RubyGems - contrast-agent - Versions diffs - 6.0.0 → 6.1.2 - Mend

contrast-agent 6.0.0 → 6.1.2

Files changed (260) hide show

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb CHANGED Viewed

@@ -69,7 +69,7 @@ module Contrast
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
             def sqli_create_new_input_result request, rule_id, input_type, value
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
-              if sqli_worth_watching? value
+              if sqli_worth_watching?(value)
                 ia_result.ids << WORTHWATCHING_MATCH
                 ia_result.score_level = WORTHWATCHING
                 ia_result
@@ -77,7 +77,7 @@ module Contrast
                 ia_result.score_level = IGNORE
               end
-              add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
+              add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb CHANGED Viewed

@@ -91,7 +91,7 @@ module Contrast
           # @param input [String] the user input to be inspected
           # @return true | false
           def language_keywords? input
-            contains_substring? input, SQL_KEYWORDS
+            contains_substring?(input, SQL_KEYWORDS)
           end
           # Helper method to find a substrings in given input.

data/lib/contrast/agent/protect/rule/sqli.rb CHANGED Viewed

@@ -31,6 +31,20 @@ module Contrast
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  start: attack_sample.sqli.start_idx,
+                  end: attack_sample.sqli.end_idx,
+                  boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
+                  inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
+                  query: attack_sample.sqli.query
+              }
+            end
+          end
           def rule_name
             NAME
           end
@@ -47,29 +61,8 @@ module Contrast
             append_to_activity(context, result)
-            cef_logging result, :successful_attack, query_string
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-          end
-          private
-          def find_attacker context, potential_attack_string, **kwargs
-            ia_results = gather_ia_results(context)
-            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
-          end
-          def infilter? context
-            return false unless context&.agent_input_analysis&.results
-            return false unless enabled?
-            return false if protect_excluded_by_code?
-            true
-          end
-          def gather_ia_results context
-            context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
-            end
+            cef_logging(result, :successful_attack, query_string)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
         end
       end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb CHANGED Viewed

@@ -14,67 +14,67 @@ module Contrast
         # This module will do the Input Classification stage of Unsafe File Upload
         # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
         module UnsafeFileUploadInputClassification
-          UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
-          class << self
-            include InputClassificationBase
-            include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
-            # Input Classification stage is done to determine if an user input is
-            # DEFINITEATTACK or to be ignored.
-            #
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-            #                                                       agent analysis from the current
-            #                                                       Request.
-            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
-            def classify input_type, value, input_analysis
-              unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
-                return
-              end
-              return unless input_analysis.request
-              rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
-              results = []
-              Array(value).each do |val|
-                Array(val).each do |v|
-                  results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
-                end
-              end
-              input_analysis.results = results
-              input_analysis
-            end
-            private
-            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
-            #
-            # @param request [Contrast::Agent::Request] the current request context.
-            # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              ia_result = new_ia_result rule_id, input_type, request.path, value
-              if unsafe_match? value
-                ia_result.score_level = DEFINITEATTACK
-                ia_result.ids << UNSAFE_UPLOAD_MATCH
-              else
-                ia_result.score_level = IGNORE
-              end
-              ia_result.key = if input_type == MULTIPART_FIELD_NAME
-                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
-                              else
-                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
-                              end
-              ia_result
-            end
-          end
+          # UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
+          #
+          # class << self
+          #   include InputClassificationBase
+          #   include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
+          #
+          #   # Input Classification stage is done to determine if an user input is
+          #   # DEFINITEATTACK or to be ignored.
+          #   #
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   # @param value [String, Array<String>] the value of the input.
+          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #   #                                                       agent analysis from the current
+          #   #                                                       Request.
+          #   # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+          #   def classify input_type, value, input_analysis
+          #     unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
+          #       return
+          #     end
+          #     return unless input_analysis.request
+          #
+          #     rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
+          #     results = []
+          #
+          #     Array(value).each do |val|
+          #       Array(val).each do |v|
+          #         results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
+          #       end
+          #     end
+          #
+          #     input_analysis.results = results
+          #     input_analysis
+          #   end
+          #
+          #   private
+          #
+          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+          #   # key if needed and Creates new isntance of InputAnalysisResult.
+          #   #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   # @param rule_id [String] The name of the Protect Rule.
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   # @param value [String, Array<String>] the value of the input.
+          #   #
+          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          #   def create_new_input_result request, rule_id, input_type, value
+          #     ia_result = new_ia_result rule_id, input_type, request.path, value
+          #     if unsafe_match? value
+          #       ia_result.score_level = DEFINITEATTACK
+          #       ia_result.ids << UNSAFE_UPLOAD_MATCH
+          #     else
+          #       ia_result.score_level = IGNORE
+          #     end
+          #     ia_result.key = if input_type == MULTIPART_FIELD_NAME
+          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
+          #                     else
+          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
+          #                     end
+          #     ia_result
+          #   end
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb CHANGED Viewed

@@ -8,36 +8,36 @@ module Contrast
         # Here will be made the match of the user input provided by the
         # Agent InputAnalysis.
         module UnsafeFileUploadMatcher
-          EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
-          # Extensions that can be executed on the server side or can be dangerous on the client side:
-          # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
-          EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
-          # Match the user input to see if the filename
-          # contains malicious file extension.
+          # EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze # rubocop:disable Style/AsciiComments
+          # # Extensions that can be executed on the server side or can be dangerous on the client side:
+          # # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
+          # EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
           #
-          # @param input [String] The filename
-          # extracted from the current request
-          # @return true | false
-          def unsafe_match? input
-            suspicious_chars?(input) || suspicious_extensions?(input)
-          end
-          private
-          # @param input [String] The filename
-          # extracted from the current request
-          # @return true | false
-          def suspicious_chars? input
-            input.chars.any? { |c| EXPLOIT_CHARS.include? c }
-          end
-          # @param input [String] The filename
-          # extracted from the current request
-          # @return true | false
-          def suspicious_extensions? input
-            EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
-          end
+          # # Match the user input to see if the filename
+          # # contains malicious file extension.
+          # #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def unsafe_match? input
+          #   suspicious_chars?(input) || suspicious_extensions?(input)
+          # end
+          #
+          # private
+          #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def suspicious_chars? input
+          #   input.chars.any? { |c| EXPLOIT_CHARS.include? c }
+          # end
+          #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def suspicious_extensions? input
+          #   EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb CHANGED Viewed

@@ -23,40 +23,40 @@ module Contrast
             NAME
           end
-          def block_message
-            BLOCK_MESSAGE
+          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
+          # agent with protect library, we should re-enable these tests and that rule.
+          # TODO: RUBY-1574
+          def enabled?
+            super && false
           end
-          def prefilter context
-            return unless prefilter?(context)
-            ia_results = gather_ia_results context
-            ia_results.each do |ia_result|
-              result = build_attack_result(context)
-              build_attack_without_match context, ia_result, result
-              append_to_activity context, result
-              cef_logging result, :successful_attack
-              raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-            end
-          end
-          private
-          def prefilter? context
-            return false unless context&.agent_input_analysis&.results
-            return false unless enabled?
-            return false if protect_excluded_by_code?
-            true
-          end
-          def gather_ia_results context
-            context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
-            end
-          end
+          # def block_message
+          #   BLOCK_MESSAGE
+          # end
+          #
+          # def prefilter context
+          #   return unless prefilter?(context)
+          #
+          #   ia_results = gather_ia_results context
+          #
+          #   ia_results.each do |ia_result|
+          #     result = build_attack_result(context)
+          #     build_attack_without_match context, ia_result, result
+          #     append_to_activity context, result
+          #
+          #     cef_logging result, :successful_attack
+          #     raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+          #   end
+          # end
+          #
+          # private
+          #
+          # def prefilter? _context
+          #   return false unless enabled?
+          #   return false if protect_excluded_by_code?
+          #
+          #   true
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xss.rb CHANGED Viewed

@@ -12,6 +12,23 @@ module Contrast
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  input: attack_sample.xss.input,
+                  matches: attack_sample.xss.matches.map do |match|
+                             {
+                                 evidenceStart: match.evidence_start_ms,
+                                 evidence: match.evidence,
+                                 offset: match.offset
+                             }
+                           end
+              }
+            end
+          end
           def rule_name
             NAME
           end

data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb CHANGED Viewed

@@ -11,6 +11,20 @@ module Contrast
           class EntityWrapper
             attr_reader :system_id, :public_id
+            DTD_MARKER =   '.dtd'
+            FILE_START =   'file:'
+            FTP_START =    'ftp:'
+            GOPHER_START = 'gopher:'
+            JAR_START =    'jar:'
+            UP_DIR_LINUX = '../'
+            UP_DIR_WIN =   '..\\'
+            # <!ENTITY name SYSTEM "URI">
+            SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
+            # <!ENTITY name PUBLIC "public_ID" "URI">
+            PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
+            # we only use this against lowercase strings, removed A-Z for speed
+            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def initialize entity
               @system_id = parse_system_id(entity)
               # an entity cannot be system and public
@@ -30,29 +44,16 @@ module Contrast
               @_external_entity
             end
-            # <!ENTITY name SYSTEM "URI">
-            SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
             def parse_system_id entity
               match = SYSTEM_ID_REGEXP.match(entity)
               match[:id] if match
             end
-            # <!ENTITY name PUBLIC "public_ID" "URI">
-            PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
             def parse_public_id entity
               match = PUBLIC_ID_REGEXP.match(entity)
               match[:id] if match
             end
-            DTD_MARKER =   '.dtd'
-            FILE_START =   'file:'
-            FTP_START =    'ftp:'
-            GOPHER_START = 'gopher:'
-            JAR_START =    'jar:'
-            UP_DIR_LINUX = '../'
-            UP_DIR_WIN =   '..\\'
-            # we only use this against lowercase strings, removed A-Z for speed
-            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def external_id? entity_id
               return false unless entity_id

data/lib/contrast/agent/protect/rule/xxe.rb CHANGED Viewed

@@ -13,11 +13,34 @@ module Contrast
         # of unsafe external entity resolution.
         class Xxe < Contrast::Agent::Protect::Rule::Base
           include Contrast::Components::Logger::InstanceMethods
+          INPUT_NAME = 'XML Prolog'
           NAME = 'xxe'
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  xml: attack_sample.xxe.xml,
+                  declaredEntities: attack_sample.xxe.declared_entities.map do |entity|
+                                      {
+                                          start: entity.start_idx,
+                                          end: entity.end_idx
+                                      }
+                                    end,
+                  entitiesResolved: attack_sample.xxe.entities_resolved.map do |entity|
+                                      {
+                                          systemId: entity.system_id,
+                                          publicId: entity.public_id
+                                      }
+                                    end
+              }
+            end
+          end
           def rule_name
             NAME
           end
@@ -39,8 +62,8 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
-            cef_logging result, :successful_attack, xml
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE)
+            cef_logging(result, :successful_attack, xml)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE))
           end
           protected
@@ -100,7 +123,6 @@ module Contrast
             sample
           end
-          INPUT_NAME = 'XML Prolog'
           def build_user_input ia_result
             input = Contrast::Api::Dtm::UserInput.new
             input.key = INPUT_NAME

data/lib/contrast/agent/reaction_processor.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module Contrast
           case reaction.operation
           when Contrast::Api::Settings::Reaction::Operation::DISABLE
-            Contrast::Agent::DisableReaction.run reaction, level
+            Contrast::Agent::DisableReaction.run(reaction, level)
           when Contrast::Api::Settings::Reaction::Operation::NOOP
             # NOOP
           else

data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb CHANGED Viewed

@@ -10,42 +10,42 @@ module Contrast
     module Reporting
       # This class will hold the new RaspRuleSample.
       # protect rules.
-      class RaspRuleSample
-        def timestamp
-          @_timestamp ||= 0
-        end
-        def timestamp= timestamp_ms
-          @_timestamp = timestamp_ms
-        end
-        def user_input
-          @_user_input ||= Contrast::Agent::Reporting::UserInput.new
-        end
-        def user_input= input
-          @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
-        end
-        def build context, ia_result
-          sample = self
-          sample.timestamp = context&.timer&.start_ms
-          sample.user_input = build_user_input_from_ia(ia_result)
-          sample.user_input.document_type = if context&.request
-                                              Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
-                                            end
-          sample
-        end
-        def build_user_input_from_ia ia_result
-          user_input = Contrast::Agent::Reporting::UserInput.new
-          user_input.input_type = ia_result.input_type
-          user_input.matcher_ids = ia_result.ids
-          user_input.path = ia_result.path
-          user_input.key = ia_result.key if ia_result.key
-          user_input.value = ia_result.value if ia_result.value
-          user_input
-        end
+      class RaspRuleSample # rubocop:disable Lint/EmptyClass
+        # def timestamp
+        #   @_timestamp ||= 0
+        # end
+        #
+        # def timestamp= timestamp_ms
+        #   @_timestamp = timestamp_ms
+        # end
+        #
+        # def user_input
+        #   @_user_input ||= Contrast::Agent::Reporting::UserInput.new
+        # end
+        #
+        # def user_input= input
+        #   @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
+        # end
+        #
+        # def build context, ia_result
+        #   sample = self
+        #   sample.timestamp = context&.timer&.start_ms
+        #   sample.user_input = build_user_input_from_ia(ia_result)
+        #   sample.user_input.document_type = if context&.request
+        #                                       Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
+        #                                     end
+        #   sample
+        # end
+        #
+        # def build_user_input_from_ia ia_result
+        #   user_input = Contrast::Agent::Reporting::UserInput.new
+        #   user_input.input_type = ia_result.input_type
+        #   user_input.matcher_ids = ia_result.ids
+        #   user_input.path = ia_result.path
+        #   user_input.key = ia_result.key if ia_result.key
+        #   user_input.value = ia_result.value if ia_result.value
+        #   user_input
+        # end
       end
     end
   end