contrast-agent 6.7.0 → 6.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +0 -2
- data/.simplecov +0 -1
- data/Rakefile +0 -1
- data/ext/cs__assess_array/cs__assess_array.c +41 -10
- data/ext/cs__assess_array/cs__assess_array.h +4 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +2 -2
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
- data/lib/contrast/agent/excluder.rb +52 -34
- data/lib/contrast/agent/exclusion_matcher.rb +21 -9
- data/lib/contrast/agent/middleware.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +45 -53
- data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +18 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +69 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +68 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
- data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +38 -12
- data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
- data/lib/contrast/agent/protect/rule/sqli.rb +70 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
- data/lib/contrast/agent/protect/rule/xss.rb +14 -20
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +18 -39
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
- data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
- data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
- data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
- data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
- data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
- data/lib/contrast/agent/reporting/reporter.rb +1 -14
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +15 -12
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +4 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +0 -3
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +1 -0
- data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
- data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
- data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
- data/lib/contrast/agent/request.rb +2 -14
- data/lib/contrast/agent/request_context.rb +6 -9
- data/lib/contrast/agent/request_context_extend.rb +9 -148
- data/lib/contrast/agent/thread_watcher.rb +3 -18
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +0 -11
- data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
- data/lib/contrast/agent_lib/api/init.rb +101 -0
- data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
- data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
- data/lib/contrast/agent_lib/api/panic.rb +87 -0
- data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
- data/lib/contrast/agent_lib/interface.rb +260 -0
- data/lib/contrast/agent_lib/interface_base.rb +118 -0
- data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
- data/lib/contrast/agent_lib/test.rb +29 -0
- data/lib/contrast/api/communication/connection_status.rb +5 -5
- data/lib/contrast/components/agent.rb +0 -14
- data/lib/contrast/components/app_context.rb +0 -2
- data/lib/contrast/components/app_context_extend.rb +0 -25
- data/lib/contrast/components/config.rb +1 -18
- data/lib/contrast/components/protect.rb +4 -1
- data/lib/contrast/components/ruby_component.rb +1 -1
- data/lib/contrast/components/settings.rb +37 -89
- data/lib/contrast/config/protect_rule_configuration.rb +7 -7
- data/lib/contrast/config/protect_rules_configuration.rb +20 -58
- data/lib/contrast/configuration.rb +1 -10
- data/lib/contrast/extension/assess/array.rb +9 -0
- data/lib/contrast/extension/delegator.rb +2 -0
- data/lib/contrast/framework/manager.rb +3 -1
- data/lib/contrast/framework/rails/railtie.rb +0 -1
- data/lib/contrast/framework/rails/support.rb +0 -1
- data/lib/contrast/tasks/config.rb +1 -8
- data/lib/contrast/utils/duck_utils.rb +1 -0
- data/lib/contrast/utils/input_classification_base.rb +156 -0
- data/lib/contrast/utils/os.rb +0 -20
- data/lib/contrast/utils/response_utils.rb +0 -16
- data/lib/contrast/utils/stack_trace_utils.rb +3 -15
- data/lib/contrast/utils/string_utils.rb +10 -7
- data/lib/contrast.rb +2 -3
- data/resources/protect/policy.json +1 -2
- data/ruby-agent.gemspec +2 -5
- metadata +42 -112
- data/exe/contrast_service +0 -23
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
- data/lib/contrast/agent/reaction_processor.rb +0 -47
- data/lib/contrast/agent/service_heartbeat.rb +0 -35
- data/lib/contrast/api/communication/messaging_queue.rb +0 -128
- data/lib/contrast/api/communication/response_processor.rb +0 -90
- data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
- data/lib/contrast/api/communication/socket.rb +0 -44
- data/lib/contrast/api/communication/socket_client.rb +0 -130
- data/lib/contrast/api/communication/speedracer.rb +0 -138
- data/lib/contrast/api/communication/tcp_socket.rb +0 -32
- data/lib/contrast/api/communication/unix_socket.rb +0 -28
- data/lib/contrast/api/communication.rb +0 -20
- data/lib/contrast/api/decorators/address.rb +0 -59
- data/lib/contrast/api/decorators/agent_startup.rb +0 -56
- data/lib/contrast/api/decorators/application_settings.rb +0 -43
- data/lib/contrast/api/decorators/application_startup.rb +0 -56
- data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
- data/lib/contrast/api/decorators/http_request.rb +0 -137
- data/lib/contrast/api/decorators/input_analysis.rb +0 -18
- data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
- data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
- data/lib/contrast/api/decorators/message.rb +0 -67
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
- data/lib/contrast/api/decorators/response_type.rb +0 -17
- data/lib/contrast/api/decorators/server_features.rb +0 -25
- data/lib/contrast/api/decorators/user_input.rb +0 -51
- data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
- data/lib/contrast/api/decorators.rb +0 -22
- data/lib/contrast/api/dtm.pb.rb +0 -363
- data/lib/contrast/api/settings.pb.rb +0 -500
- data/lib/contrast/api.rb +0 -16
- data/lib/contrast/components/contrast_service.rb +0 -88
- data/lib/contrast/components/service.rb +0 -55
- data/lib/contrast/tasks/service.rb +0 -84
- data/lib/contrast/utils/input_classification.rb +0 -73
- data/lib/protobuf/code_generator.rb +0 -129
- data/lib/protobuf/decoder.rb +0 -28
- data/lib/protobuf/deprecation.rb +0 -117
- data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
- data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
- data/lib/protobuf/descriptors.rb +0 -3
- data/lib/protobuf/encoder.rb +0 -11
- data/lib/protobuf/enum.rb +0 -365
- data/lib/protobuf/exceptions.rb +0 -9
- data/lib/protobuf/field/base_field.rb +0 -380
- data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
- data/lib/protobuf/field/bool_field.rb +0 -64
- data/lib/protobuf/field/bytes_field.rb +0 -67
- data/lib/protobuf/field/double_field.rb +0 -25
- data/lib/protobuf/field/enum_field.rb +0 -56
- data/lib/protobuf/field/field_array.rb +0 -102
- data/lib/protobuf/field/field_hash.rb +0 -122
- data/lib/protobuf/field/fixed32_field.rb +0 -25
- data/lib/protobuf/field/fixed64_field.rb +0 -28
- data/lib/protobuf/field/float_field.rb +0 -43
- data/lib/protobuf/field/int32_field.rb +0 -21
- data/lib/protobuf/field/int64_field.rb +0 -34
- data/lib/protobuf/field/integer_field.rb +0 -23
- data/lib/protobuf/field/message_field.rb +0 -51
- data/lib/protobuf/field/sfixed32_field.rb +0 -27
- data/lib/protobuf/field/sfixed64_field.rb +0 -28
- data/lib/protobuf/field/signed_integer_field.rb +0 -29
- data/lib/protobuf/field/sint32_field.rb +0 -21
- data/lib/protobuf/field/sint64_field.rb +0 -21
- data/lib/protobuf/field/string_field.rb +0 -51
- data/lib/protobuf/field/uint32_field.rb +0 -21
- data/lib/protobuf/field/uint64_field.rb +0 -21
- data/lib/protobuf/field/varint_field.rb +0 -77
- data/lib/protobuf/field.rb +0 -74
- data/lib/protobuf/generators/base.rb +0 -85
- data/lib/protobuf/generators/enum_generator.rb +0 -39
- data/lib/protobuf/generators/extension_generator.rb +0 -27
- data/lib/protobuf/generators/field_generator.rb +0 -193
- data/lib/protobuf/generators/file_generator.rb +0 -262
- data/lib/protobuf/generators/group_generator.rb +0 -122
- data/lib/protobuf/generators/message_generator.rb +0 -104
- data/lib/protobuf/generators/option_generator.rb +0 -17
- data/lib/protobuf/generators/printable.rb +0 -160
- data/lib/protobuf/generators/service_generator.rb +0 -50
- data/lib/protobuf/lifecycle.rb +0 -33
- data/lib/protobuf/logging.rb +0 -39
- data/lib/protobuf/message/fields.rb +0 -233
- data/lib/protobuf/message/serialization.rb +0 -85
- data/lib/protobuf/message.rb +0 -241
- data/lib/protobuf/optionable.rb +0 -72
- data/lib/protobuf/tasks/compile.rake +0 -80
- data/lib/protobuf/tasks.rb +0 -1
- data/lib/protobuf/varint.rb +0 -20
- data/lib/protobuf/varint_pure.rb +0 -31
- data/lib/protobuf/version.rb +0 -3
- data/lib/protobuf/wire_type.rb +0 -10
- data/lib/protobuf.rb +0 -91
- data/proto/dynamic_discovery.proto +0 -46
- data/proto/google/protobuf/compiler/plugin.proto +0 -183
- data/proto/google/protobuf/descriptor.proto +0 -911
- data/proto/rpc.proto +0 -71
- data/service_executables/.gitkeep +0 -0
- data/service_executables/VERSION +0 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
@@ -2,8 +2,6 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
|
-
require 'contrast/api/dtm.pb'
|
6
|
-
require 'contrast/api/settings.pb'
|
7
5
|
|
8
6
|
module Contrast
|
9
7
|
module Agent
|
@@ -79,23 +77,25 @@ module Contrast
|
|
79
77
|
|
80
78
|
modes_by_id = {}
|
81
79
|
protection_rules.each do |rule|
|
82
|
-
setting_mode = rule[:mode]
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
80
|
+
setting_mode = rule[:mode] || rule['mode']
|
81
|
+
api_mode = if PROTECT_RULES_MODE.include?(setting_mode)
|
82
|
+
case setting_mode
|
83
|
+
when PROTECT_RULES_MODE[1]
|
84
|
+
:MONITOR
|
85
|
+
when PROTECT_RULES_MODE[2]
|
86
|
+
if rule[:blockAtEntry] || rule['blockAtEntry']
|
87
|
+
:BLOCK_AT_PERIMETER
|
88
|
+
else
|
89
|
+
:BLOCK
|
90
|
+
end
|
91
91
|
else
|
92
|
-
|
92
|
+
:NO_ACTION
|
93
93
|
end
|
94
94
|
else
|
95
|
-
|
95
|
+
setting_mode.to_sym
|
96
96
|
end
|
97
|
-
|
98
|
-
modes_by_id[
|
97
|
+
id = rule[:id] || rule['id']
|
98
|
+
modes_by_id[id] = api_mode
|
99
99
|
end
|
100
100
|
modes_by_id
|
101
101
|
end
|
@@ -74,7 +74,8 @@ module Contrast
|
|
74
74
|
# @return uri [String]
|
75
75
|
def normalized_uri
|
76
76
|
@_normalized_uri ||= begin
|
77
|
-
path = rack_request.path_info
|
77
|
+
path = rack_request.path_info || rack_request.path.to_s
|
78
|
+
path = '/' if path.empty?
|
78
79
|
uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0] # remove ;jsessionid
|
79
80
|
uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
|
80
81
|
uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER) # replace interior tokens
|
@@ -142,19 +143,6 @@ module Contrast
|
|
142
143
|
@_body
|
143
144
|
end
|
144
145
|
|
145
|
-
# REMOVE_DTM_REQUEST
|
146
|
-
#
|
147
|
-
# Unlike most of our translation, which is called where needed for each
|
148
|
-
# message and forgotten, we'll leave this method to call the build as we
|
149
|
-
# don't want to pay to reconstruct the DTM for this Request multiple
|
150
|
-
# times.
|
151
|
-
#
|
152
|
-
# @return [Contrast::Api::Dtm::HttpRequest] the SpeedRacer compatible
|
153
|
-
# form of this Request
|
154
|
-
def dtm
|
155
|
-
@_dtm ||= Contrast::Api::Dtm::HttpRequest.build(self)
|
156
|
-
end
|
157
|
-
|
158
146
|
# flattened hash of request params
|
159
147
|
#
|
160
148
|
# @return parameters [Hash]
|
@@ -1,7 +1,6 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/api/dtm.pb'
|
5
4
|
require 'contrast/utils/timer'
|
6
5
|
require 'contrast/agent/request'
|
7
6
|
require 'contrast/agent/response'
|
@@ -24,7 +23,7 @@ module Contrast
|
|
24
23
|
include Contrast::Utils::RequestUtils
|
25
24
|
include Contrast::Agent::RequestContextExtend
|
26
25
|
|
27
|
-
|
26
|
+
INPUT_ANALYSIS = Contrast::Agent::Reporting::InputAnalysis.new
|
28
27
|
|
29
28
|
# @return [Contrast::Agent::Reporting:ApplicationActivity] the application activity found in this request
|
30
29
|
attr_reader :activity
|
@@ -39,8 +38,8 @@ module Contrast
|
|
39
38
|
attr_reader :response
|
40
39
|
# @return [Contrast::Agent::Reporting::RouteDiscovery] the route, used for findings, of this request
|
41
40
|
attr_reader :discovered_route
|
42
|
-
# @return [Contrast::
|
43
|
-
attr_reader :
|
41
|
+
# @return [Contrast::Agent::Reporting::InputAnalysis]
|
42
|
+
attr_reader :agent_input_analysis
|
44
43
|
# @return [Array<String>] the hash of findings already reported fro this request
|
45
44
|
attr_reader :reported_findings
|
46
45
|
# @return [Contrast::Utils::Timer] when the context was created
|
@@ -55,15 +54,13 @@ module Contrast
|
|
55
54
|
@logging_hash = { request_id: __id__ }
|
56
55
|
|
57
56
|
# instantiate helper for request and response
|
58
|
-
@request = Contrast::Agent::Request.new(rack_request)
|
57
|
+
@request = Contrast::Agent::Request.new(rack_request) if rack_request
|
59
58
|
@activity = Contrast::Agent::Reporting::ApplicationActivity.new
|
60
59
|
|
61
60
|
# build analyzer
|
62
61
|
@do_not_track = false
|
63
|
-
@
|
64
|
-
|
65
|
-
|
66
|
-
# TODO: RUBY-1627
|
62
|
+
@agent_input_analysis = INPUT_ANALYSIS
|
63
|
+
agent_input_analysis.request = request
|
67
64
|
|
68
65
|
# flag to indicate whether the app is fully loaded
|
69
66
|
@app_loaded = !!app_loaded
|
@@ -20,12 +20,9 @@ module Contrast
|
|
20
20
|
# This class extends RequestContexts: this class acts to encapsulate information about the currently
|
21
21
|
# executed request, making it available to the Agent for the duration of the request in a standardized
|
22
22
|
# and normalized format which the Agent understands.
|
23
|
-
module RequestContextExtend
|
23
|
+
module RequestContextExtend
|
24
24
|
include Contrast::Utils::CEFLogUtils
|
25
25
|
include Contrast::Components::Logger::InstanceMethods
|
26
|
-
BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
|
27
|
-
CEF_LOGGING_RULES = %w[bot-blocker virtual-patch ip-denylist].cs__freeze
|
28
|
-
|
29
26
|
# Convert the discovered route for this request to appropriate forms and disseminate it to those locations
|
30
27
|
# where it is necessary for our route coverage and finding vulnerability discovery features to function.
|
31
28
|
#
|
@@ -43,55 +40,24 @@ module Contrast
|
|
43
40
|
@request.discovered_route = @discovered_route
|
44
41
|
end
|
45
42
|
|
43
|
+
# If protect is enabled for this request, examine said request for any possible attack input. If those inputs
|
44
|
+
# provided match a rule which should block at the perimeter, that will be raised here.
|
45
|
+
#
|
46
46
|
# @raise [Contrast::SecurityException]
|
47
|
-
def
|
47
|
+
def protect_input_analysis
|
48
48
|
return false unless ::Contrast::AGENT.enabled?
|
49
49
|
return false unless ::Contrast::PROTECT.enabled?
|
50
50
|
return false if @do_not_track
|
51
51
|
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
handle_protect_state(service_response)
|
56
|
-
ia = service_response.input_analysis
|
57
|
-
if ia
|
58
|
-
service_extract_logging(ia)
|
59
|
-
# TODO: RUBY-1629
|
60
|
-
# using Agent analysis
|
61
|
-
# initialize_agent_input_analysis request
|
62
|
-
|
63
|
-
@speedracer_input_analysis = ia
|
64
|
-
speedracer_input_analysis.request = request
|
52
|
+
if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
|
53
|
+
@agent_input_analysis = ia
|
65
54
|
else
|
66
|
-
logger.trace('Analysis from
|
67
|
-
false
|
55
|
+
logger.trace('Analysis from Agent was empty.')
|
68
56
|
end
|
69
57
|
rescue Contrast::SecurityException => e
|
70
58
|
raise(e)
|
71
59
|
rescue StandardError => e
|
72
|
-
logger.warn('Unable to extract
|
73
|
-
false
|
74
|
-
end
|
75
|
-
|
76
|
-
# NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
|
77
|
-
# indicates a security exception should be thrown. This method ensures that the attack reports are generated.
|
78
|
-
# Normally these should be generated on Speedracer for any attacks detected during prefilter.
|
79
|
-
#
|
80
|
-
# @param agent_settings [Contrast::Api::Settings::AgentSettings]
|
81
|
-
# @raise[Contrast::SecurityException]
|
82
|
-
def handle_protect_state agent_settings
|
83
|
-
return unless agent_settings&.protect_state
|
84
|
-
|
85
|
-
state = agent_settings.protect_state
|
86
|
-
@uuid = state.uuid
|
87
|
-
@do_not_track = true unless state.track_request
|
88
|
-
return unless state.security_exception
|
89
|
-
|
90
|
-
# make sure the activity get send before the error
|
91
|
-
# If Contrast Service has NOT handled the input analysis, handle them here
|
92
|
-
build_attack_results(agent_settings)
|
93
|
-
logger.debug('Contrast Service said to block this request')
|
94
|
-
raise(Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior')))
|
60
|
+
logger.warn('Unable to extract protect information from request', e)
|
95
61
|
end
|
96
62
|
|
97
63
|
# append anything we've learned to the request seen message this is the sum-total of all inventory information
|
@@ -114,111 +80,6 @@ module Contrast
|
|
114
80
|
rescue StandardError => e
|
115
81
|
logger.error('Unable to extract information after request', e)
|
116
82
|
end
|
117
|
-
|
118
|
-
# This here is for things we don't have implemented
|
119
|
-
def log_to_cef
|
120
|
-
activity.defend.attackers.each { |attacker| logging_logic(attacker.protection_rules) }
|
121
|
-
end
|
122
|
-
|
123
|
-
# @param input_analysis [Contrast::Api::Settings::InputAnalysis]
|
124
|
-
def service_extract_logging input_analysis
|
125
|
-
log_to_cef
|
126
|
-
logger.trace('Analysis from Contrast Service', evaluations: input_analysis.results.length) if logger.trace?
|
127
|
-
logger.trace('Results', input_analysis: input_analysis.inspect) if logger.trace?
|
128
|
-
end
|
129
|
-
|
130
|
-
private
|
131
|
-
|
132
|
-
# Generate attack results directly from any evaluations on the agent settings object.
|
133
|
-
#
|
134
|
-
# @param agent_settings [Contrast::Api::Settings::AgentSettings]
|
135
|
-
def build_attack_results agent_settings
|
136
|
-
return unless agent_settings&.input_analysis&.results&.any?
|
137
|
-
|
138
|
-
results_by_rule = {}
|
139
|
-
agent_settings.input_analysis.results.each do |ia_result|
|
140
|
-
rule_id = ia_result.rule_id
|
141
|
-
rule = ::Contrast::PROTECT.rule(rule_id)
|
142
|
-
next unless rule
|
143
|
-
|
144
|
-
logger.debug(BUILD_ATTACK_LOGGER_MESSAGE, result: ia_result.inspect) if logger.debug?
|
145
|
-
results_by_rule[rule_id] = attack_result(rule, rule_id, ia_result, results_by_rule)
|
146
|
-
end
|
147
|
-
|
148
|
-
results_by_rule.each_pair do |_, attack_result|
|
149
|
-
logger.info('Blocking attack result', rule: attack_result.rule_id)
|
150
|
-
activity.attach_defend(attack_result)
|
151
|
-
end
|
152
|
-
end
|
153
|
-
|
154
|
-
# Generates the attack result
|
155
|
-
#
|
156
|
-
# @param rule [Contrast::Agent::Protect::Rule, Contrast::Agent::Assess::Rule]
|
157
|
-
# @param rule_id [String] String name of the rule
|
158
|
-
# @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
|
159
|
-
# analysis of the input that was determined to be an attack
|
160
|
-
# @param results_by_rule [Hash] attack results from any evaluations on the agent settings object.
|
161
|
-
# @return [Contrast::Api::Dtm::AttackResult] the attack result from this input
|
162
|
-
def attack_result rule, rule_id, ia_result, results_by_rule
|
163
|
-
@_attack_result = if rule.mode == :BLOCK
|
164
|
-
# special case for rules (like reflected xss) that used to have an infilter / block mode
|
165
|
-
# but now are just block at perimeter
|
166
|
-
rule.build_attack_with_match(self, ia_result, results_by_rule[rule_id], ia_result.value)
|
167
|
-
else
|
168
|
-
rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
|
169
|
-
end
|
170
|
-
end
|
171
|
-
|
172
|
-
# @param protection_rules [Array<rule_id => Contrast::Agent::Reporting::ApplicationDefendAttackActivity>] Array
|
173
|
-
# of all protection rules per active attackers of this request life cycle.
|
174
|
-
def logging_logic protection_rules
|
175
|
-
protection_rules.any? do |rule_id, activity|
|
176
|
-
next unless CEF_LOGGING_RULES.include?(rule_id)
|
177
|
-
|
178
|
-
outcome = activity.response_type
|
179
|
-
rule_details = details_builder(outcome, activity)
|
180
|
-
case rule_id
|
181
|
-
when /bot-blocker/i
|
182
|
-
cef_logger.bot_blocking_message(rule_details.to_controlled_hash, outcome) if rule_details
|
183
|
-
when /virtual-patch/i
|
184
|
-
cef_logger.virtual_patch_message(rule_details.to_controlled_hash, outcome) if rule_details
|
185
|
-
when /ip-denylist/i
|
186
|
-
sender_ip = extract_sender_ip
|
187
|
-
next unless sender_ip
|
188
|
-
next unless rule_details && rule_details.ip == sender_ip
|
189
|
-
|
190
|
-
cef_logger.ip_denylisted_message(sender_ip, rule_details.to_controlled_hash, outcome)
|
191
|
-
end
|
192
|
-
end
|
193
|
-
end
|
194
|
-
|
195
|
-
# @param outcome [Symbol<Contrast::Agent::Reporting::ResponseType>]
|
196
|
-
# @param activity [Contrast::Agent::Reporting::ApplicationDefendAttackActivity]
|
197
|
-
def details_builder outcome, activity
|
198
|
-
case outcome
|
199
|
-
when ::Contrast::Agent::Reporting::ResponseType::BLOCKED
|
200
|
-
blocked = activity.blocked
|
201
|
-
get_details(blocked)
|
202
|
-
when ::Contrast::Agent::Reporting::ResponseType::MONITORED
|
203
|
-
exploited = activity.exploited
|
204
|
-
get_details(exploited)
|
205
|
-
when ::Contrast::Agent::Reporting::ResponseType::PROBED
|
206
|
-
ineffective = activity.ineffective
|
207
|
-
get_details(ineffective)
|
208
|
-
when ::Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
|
209
|
-
activity.suspicious.samples[0].details
|
210
|
-
suspicious = activity.suspicious
|
211
|
-
get_details(suspicious)
|
212
|
-
end
|
213
|
-
end
|
214
|
-
|
215
|
-
# @param type [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
|
216
|
-
# @return details [Contrast::Agent::Reporting::ProtectRuleDetails] depends on rule
|
217
|
-
def get_details type
|
218
|
-
sample = nil
|
219
|
-
sample = type.samples[0] unless type.samples.empty?
|
220
|
-
sample&.details
|
221
|
-
end
|
222
83
|
end
|
223
84
|
end
|
224
85
|
end
|
@@ -2,8 +2,6 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/logger'
|
5
|
-
require 'contrast/agent/service_heartbeat'
|
6
|
-
require 'contrast/api/communication/messaging_queue'
|
7
5
|
require 'contrast/agent/reporting/report'
|
8
6
|
require 'contrast/agent/reporting/reporter_heartbeat'
|
9
7
|
require 'contrast/agent/telemetry/base'
|
@@ -16,10 +14,6 @@ module Contrast
|
|
16
14
|
|
17
15
|
# @return [Contrast::Utils::HeapDumpUtil]
|
18
16
|
attr_reader :heapdump_util
|
19
|
-
# @return [Contrast::Agent::ServiceHeartbeat, nil]
|
20
|
-
attr_reader :heartbeat
|
21
|
-
# @return [Contrast::Api::Communication::MessagingQueue, nil]
|
22
|
-
attr_reader :messaging_queue
|
23
17
|
# @return [Contrast::Agent::Reporter]
|
24
18
|
attr_reader :reporter
|
25
19
|
# @return [Contrast::Agent::ReporterHeartbeat]
|
@@ -28,10 +22,6 @@ module Contrast
|
|
28
22
|
def initialize
|
29
23
|
@pids = {}
|
30
24
|
@heapdump_util = Contrast::Utils::HeapDumpUtil.new
|
31
|
-
unless ::Contrast::CONTRAST_SERVICE.unnecessary?
|
32
|
-
@heartbeat = Contrast::Agent::ServiceHeartbeat.new
|
33
|
-
@messaging_queue = Contrast::Api::Communication::MessagingQueue.new
|
34
|
-
end
|
35
25
|
@reporter = Contrast::Agent::Reporter.new
|
36
26
|
@reporter_heartbeat = Contrast::Agent::ReporterHeartbeat.new
|
37
27
|
@telemetry = Contrast::Agent::Telemetry::Base.new if Contrast::Agent::Telemetry::Base.enabled?
|
@@ -42,16 +32,13 @@ module Contrast
|
|
42
32
|
return unless ::Contrast::AGENT.enabled?
|
43
33
|
|
44
34
|
logger.debug('ThreadWatcher started threads')
|
45
|
-
|
46
|
-
|
47
|
-
@pids[Process.pid] =
|
35
|
+
reporter_status = init_thread(reporter)
|
36
|
+
reporter_heartbeat_status = init_thread(reporter_heartbeat)
|
37
|
+
@pids[Process.pid] = reporter_status && reporter_heartbeat_status
|
48
38
|
if Contrast::Agent::Telemetry::Base.enabled?
|
49
39
|
telemetry_status = init_thread(telemetry_queue)
|
50
40
|
@pids[Process.pid] = @pids[Process.pid] && telemetry_status
|
51
41
|
end
|
52
|
-
reporter_status = init_thread(reporter)
|
53
|
-
reporter_heartbeat_status = init_thread(reporter_heartbeat)
|
54
|
-
@pids[Process.pid] = @pids[Process.pid] && reporter_status && reporter_heartbeat_status
|
55
42
|
@pids
|
56
43
|
end
|
57
44
|
|
@@ -63,8 +50,6 @@ module Contrast
|
|
63
50
|
end
|
64
51
|
|
65
52
|
def shutdown!
|
66
|
-
heartbeat&.stop!
|
67
|
-
messaging_queue&.stop!
|
68
53
|
heapdump_util&.stop!
|
69
54
|
telemetry_queue&.stop!
|
70
55
|
reporter&.stop!
|
data/lib/contrast/agent.rb
CHANGED
@@ -42,9 +42,6 @@ require 'contrast/utils/thread_tracker'
|
|
42
42
|
# Framework support
|
43
43
|
require 'contrast/framework/manager'
|
44
44
|
|
45
|
-
# Communication to SR
|
46
|
-
require 'contrast/api/communication'
|
47
|
-
|
48
45
|
require 'contrast/agent/thread_watcher'
|
49
46
|
|
50
47
|
module Contrast
|
@@ -66,11 +63,6 @@ module Contrast
|
|
66
63
|
thread_watcher.heapdump_util
|
67
64
|
end
|
68
65
|
|
69
|
-
# @return [nil, Contrast::Api::Communication::MessagingQueue]
|
70
|
-
def self.messaging_queue
|
71
|
-
thread_watcher.messaging_queue
|
72
|
-
end
|
73
|
-
|
74
66
|
# @return [nil, Contrast::Agent::Telemetry::Base]
|
75
67
|
def self.telemetry_queue
|
76
68
|
thread_watcher.telemetry_queue
|
@@ -87,14 +79,11 @@ module Contrast
|
|
87
79
|
end
|
88
80
|
end
|
89
81
|
|
90
|
-
require 'contrast/api'
|
91
|
-
|
92
82
|
require 'contrast/utils/resource_loader'
|
93
83
|
require 'contrast/utils/duck_utils'
|
94
84
|
require 'contrast/agent/tracepoint_hook'
|
95
85
|
require 'contrast/agent/at_exit_hook'
|
96
86
|
|
97
|
-
# communication with contrast service
|
98
87
|
require 'contrast/agent/exclusion_matcher'
|
99
88
|
|
100
89
|
# threads that handle contrast scope
|
@@ -0,0 +1,46 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: false
|
3
|
+
|
4
|
+
require 'ffi'
|
5
|
+
# require the gem
|
6
|
+
require 'contrast-agent-lib'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module AgentLib
|
10
|
+
# This module is defined in Rust as external, we used it here.
|
11
|
+
# Initializes the AgentLib. Here will be all methods from
|
12
|
+
# the C bindings contrast_c::cmdi_semantic_chained_command module.
|
13
|
+
module CommandInjection
|
14
|
+
extend FFI::Library
|
15
|
+
ffi_lib ContrastAgentLib::CONTRAST_C
|
16
|
+
|
17
|
+
attach_function :get_index_of_chained_command, [:string], :long_long
|
18
|
+
attach_function :does_command_contain_dangerous_path, [:string], :int
|
19
|
+
|
20
|
+
private
|
21
|
+
|
22
|
+
# Checks that a given shell command contained a chained command.
|
23
|
+
# This is used for the cmd-injection-semantic-chained-commands rule.
|
24
|
+
#
|
25
|
+
# @param cmd [String] command to check.
|
26
|
+
# @return index[Integer] Returns the index of the command chaining if found.
|
27
|
+
# If the chaining index is >= 0, an injection is detected. Returns -1 when
|
28
|
+
# no command chaining is found.
|
29
|
+
def dl__index_of_chained_command cmd
|
30
|
+
get_index_of_chained_command(cmd)
|
31
|
+
end
|
32
|
+
|
33
|
+
# Checks if a given shell command is trying to access a dangerous path.
|
34
|
+
# This is used for the cmd-injection-semantic-dangerous-paths rule.
|
35
|
+
#
|
36
|
+
# @param path [String] path to check.
|
37
|
+
# @return index[Boolean] Returns 1 if a dangerous path is found.
|
38
|
+
# Returns 0 if no dangerous paths are found.
|
39
|
+
def dl__dangerous_path? path
|
40
|
+
return false if does_command_contain_dangerous_path(path).zero?
|
41
|
+
|
42
|
+
true
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
@@ -0,0 +1,101 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: false
|
3
|
+
|
4
|
+
require 'ffi'
|
5
|
+
# require the gem
|
6
|
+
require 'contrast-agent-lib'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module AgentLib
|
10
|
+
# This module is defined in Rust as external, we used it here.
|
11
|
+
# Initializes the AgentLib. Here will be all methods from
|
12
|
+
# the C bindings agent_init mod.
|
13
|
+
module Init
|
14
|
+
extend FFI::Library
|
15
|
+
ffi_lib ContrastAgentLib::CONTRAST_C
|
16
|
+
|
17
|
+
# Init
|
18
|
+
#
|
19
|
+
# 0 => OK, -1 => Err
|
20
|
+
# The attach function could be called also like this:
|
21
|
+
# attach_function :ruby_name, :c_name, [ :params ], :returns, { :options => values }
|
22
|
+
# an that way we define a ruby_name for the C method, but we alias to make a documentation
|
23
|
+
# for the method.
|
24
|
+
#
|
25
|
+
# Also we extend the FFI::Library inside this module so we could also redefine the
|
26
|
+
# attach_function to our taste, not worry about it leaking outside of this module.
|
27
|
+
#
|
28
|
+
# @param [Symbol] Name of required function.
|
29
|
+
# @param [Array] An array of argument types.
|
30
|
+
# @return [Integer] Return type of the function.
|
31
|
+
attach_function :init, [], :int
|
32
|
+
|
33
|
+
# TODO: RUBY-1693
|
34
|
+
# Initialize agent lib without any optional settings. To set optional settings consider using
|
35
|
+
# `init_with_options` instead If you want to enable logging, it must be set using environment variables
|
36
|
+
# `CONTRAST_AGENTLIB_LOG_LEVEL` - set to log level. Must of one of ERROR, WARN, INFO, DEBUG or TRACE
|
37
|
+
# `CONTRAST_AGENTLIB_LOG_DIR` - must point to an accessible directory where logs will be written.
|
38
|
+
# The name of the log file
|
39
|
+
# is auto-generated and cannot be set. The format is 'libcontrast_<date>_<process_id>.log'
|
40
|
+
#
|
41
|
+
# If these environment variables are not present during `init`, agent-lib will be initialized with
|
42
|
+
# logging disabled and you will not be able to re-enable it using `change_log_settings`
|
43
|
+
# @param [Symbol] Name of required function.
|
44
|
+
# @param [Array] An array of argument types.
|
45
|
+
# @return [Integer] Return type of the function.
|
46
|
+
attach_function :init_with_options, %i[bool string string], :int
|
47
|
+
|
48
|
+
# TODO: RUBY-1693
|
49
|
+
# Change log settings for agent lib after it's been initialized. This api must be used after init
|
50
|
+
#
|
51
|
+
# Safety
|
52
|
+
# The `log_level` parameter must point to must point to an UTF-8 encoded string C-string
|
53
|
+
# @param enable_logging [Boolean] flag to enable or disable logging.
|
54
|
+
# @param log_level [String] UTF-8 encoded string indicating the maximum log level
|
55
|
+
# if logging is enabled
|
56
|
+
attach_function :change_log_settings, %i[bool string], :int
|
57
|
+
|
58
|
+
# TODO: RUBY-1693
|
59
|
+
# Initialize AgentLib with options.
|
60
|
+
# If init returns 0 = successful setup with options
|
61
|
+
# if init returns 1 = unsuccessful setup with options
|
62
|
+
#
|
63
|
+
# @param enable_logging [Boolean] flag to enable or disable logging.
|
64
|
+
# @param log_dir [String] path to existing log directory.
|
65
|
+
# @param log_level [String] OFF, ERROR, WARN, INFO, DEBUG or TRACE.
|
66
|
+
# @return [Boolean] true if initialized false if not.
|
67
|
+
def dl__init_with_options enable_logging, log_dir, log_level
|
68
|
+
# This is useful for scope sensitive string pointers, if function ends and
|
69
|
+
# you need them to be picked up after the C function.
|
70
|
+
init_with_options(enable_logging, log_dir, log_level).zero?
|
71
|
+
end
|
72
|
+
|
73
|
+
private
|
74
|
+
|
75
|
+
# Initialize AgentLib without options. Log level could not be set after.
|
76
|
+
# If you want to set the log levels you can do it be ENV variables:
|
77
|
+
# EVN [CONTRAST_AGENTLIB_LOG_LEVEL] - set to log level. Must of one of ERROR, WARN, INFO, DEBUG or TRACE
|
78
|
+
# ENV['CONTRAST_AGENTLIB_LOG_DIR'] - must point to an accessible directory where logs will be written.
|
79
|
+
# The name of the log file.
|
80
|
+
#
|
81
|
+
# @return [Boolean] true if initialized, false if not.
|
82
|
+
def dl__init
|
83
|
+
init.zero?
|
84
|
+
end
|
85
|
+
|
86
|
+
# TODO: RUBY-1693
|
87
|
+
# Change the log settings. This api must be called after the dl__init_with_options.
|
88
|
+
#
|
89
|
+
# @param enable_log [Boolean] flag to enable or disable logging this sets the inner flag.
|
90
|
+
# @param log_level [String] OFF, ERROR, WARN, INFO, DEBUG or TRACE.
|
91
|
+
# @return [Boolean] true if initialized false if not.
|
92
|
+
def dl__change_log_settings enable_log, log_level
|
93
|
+
# transform to C strings pointers here and pass to function.
|
94
|
+
log_dir_pointer = FFI::MemoryPointer.from_string(log_level.dup.force_encoding('UTF-8'))
|
95
|
+
return true if change_log_settings(enable_log, log_dir_pointer).zero?
|
96
|
+
|
97
|
+
false
|
98
|
+
end
|
99
|
+
end
|
100
|
+
end
|
101
|
+
end
|