contrast-agent 6.7.0 → 6.9.0

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -4,14 +4,21 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/bot_blocker'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
+require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
+require 'contrast/agent/protect/rule/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
+require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
+require 'contrast/agent/protect/rule/xss'
+require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
-require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
-require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'json'
 
 module Contrast
@@ -20,131 +27,143 @@ module Contrast
       # InputAnalyzer will extract input form current request context and will analyze it.
       # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
       module InputAnalyzer
-        # DISPOSITION_NAME = 'name'
-        # DISPOSITION_FILENAME = 'filename'
-        #
-        # class << self
-        #   include Contrast::Agent::Reporting::InputType
-        #   include Contrast::Agent::Reporting::ScoreLevel
-        #   include Contrast::Agent::Protect::Rule::SqliWorthWatching
-        #   include Contrast::Utils::ObjectShare
-        #   include Contrast::Agent::Protect::Rule::CmdiWorthWatching
-        #
-        #   PROTECT_RULES = {
-        #       sqli: {
-        #           rule_name: 'sql-injection',
-        #           classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-        #       },
-        #       cmdi: {
-        #           rule_name: 'cmd-injection',
-        #           classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-        #       },
-        #       method_tampering: {
-        #           rule_name: 'method-tampering',
-        #           classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-        #       },
-        #       unsafe_file_upload: {
-        #           rule_name: 'unsafe-file-upload',
-        #           classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-        #       },
-        #       nosqli: {
-        #           rule_name: 'nosql-injection',
-        #           classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-        #       }
-        #   }.cs__freeze
-        #
-        #   # This method with analyze the user input from the context of the
-        #   # current request and run each of the protect rules against all
-        #   # found input types
-        #   #
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-        #   def analyse request
-        #     return unless Contrast::PROTECT.enabled?
-        #     return if request.nil?
-        #
-        #     inputs = extract_input request
-        #     return unless inputs
-        #
-        #     input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
-        #     input_analysis.request = request
-        #     # each rule against each input
-        #     input_classification inputs, input_analysis
-        #     input_analysis
-        #   end
-        #
-        #   private
-        #
-        #   # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-        #   #
-        #   # @param inputs [String, Array<String>] user input to be analysed.
-        #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-        #   #                                                       for each protect rule.
-        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-        #   def input_classification inputs, input_analysis
-        #     # key = input type, value = user_input
-        #     inputs.each do |input_type, value|
-        #       next if value.nil? || value.empty?
-        #
-        #       PROTECT_RULES.each do |_key, rule|
-        #         protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
-        #         logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
-        #
-        #         # check if rule is enabled
-        #         next unless protect_rule&.enabled?
-        #
-        #         # method tampering doesn't take value
-        #         if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-        #           rule[:classification].send(:classify, input_type, input_analysis)
-        #         else
-        #           rule[:classification].send(:classify, input_type, value, input_analysis)
-        #         end
-        #       end
-        #     end
-        #     input_analysis
-        #   end
-        #
-        #   # Extract the inputs from the request context and label them with Protect
-        #   # input type tags. Each tag will contain one or more user inputs.
-        #   #
-        #   # This methods is to be expanded and modified as needed by other Protect rules
-        #   # and sub-rules for their requirements.
-        #   #
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-        #   def extract_input request
-        #     inputs = {}
-        #     inputs[BODY] = request.body
-        #     inputs[COOKIE_NAME] = request.cookies.keys
-        #     inputs[COOKIE_VALUE] = request.cookies.values
-        #     inputs[HEADER] = request.headers
-        #     inputs[PARAMETER_NAME] = request.parameters.keys
-        #     inputs[PARAMETER_VALUE] = request.parameters.values
-        #     inputs[QUERYSTRING] = request.query_string
-        #     inputs[METHOD] = request.request_method
-        #     extract_multipart inputs, request
-        #     inputs.compact!
-        #     inputs
-        #   end
-        #
-        #   # Extract the filename and name of the  Content Disposition Header.
-        #   #
-        #   # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-        #   # @param request [Contrast::Agent::Request] current request context.
-        #   def extract_multipart inputs, request
-        #     disposition = request.rack_request.env['Content-Disposition']
-        #     disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
-        #     return unless disposition
-        #
-        #     pairs = {}
-        #     disposition.split(SEMICOLON).each do |elem|
-        #       new_pair = elem.strip.split(EQUALS, 2)
-        #       pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-        #     end
-        #     inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-        #     inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
-        #   end
-        # end
+        DISPOSITION_NAME = 'name'
+        DISPOSITION_FILENAME = 'filename'
+        DISPOSITION_KEYS = %w[Content-Disposition CONTENT_DISPOSITION].cs__freeze
+
+        class << self
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Utils::ObjectShare
+          include Contrast::Components::Logger::InstanceMethods
+
+          PROTECT_RULES = {
+              sqli: {
+                  rule_name: 'sql-injection',
+                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+              },
+              cmdi: {
+                  rule_name: 'cmd-injection',
+                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+              },
+              # method_tampering: {
+              #     rule_name: 'method-tampering',
+              #     classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+              # },
+              reflected_xss: {
+                  rule_name: Contrast::Agent::Protect::Rule::Xss::NAME,
+                  classification: Contrast::Agent::Protect::Rule::ReflectedXssInputClassification
+              },
+              bot_blocker: {
+                  rule_name: Contrast::Agent::Protect::Rule::BotBlocker::NAME,
+                  classification: Contrast::Agent::Protect::Rule::BotBlockerInputClassification
+              },
+              unsafe_file_upload: {
+                  rule_name: Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
+                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+              },
+              path_traversal: {
+                  rule_name: Contrast::Agent::Protect::Rule::PathTraversal::NAME,
+                  classification: Contrast::Agent::Protect::Rule::PathTraversalInputClassification
+              },
+              nosqli: {
+                  rule_name: Contrast::Agent::Protect::Rule::NoSqli::NAME,
+                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+              }
+          }.cs__freeze
+
+          # This method with analyze the user input from the context of the
+          # current request and run each of the protect rules against all
+          # found input types
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def analyse request
+            return unless Contrast::PROTECT.enabled?
+            return if request.nil?
+
+            inputs = extract_input(request)
+            return unless inputs
+
+            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+            input_analysis.request = request
+            # each rule against each input
+            input_classification(inputs, input_analysis)
+            input_analysis
+          end
+
+          private
+
+          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+          #
+          # @param inputs [String, Array<String>] user input to be analysed.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def input_classification inputs, input_analysis
+            # key = input type, value = user_input
+            inputs.each do |input_type, value|
+              next if value.nil? || value.empty?
+
+              PROTECT_RULES.each do |_key, rule|
+                protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
+                logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
+
+                # check if rule is enabled
+                next unless protect_rule&.enabled?
+
+                # method tampering doesn't take value
+                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+                  rule[:classification].send(:classify, rule[:rule_name], input_type, input_analysis)
+                else
+                  rule[:classification].send(:classify, rule[:rule_name], input_type, value, input_analysis)
+                end
+              end
+            end
+            input_analysis
+          end
+
+          # Extract the inputs from the request context and label them with Protect
+          # input type tags. Each tag will contain one or more user inputs.
+          #
+          # This methods is to be expanded and modified as needed by other Protect rules
+          # and sub-rules for their requirements.
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          def extract_input request
+            inputs = {}
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+            inputs[METHOD] = request.request_method
+            extract_multipart(inputs, request)
+            inputs.compact!
+            inputs
+          end
+
+          # Extract the filename and name of the  Content Disposition Header.
+          #
+          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          # @param request [Contrast::Agent::Request] current request context.
+          def extract_multipart inputs, request
+            disposition = request.rack_request.env[DISPOSITION_KEYS[0]]
+            disposition = request.rack_request.env[DISPOSITION_KEYS[1]] if disposition.nil? || disposition.empty?
+            return unless disposition
+
+            pairs = {}
+            disposition.split(SEMICOLON).each do |elem|
+              new_pair = elem.strip.split(EQUALS, 2)
+              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+            end
+            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+          end
+        end
       end
     end
   end

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -0,0 +1,116 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/reporting_events/application_activity'
+require 'contrast/utils/input_classification_base'
+
+module Contrast
+  module Agent
+    module Protect
+      # WorthWatchingInputAnalyzer Perform analysis of input tracing v2 worthwatching results in a
+      # separate thread, should only be run at the end of the request.
+      # Currently only includes: cmd_injection & sqli_injection rules
+      class WorthWatchingInputAnalyzer < WorkerThread
+        include Timeout
+        include Contrast::Agent::Protect::Rule::InputClassificationBase
+
+        QUEUE_SIZE = 1000.cs__freeze
+        AGENTLIB_TIMEOUT = 5.cs__freeze
+        # max size of inputs to evaluate
+        INPUT_BYTESIZE_THRESHOLD = 100_000.cs__freeze
+        REPORT_INTERVAL_SECOND = 30.cs__freeze
+
+        # Thread that will process all the InputAnalysisResults that have a score level of WORTHWATCHING and
+        # sends results to TeamServer
+        def start_thread!
+          return if running?
+
+          @_thread = Contrast::Agent::Thread.new do
+            logger.info('Starting Worth Watching Analyzer thread.')
+            loop do
+              sleep(REPORT_INTERVAL_SECOND)
+              next if queue.empty?
+
+              report = false
+              num_to_report = queue.length
+              activity = Contrast::Agent::Reporting::ApplicationActivity.new
+              num_to_report.times do
+                next unless (attack_result = eval_input(queue.pop))
+
+                activity.attach_defend(attack_result)
+                report = true
+              end
+              Contrast::Agent.reporter.send_event_immediately(activity) if report
+            rescue StandardError => e
+              logger.debug('Worth Watching Analyzer thread could not process result because of:', e)
+            end
+          end
+        end
+
+        # param Contrast::Agent::Reporting::InputAnalysis
+        def add_to_queue input_analysis
+          return if input_analysis&.results&.empty?
+
+          if queue.size >= QUEUE_SIZE
+            logger.debug('WorthWatching queue at max size, skip input_result')
+            return
+          end
+          input_analysis.results.select { |val| val.score_level == WORTHWATCHING }.
+              each do |ia_result|
+            queue << ia_result
+          end
+        end
+
+        private
+
+        # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the WorthWatching InputAnalysisResult
+        # @return [Contrast::Agent::Reporting::InputAnalysisResult, nil] InputAnalysisResult updated Result or nil
+        def eval_input ia_result
+          return if ia_result.nil?
+
+          if ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
+            logger.debug("Skip anaylsis: Input size is larger than #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
+            return
+          end
+
+          begin
+            input_eval = Timeout.timeout(AGENTLIB_TIMEOUT) do
+              Contrast::AGENT_LIB.eval_input(ia_result.value,
+                                             convert_input_type(ia_result.input_type),
+                                             Contrast::AGENT_LIB.rule_set[ia_result.rule_id],
+                                             Contrast::AGENT_LIB.eval_option[:NONE])
+            end
+            score = input_eval&.score || 0
+            return if score <= THRESHOLD
+
+            ia_result.score_level = DEFINITEATTACK
+            build_attack_result(ia_result)
+          rescue Timeout::Error => e
+            logger.warn('AgentLib timed out when processing WORTHWATCHING InputAnalysisResult', e, ia_result)
+            nil
+          end
+        end
+
+        # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the updated InputAnalysisResult
+        # with a score of :DEFINITEATTACK
+        # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
+        #   this input
+        def build_attack_result ia_result
+          Contrast::PROTECT.rule(ia_result.rule_id).build_attack_without_match(nil, ia_result, nil)
+        end
+
+        def queue
+          @_queue ||= Queue.new
+        end
+
+        def delete_queue!
+          @_queue&.clear
+          @_queue&.close
+          @_queue = nil
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
 require 'contrast/agent/protect/policy/rule_applicator'
 require 'contrast/utils/object_share'
 
@@ -27,6 +28,9 @@ module Contrast
               action = properties['action']
               write_marker = write?(action, *args)
               possible_write = write_marker && possible_write?(write_marker)
+
+              # Invoke semantic rules from here, not in a separate protect policy
+              invoke_semantic_rules(path, possible_write, object, method)
               path_traversal_rule(path, possible_write, object, method)
 
               # If the action was copy, we need to handle the write half of it.
@@ -37,6 +41,7 @@ module Contrast
               dst = args[1]
               return unless dst.is_a?(String)
 
+              invoke_semantic_rules(dst, true, object, method)
               path_traversal_rule(dst, true, object, method)
             end
 
@@ -75,6 +80,21 @@ module Contrast
               logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
             end
 
+            # @raise [Contrast::SecurityException] re-raises if some attack is blocked and raised from the infilter
+            def invoke_semantic_rules path, possible_write, object, method
+              return unless applies_to?(path, possible_write: possible_write)
+
+              rule.sub_rules.each do |sub_rule|
+                sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
+              end
+            rescue Contrast::SecurityException => e
+              raise(e)
+            rescue StandardError => e
+              logger.error('Error applying path traversal semantic rule', e,
+                           module: object.cs__class.cs__name,
+                           method: method)
+            end
+
             CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
             def safer_abs_paths
               @_safer_abs_paths ||= begin

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -66,7 +66,7 @@ module Contrast
             raise(NoMethodError, 'This is abstract, override it.')
           end
 
-          # The name of the rule, as expected by the Contrast Service and Contrast UI.
+          # The name of the rule, as expected by the Contrast UI.
           #
           # @return [String]
           # @raise [NoMethodError] This is abstract method