RubyGems - contrast-agent - Versions diffs - 6.1.0 → 6.1.1 - Mend

contrast-agent 6.1.0 → 6.1.1

Files changed (179) hide show

data/lib/contrast/agent/protect/rule/deserialization.rb CHANGED Viewed

@@ -13,6 +13,9 @@ module Contrast
         class Deserialization < Contrast::Agent::Protect::Rule::Base
           # The TeamServer recognized name of this rule
           include Contrast::Components::Logger::InstanceMethods
+          # Used to name this input since input analysis isn't done for this
+          # rule
+          INPUT_NAME = 'Serialized Gadget'
           NAME = 'untrusted-deserialization'
@@ -39,6 +42,17 @@ module Contrast
           # Used to indicate to TeamServer the gadget is an Arel module
           AREL = 'Arel'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  command: attack_sample.untrusted_deserialization.command,
+                  deserializer: attack_sample.untrusted_deserialization.deserializer
+              }
+            end
+          end
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
           def rule_name
@@ -81,9 +95,9 @@ module Contrast
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
-            cef_logging result, :successful_attack
+            cef_logging(result, :successful_attack)
-            raise Contrast::SecurityException.new(self, block_message) if blocked?
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked?
           end
           # Determine if the issued command was called while we're
@@ -102,8 +116,8 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
-            cef_logging result, :successful_attack, gadget_command
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+            cef_logging(result, :successful_attack, gadget_command)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
           protected
@@ -134,9 +148,6 @@ module Contrast
           private
-          # Used to name this input since input analysis isn't done for this
-          # rule
-          INPUT_NAME = 'Serialized Gadget'
           # We know that this attack happened, so the result is always matched
           # and the level is always critical. Only variable is the Gadget
           # supplied by the attacker.

data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb CHANGED Viewed

@@ -15,80 +15,80 @@ module Contrast
         # as a result input would be marked as DEFINETEATTACK or IGNORE,
         # to be analyzed at the sink level.
         module HttpMethodTamperingInputClassification
-          class << self
-            include InputClassificationBase
-            # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
-            #
-            # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
-            # analysis from the current request.
-            def classify input_type, input_analysis
-              return unless input_analysis.request
-              return unless input_type == METHOD
-              rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-              ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
-              input_analysis.results << ia_result
-              return input_analysis if ia_result.score_level == IGNORE
-              attack_result = build_attack_result ia_result, rule_id
-              if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
-                attack_result.response = :EXPLOITED
-                Contrast::Agent::EXPLOITS.push attack_result
-                return input_analysis
-              end
-              attack_result.response = :BLOCKED
-              context.activity.results << attack_result
-              raise Contrast::SecurityException.new(self,
-                                                    'HTTP Method Tampering rule triggered. '\
-                                                    "Call to #{ input_analysis.request.path } with " \
-                                                    "#{ input_analysis.request.request_method } blocked.")
-            end
-            private
-            # @param request [Contrast::Agent::Request] the current request context.
-            def method_tampering_exploited? request
-              !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
-            end
-            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-            # key if needed and Creates new instance of InputAnalysisResult.
-            #
-            # @param request [Contrast::Agent::Request] the current request context.
-            # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def method_tampering_new_input_analysis request, rule_id, input_type
-              ia_result = new_ia_result rule_id, input_type, request.path
-              if method_tampering_exploited? request
-                ia_result.score_level = DEFINITEATTACK
-                ia_result.ids << rule_id
-              else
-                ia_result.score_level = IGNORE
-              end
-              ia_result
-            end
-            def build_attack_result ia_result, rule_id
-              rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
-              result = Contrast::Agent::Reporting::AttackResult.new
-              result.rule_id = rule_id
-              result.samples << rasp_rule_sample
-              result
-            end
-            def context
-              Contrast::Agent::REQUEST_TRACKER.current
-            end
-          end
+          # class << self
+          #   include InputClassificationBase
+          #
+          #   # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
+          #   #
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+          #   # analysis from the current request.
+          #   def classify input_type, input_analysis
+          #     return unless input_analysis.request
+          #     return unless input_type == METHOD
+          #
+          #     rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+          #
+          #     ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
+          #     input_analysis.results << ia_result
+          #
+          #     return input_analysis if ia_result.score_level == IGNORE
+          #
+          #     attack_result = build_attack_result ia_result, rule_id
+          #
+          #     if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
+          #       attack_result.response = :EXPLOITED
+          #       Contrast::Agent::EXPLOITS.push attack_result
+          #       return input_analysis
+          #     end
+          #
+          #     attack_result.response = :BLOCKED
+          #     context.activity.results << attack_result
+          #     raise Contrast::SecurityException.new(self,
+          #                                           'HTTP Method Tampering rule triggered. '\
+          #                                           "Call to #{ input_analysis.request.path } with " \
+          #                                           "#{ input_analysis.request.request_method } blocked.")
+          #   end
+          #
+          #   private
+          #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   def method_tampering_exploited? request
+          #     !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
+          #   end
+          #
+          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+          #   # key if needed and Creates new instance of InputAnalysisResult.
+          #   #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   # @param rule_id [String] The name of the Protect Rule.
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   #
+          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          #   def method_tampering_new_input_analysis request, rule_id, input_type
+          #     ia_result = new_ia_result rule_id, input_type, request.path
+          #     if method_tampering_exploited? request
+          #       ia_result.score_level = DEFINITEATTACK
+          #       ia_result.ids << rule_id
+          #     else
+          #       ia_result.score_level = IGNORE
+          #     end
+          #
+          #     ia_result
+          #   end
+          #
+          #   def build_attack_result ia_result, rule_id
+          #     rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
+          #     result = Contrast::Agent::Reporting::AttackResult.new
+          #     result.rule_id = rule_id
+          #     result.samples << rasp_rule_sample
+          #     result
+          #   end
+          #
+          #   def context
+          #     Contrast::Agent::REQUEST_TRACKER.current
+          #   end
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/http_method_tampering.rb CHANGED Viewed

@@ -10,65 +10,83 @@ module Contrast
         # The Ruby implementation of the Protect HTTP Method Tampering rule.
         class HttpMethodTampering < Contrast::Agent::Protect::Rule::BaseService
           NAME = 'method-tampering'
-          STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
+          # STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
+          #
+          # APPLICABLE_METHODS_INPUTS = %w[
+          #   ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
+          #   DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
+          #   MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
+          #   PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
+          #   UNLOCK UPDATE VERSION-CONTROL
+          # ].cs__freeze
-          APPLICABLE_METHODS_INPUTS = %w[
-            ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
-            DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
-            MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
-            PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
-            UNLOCK UPDATE VERSION-CONTROL
-          ].cs__freeze
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  method: attack_sample.method_tampering.method, # rubocop:disable Security/Object/Method
+                  responseCode: attack_sample.method_tampering.response_code
+              }
+            end
+          end
           def rule_name
             NAME
           end
-          def postfilter context
-            return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return if normal_request?(context)
-            # The only way to be here in postfilter with a result is if the rule mode was MONITOR
-            ia_results = gather_ia_results(context)
-            return if ia_results.empty?
-            # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
-            response_code = context&.response&.response_code
-            return unless response_code
-            method = ia_results.first.value
-            result = if response_code.to_s.start_with?('4', '5')
-                       build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
-                     else
-                       build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
-                     end
-            return unless result
-            append_to_activity(context, result)
-            cef_logging result, :ineffective_attack
-          end
-          protected
-          def build_sample context, evaluation, _candidate_string, **kwargs
-            sample = build_base_sample(context, evaluation)
-            sample.user_input.value = kwargs[:method]
-            sample.user_input.input_type = :METHOD
-            sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
-            sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
-            code = kwargs[:response_code] || -1
-            sample.method_tampering.response_code = code.to_i
-            sample
-          end
-          private
-          def normal_request? context
-            method = context.request.request_method
-            context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
-          end
+          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
+          # agent with protect library, we should re-enable these tests and that rule.
+          # TODO: RUBY-1574
+          # def enabled?
+          #   super && false
+          # end
+          #
+          # def postfilter context
+          #   return unless enabled? && POSTFILTER_MODES.include?(mode)
+          #   return if normal_request?(context)
+          #
+          #   # The only way to be here in postfilter with a result is if the rule mode was MONITOR
+          #   ia_results = gather_ia_results(context)
+          #   return if ia_results.empty?
+          #
+          #   # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
+          #   response_code = context&.response&.response_code
+          #   return unless response_code
+          #
+          #   method = ia_results.first.value
+          #   result = if response_code.to_s.start_with?('4', '5')
+          #              build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
+          #            else
+          #              build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
+          #            end
+          #
+          #   return unless result
+          #
+          #   append_to_activity(context, result)
+          #   cef_logging result, :ineffective_attack
+          # end
+          #
+          # protected
+          #
+          # def build_sample context, evaluation, _candidate_string, **kwargs
+          #   sample = build_base_sample(context, evaluation)
+          #   sample.user_input.value = kwargs[:method]
+          #   sample.user_input.input_type = :METHOD
+          #
+          #   sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
+          #   sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
+          #   code = kwargs[:response_code] || -1
+          #   sample.method_tampering.response_code = code.to_i
+          #   sample
+          # end
+          #
+          # private
+          #
+          # def normal_request? context
+          #   method = context.request.request_method
+          #   context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb CHANGED Viewed

@@ -106,9 +106,9 @@ module Contrast
               score = evaluate_patterns(value)
               score = evaluate_rules(value, score)
-              score_level = if definite_attack? score
+              score_level = if definite_attack?(score)
                               DEFINITEATTACK
-                            elsif worth_watching? score
+                            elsif worth_watching?(score)
                               WORTHWATCHING
                             else
                               IGNORE
@@ -185,7 +185,7 @@ module Contrast
             def evaluate_or_rule value
               score = 0
-              locs = matches_by_position value, NOSQL_OR_REGEXP
+              locs = matches_by_position(value, NOSQL_OR_REGEXP)
               return score if locs.empty?
               locs.each do |loc|

data/lib/contrast/agent/protect/rule/no_sqli.rb CHANGED Viewed

@@ -18,6 +18,19 @@ module Contrast
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  start: attack_sample.no_sqli.start_idx,
+                  end: attack_sample.no_sqli.end_idx,
+                  boundaryOverrunIndex: attack_sample.no_sqli.boundary_overrun_idx,
+                  inputBoundaryIndex: attack_sample.no_sqli.input_boundary_idx,
+                  query: attack_sample.no_sqli.query
+              }
+            end
+          end
           def rule_name
             NAME
@@ -35,8 +48,8 @@ module Contrast
             append_to_activity(context, result)
-            cef_logging result, :successful_attack
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -66,20 +79,6 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
-          def infilter? context
-            return false unless context&.agent_input_analysis&.results
-            return false unless enabled?
-            return false if protect_excluded_by_code?
-            true
-          end
-          def gather_ia_results context
-            context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
-            end
-          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/path_traversal.rb CHANGED Viewed

@@ -25,6 +25,16 @@ module Contrast
             /windows/repair/
           ].cs__freeze
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  path: attack_sample.path_traversal.path
+              }
+            end
+          end
           def rule_name
             NAME
           end
@@ -38,9 +48,9 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
-            cef_logging result, :successful_attack, path
-            raise Contrast::SecurityException.new(self,
-                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+            cef_logging(result, :successful_attack, path)
+            raise(Contrast::SecurityException.new(self,
+                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked."))
           end
           protected

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb CHANGED Viewed

@@ -69,7 +69,7 @@ module Contrast
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
             def sqli_create_new_input_result request, rule_id, input_type, value
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
-              if sqli_worth_watching? value
+              if sqli_worth_watching?(value)
                 ia_result.ids << WORTHWATCHING_MATCH
                 ia_result.score_level = WORTHWATCHING
                 ia_result
@@ -77,7 +77,7 @@ module Contrast
                 ia_result.score_level = IGNORE
               end
-              add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
+              add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb CHANGED Viewed

@@ -91,7 +91,7 @@ module Contrast
           # @param input [String] the user input to be inspected
           # @return true | false
           def language_keywords? input
-            contains_substring? input, SQL_KEYWORDS
+            contains_substring?(input, SQL_KEYWORDS)
           end
           # Helper method to find a substrings in given input.

data/lib/contrast/agent/protect/rule/sqli.rb CHANGED Viewed

@@ -31,6 +31,20 @@ module Contrast
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  start: attack_sample.sqli.start_idx,
+                  end: attack_sample.sqli.end_idx,
+                  boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
+                  inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
+                  query: attack_sample.sqli.query
+              }
+            end
+          end
           def rule_name
             NAME
           end
@@ -47,29 +61,8 @@ module Contrast
             append_to_activity(context, result)
-            cef_logging result, :successful_attack, query_string
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-          end
-          private
-          def find_attacker context, potential_attack_string, **kwargs
-            ia_results = gather_ia_results(context)
-            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
-          end
-          def infilter? context
-            return false unless context&.agent_input_analysis&.results
-            return false unless enabled?
-            return false if protect_excluded_by_code?
-            true
-          end
-          def gather_ia_results context
-            context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
-            end
+            cef_logging(result, :successful_attack, query_string)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
         end
       end