RubyGems - contrast-agent - Versions diffs - 6.1.0 → 6.1.1 - Mend

contrast-agent 6.1.0 → 6.1.1

Files changed (179) hide show

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb CHANGED Viewed

@@ -14,67 +14,67 @@ module Contrast
         # This module will do the Input Classification stage of Unsafe File Upload
         # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
         module UnsafeFileUploadInputClassification
-          UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
-          class << self
-            include InputClassificationBase
-            include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
-            # Input Classification stage is done to determine if an user input is
-            # DEFINITEATTACK or to be ignored.
-            #
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-            #                                                       agent analysis from the current
-            #                                                       Request.
-            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
-            def classify input_type, value, input_analysis
-              unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
-                return
-              end
-              return unless input_analysis.request
-              rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
-              results = []
-              Array(value).each do |val|
-                Array(val).each do |v|
-                  results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
-                end
-              end
-              input_analysis.results = results
-              input_analysis
-            end
-            private
-            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
-            #
-            # @param request [Contrast::Agent::Request] the current request context.
-            # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              ia_result = new_ia_result rule_id, input_type, request.path, value
-              if unsafe_match? value
-                ia_result.score_level = DEFINITEATTACK
-                ia_result.ids << UNSAFE_UPLOAD_MATCH
-              else
-                ia_result.score_level = IGNORE
-              end
-              ia_result.key = if input_type == MULTIPART_FIELD_NAME
-                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
-                              else
-                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
-                              end
-              ia_result
-            end
-          end
+          # UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
+          #
+          # class << self
+          #   include InputClassificationBase
+          #   include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
+          #
+          #   # Input Classification stage is done to determine if an user input is
+          #   # DEFINITEATTACK or to be ignored.
+          #   #
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   # @param value [String, Array<String>] the value of the input.
+          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #   #                                                       agent analysis from the current
+          #   #                                                       Request.
+          #   # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+          #   def classify input_type, value, input_analysis
+          #     unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
+          #       return
+          #     end
+          #     return unless input_analysis.request
+          #
+          #     rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
+          #     results = []
+          #
+          #     Array(value).each do |val|
+          #       Array(val).each do |v|
+          #         results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
+          #       end
+          #     end
+          #
+          #     input_analysis.results = results
+          #     input_analysis
+          #   end
+          #
+          #   private
+          #
+          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+          #   # key if needed and Creates new isntance of InputAnalysisResult.
+          #   #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   # @param rule_id [String] The name of the Protect Rule.
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   # @param value [String, Array<String>] the value of the input.
+          #   #
+          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          #   def create_new_input_result request, rule_id, input_type, value
+          #     ia_result = new_ia_result rule_id, input_type, request.path, value
+          #     if unsafe_match? value
+          #       ia_result.score_level = DEFINITEATTACK
+          #       ia_result.ids << UNSAFE_UPLOAD_MATCH
+          #     else
+          #       ia_result.score_level = IGNORE
+          #     end
+          #     ia_result.key = if input_type == MULTIPART_FIELD_NAME
+          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
+          #                     else
+          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
+          #                     end
+          #     ia_result
+          #   end
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb CHANGED Viewed

@@ -8,36 +8,36 @@ module Contrast
         # Here will be made the match of the user input provided by the
         # Agent InputAnalysis.
         module UnsafeFileUploadMatcher
-          EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
-          # Extensions that can be executed on the server side or can be dangerous on the client side:
-          # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
-          EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
-          # Match the user input to see if the filename
-          # contains malicious file extension.
+          # EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze # rubocop:disable Style/AsciiComments
+          # # Extensions that can be executed on the server side or can be dangerous on the client side:
+          # # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
+          # EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
           #
-          # @param input [String] The filename
-          # extracted from the current request
-          # @return true | false
-          def unsafe_match? input
-            suspicious_chars?(input) || suspicious_extensions?(input)
-          end
-          private
-          # @param input [String] The filename
-          # extracted from the current request
-          # @return true | false
-          def suspicious_chars? input
-            input.chars.any? { |c| EXPLOIT_CHARS.include? c }
-          end
-          # @param input [String] The filename
-          # extracted from the current request
-          # @return true | false
-          def suspicious_extensions? input
-            EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
-          end
+          # # Match the user input to see if the filename
+          # # contains malicious file extension.
+          # #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def unsafe_match? input
+          #   suspicious_chars?(input) || suspicious_extensions?(input)
+          # end
+          #
+          # private
+          #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def suspicious_chars? input
+          #   input.chars.any? { |c| EXPLOIT_CHARS.include? c }
+          # end
+          #
+          # # @param input [String] The filename
+          # # extracted from the current request
+          # # @return true | false
+          # def suspicious_extensions? input
+          #   EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb CHANGED Viewed

@@ -23,40 +23,40 @@ module Contrast
             NAME
           end
-          def block_message
-            BLOCK_MESSAGE
+          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
+          # agent with protect library, we should re-enable these tests and that rule.
+          # TODO: RUBY-1574
+          def enabled?
+            super && false
           end
-          def prefilter context
-            return unless prefilter?(context)
-            ia_results = gather_ia_results context
-            ia_results.each do |ia_result|
-              result = build_attack_result(context)
-              build_attack_without_match context, ia_result, result
-              append_to_activity context, result
-              cef_logging result, :successful_attack
-              raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-            end
-          end
-          private
-          def prefilter? context
-            return false unless context&.agent_input_analysis&.results
-            return false unless enabled?
-            return false if protect_excluded_by_code?
-            true
-          end
-          def gather_ia_results context
-            context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
-            end
-          end
+          # def block_message
+          #   BLOCK_MESSAGE
+          # end
+          #
+          # def prefilter context
+          #   return unless prefilter?(context)
+          #
+          #   ia_results = gather_ia_results context
+          #
+          #   ia_results.each do |ia_result|
+          #     result = build_attack_result(context)
+          #     build_attack_without_match context, ia_result, result
+          #     append_to_activity context, result
+          #
+          #     cef_logging result, :successful_attack
+          #     raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+          #   end
+          # end
+          #
+          # private
+          #
+          # def prefilter? _context
+          #   return false unless enabled?
+          #   return false if protect_excluded_by_code?
+          #
+          #   true
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xss.rb CHANGED Viewed

@@ -12,6 +12,23 @@ module Contrast
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  input: attack_sample.xss.input,
+                  matches: attack_sample.xss.matches.map do |match|
+                             {
+                                 evidenceStart: match.evidence_start_ms,
+                                 evidence: match.evidence,
+                                 offset: match.offset
+                             }
+                           end
+              }
+            end
+          end
           def rule_name
             NAME
           end

data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb CHANGED Viewed

@@ -11,6 +11,20 @@ module Contrast
           class EntityWrapper
             attr_reader :system_id, :public_id
+            DTD_MARKER =   '.dtd'
+            FILE_START =   'file:'
+            FTP_START =    'ftp:'
+            GOPHER_START = 'gopher:'
+            JAR_START =    'jar:'
+            UP_DIR_LINUX = '../'
+            UP_DIR_WIN =   '..\\'
+            # <!ENTITY name SYSTEM "URI">
+            SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
+            # <!ENTITY name PUBLIC "public_ID" "URI">
+            PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
+            # we only use this against lowercase strings, removed A-Z for speed
+            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def initialize entity
               @system_id = parse_system_id(entity)
               # an entity cannot be system and public
@@ -30,29 +44,16 @@ module Contrast
               @_external_entity
             end
-            # <!ENTITY name SYSTEM "URI">
-            SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
             def parse_system_id entity
               match = SYSTEM_ID_REGEXP.match(entity)
               match[:id] if match
             end
-            # <!ENTITY name PUBLIC "public_ID" "URI">
-            PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
             def parse_public_id entity
               match = PUBLIC_ID_REGEXP.match(entity)
               match[:id] if match
             end
-            DTD_MARKER =   '.dtd'
-            FILE_START =   'file:'
-            FTP_START =    'ftp:'
-            GOPHER_START = 'gopher:'
-            JAR_START =    'jar:'
-            UP_DIR_LINUX = '../'
-            UP_DIR_WIN =   '..\\'
-            # we only use this against lowercase strings, removed A-Z for speed
-            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def external_id? entity_id
               return false unless entity_id

data/lib/contrast/agent/protect/rule/xxe.rb CHANGED Viewed

@@ -13,11 +13,34 @@ module Contrast
         # of unsafe external entity resolution.
         class Xxe < Contrast::Agent::Protect::Rule::Base
           include Contrast::Components::Logger::InstanceMethods
+          INPUT_NAME = 'XML Prolog'
           NAME = 'xxe'
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  xml: attack_sample.xxe.xml,
+                  declaredEntities: attack_sample.xxe.declared_entities.map do |entity|
+                                      {
+                                          start: entity.start_idx,
+                                          end: entity.end_idx
+                                      }
+                                    end,
+                  entitiesResolved: attack_sample.xxe.entities_resolved.map do |entity|
+                                      {
+                                          systemId: entity.system_id,
+                                          publicId: entity.public_id
+                                      }
+                                    end
+              }
+            end
+          end
           def rule_name
             NAME
           end
@@ -39,8 +62,8 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
-            cef_logging result, :successful_attack, xml
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE)
+            cef_logging(result, :successful_attack, xml)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE))
           end
           protected
@@ -100,7 +123,6 @@ module Contrast
             sample
           end
-          INPUT_NAME = 'XML Prolog'
           def build_user_input ia_result
             input = Contrast::Api::Dtm::UserInput.new
             input.key = INPUT_NAME

data/lib/contrast/agent/reaction_processor.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module Contrast
           case reaction.operation
           when Contrast::Api::Settings::Reaction::Operation::DISABLE
-            Contrast::Agent::DisableReaction.run reaction, level
+            Contrast::Agent::DisableReaction.run(reaction, level)
           when Contrast::Api::Settings::Reaction::Operation::NOOP
             # NOOP
           else

data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb CHANGED Viewed

@@ -10,42 +10,42 @@ module Contrast
     module Reporting
       # This class will hold the new RaspRuleSample.
       # protect rules.
-      class RaspRuleSample
-        def timestamp
-          @_timestamp ||= 0
-        end
-        def timestamp= timestamp_ms
-          @_timestamp = timestamp_ms
-        end
-        def user_input
-          @_user_input ||= Contrast::Agent::Reporting::UserInput.new
-        end
-        def user_input= input
-          @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
-        end
-        def build context, ia_result
-          sample = self
-          sample.timestamp = context&.timer&.start_ms
-          sample.user_input = build_user_input_from_ia(ia_result)
-          sample.user_input.document_type = if context&.request
-                                              Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
-                                            end
-          sample
-        end
-        def build_user_input_from_ia ia_result
-          user_input = Contrast::Agent::Reporting::UserInput.new
-          user_input.input_type = ia_result.input_type
-          user_input.matcher_ids = ia_result.ids
-          user_input.path = ia_result.path
-          user_input.key = ia_result.key if ia_result.key
-          user_input.value = ia_result.value if ia_result.value
-          user_input
-        end
+      class RaspRuleSample # rubocop:disable Lint/EmptyClass
+        # def timestamp
+        #   @_timestamp ||= 0
+        # end
+        #
+        # def timestamp= timestamp_ms
+        #   @_timestamp = timestamp_ms
+        # end
+        #
+        # def user_input
+        #   @_user_input ||= Contrast::Agent::Reporting::UserInput.new
+        # end
+        #
+        # def user_input= input
+        #   @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
+        # end
+        #
+        # def build context, ia_result
+        #   sample = self
+        #   sample.timestamp = context&.timer&.start_ms
+        #   sample.user_input = build_user_input_from_ia(ia_result)
+        #   sample.user_input.document_type = if context&.request
+        #                                       Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
+        #                                     end
+        #   sample
+        # end
+        #
+        # def build_user_input_from_ia ia_result
+        #   user_input = Contrast::Agent::Reporting::UserInput.new
+        #   user_input.input_type = ia_result.input_type
+        #   user_input.matcher_ids = ia_result.ids
+        #   user_input.path = ia_result.path
+        #   user_input.key = ia_result.key if ia_result.key
+        #   user_input.value = ia_result.value if ia_result.value
+        #   user_input
+        # end
       end
     end
   end

data/lib/contrast/agent/reporting/masker/masker.rb CHANGED Viewed

@@ -84,16 +84,16 @@ module Contrast
             params = activity.http_request.normalized_request_params
             return unless params
-            mask_with_dictionary activity.results, params
+            mask_with_dictionary(activity.results, params)
           end
           def mask_request_headers activity
             if activity.http_request.parsed_request_headers
               # Used normalized request_headers
-              mask_with_dictionary activity.results, activity.http_request.normalized_request_headers
+              mask_with_dictionary(activity.results, activity.http_request.normalized_request_headers)
             else
               headers = activity.http_request.request_headers
-              mask_field_hash headers, activity.results
+              mask_field_hash(headers, activity.results)
             end
           end
@@ -105,7 +105,7 @@ module Contrast
             cookies = activity.http_request.normalized_cookies
             return unless cookies
-            mask_with_dictionary activity.results, cookies
+            mask_with_dictionary(activity.results, cookies)
           end
           # Mask request query string:
@@ -117,8 +117,8 @@ module Contrast
             qs = activity.http_request.query_string
             return if qs.nil? || qs.empty?
-            mask_field_hash qs, activity.results unless qs.cs__is_a?(String)
-            mask_raw_query qs, activity.results
+            mask_field_hash(qs, activity.results) unless qs.cs__is_a?(String)
+            mask_raw_query(qs, activity.results)
           end
           # Mask if the value in the passed hash are matched against dictionary
@@ -134,17 +134,17 @@ module Contrast
             return if hash.nil? || hash.empty?
             hash.each do |key, val|
-              match = dictionary_matcher key
+              match = dictionary_matcher(key)
               next unless match
               # The normalized values are paired.
               # key => Contrast::Api::Dtm::Pair (key, val<Values>).
               # try one level down
-              if val.cs__respond_to? :values
-                mask_values key, val, results
+              if val.cs__respond_to?(:values)
+                mask_values(key, val, results)
               else
                 # Just assign keys.
-                mask_hash key, val, hash, results
+                mask_hash(key, val, hash, results)
               end
             end
             hash

data/lib/contrast/agent/reporting/masker/masker_utils.rb CHANGED Viewed

@@ -30,7 +30,7 @@ module Contrast
               hash[arr[0]] = arr[1]
             end
             # Mask the newly created hash.
-            mask_with_dictionary results, hash
+            mask_with_dictionary(results, hash)
             # Restore to original form.
             hash.each { |k, v| masked += "#{ k }=#{ v }; " }
@@ -50,7 +50,7 @@ module Contrast
         def mask_raw_query query, results
           masked = EMPTY_STRING
           hash = URI.decode_www_form(query).to_h
-          mask_with_dictionary results, hash
+          mask_with_dictionary(results, hash)
           # Restore to string form.
           hash.each { |k, v| masked += "#{ k }=#{ v }&" }
           query = masked

data/lib/contrast/agent/reporting/reporting_events/application_activity.rb CHANGED Viewed

@@ -17,14 +17,13 @@ module Contrast
           # @return [Contrast::Agent::Reporting::ApplicationActivity]
           def convert app_activity_dtm
             app_activity = new
-            app_activity.attach_data app_activity_dtm
+            app_activity.attach_data(app_activity_dtm)
             app_activity
           end
         end
         def initialize
-          @defend = []
-          @inventory = []
+          @event_method = :PUT
           @event_type = :application_activity
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_activity
           super
@@ -35,17 +34,16 @@ module Contrast
         end
         def to_controlled_hash
-          {
-              lastUpdate: since_last_update,
-              defend: @defend.map(&:to_controlled_hash),
-              inventory: @inventory.map(&:to_controlled_hash)
-          }
+          hsh = { lastUpdate: since_last_update }
+          hsh[:defend] = @defend&.to_controlled_hash if @defend
+          hsh[:inventory] = @inventory&.to_controlled_hash if @inventory
+          hsh
         end
         # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
         def attach_data activity_dtm
-          @defend << Contrast::Agent::Reporting::ApplicationDefendActivity.convert(activity_dtm)
-          @inventory << Contrast::Agent::Reporting::ApplicationInventoryActivity.convert(activity_dtm)
+          @defend = Contrast::Agent::Reporting::ApplicationDefendActivity.convert(activity_dtm)
+          @inventory = Contrast::Agent::Reporting::ApplicationInventoryActivity.convert(activity_dtm)
         end
       end
     end