RubyGems - contrast-agent - Versions diffs - 6.6.4 → 6.8.0 - Mend

contrast-agent 6.6.4 → 6.8.0

Files changed (340) hide show

data/lib/contrast/agent/reporting/details/protect_rule_details.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # This class is holding additional info which is rule specific and this is
+        # the base class for type check made easy.
+        class ProtectRuleDetails
+          # Extend per each rule.
+          def to_controlled_hash; end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/protect_rule_details'
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # SqliDangerousFunctions IA result details info.
+        class SqliDangerousFunctions < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :query
+          def to_controlled_hash
+            { query: query }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/sqli_details.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/protect_rule_details'
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # SqliDetails IA result details info.
+        class SqliDetails < ProtectRuleDetails
+          # @return [Integer]
+          attr_accessor :start_idx
+          # @return [Integer]
+          attr_accessor :end_idx
+          # @return [Integer]
+          attr_accessor :boundary_overrun_idx
+          # @return [Integer]
+          attr_accessor :input_boundary_idx
+          # @return [String]
+          attr_accessor :query
+          def to_controlled_hash
+            {
+                start: start_idx,
+                end: end_idx,
+                boundaryOverrunIndex: boundary_overrun_idx,
+                inputBoundaryIndex: input_boundary_idx,
+                query: query
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/protect_rule_details'
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Untrusted Deserialization IA result details info.
+        class UntrustedDeserializationDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :cmd
+          # @return [String]
+          attr_accessor :deserializer
+          def to_controlled_hash
+            {
+                command: cmd,
+                deserializer: deserializer
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/virtual_patch_details.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/protect_rule_details'
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Virtual Patch IA result details info.
+        class VirtualPatchDetails < ProtectRuleDetails
+          # @return [String]
+          attr_reader :uuid
+          # @param uuid [String] the UUID to identify the block rule in TeamServer
+          def initialize uuid
+            @uuid = uuid
+            super()
+          end
+          def to_controlled_hash
+            {
+                uuid: uuid
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/xss_details.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/protect_rule_details'
+require 'contrast/agent/reporting/details/xss_match'
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # XssDetails IA result details info.
+        class XssDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :input
+          # @return [<Array<Contrast::Agent::Reporting::XssMatch>]
+          attr_accessor :matches
+          def initialize
+            @matches = []
+            super
+          end
+          def to_controlled_hash
+            {
+                input: input,
+                matches: matches&.map(&:to_controlled_hash)
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/xss_match.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/protect_rule_details'
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Matcher data for XSS rule.
+        class XssMatch
+          # @return [Integer] in ms
+          attr_accessor :evidence_start
+          # @return [String]
+          attr_accessor :evidence
+          # @return [Integer]
+          attr_accessor :offset
+          def to_controlled_hash
+            {
+                evidenceStart: evidence_start,
+                evidence: evidence,
+                offset: offset
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/xxe_details.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/protect_rule_details'
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # XssDetails IA result details info.
+        class XxeDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :xml
+          # @return [<Array<Contrast::Agent::Reporting::Details::XxeMatch>]
+          attr_accessor :declared_entities
+          # @return [<Array<Contrast::Agent::Reporting::Details::XxeWrapper>]
+          attr_accessor :entities_resolved
+          def initialize
+            @declared_entities = []
+            @entities_resolved = []
+            super
+          end
+          def to_controlled_hash
+            {
+                xml: xml,
+                declaredEntities: declared_entities&.map(&:to_controlled_hash),
+                entitiesResolved: entities_resolved&.map(&:to_controlled_hash)
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/xxe_match.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Matcher data for XXE rule.
+        class XxeMatch
+          # @return [Integer]
+          attr_accessor :start_idx
+          # @return [Integer]
+          attr_accessor :end_idx
+          def to_controlled_hash
+            {
+                start: start_idx,
+                end: end_idx
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/xxe_wrapper.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Wrapper data for XXE rule.
+        class XxeWrapper
+          # @return [String]
+          attr_accessor :system_id
+          # @return [String]
+          attr_accessor :public_id
+          def to_controlled_hash
+            {
+                systemId: system_id,
+                publicId: public_id
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/input_analysis/details/protect_rule_details'
+module Contrast
+  module Agent
+    module Reporting
+      # Bot blocker IA result details info.
+      class BotBlockerDetails < ProtectRuleDetails
+        # @return [String]
+        attr_accessor :bot
+        # User agent header value
+        #
+        # @return [String]
+        attr_accessor :user_agent
+        def to_controlled_hash
+          {
+              bot: bot,
+              userAgent: user_agent
+          }
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Reporting
+      # This class is holding additional info which is rule specific and this is
+      # the base class for type check made easy.
+      class ProtectRuleDetails
+        # Extend per each rule.
+        def to_controlled_hash; end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb CHANGED Viewed

@@ -7,8 +7,7 @@ require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 module Contrast
   module Agent
     module Reporting
-      # This class will do ia analysis for our protect rules instead of
-      # using the service.
+      # This class will do ia analysis for our protect rules
       class InputAnalysis
         # result from input analysis
         #

data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb CHANGED Viewed

@@ -4,12 +4,12 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/input_analysis/details/protect_rule_details'
 module Contrast
   module Agent
     module Reporting
-      # This class will do ia analysis for our protect rules instead of
-      # using the service.
+      # This class will do ia analysis for our protect rules
       class InputAnalysisResult
         INPUT_TYPE = Contrast::Agent::Reporting::InputType
         SCORE_LEVEL = Contrast::Agent::Reporting::ScoreLevel
@@ -28,7 +28,7 @@ module Contrast
         # @return @_input_type [
         # Symbol<Contrast::Agent::Reporting::Settings::InputAnalysis::InputAnalysisResult::InputType>]
         def input_type
-          @_input_type ||= INPUT_TYPE::UNDEFINED_TYPE
+          @_input_type ||= INPUT_TYPE::UNKNOWN
         end
         # @param input_type [
@@ -109,6 +109,20 @@ module Contrast
         def score_level= score_level
           @_score_level = score_level if SCORE_LEVEL.to_a.include?(score_level)
         end
+        # Additional per rule details containing more specific info.
+        #
+        # @param protect_rule_details [Contrast::Agent::Reporting::ProtectRuleDetails]
+        def details= protect_rule_details
+          @_details = protect_rule_details if protect_rule_details.is_a?(Contrast::Agent::Reporting::ProtectRuleDetails)
+        end
+        # Additional per rule details containing more specific info.
+        #
+        # @return [Contrast::Agent::Reporting::ProtectRuleDetails, nil]
+        def details
+          @_details
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/masker/masker.rb CHANGED Viewed

@@ -30,21 +30,20 @@ module Contrast
           # Mask sensitive data according to the contrast sensitive data rules.
           #
-          # @param [Contrast::Api::Dtm::Activity]
+          # @param [Contrast::Agent::Reporting::ApplicationActivity]
           def mask activity
-            return unless Contrast::Agent::Reporter.enabled?
             return unless activity
-            logger.debug('Searching for sensitive data',
-                         activity: activity.__id__,
-                         request: activity.http_request&.uuid)
+            logger.debug('Masker: masking sensitive data', activity: activity.__id__, request: activity.request&.__id__)
+            return if activity.request.nil?
             mask_body(activity)
             mask_query_string(activity)
             mask_request_params(activity)
             mask_request_cookies(activity)
             mask_request_headers(activity)
           rescue StandardError => _e
-            logger.debug('Could not mask activity!', activity: activity.__id__, request: activity.http_request&.uuid)
+            logger.debug('Could not mask activity!', activity: activity.__id__, request: activity.request&.__id__)
           end
           private
@@ -64,68 +63,67 @@ module Contrast
           # Mask request body:
           #
-          # @param activity [Contrast::Api::Dtm::Activity]
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
           # @return masked_body [String, nil]
           def mask_body activity
             return unless mask_body?
-            body = activity.http_request.request_body
+            body = activity.request.body
             return if body.nil? || body.empty?
-            activity.http_request.request_body = BODY_MASK
-            activity.http_request.request_body_binary = BODY_BINARY_MASK
+            activity.request.body = BODY_MASK
+            activity.request.body_binary = BODY_BINARY_MASK
           end
           # Mask request params.
           #
-          # @param activity [Contrast::Api::Dtm::Activity]
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
           # @return masked_body [String, nil]
           def mask_request_params activity
-            params = activity.http_request.normalized_request_params
+            params = activity.request.parameters
             return unless params
-            mask_with_dictionary(activity.results, params)
+            mask_with_dictionary(activity.attack_results, params)
           end
           def mask_request_headers activity
-            if activity.http_request.parsed_request_headers
-              # Used normalized request_headers
-              mask_with_dictionary(activity.results, activity.http_request.normalized_request_headers)
-            else
-              headers = activity.http_request.request_headers
-              mask_field_hash(headers, activity.results)
-            end
+            headers = activity.request.headers
+            return if headers&.empty?
+            # Used normalized request_headers
+            mask = mask_with_dictionary(activity.attack_results, headers)
+            activity.request.headers = mask if mask
           end
           # Mask Cookies.
           #
-          # @param activity [Contrast::Api::Dtm::Activity] Activity to mask
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity] Activity to mask
           # @return masked_values [Hash, nil]
           def mask_request_cookies activity
-            cookies = activity.http_request.normalized_cookies
-            return unless cookies
+            cookies = activity.request.cookies
+            return if cookies&.empty?
-            mask_with_dictionary(activity.results, cookies)
+            mask_with_dictionary(activity.attack_results, cookies)
           end
           # Mask request query string:
           # exp: password => sensitive to password => contrast-redacted-password
           #
-          # @param activity [Contrast::Api::Dtm::Activity]
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
           # @return masked_query [String]
           def mask_query_string activity
-            qs = activity.http_request.query_string
+            qs = activity.request.query_string
             return if qs.nil? || qs.empty?
-            mask_field_hash(qs, activity.results) unless qs.cs__is_a?(String)
-            mask_raw_query(qs, activity.results)
+            mask = mask_raw_query(qs, activity.attack_results)
+            activity.request.query_string = mask if mask
           end
           # Mask if the value in the passed hash are matched against dictionary
           # keyword. If the mask_attack_vector flag is set, this will also mask
           # any attack.
           #
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
           # @param hash [Hash] Normalized hash representing the key/val pair from
           # the activity's http request parameters.
@@ -134,81 +132,98 @@ module Contrast
             return if hash.nil? || hash.empty?
             hash.each do |key, val|
-              match = dictionary_matcher(key)
-              next unless match
-              # The normalized values are paired.
-              # key => Contrast::Api::Dtm::Pair (key, val<Values>).
-              # try one level down
-              if val.cs__respond_to?(:values)
-                mask_values(key, val, results)
+              next unless dictionary_match(key)
+              if val.cs__is_a?(Array)
+                mask_values(key, val, hash, results)
               else
                 # Just assign keys.
                 mask_hash(key, val, hash, results)
               end
             end
-            hash
           end
-          # Mask the values of DTM pair with attack vector condition check.
-          # if the attack vector flag is set then mask the attack value.
+          # Mask the values of key value pair with array of string as input.
+          # If the mask_attack_vector? flag is set then the attack vector won't be
+          # masked.
           #
-          # @param key [String] current iterable key from Protobuf::Field::FieldHash
-          # pointing to Contrast::Api::Dtm::Pair<key, val>(holding the value to mask)
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param key [String]
+          # @param hash [Hash] Normalized hash representing the key/val pair.
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
-          # @param val [Contrast::Api::Dtm::Pair<Value>]
-          def mask_values key, val, results
-            val.values.each.with_index do |v, idx|
+          # @param val [String, Array<String>]
+          def mask_values key, val, hash, results
+            val.each.with_index do |v, idx|
               # Mask the attack vector only if the flag is set.
-              val.values[idx] = MASK + key.downcase if attack_vector?(results, v) && mask_attack_vector?
+              hash[key][idx] = MASK + key.downcase if attack_vector?(results, v) && mask_attack_vector?
               # It is not attack vector and we mask it as normal.
-              val.values[idx] = MASK + key.downcase unless attack_vector?(results, v)
+              hash[key][idx] = MASK + key.downcase unless attack_vector?(results, v)
             end
-            val
+            hash
           end
-          # Handles the masking of Field hash with string values.
-          # this case is used when called from #mask_field_hash
-          # and #mask_raw_query helper methods. Since they dont
-          # return values containing sub-values  (key, val<Values>).
+          # Handles the masking of hash
           #
           # @param key [String] current iterable key from Protobuf::Field::FieldHash
           # @param val [String] normalized value to be matched against the results
           # and masked.
           # @param hash [Hash] Normalized hash representing the key/val pair.
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
+          # @return [Hash]
           def mask_hash key, val, hash, results
+            # Mask the attack vector only if the flag is set.
             hash[key] = MASK + key.downcase if attack_vector?(results, val) && mask_attack_vector?
+            # It is not attack vector we mask it.
             hash[key] = MASK + key.downcase unless attack_vector?(results, val)
+            hash
           end
           # Match to see if values matches input from AttackResults array.
           # If match is found and the attack result's response is any of
           # [BAP(Block At Perimeter), BLOCKED, PROBED] the return is true.
           #
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
           # @param value [String] Input to match.
-          # @return true | false
+          # @return [Boolean]
           def attack_vector? results, value
             return false unless value && results
-            results.each do |result|
-              # Check samples Contrast::Api::Dtm::RaspRuleSample
-              # is the value in sample and the response is valid?
-              result.samples.any? do |sample|
-                # Check user input Contrast::Api::Dtm::UserInput.
-                match = sample.user_input.value == value.to_s &&
-                    result.response&.name != Contrast::Agent::Reporting::ResponseType::NO_ACTION
+            results.each do |attacker|
+              attacker.each do |activity|
+                blocked = iterate_attack_samples(activity.blocked, value)
+                return blocked if blocked
-                return match if match
+                exploited = iterate_attack_samples(activity.exploited, value)
+                return exploited if exploited
+                ineffective = iterate_attack_samples(activity.ineffective, value)
+                return ineffective if ineffective
+                suspicious = iterate_attack_samples(activity.suspicious, value)
+                return suspicious if suspicious
               end
             end
             false
           end
+          # Go through activity samples and search for a matching input.
+          #
+          # @param activity [Contrast::Agent::Reporting::ApplicationDefendAttackActivity]
+          # @param value [String] Input to match.
+          # @return [Boolean]
+          def iterate_attack_samples activity, value
+            return false unless activity
+            activity.samples.any? do |sample|
+              match = sample.user_input.value == value.to_s
+              return true if match
+            end
+            false
+          end
           # Consult with our current settings state.
           #
           # @return true | false
@@ -227,7 +242,7 @@ module Contrast
           #
           # @param value [String] Value to check.
           # @return match [String, nil] from the Dictionary, or nil.
-          def dictionary_matcher value
+          def dictionary_match value
             return unless @_dictionary
             @_dictionary.each do |rule|