contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/agent/inventory/database_config.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/reporting_events/architecture_component'
-require 'contrast/api/decorators/architecture_component'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/timer'
@@ -25,25 +24,21 @@ module Contrast
         LOCALHOST = 'localhost'
 
         class << self
-          # Append the available database connection information to the message being sent to TeamServer. This message
-          # may be a Contrast::Api::Dtm::Activity or Contrast::Agent::Reporting::ApplicationUpdate.
-          # Both report the same
-          # Contrast::Api::Dtm::ArchitectureComponent, but have different names for their fields.
+          # Append the available database connection information to the message being sent to TeamServer.
           #
-          # @param activity_or_update [Contrast::Api::Dtm::Activity, Contrast::Agent::Reporting::ApplicationUpdate]
-          # @param hash_or_str [Hash, String, #configuration_hash] the database connection information
+          # @param activity_or_update [Contrast::Agent::Reporting::ApplicationUpdate]
+          # @param hash_or_str [Hash, String] the database connection information
           def append_db_config activity_or_update, hash_or_str = active_record_config
             arr = build_from_db_config(hash_or_str)
             return unless arr&.any?
 
-            arr.each do |a|
-              next unless a
+            arr.each do |component|
+              next unless component
 
-              if activity_or_update.is_a?(Contrast::Api::Dtm::Activity)
-                activity_or_update.architectures << a
+              if activity_or_update.cs__is_a?(Contrast::Agent::Reporting::ApplicationUpdate)
+                activity_or_update.components << component
               else
-                converted_comp = Contrast::Agent::Reporting::ArchitectureComponent.convert(a)
-                activity_or_update.components << converted_comp
+                activity_or_update.attach_inventory(component)
               end
             end
           rescue StandardError => e
@@ -74,11 +69,11 @@ module Contrast
           # The classes we instrument in order to determine which, if any, database(s) an application connects to take
           # either a Hash or a String as a parameter. We install this one patch into all of those methods, letting our
           # code here, rather than at the patch level, make the determination of which path to call. We'll make that
-          # decision and then parse the given configuration to create a Contrast::Api::Dtm::ArchitectureComponent for
-          # reporting.
+          # decision and then parse the given configuration to create a
+          # Contrast::Agent::Reporting::ArchitectureComponent for reporting.
           #
           # @param hash_or_str [Hash, String]
-          # @return [Array<Contrast::Api::Dtm::ArchitectureComponent>, nil]
+          # @return [Array<Contrast::Agent::Reporting::ArchitectureComponent>, nil]
           def build_from_db_config hash_or_str
             return unless hash_or_str
 
@@ -94,13 +89,13 @@ module Contrast
             end
           end
 
-          # Convert the Hash used to create a database connection into an Contrast::Api::Dtm::ArchitectureComponent
-          # understandable by TeamServer.
+          # Convert the Hash used to create a database connection into a
+          # Contrast::Agent::Reporting::ArchitectureComponent understandable by TeamServer.
           #
           # @param hash [Hash] the information used to open a database connection
-          # @return [Array<Contrast::Api::Dtm::ArchitectureComponent>]
+          # @return [Array<Contrast::Agent::Reporting::ArchitectureComponent>]
           def build_from_db_hash hash
-            ac = Contrast::Api::Dtm::ArchitectureComponent.build_database
+            ac = Contrast::Agent::Reporting::ArchitectureComponent.build_database
             ac.vendor = hash[:adapter] || hash[ADAPTER] || Contrast::Utils::ObjectShare::EMPTY_STRING
             ac.remote_host = host_from_hash(hash)
             ac.remote_port = port_from_hash(hash)
@@ -131,7 +126,7 @@ module Contrast
           # mysql+mysqlconnector://scott:tiger@localhost/foo # pragma: allowlist secret
           #
           # @param str [String] the DB connection string
-          # @return [Array<Contrast::Api::Dtm::ArchitectureComponent>, nil]
+          # @return [Array<Contrast::Agent::Reporting::ArchitectureComponent>, nil]
           def build_from_db_string str
             adapter, hosts, database = split_connection_str(str)
             return unless adapter && hosts && database
@@ -140,7 +135,7 @@ module Contrast
             hosts.split(Contrast::Utils::ObjectShare::COMMA).map do |s|
               host, port = s.split(Contrast::Utils::ObjectShare::COLON)
 
-              ac = Contrast::Api::Dtm::ArchitectureComponent.build_database
+              ac = Contrast::Agent::Reporting::ArchitectureComponent.build_database
               ac.vendor = Contrast::Utils::StringUtils.force_utf8(adapter)
               ac.remote_host = Contrast::Utils::StringUtils.force_utf8(host)
               ac.remote_port = port.to_i
@@ -151,7 +146,7 @@ module Contrast
           end
 
           # Parse the given string used to connect to a database into its composite components, allowing for the
-          # generation of a Contrast::Api::Dtm::ArchitectureComponent
+          # generation of a Contrast::Agent::Reporting::ArchitectureComponent
           #
           # @param str [String] the DB connection string
           # @return [Array<String>, nil] the adapter, hosts, and database

data/lib/contrast/agent/middleware.rb

@@ -73,12 +73,12 @@ module Contrast
       private
 
       # Startup the Agent as part of the initialization process:
-      # - start the service sending thread, responsible for sending and processing messages
-      # - start the heartbeat thread, which triggers service startup
+      # - start the TeamServer sending thread, responsible for sending and processing messages
+      # - start the heartbeat thread, which handles periodic messages to TeamServer
       # - start instrumenting libraries and do a 'catchup' patch for everything we didn't see get loaded
       # - enable TracePoint, which handles all class loads and required instrumentation going forward
       def agent_startup_routine
-        logger.debug_with_time('middleware: starting service') do
+        logger.debug_with_time('middleware: starting reporting threads') do
           Contrast::Agent.thread_watcher.ensure_running?
         end
 
@@ -147,7 +147,7 @@ module Contrast
       #    which is being triggered when there is a failure within the pre-call with the agent
       def pre_call_with_agent context, request_handler
         with_contrast_scope do
-          context.service_extract_request
+          context.protect_input_analysis
           request_handler.ruleset.prefilter
         end
       rescue StandardError => e
@@ -180,7 +180,6 @@ module Contrast
           else
             request_handler.ruleset.postfilter
             request_handler.report_activity
-            request_handler.send_activity_messages # TODO: RUBY-1438 -- remove
           end
         end
       # unsuccessful attack

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -56,6 +56,7 @@ module Contrast
               unless Contrast::Agent::Assess.cs__object_method_prepended?(Marshal, :load, false)
                 apply_marshal_load_alias_patch
               end
+              apply_array_join_prepend_patch if Contrast::Agent::Assess.cs__object_method_prepended?(Array, :join, true)
               true
             end
           end
@@ -121,6 +122,11 @@ module Contrast
             Marshal.alias_method(:cs__marshal_load, :load)
             Marshal.alias_method(:load, :cs__marshal_load)
           end
+
+          # Prepend Contrast::Extension::Assess::ContrastArray to pick up the ContrastArray#join method
+          def apply_array_join_prepend_patch
+            Array.prepend(Contrast::Extension::Assess::ContrastArray)
+          end
         end
       end
     end

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -4,14 +4,21 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/bot_blocker'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
+require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
+require 'contrast/agent/protect/rule/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
+require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
+require 'contrast/agent/protect/rule/xss'
+require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
-require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
-require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'json'
 
 module Contrast
@@ -20,131 +27,143 @@ module Contrast
       # InputAnalyzer will extract input form current request context and will analyze it.
       # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
       module InputAnalyzer
-        # DISPOSITION_NAME = 'name'
-        # DISPOSITION_FILENAME = 'filename'
-        #
-        # class << self
-        #   include Contrast::Agent::Reporting::InputType
-        #   include Contrast::Agent::Reporting::ScoreLevel
-        #   include Contrast::Agent::Protect::Rule::SqliWorthWatching
-        #   include Contrast::Utils::ObjectShare
-        #   include Contrast::Agent::Protect::Rule::CmdiWorthWatching
-        #
-        #   PROTECT_RULES = {
-        #       sqli: {
-        #           rule_name: 'sql-injection',
-        #           classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-        #       },
-        #       cmdi: {
-        #           rule_name: 'cmd-injection',
-        #           classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-        #       },
-        #       method_tampering: {
-        #           rule_name: 'method-tampering',
-        #           classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-        #       },
-        #       unsafe_file_upload: {
-        #           rule_name: 'unsafe-file-upload',
-        #           classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-        #       },
-        #       nosqli: {
-        #           rule_name: 'nosql-injection',
-        #           classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-        #       }
-        #   }.cs__freeze
-        #
-        #   # This method with analyze the user input from the context of the
-        #   # current request and run each of the protect rules against all
-        #   # found input types
-        #   #
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-        #   def analyse request
-        #     return unless Contrast::PROTECT.enabled?
-        #     return if request.nil?
-        #
-        #     inputs = extract_input request
-        #     return unless inputs
-        #
-        #     input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
-        #     input_analysis.request = request
-        #     # each rule against each input
-        #     input_classification inputs, input_analysis
-        #     input_analysis
-        #   end
-        #
-        #   private
-        #
-        #   # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-        #   #
-        #   # @param inputs [String, Array<String>] user input to be analysed.
-        #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-        #   #                                                       for each protect rule.
-        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-        #   def input_classification inputs, input_analysis
-        #     # key = input type, value = user_input
-        #     inputs.each do |input_type, value|
-        #       next if value.nil? || value.empty?
-        #
-        #       PROTECT_RULES.each do |_key, rule|
-        #         protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
-        #         logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
-        #
-        #         # check if rule is enabled
-        #         next unless protect_rule&.enabled?
-        #
-        #         # method tampering doesn't take value
-        #         if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-        #           rule[:classification].send(:classify, input_type, input_analysis)
-        #         else
-        #           rule[:classification].send(:classify, input_type, value, input_analysis)
-        #         end
-        #       end
-        #     end
-        #     input_analysis
-        #   end
-        #
-        #   # Extract the inputs from the request context and label them with Protect
-        #   # input type tags. Each tag will contain one or more user inputs.
-        #   #
-        #   # This methods is to be expanded and modified as needed by other Protect rules
-        #   # and sub-rules for their requirements.
-        #   #
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-        #   def extract_input request
-        #     inputs = {}
-        #     inputs[BODY] = request.body
-        #     inputs[COOKIE_NAME] = request.cookies.keys
-        #     inputs[COOKIE_VALUE] = request.cookies.values
-        #     inputs[HEADER] = request.headers
-        #     inputs[PARAMETER_NAME] = request.parameters.keys
-        #     inputs[PARAMETER_VALUE] = request.parameters.values
-        #     inputs[QUERYSTRING] = request.query_string
-        #     inputs[METHOD] = request.request_method
-        #     extract_multipart inputs, request
-        #     inputs.compact!
-        #     inputs
-        #   end
-        #
-        #   # Extract the filename and name of the  Content Disposition Header.
-        #   #
-        #   # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   def extract_multipart inputs, request
-        #     disposition = request.rack_request.env['Content-Disposition']
-        #     disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
-        #     return unless disposition
-        #
-        #     pairs = {}
-        #     disposition.split(SEMICOLON).each do |elem|
-        #       new_pair = elem.strip.split(EQUALS, 2)
-        #       pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-        #     end
-        #     inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-        #     inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
-        #   end
-        # end
+        DISPOSITION_NAME = 'name'
+        DISPOSITION_FILENAME = 'filename'
+        DISPOSITION_KEYS = %w[Content-Disposition CONTENT_DISPOSITION].cs__freeze
+
+        class << self
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Utils::ObjectShare
+          include Contrast::Components::Logger::InstanceMethods
+
+          PROTECT_RULES = {
+              sqli: {
+                  rule_name: 'sql-injection',
+                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+              },
+              cmdi: {
+                  rule_name: 'cmd-injection',
+                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+              },
+              # method_tampering: {
+              #     rule_name: 'method-tampering',
+              #     classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+              # },
+              reflected_xss: {
+                  rule_name: Contrast::Agent::Protect::Rule::Xss::NAME,
+                  classification: Contrast::Agent::Protect::Rule::ReflectedXssInputClassification
+              },
+              bot_blocker: {
+                  rule_name: Contrast::Agent::Protect::Rule::BotBlocker::NAME,
+                  classification: Contrast::Agent::Protect::Rule::BotBlockerInputClassification
+              },
+              unsafe_file_upload: {
+                  rule_name: Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
+                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+              },
+              path_traversal: {
+                  rule_name: Contrast::Agent::Protect::Rule::PathTraversal::NAME,
+                  classification: Contrast::Agent::Protect::Rule::PathTraversalInputClassification
+              },
+              nosqli: {
+                  rule_name: Contrast::Agent::Protect::Rule::NoSqli::NAME,
+                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+              }
+          }.cs__freeze
+
+          # This method with analyze the user input from the context of the
+          # current request and run each of the protect rules against all
+          # found input types
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def analyse request
+            return unless Contrast::PROTECT.enabled?
+            return if request.nil?
+
+            inputs = extract_input(request)
+            return unless inputs
+
+            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+            input_analysis.request = request
+            # each rule against each input
+            input_classification(inputs, input_analysis)
+            input_analysis
+          end
+
+          private
+
+          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+          #
+          # @param inputs [String, Array<String>] user input to be analysed.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def input_classification inputs, input_analysis
+            # key = input type, value = user_input
+            inputs.each do |input_type, value|
+              next if value.nil? || value.empty?
+
+              PROTECT_RULES.each do |_key, rule|
+                protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
+                logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
+
+                # check if rule is enabled
+                next unless protect_rule&.enabled?
+
+                # method tampering doesn't take value
+                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+                  rule[:classification].send(:classify, rule[:rule_name], input_type, input_analysis)
+                else
+                  rule[:classification].send(:classify, rule[:rule_name], input_type, value, input_analysis)
+                end
+              end
+            end
+            input_analysis
+          end
+
+          # Extract the inputs from the request context and label them with Protect
+          # input type tags. Each tag will contain one or more user inputs.
+          #
+          # This methods is to be expanded and modified as needed by other Protect rules
+          # and sub-rules for their requirements.
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          def extract_input request
+            inputs = {}
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+            inputs[METHOD] = request.request_method
+            extract_multipart(inputs, request)
+            inputs.compact!
+            inputs
+          end
+
+          # Extract the filename and name of the  Content Disposition Header.
+          #
+          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          # @param request [Contrast::Agent::Request] current request context.
+          def extract_multipart inputs, request
+            disposition = request.rack_request.env[DISPOSITION_KEYS[0]]
+            disposition = request.rack_request.env[DISPOSITION_KEYS[1]] if disposition.nil? || disposition.empty?
+            return unless disposition
+
+            pairs = {}
+            disposition.split(SEMICOLON).each do |elem|
+              new_pair = elem.strip.split(EQUALS, 2)
+              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+            end
+            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+          end
+        end
       end
     end
   end

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -33,6 +33,10 @@ module Contrast
               clazz = object.is_a?(Module) ? object : object.cs__class
               class_name = clazz.cs__name
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              # invoke cmdi sub-rules.
+              rule.sub_rules.each do |sub_rule|
+                sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              end
             end
 
             protected

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
 require 'contrast/agent/protect/policy/rule_applicator'
 require 'contrast/utils/object_share'
 
@@ -27,6 +28,9 @@ module Contrast
               action = properties['action']
               write_marker = write?(action, *args)
               possible_write = write_marker && possible_write?(write_marker)
+
+              # Invoke semantic rules from here, not in a separate protect policy
+              invoke_semantic_rules(path, possible_write, object, method)
               path_traversal_rule(path, possible_write, object, method)
 
               # If the action was copy, we need to handle the write half of it.
@@ -37,6 +41,7 @@ module Contrast
               dst = args[1]
               return unless dst.is_a?(String)
 
+              invoke_semantic_rules(dst, true, object, method)
               path_traversal_rule(dst, true, object, method)
             end
 
@@ -75,6 +80,21 @@ module Contrast
               logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
             end
 
+            # @raise [Contrast::SecurityException] re-raises if some attack is blocked and raised from the infilter
+            def invoke_semantic_rules path, possible_write, object, method
+              return unless applies_to?(path, possible_write: possible_write)
+
+              rule.sub_rules.each do |sub_rule|
+                sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
+              end
+            rescue Contrast::SecurityException => e
+              raise(e)
+            rescue StandardError => e
+              logger.error('Error applying path traversal semantic rule', e,
+                           module: object.cs__class.cs__name,
+                           method: method)
+            end
+
             CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
             def safer_abs_paths
               @_safer_abs_paths ||= begin

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -30,6 +30,7 @@ module Contrast
 
               sql = args[index]
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
+              rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
             end
 
             protected

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -66,7 +66,7 @@ module Contrast
             raise(NoMethodError, 'This is abstract, override it.')
           end
 
-          # The name of the rule, as expected by the Contrast Service and Contrast UI.
+          # The name of the rule, as expected by the Contrast UI.
           #
           # @return [String]
           # @raise [NoMethodError] This is abstract method