contrast-agent 6.7.0 → 6.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +0 -2
- data/.simplecov +0 -1
- data/Rakefile +0 -1
- data/ext/cs__assess_array/cs__assess_array.c +41 -10
- data/ext/cs__assess_array/cs__assess_array.h +4 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -3
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +11 -11
- data/lib/contrast/agent/assess.rb +0 -1
- data/lib/contrast/agent/excluder.rb +53 -35
- data/lib/contrast/agent/exclusion_matcher.rb +21 -9
- data/lib/contrast/agent/middleware.rb +12 -6
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +116 -0
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +47 -55
- data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +20 -2
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +64 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +63 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
- data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +40 -13
- data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
- data/lib/contrast/agent/protect/rule/sqli.rb +74 -3
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
- data/lib/contrast/agent/protect/rule/xss.rb +15 -20
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +19 -40
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
- data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
- data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
- data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
- data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
- data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
- data/lib/contrast/agent/reporting/report.rb +1 -0
- data/lib/contrast/agent/reporting/reporter.rb +35 -14
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +3 -9
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +16 -13
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +12 -7
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +6 -1
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +6 -6
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +239 -93
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +10 -23
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +10 -9
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +12 -0
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +43 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +8 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +58 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +4 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +77 -16
- data/lib/contrast/agent/reporting/server_settings_worker.rb +44 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +14 -2
- data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
- data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
- data/lib/contrast/agent/reporting/settings/helpers.rb +7 -0
- data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +39 -2
- data/lib/contrast/agent/reporting/settings/rule_definition.rb +3 -0
- data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +9 -0
- data/lib/contrast/agent/reporting/settings/syslog.rb +34 -5
- data/lib/contrast/agent/request.rb +3 -14
- data/lib/contrast/agent/request_context.rb +6 -9
- data/lib/contrast/agent/request_context_extend.rb +9 -148
- data/lib/contrast/agent/request_handler.rb +5 -10
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +37 -18
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +6 -11
- data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
- data/lib/contrast/agent_lib/api/init.rb +101 -0
- data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
- data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
- data/lib/contrast/agent_lib/api/panic.rb +87 -0
- data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
- data/lib/contrast/agent_lib/interface.rb +260 -0
- data/lib/contrast/agent_lib/interface_base.rb +118 -0
- data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
- data/lib/contrast/agent_lib/test.rb +29 -0
- data/lib/contrast/api/communication/connection_status.rb +20 -5
- data/lib/contrast/components/agent.rb +34 -14
- data/lib/contrast/components/api.rb +23 -0
- data/lib/contrast/components/app_context.rb +23 -5
- data/lib/contrast/components/app_context_extend.rb +0 -25
- data/lib/contrast/components/assess.rb +34 -4
- data/lib/contrast/components/assess_rules.rb +18 -0
- data/lib/contrast/components/base.rb +40 -0
- data/lib/contrast/components/config/sources.rb +95 -0
- data/lib/contrast/components/config.rb +19 -19
- data/lib/contrast/components/heap_dump.rb +10 -0
- data/lib/contrast/components/inventory.rb +15 -2
- data/lib/contrast/components/logger.rb +18 -0
- data/lib/contrast/components/polling.rb +36 -0
- data/lib/contrast/components/protect.rb +52 -2
- data/lib/contrast/components/ruby_component.rb +16 -1
- data/lib/contrast/components/sampling.rb +70 -13
- data/lib/contrast/components/security_logger.rb +13 -0
- data/lib/contrast/components/settings.rb +105 -90
- data/lib/contrast/config/certification_configuration.rb +14 -0
- data/lib/contrast/config/config.rb +46 -0
- data/lib/contrast/config/diagnostics.rb +114 -0
- data/lib/contrast/config/diagnostics_tools.rb +98 -0
- data/lib/contrast/config/effective_config.rb +65 -0
- data/lib/contrast/config/effective_config_value.rb +32 -0
- data/lib/contrast/config/exception_configuration.rb +12 -0
- data/lib/contrast/config/protect_rule_configuration.rb +8 -8
- data/lib/contrast/config/protect_rules_configuration.rb +23 -60
- data/lib/contrast/config/request_audit_configuration.rb +13 -0
- data/lib/contrast/config/server_configuration.rb +41 -2
- data/lib/contrast/configuration.rb +29 -12
- data/lib/contrast/extension/assess/array.rb +9 -0
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/delegator.rb +2 -0
- data/lib/contrast/framework/manager.rb +3 -1
- data/lib/contrast/framework/rails/railtie.rb +0 -1
- data/lib/contrast/framework/rails/support.rb +0 -1
- data/lib/contrast/tasks/config.rb +1 -8
- data/lib/contrast/utils/assess/event_limit_utils.rb +31 -9
- data/lib/contrast/utils/assess/trigger_method_utils.rb +5 -4
- data/lib/contrast/utils/duck_utils.rb +1 -0
- data/lib/contrast/utils/hash_digest.rb +2 -2
- data/lib/contrast/utils/input_classification_base.rb +155 -0
- data/lib/contrast/utils/os.rb +0 -20
- data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +81 -0
- data/lib/contrast/utils/response_utils.rb +0 -16
- data/lib/contrast/utils/routes_sent.rb +60 -0
- data/lib/contrast/utils/stack_trace_utils.rb +3 -15
- data/lib/contrast/utils/string_utils.rb +10 -7
- data/lib/contrast/utils/telemetry_client.rb +1 -2
- data/lib/contrast/utils/timer.rb +16 -0
- data/lib/contrast.rb +5 -4
- data/resources/protect/policy.json +1 -2
- data/ruby-agent.gemspec +7 -6
- metadata +69 -130
- data/exe/contrast_service +0 -23
- data/lib/contrast/agent/assess/contrast_event.rb +0 -157
- data/lib/contrast/agent/assess/events/event_factory.rb +0 -34
- data/lib/contrast/agent/assess/events/source_event.rb +0 -46
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
- data/lib/contrast/agent/reaction_processor.rb +0 -47
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +0 -36
- data/lib/contrast/agent/service_heartbeat.rb +0 -35
- data/lib/contrast/api/communication/messaging_queue.rb +0 -128
- data/lib/contrast/api/communication/response_processor.rb +0 -90
- data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
- data/lib/contrast/api/communication/socket.rb +0 -44
- data/lib/contrast/api/communication/socket_client.rb +0 -130
- data/lib/contrast/api/communication/speedracer.rb +0 -138
- data/lib/contrast/api/communication/tcp_socket.rb +0 -32
- data/lib/contrast/api/communication/unix_socket.rb +0 -28
- data/lib/contrast/api/communication.rb +0 -20
- data/lib/contrast/api/decorators/address.rb +0 -59
- data/lib/contrast/api/decorators/agent_startup.rb +0 -56
- data/lib/contrast/api/decorators/application_settings.rb +0 -43
- data/lib/contrast/api/decorators/application_startup.rb +0 -56
- data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
- data/lib/contrast/api/decorators/http_request.rb +0 -137
- data/lib/contrast/api/decorators/input_analysis.rb +0 -18
- data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
- data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
- data/lib/contrast/api/decorators/message.rb +0 -67
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
- data/lib/contrast/api/decorators/response_type.rb +0 -17
- data/lib/contrast/api/decorators/server_features.rb +0 -25
- data/lib/contrast/api/decorators/user_input.rb +0 -51
- data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
- data/lib/contrast/api/decorators.rb +0 -22
- data/lib/contrast/api/dtm.pb.rb +0 -363
- data/lib/contrast/api/settings.pb.rb +0 -500
- data/lib/contrast/api.rb +0 -16
- data/lib/contrast/components/contrast_service.rb +0 -88
- data/lib/contrast/components/service.rb +0 -55
- data/lib/contrast/tasks/service.rb +0 -84
- data/lib/contrast/utils/input_classification.rb +0 -73
- data/lib/protobuf/code_generator.rb +0 -129
- data/lib/protobuf/decoder.rb +0 -28
- data/lib/protobuf/deprecation.rb +0 -117
- data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
- data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
- data/lib/protobuf/descriptors.rb +0 -3
- data/lib/protobuf/encoder.rb +0 -11
- data/lib/protobuf/enum.rb +0 -365
- data/lib/protobuf/exceptions.rb +0 -9
- data/lib/protobuf/field/base_field.rb +0 -380
- data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
- data/lib/protobuf/field/bool_field.rb +0 -64
- data/lib/protobuf/field/bytes_field.rb +0 -67
- data/lib/protobuf/field/double_field.rb +0 -25
- data/lib/protobuf/field/enum_field.rb +0 -56
- data/lib/protobuf/field/field_array.rb +0 -102
- data/lib/protobuf/field/field_hash.rb +0 -122
- data/lib/protobuf/field/fixed32_field.rb +0 -25
- data/lib/protobuf/field/fixed64_field.rb +0 -28
- data/lib/protobuf/field/float_field.rb +0 -43
- data/lib/protobuf/field/int32_field.rb +0 -21
- data/lib/protobuf/field/int64_field.rb +0 -34
- data/lib/protobuf/field/integer_field.rb +0 -23
- data/lib/protobuf/field/message_field.rb +0 -51
- data/lib/protobuf/field/sfixed32_field.rb +0 -27
- data/lib/protobuf/field/sfixed64_field.rb +0 -28
- data/lib/protobuf/field/signed_integer_field.rb +0 -29
- data/lib/protobuf/field/sint32_field.rb +0 -21
- data/lib/protobuf/field/sint64_field.rb +0 -21
- data/lib/protobuf/field/string_field.rb +0 -51
- data/lib/protobuf/field/uint32_field.rb +0 -21
- data/lib/protobuf/field/uint64_field.rb +0 -21
- data/lib/protobuf/field/varint_field.rb +0 -77
- data/lib/protobuf/field.rb +0 -74
- data/lib/protobuf/generators/base.rb +0 -85
- data/lib/protobuf/generators/enum_generator.rb +0 -39
- data/lib/protobuf/generators/extension_generator.rb +0 -27
- data/lib/protobuf/generators/field_generator.rb +0 -193
- data/lib/protobuf/generators/file_generator.rb +0 -262
- data/lib/protobuf/generators/group_generator.rb +0 -122
- data/lib/protobuf/generators/message_generator.rb +0 -104
- data/lib/protobuf/generators/option_generator.rb +0 -17
- data/lib/protobuf/generators/printable.rb +0 -160
- data/lib/protobuf/generators/service_generator.rb +0 -50
- data/lib/protobuf/lifecycle.rb +0 -33
- data/lib/protobuf/logging.rb +0 -39
- data/lib/protobuf/message/fields.rb +0 -233
- data/lib/protobuf/message/serialization.rb +0 -85
- data/lib/protobuf/message.rb +0 -241
- data/lib/protobuf/optionable.rb +0 -72
- data/lib/protobuf/tasks/compile.rake +0 -80
- data/lib/protobuf/tasks.rb +0 -1
- data/lib/protobuf/varint.rb +0 -20
- data/lib/protobuf/varint_pure.rb +0 -31
- data/lib/protobuf/version.rb +0 -3
- data/lib/protobuf/wire_type.rb +0 -10
- data/lib/protobuf.rb +0 -91
- data/proto/dynamic_discovery.proto +0 -46
- data/proto/google/protobuf/compiler/plugin.proto +0 -183
- data/proto/google/protobuf/descriptor.proto +0 -911
- data/proto/rpc.proto +0 -71
- data/service_executables/.gitkeep +0 -0
- data/service_executables/VERSION +0 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
@@ -4,14 +4,21 @@
|
|
4
4
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
5
5
|
require 'contrast/agent/reporting/input_analysis/score_level'
|
6
6
|
require 'contrast/agent/reporting/input_analysis/input_analysis'
|
7
|
+
require 'contrast/agent/protect/rule/bot_blocker'
|
8
|
+
require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
|
9
|
+
require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
|
10
|
+
require 'contrast/agent/protect/rule/no_sqli'
|
7
11
|
require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
|
8
12
|
require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
|
9
13
|
require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
|
10
14
|
require 'contrast/agent/protect/rule/unsafe_file_upload'
|
15
|
+
require 'contrast/agent/protect/rule/path_traversal'
|
16
|
+
require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
|
17
|
+
require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
|
18
|
+
require 'contrast/agent/protect/rule/xss'
|
19
|
+
require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
|
11
20
|
require 'contrast/components/logger'
|
12
21
|
require 'contrast/utils/object_share'
|
13
|
-
require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
|
14
|
-
require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
|
15
22
|
require 'json'
|
16
23
|
|
17
24
|
module Contrast
|
@@ -20,131 +27,143 @@ module Contrast
|
|
20
27
|
# InputAnalyzer will extract input form current request context and will analyze it.
|
21
28
|
# This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
|
22
29
|
module InputAnalyzer
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
30
|
+
DISPOSITION_NAME = 'name'
|
31
|
+
DISPOSITION_FILENAME = 'filename'
|
32
|
+
DISPOSITION_KEYS = %w[Content-Disposition CONTENT_DISPOSITION].cs__freeze
|
33
|
+
|
34
|
+
class << self
|
35
|
+
include Contrast::Agent::Reporting::InputType
|
36
|
+
include Contrast::Agent::Reporting::ScoreLevel
|
37
|
+
include Contrast::Utils::ObjectShare
|
38
|
+
include Contrast::Components::Logger::InstanceMethods
|
39
|
+
|
40
|
+
PROTECT_RULES = {
|
41
|
+
sqli: {
|
42
|
+
rule_name: 'sql-injection',
|
43
|
+
classification: Contrast::Agent::Protect::Rule::SqliInputClassification
|
44
|
+
},
|
45
|
+
cmdi: {
|
46
|
+
rule_name: 'cmd-injection',
|
47
|
+
classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
|
48
|
+
},
|
49
|
+
# method_tampering: {
|
50
|
+
# rule_name: 'method-tampering',
|
51
|
+
# classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
|
52
|
+
# },
|
53
|
+
reflected_xss: {
|
54
|
+
rule_name: Contrast::Agent::Protect::Rule::Xss::NAME,
|
55
|
+
classification: Contrast::Agent::Protect::Rule::ReflectedXssInputClassification
|
56
|
+
},
|
57
|
+
bot_blocker: {
|
58
|
+
rule_name: Contrast::Agent::Protect::Rule::BotBlocker::NAME,
|
59
|
+
classification: Contrast::Agent::Protect::Rule::BotBlockerInputClassification
|
60
|
+
},
|
61
|
+
unsafe_file_upload: {
|
62
|
+
rule_name: Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
|
63
|
+
classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
|
64
|
+
},
|
65
|
+
path_traversal: {
|
66
|
+
rule_name: Contrast::Agent::Protect::Rule::PathTraversal::NAME,
|
67
|
+
classification: Contrast::Agent::Protect::Rule::PathTraversalInputClassification
|
68
|
+
},
|
69
|
+
nosqli: {
|
70
|
+
rule_name: Contrast::Agent::Protect::Rule::NoSqli::NAME,
|
71
|
+
classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
|
72
|
+
}
|
73
|
+
}.cs__freeze
|
74
|
+
|
75
|
+
# This method with analyze the user input from the context of the
|
76
|
+
# current request and run each of the protect rules against all
|
77
|
+
# found input types
|
78
|
+
#
|
79
|
+
# @param request [Contrast::Agent::Request] current request context.
|
80
|
+
# @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
|
81
|
+
def analyse request
|
82
|
+
return unless Contrast::PROTECT.enabled?
|
83
|
+
return if request.nil?
|
84
|
+
|
85
|
+
inputs = extract_input(request)
|
86
|
+
return unless inputs
|
87
|
+
|
88
|
+
input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
|
89
|
+
input_analysis.request = request
|
90
|
+
# each rule against each input
|
91
|
+
input_classification(inputs, input_analysis)
|
92
|
+
input_analysis
|
93
|
+
end
|
94
|
+
|
95
|
+
private
|
96
|
+
|
97
|
+
# classify input by rule implementation of worth_watching_v2 for the rules supporting it.
|
98
|
+
#
|
99
|
+
# @param inputs [String, Array<String>] user input to be analysed.
|
100
|
+
# @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
|
101
|
+
# for each protect rule.
|
102
|
+
# @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
|
103
|
+
def input_classification inputs, input_analysis
|
104
|
+
# key = input type, value = user_input
|
105
|
+
inputs.each do |input_type, value|
|
106
|
+
next if value.nil? || value.empty?
|
107
|
+
|
108
|
+
PROTECT_RULES.each do |_key, rule|
|
109
|
+
protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
|
110
|
+
logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
|
111
|
+
|
112
|
+
# check if rule is enabled
|
113
|
+
next unless protect_rule&.enabled?
|
114
|
+
|
115
|
+
# method tampering doesn't take value
|
116
|
+
if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
|
117
|
+
rule[:classification].send(:classify, rule[:rule_name], input_type, input_analysis)
|
118
|
+
else
|
119
|
+
rule[:classification].send(:classify, rule[:rule_name], input_type, value, input_analysis)
|
120
|
+
end
|
121
|
+
end
|
122
|
+
end
|
123
|
+
input_analysis
|
124
|
+
end
|
125
|
+
|
126
|
+
# Extract the inputs from the request context and label them with Protect
|
127
|
+
# input type tags. Each tag will contain one or more user inputs.
|
128
|
+
#
|
129
|
+
# This methods is to be expanded and modified as needed by other Protect rules
|
130
|
+
# and sub-rules for their requirements.
|
131
|
+
#
|
132
|
+
# @param request [Contrast::Agent::Request] current request context.
|
133
|
+
# @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
|
134
|
+
def extract_input request
|
135
|
+
inputs = {}
|
136
|
+
inputs[BODY] = request.body
|
137
|
+
inputs[COOKIE_NAME] = request.cookies.keys
|
138
|
+
inputs[COOKIE_VALUE] = request.cookies.values
|
139
|
+
inputs[HEADER] = request.headers
|
140
|
+
inputs[PARAMETER_NAME] = request.parameters.keys
|
141
|
+
inputs[PARAMETER_VALUE] = request.parameters.values
|
142
|
+
inputs[QUERYSTRING] = request.query_string
|
143
|
+
inputs[METHOD] = request.request_method
|
144
|
+
extract_multipart(inputs, request)
|
145
|
+
inputs.compact!
|
146
|
+
inputs
|
147
|
+
end
|
148
|
+
|
149
|
+
# Extract the filename and name of the Content Disposition Header.
|
150
|
+
#
|
151
|
+
# @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
|
152
|
+
# @param request [Contrast::Agent::Request] current request context.
|
153
|
+
def extract_multipart inputs, request
|
154
|
+
disposition = request.rack_request.env[DISPOSITION_KEYS[0]]
|
155
|
+
disposition = request.rack_request.env[DISPOSITION_KEYS[1]] if disposition.nil? || disposition.empty?
|
156
|
+
return unless disposition
|
157
|
+
|
158
|
+
pairs = {}
|
159
|
+
disposition.split(SEMICOLON).each do |elem|
|
160
|
+
new_pair = elem.strip.split(EQUALS, 2)
|
161
|
+
pairs[new_pair[0].downcase] = new_pair[1] if new_pair
|
162
|
+
end
|
163
|
+
inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
|
164
|
+
inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
|
165
|
+
end
|
166
|
+
end
|
148
167
|
end
|
149
168
|
end
|
150
169
|
end
|
@@ -0,0 +1,116 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/worker_thread'
|
5
|
+
require 'contrast/agent/reporting/input_analysis/score_level'
|
6
|
+
require 'contrast/agent/reporting/reporting_events/application_activity'
|
7
|
+
require 'contrast/utils/input_classification_base'
|
8
|
+
|
9
|
+
module Contrast
|
10
|
+
module Agent
|
11
|
+
module Protect
|
12
|
+
# WorthWatchingInputAnalyzer Perform analysis of input tracing v2 worthwatching results in a
|
13
|
+
# separate thread, should only be run at the end of the request.
|
14
|
+
# Currently only includes: cmd_injection & sqli_injection rules
|
15
|
+
class WorthWatchingInputAnalyzer < WorkerThread
|
16
|
+
include Timeout
|
17
|
+
include Contrast::Agent::Protect::Rule::InputClassificationBase
|
18
|
+
|
19
|
+
QUEUE_SIZE = 1000.cs__freeze
|
20
|
+
AGENTLIB_TIMEOUT = 5.cs__freeze
|
21
|
+
# max size of inputs to evaluate
|
22
|
+
INPUT_BYTESIZE_THRESHOLD = 100_000.cs__freeze
|
23
|
+
REPORT_INTERVAL_SECOND = 30.cs__freeze
|
24
|
+
|
25
|
+
# Thread that will process all the InputAnalysisResults that have a score level of WORTHWATCHING and
|
26
|
+
# sends results to TeamServer
|
27
|
+
def start_thread!
|
28
|
+
return if running?
|
29
|
+
|
30
|
+
@_thread = Contrast::Agent::Thread.new do
|
31
|
+
logger.info('Starting Worth Watching Analyzer thread.')
|
32
|
+
loop do
|
33
|
+
sleep(REPORT_INTERVAL_SECOND)
|
34
|
+
next if queue.empty?
|
35
|
+
|
36
|
+
report = false
|
37
|
+
num_to_report = queue.length
|
38
|
+
activity = Contrast::Agent::Reporting::ApplicationActivity.new
|
39
|
+
num_to_report.times do
|
40
|
+
next unless (attack_result = eval_input(queue.pop))
|
41
|
+
|
42
|
+
activity.attach_defend(attack_result)
|
43
|
+
report = true
|
44
|
+
end
|
45
|
+
Contrast::Agent.reporter.send_event_immediately(activity) if report
|
46
|
+
rescue StandardError => e
|
47
|
+
logger.debug('Worth Watching Analyzer thread could not process result because of:', e)
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
# param Contrast::Agent::Reporting::InputAnalysis
|
53
|
+
def add_to_queue input_analysis
|
54
|
+
return if input_analysis&.results&.empty?
|
55
|
+
|
56
|
+
if queue.size >= QUEUE_SIZE
|
57
|
+
logger.debug('WorthWatching queue at max size, skip input_result')
|
58
|
+
return
|
59
|
+
end
|
60
|
+
input_analysis.results.select { |val| val.score_level == WORTHWATCHING }.
|
61
|
+
each do |ia_result|
|
62
|
+
queue << ia_result
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
66
|
+
private
|
67
|
+
|
68
|
+
# @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the WorthWatching InputAnalysisResult
|
69
|
+
# @return [Contrast::Agent::Reporting::InputAnalysisResult, nil] InputAnalysisResult updated Result or nil
|
70
|
+
def eval_input ia_result
|
71
|
+
return if ia_result.nil?
|
72
|
+
|
73
|
+
if ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
|
74
|
+
logger.debug("Skip anaylsis: Input size is larger than #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
|
75
|
+
return
|
76
|
+
end
|
77
|
+
|
78
|
+
begin
|
79
|
+
input_eval = Timeout.timeout(AGENTLIB_TIMEOUT) do
|
80
|
+
Contrast::AGENT_LIB.eval_input(ia_result.value,
|
81
|
+
convert_input_type(ia_result.input_type),
|
82
|
+
Contrast::AGENT_LIB.rule_set[ia_result.rule_id],
|
83
|
+
Contrast::AGENT_LIB.eval_option[:NONE])
|
84
|
+
end
|
85
|
+
score = input_eval&.score || 0
|
86
|
+
return if score <= THRESHOLD
|
87
|
+
|
88
|
+
ia_result.score_level = DEFINITEATTACK
|
89
|
+
build_attack_result(ia_result)
|
90
|
+
rescue Timeout::Error => e
|
91
|
+
logger.warn('AgentLib timed out when processing WORTHWATCHING InputAnalysisResult', e, ia_result)
|
92
|
+
nil
|
93
|
+
end
|
94
|
+
end
|
95
|
+
|
96
|
+
# @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the updated InputAnalysisResult
|
97
|
+
# with a score of :DEFINITEATTACK
|
98
|
+
# @return [Contrast::Agent::Reporting::AttackResult] the attack result from
|
99
|
+
# this input
|
100
|
+
def build_attack_result ia_result
|
101
|
+
Contrast::PROTECT.rule(ia_result.rule_id).build_attack_without_match(nil, ia_result, nil)
|
102
|
+
end
|
103
|
+
|
104
|
+
def queue
|
105
|
+
@_queue ||= Queue.new
|
106
|
+
end
|
107
|
+
|
108
|
+
def delete_queue!
|
109
|
+
@_queue&.clear
|
110
|
+
@_queue&.close
|
111
|
+
@_queue = nil
|
112
|
+
end
|
113
|
+
end
|
114
|
+
end
|
115
|
+
end
|
116
|
+
end
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/path_traversal'
|
5
|
+
require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
|
5
6
|
require 'contrast/agent/protect/policy/rule_applicator'
|
6
7
|
require 'contrast/utils/object_share'
|
7
8
|
|
@@ -27,6 +28,9 @@ module Contrast
|
|
27
28
|
action = properties['action']
|
28
29
|
write_marker = write?(action, *args)
|
29
30
|
possible_write = write_marker && possible_write?(write_marker)
|
31
|
+
|
32
|
+
# Invoke semantic rules from here, not in a separate protect policy
|
33
|
+
invoke_semantic_rules(path, possible_write, object, method)
|
30
34
|
path_traversal_rule(path, possible_write, object, method)
|
31
35
|
|
32
36
|
# If the action was copy, we need to handle the write half of it.
|
@@ -37,6 +41,7 @@ module Contrast
|
|
37
41
|
dst = args[1]
|
38
42
|
return unless dst.is_a?(String)
|
39
43
|
|
44
|
+
invoke_semantic_rules(dst, true, object, method)
|
40
45
|
path_traversal_rule(dst, true, object, method)
|
41
46
|
end
|
42
47
|
|
@@ -75,6 +80,21 @@ module Contrast
|
|
75
80
|
logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
|
76
81
|
end
|
77
82
|
|
83
|
+
# @raise [Contrast::SecurityException] re-raises if some attack is blocked and raised from the infilter
|
84
|
+
def invoke_semantic_rules path, possible_write, object, method
|
85
|
+
return unless applies_to?(path, possible_write: possible_write)
|
86
|
+
|
87
|
+
rule.sub_rules.each do |sub_rule|
|
88
|
+
sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
|
89
|
+
end
|
90
|
+
rescue Contrast::SecurityException => e
|
91
|
+
raise(e)
|
92
|
+
rescue StandardError => e
|
93
|
+
logger.error('Error applying path traversal semantic rule', e,
|
94
|
+
module: object.cs__class.cs__name,
|
95
|
+
method: method)
|
96
|
+
end
|
97
|
+
|
78
98
|
CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
|
79
99
|
def safer_abs_paths
|
80
100
|
@_safer_abs_paths ||= begin
|
@@ -66,7 +66,7 @@ module Contrast
|
|
66
66
|
raise(NoMethodError, 'This is abstract, override it.')
|
67
67
|
end
|
68
68
|
|
69
|
-
# The name of the rule, as expected by the Contrast
|
69
|
+
# The name of the rule, as expected by the Contrast UI.
|
70
70
|
#
|
71
71
|
# @return [String]
|
72
72
|
# @raise [NoMethodError] This is abstract method
|