contrast-agent 6.6.1 → 6.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f00aee3e36cdb303ca9b209824fbb92386e0ca0043c0f24377f79168dca8d252
|
|
4
|
+
data.tar.gz: 7fc3d7571246ff92a10da151ce4b723768e3f7214b5a1e57d5bb1d6a66e86e2b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9fc9e69602a2706cb41bf8d13e07693afb61ad85ad03ff43182f3c79c5f9dff1c0b8ed3e0cb690d15cf8e43830920516604e9b497945963897f0ee1b82e11f9b
|
|
7
|
+
data.tar.gz: dfd4e5146f9ac498b83d76b13a9d6ed17a5de0e659ed301acbf6a873e18d5ff75ea8aa8fa7c3789433e100903a9f6bfb4b87c9d283107c5bd04015f862e88644
|
|
@@ -20,11 +20,16 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
20
20
|
# :STATE_INSIDE_BLOCK_COMMENT # inside a commend that will end with a closing tag
|
|
21
21
|
# :STATE_SKIP_NEXT_CHARACTER
|
|
22
22
|
|
|
23
|
+
# @param query [String] the query being executed
|
|
24
|
+
# @param index [Integer] the index of the input in the query
|
|
25
|
+
# @param input [String] the input value provided by the user
|
|
26
|
+
# @return [Array<Integer>, nil] the boundary overrun by the input or nil if no overrun
|
|
23
27
|
def crosses_boundary query, index, input
|
|
24
28
|
last_boundary = 0
|
|
25
|
-
|
|
29
|
+
scan_token_boundaries(query).each do |boundary|
|
|
26
30
|
if boundary > index
|
|
27
|
-
|
|
31
|
+
# We should report the previous and overrun boundary if the input crosses one.
|
|
32
|
+
return last_boundary, boundary if boundary < (index + input.length)
|
|
28
33
|
|
|
29
34
|
break
|
|
30
35
|
end
|
|
@@ -33,10 +38,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
33
38
|
nil
|
|
34
39
|
end
|
|
35
40
|
|
|
36
|
-
|
|
37
|
-
@_token_boundaries ||= scan_token_boundaries(query)
|
|
38
|
-
end
|
|
41
|
+
private
|
|
39
42
|
|
|
43
|
+
# @param query [String] the query being executed
|
|
44
|
+
# @return [Array<Integer>] the boundaries of the query
|
|
40
45
|
def scan_token_boundaries query
|
|
41
46
|
boundaries = []
|
|
42
47
|
return boundaries unless query && !query.empty?
|
|
@@ -73,6 +78,11 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
73
78
|
boundaries
|
|
74
79
|
end
|
|
75
80
|
|
|
81
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
|
82
|
+
# @param current_state [Symbol] the state of the query
|
|
83
|
+
# @param char [String] the character being evaluated
|
|
84
|
+
# @param index [Integer] the location of the character in the query
|
|
85
|
+
# @param query [String] the query being executed
|
|
76
86
|
def process_state boundaries, current_state, char, index, query
|
|
77
87
|
case current_state
|
|
78
88
|
when :STATE_EXPECTING_TOKEN
|
|
@@ -88,6 +98,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
88
98
|
end
|
|
89
99
|
end
|
|
90
100
|
|
|
101
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
|
102
|
+
# @param char [String] the character being evaluated
|
|
103
|
+
# @param index [Integer] the location of the character in the query
|
|
104
|
+
# @param query [String] the query being executed
|
|
91
105
|
def process_expecting_token boundaries, char, index, query
|
|
92
106
|
if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
|
|
93
107
|
boundaries << index
|
|
@@ -112,6 +126,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
112
126
|
end
|
|
113
127
|
end
|
|
114
128
|
|
|
129
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
|
130
|
+
# @param char [String] the character being evaluated
|
|
131
|
+
# @param index [Integer] the location of the character in the query
|
|
132
|
+
# @param query [String] the query being executed
|
|
115
133
|
def process_inside_token boundaries, char, index, query
|
|
116
134
|
if char == Contrast::Utils::ObjectShare::SINGLE_QUOTE
|
|
117
135
|
boundaries << index
|
|
@@ -133,6 +151,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
133
151
|
end
|
|
134
152
|
end
|
|
135
153
|
|
|
154
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
|
155
|
+
# @param char [String] the character being evaluated
|
|
156
|
+
# @param index [Integer] the location of the character in the query
|
|
157
|
+
# @param _query [String] the query being executed
|
|
136
158
|
def process_number boundaries, char, index, _query
|
|
137
159
|
if char.match?(Contrast::Utils::ObjectShare::DIGIT_REGEXP) || char == Contrast::Utils::ObjectShare::PERIOD
|
|
138
160
|
:STATE_INSIDE_NUMBER
|
|
@@ -142,6 +164,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
142
164
|
end
|
|
143
165
|
end
|
|
144
166
|
|
|
167
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
|
168
|
+
# @param char [String] the character being evaluated
|
|
169
|
+
# @param index [Integer] the location of the character in the query
|
|
170
|
+
# @param query [String] the query being executed
|
|
145
171
|
def process_double_quote boundaries, char, index, query
|
|
146
172
|
if escape_char?(char)
|
|
147
173
|
:STATE_SKIP_NEXT_CHARACTER
|
|
@@ -159,6 +185,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
159
185
|
end
|
|
160
186
|
end
|
|
161
187
|
|
|
188
|
+
# @param boundaries [Array<Integer>] the indexes of the state changes in the query
|
|
189
|
+
# @param char [String] the character being evaluated
|
|
190
|
+
# @param index [Integer] the location of the character in the query
|
|
191
|
+
# @param query [String] the query being executed
|
|
162
192
|
def process_single_quote boundaries, char, index, query
|
|
163
193
|
if escape_char?(char)
|
|
164
194
|
:STATE_SKIP_NEXT_CHARACTER
|
|
@@ -176,18 +206,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
176
206
|
end
|
|
177
207
|
end
|
|
178
208
|
|
|
209
|
+
# @param query [String] the query being executed
|
|
210
|
+
# @param index [Integer] the location of the character in the query
|
|
179
211
|
def double_quote? query, index
|
|
180
212
|
return false unless index >= 0 && index < query.length
|
|
181
213
|
|
|
182
214
|
query[index] == Contrast::Utils::ObjectShare::DOUBLE_QUOTE
|
|
183
215
|
end
|
|
184
216
|
|
|
217
|
+
# @param query [String] the query being executed
|
|
218
|
+
# @param index [Integer] the location of the character in the query
|
|
185
219
|
def single_quote? query, index
|
|
186
220
|
return false unless index >= 0 && index < query.length
|
|
187
221
|
|
|
188
222
|
query[index] == Contrast::Utils::ObjectShare::SINGLE_QUOTE
|
|
189
223
|
end
|
|
190
224
|
|
|
225
|
+
# @param query [String] the query being executed
|
|
226
|
+
# @param index [Integer] the location of the character in the query
|
|
191
227
|
def find_escape_sequence_boundary query, index
|
|
192
228
|
idx = index
|
|
193
229
|
while idx < query.length
|
|
@@ -199,6 +235,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
199
235
|
idx
|
|
200
236
|
end
|
|
201
237
|
|
|
238
|
+
# @param query [String] the query being executed
|
|
239
|
+
# @param index [Integer] the location of the character in the query
|
|
202
240
|
def find_block_comment_boundary query, index
|
|
203
241
|
idx = index
|
|
204
242
|
while idx < query.length
|
|
@@ -210,6 +248,8 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
210
248
|
idx
|
|
211
249
|
end
|
|
212
250
|
|
|
251
|
+
# @param query [String] the query being executed
|
|
252
|
+
# @param index [Integer] the location of the character in the query
|
|
213
253
|
def find_new_line_boundary query, index
|
|
214
254
|
idx = index
|
|
215
255
|
while idx < query.length
|
|
@@ -222,12 +262,17 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
222
262
|
idx
|
|
223
263
|
end
|
|
224
264
|
|
|
265
|
+
# @param char [String] the character being evaluated
|
|
225
266
|
def operator? char
|
|
226
267
|
char.match?(OPERATOR_PATTERN)
|
|
227
268
|
end
|
|
228
269
|
|
|
229
270
|
# @note: Any class extending this module should override these methods as needed
|
|
230
271
|
# Are the current and subsequent characters both '-' ?
|
|
272
|
+
#
|
|
273
|
+
# @param char [String] the character being evaluated
|
|
274
|
+
# @param index [Integer] the location of the character in the query
|
|
275
|
+
# @param query [String] the query being executed
|
|
231
276
|
def start_line_comment? char, index, query
|
|
232
277
|
return false unless char == Contrast::Utils::ObjectShare::DASH
|
|
233
278
|
return false unless (query.length - 2) >= index
|
|
@@ -237,6 +282,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
237
282
|
|
|
238
283
|
# Is the current character / sequence of characters the start of a block comment
|
|
239
284
|
# We assume '/*' starts the comment by default
|
|
285
|
+
#
|
|
286
|
+
# @param char [String] the character being evaluated
|
|
287
|
+
# @param index [Integer] the location of the character in the query
|
|
288
|
+
# @param query [String] the query being executed
|
|
240
289
|
def start_block_comment? char, index, query
|
|
241
290
|
return false unless char == Contrast::Utils::ObjectShare::SLASH
|
|
242
291
|
return false unless (query.length - 2) >= index
|
|
@@ -246,6 +295,10 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
246
295
|
|
|
247
296
|
# Is the current character / sequence of characters the end of a block comment
|
|
248
297
|
# We assume '*/' ends the comment by default
|
|
298
|
+
#
|
|
299
|
+
# @param char [String] the character being evaluated
|
|
300
|
+
# @param index [Integer] the location of the character in the query
|
|
301
|
+
# @param query [String] the query being executed
|
|
249
302
|
def end_block_comment? char, index, query
|
|
250
303
|
return false unless char == Contrast::Utils::ObjectShare::ASTERISK
|
|
251
304
|
return false unless (query.length - 2) >= index
|
|
@@ -267,18 +320,24 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
|
|
|
267
320
|
|
|
268
321
|
# Is the character provided an escape character?
|
|
269
322
|
# By default, we'll assume
|
|
323
|
+
#
|
|
324
|
+
# @param char [String] the character being evaluated
|
|
270
325
|
def escape_char? char
|
|
271
326
|
char == Contrast::Utils::ObjectShare::BACK_SLASH
|
|
272
327
|
end
|
|
273
328
|
|
|
274
329
|
# Is this the start of a string escape sequence?
|
|
275
330
|
# Since escape sequences aren't supported, the answer is always false
|
|
331
|
+
#
|
|
332
|
+
# @param _char [String] the character being evaluated
|
|
276
333
|
def escape_sequence_start? _char
|
|
277
334
|
false
|
|
278
335
|
end
|
|
279
336
|
|
|
280
337
|
# Is this the end of a string escape sequence?
|
|
281
338
|
# Since escape sequences aren't supported, the answer is always false
|
|
339
|
+
#
|
|
340
|
+
# @param _char [String] the character being evaluated
|
|
282
341
|
def escape_sequence_end? _char
|
|
283
342
|
false
|
|
284
343
|
end
|
|
@@ -65,8 +65,8 @@ module Contrast
|
|
|
65
65
|
# if one exists, in the case of multiple inputs being found to violate the protection criteria
|
|
66
66
|
# @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
|
|
67
67
|
# in the case of multiple inputs being found to violate the protection criteria
|
|
68
|
-
# @query_string [
|
|
69
|
-
# @kwargs [Hash] key - value pairs of context individual rules need to build out details to send
|
|
68
|
+
# @param query_string [String] the value of the input which may be an attack
|
|
69
|
+
# @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
|
|
70
70
|
# to the Service to tell the story of the attack
|
|
71
71
|
# @return [Contrast::Api::Dtm::AttackResult] the result from this attack
|
|
72
72
|
def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
|
|
@@ -86,14 +86,12 @@ module Contrast
|
|
|
86
86
|
ss = StringScanner.new(query_string)
|
|
87
87
|
length = attack_string.length
|
|
88
88
|
while ss.scan_until(regexp)
|
|
89
|
-
# the pos of StringScanner is at the end of the regexp (input string),
|
|
90
|
-
# we need the beginning
|
|
89
|
+
# the pos of StringScanner is at the end of the regexp (input string), we need the beginning
|
|
91
90
|
idx = ss.pos - attack_string.length
|
|
92
91
|
last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
|
|
93
92
|
next unless last_boundary && boundary
|
|
94
93
|
|
|
95
94
|
result ||= build_attack_result(context)
|
|
96
|
-
|
|
97
95
|
record_match(idx, length, boundary, last_boundary, kwargs)
|
|
98
96
|
append_match(context, input_analysis_result, result, query_string, **kwargs)
|
|
99
97
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: contrast-agent
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.6.
|
|
4
|
+
version: 6.6.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- galen.palmer@contrastsecurity.com
|
|
@@ -13,7 +13,7 @@ authors:
|
|
|
13
13
|
autorequire:
|
|
14
14
|
bindir: exe
|
|
15
15
|
cert_chain: []
|
|
16
|
-
date: 2022-07-
|
|
16
|
+
date: 2022-07-15 00:00:00.000000000 Z
|
|
17
17
|
dependencies:
|
|
18
18
|
- !ruby/object:Gem::Dependency
|
|
19
19
|
name: bundler
|