contrast-agent 6.13.0 → 6.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf537fe7f51e1701577cb567c81862d9ed3b9eaadf89d45da26ddc65e9135afb
-  data.tar.gz: b344f21256b15416fb395ed6f91880d4579b39d9bdb331df9492965ddf385129
+  metadata.gz: e4f1f41a4e9c4b720867bf41832aceec4b4d4b2e55efafc086f5bf9a14f56401
+  data.tar.gz: 575fbbe0b929cc700daa495403325a27ff90cd92b44f549c9fd44dde7f25ec55
 SHA512:
-  metadata.gz: cab435e1cfaf07a8f5c101805d3ca0046062071e10d61e3fcef4012e989e145bca2d586113176c89a96019eb32c2a6487de7149a01b4139d95c3b31d648a3ec5
-  data.tar.gz: 5270af8f8b5c398d974857194adff85b826c75cd603006eac060d8762985220f13d095cd4b01ae94976b22a261c6250daa4ee05176b2bc635f7455bbd5eeeaf0
+  metadata.gz: a6a321d684f4a220f3eed2cc85ddac8985a4720216beb062d9bc9c75322bbf9d626b96c83f8f0698acdf611fe0ba4dabfa3f908cb6d12a400c3ee05e3d850c05
+  data.tar.gz: 6de14c43bfd6bb54f6fc6da174c1affe91e2712dc6438d69fa6b87404336e8d68691f84339ba756a4a85f5d70ac8b17488a96e786faa77099c5e34963c8e0ffd

data/lib/contrast/agent/{assess.rb → assess/assess.rb}

@@ -9,7 +9,7 @@ module Contrast
     # point of require for this functionality.
     module Assess
       require 'contrast/agent/assess/tracker'
-      require 'contrast/agent/module_data'
+      require 'contrast/agent/assess/module_data'
       require 'contrast/agent/assess/policy/preshift'
 
       # Dynamic Sources

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/method_policy'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -15,6 +16,8 @@ module Contrast
           READ_TABLE = 'readTable'
           READ_COLUMN = 'readColumn'
           class << self
+            include Contrast::Components::Logger::InstanceMethods
+
             # Given a Class representing a table in a Database and a map of
             # methods representing columns, generate sources for each method
             # such that calls to that method will result in a Source Event.

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -38,6 +38,7 @@ module Contrast
             capitalize!
             chomp
             to_s
+            to_str
             downcase
             downcase!
             lstrip
@@ -45,7 +46,7 @@ module Contrast
             upcase!
             upcase
           ].cs__freeze
-          TO_S = 'to_s'
+          TO_S = %w[to_s to_str].cs__freeze
 
           def initialize policy_hash = {}
             super(policy_hash)
@@ -63,7 +64,7 @@ module Contrast
             # String#to_s => self or string. This method is included here to cover the situations such as
             # String.to_s.html_safe, where normally the dynamic sources properties get lost. To solve this
             # we will simply return the original object here.
-            return true if @_use_original_object && policy_hash[JSON_METHOD_NAME] == TO_S
+            return true if @_use_original_object && TO_S.include?(policy_hash[JSON_METHOD_NAME])
 
             @_use_original_object &&
                 # Check if method name ends with a (!) bang unless is the to_s method:

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -92,11 +92,11 @@ module Contrast
             #   propagation event.
             # @param target [Object] the Target to which to propagate.
             def apply_tags propagation_node, target
-              return unless propagation_node.tags
+              return unless (propagation_tags = propagation_node.tags)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
 
               length = Contrast::Utils::StringUtils.ret_length(target)
-              propagation_node.tags.each do |tag|
+              propagation_tags.each do |tag|
                 properties.add_tag(tag, 0...length)
               end
             end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -50,7 +50,6 @@ module Contrast
                   next if known_tainted&.include?(key)
                   next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
 
-                  # TODO: RUBY-540 handle sanitization, handle nested objects
                   Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)
                   event_data = Contrast::Agent::Assess::Events::EventData.new(propagation_node,
                                                                               value, preshift.object,

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -3,7 +3,7 @@
 
 require 'set'
 require 'contrast/agent/assess/policy/source_validation/source_validation'
-require 'contrast/agent/excluder'
+require 'contrast/agent/excluder/excluder'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -2,9 +2,10 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
-require 'contrast/agent/excluder'
+require 'contrast/agent/excluder/excluder'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 require 'contrast/utils/sha256_builder'
 require 'contrast/utils/assess/trigger_method_utils'
 require 'contrast/agent/assess/events/event_data'
@@ -99,6 +100,7 @@ module Contrast
               return if excluded_by_input_and_rule?(request, finding, trigger_node.rule_id)
 
               finding.hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
+              check_for_stored_xss(finding)
               finding
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
@@ -188,6 +190,39 @@ module Contrast
             def excluded_by_input_and_rule? request, finding, rule_id
               Contrast::SETTINGS.excluder.assess_excluded_by_input_and_rule?(request, finding, rule_id)
             end
+
+            # Handles the Stored Xss rule. If a vector is stored in the database
+            def check_for_stored_xss finding
+              return unless finding && finding.rule_id == 'reflected-xss'
+
+              # Check for database tainted event propagation:
+              if finding.events.select { |event| event.reportable_tags.include?('DATABASE_WRITE') }.
+                    any? && !Contrast::ASSESS.disabled_rules.include?('stored-xss')
+
+                # Override 'reflected-xss' => 'stored-xss'
+                finding.instance_variable_set(:@rule_id, 'stored-xss')
+                extract_dynamic_source_info(finding)
+                finding
+              end
+            end
+
+            def extract_dynamic_source_info finding
+              return unless finding
+
+              creation_events = finding.events.select { |e| e.action == :CREATION }
+              source_event_policy = creation_events[0].policy_node if creation_events.any?
+              properties = source_event_policy.properties if source_event_policy
+              # Properties example:
+              # => {"dynamic_source_id"=>"Assess:Source:Comment#message",
+              #  "dynamic_source_name"=>"Comment.message",
+              #  "readTable"=>"Comment",
+              #  "readColumn"=>:message,
+              #  "writeDateTimeUtc"=>1675087341948,
+              #  "writeRequestUrl"=>"/comments"}
+              return if Contrast::Utils::DuckUtils.empty_duck?(properties)
+
+              finding.instance_variable_set(:@properties, finding.properties.merge(properties))
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a REDOS finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the TeamServer.
+          # before serializing that finding as a Event to report to the TeamServer.
           module REDOSValidator
             RULE_NAME = 'redos'
             # If Regexp is set to Float::Infinite this is the maximum number it will receive

data/lib/contrast/agent/inventory/database_config.rb

@@ -54,6 +54,7 @@ module Contrast
           # @return [Hash]
           def active_record_config
             return @_active_record_config if instance_variable_defined?(:@_active_record_config)
+            return unless defined?(ActiveRecord) && defined?(ActiveRecord::Base)
 
             @_active_record_config = if ActiveRecord::Base.cs__respond_to?(:connection_db_config)
                                        ActiveRecord::Base.connection_db_config

data/lib/contrast/agent/{middleware.rb → middleware/middleware.rb}

@@ -10,9 +10,9 @@ require 'contrast/utils/object_share'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/heap_dump_util'
-require 'contrast/agent/telemetry'
-require 'contrast/agent/request_handler'
-require 'contrast/agent/static_analysis'
+require 'contrast/agent/telemetry/telemetry'
+require 'contrast/agent/request/request_handler'
+require 'contrast/agent/middleware/static_analysis'
 require 'contrast/agent/telemetry/startup_metrics_event'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/utils/middleware_utils'

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -4,18 +4,18 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
-require 'contrast/agent/protect/rule/bot_blocker'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker'
 require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
 require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
-require 'contrast/agent/protect/rule/unsafe_file_upload'
-require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
-require 'contrast/agent/protect/rule/xss'
+require 'contrast/agent/protect/rule/xss/xss'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'json'

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/reporting_events/application_activity'

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/protect/rule/cmdi/cmd_injection'
 require 'contrast/agent/protect/policy/applies_deserialization_rule'
 require 'contrast/agent/protect/policy/rule_applicator'
 

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/deserialization'
+require 'contrast/agent/protect/rule/deserialization/deserialization'
 require 'contrast/agent/protect/policy/rule_applicator'
 
 module Contrast

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/policy/rule_applicator'
 
 module Contrast

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
 require 'contrast/agent/protect/policy/rule_applicator'
 require 'contrast/utils/object_share'

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/sqli'
+require 'contrast/agent/protect/rule/sqli/sqli'
 require 'contrast/agent/protect/policy/rule_applicator'
 
 module Contrast

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/xxe'
+require 'contrast/agent/protect/rule/xxe/xxe'
 require 'contrast/agent/protect/policy/rule_applicator'
 require 'contrast/utils/object_share'