contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb

@@ -0,0 +1,58 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/input_classification_base'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Reflected XSS rule
+        # Input classification
+        module ReflectedXssInputClassification
+          REFLECTED_XSS_MATCH = 'reflected-xss-input-tracing-v1'.cs__freeze
+          WORTHWATCHING_MATCH = 'xss-worth-watching-v2'.cs__freeze
+          class << self
+            include InputClassificationBase
+
+            private
+
+            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              return unless Contrast::AGENT_LIB
+
+              input_eval = Contrast::AGENT_LIB.eval_input(value,
+                                                          convert_input_type(input_type),
+                                                          Contrast::AGENT_LIB.rule_set[rule_id],
+                                                          Contrast::AGENT_LIB.
+                                                            eval_option[:WORTHWATCHING])
+
+              score = input_eval&.score || 0
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              if score >= THRESHOLD
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << REFLECTED_XSS_MATCH
+              elsif score >= WORTHWATCHING_THRESHOLD
+                ia_result.score_level = WORTHWATCHING
+                ia_result.ids << WORTHWATCHING_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+
+              add_needed_key(request, ia_result, input_type, value)
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/xss.rb

@@ -9,37 +9,31 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect Cross-Site Scripting rule.
         class Xss < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Agent::Reporting::InputType
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
 
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              # TODO: RUBY-1702 - figure out why xss isn't populated when reported; probably something to do w/
-              #   suspicious
-              return Contrast::Utils::ObjectShare::EMPTY_HASH unless attack_sample&.xss
-
-              {
-                  input: attack_sample.xss.input,
-                  matches: attack_sample.xss.matches.map do |match|
-                             {
-                                 evidenceStart: match.evidence_start_ms,
-                                 evidence: match.evidence,
-                                 offset: match.offset
-                             }
-                           end
-              }
-            end
-          end
+          APPLICABLE_USER_INPUTS = [
+            BODY, PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
+            MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE,
+            DWR_VALUE, URI, QUERYSTRING
+          ].cs__freeze
 
           def rule_name
             NAME
           end
 
+          def block_message
+            BLOCK_MESSAGE
+          end
+
           def stream_safe?
             false
           end
+
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -2,6 +2,9 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/reporting/details/xxe_details'
+require 'contrast/agent/reporting/details/xxe_match'
+require 'contrast/agent/reporting/details/xxe_wrapper'
 require 'contrast/utils/timer'
 require 'contrast/components/logger'
 
@@ -19,28 +22,6 @@ module Contrast
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
 
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  xml: attack_sample.xxe.xml,
-                  declaredEntities: attack_sample.xxe.declared_entities.map do |entity|
-                                      {
-                                          start: entity.start_idx,
-                                          end: entity.end_idx
-                                      }
-                                    end,
-                  entitiesResolved: attack_sample.xxe.entities_resolved.map do |entity|
-                                      {
-                                          systemId: entity.system_id,
-                                          publicId: entity.public_id
-                                      }
-                                    end
-              }
-            end
-          end
-
           def rule_name
             NAME
           end
@@ -56,13 +37,15 @@ module Contrast
           # @raise [Contrast::SecurityException] Security exception if an XXE
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
+            return if protect_excluded_by_url?(context)
+
             result = find_attacker(context, xml, framework: framework)
             return unless result
 
             append_to_activity(context, result)
             return unless blocked?
 
-            cef_logging(result, :successful_attack, xml)
+            cef_logging(result, :successful_attack, value: xml)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE))
           end
 
@@ -76,7 +59,7 @@ module Contrast
           # @param xml [String] the literal value of the XML being checked for
           #   external entity resolution
           # @param _kwargs [Hash]
-          # @return [Contrast::Api::Dtm::AttackResult, nil] the determination
+          # @return [Contrast::Agent::Reporting, nil] the determination
           #   as to whether or not this XML has an XXE attack in it.
           def find_attacker context, xml, **_kwargs
             return unless xml
@@ -105,7 +88,7 @@ module Contrast
               entity_wrapper = Contrast::Agent::Protect::Rule::Xxe::EntityWrapper.new(ss.matched)
               next unless entity_wrapper.external_entity?
 
-              xxe_details ||= Contrast::Api::Dtm::XxeDetails.new
+              xxe_details ||= Contrast::Agent::Reporting::Details::XxeDetails.new
               xxe_details.declared_entities << build_match(ss)
               xxe_details.entities_resolved << build_wrapper(entity_wrapper)
             end
@@ -119,12 +102,12 @@ module Contrast
           def build_sample context, ia_result, _url, **kwargs
             sample = build_base_sample(context, ia_result)
             sample.user_input = build_user_input(ia_result)
-            sample.xxe = kwargs[:details]
+            sample.details = kwargs[:details]
             sample
           end
 
           def build_user_input ia_result
-            input = Contrast::Api::Dtm::UserInput.new
+            input = Contrast::Agent::Reporting::UserInput.new
             input.key = INPUT_NAME
             input.input_type = :UNKNOWN
             input.document_type = :XML
@@ -137,8 +120,10 @@ module Contrast
           # We know that this attack happened, so the result is always matched
           # and the level is always critical. Only variable is the XML value
           # supplied by the attacker.
+          #
+          # @return [Contrast::Agent::Reporting::InputAnalysisResult]
           def build_evaluation xml
-            ia_result = Contrast::Api::Settings::InputAnalysisResult.new
+            ia_result = Contrast::Agent::Reporting::InputAnalysisResult.new
             ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(xml)
@@ -146,14 +131,14 @@ module Contrast
           end
 
           def build_match string_scanner
-            match = Contrast::Api::Dtm::XxeMatch.new
+            match = Contrast::Agent::Reporting::Details::XxeMatch.new
             match.end_idx = string_scanner.pos.to_i
             match.start_idx = match.end_idx - string_scanner.matched_size
             match
           end
 
           def build_wrapper entity_wrapper
-            wrapper = Contrast::Api::Dtm::XxeWrapper.new
+            wrapper = Contrast::Agent::Reporting::Details::XxeWrapper.new
             wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.system_id)
             wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.public_id)
             wrapper

data/lib/contrast/agent/protect/rule.rb

@@ -28,12 +28,14 @@ require 'contrast/agent/protect/rule/sqli/default_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/mysql_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/postgres_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/sqlite_sql_scanner'
+require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 
 # The classes required for Path Traversal
 require 'contrast/agent/protect/rule/path_traversal'
 
-# The classes required for Command Injection
+# The classes required for Command Injection and sub-rules
 require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/protect/rule/cmdi/cmdi_backdoors'
 
 # The classes required for XXE
 require 'contrast/agent/protect/rule/xxe'

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -57,6 +57,14 @@ module Contrast
         def tags= tags
           @_tags = tags if tags.is_a?(String)
         end
+
+        def details
+          @_details ||= {}
+        end
+
+        def details= protect_details
+          @_details = protect_details if protect_details.is_a?(Contrast::Agent::Reporting::Details::ProtectRuleDetails)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb

@@ -4,48 +4,82 @@
 require 'contrast/utils/object_share'
 require 'contrast/utils/timer'
 require 'contrast/agent/reporting/attack_result/user_input'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/details/protect_rule_details'
+require 'contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack'
 
 module Contrast
   module Agent
     module Reporting
       # This class will hold the new RaspRuleSample.
-      # protect rules.
-      class RaspRuleSample # rubocop:disable Lint/EmptyClass
-        # def timestamp
-        #   @_timestamp ||= 0
-        # end
+      # It is mainly used to build samples for each
+      # protect rule, and translate data from SP IA.
+      # It is not a reporting event.
+      class RaspRuleSample
+        # Any rules specific details
         #
-        # def timestamp= timestamp_ms
-        #   @_timestamp = timestamp_ms
-        # end
-        #
-        # def user_input
-        #   @_user_input ||= Contrast::Agent::Reporting::UserInput.new
-        # end
-        #
-        # def user_input= input
-        #   @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
-        # end
-        #
-        # def build context, ia_result
-        #   sample = self
-        #   sample.timestamp = context&.timer&.start_ms
-        #   sample.user_input = build_user_input_from_ia(ia_result)
-        #   sample.user_input.document_type = if context&.request
-        #                                       Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
-        #                                     end
-        #   sample
-        # end
-        #
-        # def build_user_input_from_ia ia_result
-        #   user_input = Contrast::Agent::Reporting::UserInput.new
-        #   user_input.input_type = ia_result.input_type
-        #   user_input.matcher_ids = ia_result.ids
-        #   user_input.path = ia_result.path
-        #   user_input.key = ia_result.key if ia_result.key
-        #   user_input.value = ia_result.value if ia_result.value
-        #   user_input
-        # end
+        # @return [Contrast::Agent::Reporting::Details::ProtectRuleDetails, nil]
+        attr_accessor :details
+
+        class << self
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build context, ia_result
+            sample = new
+            sample.time_stamp = context&.timer&.start_ms
+            sample.user_input = build_user_input_from_ia(ia_result)
+            sample.user_input.document_type = if context&.request
+                                                Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
+                                              end
+            sample
+          end
+
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
+          def build_user_input_from_ia ia_result
+            user_input = Contrast::Agent::Reporting::UserInput.new
+            return user_input unless ia_result
+
+            user_input.input_type = ia_result.input_type
+            user_input.matcher_ids = ia_result.ids
+            user_input.path = ia_result.path
+            user_input.key = ia_result.key if ia_result.key
+            user_input.value = ia_result.value if ia_result.value
+            user_input
+          end
+        end
+
+        def time_stamp
+          @_time_stamp ||= Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0
+        end
+
+        def time_stamp= timestamp_ms
+          @_time_stamp = timestamp_ms
+        end
+
+        def user_input
+          @_user_input ||= Contrast::Agent::Reporting::UserInput.new
+        end
+
+        def user_input= input
+          @_user_input = input if input.is_a?(Contrast::Agent::Reporting::UserInput)
+        end
+
+        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack>,Array]
+        def stack
+          @_stack ||= []
+        end
+
+        def to_controlled_hash
+          {
+              timeStamp: Time.at(time_stamp).iso8601,
+              userInput: user_input.to_controlled_hash,
+              details: details&.to_controlled_hash,
+              stack: stack.map(&:to_controlled_hash)
+          }
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/attack_result/response_type.rb

@@ -9,18 +9,18 @@ module Contrast
       # This module will hold the response types used to generate
       # attack result.
       module ResponseType
-        BLOCKED             = :BLOCKED.cs__freeze
-        MONITORED           = :MONITORED.cs__freeze
-        PROBED              = :PROBED.cs__freeze
-        BLOCK_AT_PERIMETER  = :BLOCK_AT_PERIMETER.cs__freeze
-        SUSPICIOUS          = :SUSPICIOUS.cs__freeze
-        AGGREGATED          = :AGGREGATED.cs__freeze
-        EXPLOITED           = :EXPLOITED.cs__freeze
-        NO_ACTION           = :NO_ACTION.cs__freeze
+        BLOCKED               = :BLOCKED.cs__freeze
+        MONITORED             = :MONITORED.cs__freeze
+        PROBED                = :PROBED.cs__freeze
+        BLOCKED_AT_PERIMETER  = :BLOCKED_AT_PERIMETER.cs__freeze
+        SUSPICIOUS            = :SUSPICIOUS.cs__freeze
+        AGGREGATED            = :AGGREGATED.cs__freeze
+        EXPLOITED             = :EXPLOITED.cs__freeze
+        NO_ACTION             = :NO_ACTION.cs__freeze
 
         class << self
           def to_a
-            [NO_ACTION, BLOCKED, MONITORED, PROBED, BLOCK_AT_PERIMETER, EXPLOITED, SUSPICIOUS, AGGREGATED]
+            [NO_ACTION, BLOCKED, MONITORED, PROBED, BLOCKED_AT_PERIMETER, EXPLOITED, SUSPICIOUS, AGGREGATED]
           end
         end
       end

data/lib/contrast/agent/reporting/attack_result/user_input.rb

@@ -81,6 +81,17 @@ module Contrast
         def matcher_ids= ids
           @_matcher_ids = ids if ids.is_a?(Array) && ids.any?(String)
         end
+
+        def to_controlled_hash
+          {
+              path: path,
+              key: key,
+              value: value,
+              inputType: input_type.to_s,
+              documentType: document_type.to_s,
+              matcherIds: matcher_ids&.map(&:to_s)
+          }
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/details/bot_blocker_details.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Bot blocker IA result details info.
+        class BotBlockerDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :bot
+          # User agent header value
+          #
+          # @return [String]
+          attr_accessor :user_agent
+
+          def to_controlled_hash
+            {
+                bot: bot,
+                userAgent: user_agent
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/cmd_injection_details.rb

@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # CMDI IA result details info.
+        class CmdInjectionDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :cmd
+          # @return [Integer]
+          attr_accessor :start_idx
+          # @return [Integer]
+          attr_accessor :end_idx
+
+          def to_controlled_hash
+            {
+                command: cmd,
+                startIndex: start_idx,
+                endIndex: end_idx
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/details.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/bot_blocker_details'
+require 'contrast/agent/reporting/details/cmd_injection_details'
+require 'contrast/agent/reporting/details/http_method_tempering_details'
+require 'contrast/agent/reporting/details/no_sqli_details'
+require 'contrast/agent/reporting/details/path_traversal_details'
+require 'contrast/agent/reporting/details/protect_rule_details'
+require 'contrast/agent/reporting/details/sqli_details'
+require 'contrast/agent/reporting/details/untrusted_deserialization_details'
+require 'contrast/agent/reporting/details/xss_match'
+require 'contrast/agent/reporting/details/xss_details'
+require 'contrast/agent/reporting/details/xxe_details'
+require 'contrast/agent/reporting/details/xxe_match'
+require 'contrast/agent/reporting/details/xxe_wrapper'
+require 'contrast/agent/reporting/details/virtual_patch_details'
+require 'contrast/agent/reporting/details/ip_denylist_details'

data/lib/contrast/agent/reporting/details/http_method_tempering_details.rb

@@ -0,0 +1,27 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # HttpMethodTemperingDetails IA result details info.
+        class HttpMethodTemperingDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :method
+          # @return [Integer]
+          attr_accessor :response_code
+
+          def to_controlled_hash
+            {
+                method: method, # rubocop:disable Security/Object/Method
+                responseCode: response_code
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/ip_denylist_details.rb

@@ -0,0 +1,35 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # Bot blocker IA result details info.
+        class IpDenylistDetails < ProtectRuleDetails
+          # @return [String]
+          attr_reader :ip
+          # @return [String]
+          attr_reader :uuid
+
+          # @param ip [String] the IP address that was blocked
+          # @param uuid [String] the UUID to identify the block rule in TeamServer
+          def initialize ip, uuid
+            @ip = ip
+            @uuid = uuid
+            super()
+          end
+
+          def to_controlled_hash
+            {
+                ip: ip,
+                uuid: uuid
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/no_sqli_details.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # NoSqliDetails IA result details info.
+        class NoSqliDetails < ProtectRuleDetails
+          # @return [Integer]
+          attr_accessor :start_idx
+          # @return [Integer]
+          attr_accessor :end_idx
+          # @return [Integer]
+          attr_accessor :boundary_overrun_idx
+          # @return [Integer]
+          attr_accessor :input_boundary_idx
+          # @return [String]
+          attr_accessor :query
+
+          def to_controlled_hash
+            {
+                start: start_idx,
+                end: end_idx,
+                boundaryOverrunIndex: boundary_overrun_idx,
+                inputBoundaryIndex: input_boundary_idx,
+                query: query
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/path_traversal_details.rb

@@ -0,0 +1,24 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # PathTraversalDetails IA result details info.
+        class PathTraversalDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :path
+
+          def to_controlled_hash
+            {
+                path: path
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb

@@ -0,0 +1,32 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # PathTraversalDetails IA result details info.
+        class PathTraversalSemanticAnalysisDetails < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :path
+          # @return [Array<Symbol>]
+          attr_accessor :findings
+
+          def initialize
+            @findings = []
+            super
+          end
+
+          def to_controlled_hash
+            {
+                path: path,
+                findings: findings&.map(&:to_s)
+            }
+          end
+        end
+      end
+    end
+  end
+end