RubyGems - contrast-agent - Versions diffs - 6.6.4 → 6.8.0 - Mend

contrast-agent 6.6.4 → 6.8.0

Files changed (340) hide show

data/lib/contrast/agent/protect/rule/sql_sample_builder.rb CHANGED Viewed

@@ -3,6 +3,8 @@
 require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/reporting/details/sqli_details'
+require 'contrast/agent/reporting/details/no_sqli_details'
 module Contrast
   module Agent
@@ -13,21 +15,21 @@ module Contrast
           # by TeamServer
           #
           # @param context [Contrast::Agent::RequestContext] the context for the current request
-          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
           #   if one exists, in the case of multiple inputs being found to violate the protection criteria
           # @candidate_string [String] the value of the input which may be an attack
           # @kwargs [Hash] key - value pairs of context individual rules need to build out details
-          #   to send to the Service to tell the story of the attack
-          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          #   to send to TeamServer to tell the story of the attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
           module SqliSample
             def build_sample context, input_analysis_result, candidate_string, **kwargs
               sqli_sample = build_base_sample(context, input_analysis_result)
-              sqli_sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
-              sqli_sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-              sqli_sample.sqli.start_idx = kwargs[:start_idx]
-              sqli_sample.sqli.end_idx = kwargs[:end_idx]
-              sqli_sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
-              sqli_sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              sqli_sample.details = Contrast::Agent::Reporting::Details::SqliDetails.new
+              sqli_sample.details.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              sqli_sample.details.start_idx = kwargs[:start_idx]
+              sqli_sample.details.end_idx = kwargs[:end_idx]
+              sqli_sample.details.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              sqli_sample.details.input_boundary_idx = kwargs[:input_boundary_idx].to_i
               sqli_sample
             end
           end
@@ -36,21 +38,21 @@ module Contrast
           # by TeamServer
           #
           # @param context [Contrast::Agent::RequestContext] the context for the current request
-          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
           #   if one exists, in the case of multiple inputs being found to violate the protection criteria
           # @candidate_string [String] the value of the input which may be an attack
           # @kwargs [Hash] key - value pairs of context individual rules need to build out details
-          #   to send to the Service to tell the story of the attack
-          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          #   to send to TeamServer to tell the story of the attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
           module NoSqliSample
             def build_sample context, input_analysis_result, candidate_string, **kwargs
               no_sqli_sample = build_base_sample(context, input_analysis_result)
-              no_sqli_sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
-              no_sqli_sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-              no_sqli_sample.no_sqli.start_idx = kwargs[:start_idx].to_i
-              no_sqli_sample.no_sqli.end_idx = kwargs[:end_idx].to_i
-              no_sqli_sample.no_sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
-              no_sqli_sample.no_sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              no_sqli_sample.details = Contrast::Agent::Reporting::Details::NoSqliDetails.new
+              no_sqli_sample.details.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              no_sqli_sample.details.start_idx = kwargs[:start_idx].to_i
+              no_sqli_sample.details.end_idx = kwargs[:end_idx].to_i
+              no_sqli_sample.details.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              no_sqli_sample.details.input_boundary_idx = kwargs[:input_boundary_idx].to_i
               no_sqli_sample
             end
           end
@@ -61,24 +63,21 @@ module Contrast
             # Set up an attack result and assigns Database scanner for the No-SQL and SQLI injection detection rules
             #
             # @param context [Contrast::Agent::RequestContext] the context for the current request
-            # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+            # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
             #   if one exists, in the case of multiple inputs being found to violate the protection criteria
-            # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
+            # @param result [Contrast::Agent::Reporting, nil] previous attack result for this rule, if one exists,
             #   in the case of multiple inputs being found to violate the protection criteria
             # @param query_string [String] the value of the input which may be an attack
             # @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
-            #   to the Service to tell the story of the attack
-            # @return [Contrast::Api::Dtm::AttackResult] the result from this attack
+            #   to TeamServer to tell the story of the attack
+            # @return [Contrast::Agent::Reporting] the result from this attack
             def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-              if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                    mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-                return result
-              end
+              return result if mode == :NO_ACTION || mode == :PERMIT
               attack_string = input_analysis_result.value
               regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
+              # extract struct result from kwargs
+              agent_lib_struct_result = kwargs[:result_struct]
               return unless query_string.match?(regexp)
               database = kwargs[:database]
@@ -92,7 +91,14 @@ module Contrast
                 next unless last_boundary && boundary
                 result ||= build_attack_result(context)
-                record_match(idx, length, boundary, last_boundary, kwargs)
+                # if the struct actually has the needed data in it - use it
+                if agent_lib_struct_result.cs__is_a?(Hash)
+                  record_agent_lib_match(agent_lib_struct_result, length, kwargs)
+                else
+                  record_match(idx, length, boundary, last_boundary, kwargs)
+                end
                 append_match(context, input_analysis_result, result, query_string, **kwargs)
               end
@@ -122,6 +128,20 @@ module Contrast
               kwargs[:input_boundary_idx] = last_boundary
             end
+            # all the agent_lib checks methods needed
+            # @param struct[ResultingStruct] The struct including all the data from the agent_lib scan
+            def record_agent_lib_match struct, length, kwargs
+              kwargs[:start_idx] = struct[:start_index]
+              kwargs[:end_idx] = if (struct[:end_index]).zero?
+                                   struct[:start_index] + length
+                                 else
+                                   struct[:end_index]
+                                 end
+              kwargs[:boundary_overrun_idx] = struct[:boundary_overrun_index]
+              kwargs[:input_boundary_idx] = struct[:input_boundary_index]
+            end
             def append_match context, input_analysis_result, result, query_string, **kwargs
               input_analysis_result.attack_count = input_analysis_result.attack_count + 1
               update_successful_attack_response(context, input_analysis_result, result, query_string)

data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb ADDED Viewed

@@ -0,0 +1,37 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This is the Base Rule
+        class SqliBaseRule < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
+          BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
+            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
+            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
+            XML_VALUE, DWR_VALUE
+          ].cs__freeze
+          def infilter context, database, query_string
+            return unless infilter?(context)
+            result = find_attacker(context, query_string, database: database)
+            return unless result
+            append_to_activity(context, result)
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb CHANGED Viewed

@@ -5,10 +5,8 @@ require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/protect/rule/sqli'
 require 'contrast/agent/reporting/input_analysis/score_level'
-require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification'
-require 'contrast/components/logger'
+require 'contrast/utils/input_classification_base'
 module Contrast
   module Agent
@@ -18,68 +16,10 @@ module Contrast
         # as a result input would be marked as WORTHWATCHING or IGNORE,
         # to be analyzed at the sink level.
         module SqliInputClassification
+          WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'.cs__freeze
           class << self
             include InputClassificationBase
-            include Contrast::Agent::Protect::Rule::SqliWorthWatching
             include Contrast::Components::Logger::InstanceMethods
-            WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
-            SQLI_KEYS_NEEDED = [
-              COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
-            ].cs__freeze
-            # Input Classification stage is done to determine if an user input is
-            # WORTHWATCHING or to be ignored.
-            #
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-            #                                                       agent analysis from the current
-            #                                                       Request.
-            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
-            def classify input_type, value, input_analysis
-              return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
-              return unless super
-              rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
-              # double check the input to avoid calling match? on array
-              Array(value).each do |val|
-                Array(val).each do |v|
-                  input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
-                end
-              end
-              input_analysis
-            rescue StandardError => e
-              logger.debug('An Error was recorded in the input classification of the sqli.')
-              logger.debug(e)
-            end
-            private
-            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
-            #
-            # @param request [Contrast::Agent::Request] the current request context.
-            # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def sqli_create_new_input_result request, rule_id, input_type, value
-              ia_result = new_ia_result(rule_id, input_type, request.path, value)
-              if sqli_worth_watching?(value)
-                ia_result.ids << WORTHWATCHING_MATCH
-                ia_result.score_level = WORTHWATCHING
-                ia_result
-              else
-                ia_result.score_level = IGNORE
-              end
-              add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
-              ia_result
-            end
           end
         end
       end

data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb ADDED Viewed

@@ -0,0 +1,67 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/details/sqli_dangerous_functions'
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This class will include the check for SQL Injection Semantic Dangerous Functions
+        class SqliDangerousFunctions < Contrast::Agent::Protect::Rule::SqliBaseRule
+          NAME = 'sql-injection-semantic-dangerous-functions'
+          BLOCK_MESSAGE = 'SQLi Semantic Dangerous Functions rule triggered. Response blocked.'
+          SQL_DANGEROUS_FUNCTIONS = %w[unhex waitfor xp_cmdshell exec].cs__freeze
+          def rule_name
+            NAME
+          end
+          def infilter context, query_string
+            return unless infilter?(context)
+            return unless violated?(query_string)
+            result = build_violation(context, query_string)
+            return unless result
+            append_to_activity(context, result)
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          end
+          protected
+          def violated? attack_string
+            SQL_DANGEROUS_FUNCTIONS.any? { |dang_func| attack_string.downcase.include?(dang_func) }
+          end
+          def build_violation context, potential_attack_string
+            result = build_attack_result(context)
+            update_successful_attack_response(context, nil, result, potential_attack_string)
+            append_sample(context, nil, result, potential_attack_string)
+            result
+          end
+          # Override if rule can make use of the candidate string or kwargs to
+          # build rasp rule sample.
+          def build_sample context, ia_result, candidate_string, **_kwargs
+            sample = build_base_sample(context, nil)
+            sample.details = Contrast::Agent::Reporting::Details::SqliDangerousFunctions.new
+            sample.details.query = candidate_string
+            if ia_result.nil?
+              ui = Contrast::Agent::Reporting::UserInput.new
+              ui.input_type = :UNKNOWN
+              ui.value = candidate_string
+              sample.user_input = ui
+            end
+            sample
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb CHANGED Viewed

@@ -5,13 +5,15 @@ require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
 require 'contrast/agent/protect/rule/sql_sample_builder'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/sqli/sqli_base_rule'
+require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect SQL Injection rule.
-        class Sqli < Contrast::Agent::Protect::Rule::BaseService
+        class Sqli < Contrast::Agent::Protect::Rule::SqliBaseRule
           # Generate a sample for the SQLI injection detection rule, allowing for reporting to and rendering
           # by TeamServer
           include SqlSampleBuilder::SqliSample
@@ -22,28 +24,9 @@ module Contrast
             include Contrast::Agent::Reporting::InputType
           end
-          APPLICABLE_USER_INPUTS = [
-            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
-            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
-            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
-            XML_VALUE, DWR_VALUE
-          ].cs__freeze
           NAME = 'sql-injection'
-          BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  start: attack_sample.sqli.start_idx,
-                  end: attack_sample.sqli.end_idx,
-                  boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
-                  inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
-                  query: attack_sample.sqli.query
-              }
-            end
-          end
+          SUB_RULES = [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
           def rule_name
             NAME
@@ -53,6 +36,14 @@ module Contrast
             BLOCK_MESSAGE
           end
+          def sub_rules
+            SUB_RULES
+          end
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
+          end
           def infilter context, database, query_string
             return unless infilter?(context)
@@ -61,9 +52,63 @@ module Contrast
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack, query_string)
+            cef_logging(result, :successful_attack, value: query_string)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
+          # Allows for the InputAnalysis from Agent Library to be extracted early
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          # @param **kwargs
+          # @return [Contrast::Agent::Reporting, nil]
+          def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
+            result = nil
+            ia_results.each do |ia_result|
+              if potential_attack_string
+                idx = potential_attack_string.index(ia_result.value)
+                next unless idx
+                database_type = kwargs[:database].to_sym
+                input_length = ia_result.value.length
+                lib_result = check_sql_input_with_agent(potential_attack_string, database_type, idx, input_length)
+                kwargs[:result_struct] = lib_result
+                result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
+              else
+                result = build_attack_without_match(context, ia_result, result, **kwargs)
+              end
+            end
+            result
+          end
+          # We'll need a second place, where we need to check the token boundaries if are being crossed and
+          # worth-watching.
+          #
+          # @param sql[String] SQL coming from parameter
+          # @param database[String] Type of database
+          # @param input_index[String] index in the sqlQuery string where user input was found
+          # @param input_length[Number] length of the input value
+          # @return [Hash, Boolean]
+          def check_sql_input_with_agent sql, database, input_index, input_length
+            return false unless (agent_lib = Contrast::AGENT_LIB) && sql && database
+            agent_lib.check_sql_query(input_index, input_length, database, sql)
+          end
+          # @param context [Contrast::Agent::RequestContext]
+          def infilter? context
+            return false unless enabled?
+            return false unless context&.agent_input_analysis&.results&.any? do |result|
+              result.rule_id == rule_name
+            end
+            return false if protect_excluded_by_code?
+            true
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb CHANGED Viewed

@@ -3,9 +3,8 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/protect/rule/unsafe_file_upload'
-require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification'
+require 'contrast/utils/input_classification_base'
 module Contrast
   module Agent
@@ -14,67 +13,44 @@ module Contrast
         # This module will do the Input Classification stage of Unsafe File Upload
         # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
         module UnsafeFileUploadInputClassification
-          # UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
-          #
-          # class << self
-          #   include InputClassificationBase
-          #   include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
-          #
-          #   # Input Classification stage is done to determine if an user input is
-          #   # DEFINITEATTACK or to be ignored.
-          #   #
-          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-          #   # @param value [String, Array<String>] the value of the input.
-          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-          #   #                                                       agent analysis from the current
-          #   #                                                       Request.
-          #   # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
-          #   def classify input_type, value, input_analysis
-          #     unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
-          #       return
-          #     end
-          #     return unless input_analysis.request
-          #
-          #     rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
-          #     results = []
-          #
-          #     Array(value).each do |val|
-          #       Array(val).each do |v|
-          #         results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
-          #       end
-          #     end
-          #
-          #     input_analysis.results = results
-          #     input_analysis
-          #   end
-          #
-          #   private
-          #
-          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-          #   # key if needed and Creates new isntance of InputAnalysisResult.
-          #   #
-          #   # @param request [Contrast::Agent::Request] the current request context.
-          #   # @param rule_id [String] The name of the Protect Rule.
-          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-          #   # @param value [String, Array<String>] the value of the input.
-          #   #
-          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-          #   def create_new_input_result request, rule_id, input_type, value
-          #     ia_result = new_ia_result rule_id, input_type, request.path, value
-          #     if unsafe_match? value
-          #       ia_result.score_level = DEFINITEATTACK
-          #       ia_result.ids << UNSAFE_UPLOAD_MATCH
-          #     else
-          #       ia_result.score_level = IGNORE
-          #     end
-          #     ia_result.key = if input_type == MULTIPART_FIELD_NAME
-          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
-          #                     else
-          #                       Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
-          #                     end
-          #     ia_result
-          #   end
-          # end
+          UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
+          class << self
+            include InputClassificationBase
+            private
+            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              return unless Contrast::AGENT_LIB
+              return unless (input_eval = Contrast::AGENT_LIB.eval_input(value,
+                                                                         Contrast::AGENT_LIB.input_set[:MULTIPART_NAME],
+                                                                         Contrast::AGENT_LIB.rule_set[rule_id],
+                                                                         Contrast::AGENT_LIB.eval_option[:NONE]))
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              if input_eval.score >= THRESHOLD
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << UNSAFE_UPLOAD_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+              ia_result.key = if input_type == MULTIPART_FIELD_NAME
+                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
+                              else
+                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
+                              end
+              ia_result
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect Unsafe File Upload rule.
         # The unsafe-file-upload rule can trigger the following results:
-        # BLOCKED in Blocking mode na SUSPICIOUS in Monitor mode.
+        # BLOCKED in Blocking mode and SUSPICIOUS in Monitor mode.
         class UnsafeFileUpload < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Agent::Reporting::InputType
@@ -23,40 +23,13 @@ module Contrast
             NAME
           end
-          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
-          # agent with protect library, we should re-enable these tests and that rule.
-          # TODO: RUBY-1574
-          def enabled?
-            super && false
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
           end
-          # def block_message
-          #   BLOCK_MESSAGE
-          # end
-          #
-          # def prefilter context
-          #   return unless prefilter?(context)
-          #
-          #   ia_results = gather_ia_results context
-          #
-          #   ia_results.each do |ia_result|
-          #     result = build_attack_result(context)
-          #     build_attack_without_match context, ia_result, result
-          #     append_to_activity context, result
-          #
-          #     cef_logging result, :successful_attack
-          #     raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-          #   end
-          # end
-          #
-          # private
-          #
-          # def prefilter? _context
-          #   return false unless enabled?
-          #   return false if protect_excluded_by_code?
-          #
-          #   true
-          # end
+          def block_message
+            BLOCK_MESSAGE
+          end
         end
       end
     end