|
logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,
|
@@ -38,7 +38,7 @@ module Contrast
|
|
38
38
|
def apply_rule method, exception, properties, object, args
|
39
39
|
invoke(method, exception, properties, object, args)
|
40
40
|
rescue Contrast::SecurityException => e
|
41
|
-
raise
|
41
|
+
raise(e)
|
42
42
|
rescue StandardError => e
|
43
43
|
logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
|
44
44
|
rule: rule_name)
|
@@ -64,14 +64,14 @@ module Contrast
|
|
64
64
|
# @raise [Contrast::SecurityException] on block, will pass the
|
65
65
|
# exception from the rule
|
66
66
|
def invoke _method, _exception, _properties, _object, _args
|
67
|
-
raise
|
67
|
+
raise(NoMethodError, 'This is abstract, override it.')
|
68
68
|
end
|
69
69
|
|
70
70
|
# The name of the rule, as expected by the Contrast Service and Contrast UI.
|
71
71
|
#
|
72
72
|
# @return [String]
|
73
73
|
def rule_name
|
74
|
-
raise
|
74
|
+
raise(NoMethodError, 'This is abstract, override it.')
|
75
75
|
end
|
76
76
|
|
77
77
|
# The rule for which this applicator applies. It'll be a concrete
|
@@ -80,7 +80,7 @@ module Contrast
|
|
80
80
|
#
|
81
81
|
# @return [Contrast::Agent::Protect::Rule::Base]
|
82
82
|
def rule
|
83
|
-
::Contrast::PROTECT.rule
|
83
|
+
::Contrast::PROTECT.rule(rule_name)
|
84
84
|
end
|
85
85
|
|
86
86
|
# Should we skip analysis for this rule for this method invocation?
|
@@ -180,13 +180,13 @@ module Contrast
|
|
180
180
|
# @param attack [Symbol] the type of message we want to send
|
181
181
|
# @param value [String] the input value we want to log
|
182
182
|
def cef_logging result, attack = :ineffective_attack, value = nil
|
183
|
-
sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash
|
184
|
-
outcome = if result.response.cs__is_a?
|
183
|
+
sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0])
|
184
|
+
outcome = if result.response.cs__is_a?(Hash)
|
185
185
|
Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
|
186
186
|
else
|
187
187
|
Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
|
188
188
|
end
|
189
|
-
input_type = extract_input_type
|
189
|
+
input_type = extract_input_type(sample_to_json[:user_input].input_type)
|
190
190
|
input_value = value || sample_to_json[:user_input].value
|
191
191
|
cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
|
192
192
|
end
|
@@ -231,7 +231,7 @@ module Contrast
|
|
231
231
|
# @param _kwargs [Hash] key-value pairs used by the rule to build a
|
232
232
|
# report.
|
233
233
|
def find_attacker _context, _potential_attack_string, **_kwargs
|
234
|
-
raise
|
234
|
+
raise(NoMethodError, "Rule #{ rule_name } did not implement find_attack")
|
235
235
|
end
|
236
236
|
|
237
237
|
def update_successful_attack_response context, ia_result, result, attack_string = nil
|
@@ -248,6 +248,13 @@ module Contrast
|
|
248
248
|
result
|
249
249
|
end
|
250
250
|
|
251
|
+
# @param context [Contrast::Agent::RequestContext] the context of the
|
252
|
+
# request in which this input is evaluated.
|
253
|
+
# @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
|
254
|
+
# analysis of the input that was determined to be an attack
|
255
|
+
# @param result [Contrast::Api::Dtm::AttackResult] previous
|
256
|
+
# attack result for this rule, if one exists, in the case of
|
257
|
+
# multiple inputs being found to violate the protection criteria
|
251
258
|
def update_perimeter_attack_response context, ia_result, result
|
252
259
|
if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
|
253
260
|
result.response = if blocked_rule?(ia_result)
|
@@ -257,7 +264,7 @@ module Contrast
|
|
257
264
|
end
|
258
265
|
log_rule_matched(context, ia_result, result.response)
|
259
266
|
elsif ia_result.nil? || ia_result.attack_count.zero?
|
260
|
-
result.response = assign_reporter_response_type
|
267
|
+
result.response = assign_reporter_response_type(ia_result)
|
261
268
|
log_rule_probed(context, ia_result)
|
262
269
|
end
|
263
270
|
|
@@ -320,7 +327,7 @@ module Contrast
|
|
320
327
|
# @param enum [Enumerable]
|
321
328
|
# @return [Symbol]
|
322
329
|
def extract_input_type enum
|
323
|
-
Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag
|
330
|
+
Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag(enum)
|
324
331
|
end
|
325
332
|
|
326
333
|
private
|
@@ -339,21 +346,26 @@ module Contrast
|
|
339
346
|
name: ia_result&.key, input: ia_result&.value)
|
340
347
|
end
|
341
348
|
|
342
|
-
#
|
343
|
-
#
|
349
|
+
# Some rules are reported as suspicious, rather than exploited or probed, b/c they don't actually follow
|
350
|
+
# input tracing or other detection types that provide enough confidnece for a determination.
|
351
|
+
#
|
352
|
+
# @param ia_result
|
353
|
+
# @return [Boolean]
|
354
|
+
def suspicious_rule? ia_result
|
355
|
+
[
|
356
|
+
Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
|
357
|
+
Contrast::Agent::Protect::Rule::Xss::NAME
|
358
|
+
].include?(ia_result&.rule_id)
|
359
|
+
end
|
360
|
+
|
361
|
+
# Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
|
344
362
|
# MONITORED mode.
|
345
363
|
#
|
346
|
-
# @param ia_result [Contrast::
|
347
|
-
#
|
348
|
-
# Contrast::Api::Dtm::AttackResult::ResponseType]
|
364
|
+
# @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
|
365
|
+
# determined to be an attack
|
349
366
|
def assign_reporter_response_type ia_result
|
350
|
-
if (ia_result
|
351
|
-
|
352
|
-
Contrast::CONTRAST_SERVICE.use_agent_communication?
|
353
|
-
|
354
|
-
# Here we'll have xss or unsafe file upload in monitoring mode
|
355
|
-
# and we have to report it as SUSPICIOUS, not as PROBED.
|
356
|
-
Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
|
367
|
+
if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
|
368
|
+
Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
|
357
369
|
else
|
358
370
|
Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
|
359
371
|
end
|