contrast-agent 6.1.0 → 6.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +1 -1
- data/Rakefile +1 -1
- data/ext/build_funchook.rb +3 -3
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +5 -1
- data/ext/extconf_common.rb +1 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -2
- data/lib/contrast/agent/assess/policy/policy.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_node.rb +9 -10
- data/lib/contrast/agent/assess/policy/propagation_method.rb +3 -3
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +2 -2
- data/lib/contrast/agent/assess/property/tagged.rb +2 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +5 -5
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +2 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +8 -9
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
- data/lib/contrast/agent/assess/tag.rb +13 -14
- data/lib/contrast/agent/at_exit_hook.rb +12 -1
- data/lib/contrast/agent/middleware.rb +6 -3
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -3
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
- data/lib/contrast/agent/patching/policy/patch.rb +9 -9
- data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
- data/lib/contrast/agent/patching/policy/policy.rb +13 -15
- data/lib/contrast/agent/patching/policy/policy_node.rb +19 -21
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +125 -125
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
- data/lib/contrast/agent/protect/rule/base.rb +30 -18
- data/lib/contrast/agent/protect/rule/base_service.rb +31 -14
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +16 -9
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +3 -3
- data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +74 -74
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +71 -53
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +3 -3
- data/lib/contrast/agent/protect/rule/no_sqli.rb +15 -16
- data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +61 -61
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +29 -29
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +32 -32
- data/lib/contrast/agent/protect/rule/xss.rb +17 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
- data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +36 -36
- data/lib/contrast/agent/reporting/masker/masker.rb +10 -10
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +8 -10
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +53 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +25 -19
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +129 -17
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +20 -21
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +26 -12
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +7 -5
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +4 -10
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +6 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +7 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +15 -15
- data/lib/contrast/agent/reporting/settings/application_settings.rb +1 -1
- data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +3 -3
- data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +20 -5
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +5 -5
- data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +2 -2
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +2 -2
- data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
- data/lib/contrast/agent/request.rb +2 -2
- data/lib/contrast/agent/request_context.rb +23 -19
- data/lib/contrast/agent/request_context_extend.rb +10 -23
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/rule_set.rb +2 -2
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/telemetry/base.rb +9 -5
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +2 -2
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +1 -1
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +1 -1
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +16 -18
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +2 -2
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +1 -1
- data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +1 -1
- data/lib/contrast/api/communication/speedracer.rb +2 -2
- data/lib/contrast/api/decorators/agent_startup.rb +10 -9
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +4 -4
- data/lib/contrast/api/decorators/response_type.rb +4 -17
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/base.rb +1 -1
- data/lib/contrast/components/config.rb +6 -6
- data/lib/contrast/components/contrast_service.rb +4 -1
- data/lib/contrast/components/sampling.rb +1 -1
- data/lib/contrast/components/settings.rb +52 -28
- data/lib/contrast/config/assess_rules_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/config/root_configuration.rb +1 -1
- data/lib/contrast/configuration.rb +4 -4
- data/lib/contrast/extension/assess/array.rb +1 -1
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/assess/marshal.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +1 -1
- data/lib/contrast/extension/extension.rb +2 -2
- data/lib/contrast/framework/base_support.rb +8 -8
- data/lib/contrast/framework/grape/support.rb +3 -3
- data/lib/contrast/framework/manager.rb +5 -5
- data/lib/contrast/framework/manager_extend.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +1 -1
- data/lib/contrast/framework/rails/support.rb +2 -2
- data/lib/contrast/framework/sinatra/support.rb +1 -1
- data/lib/contrast/logger/aliased_logging.rb +29 -22
- data/lib/contrast/logger/cef_log.rb +14 -14
- data/lib/contrast/logger/format.rb +1 -1
- data/lib/contrast/logger/log.rb +8 -8
- data/lib/contrast/tasks/config.rb +12 -12
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/tracking_util.rb +4 -4
- data/lib/contrast/utils/class_util.rb +4 -4
- data/lib/contrast/utils/findings.rb +3 -3
- data/lib/contrast/utils/hash_digest.rb +6 -7
- data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
- data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
- data/lib/contrast/utils/log_utils.rb +4 -4
- data/lib/contrast/utils/lru_cache.rb +1 -1
- data/lib/contrast/utils/metrics_hash.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +5 -5
- data/lib/contrast/utils/net_http_base.rb +4 -4
- data/lib/contrast/utils/os.rb +1 -1
- data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
- data/lib/contrast/utils/request_utils.rb +2 -2
- data/lib/contrast/utils/sha256_builder.rb +4 -4
- data/lib/contrast/utils/stack_trace_utils.rb +31 -13
- data/lib/contrast/utils/telemetry.rb +6 -9
- data/lib/contrast/utils/telemetry_client.rb +5 -5
- data/lib/contrast/utils/telemetry_hash.rb +1 -1
- data/lib/contrast/utils/telemetry_identifier.rb +2 -2
- data/lib/contrast/utils/timer.rb +1 -1
- data/resources/assess/policy.json +1 -1
- metadata +15 -13
@@ -13,6 +13,9 @@ module Contrast
|
|
13
13
|
class Deserialization < Contrast::Agent::Protect::Rule::Base
|
14
14
|
# The TeamServer recognized name of this rule
|
15
15
|
include Contrast::Components::Logger::InstanceMethods
|
16
|
+
# Used to name this input since input analysis isn't done for this
|
17
|
+
# rule
|
18
|
+
INPUT_NAME = 'Serialized Gadget'
|
16
19
|
|
17
20
|
NAME = 'untrusted-deserialization'
|
18
21
|
|
@@ -39,6 +42,17 @@ module Contrast
|
|
39
42
|
# Used to indicate to TeamServer the gadget is an Arel module
|
40
43
|
AREL = 'Arel'
|
41
44
|
|
45
|
+
class << self
|
46
|
+
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
47
|
+
# @return [Hash] the details for this specific rule
|
48
|
+
def extract_details attack_sample
|
49
|
+
{
|
50
|
+
command: attack_sample.untrusted_deserialization.command,
|
51
|
+
deserializer: attack_sample.untrusted_deserialization.deserializer
|
52
|
+
}
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
42
56
|
# Return the TeamServer understood id / name of this rule.
|
43
57
|
# @return [String] the TeamServer understood id / name of this rule.
|
44
58
|
def rule_name
|
@@ -81,9 +95,9 @@ module Contrast
|
|
81
95
|
result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
|
82
96
|
append_to_activity(context, result)
|
83
97
|
|
84
|
-
cef_logging
|
98
|
+
cef_logging(result, :successful_attack)
|
85
99
|
|
86
|
-
raise
|
100
|
+
raise(Contrast::SecurityException.new(self, block_message)) if blocked?
|
87
101
|
end
|
88
102
|
|
89
103
|
# Determine if the issued command was called while we're
|
@@ -102,8 +116,8 @@ module Contrast
|
|
102
116
|
ia_result = build_evaluation(gadget_command)
|
103
117
|
result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
|
104
118
|
append_to_activity(context, result)
|
105
|
-
cef_logging
|
106
|
-
raise
|
119
|
+
cef_logging(result, :successful_attack, gadget_command)
|
120
|
+
raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
|
107
121
|
end
|
108
122
|
|
109
123
|
protected
|
@@ -134,9 +148,6 @@ module Contrast
|
|
134
148
|
|
135
149
|
private
|
136
150
|
|
137
|
-
# Used to name this input since input analysis isn't done for this
|
138
|
-
# rule
|
139
|
-
INPUT_NAME = 'Serialized Gadget'
|
140
151
|
# We know that this attack happened, so the result is always matched
|
141
152
|
# and the level is always critical. Only variable is the Gadget
|
142
153
|
# supplied by the attacker.
|
@@ -15,80 +15,80 @@ module Contrast
|
|
15
15
|
# as a result input would be marked as DEFINETEATTACK or IGNORE,
|
16
16
|
# to be analyzed at the sink level.
|
17
17
|
module HttpMethodTamperingInputClassification
|
18
|
-
class << self
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
end
|
18
|
+
# class << self
|
19
|
+
# include InputClassificationBase
|
20
|
+
#
|
21
|
+
# # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
|
22
|
+
# #
|
23
|
+
# # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
|
24
|
+
# # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
|
25
|
+
# # analysis from the current request.
|
26
|
+
# def classify input_type, input_analysis
|
27
|
+
# return unless input_analysis.request
|
28
|
+
# return unless input_type == METHOD
|
29
|
+
#
|
30
|
+
# rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
|
31
|
+
#
|
32
|
+
# ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
|
33
|
+
# input_analysis.results << ia_result
|
34
|
+
#
|
35
|
+
# return input_analysis if ia_result.score_level == IGNORE
|
36
|
+
#
|
37
|
+
# attack_result = build_attack_result ia_result, rule_id
|
38
|
+
#
|
39
|
+
# if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
|
40
|
+
# attack_result.response = :EXPLOITED
|
41
|
+
# Contrast::Agent::EXPLOITS.push attack_result
|
42
|
+
# return input_analysis
|
43
|
+
# end
|
44
|
+
#
|
45
|
+
# attack_result.response = :BLOCKED
|
46
|
+
# context.activity.results << attack_result
|
47
|
+
# raise Contrast::SecurityException.new(self,
|
48
|
+
# 'HTTP Method Tampering rule triggered. '\
|
49
|
+
# "Call to #{ input_analysis.request.path } with " \
|
50
|
+
# "#{ input_analysis.request.request_method } blocked.")
|
51
|
+
# end
|
52
|
+
#
|
53
|
+
# private
|
54
|
+
#
|
55
|
+
# # @param request [Contrast::Agent::Request] the current request context.
|
56
|
+
# def method_tampering_exploited? request
|
57
|
+
# !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
|
58
|
+
# end
|
59
|
+
#
|
60
|
+
# # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
|
61
|
+
# # key if needed and Creates new instance of InputAnalysisResult.
|
62
|
+
# #
|
63
|
+
# # @param request [Contrast::Agent::Request] the current request context.
|
64
|
+
# # @param rule_id [String] The name of the Protect Rule.
|
65
|
+
# # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
66
|
+
# #
|
67
|
+
# # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
68
|
+
# def method_tampering_new_input_analysis request, rule_id, input_type
|
69
|
+
# ia_result = new_ia_result rule_id, input_type, request.path
|
70
|
+
# if method_tampering_exploited? request
|
71
|
+
# ia_result.score_level = DEFINITEATTACK
|
72
|
+
# ia_result.ids << rule_id
|
73
|
+
# else
|
74
|
+
# ia_result.score_level = IGNORE
|
75
|
+
# end
|
76
|
+
#
|
77
|
+
# ia_result
|
78
|
+
# end
|
79
|
+
#
|
80
|
+
# def build_attack_result ia_result, rule_id
|
81
|
+
# rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
|
82
|
+
# result = Contrast::Agent::Reporting::AttackResult.new
|
83
|
+
# result.rule_id = rule_id
|
84
|
+
# result.samples << rasp_rule_sample
|
85
|
+
# result
|
86
|
+
# end
|
87
|
+
#
|
88
|
+
# def context
|
89
|
+
# Contrast::Agent::REQUEST_TRACKER.current
|
90
|
+
# end
|
91
|
+
# end
|
92
92
|
end
|
93
93
|
end
|
94
94
|
end
|
@@ -10,65 +10,83 @@ module Contrast
|
|
10
10
|
# The Ruby implementation of the Protect HTTP Method Tampering rule.
|
11
11
|
class HttpMethodTampering < Contrast::Agent::Protect::Rule::BaseService
|
12
12
|
NAME = 'method-tampering'
|
13
|
-
STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
|
13
|
+
# STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
|
14
|
+
#
|
15
|
+
# APPLICABLE_METHODS_INPUTS = %w[
|
16
|
+
# ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
|
17
|
+
# DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
|
18
|
+
# MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
|
19
|
+
# PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
|
20
|
+
# UNLOCK UPDATE VERSION-CONTROL
|
21
|
+
# ].cs__freeze
|
14
22
|
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
23
|
+
class << self
|
24
|
+
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
25
|
+
# @return [Hash] the details for this specific rule
|
26
|
+
def extract_details attack_sample
|
27
|
+
{
|
28
|
+
method: attack_sample.method_tampering.method, # rubocop:disable Security/Object/Method
|
29
|
+
responseCode: attack_sample.method_tampering.response_code
|
30
|
+
}
|
31
|
+
end
|
32
|
+
end
|
22
33
|
|
23
34
|
def rule_name
|
24
35
|
NAME
|
25
36
|
end
|
26
37
|
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
end
|
38
|
+
# This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
|
39
|
+
# agent with protect library, we should re-enable these tests and that rule.
|
40
|
+
# TODO: RUBY-1574
|
41
|
+
# def enabled?
|
42
|
+
# super && false
|
43
|
+
# end
|
44
|
+
#
|
45
|
+
# def postfilter context
|
46
|
+
# return unless enabled? && POSTFILTER_MODES.include?(mode)
|
47
|
+
# return if normal_request?(context)
|
48
|
+
#
|
49
|
+
# # The only way to be here in postfilter with a result is if the rule mode was MONITOR
|
50
|
+
# ia_results = gather_ia_results(context)
|
51
|
+
# return if ia_results.empty?
|
52
|
+
#
|
53
|
+
# # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
|
54
|
+
# response_code = context&.response&.response_code
|
55
|
+
# return unless response_code
|
56
|
+
#
|
57
|
+
# method = ia_results.first.value
|
58
|
+
# result = if response_code.to_s.start_with?('4', '5')
|
59
|
+
# build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
|
60
|
+
# else
|
61
|
+
# build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
|
62
|
+
# end
|
63
|
+
#
|
64
|
+
# return unless result
|
65
|
+
#
|
66
|
+
# append_to_activity(context, result)
|
67
|
+
# cef_logging result, :ineffective_attack
|
68
|
+
# end
|
69
|
+
#
|
70
|
+
# protected
|
71
|
+
#
|
72
|
+
# def build_sample context, evaluation, _candidate_string, **kwargs
|
73
|
+
# sample = build_base_sample(context, evaluation)
|
74
|
+
# sample.user_input.value = kwargs[:method]
|
75
|
+
# sample.user_input.input_type = :METHOD
|
76
|
+
#
|
77
|
+
# sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
|
78
|
+
# sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
|
79
|
+
# code = kwargs[:response_code] || -1
|
80
|
+
# sample.method_tampering.response_code = code.to_i
|
81
|
+
# sample
|
82
|
+
# end
|
83
|
+
#
|
84
|
+
# private
|
85
|
+
#
|
86
|
+
# def normal_request? context
|
87
|
+
# method = context.request.request_method
|
88
|
+
# context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
|
89
|
+
# end
|
72
90
|
end
|
73
91
|
end
|
74
92
|
end
|
@@ -106,9 +106,9 @@ module Contrast
|
|
106
106
|
score = evaluate_patterns(value)
|
107
107
|
score = evaluate_rules(value, score)
|
108
108
|
|
109
|
-
score_level = if definite_attack?
|
109
|
+
score_level = if definite_attack?(score)
|
110
110
|
DEFINITEATTACK
|
111
|
-
elsif worth_watching?
|
111
|
+
elsif worth_watching?(score)
|
112
112
|
WORTHWATCHING
|
113
113
|
else
|
114
114
|
IGNORE
|
@@ -185,7 +185,7 @@ module Contrast
|
|
185
185
|
def evaluate_or_rule value
|
186
186
|
score = 0
|
187
187
|
|
188
|
-
locs = matches_by_position
|
188
|
+
locs = matches_by_position(value, NOSQL_OR_REGEXP)
|
189
189
|
return score if locs.empty?
|
190
190
|
|
191
191
|
locs.each do |loc|
|
@@ -18,6 +18,19 @@ module Contrast
|
|
18
18
|
|
19
19
|
NAME = 'nosql-injection'
|
20
20
|
BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
|
21
|
+
class << self
|
22
|
+
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
23
|
+
# @return [Hash] the details for this specific rule
|
24
|
+
def extract_details attack_sample
|
25
|
+
{
|
26
|
+
start: attack_sample.no_sqli.start_idx,
|
27
|
+
end: attack_sample.no_sqli.end_idx,
|
28
|
+
boundaryOverrunIndex: attack_sample.no_sqli.boundary_overrun_idx,
|
29
|
+
inputBoundaryIndex: attack_sample.no_sqli.input_boundary_idx,
|
30
|
+
query: attack_sample.no_sqli.query
|
31
|
+
}
|
32
|
+
end
|
33
|
+
end
|
21
34
|
|
22
35
|
def rule_name
|
23
36
|
NAME
|
@@ -35,8 +48,8 @@ module Contrast
|
|
35
48
|
|
36
49
|
append_to_activity(context, result)
|
37
50
|
|
38
|
-
cef_logging
|
39
|
-
raise
|
51
|
+
cef_logging(result, :successful_attack)
|
52
|
+
raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
|
40
53
|
end
|
41
54
|
|
42
55
|
def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
|
@@ -66,20 +79,6 @@ module Contrast
|
|
66
79
|
end
|
67
80
|
super(context, potential_attack_string, **kwargs)
|
68
81
|
end
|
69
|
-
|
70
|
-
def infilter? context
|
71
|
-
return false unless context&.agent_input_analysis&.results
|
72
|
-
return false unless enabled?
|
73
|
-
return false if protect_excluded_by_code?
|
74
|
-
|
75
|
-
true
|
76
|
-
end
|
77
|
-
|
78
|
-
def gather_ia_results context
|
79
|
-
context.agent_input_analysis.results.select do |ia_result|
|
80
|
-
ia_result.rule_id == rule_name
|
81
|
-
end
|
82
|
-
end
|
83
82
|
end
|
84
83
|
end
|
85
84
|
end
|
@@ -25,6 +25,16 @@ module Contrast
|
|
25
25
|
/windows/repair/
|
26
26
|
].cs__freeze
|
27
27
|
|
28
|
+
class << self
|
29
|
+
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
30
|
+
# @return [Hash] the details for this specific rule
|
31
|
+
def extract_details attack_sample
|
32
|
+
{
|
33
|
+
path: attack_sample.path_traversal.path
|
34
|
+
}
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
28
38
|
def rule_name
|
29
39
|
NAME
|
30
40
|
end
|
@@ -38,9 +48,9 @@ module Contrast
|
|
38
48
|
append_to_activity(context, result)
|
39
49
|
return unless blocked?
|
40
50
|
|
41
|
-
cef_logging
|
42
|
-
raise
|
43
|
-
"Path Traversal rule triggered. Call to File.#{ method } blocked.")
|
51
|
+
cef_logging(result, :successful_attack, path)
|
52
|
+
raise(Contrast::SecurityException.new(self,
|
53
|
+
"Path Traversal rule triggered. Call to File.#{ method } blocked."))
|
44
54
|
end
|
45
55
|
|
46
56
|
protected
|
@@ -69,7 +69,7 @@ module Contrast
|
|
69
69
|
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
70
70
|
def sqli_create_new_input_result request, rule_id, input_type, value
|
71
71
|
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
72
|
-
if sqli_worth_watching?
|
72
|
+
if sqli_worth_watching?(value)
|
73
73
|
ia_result.ids << WORTHWATCHING_MATCH
|
74
74
|
ia_result.score_level = WORTHWATCHING
|
75
75
|
ia_result
|
@@ -77,7 +77,7 @@ module Contrast
|
|
77
77
|
ia_result.score_level = IGNORE
|
78
78
|
end
|
79
79
|
|
80
|
-
add_needed_key
|
80
|
+
add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
|
81
81
|
ia_result
|
82
82
|
end
|
83
83
|
end
|
@@ -91,7 +91,7 @@ module Contrast
|
|
91
91
|
# @param input [String] the user input to be inspected
|
92
92
|
# @return true | false
|
93
93
|
def language_keywords? input
|
94
|
-
contains_substring?
|
94
|
+
contains_substring?(input, SQL_KEYWORDS)
|
95
95
|
end
|
96
96
|
|
97
97
|
# Helper method to find a substrings in given input.
|
@@ -31,6 +31,20 @@ module Contrast
|
|
31
31
|
NAME = 'sql-injection'
|
32
32
|
BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
|
33
33
|
|
34
|
+
class << self
|
35
|
+
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
36
|
+
# @return [Hash] the details for this specific rule
|
37
|
+
def extract_details attack_sample
|
38
|
+
{
|
39
|
+
start: attack_sample.sqli.start_idx,
|
40
|
+
end: attack_sample.sqli.end_idx,
|
41
|
+
boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
|
42
|
+
inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
|
43
|
+
query: attack_sample.sqli.query
|
44
|
+
}
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
34
48
|
def rule_name
|
35
49
|
NAME
|
36
50
|
end
|
@@ -47,29 +61,8 @@ module Contrast
|
|
47
61
|
|
48
62
|
append_to_activity(context, result)
|
49
63
|
|
50
|
-
cef_logging
|
51
|
-
raise
|
52
|
-
end
|
53
|
-
|
54
|
-
private
|
55
|
-
|
56
|
-
def find_attacker context, potential_attack_string, **kwargs
|
57
|
-
ia_results = gather_ia_results(context)
|
58
|
-
find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
|
59
|
-
end
|
60
|
-
|
61
|
-
def infilter? context
|
62
|
-
return false unless context&.agent_input_analysis&.results
|
63
|
-
return false unless enabled?
|
64
|
-
return false if protect_excluded_by_code?
|
65
|
-
|
66
|
-
true
|
67
|
-
end
|
68
|
-
|
69
|
-
def gather_ia_results context
|
70
|
-
context.agent_input_analysis.results.select do |ia_result|
|
71
|
-
ia_result.rule_id == rule_name
|
72
|
-
end
|
64
|
+
cef_logging(result, :successful_attack, query_string)
|
65
|
+
raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
|
73
66
|
end
|
74
67
|
end
|
75
68
|
end
|