contrast-agent 6.7.0 → 6.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +0 -2
- data/.simplecov +0 -1
- data/Rakefile +0 -1
- data/ext/cs__assess_array/cs__assess_array.c +41 -10
- data/ext/cs__assess_array/cs__assess_array.h +4 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -3
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +11 -11
- data/lib/contrast/agent/assess.rb +0 -1
- data/lib/contrast/agent/excluder.rb +53 -35
- data/lib/contrast/agent/exclusion_matcher.rb +21 -9
- data/lib/contrast/agent/middleware.rb +12 -6
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +116 -0
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +47 -55
- data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +20 -2
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +64 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +63 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
- data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +40 -13
- data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
- data/lib/contrast/agent/protect/rule/sqli.rb +74 -3
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
- data/lib/contrast/agent/protect/rule/xss.rb +15 -20
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +19 -40
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
- data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
- data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
- data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
- data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
- data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
- data/lib/contrast/agent/reporting/report.rb +1 -0
- data/lib/contrast/agent/reporting/reporter.rb +35 -14
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +3 -9
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +16 -13
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +12 -7
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +6 -1
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +6 -6
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +239 -93
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +10 -23
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +10 -9
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +12 -0
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +43 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +8 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +58 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +4 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +77 -16
- data/lib/contrast/agent/reporting/server_settings_worker.rb +44 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +14 -2
- data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
- data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
- data/lib/contrast/agent/reporting/settings/helpers.rb +7 -0
- data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +39 -2
- data/lib/contrast/agent/reporting/settings/rule_definition.rb +3 -0
- data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +9 -0
- data/lib/contrast/agent/reporting/settings/syslog.rb +34 -5
- data/lib/contrast/agent/request.rb +3 -14
- data/lib/contrast/agent/request_context.rb +6 -9
- data/lib/contrast/agent/request_context_extend.rb +9 -148
- data/lib/contrast/agent/request_handler.rb +5 -10
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +37 -18
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +6 -11
- data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
- data/lib/contrast/agent_lib/api/init.rb +101 -0
- data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
- data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
- data/lib/contrast/agent_lib/api/panic.rb +87 -0
- data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
- data/lib/contrast/agent_lib/interface.rb +260 -0
- data/lib/contrast/agent_lib/interface_base.rb +118 -0
- data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
- data/lib/contrast/agent_lib/test.rb +29 -0
- data/lib/contrast/api/communication/connection_status.rb +20 -5
- data/lib/contrast/components/agent.rb +34 -14
- data/lib/contrast/components/api.rb +23 -0
- data/lib/contrast/components/app_context.rb +23 -5
- data/lib/contrast/components/app_context_extend.rb +0 -25
- data/lib/contrast/components/assess.rb +34 -4
- data/lib/contrast/components/assess_rules.rb +18 -0
- data/lib/contrast/components/base.rb +40 -0
- data/lib/contrast/components/config/sources.rb +95 -0
- data/lib/contrast/components/config.rb +19 -19
- data/lib/contrast/components/heap_dump.rb +10 -0
- data/lib/contrast/components/inventory.rb +15 -2
- data/lib/contrast/components/logger.rb +18 -0
- data/lib/contrast/components/polling.rb +36 -0
- data/lib/contrast/components/protect.rb +52 -2
- data/lib/contrast/components/ruby_component.rb +16 -1
- data/lib/contrast/components/sampling.rb +70 -13
- data/lib/contrast/components/security_logger.rb +13 -0
- data/lib/contrast/components/settings.rb +105 -90
- data/lib/contrast/config/certification_configuration.rb +14 -0
- data/lib/contrast/config/config.rb +46 -0
- data/lib/contrast/config/diagnostics.rb +114 -0
- data/lib/contrast/config/diagnostics_tools.rb +98 -0
- data/lib/contrast/config/effective_config.rb +65 -0
- data/lib/contrast/config/effective_config_value.rb +32 -0
- data/lib/contrast/config/exception_configuration.rb +12 -0
- data/lib/contrast/config/protect_rule_configuration.rb +8 -8
- data/lib/contrast/config/protect_rules_configuration.rb +23 -60
- data/lib/contrast/config/request_audit_configuration.rb +13 -0
- data/lib/contrast/config/server_configuration.rb +41 -2
- data/lib/contrast/configuration.rb +29 -12
- data/lib/contrast/extension/assess/array.rb +9 -0
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/delegator.rb +2 -0
- data/lib/contrast/framework/manager.rb +3 -1
- data/lib/contrast/framework/rails/railtie.rb +0 -1
- data/lib/contrast/framework/rails/support.rb +0 -1
- data/lib/contrast/tasks/config.rb +1 -8
- data/lib/contrast/utils/assess/event_limit_utils.rb +31 -9
- data/lib/contrast/utils/assess/trigger_method_utils.rb +5 -4
- data/lib/contrast/utils/duck_utils.rb +1 -0
- data/lib/contrast/utils/hash_digest.rb +2 -2
- data/lib/contrast/utils/input_classification_base.rb +155 -0
- data/lib/contrast/utils/os.rb +0 -20
- data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +81 -0
- data/lib/contrast/utils/response_utils.rb +0 -16
- data/lib/contrast/utils/routes_sent.rb +60 -0
- data/lib/contrast/utils/stack_trace_utils.rb +3 -15
- data/lib/contrast/utils/string_utils.rb +10 -7
- data/lib/contrast/utils/telemetry_client.rb +1 -2
- data/lib/contrast/utils/timer.rb +16 -0
- data/lib/contrast.rb +5 -4
- data/resources/protect/policy.json +1 -2
- data/ruby-agent.gemspec +7 -6
- metadata +69 -130
- data/exe/contrast_service +0 -23
- data/lib/contrast/agent/assess/contrast_event.rb +0 -157
- data/lib/contrast/agent/assess/events/event_factory.rb +0 -34
- data/lib/contrast/agent/assess/events/source_event.rb +0 -46
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
- data/lib/contrast/agent/reaction_processor.rb +0 -47
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +0 -36
- data/lib/contrast/agent/service_heartbeat.rb +0 -35
- data/lib/contrast/api/communication/messaging_queue.rb +0 -128
- data/lib/contrast/api/communication/response_processor.rb +0 -90
- data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
- data/lib/contrast/api/communication/socket.rb +0 -44
- data/lib/contrast/api/communication/socket_client.rb +0 -130
- data/lib/contrast/api/communication/speedracer.rb +0 -138
- data/lib/contrast/api/communication/tcp_socket.rb +0 -32
- data/lib/contrast/api/communication/unix_socket.rb +0 -28
- data/lib/contrast/api/communication.rb +0 -20
- data/lib/contrast/api/decorators/address.rb +0 -59
- data/lib/contrast/api/decorators/agent_startup.rb +0 -56
- data/lib/contrast/api/decorators/application_settings.rb +0 -43
- data/lib/contrast/api/decorators/application_startup.rb +0 -56
- data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
- data/lib/contrast/api/decorators/http_request.rb +0 -137
- data/lib/contrast/api/decorators/input_analysis.rb +0 -18
- data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
- data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
- data/lib/contrast/api/decorators/message.rb +0 -67
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
- data/lib/contrast/api/decorators/response_type.rb +0 -17
- data/lib/contrast/api/decorators/server_features.rb +0 -25
- data/lib/contrast/api/decorators/user_input.rb +0 -51
- data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
- data/lib/contrast/api/decorators.rb +0 -22
- data/lib/contrast/api/dtm.pb.rb +0 -363
- data/lib/contrast/api/settings.pb.rb +0 -500
- data/lib/contrast/api.rb +0 -16
- data/lib/contrast/components/contrast_service.rb +0 -88
- data/lib/contrast/components/service.rb +0 -55
- data/lib/contrast/tasks/service.rb +0 -84
- data/lib/contrast/utils/input_classification.rb +0 -73
- data/lib/protobuf/code_generator.rb +0 -129
- data/lib/protobuf/decoder.rb +0 -28
- data/lib/protobuf/deprecation.rb +0 -117
- data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
- data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
- data/lib/protobuf/descriptors.rb +0 -3
- data/lib/protobuf/encoder.rb +0 -11
- data/lib/protobuf/enum.rb +0 -365
- data/lib/protobuf/exceptions.rb +0 -9
- data/lib/protobuf/field/base_field.rb +0 -380
- data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
- data/lib/protobuf/field/bool_field.rb +0 -64
- data/lib/protobuf/field/bytes_field.rb +0 -67
- data/lib/protobuf/field/double_field.rb +0 -25
- data/lib/protobuf/field/enum_field.rb +0 -56
- data/lib/protobuf/field/field_array.rb +0 -102
- data/lib/protobuf/field/field_hash.rb +0 -122
- data/lib/protobuf/field/fixed32_field.rb +0 -25
- data/lib/protobuf/field/fixed64_field.rb +0 -28
- data/lib/protobuf/field/float_field.rb +0 -43
- data/lib/protobuf/field/int32_field.rb +0 -21
- data/lib/protobuf/field/int64_field.rb +0 -34
- data/lib/protobuf/field/integer_field.rb +0 -23
- data/lib/protobuf/field/message_field.rb +0 -51
- data/lib/protobuf/field/sfixed32_field.rb +0 -27
- data/lib/protobuf/field/sfixed64_field.rb +0 -28
- data/lib/protobuf/field/signed_integer_field.rb +0 -29
- data/lib/protobuf/field/sint32_field.rb +0 -21
- data/lib/protobuf/field/sint64_field.rb +0 -21
- data/lib/protobuf/field/string_field.rb +0 -51
- data/lib/protobuf/field/uint32_field.rb +0 -21
- data/lib/protobuf/field/uint64_field.rb +0 -21
- data/lib/protobuf/field/varint_field.rb +0 -77
- data/lib/protobuf/field.rb +0 -74
- data/lib/protobuf/generators/base.rb +0 -85
- data/lib/protobuf/generators/enum_generator.rb +0 -39
- data/lib/protobuf/generators/extension_generator.rb +0 -27
- data/lib/protobuf/generators/field_generator.rb +0 -193
- data/lib/protobuf/generators/file_generator.rb +0 -262
- data/lib/protobuf/generators/group_generator.rb +0 -122
- data/lib/protobuf/generators/message_generator.rb +0 -104
- data/lib/protobuf/generators/option_generator.rb +0 -17
- data/lib/protobuf/generators/printable.rb +0 -160
- data/lib/protobuf/generators/service_generator.rb +0 -50
- data/lib/protobuf/lifecycle.rb +0 -33
- data/lib/protobuf/logging.rb +0 -39
- data/lib/protobuf/message/fields.rb +0 -233
- data/lib/protobuf/message/serialization.rb +0 -85
- data/lib/protobuf/message.rb +0 -241
- data/lib/protobuf/optionable.rb +0 -72
- data/lib/protobuf/tasks/compile.rake +0 -80
- data/lib/protobuf/tasks.rb +0 -1
- data/lib/protobuf/varint.rb +0 -20
- data/lib/protobuf/varint_pure.rb +0 -31
- data/lib/protobuf/version.rb +0 -3
- data/lib/protobuf/wire_type.rb +0 -10
- data/lib/protobuf.rb +0 -91
- data/proto/dynamic_discovery.proto +0 -46
- data/proto/google/protobuf/compiler/plugin.proto +0 -183
- data/proto/google/protobuf/descriptor.proto +0 -911
- data/proto/rpc.proto +0 -71
- data/service_executables/.gitkeep +0 -0
- data/service_executables/VERSION +0 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
@@ -26,6 +26,7 @@ module Contrast
|
|
26
26
|
# @param new_code_exclusions [Array<CodeExclusion>] Array of CodeExclusion: {
|
27
27
|
# name [String] The name of the exclusion as defined by the user in TS.
|
28
28
|
# modes [String] If this exclusion applies to assess or protect. [assess, defend]
|
29
|
+
# protect_rules [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
|
29
30
|
# assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
|
30
31
|
# denylist [String] The call, if in the stack, should result in the agent not taking action.
|
31
32
|
# }
|
@@ -39,7 +40,7 @@ module Contrast
|
|
39
40
|
|
40
41
|
# Cases where rules should be excluded if violated from a given input.
|
41
42
|
#
|
42
|
-
# @return input_exclusions [Array<Contrast::Agent::Reporting::Settings::
|
43
|
+
# @return input_exclusions [Array<Contrast::Agent::Reporting::Settings::InputExclusion>]
|
43
44
|
# Array of InputExclusions
|
44
45
|
def input_exclusions
|
45
46
|
@_input_exclusions ||= []
|
@@ -48,6 +48,13 @@ module Contrast
|
|
48
48
|
result.slice!(idx + 1)
|
49
49
|
result.index('_') ? no_more_underscore(result).to_sym : result.to_sym
|
50
50
|
end
|
51
|
+
|
52
|
+
# rule_id => rule-id
|
53
|
+
#
|
54
|
+
# @param id [String]
|
55
|
+
def to_rule_id id
|
56
|
+
id.to_s.tr('_', '-')
|
57
|
+
end
|
51
58
|
end
|
52
59
|
end
|
53
60
|
end
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/agent/reporting/settings/
|
4
|
+
require 'contrast/agent/reporting/settings/url_exclusion'
|
5
5
|
require 'contrast/utils/object_share'
|
6
6
|
|
7
7
|
module Contrast
|
@@ -9,11 +9,17 @@ module Contrast
|
|
9
9
|
module Reporting
|
10
10
|
module Settings
|
11
11
|
# InputExclusions class
|
12
|
-
class InputExclusion <
|
13
|
-
ATTRIBUTES =
|
12
|
+
class InputExclusion < UrlExclusion
|
13
|
+
ATTRIBUTES = UrlExclusion::ATTRIBUTES.dup << :type
|
14
14
|
ATTRIBUTES.cs__freeze
|
15
15
|
VALID_INPUT_TYPES = %w[COOKIE PARAMETER HEADER BODY QUERYSTRING].cs__freeze
|
16
16
|
|
17
|
+
# @return [String] the name of the input to match
|
18
|
+
attr_accessor :input_name
|
19
|
+
|
20
|
+
# @return [String] the type of the input to match
|
21
|
+
attr_accessor :input_type
|
22
|
+
|
17
23
|
# @return type [String] The type of the input
|
18
24
|
def type
|
19
25
|
@_type ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
@@ -2,8 +2,6 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
|
-
require 'contrast/api/dtm.pb'
|
6
|
-
require 'contrast/api/settings.pb'
|
7
5
|
|
8
6
|
module Contrast
|
9
7
|
module Agent
|
@@ -79,23 +77,25 @@ module Contrast
|
|
79
77
|
|
80
78
|
modes_by_id = {}
|
81
79
|
protection_rules.each do |rule|
|
82
|
-
setting_mode = rule[:mode]
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
80
|
+
setting_mode = rule[:mode] || rule['mode']
|
81
|
+
api_mode = if PROTECT_RULES_MODE.include?(setting_mode)
|
82
|
+
case setting_mode
|
83
|
+
when PROTECT_RULES_MODE[1]
|
84
|
+
:MONITOR
|
85
|
+
when PROTECT_RULES_MODE[2]
|
86
|
+
if rule[:blockAtEntry] || rule['blockAtEntry']
|
87
|
+
:BLOCK_AT_PERIMETER
|
88
|
+
else
|
89
|
+
:BLOCK
|
90
|
+
end
|
91
91
|
else
|
92
|
-
|
92
|
+
:NO_ACTION
|
93
93
|
end
|
94
94
|
else
|
95
|
-
|
95
|
+
setting_mode.to_sym
|
96
96
|
end
|
97
|
-
|
98
|
-
modes_by_id[
|
97
|
+
id = rule[:id] || rule['id']
|
98
|
+
modes_by_id[id] = api_mode
|
99
99
|
end
|
100
100
|
modes_by_id
|
101
101
|
end
|
@@ -17,6 +17,10 @@ module Contrast
|
|
17
17
|
# Application level settings for the Protect featureset.
|
18
18
|
# Used for the FeatureSet TS response
|
19
19
|
class ProtectServerFeature
|
20
|
+
PROTECT_RULES_KEYS = %i[
|
21
|
+
cmd_injection method_tampering nosql_injection path_traversal redos reflected_xss sql_injection
|
22
|
+
ssrf unsafe_file_upload untrusted_deserialization xxe
|
23
|
+
].cs__freeze
|
20
24
|
# Indicate if the protect feature set is enabled for this server or not.
|
21
25
|
#
|
22
26
|
# @return enabled [Boolean]
|
@@ -32,6 +36,21 @@ module Contrast
|
|
32
36
|
@_enabled = enabled
|
33
37
|
end
|
34
38
|
|
39
|
+
# When false, the agent should not track observations.
|
40
|
+
# when true, the agent should track observed usage of protect URLs
|
41
|
+
# { enable: true }
|
42
|
+
#
|
43
|
+
# @return observability [Boolean]
|
44
|
+
def observability
|
45
|
+
@_observability
|
46
|
+
end
|
47
|
+
|
48
|
+
# @param enable [Boolean]
|
49
|
+
# @return observability [Boolean]
|
50
|
+
def observability= enable
|
51
|
+
@_observability = enable
|
52
|
+
end
|
53
|
+
|
35
54
|
# Indicate if the bot protection feature set is enabled for this server or not.
|
36
55
|
#
|
37
56
|
# @return bot_blocker [Contrast::Agent::Reporting::Settings::BotBlocker]
|
@@ -149,6 +168,23 @@ module Contrast
|
|
149
168
|
list)
|
150
169
|
end
|
151
170
|
|
171
|
+
# Transforms ServerSettings hash rules to definition_list
|
172
|
+
#
|
173
|
+
# @param rules [Hash]
|
174
|
+
def rules_to_definition_list rules
|
175
|
+
return unless rules&.cs__is_a?(Hash)
|
176
|
+
|
177
|
+
definition_list = []
|
178
|
+
rules.slice(*PROTECT_RULES_KEYS).each_pair do |key, rule|
|
179
|
+
new_entry = Contrast::Agent::Reporting::Settings::RuleDefinition.new
|
180
|
+
new_entry.name = Contrast::Agent::Reporting::Settings::Helpers.to_rule_id(key)
|
181
|
+
new_entry.patterns = rule[:patterns]
|
182
|
+
new_entry.keywords = rule[:keywords]
|
183
|
+
definition_list << new_entry
|
184
|
+
end
|
185
|
+
@_rule_definition_list = definition_list
|
186
|
+
end
|
187
|
+
|
152
188
|
# Controls for the syslogging feature in the agent.
|
153
189
|
#
|
154
190
|
# @return syslog [Contrast::Agent::Reporting::Settings::Syslog]
|
@@ -175,13 +211,14 @@ module Contrast
|
|
175
211
|
{
|
176
212
|
botBlockers: bot_blocker.bots.map(&:to_controlled_hash),
|
177
213
|
enabled: enabled?,
|
214
|
+
observability: observability, # used with ServerSettings only
|
178
215
|
logEnhancers: log_enhancers.map(&:to_controlled_hash),
|
179
216
|
ipDenylist: ip_denylist.map(&:to_controlled_hash),
|
180
217
|
ipAllowlist: ip_allowlist.map(&:to_controlled_hash),
|
181
|
-
syslog: syslog.to_controlled_hash,
|
218
|
+
syslog: syslog.settings_blank? ? nil : syslog.to_controlled_hash, # used with ServerSettings only
|
182
219
|
ruleDefinitionList: rule_definition_list.map(&:to_controlled_hash),
|
183
220
|
'bot-blocker': bot_blocker.to_controlled_hash
|
184
|
-
}
|
221
|
+
}.compact
|
185
222
|
end
|
186
223
|
end
|
187
224
|
end
|
@@ -12,6 +12,9 @@ module Contrast
|
|
12
12
|
class RuleDefinition
|
13
13
|
ATTRIBUTES = %i[name keywords patterns].cs__freeze
|
14
14
|
|
15
|
+
# For the ServerSettings this name is not used instead it is used as key to the keywords and patterns
|
16
|
+
# arrays. It is used in the agent startup message.
|
17
|
+
#
|
15
18
|
# @return name [String] Name of the rule
|
16
19
|
attr_accessor :name
|
17
20
|
|
@@ -0,0 +1,77 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/reporting/settings/syslog'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
module Settings
|
10
|
+
# this class will hold the security logger settings.
|
11
|
+
class SecurityLogger
|
12
|
+
def initialize
|
13
|
+
@blank = true
|
14
|
+
end
|
15
|
+
|
16
|
+
# check to see if object is being used
|
17
|
+
#
|
18
|
+
# @return [Boolean]
|
19
|
+
def settings_blank?
|
20
|
+
@blank
|
21
|
+
end
|
22
|
+
|
23
|
+
# Set the state of settings
|
24
|
+
#
|
25
|
+
# @return [Boolean]
|
26
|
+
def not_blank!
|
27
|
+
@blank = false
|
28
|
+
end
|
29
|
+
|
30
|
+
# The level at which the agent should log. Overridden by agent.logger.level
|
31
|
+
# if set in a local configuration
|
32
|
+
#
|
33
|
+
# @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
|
34
|
+
def log_level
|
35
|
+
@_log_level ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
36
|
+
end
|
37
|
+
|
38
|
+
# set the log level
|
39
|
+
#
|
40
|
+
# @param log_level [String]
|
41
|
+
# @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
|
42
|
+
def log_level= log_level
|
43
|
+
@_log_level = log_level if log_level.is_a?(String)
|
44
|
+
end
|
45
|
+
|
46
|
+
# Where to log the agent's log file, if set by the user. Overridden by agent.logger.path
|
47
|
+
# if set in a local configuration.
|
48
|
+
#
|
49
|
+
# @return log_file [String] path
|
50
|
+
def log_file
|
51
|
+
@_log_file ||= Contrast::Utils::ObjectShare::EMPTY_STRING
|
52
|
+
end
|
53
|
+
|
54
|
+
# Set the log file
|
55
|
+
#
|
56
|
+
# @param log_file [String] path
|
57
|
+
# @return log_file [String] path
|
58
|
+
def log_file= log_file
|
59
|
+
@_log_file = log_file if log_file.is_a?(String)
|
60
|
+
end
|
61
|
+
|
62
|
+
def syslog
|
63
|
+
@_syslog ||= Contrast::Agent::Reporting::Settings::Syslog.new
|
64
|
+
end
|
65
|
+
|
66
|
+
def to_controlled_hash
|
67
|
+
{
|
68
|
+
level: log_level,
|
69
|
+
path: log_file,
|
70
|
+
syslog: syslog.to_controlled_hash
|
71
|
+
}
|
72
|
+
end
|
73
|
+
end
|
74
|
+
end
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
@@ -4,6 +4,7 @@
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
5
|
require 'contrast/agent/reporting/settings/assess_server_feature'
|
6
6
|
require 'contrast/agent/reporting/settings/protect_server_feature'
|
7
|
+
require 'contrast/agent/reporting/settings/security_logger'
|
7
8
|
|
8
9
|
module Contrast
|
9
10
|
module Agent
|
@@ -46,6 +47,13 @@ module Contrast
|
|
46
47
|
@_log_file = log_file if log_file.is_a?(String)
|
47
48
|
end
|
48
49
|
|
50
|
+
# Class holding security logger settings:
|
51
|
+
#
|
52
|
+
# @return [Contrast::Agent::Reporting::Settings::SecurityLogger]
|
53
|
+
def security_logger
|
54
|
+
@_security_logger ||= Contrast::Agent::Reporting::Settings::SecurityLogger.new
|
55
|
+
end
|
56
|
+
|
49
57
|
# Controls for the reporting of telemetry events from the agent to TeamServer.
|
50
58
|
# This is NOT for the agent telemetry feature collecting metrics sent to other services.
|
51
59
|
#
|
@@ -74,6 +82,7 @@ module Contrast
|
|
74
82
|
|
75
83
|
def to_controlled_hash
|
76
84
|
{
|
85
|
+
security_logger: security_logger.settings_blank? ? nil : security_logger.to_controlled_hash,
|
77
86
|
assessment: @_assess ? assess.to_controlled_hash : {},
|
78
87
|
defend: @_protect ? protect.to_controlled_hash : {},
|
79
88
|
telemetry: telemetry
|
@@ -14,15 +14,24 @@ module Contrast
|
|
14
14
|
# severity_blocked, severity_blocked_perimeter, severity_exploited, severity_probed,
|
15
15
|
# severity_probed_perimeter
|
16
16
|
SEVERITIES = %w[ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG].cs__freeze
|
17
|
-
|
17
|
+
# Order and elements matter, the same setter must be called against same response field.
|
18
|
+
SYSLOG_METHODS_NG = %i[
|
18
19
|
enable= ip= port= facility= protocol= connection_type= severity_exploited= severity_blocked=
|
19
20
|
severity_probed= severity_probed_suspicious= severity_blocked_perimeter= severity_probed_perimeter=
|
20
21
|
].cs__freeze
|
21
|
-
|
22
|
+
SYSLOG_RESPONSE_KEYS_NG = %i[
|
22
23
|
syslogEnabled syslogIpAddress syslogPortNumber syslogFacilityCode syslogProtocol
|
23
24
|
syslogConnectionType syslogSeverityExploited syslogSeverityBlocked syslogSeverityProbed
|
24
25
|
syslogSeveritySuspicious syslogSeverityBlockedPerimeter syslogSeverityProbedPerimeter
|
25
26
|
].cs__freeze
|
27
|
+
SYSLOG_METHODS = %i[
|
28
|
+
enable= ip= port= facility= connection_type= severity_blocked= severity_blocked_perimeter=
|
29
|
+
severity_exploited= severity_probed= severity_probed_perimeter=
|
30
|
+
].cs__freeze
|
31
|
+
SYSLOG_RESPONSE_KEYS = %i[
|
32
|
+
enable ip facility connection_type severity_blocked severity_blocked_perimeter severity_exploited
|
33
|
+
severity_probed severity_probed_perimeter
|
34
|
+
].cs__freeze
|
26
35
|
|
27
36
|
# @return enable [Boolean]
|
28
37
|
attr_accessor :enable
|
@@ -40,6 +49,21 @@ module Contrast
|
|
40
49
|
@ip = Contrast::Utils::ObjectShare::EMPTY_STRING
|
41
50
|
@port = 0
|
42
51
|
@facility = 0
|
52
|
+
@blank = true
|
53
|
+
end
|
54
|
+
|
55
|
+
# check to see if object is being used
|
56
|
+
#
|
57
|
+
# @return [Boolean]
|
58
|
+
def settings_blank?
|
59
|
+
@blank
|
60
|
+
end
|
61
|
+
|
62
|
+
# Set the state of settings
|
63
|
+
#
|
64
|
+
# @return [Boolean]
|
65
|
+
def not_blank!
|
66
|
+
@blank = false
|
43
67
|
end
|
44
68
|
|
45
69
|
# @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
|
@@ -134,10 +158,15 @@ module Contrast
|
|
134
158
|
end
|
135
159
|
|
136
160
|
# @param settings_array [Array] Settings retrieved from response
|
137
|
-
|
138
|
-
|
139
|
-
|
161
|
+
# @param ng_ [Boolean]
|
162
|
+
def assign_array settings_array, ng_: true
|
163
|
+
methods = ng_ ? SYSLOG_METHODS_NG : SYSLOG_METHODS
|
164
|
+
response_keys = ng_ ? SYSLOG_RESPONSE_KEYS_NG : SYSLOG_RESPONSE_KEYS
|
165
|
+
|
166
|
+
methods.each_with_index do |method, index|
|
167
|
+
send(method, settings_array[response_keys[index]])
|
140
168
|
end
|
169
|
+
not_blank!
|
141
170
|
end
|
142
171
|
|
143
172
|
def to_controlled_hash
|
@@ -74,7 +74,9 @@ module Contrast
|
|
74
74
|
# @return uri [String]
|
75
75
|
def normalized_uri
|
76
76
|
@_normalized_uri ||= begin
|
77
|
-
path = rack_request.path_info
|
77
|
+
path = rack_request.path_info || rack_request.path.to_s
|
78
|
+
path = '/' if path.empty?
|
79
|
+
|
78
80
|
uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0] # remove ;jsessionid
|
79
81
|
uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
|
80
82
|
uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER) # replace interior tokens
|
@@ -142,19 +144,6 @@ module Contrast
|
|
142
144
|
@_body
|
143
145
|
end
|
144
146
|
|
145
|
-
# REMOVE_DTM_REQUEST
|
146
|
-
#
|
147
|
-
# Unlike most of our translation, which is called where needed for each
|
148
|
-
# message and forgotten, we'll leave this method to call the build as we
|
149
|
-
# don't want to pay to reconstruct the DTM for this Request multiple
|
150
|
-
# times.
|
151
|
-
#
|
152
|
-
# @return [Contrast::Api::Dtm::HttpRequest] the SpeedRacer compatible
|
153
|
-
# form of this Request
|
154
|
-
def dtm
|
155
|
-
@_dtm ||= Contrast::Api::Dtm::HttpRequest.build(self)
|
156
|
-
end
|
157
|
-
|
158
147
|
# flattened hash of request params
|
159
148
|
#
|
160
149
|
# @return parameters [Hash]
|
@@ -1,7 +1,6 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/api/dtm.pb'
|
5
4
|
require 'contrast/utils/timer'
|
6
5
|
require 'contrast/agent/request'
|
7
6
|
require 'contrast/agent/response'
|
@@ -24,7 +23,7 @@ module Contrast
|
|
24
23
|
include Contrast::Utils::RequestUtils
|
25
24
|
include Contrast::Agent::RequestContextExtend
|
26
25
|
|
27
|
-
|
26
|
+
INPUT_ANALYSIS = Contrast::Agent::Reporting::InputAnalysis.new
|
28
27
|
|
29
28
|
# @return [Contrast::Agent::Reporting:ApplicationActivity] the application activity found in this request
|
30
29
|
attr_reader :activity
|
@@ -39,8 +38,8 @@ module Contrast
|
|
39
38
|
attr_reader :response
|
40
39
|
# @return [Contrast::Agent::Reporting::RouteDiscovery] the route, used for findings, of this request
|
41
40
|
attr_reader :discovered_route
|
42
|
-
# @return [Contrast::
|
43
|
-
attr_reader :
|
41
|
+
# @return [Contrast::Agent::Reporting::InputAnalysis]
|
42
|
+
attr_reader :agent_input_analysis
|
44
43
|
# @return [Array<String>] the hash of findings already reported fro this request
|
45
44
|
attr_reader :reported_findings
|
46
45
|
# @return [Contrast::Utils::Timer] when the context was created
|
@@ -55,15 +54,13 @@ module Contrast
|
|
55
54
|
@logging_hash = { request_id: __id__ }
|
56
55
|
|
57
56
|
# instantiate helper for request and response
|
58
|
-
@request = Contrast::Agent::Request.new(rack_request)
|
57
|
+
@request = Contrast::Agent::Request.new(rack_request) if rack_request
|
59
58
|
@activity = Contrast::Agent::Reporting::ApplicationActivity.new
|
60
59
|
|
61
60
|
# build analyzer
|
62
61
|
@do_not_track = false
|
63
|
-
@
|
64
|
-
|
65
|
-
|
66
|
-
# TODO: RUBY-1627
|
62
|
+
@agent_input_analysis = INPUT_ANALYSIS
|
63
|
+
agent_input_analysis.request = request
|
67
64
|
|
68
65
|
# flag to indicate whether the app is fully loaded
|
69
66
|
@app_loaded = !!app_loaded
|
@@ -20,12 +20,9 @@ module Contrast
|
|
20
20
|
# This class extends RequestContexts: this class acts to encapsulate information about the currently
|
21
21
|
# executed request, making it available to the Agent for the duration of the request in a standardized
|
22
22
|
# and normalized format which the Agent understands.
|
23
|
-
module RequestContextExtend
|
23
|
+
module RequestContextExtend
|
24
24
|
include Contrast::Utils::CEFLogUtils
|
25
25
|
include Contrast::Components::Logger::InstanceMethods
|
26
|
-
BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
|
27
|
-
CEF_LOGGING_RULES = %w[bot-blocker virtual-patch ip-denylist].cs__freeze
|
28
|
-
|
29
26
|
# Convert the discovered route for this request to appropriate forms and disseminate it to those locations
|
30
27
|
# where it is necessary for our route coverage and finding vulnerability discovery features to function.
|
31
28
|
#
|
@@ -43,55 +40,24 @@ module Contrast
|
|
43
40
|
@request.discovered_route = @discovered_route
|
44
41
|
end
|
45
42
|
|
43
|
+
# If protect is enabled for this request, examine said request for any possible attack input. If those inputs
|
44
|
+
# provided match a rule which should block at the perimeter, that will be raised here.
|
45
|
+
#
|
46
46
|
# @raise [Contrast::SecurityException]
|
47
|
-
def
|
47
|
+
def protect_input_analysis
|
48
48
|
return false unless ::Contrast::AGENT.enabled?
|
49
49
|
return false unless ::Contrast::PROTECT.enabled?
|
50
50
|
return false if @do_not_track
|
51
51
|
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
handle_protect_state(service_response)
|
56
|
-
ia = service_response.input_analysis
|
57
|
-
if ia
|
58
|
-
service_extract_logging(ia)
|
59
|
-
# TODO: RUBY-1629
|
60
|
-
# using Agent analysis
|
61
|
-
# initialize_agent_input_analysis request
|
62
|
-
|
63
|
-
@speedracer_input_analysis = ia
|
64
|
-
speedracer_input_analysis.request = request
|
52
|
+
if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
|
53
|
+
@agent_input_analysis = ia
|
65
54
|
else
|
66
|
-
logger.trace('Analysis from
|
67
|
-
false
|
55
|
+
logger.trace('Analysis from Agent was empty.')
|
68
56
|
end
|
69
57
|
rescue Contrast::SecurityException => e
|
70
58
|
raise(e)
|
71
59
|
rescue StandardError => e
|
72
|
-
logger.warn('Unable to extract
|
73
|
-
false
|
74
|
-
end
|
75
|
-
|
76
|
-
# NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
|
77
|
-
# indicates a security exception should be thrown. This method ensures that the attack reports are generated.
|
78
|
-
# Normally these should be generated on Speedracer for any attacks detected during prefilter.
|
79
|
-
#
|
80
|
-
# @param agent_settings [Contrast::Api::Settings::AgentSettings]
|
81
|
-
# @raise[Contrast::SecurityException]
|
82
|
-
def handle_protect_state agent_settings
|
83
|
-
return unless agent_settings&.protect_state
|
84
|
-
|
85
|
-
state = agent_settings.protect_state
|
86
|
-
@uuid = state.uuid
|
87
|
-
@do_not_track = true unless state.track_request
|
88
|
-
return unless state.security_exception
|
89
|
-
|
90
|
-
# make sure the activity get send before the error
|
91
|
-
# If Contrast Service has NOT handled the input analysis, handle them here
|
92
|
-
build_attack_results(agent_settings)
|
93
|
-
logger.debug('Contrast Service said to block this request')
|
94
|
-
raise(Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior')))
|
60
|
+
logger.warn('Unable to extract protect information from request', e)
|
95
61
|
end
|
96
62
|
|
97
63
|
# append anything we've learned to the request seen message this is the sum-total of all inventory information
|
@@ -114,111 +80,6 @@ module Contrast
|
|
114
80
|
rescue StandardError => e
|
115
81
|
logger.error('Unable to extract information after request', e)
|
116
82
|
end
|
117
|
-
|
118
|
-
# This here is for things we don't have implemented
|
119
|
-
def log_to_cef
|
120
|
-
activity.defend.attackers.each { |attacker| logging_logic(attacker.protection_rules) }
|
121
|
-
end
|
122
|
-
|
123
|
-
# @param input_analysis [Contrast::Api::Settings::InputAnalysis]
|
124
|
-
def service_extract_logging input_analysis
|
125
|
-
log_to_cef
|
126
|
-
logger.trace('Analysis from Contrast Service', evaluations: input_analysis.results.length) if logger.trace?
|
127
|
-
logger.trace('Results', input_analysis: input_analysis.inspect) if logger.trace?
|
128
|
-
end
|
129
|
-
|
130
|
-
private
|
131
|
-
|
132
|
-
# Generate attack results directly from any evaluations on the agent settings object.
|
133
|
-
#
|
134
|
-
# @param agent_settings [Contrast::Api::Settings::AgentSettings]
|
135
|
-
def build_attack_results agent_settings
|
136
|
-
return unless agent_settings&.input_analysis&.results&.any?
|
137
|
-
|
138
|
-
results_by_rule = {}
|
139
|
-
agent_settings.input_analysis.results.each do |ia_result|
|
140
|
-
rule_id = ia_result.rule_id
|
141
|
-
rule = ::Contrast::PROTECT.rule(rule_id)
|
142
|
-
next unless rule
|
143
|
-
|
144
|
-
logger.debug(BUILD_ATTACK_LOGGER_MESSAGE, result: ia_result.inspect) if logger.debug?
|
145
|
-
results_by_rule[rule_id] = attack_result(rule, rule_id, ia_result, results_by_rule)
|
146
|
-
end
|
147
|
-
|
148
|
-
results_by_rule.each_pair do |_, attack_result|
|
149
|
-
logger.info('Blocking attack result', rule: attack_result.rule_id)
|
150
|
-
activity.attach_defend(attack_result)
|
151
|
-
end
|
152
|
-
end
|
153
|
-
|
154
|
-
# Generates the attack result
|
155
|
-
#
|
156
|
-
# @param rule [Contrast::Agent::Protect::Rule, Contrast::Agent::Assess::Rule]
|
157
|
-
# @param rule_id [String] String name of the rule
|
158
|
-
# @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
|
159
|
-
# analysis of the input that was determined to be an attack
|
160
|
-
# @param results_by_rule [Hash] attack results from any evaluations on the agent settings object.
|
161
|
-
# @return [Contrast::Api::Dtm::AttackResult] the attack result from this input
|
162
|
-
def attack_result rule, rule_id, ia_result, results_by_rule
|
163
|
-
@_attack_result = if rule.mode == :BLOCK
|
164
|
-
# special case for rules (like reflected xss) that used to have an infilter / block mode
|
165
|
-
# but now are just block at perimeter
|
166
|
-
rule.build_attack_with_match(self, ia_result, results_by_rule[rule_id], ia_result.value)
|
167
|
-
else
|
168
|
-
rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
|
169
|
-
end
|
170
|
-
end
|
171
|
-
|
172
|
-
# @param protection_rules [Array<rule_id => Contrast::Agent::Reporting::ApplicationDefendAttackActivity>] Array
|
173
|
-
# of all protection rules per active attackers of this request life cycle.
|
174
|
-
def logging_logic protection_rules
|
175
|
-
protection_rules.any? do |rule_id, activity|
|
176
|
-
next unless CEF_LOGGING_RULES.include?(rule_id)
|
177
|
-
|
178
|
-
outcome = activity.response_type
|
179
|
-
rule_details = details_builder(outcome, activity)
|
180
|
-
case rule_id
|
181
|
-
when /bot-blocker/i
|
182
|
-
cef_logger.bot_blocking_message(rule_details.to_controlled_hash, outcome) if rule_details
|
183
|
-
when /virtual-patch/i
|
184
|
-
cef_logger.virtual_patch_message(rule_details.to_controlled_hash, outcome) if rule_details
|
185
|
-
when /ip-denylist/i
|
186
|
-
sender_ip = extract_sender_ip
|
187
|
-
next unless sender_ip
|
188
|
-
next unless rule_details && rule_details.ip == sender_ip
|
189
|
-
|
190
|
-
cef_logger.ip_denylisted_message(sender_ip, rule_details.to_controlled_hash, outcome)
|
191
|
-
end
|
192
|
-
end
|
193
|
-
end
|
194
|
-
|
195
|
-
# @param outcome [Symbol<Contrast::Agent::Reporting::ResponseType>]
|
196
|
-
# @param activity [Contrast::Agent::Reporting::ApplicationDefendAttackActivity]
|
197
|
-
def details_builder outcome, activity
|
198
|
-
case outcome
|
199
|
-
when ::Contrast::Agent::Reporting::ResponseType::BLOCKED
|
200
|
-
blocked = activity.blocked
|
201
|
-
get_details(blocked)
|
202
|
-
when ::Contrast::Agent::Reporting::ResponseType::MONITORED
|
203
|
-
exploited = activity.exploited
|
204
|
-
get_details(exploited)
|
205
|
-
when ::Contrast::Agent::Reporting::ResponseType::PROBED
|
206
|
-
ineffective = activity.ineffective
|
207
|
-
get_details(ineffective)
|
208
|
-
when ::Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
|
209
|
-
activity.suspicious.samples[0].details
|
210
|
-
suspicious = activity.suspicious
|
211
|
-
get_details(suspicious)
|
212
|
-
end
|
213
|
-
end
|
214
|
-
|
215
|
-
# @param type [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
|
216
|
-
# @return details [Contrast::Agent::Reporting::ProtectRuleDetails] depends on rule
|
217
|
-
def get_details type
|
218
|
-
sample = nil
|
219
|
-
sample = type.samples[0] unless type.samples.empty?
|
220
|
-
sample&.details
|
221
|
-
end
|
222
83
|
end
|
223
84
|
end
|
224
85
|
end
|
@@ -21,18 +21,13 @@ module Contrast
|
|
21
21
|
@ruleset = ::Contrast::AGENT.ruleset
|
22
22
|
end
|
23
23
|
|
24
|
-
# reports events[Contrast::Agent::Reporting::
|
25
|
-
#
|
26
|
-
#
|
27
|
-
|
28
|
-
def report_activity
|
24
|
+
# reports events[Contrast::Agent::Reporting::ObservedRoute] to TS
|
25
|
+
# Other ReportingEvents are handled through batching in the middleware
|
26
|
+
#
|
27
|
+
def report_observed_route
|
29
28
|
return unless (reporter = Contrast::Agent.reporter)
|
30
29
|
|
31
|
-
reporter.send_event(context.observed_route)
|
32
|
-
# Mask Sensitive Data
|
33
|
-
Contrast::Agent::Reporting::Masker.mask(context.activity)
|
34
|
-
event = context.activity
|
35
|
-
reporter.send_event(event)
|
30
|
+
reporter.send_event(context.observed_route) if Contrast::ROUTES_SENT.sendable?(context.observed_route)
|
36
31
|
end
|
37
32
|
|
38
33
|
# If the response is streaming, we should only perform filtering on our stream safe rules
|