contrast-agent 6.7.0 → 6.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +0 -2
- data/.simplecov +0 -1
- data/Rakefile +0 -1
- data/ext/cs__assess_array/cs__assess_array.c +41 -10
- data/ext/cs__assess_array/cs__assess_array.h +4 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +2 -2
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
- data/lib/contrast/agent/excluder.rb +52 -34
- data/lib/contrast/agent/exclusion_matcher.rb +21 -9
- data/lib/contrast/agent/middleware.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +45 -53
- data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +18 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +69 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +68 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
- data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +38 -12
- data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
- data/lib/contrast/agent/protect/rule/sqli.rb +70 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
- data/lib/contrast/agent/protect/rule/xss.rb +14 -20
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +18 -39
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
- data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
- data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
- data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
- data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
- data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
- data/lib/contrast/agent/reporting/reporter.rb +1 -14
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +15 -12
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +4 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +0 -3
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +1 -0
- data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
- data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
- data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
- data/lib/contrast/agent/request.rb +2 -14
- data/lib/contrast/agent/request_context.rb +6 -9
- data/lib/contrast/agent/request_context_extend.rb +9 -148
- data/lib/contrast/agent/thread_watcher.rb +3 -18
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +0 -11
- data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
- data/lib/contrast/agent_lib/api/init.rb +101 -0
- data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
- data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
- data/lib/contrast/agent_lib/api/panic.rb +87 -0
- data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
- data/lib/contrast/agent_lib/interface.rb +260 -0
- data/lib/contrast/agent_lib/interface_base.rb +118 -0
- data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
- data/lib/contrast/agent_lib/test.rb +29 -0
- data/lib/contrast/api/communication/connection_status.rb +5 -5
- data/lib/contrast/components/agent.rb +0 -14
- data/lib/contrast/components/app_context.rb +0 -2
- data/lib/contrast/components/app_context_extend.rb +0 -25
- data/lib/contrast/components/config.rb +1 -18
- data/lib/contrast/components/protect.rb +4 -1
- data/lib/contrast/components/ruby_component.rb +1 -1
- data/lib/contrast/components/settings.rb +37 -89
- data/lib/contrast/config/protect_rule_configuration.rb +7 -7
- data/lib/contrast/config/protect_rules_configuration.rb +20 -58
- data/lib/contrast/configuration.rb +1 -10
- data/lib/contrast/extension/assess/array.rb +9 -0
- data/lib/contrast/extension/delegator.rb +2 -0
- data/lib/contrast/framework/manager.rb +3 -1
- data/lib/contrast/framework/rails/railtie.rb +0 -1
- data/lib/contrast/framework/rails/support.rb +0 -1
- data/lib/contrast/tasks/config.rb +1 -8
- data/lib/contrast/utils/duck_utils.rb +1 -0
- data/lib/contrast/utils/input_classification_base.rb +156 -0
- data/lib/contrast/utils/os.rb +0 -20
- data/lib/contrast/utils/response_utils.rb +0 -16
- data/lib/contrast/utils/stack_trace_utils.rb +3 -15
- data/lib/contrast/utils/string_utils.rb +10 -7
- data/lib/contrast.rb +2 -3
- data/resources/protect/policy.json +1 -2
- data/ruby-agent.gemspec +2 -5
- metadata +42 -112
- data/exe/contrast_service +0 -23
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
- data/lib/contrast/agent/reaction_processor.rb +0 -47
- data/lib/contrast/agent/service_heartbeat.rb +0 -35
- data/lib/contrast/api/communication/messaging_queue.rb +0 -128
- data/lib/contrast/api/communication/response_processor.rb +0 -90
- data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
- data/lib/contrast/api/communication/socket.rb +0 -44
- data/lib/contrast/api/communication/socket_client.rb +0 -130
- data/lib/contrast/api/communication/speedracer.rb +0 -138
- data/lib/contrast/api/communication/tcp_socket.rb +0 -32
- data/lib/contrast/api/communication/unix_socket.rb +0 -28
- data/lib/contrast/api/communication.rb +0 -20
- data/lib/contrast/api/decorators/address.rb +0 -59
- data/lib/contrast/api/decorators/agent_startup.rb +0 -56
- data/lib/contrast/api/decorators/application_settings.rb +0 -43
- data/lib/contrast/api/decorators/application_startup.rb +0 -56
- data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
- data/lib/contrast/api/decorators/http_request.rb +0 -137
- data/lib/contrast/api/decorators/input_analysis.rb +0 -18
- data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
- data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
- data/lib/contrast/api/decorators/message.rb +0 -67
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
- data/lib/contrast/api/decorators/response_type.rb +0 -17
- data/lib/contrast/api/decorators/server_features.rb +0 -25
- data/lib/contrast/api/decorators/user_input.rb +0 -51
- data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
- data/lib/contrast/api/decorators.rb +0 -22
- data/lib/contrast/api/dtm.pb.rb +0 -363
- data/lib/contrast/api/settings.pb.rb +0 -500
- data/lib/contrast/api.rb +0 -16
- data/lib/contrast/components/contrast_service.rb +0 -88
- data/lib/contrast/components/service.rb +0 -55
- data/lib/contrast/tasks/service.rb +0 -84
- data/lib/contrast/utils/input_classification.rb +0 -73
- data/lib/protobuf/code_generator.rb +0 -129
- data/lib/protobuf/decoder.rb +0 -28
- data/lib/protobuf/deprecation.rb +0 -117
- data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
- data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
- data/lib/protobuf/descriptors.rb +0 -3
- data/lib/protobuf/encoder.rb +0 -11
- data/lib/protobuf/enum.rb +0 -365
- data/lib/protobuf/exceptions.rb +0 -9
- data/lib/protobuf/field/base_field.rb +0 -380
- data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
- data/lib/protobuf/field/bool_field.rb +0 -64
- data/lib/protobuf/field/bytes_field.rb +0 -67
- data/lib/protobuf/field/double_field.rb +0 -25
- data/lib/protobuf/field/enum_field.rb +0 -56
- data/lib/protobuf/field/field_array.rb +0 -102
- data/lib/protobuf/field/field_hash.rb +0 -122
- data/lib/protobuf/field/fixed32_field.rb +0 -25
- data/lib/protobuf/field/fixed64_field.rb +0 -28
- data/lib/protobuf/field/float_field.rb +0 -43
- data/lib/protobuf/field/int32_field.rb +0 -21
- data/lib/protobuf/field/int64_field.rb +0 -34
- data/lib/protobuf/field/integer_field.rb +0 -23
- data/lib/protobuf/field/message_field.rb +0 -51
- data/lib/protobuf/field/sfixed32_field.rb +0 -27
- data/lib/protobuf/field/sfixed64_field.rb +0 -28
- data/lib/protobuf/field/signed_integer_field.rb +0 -29
- data/lib/protobuf/field/sint32_field.rb +0 -21
- data/lib/protobuf/field/sint64_field.rb +0 -21
- data/lib/protobuf/field/string_field.rb +0 -51
- data/lib/protobuf/field/uint32_field.rb +0 -21
- data/lib/protobuf/field/uint64_field.rb +0 -21
- data/lib/protobuf/field/varint_field.rb +0 -77
- data/lib/protobuf/field.rb +0 -74
- data/lib/protobuf/generators/base.rb +0 -85
- data/lib/protobuf/generators/enum_generator.rb +0 -39
- data/lib/protobuf/generators/extension_generator.rb +0 -27
- data/lib/protobuf/generators/field_generator.rb +0 -193
- data/lib/protobuf/generators/file_generator.rb +0 -262
- data/lib/protobuf/generators/group_generator.rb +0 -122
- data/lib/protobuf/generators/message_generator.rb +0 -104
- data/lib/protobuf/generators/option_generator.rb +0 -17
- data/lib/protobuf/generators/printable.rb +0 -160
- data/lib/protobuf/generators/service_generator.rb +0 -50
- data/lib/protobuf/lifecycle.rb +0 -33
- data/lib/protobuf/logging.rb +0 -39
- data/lib/protobuf/message/fields.rb +0 -233
- data/lib/protobuf/message/serialization.rb +0 -85
- data/lib/protobuf/message.rb +0 -241
- data/lib/protobuf/optionable.rb +0 -72
- data/lib/protobuf/tasks/compile.rake +0 -80
- data/lib/protobuf/tasks.rb +0 -1
- data/lib/protobuf/varint.rb +0 -20
- data/lib/protobuf/varint_pure.rb +0 -31
- data/lib/protobuf/version.rb +0 -3
- data/lib/protobuf/wire_type.rb +0 -10
- data/lib/protobuf.rb +0 -91
- data/proto/dynamic_discovery.proto +0 -46
- data/proto/google/protobuf/compiler/plugin.proto +0 -183
- data/proto/google/protobuf/descriptor.proto +0 -911
- data/proto/rpc.proto +0 -71
- data/service_executables/.gitkeep +0 -0
- data/service_executables/VERSION +0 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
@@ -1,13 +1,10 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/utils/object_share'
|
5
|
-
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
4
|
require 'contrast/agent/protect/rule/cmd_injection'
|
7
5
|
require 'contrast/agent/reporting/input_analysis/score_level'
|
8
|
-
require 'contrast/agent/protect/rule/cmdi/cmdi_worth_watching'
|
9
6
|
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
10
|
-
require 'contrast/utils/
|
7
|
+
require 'contrast/utils/input_classification_base'
|
11
8
|
require 'contrast/components/logger'
|
12
9
|
|
13
10
|
module Contrast
|
@@ -18,63 +15,10 @@ module Contrast
|
|
18
15
|
# as a result input would be marked as WORTHWATCHING or IGNORE,
|
19
16
|
# to be analyzed at the sink level.
|
20
17
|
module CmdiInputClassification
|
18
|
+
WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'.cs__freeze
|
21
19
|
class << self
|
22
20
|
include InputClassificationBase
|
23
|
-
include Contrast::Agent::Protect::Rule::CmdiWorthWatching
|
24
21
|
include Contrast::Components::Logger::InstanceMethods
|
25
|
-
|
26
|
-
WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'
|
27
|
-
CMDI_KEYS_NEEDED = [
|
28
|
-
COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
|
29
|
-
].cs__freeze
|
30
|
-
|
31
|
-
# This method will determine actually if the user input is WORTHWATCHING
|
32
|
-
#
|
33
|
-
# @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
|
34
|
-
# @param value [String, Array<String>] the value of the input
|
35
|
-
# @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
|
36
|
-
# analysis from the current request.
|
37
|
-
def classify input_type, value, input_analysis
|
38
|
-
return unless Contrast::Agent::Protect::Rule::CmdInjection::APPLICABLE_USER_INPUTS.include?(input_type)
|
39
|
-
return unless super
|
40
|
-
|
41
|
-
rule_id = Contrast::Agent::Protect::Rule::CmdInjection::NAME
|
42
|
-
|
43
|
-
Array(value).each do |val|
|
44
|
-
Array(val).each do |v|
|
45
|
-
input_analysis.results << cmdi_create_new_input_result(input_analysis.request, rule_id, input_type, v)
|
46
|
-
end
|
47
|
-
end
|
48
|
-
|
49
|
-
input_analysis
|
50
|
-
rescue StandardError => e
|
51
|
-
logger.debug('An Error was recorded in the input classification of the cmdi.')
|
52
|
-
logger.debug(e)
|
53
|
-
end
|
54
|
-
|
55
|
-
private
|
56
|
-
|
57
|
-
# This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
|
58
|
-
# key if needed and Creates new instance of InputAnalysisResult.
|
59
|
-
#
|
60
|
-
# @param request [Contrast::Agent::Request] the current request context.
|
61
|
-
# @param rule_id [String] The name of the Protect Rule.
|
62
|
-
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
63
|
-
# @param value [String, Array<String>] the value of the input.
|
64
|
-
#
|
65
|
-
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
66
|
-
def cmdi_create_new_input_result request, rule_id, input_type, value
|
67
|
-
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
68
|
-
if cmdi_worth_watching?(value)
|
69
|
-
ia_result.score_level = WORTHWATCHING
|
70
|
-
ia_result.ids << WORTHWATCHING_MATCH
|
71
|
-
else
|
72
|
-
ia_result.score_level = IGNORE
|
73
|
-
end
|
74
|
-
|
75
|
-
add_needed_key(request, ia_result, input_type, value) if CMDI_KEYS_NEEDED.include?(input_type)
|
76
|
-
ia_result
|
77
|
-
end
|
78
22
|
end
|
79
23
|
end
|
80
24
|
end
|
@@ -5,7 +5,7 @@
|
|
5
5
|
# state, indicating a successful attack using SQL or NoSQL Injection.
|
6
6
|
#
|
7
7
|
# @deprecated RUBY-356: this class and those that extend it are being phased out
|
8
|
-
# in favor of the more performant code in the
|
8
|
+
# in favor of the more performant code in the Agent Library.
|
9
9
|
class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/ClassAndModuleChildren
|
10
10
|
OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
|
11
11
|
|
@@ -43,17 +43,6 @@ module Contrast
|
|
43
43
|
# Used to indicate to TeamServer the gadget is an Arel module
|
44
44
|
AREL = 'Arel'
|
45
45
|
|
46
|
-
class << self
|
47
|
-
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
48
|
-
# @return [Hash] the details for this specific rule
|
49
|
-
def extract_details attack_sample
|
50
|
-
{
|
51
|
-
command: attack_sample.untrusted_deserialization.command,
|
52
|
-
deserializer: attack_sample.untrusted_deserialization.deserializer
|
53
|
-
}
|
54
|
-
end
|
55
|
-
end
|
56
|
-
|
57
46
|
# Return the TeamServer understood id / name of this rule.
|
58
47
|
# @return [String] the TeamServer understood id / name of this rule.
|
59
48
|
def rule_name
|
@@ -127,7 +116,7 @@ module Contrast
|
|
127
116
|
# Build the RaspRuleSample for the detected Deserialization attack.
|
128
117
|
# @param context [Contrast::Agent::RequestContext] the request
|
129
118
|
# context in which this attack is occurring.
|
130
|
-
# @param input_analysis_result [Contrast::
|
119
|
+
# @param input_analysis_result [Contrast::Agent::Reporting::InputAnalysis]
|
131
120
|
# the result of the analysis done by this rule.
|
132
121
|
# @param _candidate_string [nil] unused.
|
133
122
|
# @param kwargs [Hash, nil] Hash of inputs used by this rule to flesh
|
@@ -156,10 +145,10 @@ module Contrast
|
|
156
145
|
# @param gadget_string [String] the input to be deserialized in which
|
157
146
|
# the gadget exists or the command that resulted from deserializing
|
158
147
|
# an input not detected in the initial infilter.
|
159
|
-
# @return [Contrast::
|
148
|
+
# @return [Contrast::Agent::Reporting::InputAnalysisResult] the result
|
160
149
|
# of the analysis done by this rule.
|
161
150
|
def build_evaluation gadget_string
|
162
|
-
ia_result = Contrast::
|
151
|
+
ia_result = Contrast::Agent::Reporting::InputAnalysisResult.new
|
163
152
|
ia_result.rule_id = rule_name
|
164
153
|
ia_result.input_type = :UNKNOWN
|
165
154
|
ia_result.key = INPUT_NAME
|
@@ -5,7 +5,7 @@ require 'contrast/utils/object_share'
|
|
5
5
|
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
6
6
|
require 'contrast/agent/reporting/attack_result/attack_result'
|
7
7
|
require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
|
8
|
-
require 'contrast/utils/
|
8
|
+
require 'contrast/utils/input_classification_base'
|
9
9
|
|
10
10
|
module Contrast
|
11
11
|
module Agent
|
@@ -36,7 +36,7 @@ module Contrast
|
|
36
36
|
#
|
37
37
|
# attack_result = build_attack_result ia_result, rule_id
|
38
38
|
#
|
39
|
-
# if
|
39
|
+
# if :BLOCK != Contrast::PROTECT.rule_mode(rule_id)
|
40
40
|
# attack_result.response = :EXPLOITED
|
41
41
|
# Contrast::Agent::EXPLOITS.push attack_result
|
42
42
|
# return input_analysis
|
@@ -20,17 +20,6 @@ module Contrast
|
|
20
20
|
# UNLOCK UPDATE VERSION-CONTROL
|
21
21
|
# ].cs__freeze
|
22
22
|
|
23
|
-
class << self
|
24
|
-
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
25
|
-
# @return [Hash] the details for this specific rule
|
26
|
-
def extract_details attack_sample
|
27
|
-
{
|
28
|
-
method: attack_sample.method_tampering.method, # rubocop:disable Security/Object/Method
|
29
|
-
responseCode: attack_sample.method_tampering.response_code
|
30
|
-
}
|
31
|
-
end
|
32
|
-
end
|
33
|
-
|
34
23
|
def rule_name
|
35
24
|
NAME
|
36
25
|
end
|
@@ -4,7 +4,7 @@
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
5
|
require 'contrast/agent/protect/rule/no_sqli'
|
6
6
|
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
7
|
-
require 'contrast/utils/
|
7
|
+
require 'contrast/utils/input_classification_base'
|
8
8
|
|
9
9
|
module Contrast
|
10
10
|
module Agent
|
@@ -50,33 +50,26 @@ module Contrast
|
|
50
50
|
NOSQL_WORTH_WATCHING_THRESHOLD = 1
|
51
51
|
NOSQL_CONFIDENCE_THRESHOLD = 3
|
52
52
|
MAX_DISTANCE = 10
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
input_type,
|
74
|
-
v)
|
75
|
-
end
|
76
|
-
end
|
77
|
-
|
78
|
-
input_analysis
|
79
|
-
end
|
53
|
+
DEFAULT_RULE_DEFINITIONS = [
|
54
|
+
{
|
55
|
+
keywords: [],
|
56
|
+
name: 'nosql-injection',
|
57
|
+
patterns: [
|
58
|
+
{
|
59
|
+
caseSensitive: false,
|
60
|
+
id: 'NO-SQLI-1',
|
61
|
+
score: 1,
|
62
|
+
value: '(?:\\{\\s*\".*\"\\s*:.*\\})'
|
63
|
+
},
|
64
|
+
{
|
65
|
+
id: 'NO-SQLI-2',
|
66
|
+
caseSensitive: true,
|
67
|
+
score: 3,
|
68
|
+
value: "(?:\"|')?\\$(?:gte|gt|lt|lte|eq|ne|in|nin|where|mod|all|size|exists|type|slice|or)(?:\"|')?\\s*:.*" # rubocop:disable Layout/LineLength
|
69
|
+
}
|
70
|
+
]
|
71
|
+
}
|
72
|
+
].cs__freeze
|
80
73
|
|
81
74
|
private
|
82
75
|
|
@@ -102,7 +95,7 @@ module Contrast
|
|
102
95
|
# @param value [String, Array<String>] the value of the input.
|
103
96
|
#
|
104
97
|
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
105
|
-
def
|
98
|
+
def create_new_input_result request, rule_id, input_type, value
|
106
99
|
score = evaluate_patterns(value)
|
107
100
|
score = evaluate_rules(value, score)
|
108
101
|
|
@@ -113,8 +106,9 @@ module Contrast
|
|
113
106
|
else
|
114
107
|
IGNORE
|
115
108
|
end
|
116
|
-
|
117
|
-
|
109
|
+
result = new_ia_result(rule_id, input_type, score_level, request.path, value)
|
110
|
+
add_needed_key(request, result, input_type, value)
|
111
|
+
result
|
118
112
|
end
|
119
113
|
|
120
114
|
# This method evaluates the patterns relevant to NoSQL Injection to check whether
|
@@ -125,7 +119,7 @@ module Contrast
|
|
125
119
|
# point is returned.
|
126
120
|
#
|
127
121
|
# @param value [String] the value of the input.
|
128
|
-
# @param
|
122
|
+
# @param total_score [Integer] the total score thus far.
|
129
123
|
#
|
130
124
|
# @return res [Integer]
|
131
125
|
def evaluate_patterns value, total_score = 0
|
@@ -159,7 +153,7 @@ module Contrast
|
|
159
153
|
# point is returned.
|
160
154
|
#
|
161
155
|
# @param value [String] the value of the input.
|
162
|
-
# @param
|
156
|
+
# @param total_score [Integer] the total score thus far.
|
163
157
|
#
|
164
158
|
# @return res [Integer]
|
165
159
|
def evaluate_rules value, total_score = 0
|
@@ -209,7 +203,8 @@ module Contrast
|
|
209
203
|
def nosqli_patterns
|
210
204
|
server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
|
211
205
|
rule_definitions = server_features&.protect&.rule_definition_list
|
212
|
-
rule_definitions
|
206
|
+
rule_definitions = DEFAULT_RULE_DEFINITIONS if rule_definitions.empty?
|
207
|
+
rule_definitions.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
|
213
208
|
end
|
214
209
|
|
215
210
|
def matches_by_position value, pattern
|
@@ -3,6 +3,7 @@
|
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
5
5
|
require 'contrast/agent/protect/rule/sql_sample_builder'
|
6
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
7
|
|
7
8
|
module Contrast
|
8
9
|
module Agent
|
@@ -15,22 +16,16 @@ module Contrast
|
|
15
16
|
include SqlSampleBuilder::NoSqliSample
|
16
17
|
# Defining build_attack_with_match method
|
17
18
|
include SqlSampleBuilder::AttackBuilder
|
19
|
+
include Contrast::Agent::Reporting::InputType
|
18
20
|
|
19
21
|
NAME = 'nosql-injection'
|
20
22
|
BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
end: attack_sample.no_sqli.end_idx,
|
28
|
-
boundaryOverrunIndex: attack_sample.no_sqli.boundary_overrun_idx,
|
29
|
-
inputBoundaryIndex: attack_sample.no_sqli.input_boundary_idx,
|
30
|
-
query: attack_sample.no_sqli.query
|
31
|
-
}
|
32
|
-
end
|
33
|
-
end
|
23
|
+
APPLICABLE_USER_INPUTS = [
|
24
|
+
BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
|
25
|
+
PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
|
26
|
+
MULTIPART_VALUE, MULTIPART_FIELD_NAME,
|
27
|
+
XML_VALUE, DWR_VALUE
|
28
|
+
].cs__freeze
|
34
29
|
|
35
30
|
def rule_name
|
36
31
|
NAME
|
@@ -40,6 +35,10 @@ module Contrast
|
|
40
35
|
BLOCK_MESSAGE
|
41
36
|
end
|
42
37
|
|
38
|
+
def applicable_user_inputs
|
39
|
+
APPLICABLE_USER_INPUTS
|
40
|
+
end
|
41
|
+
|
43
42
|
# @raise [Contrast::SecurityException] if the attack is blocked
|
44
43
|
# raised with BLOCK_MESSAGE
|
45
44
|
def infilter context, database, query_string
|
@@ -55,11 +54,7 @@ module Contrast
|
|
55
54
|
end
|
56
55
|
|
57
56
|
def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
|
58
|
-
if mode ==
|
59
|
-
mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
|
60
|
-
|
61
|
-
return result
|
62
|
-
end
|
57
|
+
return result if mode == :NO_ACTION || mode == :PERMIT
|
63
58
|
|
64
59
|
result ||= build_attack_result(context)
|
65
60
|
update_successful_attack_response(context, input_analysis_result, result, candidate_string)
|
@@ -67,6 +62,18 @@ module Contrast
|
|
67
62
|
result
|
68
63
|
end
|
69
64
|
|
65
|
+
# @param context [Contrast::Agent::RequestContext]
|
66
|
+
def infilter? context
|
67
|
+
return false unless enabled?
|
68
|
+
return false unless context&.agent_input_analysis&.results&.any? do |result|
|
69
|
+
result.rule_id == rule_name
|
70
|
+
end
|
71
|
+
|
72
|
+
return false if protect_excluded_by_code?
|
73
|
+
|
74
|
+
true
|
75
|
+
end
|
76
|
+
|
70
77
|
protected
|
71
78
|
|
72
79
|
def find_attacker context, potential_attack_string, **kwargs
|
@@ -0,0 +1,61 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/input_classification_base'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Protect
|
9
|
+
module Rule
|
10
|
+
# The Ruby implementation of the Protect Path Traversal rule
|
11
|
+
# Input classification
|
12
|
+
module PathTraversalInputClassification
|
13
|
+
PATH_TRAVERSAL_MATCH = 'path-traversal-input-tracing-v1'
|
14
|
+
WORTHWATCHING_MATCH = 'path-traversal-worth-watching-v2'
|
15
|
+
|
16
|
+
THRESHOLD = 90.cs__freeze
|
17
|
+
class << self
|
18
|
+
include InputClassificationBase
|
19
|
+
|
20
|
+
private
|
21
|
+
|
22
|
+
# This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
|
23
|
+
# key if needed and Creates new isntance of InputAnalysisResult.
|
24
|
+
#
|
25
|
+
# @param request [Contrast::Agent::Request] the current request context.
|
26
|
+
# @param rule_id [String] The name of the Protect Rule.
|
27
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
28
|
+
# @param value [String, Array<String>] the value of the input.
|
29
|
+
#
|
30
|
+
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
31
|
+
def create_new_input_result request, rule_id, input_type, value
|
32
|
+
return unless Contrast::AGENT_LIB
|
33
|
+
|
34
|
+
input_eval = Contrast::AGENT_LIB.eval_input(value,
|
35
|
+
convert_input_type(input_type),
|
36
|
+
Contrast::AGENT_LIB.rule_set[rule_id],
|
37
|
+
Contrast::AGENT_LIB.eval_option[:WORTHWATCHING])
|
38
|
+
|
39
|
+
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
40
|
+
score = input_eval&.score || 0
|
41
|
+
if score >= THRESHOLD
|
42
|
+
ia_result.score_level = DEFINITEATTACK
|
43
|
+
ia_result.ids << PATH_TRAVERSAL_MATCH
|
44
|
+
elsif score == 10
|
45
|
+
# There is one pattern to match 10 and thus on its own will be reported as a probe.
|
46
|
+
# This rule can report WORTHWATCHING:
|
47
|
+
# https://protect-spec.prod.dotnet.contsec.com/rules/path-traversal.html#applicable-input-types
|
48
|
+
ia_result.score_level = WORTHWATCHING
|
49
|
+
ia_result.ids << WORTHWATCHING_MATCH
|
50
|
+
else
|
51
|
+
ia_result.score_level = IGNORE
|
52
|
+
end
|
53
|
+
add_needed_key(request, ia_result, input_type, value)
|
54
|
+
ia_result
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb
ADDED
@@ -0,0 +1,114 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/protect/rule/base_service'
|
5
|
+
require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
|
6
|
+
require 'contrast/agent/request_context'
|
7
|
+
require 'contrast/utils/string_utils'
|
8
|
+
require 'contrast/agent_lib/api/path_semantic_file_security_bypass'
|
9
|
+
require 'contrast/agent_lib/interface'
|
10
|
+
|
11
|
+
module Contrast
|
12
|
+
module Agent
|
13
|
+
module Protect
|
14
|
+
module Rule
|
15
|
+
# The Ruby implementation of the Protect Path Traversal Semantic
|
16
|
+
# Bypass sub-rule. This rule should report the attack result
|
17
|
+
class PathTraversalSemanticBypass < Contrast::Agent::Protect::Rule::BaseService
|
18
|
+
NAME = 'path-traversal-semantic-file-security-bypass'
|
19
|
+
# There paths here will eventually be moved
|
20
|
+
|
21
|
+
def rule_name
|
22
|
+
NAME
|
23
|
+
end
|
24
|
+
|
25
|
+
def infilter context, method, path
|
26
|
+
return unless rule_violated?(path)
|
27
|
+
|
28
|
+
result = find_vulnerability(context, path)
|
29
|
+
|
30
|
+
return unless result
|
31
|
+
|
32
|
+
append_to_activity(context, result)
|
33
|
+
return unless blocked?
|
34
|
+
|
35
|
+
result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
|
36
|
+
cef_logging(result, :successful_attack, value: path)
|
37
|
+
exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
|
38
|
+
raise(Contrast::SecurityException.new(self, exception_messasge))
|
39
|
+
end
|
40
|
+
|
41
|
+
protected
|
42
|
+
|
43
|
+
# Check if semantic file security bypass is detected
|
44
|
+
#
|
45
|
+
# @param file_path [String] command to check.
|
46
|
+
# @param is_custom_code[String] whether the file is being accessed by custom (user) code,
|
47
|
+
# rather than framework code
|
48
|
+
# @return result[Integer, nil] returns:
|
49
|
+
# 1 => security bypass is detected.
|
50
|
+
# 0 => no security bypass is detected.
|
51
|
+
def file_security_bypassed? file_path, is_custom_code = nil
|
52
|
+
return false unless (agent_lib = Contrast::AGENT_LIB) || file_path
|
53
|
+
|
54
|
+
custom_call = is_custom_code.nil? ? 0 : 1
|
55
|
+
|
56
|
+
agent_lib.check_path_semantic_security_bypass(file_path, custom_call) == 1
|
57
|
+
end
|
58
|
+
|
59
|
+
def rule_violated? path
|
60
|
+
is_custom_code = custom_code_accessing_system_file?(path)
|
61
|
+
is_custom_code || file_security_bypassed?(path, is_custom_code)
|
62
|
+
end
|
63
|
+
|
64
|
+
def find_vulnerability context, path
|
65
|
+
build_attack_with_match(context, nil, nil, path)
|
66
|
+
end
|
67
|
+
|
68
|
+
def build_sample context, _input_analysis_result, path, **_kwargs
|
69
|
+
sample = build_base_sample(context, nil)
|
70
|
+
sample.details = Contrast::Agent::Reporting::Details::PathTraversalSemanticAnalysisDetails.new
|
71
|
+
path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
|
72
|
+
sample.details.path = path
|
73
|
+
|
74
|
+
is_custom_code = custom_code_accessing_system_file?(path)
|
75
|
+
# This should catch all the types of security breaches in that sub-rule scope
|
76
|
+
# but apparently it's not, because some of the system files is being skipped and not detected,
|
77
|
+
# but for our previous logic - it was expected for certain files to be detected and blocked
|
78
|
+
security_bypassed = file_security_bypassed?(path, is_custom_code)
|
79
|
+
|
80
|
+
# if agent lib sub-rule returns true and is custom code -> assign and report
|
81
|
+
if security_bypassed
|
82
|
+
if is_custom_code
|
83
|
+
sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
|
84
|
+
sample.details.findings << :COMMON_FILE_EXPLOITS if common_file_exploits_enabled?
|
85
|
+
end
|
86
|
+
return sample
|
87
|
+
end
|
88
|
+
|
89
|
+
if is_custom_code
|
90
|
+
sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
|
91
|
+
return sample
|
92
|
+
end
|
93
|
+
|
94
|
+
nil
|
95
|
+
end
|
96
|
+
|
97
|
+
def custom_code_accessing_system_file? input
|
98
|
+
system_file?(input) && Contrast::Utils::StackTraceUtils.custom_code_context?
|
99
|
+
end
|
100
|
+
|
101
|
+
def system_file? path
|
102
|
+
return false unless path
|
103
|
+
|
104
|
+
Contrast::Agent::Protect::Rule::PathTraversal::SYSTEM_PATHS.any? { |sys_path| sys_path.include?(path) }
|
105
|
+
end
|
106
|
+
|
107
|
+
def common_file_exploits_enabled?
|
108
|
+
false
|
109
|
+
end
|
110
|
+
end
|
111
|
+
end
|
112
|
+
end
|
113
|
+
end
|
114
|
+
end
|
@@ -2,9 +2,13 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
5
|
+
require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
|
6
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
7
|
+
require 'contrast/agent/reporting/input_analysis/score_level'
|
5
8
|
require 'contrast/utils/stack_trace_utils'
|
6
9
|
require 'contrast/agent/reporting/details/path_traversal_details'
|
7
10
|
require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
|
11
|
+
require 'contrast/utils/string_utils'
|
8
12
|
|
9
13
|
module Contrast
|
10
14
|
module Agent
|
@@ -13,7 +17,13 @@ module Contrast
|
|
13
17
|
# This class handles our implementation of the Path Traversal
|
14
18
|
# Protect rule.
|
15
19
|
class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
|
20
|
+
include Contrast::Agent::Reporting::InputType
|
21
|
+
|
16
22
|
NAME = 'path-traversal'
|
23
|
+
APPLICABLE_USER_INPUTS = [
|
24
|
+
BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_VALUE, PARAMETER_NAME,
|
25
|
+
JSON_VALUE, MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, URI
|
26
|
+
].cs__freeze
|
17
27
|
SYSTEM_PATHS = %w[
|
18
28
|
/proc/self
|
19
29
|
etc/passwd
|
@@ -27,20 +37,20 @@ module Contrast
|
|
27
37
|
/windows/repair/
|
28
38
|
].cs__freeze
|
29
39
|
|
30
|
-
|
31
|
-
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
32
|
-
# @return [Hash] the details for this specific rule
|
33
|
-
def extract_details attack_sample
|
34
|
-
{
|
35
|
-
path: attack_sample.path_traversal.path
|
36
|
-
}
|
37
|
-
end
|
38
|
-
end
|
40
|
+
SUB_RULES = [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new].cs__freeze
|
39
41
|
|
40
42
|
def rule_name
|
41
43
|
NAME
|
42
44
|
end
|
43
45
|
|
46
|
+
def sub_rules
|
47
|
+
SUB_RULES
|
48
|
+
end
|
49
|
+
|
50
|
+
def applicable_user_inputs
|
51
|
+
APPLICABLE_USER_INPUTS
|
52
|
+
end
|
53
|
+
|
44
54
|
def infilter context, method, path
|
45
55
|
return unless infilter?(context)
|
46
56
|
|
@@ -50,9 +60,10 @@ module Contrast
|
|
50
60
|
append_to_activity(context, result)
|
51
61
|
return unless blocked?
|
52
62
|
|
53
|
-
|
54
|
-
|
55
|
-
|
63
|
+
result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
|
64
|
+
cef_logging(result, :successful_attack, value: path)
|
65
|
+
exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
|
66
|
+
raise(Contrast::SecurityException.new(self, exception_messasge))
|
56
67
|
end
|
57
68
|
|
58
69
|
protected
|
@@ -73,6 +84,21 @@ module Contrast
|
|
73
84
|
sample
|
74
85
|
end
|
75
86
|
|
87
|
+
# @param context [Contrast::Agent::RequestContext]
|
88
|
+
def infilter? context
|
89
|
+
return false unless enabled?
|
90
|
+
return false unless context&.agent_input_analysis&.results&.any? do |result|
|
91
|
+
# When a file is being accessed, the agent should see if any of its worth-watching inputs appear in
|
92
|
+
# the file path. If so, the input is considered a confirmed attack and should be reported or blocked.
|
93
|
+
# If the score level is ignore we don't need to report it.
|
94
|
+
result.rule_id == rule_name && result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
|
95
|
+
end
|
96
|
+
|
97
|
+
return false if protect_excluded_by_code?
|
98
|
+
|
99
|
+
true
|
100
|
+
end
|
101
|
+
|
76
102
|
private
|
77
103
|
|
78
104
|
# Build a subclass of the RaspRuleSample if the sample matches
|