contrast-agent 6.6.1 → 6.6.2
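--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f00aee3e36cdb303ca9b209824fbb92386e0ca0043c0f24377f79168dca8d252
+data.tar.gz: 7fc3d7571246ff92a10da151ce4b723768e3f7214b5a1e57d5bb1d6a66e86e2b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9fc9e69602a2706cb41bf8d13e07693afb61ad85ad03ff43182f3c79c5f9dff1c0b8ed3e0cb690d15cf8e43830920516604e9b497945963897f0ee1b82e11f9b
+data.tar.gz: dfd4e5146f9ac498b83d76b13a9d6ed17a5de0e659ed301acbf6a873e18d5ff75ea8aa8fa7c3789433e100903a9f6bfb4b87c9d283107c5bd04015f862e88644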
@@ -20,11 +20,16 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
20
20
|
# :STATE_INSIDE_BLOCK_COMMENT # inside a commend that will end with a closing tag
|
21
21
|
# :STATE_SKIP_NEXT_CHARACTER
|
22
22
|
|
23
|
+
# @param query [String] the query being executed
|
24
|
+
# @param index [Integer] the index of the input in the query
|
25
|
+
# @param input [String] the input value provided by the user
|
26
|
+
# @return [Array<Integer>, nil] the boundary overrun by the input or nil if no overrun
|
23
27
|
def crosses_boundary query, index, input
|
24
28
|
last_boundary = 0
|
25
|
-
|
29
|
+
scan_token_boundaries(query).each do |boundary|
|
26
30
|
if boundary > index
|
27
|
-
|
31
|
+
# We should report the previous and overrun boundary if the input crosses one.
|
32
|
+
return last_boundary, boundary if boundary < (index + input.length)
|
28
33
|
|
29
34
|
break
|
30
35
|
end
|
@@ -33,10 +38,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
33
38
|
nil
|
34
39
|
end
|
35
40
|
|
36
|
-
|
37
|
-
@_token_boundaries ||= scan_token_boundaries(query)
|
38
|
-
end
|
41
|
+
private
|
39
42
|
|
43
|
+
# @param query [String] the query being executed
|
44
|
+
# @return [Array<Integer>] the boundaries of the query
|
40
45
|
def scan_token_boundaries query
|
41
46
|
boundaries = []
|
42
47
|
return boundaries unless query && !query.empty?
|
@@ -73,6 +78,11 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
73
78
|
boundaries
|
74
79
|
end
|
75
80
|
|
81
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
82
|
+
# @param current_state [Symbol] the state of the query
|
83
|
+
# @param char [String] the character being evaluated
|
84
|
+
# @param index [Integer] the location of the character in the query
|
85
|
+
# @param query [String] the query being executed
|
76
86
|
def process_state boundaries, current_state, char, index, query
|
77
87
|
case current_state
|
78
88
|
when :STATE_EXPECTING_TOKEN
|
@@ -88,6 +98,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
88
98
|
end
|
89
99
|
end
|
90
100
|
|
101
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
102
|
+
# @param char [String] the character being evaluated
|
103
|
+
# @param index [Integer] the location of the character in the query
|
104
|
+
# @param query [String] the query being executed
|
91
105
|
def process_expecting_token boundaries, char, index, query
|
92
106
|
if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
|
93
107
|
boundaries << index
|
@@ -112,6 +126,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
112
126
|
end
|
113
127
|
end
|
114
128
|
|
129
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
130
|
+
# @param char [String] the character being evaluated
|
131
|
+
# @param index [Integer] the location of the character in the query
|
132
|
+
# @param query [String] the query being executed
|
115
133
|
def process_inside_token boundaries, char, index, query
|
116
134
|
if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
|
117
135
|
boundaries << index
|
@@ -133,6 +151,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
133
151
|
end
|
134
152
|
end
|
135
153
|
|
154
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
155
|
+
# @param char [String] the character being evaluated
|
156
|
+
# @param index [Integer] the location of the character in the query
|
157
|
+
# @param _query [String] the query being executed
|
136
158
|
def process_number boundaries, char, index, _query
|
137
159
|
if char.match?(Contrast::Utils::ObjectShare::DIGIT_REGEXP) || char == Contrast::Utils::ObjectShare::PERIOD
|
138
160
|
:STATE_INSIDE_NUMBER
|
@@ -142,6 +164,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
142
164
|
end
|
143
165
|
end
|
144
166
|
|
167
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
168
|
+
# @param char [String] the character being evaluated
|
169
|
+
# @param index [Integer] the location of the character in the query
|
170
|
+
# @param query [String] the query being executed
|
145
171
|
def process_double_quote boundaries, char, index, query
|
146
172
|
if escape_char?(char)
|
147
173
|
:STATE_SKIP_NEXT_CHARACTER
|
@@ -159,6 +185,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
159
185
|
end
|
160
186
|
end
|
161
187
|
|
188
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
189
|
+
# @param char [String] the character being evaluated
|
190
|
+
# @param index [Integer] the location of the character in the query
|
191
|
+
# @param query [String] the query being executed
|
162
192
|
def process_single_quote boundaries, char, index, query
|
163
193
|
if escape_char?(char)
|
164
194
|
:STATE_SKIP_NEXT_CHARACTER
|
@@ -176,18 +206,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
176
206
|
end
|
177
207
|
end
|
178
208
|
|
209
|
+
# @param query [String] the query being executed
|
210
|
+
# @param index [Integer] the location of the character in the query
|
179
211
|
def double_quote? query, index
|
180
212
|
return false unless index >= 0 && index < query.length
|
181
213
|
|
182
214
|
query[index] == Contrast::Utils::ObjectShare::DOUBLE_QUOTE
|
183
215
|
end
|
184
216
|
|
217
|
+
# @param query [String] the query being executed
|
218
|
+
# @param index [Integer] the location of the character in the query
|
185
219
|
def single_quote? query, index
|
186
220
|
return false unless index >= 0 && index < query.length
|
187
221
|
|
188
222
|
query[index] == Contrast::Utils::ObjectShare::SINGLE_QUOTE
|
189
223
|
end
|
190
224
|
|
225
|
+
# @param query [String] the query being executed
|
226
|
+
# @param index [Integer] the location of the character in the query
|
191
227
|
def find_escape_sequence_boundary query, index
|
192
228
|
idx = index
|
193
229
|
while idx < query.length
|
@@ -199,6 +235,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
199
235
|
idx
|
200
236
|
end
|
201
237
|
|
238
|
+
# @param query [String] the query being executed
|
239
|
+
# @param index [Integer] the location of the character in the query
|
202
240
|
def find_block_comment_boundary query, index
|
203
241
|
idx = index
|
204
242
|
while idx < query.length
|
@@ -210,6 +248,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
210
248
|
idx
|
211
249
|
end
|
212
250
|
|
251
|
+
# @param query [String] the query being executed
|
252
|
+
# @param index [Integer] the location of the character in the query
|
213
253
|
def find_new_line_boundary query, index
|
214
254
|
idx = index
|
215
255
|
while idx < query.length
|
@@ -222,12 +262,17 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
222
262
|
idx
|
223
263
|
end
|
224
264
|
|
265
|
+
# @param char [String] the character being evaluated
|
225
266
|
def operator? char
|
226
267
|
char.match?(OPERATOR_PATTERN)
|
227
268
|
end
|
228
269
|
|
229
270
|
# @note: Any class extending this module should override these methods as needed
|
230
271
|
# Are the current and subsequent characters both '-' ?
|
272
|
+
#
|
273
|
+
# @param char [String] the character being evaluated
|
274
|
+
# @param index [Integer] the location of the character in the query
|
275
|
+
# @param query [String] the query being executed
|
231
276
|
def start_line_comment? char, index, query
|
232
277
|
return false unless char == Contrast::Utils::ObjectShare::DASH
|
233
278
|
return false unless (query.length - 2) >= index
|
@@ -237,6 +282,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
237
282
|
|
238
283
|
# Is the current character / sequence of characters the start of a block comment
|
239
284
|
# We assume '/*' starts the comment by default
|
285
|
+
#
|
286
|
+
# @param char [String] the character being evaluated
|
287
|
+
# @param index [Integer] the location of the character in the query
|
288
|
+
# @param query [String] the query being executed
|
240
289
|
def start_block_comment? char, index, query
|
241
290
|
return false unless char == Contrast::Utils::ObjectShare::SLASH
|
242
291
|
return false unless (query.length - 2) >= index
|
@@ -246,6 +295,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
246
295
|
|
247
296
|
# Is the current character / sequence of characters the end of a block comment
|
248
297
|
# We assume '*/' ends the comment by default
|
298
|
+
#
|
299
|
+
# @param char [String] the character being evaluated
|
300
|
+
# @param index [Integer] the location of the character in the query
|
301
|
+
# @param query [String] the query being executed
|
249
302
|
def end_block_comment? char, index, query
|
250
303
|
return false unless char == Contrast::Utils::ObjectShare::ASTERISK
|
251
304
|
return false unless (query.length - 2) >= index
|
@@ -267,18 +320,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
267
320
|
|
268
321
|
# Is the character provided an escape character?
|
269
322
|
# By default, we'll assume
|
323
|
+
#
|
324
|
+
# @param char [String] the character being evaluated
|
270
325
|
def escape_char? char
|
271
326
|
char == Contrast::Utils::ObjectShare::BACK_SLASH
|
272
327
|
end
|
273
328
|
|
274
329
|
# Is this the start of a string escape sequence?
|
275
330
|
# Since escape sequences aren't supported, the answer is always false
|
331
|
+
#
|
332
|
+
# @param _char [String] the character being evaluated
|
276
333
|
def escape_sequence_start? _char
|
277
334
|
false
|
278
335
|
end
|
279
336
|
|
280
337
|
# Is this the end of a string escape sequence?
|
281
338
|
# Since escape sequences aren't supported, the answer is always false
|
339
|
+
#
|
340
|
+
# @param _char [String] the character being evaluated
|
282
341
|
def escape_sequence_end? _char
|
283
342
|
false
|
284
343
|
end
|
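Review bot: In `crosses_boundary` the pair `if boundary > index` / `return last_boundary, boundary if boundary < (index + input.length)` is asymmetric: a boundary on the input's last character counts as crossed, but one on its first character (`boundary == index`, e.g. an input that opens with the quote that closes the surrounding literal) is skipped and is only reported if a second boundary happens to fall inside the input. Either this is intended and the new YARD line should say so — `# @return [Array<Integer>, nil] the boundary before the input and the first boundary strictly after index that the input overruns, or nil` — or the first comparison should be `>=`, which is a behaviour change for the protect rule and wants a test either way. `input.length` is also called with no nil guard, whereas `scan_token_boundaries` tolerates a nil or empty query; if `input_analysis_result.value` can ever be nil, `return nil unless query && input` at the top keeps the two consistent. Separately, now that the per-instance memo is gone, `build_attack_with_match` in the other file of this change calls `crosses_boundary` once per match inside its `while` loop, so the whole query is re-tokenised for every occurrence of the attack string — fine for short queries, but worth hoisting the scan out of that loop if queries can be large. The loop body of `crosses_boundary` continues past the end of the hunk.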
@@ -65,8 +65,8 @@ module Contrast
|
|
65
65
|
# if one exists, in the case of multiple inputs being found to violate the protection criteria
|
66
66
|
# @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
|
67
67
|
# in the case of multiple inputs being found to violate the protection criteria
|
68
|
-
# @query_string [
|
69
|
-
# @kwargs [Hash] key - value pairs of context individual rules need to build out details to send
|
68
|
+
# @param query_string [String] the value of the input which may be an attack
|
69
|
+
# @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
|
70
70
|
# to the Service to tell the story of the attack
|
71
71
|
# @return [Contrast::Api::Dtm::AttackResult] the result from this attack
|
72
72
|
def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
|
@@ -86,14 +86,12 @@ module Contrast
|
|
86
86
|
ss = StringScanner.new(query_string)
|
87
87
|
length = attack_string.length
|
88
88
|
while ss.scan_until(regexp)
|
89
|
-
# the pos of StringScanner is at the end of the regexp (input string),
|
90
|
-
# we need the beginning
|
89
|
+
# the pos of StringScanner is at the end of the regexp (input string), we need the beginning
|
91
90
|
idx = ss.pos - attack_string.length
|
92
91
|
last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
|
93
92
|
next unless last_boundary && boundary
|
94
93
|
|
95
94
|
result ||= build_attack_result(context)
|
96
|
-
|
97
95
|
record_match(idx, length, boundary, last_boundary, kwargs)
|
98
96
|
append_match(context, input_analysis_result, result, query_string, **kwargs)
|
99
97
|
end
|
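Review bot: The new YARD line `# @param query_string [String] the value of the input which may be an attack` documents the wrong thing: in the body `query_string` is what `StringScanner.new(query_string)` scans and what is handed to `scanner.crosses_boundary(query_string, ...)` as the query, while the suspicious input is `input_analysis_result.value`. Suggest `# @param query_string [String] the query (SQL, command, etc.) being executed, which is searched for the input`. In the loop, `idx = ss.pos - attack_string.length` recomputes a value already held in `length` two lines earlier; `idx = ss.pos - length` keeps the match offset and the recorded length in step. Note also that the match position comes from `regexp`/`attack_string` but the crossing window uses `input_analysis_result.value.length`; if those two strings can differ in length (both are set up outside the hunk), the window passed to `crosses_boundary` will be off. `build_attack_with_match` begins before this hunk.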
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: contrast-agent
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.6.
|
4
|
+
version: 6.6.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- galen.palmer@contrastsecurity.com
|
@@ -13,7 +13,7 @@ authors:
|
|
13
13
|
autorequire:
|
14
14
|
bindir: exe
|
15
15
|
cert_chain: []
|
16
|
-
date: 2022-07-
|
16
|
+
date: 2022-07-15 00:00:00.000000000 Z
|
17
17
|
dependencies:
|
18
18
|
- !ruby/object:Gem::Dependency
|
19
19
|
name: bundler
|