contrast-agent 6.14.0 → 6.15.1
- checksums.yaml +4 -4
- data/ext/cs__scope/cs__scope.c +2 -1
- data/lib/contrast/agent/{assess.rb → assess/assess.rb} +1 -1
- data/lib/contrast/agent/{module_data.rb → assess/module_data.rb} +0 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +3 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +0 -1
- data/lib/contrast/agent/assess/policy/source_method.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +36 -1
- data/lib/contrast/agent/{excluder.rb → excluder/excluder.rb} +0 -0
- data/lib/contrast/agent/{exclusion_matcher.rb → excluder/exclusion_matcher.rb} +0 -0
- data/lib/contrast/agent/{at_exit_hook.rb → hooks/at_exit_hook.rb} +0 -0
- data/lib/contrast/agent/{tracepoint_hook.rb → hooks/tracepoint_hook.rb} +0 -0
- data/lib/contrast/agent/inventory/database_config.rb +1 -0
- data/lib/contrast/agent/{inventory.rb → inventory/inventory.rb} +0 -0
- data/lib/contrast/agent/{middleware.rb → middleware/middleware.rb} +3 -3
- data/lib/contrast/agent/{static_analysis.rb → middleware/static_analysis.rb} +0 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +5 -5
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +121 -134
- data/lib/contrast/agent/protect/rule/{bot_blocker.rb → bot_blocker/bot_blocker.rb} +2 -2
- data/lib/contrast/agent/protect/rule/{cmd_injection.rb → cmdi/cmd_injection.rb} +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +3 -3
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +2 -2
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +2 -2
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/{deserialization.rb → deserialization/deserialization.rb} +2 -2
- data/lib/contrast/agent/protect/rule/{no_sqli.rb → no_sqli/no_sqli.rb} +3 -3
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/{path_traversal.rb → path_traversal/path_traversal.rb} +2 -2
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +3 -3
- data/lib/contrast/agent/protect/rule/{sql_sample_builder.rb → sqli/sql_sample_builder.rb} +0 -1
- data/lib/contrast/agent/protect/rule/{sqli.rb → sqli/sqli.rb} +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/{unsafe_file_upload.rb → unsafe_file_upload/unsafe_file_upload.rb} +2 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/utils/builders.rb +111 -0
- data/lib/contrast/agent/protect/rule/utils/filters.rb +110 -0
- data/lib/contrast/agent/protect/rule/{xss.rb → xss/xss.rb} +2 -2
- data/lib/contrast/agent/protect/rule/{xxe.rb → xxe/xxe.rb} +2 -2
- data/lib/contrast/agent/protect/rule.rb +8 -9
- data/lib/contrast/agent/{disable_reaction.rb → reactions/disable_reaction.rb} +0 -0
- data/lib/contrast/agent/reporting/reporter.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +1 -1
- data/lib/contrast/agent/{request.rb → request/request.rb} +0 -0
- data/lib/contrast/agent/{request_context.rb → request/request_context.rb} +3 -3
- data/lib/contrast/agent/{request_context_extend.rb → request/request_context_extend.rb} +0 -0
- data/lib/contrast/agent/{request_handler.rb → request/request_handler.rb} +0 -0
- data/lib/contrast/agent/{response.rb → response/response.rb} +0 -0
- data/lib/contrast/agent/{scope.rb → scope/scope.rb} +0 -0
- data/lib/contrast/agent/telemetry/base.rb +2 -2
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +0 -0
- data/lib/contrast/agent/{thread.rb → thread/thread.rb} +0 -0
- data/lib/contrast/agent/{thread_watcher.rb → thread/thread_watcher.rb} +0 -0
- data/lib/contrast/agent/{worker_thread.rb → thread/worker_thread.rb} +0 -0
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +11 -11
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/assess.rb +1 -0
- data/lib/contrast/{agent → components}/rule_set.rb +0 -0
- data/lib/contrast/components/scope.rb +1 -1
- data/lib/contrast/components/settings.rb +1 -1
- data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +4 -3
- data/lib/contrast.rb +1 -1
- data/ruby-agent.gemspec +4 -2
- metadata +53 -58
- data/lib/contrast/agent/protect/rule/base_service.rb +0 -175
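--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-version: 6.
+version: 6.15.1
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-
+date: 2023-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -609,6 +609,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: ffi
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 - !ruby/object:Gem::Dependency
 name: ougai
 requirement: !ruby/object:Gem::Requirement
@@ -647,36 +661,16 @@ dependencies:
 name: contrast-agent-lib
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
-- !ruby/object:Gem::Version
-version: 0.1.0
-- - ">="
-- !ruby/object:Gem::Version
-version: 0.1.3
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - "~>"
-- !ruby/object:Gem::Version
-version: 0.1.0
-- - ">="
-- !ruby/object:Gem::Version
-version: 0.1.3
-- !ruby/object:Gem::Dependency
-name: ffi
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - "~>"
+- - '='
 - !ruby/object:Gem::Version
-version:
+version: 1.1.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - '='
 - !ruby/object:Gem::Version
-version:
+version: 1.1.0
 description: This gem instantiates a Rack middleware for rack-based web applications
 in order to provide Interactive Application Security Testing and Protection.
 email:
@@ -900,11 +894,12 @@ files:
 - lib/contrast-agent.rb
 - lib/contrast.rb
 - lib/contrast/agent.rb
-- lib/contrast/agent/assess.rb
+- lib/contrast/agent/assess/assess.rb
 - lib/contrast/agent/assess/contrast_object.rb
 - lib/contrast/agent/assess/events/event_data.rb
 - lib/contrast/agent/assess/finalizers/freeze.rb
 - lib/contrast/agent/assess/finalizers/hash.rb
+- lib/contrast/agent/assess/module_data.rb
 - lib/contrast/agent/assess/policy/dynamic_source_factory.rb
 - lib/contrast/agent/assess/policy/patcher.rb
 - lib/contrast/agent/assess/policy/policy.rb
@@ -971,22 +966,22 @@ files:
 - lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb
 - lib/contrast/agent/assess/tag.rb
 - lib/contrast/agent/assess/tracker.rb
-- lib/contrast/agent/at_exit_hook.rb
 - lib/contrast/agent/deadzone/policy/deadzone_node.rb
 - lib/contrast/agent/deadzone/policy/policy.rb
-- lib/contrast/agent/
-- lib/contrast/agent/excluder.rb
-- lib/contrast/agent/
-- lib/contrast/agent/
+- lib/contrast/agent/excluder/excluder.rb
+- lib/contrast/agent/excluder/exclusion_matcher.rb
+- lib/contrast/agent/hooks/at_exit_hook.rb
+- lib/contrast/agent/hooks/tracepoint_hook.rb
 - lib/contrast/agent/inventory/database_config.rb
 - lib/contrast/agent/inventory/dependencies.rb
 - lib/contrast/agent/inventory/dependency_analysis.rb
 - lib/contrast/agent/inventory/dependency_usage_analysis.rb
+- lib/contrast/agent/inventory/inventory.rb
 - lib/contrast/agent/inventory/policy/datastores.rb
 - lib/contrast/agent/inventory/policy/policy.rb
 - lib/contrast/agent/inventory/policy/trigger_node.rb
-- lib/contrast/agent/middleware.rb
-- lib/contrast/agent/
+- lib/contrast/agent/middleware/middleware.rb
+- lib/contrast/agent/middleware/static_analysis.rb
 - lib/contrast/agent/patching/policy/after_load_patch.rb
 - lib/contrast/agent/patching/policy/after_load_patcher.rb
 - lib/contrast/agent/patching/policy/method_policy.rb
@@ -1012,38 +1007,40 @@ files:
 - lib/contrast/agent/protect/policy/trigger_node.rb
 - lib/contrast/agent/protect/rule.rb
 - lib/contrast/agent/protect/rule/base.rb
-- lib/contrast/agent/protect/rule/
-- lib/contrast/agent/protect/rule/bot_blocker.rb
+- lib/contrast/agent/protect/rule/bot_blocker/bot_blocker.rb
 - lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb
-- lib/contrast/agent/protect/rule/cmd_injection.rb
+- lib/contrast/agent/protect/rule/cmdi/cmd_injection.rb
 - lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb
 - lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb
 - lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb
 - lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb
 - lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb
 - lib/contrast/agent/protect/rule/default_scanner.rb
-- lib/contrast/agent/protect/rule/deserialization.rb
-- lib/contrast/agent/protect/rule/no_sqli.rb
+- lib/contrast/agent/protect/rule/deserialization/deserialization.rb
 - lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb
+- lib/contrast/agent/protect/rule/no_sqli/no_sqli.rb
 - lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb
-- lib/contrast/agent/protect/rule/path_traversal.rb
+- lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb
 - lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb
 - lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb
-- lib/contrast/agent/protect/rule/sql_sample_builder.rb
-- lib/contrast/agent/protect/rule/sqli.rb
 - lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb
 - lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb
 - lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb
+- lib/contrast/agent/protect/rule/sqli/sql_sample_builder.rb
+- lib/contrast/agent/protect/rule/sqli/sqli.rb
 - lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb
 - lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb
 - lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb
 - lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb
-- lib/contrast/agent/protect/rule/unsafe_file_upload.rb
+- lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload.rb
 - lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb
-- lib/contrast/agent/protect/rule/
+- lib/contrast/agent/protect/rule/utils/builders.rb
+- lib/contrast/agent/protect/rule/utils/filters.rb
 - lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb
-- lib/contrast/agent/protect/rule/
+- lib/contrast/agent/protect/rule/xss/xss.rb
 - lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
+- lib/contrast/agent/protect/rule/xxe/xxe.rb
+- lib/contrast/agent/reactions/disable_reaction.rb
 - lib/contrast/agent/reporting/attack_result/attack_result.rb
 - lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb
 - lib/contrast/agent/reporting/attack_result/response_type.rb
@@ -1163,15 +1160,12 @@ files:
 - lib/contrast/agent/reporting/settings/validator.rb
 - lib/contrast/agent/reporting/settings/virtual_patch.rb
 - lib/contrast/agent/reporting/settings/virtual_patch_condition.rb
-- lib/contrast/agent/request.rb
-- lib/contrast/agent/request_context.rb
-- lib/contrast/agent/request_context_extend.rb
-- lib/contrast/agent/request_handler.rb
-- lib/contrast/agent/response.rb
-- lib/contrast/agent/
-- lib/contrast/agent/scope.rb
-- lib/contrast/agent/static_analysis.rb
-- lib/contrast/agent/telemetry.rb
+- lib/contrast/agent/request/request.rb
+- lib/contrast/agent/request/request_context.rb
+- lib/contrast/agent/request/request_context_extend.rb
+- lib/contrast/agent/request/request_handler.rb
+- lib/contrast/agent/response/response.rb
+- lib/contrast/agent/scope/scope.rb
 - lib/contrast/agent/telemetry/base.rb
 - lib/contrast/agent/telemetry/client.rb
 - lib/contrast/agent/telemetry/event.rb
@@ -1185,11 +1179,11 @@ files:
 - lib/contrast/agent/telemetry/identifier.rb
 - lib/contrast/agent/telemetry/metric_event.rb
 - lib/contrast/agent/telemetry/startup_metrics_event.rb
-- lib/contrast/agent/
-- lib/contrast/agent/
-- lib/contrast/agent/
+- lib/contrast/agent/telemetry/telemetry.rb
+- lib/contrast/agent/thread/thread.rb
+- lib/contrast/agent/thread/thread_watcher.rb
+- lib/contrast/agent/thread/worker_thread.rb
 - lib/contrast/agent/version.rb
-- lib/contrast/agent/worker_thread.rb
 - lib/contrast/agent_lib/api/command_injection.rb
 - lib/contrast/agent_lib/api/init.rb
 - lib/contrast/agent_lib/api/input_tracing.rb
@@ -1215,6 +1209,7 @@ files:
 - lib/contrast/components/polling.rb
 - lib/contrast/components/protect.rb
 - lib/contrast/components/ruby_component.rb
+- lib/contrast/components/rule_set.rb
 - lib/contrast/components/sampling.rb
 - lib/contrast/components/scope.rb
 - lib/contrast/components/security_logger.rb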
@@ -1,175 +0,0 @@
|
|
1
|
-
# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
require 'contrast/agent/protect/rule/base'
|
5
|
-
require 'contrast/components/logger'
|
6
|
-
|
7
|
-
module Contrast
|
8
|
-
module Agent
|
9
|
-
module Protect
|
10
|
-
module Rule
|
11
|
-
# Encapsulate common code for protect rules that do their input analysis on agent-lib rather in ruby code
|
12
|
-
class BaseService < Contrast::Agent::Protect::Rule::Base
|
13
|
-
include Contrast::Components::Logger::InstanceMethods
|
14
|
-
|
15
|
-
def rule_name
|
16
|
-
'base-service'
|
17
|
-
end
|
18
|
-
|
19
|
-
def block_message
|
20
|
-
'Contrast Security Protect Rule Triggered. Response blocked.'
|
21
|
-
end
|
22
|
-
|
23
|
-
def prefilter context
|
24
|
-
return unless prefilter?(context)
|
25
|
-
|
26
|
-
ia_results = gather_ia_results(context)
|
27
|
-
|
28
|
-
ia_results.each do |ia_result|
|
29
|
-
result = build_attack_result(context)
|
30
|
-
build_attack_without_match(context, ia_result, result)
|
31
|
-
append_to_activity(context, result)
|
32
|
-
|
33
|
-
cef_logging(result, :successful_attack)
|
34
|
-
raise(Contrast::SecurityException.new(self, block_message)) if blocked?
|
35
|
-
end
|
36
|
-
end
|
37
|
-
|
38
|
-
# @param context [Contrast::Agent::RequestContext]
|
39
|
-
# @return [Boolean]
|
40
|
-
def infilter? context
|
41
|
-
return false unless enabled?
|
42
|
-
return false unless (results = gather_ia_results(context)) && results.any?
|
43
|
-
return false if protect_excluded_by_url?(rule_name, context.request.path)
|
44
|
-
return false if protect_excluded_by_input?(results, context.request.path)
|
45
|
-
|
46
|
-
true
|
47
|
-
end
|
48
|
-
|
49
|
-
# Base method for prefilter check. Extend if rule needs more
|
50
|
-
# specific conditioning.
|
51
|
-
#
|
52
|
-
# @param context [Contrast::Agent::RequestContext]
|
53
|
-
# @return [Boolean]
|
54
|
-
def prefilter? context
|
55
|
-
return false unless context
|
56
|
-
return false unless enabled?
|
57
|
-
return false unless (results = gather_ia_results(context)) && results.any?
|
58
|
-
return false if protect_excluded_by_url?(rule_name, context.request.path)
|
59
|
-
return false if protect_excluded_by_input?(results, context.request.path)
|
60
|
-
|
61
|
-
true
|
62
|
-
end
|
63
|
-
|
64
|
-
# Override for rules that need the response
|
65
|
-
# Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify
|
66
|
-
# the response streamed responses will break
|
67
|
-
# @param context [Contrast::Agent::RequestContext]
|
68
|
-
# @raise [Contrast::SecurityException]
|
69
|
-
def postfilter context
|
70
|
-
return unless enabled? && POSTFILTER_MODES.include?(mode)
|
71
|
-
return false if protect_excluded_by_url?(rule_name, context.request.path)
|
72
|
-
return if protect_excluded_by_input?(gather_ia_results(context), context.request.path)
|
73
|
-
|
74
|
-
return if mode == :NO_ACTION || mode == :PERMIT
|
75
|
-
|
76
|
-
result = find_postfilter_attacker(context, nil)
|
77
|
-
return unless result&.samples&.any?
|
78
|
-
|
79
|
-
cef_logging(result)
|
80
|
-
append_to_activity(context, result)
|
81
|
-
return unless result.response == :BLOCKED
|
82
|
-
|
83
|
-
raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
|
84
|
-
end
|
85
|
-
|
86
|
-
protected
|
87
|
-
|
88
|
-
# Used to build and report semantic rules.
|
89
|
-
#
|
90
|
-
# @param context [Contrast::Agent::RequestContext] current request contest
|
91
|
-
# @param potential_attack_string [String]
|
92
|
-
def build_violation context, potential_attack_string
|
93
|
-
result = build_attack_result(context)
|
94
|
-
update_successful_attack_response(context, nil, result, potential_attack_string)
|
95
|
-
return unless result
|
96
|
-
|
97
|
-
append_sample(context, nil, result, potential_attack_string)
|
98
|
-
cef_logging(result, :successful_attack)
|
99
|
-
result
|
100
|
-
end
|
101
|
-
|
102
|
-
# Check to if result is blocked. Used for raise check.
|
103
|
-
#
|
104
|
-
# @param result [Contrast::Agent::Reporting::AttackResult]
|
105
|
-
def blocked_violation? result
|
106
|
-
return false unless result
|
107
|
-
|
108
|
-
result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED
|
109
|
-
end
|
110
|
-
|
111
|
-
# @param context [Contrast::Agent::RequestContext]
|
112
|
-
# @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
|
113
|
-
def gather_ia_results context
|
114
|
-
return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
|
115
|
-
|
116
|
-
context.agent_input_analysis.results.select do |ia_result|
|
117
|
-
ia_result.rule_id == rule_name && ia_result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
|
118
|
-
end
|
119
|
-
end
|
120
|
-
|
121
|
-
def build_attack_result _context
|
122
|
-
result = Contrast::Agent::Reporting::AttackResult.new
|
123
|
-
result.rule_id = rule_name
|
124
|
-
result
|
125
|
-
end
|
126
|
-
|
127
|
-
# @param context [Contrast::Agent::RequestContext]
|
128
|
-
# @param potential_attack_string [String, nil]
|
129
|
-
# @param **kwargs
|
130
|
-
# @return [Contrast::Agent::Reporting]
|
131
|
-
def find_attacker context, potential_attack_string, **kwargs
|
132
|
-
ia_results = gather_ia_results(context)
|
133
|
-
find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
|
134
|
-
end
|
135
|
-
|
136
|
-
# Allows for the InputAnalysis from Agent Library to be extracted early
|
137
|
-
# @param context [Contrast::Agent::RequestContext]
|
138
|
-
# @param potential_attack_string [String, nil]
|
139
|
-
# @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
|
140
|
-
# @param **kwargs
|
141
|
-
# @return [Contrast::Agent::Reporting, nil]
|
142
|
-
def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
|
143
|
-
logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
|
144
|
-
|
145
|
-
result = nil
|
146
|
-
ia_results.each do |ia_result|
|
147
|
-
if potential_attack_string
|
148
|
-
idx = potential_attack_string.index(ia_result.value)
|
149
|
-
next unless idx
|
150
|
-
|
151
|
-
result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
|
152
|
-
else
|
153
|
-
result = build_attack_without_match(context, ia_result, result, **kwargs)
|
154
|
-
end
|
155
|
-
end
|
156
|
-
result
|
157
|
-
end
|
158
|
-
|
159
|
-
private
|
160
|
-
|
161
|
-
# @param context [Contrast::Agent::RequestContext]
|
162
|
-
# @param potential_attack_string [String, nil]
|
163
|
-
# @return [Contrast::Agent::Reporting, nil]
|
164
|
-
def find_postfilter_attacker context, potential_attack_string, **kwargs
|
165
|
-
ia_results = gather_ia_results(context)
|
166
|
-
ia_results.select! do |ia_result|
|
167
|
-
ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
|
168
|
-
end
|
169
|
-
find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
|
170
|
-
end
|
171
|
-
end
|
172
|
-
end
|
173
|
-
end
|
174
|
-
end
|
175
|
-
end
|