contrast-agent 6.1.0 → 6.1.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (179) hide show
  1. checksums.yaml +4 -4
  2. data/.simplecov +1 -1
  3. data/Rakefile +1 -1
  4. data/ext/build_funchook.rb +3 -3
  5. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +5 -1
  6. data/ext/extconf_common.rb +1 -1
  7. data/lib/contrast/agent/assess/finalizers/hash.rb +2 -2
  8. data/lib/contrast/agent/assess/policy/policy.rb +9 -10
  9. data/lib/contrast/agent/assess/policy/policy_node.rb +9 -10
  10. data/lib/contrast/agent/assess/policy/propagation_method.rb +3 -3
  11. data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
  12. data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
  13. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +2 -1
  14. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
  15. data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
  16. data/lib/contrast/agent/assess/policy/propagator/split.rb +2 -2
  17. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  18. data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
  19. data/lib/contrast/agent/assess/policy/trigger_method.rb +7 -7
  20. data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
  21. data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
  22. data/lib/contrast/agent/assess/property/evented.rb +2 -2
  23. data/lib/contrast/agent/assess/property/tagged.rb +2 -2
  24. data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
  25. data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
  26. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +5 -5
  27. data/lib/contrast/agent/assess/rule/response/base_rule.rb +2 -3
  28. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +8 -9
  29. data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
  30. data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
  31. data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
  32. data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
  33. data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
  34. data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
  35. data/lib/contrast/agent/assess/tag.rb +13 -14
  36. data/lib/contrast/agent/at_exit_hook.rb +12 -1
  37. data/lib/contrast/agent/middleware.rb +6 -3
  38. data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -3
  39. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
  40. data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
  41. data/lib/contrast/agent/patching/policy/patch.rb +9 -9
  42. data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
  43. data/lib/contrast/agent/patching/policy/policy.rb +13 -15
  44. data/lib/contrast/agent/patching/policy/policy_node.rb +19 -21
  45. data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
  46. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +125 -125
  47. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
  48. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
  49. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
  50. data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
  51. data/lib/contrast/agent/protect/rule/base.rb +30 -18
  52. data/lib/contrast/agent/protect/rule/base_service.rb +31 -14
  53. data/lib/contrast/agent/protect/rule/cmd_injection.rb +16 -9
  54. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +3 -3
  55. data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
  56. data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
  57. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +74 -74
  58. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +71 -53
  59. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +3 -3
  60. data/lib/contrast/agent/protect/rule/no_sqli.rb +15 -16
  61. data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
  62. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -2
  63. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -1
  64. data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
  65. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +61 -61
  66. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +29 -29
  67. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +32 -32
  68. data/lib/contrast/agent/protect/rule/xss.rb +17 -0
  69. data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
  70. data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
  71. data/lib/contrast/agent/reaction_processor.rb +1 -1
  72. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +36 -36
  73. data/lib/contrast/agent/reporting/masker/masker.rb +10 -10
  74. data/lib/contrast/agent/reporting/masker/masker_utils.rb +2 -2
  75. data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +8 -10
  76. data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +53 -5
  77. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +25 -19
  78. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +129 -17
  79. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +20 -21
  80. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
  81. data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +26 -12
  82. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +5 -5
  83. data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +7 -5
  84. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +4 -10
  85. data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
  86. data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
  87. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +6 -6
  88. data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
  89. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +1 -1
  90. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +7 -7
  91. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +15 -15
  92. data/lib/contrast/agent/reporting/settings/application_settings.rb +1 -1
  93. data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
  94. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +3 -3
  95. data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
  96. data/lib/contrast/agent/reporting/settings/protect.rb +20 -5
  97. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +5 -5
  98. data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
  99. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +2 -2
  100. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +2 -2
  101. data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
  102. data/lib/contrast/agent/request.rb +2 -2
  103. data/lib/contrast/agent/request_context.rb +23 -19
  104. data/lib/contrast/agent/request_context_extend.rb +10 -23
  105. data/lib/contrast/agent/request_handler.rb +1 -1
  106. data/lib/contrast/agent/rule_set.rb +2 -2
  107. data/lib/contrast/agent/scope.rb +1 -1
  108. data/lib/contrast/agent/telemetry/base.rb +9 -5
  109. data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
  110. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +2 -2
  111. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +1 -1
  112. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +1 -1
  113. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +16 -18
  114. data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +2 -2
  115. data/lib/contrast/agent/version.rb +1 -1
  116. data/lib/contrast/api/communication/messaging_queue.rb +1 -1
  117. data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
  118. data/lib/contrast/api/communication/socket.rb +1 -1
  119. data/lib/contrast/api/communication/socket_client.rb +1 -1
  120. data/lib/contrast/api/communication/speedracer.rb +2 -2
  121. data/lib/contrast/api/decorators/agent_startup.rb +10 -9
  122. data/lib/contrast/api/decorators/application_settings.rb +1 -1
  123. data/lib/contrast/api/decorators/application_startup.rb +4 -4
  124. data/lib/contrast/api/decorators/response_type.rb +4 -17
  125. data/lib/contrast/components/agent.rb +1 -1
  126. data/lib/contrast/components/base.rb +1 -1
  127. data/lib/contrast/components/config.rb +6 -6
  128. data/lib/contrast/components/contrast_service.rb +4 -1
  129. data/lib/contrast/components/sampling.rb +1 -1
  130. data/lib/contrast/components/settings.rb +52 -28
  131. data/lib/contrast/config/assess_rules_configuration.rb +1 -1
  132. data/lib/contrast/config/protect_rules_configuration.rb +1 -1
  133. data/lib/contrast/config/root_configuration.rb +1 -1
  134. data/lib/contrast/configuration.rb +4 -4
  135. data/lib/contrast/extension/assess/array.rb +1 -1
  136. data/lib/contrast/extension/assess/erb.rb +1 -1
  137. data/lib/contrast/extension/assess/marshal.rb +1 -1
  138. data/lib/contrast/extension/assess/string.rb +1 -1
  139. data/lib/contrast/extension/extension.rb +2 -2
  140. data/lib/contrast/framework/base_support.rb +8 -8
  141. data/lib/contrast/framework/grape/support.rb +3 -3
  142. data/lib/contrast/framework/manager.rb +5 -5
  143. data/lib/contrast/framework/manager_extend.rb +1 -1
  144. data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
  145. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
  146. data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
  147. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
  148. data/lib/contrast/framework/rails/patch/support.rb +1 -1
  149. data/lib/contrast/framework/rails/support.rb +2 -2
  150. data/lib/contrast/framework/sinatra/support.rb +1 -1
  151. data/lib/contrast/logger/aliased_logging.rb +29 -22
  152. data/lib/contrast/logger/cef_log.rb +14 -14
  153. data/lib/contrast/logger/format.rb +1 -1
  154. data/lib/contrast/logger/log.rb +8 -8
  155. data/lib/contrast/tasks/config.rb +12 -12
  156. data/lib/contrast/tasks/service.rb +2 -2
  157. data/lib/contrast/utils/assess/tracking_util.rb +4 -4
  158. data/lib/contrast/utils/class_util.rb +4 -4
  159. data/lib/contrast/utils/findings.rb +3 -3
  160. data/lib/contrast/utils/hash_digest.rb +6 -7
  161. data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
  162. data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
  163. data/lib/contrast/utils/log_utils.rb +4 -4
  164. data/lib/contrast/utils/lru_cache.rb +1 -1
  165. data/lib/contrast/utils/metrics_hash.rb +1 -1
  166. data/lib/contrast/utils/middleware_utils.rb +5 -5
  167. data/lib/contrast/utils/net_http_base.rb +4 -4
  168. data/lib/contrast/utils/os.rb +1 -1
  169. data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
  170. data/lib/contrast/utils/request_utils.rb +2 -2
  171. data/lib/contrast/utils/sha256_builder.rb +4 -4
  172. data/lib/contrast/utils/stack_trace_utils.rb +31 -13
  173. data/lib/contrast/utils/telemetry.rb +6 -9
  174. data/lib/contrast/utils/telemetry_client.rb +5 -5
  175. data/lib/contrast/utils/telemetry_hash.rb +1 -1
  176. data/lib/contrast/utils/telemetry_identifier.rb +2 -2
  177. data/lib/contrast/utils/timer.rb +1 -1
  178. data/resources/assess/policy.json +1 -1
  179. metadata +15 -13
@@ -13,6 +13,9 @@ module Contrast
13
13
  class Deserialization < Contrast::Agent::Protect::Rule::Base
14
14
  # The TeamServer recognized name of this rule
15
15
  include Contrast::Components::Logger::InstanceMethods
16
+ # Used to name this input since input analysis isn't done for this
17
+ # rule
18
+ INPUT_NAME = 'Serialized Gadget'
16
19
 
17
20
  NAME = 'untrusted-deserialization'
18
21
 
@@ -39,6 +42,17 @@ module Contrast
39
42
  # Used to indicate to TeamServer the gadget is an Arel module
40
43
  AREL = 'Arel'
41
44
 
45
+ class << self
46
+ # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
47
+ # @return [Hash] the details for this specific rule
48
+ def extract_details attack_sample
49
+ {
50
+ command: attack_sample.untrusted_deserialization.command,
51
+ deserializer: attack_sample.untrusted_deserialization.deserializer
52
+ }
53
+ end
54
+ end
55
+
42
56
  # Return the TeamServer understood id / name of this rule.
43
57
  # @return [String] the TeamServer understood id / name of this rule.
44
58
  def rule_name
@@ -81,9 +95,9 @@ module Contrast
81
95
  result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
82
96
  append_to_activity(context, result)
83
97
 
84
- cef_logging result, :successful_attack
98
+ cef_logging(result, :successful_attack)
85
99
 
86
- raise Contrast::SecurityException.new(self, block_message) if blocked?
100
+ raise(Contrast::SecurityException.new(self, block_message)) if blocked?
87
101
  end
88
102
 
89
103
  # Determine if the issued command was called while we're
@@ -102,8 +116,8 @@ module Contrast
102
116
  ia_result = build_evaluation(gadget_command)
103
117
  result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
104
118
  append_to_activity(context, result)
105
- cef_logging result, :successful_attack, gadget_command
106
- raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
119
+ cef_logging(result, :successful_attack, gadget_command)
120
+ raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
107
121
  end
108
122
 
109
123
  protected
@@ -134,9 +148,6 @@ module Contrast
134
148
 
135
149
  private
136
150
 
137
- # Used to name this input since input analysis isn't done for this
138
- # rule
139
- INPUT_NAME = 'Serialized Gadget'
140
151
  # We know that this attack happened, so the result is always matched
141
152
  # and the level is always critical. Only variable is the Gadget
142
153
  # supplied by the attacker.
@@ -15,80 +15,80 @@ module Contrast
15
15
  # as a result input would be marked as DEFINETEATTACK or IGNORE,
16
16
  # to be analyzed at the sink level.
17
17
  module HttpMethodTamperingInputClassification
18
- class << self
19
- include InputClassificationBase
20
-
21
- # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
22
- #
23
- # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
24
- # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
25
- # analysis from the current request.
26
- def classify input_type, input_analysis
27
- return unless input_analysis.request
28
- return unless input_type == METHOD
29
-
30
- rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
31
-
32
- ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
33
- input_analysis.results << ia_result
34
-
35
- return input_analysis if ia_result.score_level == IGNORE
36
-
37
- attack_result = build_attack_result ia_result, rule_id
38
-
39
- if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
40
- attack_result.response = :EXPLOITED
41
- Contrast::Agent::EXPLOITS.push attack_result
42
- return input_analysis
43
- end
44
-
45
- attack_result.response = :BLOCKED
46
- context.activity.results << attack_result
47
- raise Contrast::SecurityException.new(self,
48
- 'HTTP Method Tampering rule triggered. '\
49
- "Call to #{ input_analysis.request.path } with " \
50
- "#{ input_analysis.request.request_method } blocked.")
51
- end
52
-
53
- private
54
-
55
- # @param request [Contrast::Agent::Request] the current request context.
56
- def method_tampering_exploited? request
57
- !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
58
- end
59
-
60
- # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
61
- # key if needed and Creates new instance of InputAnalysisResult.
62
- #
63
- # @param request [Contrast::Agent::Request] the current request context.
64
- # @param rule_id [String] The name of the Protect Rule.
65
- # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
66
- #
67
- # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
68
- def method_tampering_new_input_analysis request, rule_id, input_type
69
- ia_result = new_ia_result rule_id, input_type, request.path
70
- if method_tampering_exploited? request
71
- ia_result.score_level = DEFINITEATTACK
72
- ia_result.ids << rule_id
73
- else
74
- ia_result.score_level = IGNORE
75
- end
76
-
77
- ia_result
78
- end
79
-
80
- def build_attack_result ia_result, rule_id
81
- rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
82
- result = Contrast::Agent::Reporting::AttackResult.new
83
- result.rule_id = rule_id
84
- result.samples << rasp_rule_sample
85
- result
86
- end
87
-
88
- def context
89
- Contrast::Agent::REQUEST_TRACKER.current
90
- end
91
- end
18
+ # class << self
19
+ # include InputClassificationBase
20
+ #
21
+ # # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
22
+ # #
23
+ # # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
24
+ # # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
25
+ # # analysis from the current request.
26
+ # def classify input_type, input_analysis
27
+ # return unless input_analysis.request
28
+ # return unless input_type == METHOD
29
+ #
30
+ # rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
31
+ #
32
+ # ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
33
+ # input_analysis.results << ia_result
34
+ #
35
+ # return input_analysis if ia_result.score_level == IGNORE
36
+ #
37
+ # attack_result = build_attack_result ia_result, rule_id
38
+ #
39
+ # if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
40
+ # attack_result.response = :EXPLOITED
41
+ # Contrast::Agent::EXPLOITS.push attack_result
42
+ # return input_analysis
43
+ # end
44
+ #
45
+ # attack_result.response = :BLOCKED
46
+ # context.activity.results << attack_result
47
+ # raise Contrast::SecurityException.new(self,
48
+ # 'HTTP Method Tampering rule triggered. '\
49
+ # "Call to #{ input_analysis.request.path } with " \
50
+ # "#{ input_analysis.request.request_method } blocked.")
51
+ # end
52
+ #
53
+ # private
54
+ #
55
+ # # @param request [Contrast::Agent::Request] the current request context.
56
+ # def method_tampering_exploited? request
57
+ # !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
58
+ # end
59
+ #
60
+ # # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
61
+ # # key if needed and Creates new instance of InputAnalysisResult.
62
+ # #
63
+ # # @param request [Contrast::Agent::Request] the current request context.
64
+ # # @param rule_id [String] The name of the Protect Rule.
65
+ # # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
66
+ # #
67
+ # # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
68
+ # def method_tampering_new_input_analysis request, rule_id, input_type
69
+ # ia_result = new_ia_result rule_id, input_type, request.path
70
+ # if method_tampering_exploited? request
71
+ # ia_result.score_level = DEFINITEATTACK
72
+ # ia_result.ids << rule_id
73
+ # else
74
+ # ia_result.score_level = IGNORE
75
+ # end
76
+ #
77
+ # ia_result
78
+ # end
79
+ #
80
+ # def build_attack_result ia_result, rule_id
81
+ # rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
82
+ # result = Contrast::Agent::Reporting::AttackResult.new
83
+ # result.rule_id = rule_id
84
+ # result.samples << rasp_rule_sample
85
+ # result
86
+ # end
87
+ #
88
+ # def context
89
+ # Contrast::Agent::REQUEST_TRACKER.current
90
+ # end
91
+ # end
92
92
  end
93
93
  end
94
94
  end
@@ -10,65 +10,83 @@ module Contrast
10
10
  # The Ruby implementation of the Protect HTTP Method Tampering rule.
11
11
  class HttpMethodTampering < Contrast::Agent::Protect::Rule::BaseService
12
12
  NAME = 'method-tampering'
13
- STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
13
+ # STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
14
+ #
15
+ # APPLICABLE_METHODS_INPUTS = %w[
16
+ # ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
17
+ # DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
18
+ # MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
19
+ # PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
20
+ # UNLOCK UPDATE VERSION-CONTROL
21
+ # ].cs__freeze
14
22
 
15
- APPLICABLE_METHODS_INPUTS = %w[
16
- ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
17
- DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
18
- MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
19
- PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
20
- UNLOCK UPDATE VERSION-CONTROL
21
- ].cs__freeze
23
+ class << self
24
+ # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
25
+ # @return [Hash] the details for this specific rule
26
+ def extract_details attack_sample
27
+ {
28
+ method: attack_sample.method_tampering.method, # rubocop:disable Security/Object/Method
29
+ responseCode: attack_sample.method_tampering.response_code
30
+ }
31
+ end
32
+ end
22
33
 
23
34
  def rule_name
24
35
  NAME
25
36
  end
26
37
 
27
- def postfilter context
28
- return unless enabled? && POSTFILTER_MODES.include?(mode)
29
- return if normal_request?(context)
30
-
31
- # The only way to be here in postfilter with a result is if the rule mode was MONITOR
32
- ia_results = gather_ia_results(context)
33
- return if ia_results.empty?
34
-
35
- # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
36
- response_code = context&.response&.response_code
37
- return unless response_code
38
-
39
- method = ia_results.first.value
40
- result = if response_code.to_s.start_with?('4', '5')
41
- build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
42
- else
43
- build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
44
- end
45
-
46
- return unless result
47
-
48
- append_to_activity(context, result)
49
- cef_logging result, :ineffective_attack
50
- end
51
-
52
- protected
53
-
54
- def build_sample context, evaluation, _candidate_string, **kwargs
55
- sample = build_base_sample(context, evaluation)
56
- sample.user_input.value = kwargs[:method]
57
- sample.user_input.input_type = :METHOD
58
-
59
- sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
60
- sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
61
- code = kwargs[:response_code] || -1
62
- sample.method_tampering.response_code = code.to_i
63
- sample
64
- end
65
-
66
- private
67
-
68
- def normal_request? context
69
- method = context.request.request_method
70
- context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
71
- end
38
+ # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
39
+ # agent with protect library, we should re-enable these tests and that rule.
40
+ # TODO: RUBY-1574
41
+ # def enabled?
42
+ # super && false
43
+ # end
44
+ #
45
+ # def postfilter context
46
+ # return unless enabled? && POSTFILTER_MODES.include?(mode)
47
+ # return if normal_request?(context)
48
+ #
49
+ # # The only way to be here in postfilter with a result is if the rule mode was MONITOR
50
+ # ia_results = gather_ia_results(context)
51
+ # return if ia_results.empty?
52
+ #
53
+ # # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
54
+ # response_code = context&.response&.response_code
55
+ # return unless response_code
56
+ #
57
+ # method = ia_results.first.value
58
+ # result = if response_code.to_s.start_with?('4', '5')
59
+ # build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
60
+ # else
61
+ # build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
62
+ # end
63
+ #
64
+ # return unless result
65
+ #
66
+ # append_to_activity(context, result)
67
+ # cef_logging result, :ineffective_attack
68
+ # end
69
+ #
70
+ # protected
71
+ #
72
+ # def build_sample context, evaluation, _candidate_string, **kwargs
73
+ # sample = build_base_sample(context, evaluation)
74
+ # sample.user_input.value = kwargs[:method]
75
+ # sample.user_input.input_type = :METHOD
76
+ #
77
+ # sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
78
+ # sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
79
+ # code = kwargs[:response_code] || -1
80
+ # sample.method_tampering.response_code = code.to_i
81
+ # sample
82
+ # end
83
+ #
84
+ # private
85
+ #
86
+ # def normal_request? context
87
+ # method = context.request.request_method
88
+ # context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
89
+ # end
72
90
  end
73
91
  end
74
92
  end
@@ -106,9 +106,9 @@ module Contrast
106
106
  score = evaluate_patterns(value)
107
107
  score = evaluate_rules(value, score)
108
108
 
109
- score_level = if definite_attack? score
109
+ score_level = if definite_attack?(score)
110
110
  DEFINITEATTACK
111
- elsif worth_watching? score
111
+ elsif worth_watching?(score)
112
112
  WORTHWATCHING
113
113
  else
114
114
  IGNORE
@@ -185,7 +185,7 @@ module Contrast
185
185
  def evaluate_or_rule value
186
186
  score = 0
187
187
 
188
- locs = matches_by_position value, NOSQL_OR_REGEXP
188
+ locs = matches_by_position(value, NOSQL_OR_REGEXP)
189
189
  return score if locs.empty?
190
190
 
191
191
  locs.each do |loc|
@@ -18,6 +18,19 @@ module Contrast
18
18
 
19
19
  NAME = 'nosql-injection'
20
20
  BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
21
+ class << self
22
+ # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
23
+ # @return [Hash] the details for this specific rule
24
+ def extract_details attack_sample
25
+ {
26
+ start: attack_sample.no_sqli.start_idx,
27
+ end: attack_sample.no_sqli.end_idx,
28
+ boundaryOverrunIndex: attack_sample.no_sqli.boundary_overrun_idx,
29
+ inputBoundaryIndex: attack_sample.no_sqli.input_boundary_idx,
30
+ query: attack_sample.no_sqli.query
31
+ }
32
+ end
33
+ end
21
34
 
22
35
  def rule_name
23
36
  NAME
@@ -35,8 +48,8 @@ module Contrast
35
48
 
36
49
  append_to_activity(context, result)
37
50
 
38
- cef_logging result, :successful_attack
39
- raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
51
+ cef_logging(result, :successful_attack)
52
+ raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
40
53
  end
41
54
 
42
55
  def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -66,20 +79,6 @@ module Contrast
66
79
  end
67
80
  super(context, potential_attack_string, **kwargs)
68
81
  end
69
-
70
- def infilter? context
71
- return false unless context&.agent_input_analysis&.results
72
- return false unless enabled?
73
- return false if protect_excluded_by_code?
74
-
75
- true
76
- end
77
-
78
- def gather_ia_results context
79
- context.agent_input_analysis.results.select do |ia_result|
80
- ia_result.rule_id == rule_name
81
- end
82
- end
83
82
  end
84
83
  end
85
84
  end
@@ -25,6 +25,16 @@ module Contrast
25
25
  /windows/repair/
26
26
  ].cs__freeze
27
27
 
28
+ class << self
29
+ # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
30
+ # @return [Hash] the details for this specific rule
31
+ def extract_details attack_sample
32
+ {
33
+ path: attack_sample.path_traversal.path
34
+ }
35
+ end
36
+ end
37
+
28
38
  def rule_name
29
39
  NAME
30
40
  end
@@ -38,9 +48,9 @@ module Contrast
38
48
  append_to_activity(context, result)
39
49
  return unless blocked?
40
50
 
41
- cef_logging result, :successful_attack, path
42
- raise Contrast::SecurityException.new(self,
43
- "Path Traversal rule triggered. Call to File.#{ method } blocked.")
51
+ cef_logging(result, :successful_attack, path)
52
+ raise(Contrast::SecurityException.new(self,
53
+ "Path Traversal rule triggered. Call to File.#{ method } blocked."))
44
54
  end
45
55
 
46
56
  protected
@@ -69,7 +69,7 @@ module Contrast
69
69
  # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
70
70
  def sqli_create_new_input_result request, rule_id, input_type, value
71
71
  ia_result = new_ia_result(rule_id, input_type, request.path, value)
72
- if sqli_worth_watching? value
72
+ if sqli_worth_watching?(value)
73
73
  ia_result.ids << WORTHWATCHING_MATCH
74
74
  ia_result.score_level = WORTHWATCHING
75
75
  ia_result
@@ -77,7 +77,7 @@ module Contrast
77
77
  ia_result.score_level = IGNORE
78
78
  end
79
79
 
80
- add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
80
+ add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
81
81
  ia_result
82
82
  end
83
83
  end
@@ -91,7 +91,7 @@ module Contrast
91
91
  # @param input [String] the user input to be inspected
92
92
  # @return true | false
93
93
  def language_keywords? input
94
- contains_substring? input, SQL_KEYWORDS
94
+ contains_substring?(input, SQL_KEYWORDS)
95
95
  end
96
96
 
97
97
  # Helper method to find a substrings in given input.
@@ -31,6 +31,20 @@ module Contrast
31
31
  NAME = 'sql-injection'
32
32
  BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
33
33
 
34
+ class << self
35
+ # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
36
+ # @return [Hash] the details for this specific rule
37
+ def extract_details attack_sample
38
+ {
39
+ start: attack_sample.sqli.start_idx,
40
+ end: attack_sample.sqli.end_idx,
41
+ boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
42
+ inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
43
+ query: attack_sample.sqli.query
44
+ }
45
+ end
46
+ end
47
+
34
48
  def rule_name
35
49
  NAME
36
50
  end
@@ -47,29 +61,8 @@ module Contrast
47
61
 
48
62
  append_to_activity(context, result)
49
63
 
50
- cef_logging result, :successful_attack, query_string
51
- raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
52
- end
53
-
54
- private
55
-
56
- def find_attacker context, potential_attack_string, **kwargs
57
- ia_results = gather_ia_results(context)
58
- find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
59
- end
60
-
61
- def infilter? context
62
- return false unless context&.agent_input_analysis&.results
63
- return false unless enabled?
64
- return false if protect_excluded_by_code?
65
-
66
- true
67
- end
68
-
69
- def gather_ia_results context
70
- context.agent_input_analysis.results.select do |ia_result|
71
- ia_result.rule_id == rule_name
72
- end
64
+ cef_logging(result, :successful_attack, query_string)
65
+ raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
73
66
  end
74
67
  end
75
68
  end