contrast-agent 6.6.5 → 6.7.0

data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb

@@ -0,0 +1,67 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/sqli_dangerous_functions'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This class will include the check for SQL Injection Semantic Dangerous Functions
+        class SqliDangerousFunctions < Contrast::Agent::Protect::Rule::SqliBaseRule
+          NAME = 'sql-injection-semantic-dangerous-functions'
+          BLOCK_MESSAGE = 'SQLi Semantic Dangerous Functions rule triggered. Response blocked.'
+
+          SQL_DANGEROUS_FUNCTIONS = %w[unhex waitfor xp_cmdshell exec].cs__freeze
+
+          def rule_name
+            NAME
+          end
+
+          def infilter context, query_string
+            return unless infilter?(context)
+            return unless violated?(query_string)
+
+            result = build_violation(context, query_string)
+            return unless result
+
+            append_to_activity(context, result)
+
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          end
+
+          protected
+
+          def violated? attack_string
+            SQL_DANGEROUS_FUNCTIONS.any? { |dang_func| attack_string.downcase.include?(dang_func) }
+          end
+
+          def build_violation context, potential_attack_string
+            result = build_attack_result(context)
+            update_successful_attack_response(context, nil, result, potential_attack_string)
+            append_sample(context, nil, result, potential_attack_string)
+            result
+          end
+
+          # Override if rule can make use of the candidate string or kwargs to
+          # build rasp rule sample.
+          def build_sample context, ia_result, candidate_string, **_kwargs
+            sample = build_base_sample(context, nil)
+            sample.details = Contrast::Agent::Reporting::Details::SqliDangerousFunctions.new
+            sample.details.query = candidate_string
+
+            if ia_result.nil?
+              ui = Contrast::Agent::Reporting::UserInput.new
+              ui.input_type = :UNKNOWN
+              ui.value = candidate_string
+              sample.user_input = ui
+            end
+
+            sample
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -5,13 +5,15 @@ require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
 require 'contrast/agent/protect/rule/sql_sample_builder'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/sqli/sqli_base_rule'
+require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect SQL Injection rule.
-        class Sqli < Contrast::Agent::Protect::Rule::BaseService
+        class Sqli < Contrast::Agent::Protect::Rule::SqliBaseRule
           # Generate a sample for the SQLI injection detection rule, allowing for reporting to and rendering
           # by TeamServer
           include SqlSampleBuilder::SqliSample
@@ -22,28 +24,9 @@ module Contrast
             include Contrast::Agent::Reporting::InputType
           end
 
-          APPLICABLE_USER_INPUTS = [
-            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
-            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
-            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
-            XML_VALUE, DWR_VALUE
-          ].cs__freeze
           NAME = 'sql-injection'
-          BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  start: attack_sample.sqli.start_idx,
-                  end: attack_sample.sqli.end_idx,
-                  boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
-                  inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
-                  query: attack_sample.sqli.query
-              }
-            end
-          end
+          SUB_RULES = [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
 
           def rule_name
             NAME
@@ -53,16 +36,8 @@ module Contrast
             BLOCK_MESSAGE
           end
 
-          def infilter context, database, query_string
-            return unless infilter?(context)
-
-            result = find_attacker(context, query_string, database: database)
-            return unless result
-
-            append_to_activity(context, result)
-
-            cef_logging(result, :successful_attack, value: query_string)
-            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          def sub_rules
+            SUB_RULES
           end
         end
       end

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -59,6 +59,8 @@ module Contrast
           # @raise [Contrast::SecurityException] Security exception if an XXE
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
+            return if protect_excluded_by_url?(context)
+
             result = find_attacker(context, xml, framework: framework)
             return unless result
 

data/lib/contrast/agent/protect/rule.rb

@@ -28,12 +28,14 @@ require 'contrast/agent/protect/rule/sqli/default_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/mysql_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/postgres_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/sqlite_sql_scanner'
+require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 
 # The classes required for Path Traversal
 require 'contrast/agent/protect/rule/path_traversal'
 
-# The classes required for Command Injection
+# The classes required for Command Injection and sub-rules
 require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/protect/rule/cmdi/cmdi_backdoors'
 
 # The classes required for XXE
 require 'contrast/agent/protect/rule/xxe'

data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb

@@ -25,6 +25,10 @@ module Contrast
         attr_accessor :virtual_patch
 
         class << self
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
           def build context, ia_result
             sample = new
             sample.time_stamp = context&.timer&.start_ms
@@ -35,6 +39,8 @@ module Contrast
             sample
           end
 
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
           def build_user_input_from_ia ia_result
             # TODO: RUBY-99999 remove once only using Agent IA
             result = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult)

data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb

@@ -0,0 +1,22 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/protect_rule_details'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Details
+        # SqliDangerousFunctions IA result details info.
+        class SqliDangerousFunctions < ProtectRuleDetails
+          # @return [String]
+          attr_accessor :query
+
+          def to_controlled_hash
+            { query: query }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporter.rb

@@ -125,8 +125,7 @@ module Contrast
       #
       # @return [Boolean]
       def app_create_complete?
-        return true if Contrast::CONTRAST_SERVICE.use_agent_communication?
-        return true if Contrast::Agent.messaging_queue&.speedracer&.status&.startup_messages_sent?
+        return true if Contrast::APP_CONTEXT.session_id
 
         logger.debug('Service startup incomplete; Application may not be created; sleeping')
         sleep(5)

data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb

@@ -23,8 +23,8 @@ module Contrast
 
         def to_controlled_hash
           {
-              environment: ::Contrast::CONFIG.root.server.environment,
-              tags: ::Contrast::CONFIG.root.server.tags,
+              environment: ::Contrast::CONFIG.server.environment,
+              tags: ::Contrast::CONFIG.server.tags,
               version: Contrast::Agent::VERSION
           }
         end

data/lib/contrast/agent/reporting/reporting_events/application_activity.rb

@@ -19,14 +19,11 @@ module Contrast
         attr_accessor :query_count
         # @return [Array]
         attr_accessor :routes
-        # @return [Array]
-        attr_accessor :dynamic_sources
         # @return [Contrast::Agent::Response]
         attr_accessor :response
 
         def initialize
           @routes = []
-          @dynamic_sources = {}
           @query_count = 0
           @event_method = :PUT
           @event_type = :application_activity
@@ -77,7 +74,7 @@ module Contrast
             results << case response_type
                        when BLOCKED, BLOCK_AT_PERIMETER
                          attacker.protection_rules[rule_id].blocked
-                       when EXPLOITED
+                       when MONITORED
                          attacker.protection_rules[rule_id].exploited
                        when PROBED
                          attacker.protection_rules[rule_id].ineffective

data/lib/contrast/agent/reporting/reporting_events/application_startup.rb

@@ -27,7 +27,7 @@ module Contrast
         #
         # @return [Hash]
         def to_controlled_hash
-          app_config = ::Contrast::CONFIG.root.application
+          app_config = ::Contrast::CONFIG.application
           {
               code: app_config.code,
               group: app_config.group,

data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb

@@ -29,18 +29,6 @@ module Contrast
         AC_TYPE_DB = 'db'
         VALID_TYPES = %w[db ldap ws].cs__freeze
 
-        # class << self
-        #   # Convert a DTM for SpeedRacer to an Event for TeamServer.
-        #   #
-        #   # @param component_dtm [Contrast::Api::Dtm::ArchitectureComponent]
-        #   # @return [Contrast::Agent::Reporting::ArchitectureComponent]
-        #   def convert component_dtm
-        #     report = new
-        #     report.attach_data(component_dtm)
-        #     report
-        #   end
-        # end
-
         class << self
           def build_database
             msg = new
@@ -49,17 +37,6 @@ module Contrast
           end
         end
 
-        # # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly.
-        # #
-        # # @param component_dtm [Contrast::Api::Dtm::ArchitectureComponent]
-        # def attach_data component_dtm
-        #   @remote_host = component_dtm.remote_host
-        #   @remote_port = component_dtm.remote_port
-        #   @type = component_dtm.type
-        #   @url = component_dtm.url
-        #   @vendor = component_dtm.vendor
-        # end
-
         # Convert the instance variables on the class, and other information, into the identifiers required for
         # TeamServer to process the JSON form of this message.
         #

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -29,14 +29,14 @@ module Contrast
         # @return [Array<Contrast::Agent::Reporting::FindingEvent>] the events associated with this finding, if the
         #   finding is event (dataflow) based.
         attr_reader :events
-        # @return [String] the evidence associated with this finding, if the finding is event based. deprecated in
-        #   favor of properties
+        # # @return [String] the evidence associated with this finding, if the finding is event based. deprecated in
+        # #   favor of properties
         # attr_reader :evidence
         # @return [Hash<String,String>] properties that prove the violation of the rule for this finding
         attr_reader :properties
         # @return [Contrast::Agent::Reporting::FindingRequest] the request associated with this finding, if the finding
         #   is request based
-        attr_reader :request
+        attr_accessor :request
         # @return [String] the uniquely identifying hash of this finding
         attr_accessor :hash_code
 
@@ -54,16 +54,6 @@ module Contrast
           xxssprotection-header-disabled
         ].cs__freeze
 
-        class << self
-          # @param finding_dtm [Contrast::Api::Dtm::Finding]
-          # @return [Contrast::Agent::Reporting::Finding]
-          def convert finding_dtm
-            report = new(finding_dtm.rule_id)
-            report.attach_property_data(finding_dtm)
-            report
-          end
-        end
-
         def initialize rule_id
           @event_method = :PUT
           @event_endpoint = "#{ Contrast::API.api_url }/api/ng/traces"
@@ -100,28 +90,10 @@ module Contrast
           event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
           contrast_event = Contrast::Agent::Assess::ContrastEvent.new(event_data)
           events << Contrast::Agent::Reporting::FindingEvent.convert(contrast_event)
-          attach_properties
           return unless request
 
           @request = Contrast::Agent::Reporting::FindingRequest.convert(request)
-          @routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route) if request.route
-        end
-
-        # Attach the data from a Contrast::Api::Dtm::Finding required for property based findings generated during
-        # response analysis.
-        #
-        # @param finding_dtm [Contrast::Api::Dtm::Finding]
-        def attach_property_data finding_dtm
-          @hash_code = finding_dtm.hash_code
-          @rule_id = finding_dtm.rule_id
-          finding_dtm.properties.each_pair do |key, value|
-            @properties[key] = value
-          end
-          finding_dtm.routes.each do |route|
-            @routes << Contrast::Agent::Reporting::RouteDiscovery.convert(route)
-          end
-          request = Contrast::Agent::REQUEST_TRACKER.current&.request
-          @request = Contrast::Agent::Reporting::FindingRequest.convert(request) if request
+          @routes << request.discovered_route if request.discovered_route
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -137,16 +109,9 @@ module Contrast
             return
           end
 
-          hsh = {
-              created: created,
-              hash: hash_code.to_s,
-              ruleId: rule_id,
-              session_id: ::Contrast::ASSESS.session_id,
-              version: 4
-          }
-          hsh[:events] = events.map(&:to_controlled_hash) if event_based?
-          # hsh[:evidence] = evidence unless event_based? || property_based?
-          hsh[:properties] = properties if property_based?
+          hsh = base_hash
+          hsh[:events] = events.map(&:to_controlled_hash) if events.any?
+          hsh[:properties] = properties if properties.any?
           hsh[:tags] = Contrast::ASSESS.tags if Contrast::ASSESS.tags
           return hsh unless request_based?
 
@@ -155,6 +120,17 @@ module Contrast
           hsh
         end
 
+        # @return [Hash] the base of every finding, regardless of type
+        def base_hash
+          {
+              created: created,
+              hash: hash_code.to_s,
+              ruleId: rule_id,
+              session_id: ::Contrast::ASSESS.session_id,
+              version: 4
+          }
+        end
+
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
@@ -174,12 +150,6 @@ module Contrast
 
         private
 
-        # Our events have properties on them. To report them to TeamServer, we need to pull them from our object up to
-        # the Contrast::Agent::Reporting::Finding level.
-        #
-        # TODO: RUBY-99999 put properties on events, not just on DTM
-        def attach_properties; end
-
         def build_events events, event
           return unless event
 
@@ -196,7 +166,7 @@ module Contrast
         #
         # @return [Boolean]
         def event_based?
-          !property_based? && !config_based?
+          !property_based? && !config_based? && !hardcoded?
         end
 
         # Rules which are property based must have a property to be sent to TeamServer. Eventually, each rule may own

data/lib/contrast/agent/reporting/reporting_events/finding_event.rb

@@ -100,6 +100,10 @@ module Contrast
           end
         end
 
+        def initialize
+          @event_sources = []
+        end
+
         # Parse the data from a Contrast::Agent::Assess::ContrastEvent to attach what is required for reporting to
         # TeamServer to this Contrast::Agent::Reporting::FindingEvent
         #
@@ -208,11 +212,9 @@ module Contrast
         #
         # @param event [Contrast::Agent::Assess::ContrastEvent]
         def event_sources! event
-          @event_sources = []
           return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
 
-          source = Contrast::Agent::Reporting::FindingEventSource.convert(event)
-          event_sources << source if source
+          event_sources << event.event_source if event.event_source
         end
 
         # Convert the parent id's of the given ContrastEvent to the reportable form for this FindingEvent.
@@ -237,12 +239,13 @@ module Contrast
         #
         # @param event [Contrast::Agent::Assess::ContrastEvent]
         def stack! event
-          @stack = []
-          event.stack_trace.each do |stack_event|
-            if (report = Contrast::Agent::Reporting::FindingEventStack.convert(stack_event))
-              stack << report
-            end
-          end
+          @stack = if event.stack_trace
+                     event.stack_trace.compact.map! do |stack_event|
+                       Contrast::Agent::Reporting::FindingEventStack.new(stack_event)
+                     end
+                   else
+                     Contrast::Utils::ObjectShare::EMPTY_ARRAY
+                   end
         end
 
         # Convert the taint ranges of the given ContrastEvent to the reportable form for this FindingEvent.

data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb

@@ -61,7 +61,7 @@ module Contrast
           # 8 is STATIC in Java... we have to placate them for now it has been requested that flags be removed since it
           # isn't used
           @flags = 8 unless node.instance_method?
-          @method_name = node.method_name
+          @method_name = node.method_name.to_s
           @return_type = type_name(event.ret)
           # if there's a ret, then this method isn't nil. not 100% full proof since you can return nil, but this is the
           # best we've got currently.

data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require 'base64'
-require 'contrast/agent/assess/contrast_event'
-require 'contrast/agent/assess/events/source_event'
 require 'contrast/components/logger'
 
 module Contrast
@@ -21,25 +19,11 @@ module Contrast
         # @return [String] the type of the source
         attr_reader :type
 
-        class << self
-          # @param event [Contrast::Agent::Assess::Events::ContrastEvent] the event to pull the source off of
-          # @return [Contrast::Agent::Reporting::FindingEventSource]
-          def convert event
-            return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
-
-            report = new
-            report.attach_data(event)
-            report
-          end
-        end
-
-        # Parse the data from a Contrast::Agent::Assess::Events::SourceEvent to attach what is required for reporting
-        # to TeamServer to this Contrast::Agent::Reporting::FindingEventSource
-        #
-        # @param event [Contrast::Agent::Assess::Events::SourceEvent] the event to pull the source off of
-        def attach_data event
-          @name = event.source_name
-          @type = event.source_type
+        # @param type [String]
+        # @param name [String]
+        def initialize type, name
+          @type = type
+          @name = name
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -61,6 +45,24 @@ module Contrast
           }
         end
 
+        # Convert this EventSource into the format expected for route observation
+        #
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_observation_hash
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventSource observation validation failed with: ', e)
+            return
+          end
+
+          {
+              name: name, # rubocop:disable Security/Module/Name
+              type: type
+          }
+        end
+
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type && !type.empty?

data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb

@@ -28,25 +28,12 @@ module Contrast
 
         AGENT_CLASS_MARKER = '/lib/contrast/'
 
-        class << self
-          # @param stack [String]
-          # @return [Contrast::Agent::Reporting::FindingEventStack,nil]
-          def convert stack
-            return unless stack
-            return if stack.include?(AGENT_CLASS_MARKER)
-
-            report = new
-            report.attach_data(stack)
-            report
-          end
-        end
-
-        # Parse the data from a Contrast::Agent::Assess::Tag to attach what is required for reporting to TeamServer to
-        # this Contrast::Agent::Reporting::FindingEventTaintRange
+        # To play nice with the way that TeamServer is rendering these values, we only populate the file_name field with
+        # exactly what we want them to display.
         #
-        # @param stack [String]
-        def attach_data stack
-          @file = stack
+        # @param file_name [String] the caller location this stack frame represents.
+        def initialize file_name
+          @file = file_name
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for

data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/tag'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
 require 'contrast/components/logger'
 
 module Contrast

data/lib/contrast/{api/decorators/trace_taint_range_tags.rb → agent/reporting/reporting_events/finding_event_taint_range_tags.rb}

@@ -2,13 +2,13 @@
 # frozen_string_literal: true
 
 module Contrast
-  module Api
-    module Decorators
-      # A holder for the valid tags that can be sent to the Service, and
-      # ultimately TS, that we have to honor. Placed here so as not to clutter
-      # other code.
-      module TraceTaintRangeTags
+  module Agent
+    module Reporting
+      # A holder for the valid tags that can be sent to TeamServer that we have to honor. Placed here so as not to
+      # clutter other code.
+      module FindingEventTaintRangeTags
         # EventTagTypeDTM
+        # @return [Array<Symbol>]
         VALID_TAGS = %w[
           XML_ENCODED
           XML_DECODED
@@ -97,6 +97,7 @@ module Contrast
           DATABASE_WRITE
         ].cs__freeze
 
+        # @return [Array<Symbol>]
         VALID_SOURCE_TAGS = %w[NO_NEWLINES UNTRUSTED CROSS_SITE LIMITED_CHARS].cs__freeze
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -40,7 +40,7 @@ module Contrast
         # @return [Hash]
         attr_reader :cookies
         # REMOVE_DTM_REQUEST
-        # @return [Contrast::Api::Dtm::RawRequest]
+        # @return [Contrast::Api::Dtm::HttpRequest]
         attr_reader :dtm
 
         class << self

data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb

@@ -11,7 +11,7 @@ module Contrast
         include Contrast::Components::Logger::InstanceMethods
 
         # @param [String] Sha256Sum of library as identified by the agent
-        attr_accessor :id
+        attr_reader :id
         # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
         attr_reader :names
 

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb

@@ -24,7 +24,7 @@ module Contrast
         attr_accessor :url
         # @param [String] the HTTP Verb used  to access the method in the route.
         attr_accessor :verb
-        # @param [Array<Contrast::Agent::Reporting::TraceEventSource>] the sources of user input accessed during this
+        # @param [Array<Contrast::Agent::Reporting::FindingEventSource>] the sources of user input accessed during this
         #   request. Used for remediation determinations in TeamServer.
         attr_reader :sources
 
@@ -56,7 +56,7 @@ module Contrast
 
           {
               session_id: ::Contrast::ASSESS.session_id,
-              sources: @sources.map(&:to_controlled_hash),
+              sources: @sources.map(&:to_controlled_observation_hash),
               signature: @signature,
               verb: @verb,
               url: @url