contrast-agent 6.7.0 → 6.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +0 -2
- data/.simplecov +0 -1
- data/Rakefile +0 -1
- data/ext/cs__assess_array/cs__assess_array.c +41 -10
- data/ext/cs__assess_array/cs__assess_array.h +4 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -3
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +11 -11
- data/lib/contrast/agent/assess.rb +0 -1
- data/lib/contrast/agent/excluder.rb +53 -35
- data/lib/contrast/agent/exclusion_matcher.rb +21 -9
- data/lib/contrast/agent/middleware.rb +12 -6
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +116 -0
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +47 -55
- data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +20 -2
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +64 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +63 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
- data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +40 -13
- data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
- data/lib/contrast/agent/protect/rule/sqli.rb +74 -3
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
- data/lib/contrast/agent/protect/rule/xss.rb +15 -20
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +19 -40
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
- data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
- data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
- data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
- data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
- data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
- data/lib/contrast/agent/reporting/report.rb +1 -0
- data/lib/contrast/agent/reporting/reporter.rb +35 -14
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +3 -9
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +16 -13
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +12 -7
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +6 -1
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +6 -6
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +239 -93
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +10 -23
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +10 -9
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +12 -0
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +43 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +8 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +58 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +4 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +77 -16
- data/lib/contrast/agent/reporting/server_settings_worker.rb +44 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +14 -2
- data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
- data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
- data/lib/contrast/agent/reporting/settings/helpers.rb +7 -0
- data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +39 -2
- data/lib/contrast/agent/reporting/settings/rule_definition.rb +3 -0
- data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +9 -0
- data/lib/contrast/agent/reporting/settings/syslog.rb +34 -5
- data/lib/contrast/agent/request.rb +3 -14
- data/lib/contrast/agent/request_context.rb +6 -9
- data/lib/contrast/agent/request_context_extend.rb +9 -148
- data/lib/contrast/agent/request_handler.rb +5 -10
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +37 -18
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +6 -11
- data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
- data/lib/contrast/agent_lib/api/init.rb +101 -0
- data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
- data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
- data/lib/contrast/agent_lib/api/panic.rb +87 -0
- data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
- data/lib/contrast/agent_lib/interface.rb +260 -0
- data/lib/contrast/agent_lib/interface_base.rb +118 -0
- data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
- data/lib/contrast/agent_lib/test.rb +29 -0
- data/lib/contrast/api/communication/connection_status.rb +20 -5
- data/lib/contrast/components/agent.rb +34 -14
- data/lib/contrast/components/api.rb +23 -0
- data/lib/contrast/components/app_context.rb +23 -5
- data/lib/contrast/components/app_context_extend.rb +0 -25
- data/lib/contrast/components/assess.rb +34 -4
- data/lib/contrast/components/assess_rules.rb +18 -0
- data/lib/contrast/components/base.rb +40 -0
- data/lib/contrast/components/config/sources.rb +95 -0
- data/lib/contrast/components/config.rb +19 -19
- data/lib/contrast/components/heap_dump.rb +10 -0
- data/lib/contrast/components/inventory.rb +15 -2
- data/lib/contrast/components/logger.rb +18 -0
- data/lib/contrast/components/polling.rb +36 -0
- data/lib/contrast/components/protect.rb +52 -2
- data/lib/contrast/components/ruby_component.rb +16 -1
- data/lib/contrast/components/sampling.rb +70 -13
- data/lib/contrast/components/security_logger.rb +13 -0
- data/lib/contrast/components/settings.rb +105 -90
- data/lib/contrast/config/certification_configuration.rb +14 -0
- data/lib/contrast/config/config.rb +46 -0
- data/lib/contrast/config/diagnostics.rb +114 -0
- data/lib/contrast/config/diagnostics_tools.rb +98 -0
- data/lib/contrast/config/effective_config.rb +65 -0
- data/lib/contrast/config/effective_config_value.rb +32 -0
- data/lib/contrast/config/exception_configuration.rb +12 -0
- data/lib/contrast/config/protect_rule_configuration.rb +8 -8
- data/lib/contrast/config/protect_rules_configuration.rb +23 -60
- data/lib/contrast/config/request_audit_configuration.rb +13 -0
- data/lib/contrast/config/server_configuration.rb +41 -2
- data/lib/contrast/configuration.rb +29 -12
- data/lib/contrast/extension/assess/array.rb +9 -0
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/delegator.rb +2 -0
- data/lib/contrast/framework/manager.rb +3 -1
- data/lib/contrast/framework/rails/railtie.rb +0 -1
- data/lib/contrast/framework/rails/support.rb +0 -1
- data/lib/contrast/tasks/config.rb +1 -8
- data/lib/contrast/utils/assess/event_limit_utils.rb +31 -9
- data/lib/contrast/utils/assess/trigger_method_utils.rb +5 -4
- data/lib/contrast/utils/duck_utils.rb +1 -0
- data/lib/contrast/utils/hash_digest.rb +2 -2
- data/lib/contrast/utils/input_classification_base.rb +155 -0
- data/lib/contrast/utils/os.rb +0 -20
- data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +81 -0
- data/lib/contrast/utils/response_utils.rb +0 -16
- data/lib/contrast/utils/routes_sent.rb +60 -0
- data/lib/contrast/utils/stack_trace_utils.rb +3 -15
- data/lib/contrast/utils/string_utils.rb +10 -7
- data/lib/contrast/utils/telemetry_client.rb +1 -2
- data/lib/contrast/utils/timer.rb +16 -0
- data/lib/contrast.rb +5 -4
- data/resources/protect/policy.json +1 -2
- data/ruby-agent.gemspec +7 -6
- metadata +69 -130
- data/exe/contrast_service +0 -23
- data/lib/contrast/agent/assess/contrast_event.rb +0 -157
- data/lib/contrast/agent/assess/events/event_factory.rb +0 -34
- data/lib/contrast/agent/assess/events/source_event.rb +0 -46
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
- data/lib/contrast/agent/reaction_processor.rb +0 -47
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +0 -36
- data/lib/contrast/agent/service_heartbeat.rb +0 -35
- data/lib/contrast/api/communication/messaging_queue.rb +0 -128
- data/lib/contrast/api/communication/response_processor.rb +0 -90
- data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
- data/lib/contrast/api/communication/socket.rb +0 -44
- data/lib/contrast/api/communication/socket_client.rb +0 -130
- data/lib/contrast/api/communication/speedracer.rb +0 -138
- data/lib/contrast/api/communication/tcp_socket.rb +0 -32
- data/lib/contrast/api/communication/unix_socket.rb +0 -28
- data/lib/contrast/api/communication.rb +0 -20
- data/lib/contrast/api/decorators/address.rb +0 -59
- data/lib/contrast/api/decorators/agent_startup.rb +0 -56
- data/lib/contrast/api/decorators/application_settings.rb +0 -43
- data/lib/contrast/api/decorators/application_startup.rb +0 -56
- data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
- data/lib/contrast/api/decorators/http_request.rb +0 -137
- data/lib/contrast/api/decorators/input_analysis.rb +0 -18
- data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
- data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
- data/lib/contrast/api/decorators/message.rb +0 -67
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
- data/lib/contrast/api/decorators/response_type.rb +0 -17
- data/lib/contrast/api/decorators/server_features.rb +0 -25
- data/lib/contrast/api/decorators/user_input.rb +0 -51
- data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
- data/lib/contrast/api/decorators.rb +0 -22
- data/lib/contrast/api/dtm.pb.rb +0 -363
- data/lib/contrast/api/settings.pb.rb +0 -500
- data/lib/contrast/api.rb +0 -16
- data/lib/contrast/components/contrast_service.rb +0 -88
- data/lib/contrast/components/service.rb +0 -55
- data/lib/contrast/tasks/service.rb +0 -84
- data/lib/contrast/utils/input_classification.rb +0 -73
- data/lib/protobuf/code_generator.rb +0 -129
- data/lib/protobuf/decoder.rb +0 -28
- data/lib/protobuf/deprecation.rb +0 -117
- data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
- data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
- data/lib/protobuf/descriptors.rb +0 -3
- data/lib/protobuf/encoder.rb +0 -11
- data/lib/protobuf/enum.rb +0 -365
- data/lib/protobuf/exceptions.rb +0 -9
- data/lib/protobuf/field/base_field.rb +0 -380
- data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
- data/lib/protobuf/field/bool_field.rb +0 -64
- data/lib/protobuf/field/bytes_field.rb +0 -67
- data/lib/protobuf/field/double_field.rb +0 -25
- data/lib/protobuf/field/enum_field.rb +0 -56
- data/lib/protobuf/field/field_array.rb +0 -102
- data/lib/protobuf/field/field_hash.rb +0 -122
- data/lib/protobuf/field/fixed32_field.rb +0 -25
- data/lib/protobuf/field/fixed64_field.rb +0 -28
- data/lib/protobuf/field/float_field.rb +0 -43
- data/lib/protobuf/field/int32_field.rb +0 -21
- data/lib/protobuf/field/int64_field.rb +0 -34
- data/lib/protobuf/field/integer_field.rb +0 -23
- data/lib/protobuf/field/message_field.rb +0 -51
- data/lib/protobuf/field/sfixed32_field.rb +0 -27
- data/lib/protobuf/field/sfixed64_field.rb +0 -28
- data/lib/protobuf/field/signed_integer_field.rb +0 -29
- data/lib/protobuf/field/sint32_field.rb +0 -21
- data/lib/protobuf/field/sint64_field.rb +0 -21
- data/lib/protobuf/field/string_field.rb +0 -51
- data/lib/protobuf/field/uint32_field.rb +0 -21
- data/lib/protobuf/field/uint64_field.rb +0 -21
- data/lib/protobuf/field/varint_field.rb +0 -77
- data/lib/protobuf/field.rb +0 -74
- data/lib/protobuf/generators/base.rb +0 -85
- data/lib/protobuf/generators/enum_generator.rb +0 -39
- data/lib/protobuf/generators/extension_generator.rb +0 -27
- data/lib/protobuf/generators/field_generator.rb +0 -193
- data/lib/protobuf/generators/file_generator.rb +0 -262
- data/lib/protobuf/generators/group_generator.rb +0 -122
- data/lib/protobuf/generators/message_generator.rb +0 -104
- data/lib/protobuf/generators/option_generator.rb +0 -17
- data/lib/protobuf/generators/printable.rb +0 -160
- data/lib/protobuf/generators/service_generator.rb +0 -50
- data/lib/protobuf/lifecycle.rb +0 -33
- data/lib/protobuf/logging.rb +0 -39
- data/lib/protobuf/message/fields.rb +0 -233
- data/lib/protobuf/message/serialization.rb +0 -85
- data/lib/protobuf/message.rb +0 -241
- data/lib/protobuf/optionable.rb +0 -72
- data/lib/protobuf/tasks/compile.rake +0 -80
- data/lib/protobuf/tasks.rb +0 -1
- data/lib/protobuf/varint.rb +0 -20
- data/lib/protobuf/varint_pure.rb +0 -31
- data/lib/protobuf/version.rb +0 -3
- data/lib/protobuf/wire_type.rb +0 -10
- data/lib/protobuf.rb +0 -91
- data/proto/dynamic_discovery.proto +0 -46
- data/proto/google/protobuf/compiler/plugin.proto +0 -183
- data/proto/google/protobuf/descriptor.proto +0 -911
- data/proto/rpc.proto +0 -71
- data/service_executables/.gitkeep +0 -0
- data/service_executables/VERSION +0 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb
ADDED
@@ -0,0 +1,114 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/protect/rule/base_service'
|
5
|
+
require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
|
6
|
+
require 'contrast/agent/request_context'
|
7
|
+
require 'contrast/utils/string_utils'
|
8
|
+
require 'contrast/agent_lib/api/path_semantic_file_security_bypass'
|
9
|
+
require 'contrast/agent_lib/interface'
|
10
|
+
|
11
|
+
module Contrast
|
12
|
+
module Agent
|
13
|
+
module Protect
|
14
|
+
module Rule
|
15
|
+
# The Ruby implementation of the Protect Path Traversal Semantic
|
16
|
+
# Bypass sub-rule. This rule should report the attack result
|
17
|
+
class PathTraversalSemanticBypass < Contrast::Agent::Protect::Rule::BaseService
|
18
|
+
NAME = 'path-traversal-semantic-file-security-bypass'
|
19
|
+
# There paths here will eventually be moved
|
20
|
+
|
21
|
+
def rule_name
|
22
|
+
NAME
|
23
|
+
end
|
24
|
+
|
25
|
+
def infilter context, method, path
|
26
|
+
return unless rule_violated?(path)
|
27
|
+
|
28
|
+
result = find_vulnerability(context, path)
|
29
|
+
|
30
|
+
return unless result
|
31
|
+
|
32
|
+
append_to_activity(context, result)
|
33
|
+
return unless blocked?
|
34
|
+
|
35
|
+
result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
|
36
|
+
cef_logging(result, :successful_attack, value: path)
|
37
|
+
exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
|
38
|
+
raise(Contrast::SecurityException.new(self, exception_messasge))
|
39
|
+
end
|
40
|
+
|
41
|
+
protected
|
42
|
+
|
43
|
+
# Check if semantic file security bypass is detected
|
44
|
+
#
|
45
|
+
# @param file_path [String] command to check.
|
46
|
+
# @param is_custom_code[String] whether the file is being accessed by custom (user) code,
|
47
|
+
# rather than framework code
|
48
|
+
# @return result[Integer, nil] returns:
|
49
|
+
# 1 => security bypass is detected.
|
50
|
+
# 0 => no security bypass is detected.
|
51
|
+
def file_security_bypassed? file_path, is_custom_code = nil
|
52
|
+
return false unless (agent_lib = Contrast::AGENT_LIB) || file_path
|
53
|
+
|
54
|
+
custom_call = is_custom_code.nil? ? 0 : 1
|
55
|
+
|
56
|
+
agent_lib.check_path_semantic_security_bypass(file_path, custom_call) == 1
|
57
|
+
end
|
58
|
+
|
59
|
+
def rule_violated? path
|
60
|
+
is_custom_code = custom_code_accessing_system_file?(path)
|
61
|
+
is_custom_code || file_security_bypassed?(path, is_custom_code)
|
62
|
+
end
|
63
|
+
|
64
|
+
def find_vulnerability context, path
|
65
|
+
build_attack_with_match(context, nil, nil, path)
|
66
|
+
end
|
67
|
+
|
68
|
+
def build_sample context, _input_analysis_result, path, **_kwargs
|
69
|
+
sample = build_base_sample(context, nil)
|
70
|
+
sample.details = Contrast::Agent::Reporting::Details::PathTraversalSemanticAnalysisDetails.new
|
71
|
+
path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
|
72
|
+
sample.details.path = path
|
73
|
+
|
74
|
+
is_custom_code = custom_code_accessing_system_file?(path)
|
75
|
+
# This should catch all the types of security breaches in that sub-rule scope
|
76
|
+
# but apparently it's not, because some of the system files is being skipped and not detected,
|
77
|
+
# but for our previous logic - it was expected for certain files to be detected and blocked
|
78
|
+
security_bypassed = file_security_bypassed?(path, is_custom_code)
|
79
|
+
|
80
|
+
# if agent lib sub-rule returns true and is custom code -> assign and report
|
81
|
+
if security_bypassed
|
82
|
+
if is_custom_code
|
83
|
+
sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
|
84
|
+
sample.details.findings << :COMMON_FILE_EXPLOITS if common_file_exploits_enabled?
|
85
|
+
end
|
86
|
+
return sample
|
87
|
+
end
|
88
|
+
|
89
|
+
if is_custom_code
|
90
|
+
sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
|
91
|
+
return sample
|
92
|
+
end
|
93
|
+
|
94
|
+
nil
|
95
|
+
end
|
96
|
+
|
97
|
+
def custom_code_accessing_system_file? input
|
98
|
+
system_file?(input) && Contrast::Utils::StackTraceUtils.custom_code_context?
|
99
|
+
end
|
100
|
+
|
101
|
+
def system_file? path
|
102
|
+
return false unless path
|
103
|
+
|
104
|
+
Contrast::Agent::Protect::Rule::PathTraversal::SYSTEM_PATHS.any? { |sys_path| sys_path.include?(path) }
|
105
|
+
end
|
106
|
+
|
107
|
+
def common_file_exploits_enabled?
|
108
|
+
false
|
109
|
+
end
|
110
|
+
end
|
111
|
+
end
|
112
|
+
end
|
113
|
+
end
|
114
|
+
end
|
@@ -2,9 +2,13 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
5
|
+
require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
|
6
|
+
require 'contrast/agent/reporting/input_analysis/input_type'
|
7
|
+
require 'contrast/agent/reporting/input_analysis/score_level'
|
5
8
|
require 'contrast/utils/stack_trace_utils'
|
6
9
|
require 'contrast/agent/reporting/details/path_traversal_details'
|
7
10
|
require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
|
11
|
+
require 'contrast/utils/string_utils'
|
8
12
|
|
9
13
|
module Contrast
|
10
14
|
module Agent
|
@@ -13,7 +17,13 @@ module Contrast
|
|
13
17
|
# This class handles our implementation of the Path Traversal
|
14
18
|
# Protect rule.
|
15
19
|
class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
|
20
|
+
include Contrast::Agent::Reporting::InputType
|
21
|
+
|
16
22
|
NAME = 'path-traversal'
|
23
|
+
APPLICABLE_USER_INPUTS = [
|
24
|
+
BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_VALUE, PARAMETER_NAME,
|
25
|
+
JSON_VALUE, MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, URI
|
26
|
+
].cs__freeze
|
17
27
|
SYSTEM_PATHS = %w[
|
18
28
|
/proc/self
|
19
29
|
etc/passwd
|
@@ -27,20 +37,21 @@ module Contrast
|
|
27
37
|
/windows/repair/
|
28
38
|
].cs__freeze
|
29
39
|
|
30
|
-
class << self
|
31
|
-
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
32
|
-
# @return [Hash] the details for this specific rule
|
33
|
-
def extract_details attack_sample
|
34
|
-
{
|
35
|
-
path: attack_sample.path_traversal.path
|
36
|
-
}
|
37
|
-
end
|
38
|
-
end
|
39
|
-
|
40
40
|
def rule_name
|
41
41
|
NAME
|
42
42
|
end
|
43
43
|
|
44
|
+
# Array of sub_rules
|
45
|
+
#
|
46
|
+
# @return [Array]
|
47
|
+
def sub_rules
|
48
|
+
@_sub_rules ||= [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new].cs__freeze
|
49
|
+
end
|
50
|
+
|
51
|
+
def applicable_user_inputs
|
52
|
+
APPLICABLE_USER_INPUTS
|
53
|
+
end
|
54
|
+
|
44
55
|
def infilter context, method, path
|
45
56
|
return unless infilter?(context)
|
46
57
|
|
@@ -50,9 +61,10 @@ module Contrast
|
|
50
61
|
append_to_activity(context, result)
|
51
62
|
return unless blocked?
|
52
63
|
|
53
|
-
|
54
|
-
|
55
|
-
|
64
|
+
result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
|
65
|
+
cef_logging(result, :successful_attack, value: path)
|
66
|
+
exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
|
67
|
+
raise(Contrast::SecurityException.new(self, exception_messasge))
|
56
68
|
end
|
57
69
|
|
58
70
|
protected
|
@@ -73,6 +85,21 @@ module Contrast
|
|
73
85
|
sample
|
74
86
|
end
|
75
87
|
|
88
|
+
# @param context [Contrast::Agent::RequestContext]
|
89
|
+
def infilter? context
|
90
|
+
return false unless enabled?
|
91
|
+
return false unless context&.agent_input_analysis&.results&.any? do |result|
|
92
|
+
# When a file is being accessed, the agent should see if any of its worth-watching inputs appear in
|
93
|
+
# the file path. If so, the input is considered a confirmed attack and should be reported or blocked.
|
94
|
+
# If the score level is ignore we don't need to report it.
|
95
|
+
result.rule_id == rule_name && result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
|
96
|
+
end
|
97
|
+
|
98
|
+
return false if protect_excluded_by_code?
|
99
|
+
|
100
|
+
true
|
101
|
+
end
|
102
|
+
|
76
103
|
private
|
77
104
|
|
78
105
|
# Build a subclass of the RaspRuleSample if the sample matches
|
@@ -15,11 +15,11 @@ module Contrast
|
|
15
15
|
# by TeamServer
|
16
16
|
#
|
17
17
|
# @param context [Contrast::Agent::RequestContext] the context for the current request
|
18
|
-
# @param input_analysis_result [Contrast::
|
18
|
+
# @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
|
19
19
|
# if one exists, in the case of multiple inputs being found to violate the protection criteria
|
20
20
|
# @candidate_string [String] the value of the input which may be an attack
|
21
21
|
# @kwargs [Hash] key - value pairs of context individual rules need to build out details
|
22
|
-
# to send to
|
22
|
+
# to send to TeamServer to tell the story of the attack
|
23
23
|
# @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
|
24
24
|
module SqliSample
|
25
25
|
def build_sample context, input_analysis_result, candidate_string, **kwargs
|
@@ -38,11 +38,11 @@ module Contrast
|
|
38
38
|
# by TeamServer
|
39
39
|
#
|
40
40
|
# @param context [Contrast::Agent::RequestContext] the context for the current request
|
41
|
-
# @param input_analysis_result [Contrast::
|
41
|
+
# @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
|
42
42
|
# if one exists, in the case of multiple inputs being found to violate the protection criteria
|
43
43
|
# @candidate_string [String] the value of the input which may be an attack
|
44
44
|
# @kwargs [Hash] key - value pairs of context individual rules need to build out details
|
45
|
-
# to send to
|
45
|
+
# to send to TeamServer to tell the story of the attack
|
46
46
|
# @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
|
47
47
|
module NoSqliSample
|
48
48
|
def build_sample context, input_analysis_result, candidate_string, **kwargs
|
@@ -63,24 +63,21 @@ module Contrast
|
|
63
63
|
# Set up an attack result and assigns Database scanner for the No-SQL and SQLI injection detection rules
|
64
64
|
#
|
65
65
|
# @param context [Contrast::Agent::RequestContext] the context for the current request
|
66
|
-
# @param input_analysis_result [Contrast::
|
66
|
+
# @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
|
67
67
|
# if one exists, in the case of multiple inputs being found to violate the protection criteria
|
68
|
-
# @param result [Contrast::
|
68
|
+
# @param result [Contrast::Agent::Reporting, nil] previous attack result for this rule, if one exists,
|
69
69
|
# in the case of multiple inputs being found to violate the protection criteria
|
70
70
|
# @param query_string [String] the value of the input which may be an attack
|
71
71
|
# @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
|
72
|
-
# to
|
73
|
-
# @return [Contrast::
|
72
|
+
# to TeamServer to tell the story of the attack
|
73
|
+
# @return [Contrast::Agent::Reporting] the result from this attack
|
74
74
|
def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
|
75
|
-
if mode ==
|
76
|
-
mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
|
77
|
-
|
78
|
-
return result
|
79
|
-
end
|
75
|
+
return result if mode == :NO_ACTION || mode == :PERMIT
|
80
76
|
|
81
77
|
attack_string = input_analysis_result.value
|
82
78
|
regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
|
83
|
-
|
79
|
+
# extract struct result from kwargs
|
80
|
+
agent_lib_struct_result = kwargs[:result_struct]
|
84
81
|
return unless query_string.match?(regexp)
|
85
82
|
|
86
83
|
database = kwargs[:database]
|
@@ -94,7 +91,14 @@ module Contrast
|
|
94
91
|
next unless last_boundary && boundary
|
95
92
|
|
96
93
|
result ||= build_attack_result(context)
|
97
|
-
|
94
|
+
|
95
|
+
# if the struct actually has the needed data in it - use it
|
96
|
+
if agent_lib_struct_result.cs__is_a?(Hash)
|
97
|
+
record_agent_lib_match(agent_lib_struct_result, length, kwargs)
|
98
|
+
else
|
99
|
+
record_match(idx, length, boundary, last_boundary, kwargs)
|
100
|
+
end
|
101
|
+
|
98
102
|
append_match(context, input_analysis_result, result, query_string, **kwargs)
|
99
103
|
end
|
100
104
|
|
@@ -124,6 +128,20 @@ module Contrast
|
|
124
128
|
kwargs[:input_boundary_idx] = last_boundary
|
125
129
|
end
|
126
130
|
|
131
|
+
# all the agent_lib checks methods needed
|
132
|
+
|
133
|
+
# @param struct[ResultingStruct] The struct including all the data from the agent_lib scan
|
134
|
+
def record_agent_lib_match struct, length, kwargs
|
135
|
+
kwargs[:start_idx] = struct[:start_index]
|
136
|
+
kwargs[:end_idx] = if (struct[:end_index]).zero?
|
137
|
+
struct[:start_index] + length
|
138
|
+
else
|
139
|
+
struct[:end_index]
|
140
|
+
end
|
141
|
+
kwargs[:boundary_overrun_idx] = struct[:boundary_overrun_index]
|
142
|
+
kwargs[:input_boundary_idx] = struct[:input_boundary_index]
|
143
|
+
end
|
144
|
+
|
127
145
|
def append_match context, input_analysis_result, result, query_string, **kwargs
|
128
146
|
input_analysis_result.attack_count = input_analysis_result.attack_count + 1
|
129
147
|
update_successful_attack_response(context, input_analysis_result, result, query_string)
|
@@ -19,20 +19,6 @@ module Contrast
|
|
19
19
|
XML_VALUE, DWR_VALUE
|
20
20
|
].cs__freeze
|
21
21
|
|
22
|
-
class << self
|
23
|
-
# @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
|
24
|
-
# @return [Hash] the details for this specific rule
|
25
|
-
def extract_details attack_sample
|
26
|
-
{
|
27
|
-
start: attack_sample.sqli.start_idx,
|
28
|
-
end: attack_sample.sqli.end_idx,
|
29
|
-
boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
|
30
|
-
inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
|
31
|
-
query: attack_sample.sqli.query
|
32
|
-
}
|
33
|
-
end
|
34
|
-
end
|
35
|
-
|
36
22
|
def infilter context, database, query_string
|
37
23
|
return unless infilter?(context)
|
38
24
|
|
@@ -5,10 +5,8 @@ require 'contrast/utils/object_share'
|
|
5
5
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
6
|
require 'contrast/agent/protect/rule/sqli'
|
7
7
|
require 'contrast/agent/reporting/input_analysis/score_level'
|
8
|
-
require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
|
9
8
|
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
10
|
-
require 'contrast/utils/
|
11
|
-
require 'contrast/components/logger'
|
9
|
+
require 'contrast/utils/input_classification_base'
|
12
10
|
|
13
11
|
module Contrast
|
14
12
|
module Agent
|
@@ -18,68 +16,10 @@ module Contrast
|
|
18
16
|
# as a result input would be marked as WORTHWATCHING or IGNORE,
|
19
17
|
# to be analyzed at the sink level.
|
20
18
|
module SqliInputClassification
|
19
|
+
WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'.cs__freeze
|
21
20
|
class << self
|
22
21
|
include InputClassificationBase
|
23
|
-
include Contrast::Agent::Protect::Rule::SqliWorthWatching
|
24
22
|
include Contrast::Components::Logger::InstanceMethods
|
25
|
-
|
26
|
-
WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
|
27
|
-
SQLI_KEYS_NEEDED = [
|
28
|
-
COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
|
29
|
-
].cs__freeze
|
30
|
-
|
31
|
-
# Input Classification stage is done to determine if an user input is
|
32
|
-
# WORTHWATCHING or to be ignored.
|
33
|
-
#
|
34
|
-
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
35
|
-
# @param value [String, Array<String>] the value of the input.
|
36
|
-
# @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
|
37
|
-
# agent analysis from the current
|
38
|
-
# Request.
|
39
|
-
# @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
|
40
|
-
def classify input_type, value, input_analysis
|
41
|
-
return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
|
42
|
-
return unless super
|
43
|
-
|
44
|
-
rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
|
45
|
-
|
46
|
-
# double check the input to avoid calling match? on array
|
47
|
-
Array(value).each do |val|
|
48
|
-
Array(val).each do |v|
|
49
|
-
input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
|
50
|
-
end
|
51
|
-
end
|
52
|
-
|
53
|
-
input_analysis
|
54
|
-
rescue StandardError => e
|
55
|
-
logger.debug('An Error was recorded in the input classification of the sqli.')
|
56
|
-
logger.debug(e)
|
57
|
-
end
|
58
|
-
|
59
|
-
private
|
60
|
-
|
61
|
-
# This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
|
62
|
-
# key if needed and Creates new isntance of InputAnalysisResult.
|
63
|
-
#
|
64
|
-
# @param request [Contrast::Agent::Request] the current request context.
|
65
|
-
# @param rule_id [String] The name of the Protect Rule.
|
66
|
-
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
67
|
-
# @param value [String, Array<String>] the value of the input.
|
68
|
-
#
|
69
|
-
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
70
|
-
def sqli_create_new_input_result request, rule_id, input_type, value
|
71
|
-
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
72
|
-
if sqli_worth_watching?(value)
|
73
|
-
ia_result.ids << WORTHWATCHING_MATCH
|
74
|
-
ia_result.score_level = WORTHWATCHING
|
75
|
-
ia_result
|
76
|
-
else
|
77
|
-
ia_result.score_level = IGNORE
|
78
|
-
end
|
79
|
-
|
80
|
-
add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
|
81
|
-
ia_result
|
82
|
-
end
|
83
23
|
end
|
84
24
|
end
|
85
25
|
end
|
@@ -26,8 +26,6 @@ module Contrast
|
|
26
26
|
|
27
27
|
NAME = 'sql-injection'
|
28
28
|
|
29
|
-
SUB_RULES = [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
|
30
|
-
|
31
29
|
def rule_name
|
32
30
|
NAME
|
33
31
|
end
|
@@ -36,8 +34,81 @@ module Contrast
|
|
36
34
|
BLOCK_MESSAGE
|
37
35
|
end
|
38
36
|
|
37
|
+
# Array of sub_rules
|
38
|
+
#
|
39
|
+
# @return [Array]
|
39
40
|
def sub_rules
|
40
|
-
|
41
|
+
@_sub_rules ||= [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
|
42
|
+
end
|
43
|
+
|
44
|
+
def applicable_user_inputs
|
45
|
+
APPLICABLE_USER_INPUTS
|
46
|
+
end
|
47
|
+
|
48
|
+
def infilter context, database, query_string
|
49
|
+
return unless infilter?(context)
|
50
|
+
|
51
|
+
result = find_attacker(context, query_string, database: database)
|
52
|
+
return unless result
|
53
|
+
|
54
|
+
append_to_activity(context, result)
|
55
|
+
|
56
|
+
cef_logging(result, :successful_attack, value: query_string)
|
57
|
+
raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
|
58
|
+
end
|
59
|
+
|
60
|
+
# Allows for the InputAnalysis from Agent Library to be extracted early
|
61
|
+
# @param context [Contrast::Agent::RequestContext]
|
62
|
+
# @param potential_attack_string [String, nil]
|
63
|
+
# @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
|
64
|
+
# @param **kwargs
|
65
|
+
# @return [Contrast::Agent::Reporting, nil]
|
66
|
+
def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
|
67
|
+
logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
|
68
|
+
|
69
|
+
result = nil
|
70
|
+
ia_results.each do |ia_result|
|
71
|
+
if potential_attack_string
|
72
|
+
idx = potential_attack_string.index(ia_result.value)
|
73
|
+
next unless idx
|
74
|
+
|
75
|
+
database_type = kwargs[:database].to_sym
|
76
|
+
input_length = ia_result.value.length
|
77
|
+
lib_result = check_sql_input_with_agent(potential_attack_string, database_type, idx, input_length)
|
78
|
+
|
79
|
+
kwargs[:result_struct] = lib_result
|
80
|
+
result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
|
81
|
+
else
|
82
|
+
result = build_attack_without_match(context, ia_result, result, **kwargs)
|
83
|
+
end
|
84
|
+
end
|
85
|
+
result
|
86
|
+
end
|
87
|
+
|
88
|
+
# We'll need a second place, where we need to check the token boundaries if are being crossed and
|
89
|
+
# worth-watching.
|
90
|
+
#
|
91
|
+
# @param sql[String] SQL coming from parameter
|
92
|
+
# @param database[String] Type of database
|
93
|
+
# @param input_index[String] index in the sqlQuery string where user input was found
|
94
|
+
# @param input_length[Number] length of the input value
|
95
|
+
# @return [Hash, Boolean]
|
96
|
+
def check_sql_input_with_agent sql, database, input_index, input_length
|
97
|
+
return false unless (agent_lib = Contrast::AGENT_LIB) && sql && database
|
98
|
+
|
99
|
+
agent_lib.check_sql_query(input_index, input_length, database, sql)
|
100
|
+
end
|
101
|
+
|
102
|
+
# @param context [Contrast::Agent::RequestContext]
|
103
|
+
def infilter? context
|
104
|
+
return false unless enabled?
|
105
|
+
return false unless context&.agent_input_analysis&.results&.any? do |result|
|
106
|
+
result.rule_id == rule_name
|
107
|
+
end
|
108
|
+
|
109
|
+
return false if protect_excluded_by_code?
|
110
|
+
|
111
|
+
true
|
41
112
|
end
|
42
113
|
end
|
43
114
|
end
|
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb
CHANGED
@@ -3,9 +3,8 @@
|
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
5
|
require 'contrast/agent/protect/rule/unsafe_file_upload'
|
6
|
-
require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
|
7
6
|
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
8
|
-
require 'contrast/utils/
|
7
|
+
require 'contrast/utils/input_classification_base'
|
9
8
|
|
10
9
|
module Contrast
|
11
10
|
module Agent
|
@@ -14,67 +13,44 @@ module Contrast
|
|
14
13
|
# This module will do the Input Classification stage of Unsafe File Upload
|
15
14
|
# rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
|
16
15
|
module UnsafeFileUploadInputClassification
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
# #
|
56
|
-
# # @param request [Contrast::Agent::Request] the current request context.
|
57
|
-
# # @param rule_id [String] The name of the Protect Rule.
|
58
|
-
# # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
59
|
-
# # @param value [String, Array<String>] the value of the input.
|
60
|
-
# #
|
61
|
-
# # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
62
|
-
# def create_new_input_result request, rule_id, input_type, value
|
63
|
-
# ia_result = new_ia_result rule_id, input_type, request.path, value
|
64
|
-
# if unsafe_match? value
|
65
|
-
# ia_result.score_level = DEFINITEATTACK
|
66
|
-
# ia_result.ids << UNSAFE_UPLOAD_MATCH
|
67
|
-
# else
|
68
|
-
# ia_result.score_level = IGNORE
|
69
|
-
# end
|
70
|
-
# ia_result.key = if input_type == MULTIPART_FIELD_NAME
|
71
|
-
# Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
|
72
|
-
# else
|
73
|
-
# Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
|
74
|
-
# end
|
75
|
-
# ia_result
|
76
|
-
# end
|
77
|
-
# end
|
16
|
+
UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
|
17
|
+
|
18
|
+
class << self
|
19
|
+
include InputClassificationBase
|
20
|
+
|
21
|
+
private
|
22
|
+
|
23
|
+
# This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
|
24
|
+
# key if needed and Creates new isntance of InputAnalysisResult.
|
25
|
+
#
|
26
|
+
# @param request [Contrast::Agent::Request] the current request context.
|
27
|
+
# @param rule_id [String] The name of the Protect Rule.
|
28
|
+
# @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
|
29
|
+
# @param value [String, Array<String>] the value of the input.
|
30
|
+
#
|
31
|
+
# @return res [Contrast::Agent::Reporting::InputAnalysisResult]
|
32
|
+
def create_new_input_result request, rule_id, input_type, value
|
33
|
+
return unless Contrast::AGENT_LIB
|
34
|
+
return unless (input_eval = Contrast::AGENT_LIB.eval_input(value,
|
35
|
+
Contrast::AGENT_LIB.input_set[:MULTIPART_NAME],
|
36
|
+
Contrast::AGENT_LIB.rule_set[rule_id],
|
37
|
+
Contrast::AGENT_LIB.eval_option[:NONE]))
|
38
|
+
|
39
|
+
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
40
|
+
if input_eval.score >= THRESHOLD
|
41
|
+
ia_result.score_level = DEFINITEATTACK
|
42
|
+
ia_result.ids << UNSAFE_UPLOAD_MATCH
|
43
|
+
else
|
44
|
+
ia_result.score_level = IGNORE
|
45
|
+
end
|
46
|
+
ia_result.key = if input_type == MULTIPART_FIELD_NAME
|
47
|
+
Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
|
48
|
+
else
|
49
|
+
Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
|
50
|
+
end
|
51
|
+
ia_result
|
52
|
+
end
|
53
|
+
end
|
78
54
|
end
|
79
55
|
end
|
80
56
|
end
|