contrast-agent 6.7.0 → 6.9.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (280) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +0 -2
  3. data/.simplecov +0 -1
  4. data/Rakefile +0 -1
  5. data/ext/cs__assess_array/cs__assess_array.c +41 -10
  6. data/ext/cs__assess_array/cs__assess_array.h +4 -1
  7. data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -3
  8. data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
  9. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
  10. data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
  11. data/lib/contrast/agent/assess/property/evented.rb +11 -11
  12. data/lib/contrast/agent/assess.rb +0 -1
  13. data/lib/contrast/agent/excluder.rb +53 -35
  14. data/lib/contrast/agent/exclusion_matcher.rb +21 -9
  15. data/lib/contrast/agent/middleware.rb +12 -6
  16. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
  17. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
  18. data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +116 -0
  19. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
  20. data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
  21. data/lib/contrast/agent/protect/rule/base.rb +47 -55
  22. data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
  23. data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
  24. data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
  25. data/lib/contrast/agent/protect/rule/cmd_injection.rb +20 -2
  26. data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
  27. data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
  28. data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +64 -0
  29. data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +63 -0
  30. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
  31. data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
  32. data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
  33. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
  34. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
  35. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
  36. data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
  37. data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
  38. data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
  39. data/lib/contrast/agent/protect/rule/path_traversal.rb +40 -13
  40. data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
  41. data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
  42. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
  43. data/lib/contrast/agent/protect/rule/sqli.rb +74 -3
  44. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
  45. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
  46. data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
  47. data/lib/contrast/agent/protect/rule/xss.rb +15 -20
  48. data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
  49. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +19 -40
  50. data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
  51. data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
  52. data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
  53. data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
  54. data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
  55. data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
  56. data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
  57. data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
  58. data/lib/contrast/agent/reporting/report.rb +1 -0
  59. data/lib/contrast/agent/reporting/reporter.rb +35 -14
  60. data/lib/contrast/agent/reporting/reporter_heartbeat.rb +3 -9
  61. data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +16 -13
  62. data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +12 -7
  63. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
  64. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
  65. data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +6 -1
  66. data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
  67. data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
  68. data/lib/contrast/agent/reporting/reporting_events/finding.rb +6 -6
  69. data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +239 -93
  70. data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +10 -23
  71. data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +10 -9
  72. data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
  73. data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
  74. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +12 -0
  75. data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
  76. data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
  77. data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
  78. data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +8 -0
  79. data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
  80. data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
  81. data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
  82. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +43 -1
  83. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +8 -4
  84. data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
  85. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +58 -4
  86. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +4 -6
  87. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +77 -16
  88. data/lib/contrast/agent/reporting/server_settings_worker.rb +44 -0
  89. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +14 -2
  90. data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
  91. data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
  92. data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
  93. data/lib/contrast/agent/reporting/settings/helpers.rb +7 -0
  94. data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
  95. data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
  96. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +39 -2
  97. data/lib/contrast/agent/reporting/settings/rule_definition.rb +3 -0
  98. data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
  99. data/lib/contrast/agent/reporting/settings/server_features.rb +9 -0
  100. data/lib/contrast/agent/reporting/settings/syslog.rb +34 -5
  101. data/lib/contrast/agent/request.rb +3 -14
  102. data/lib/contrast/agent/request_context.rb +6 -9
  103. data/lib/contrast/agent/request_context_extend.rb +9 -148
  104. data/lib/contrast/agent/request_handler.rb +5 -10
  105. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +1 -1
  106. data/lib/contrast/agent/thread_watcher.rb +37 -18
  107. data/lib/contrast/agent/version.rb +1 -1
  108. data/lib/contrast/agent.rb +6 -11
  109. data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
  110. data/lib/contrast/agent_lib/api/init.rb +101 -0
  111. data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
  112. data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
  113. data/lib/contrast/agent_lib/api/panic.rb +87 -0
  114. data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
  115. data/lib/contrast/agent_lib/interface.rb +260 -0
  116. data/lib/contrast/agent_lib/interface_base.rb +118 -0
  117. data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
  118. data/lib/contrast/agent_lib/test.rb +29 -0
  119. data/lib/contrast/api/communication/connection_status.rb +20 -5
  120. data/lib/contrast/components/agent.rb +34 -14
  121. data/lib/contrast/components/api.rb +23 -0
  122. data/lib/contrast/components/app_context.rb +23 -5
  123. data/lib/contrast/components/app_context_extend.rb +0 -25
  124. data/lib/contrast/components/assess.rb +34 -4
  125. data/lib/contrast/components/assess_rules.rb +18 -0
  126. data/lib/contrast/components/base.rb +40 -0
  127. data/lib/contrast/components/config/sources.rb +95 -0
  128. data/lib/contrast/components/config.rb +19 -19
  129. data/lib/contrast/components/heap_dump.rb +10 -0
  130. data/lib/contrast/components/inventory.rb +15 -2
  131. data/lib/contrast/components/logger.rb +18 -0
  132. data/lib/contrast/components/polling.rb +36 -0
  133. data/lib/contrast/components/protect.rb +52 -2
  134. data/lib/contrast/components/ruby_component.rb +16 -1
  135. data/lib/contrast/components/sampling.rb +70 -13
  136. data/lib/contrast/components/security_logger.rb +13 -0
  137. data/lib/contrast/components/settings.rb +105 -90
  138. data/lib/contrast/config/certification_configuration.rb +14 -0
  139. data/lib/contrast/config/config.rb +46 -0
  140. data/lib/contrast/config/diagnostics.rb +114 -0
  141. data/lib/contrast/config/diagnostics_tools.rb +98 -0
  142. data/lib/contrast/config/effective_config.rb +65 -0
  143. data/lib/contrast/config/effective_config_value.rb +32 -0
  144. data/lib/contrast/config/exception_configuration.rb +12 -0
  145. data/lib/contrast/config/protect_rule_configuration.rb +8 -8
  146. data/lib/contrast/config/protect_rules_configuration.rb +23 -60
  147. data/lib/contrast/config/request_audit_configuration.rb +13 -0
  148. data/lib/contrast/config/server_configuration.rb +41 -2
  149. data/lib/contrast/configuration.rb +29 -12
  150. data/lib/contrast/extension/assess/array.rb +9 -0
  151. data/lib/contrast/extension/assess/erb.rb +1 -1
  152. data/lib/contrast/extension/delegator.rb +2 -0
  153. data/lib/contrast/framework/manager.rb +3 -1
  154. data/lib/contrast/framework/rails/railtie.rb +0 -1
  155. data/lib/contrast/framework/rails/support.rb +0 -1
  156. data/lib/contrast/tasks/config.rb +1 -8
  157. data/lib/contrast/utils/assess/event_limit_utils.rb +31 -9
  158. data/lib/contrast/utils/assess/trigger_method_utils.rb +5 -4
  159. data/lib/contrast/utils/duck_utils.rb +1 -0
  160. data/lib/contrast/utils/hash_digest.rb +2 -2
  161. data/lib/contrast/utils/input_classification_base.rb +155 -0
  162. data/lib/contrast/utils/os.rb +0 -20
  163. data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +81 -0
  164. data/lib/contrast/utils/response_utils.rb +0 -16
  165. data/lib/contrast/utils/routes_sent.rb +60 -0
  166. data/lib/contrast/utils/stack_trace_utils.rb +3 -15
  167. data/lib/contrast/utils/string_utils.rb +10 -7
  168. data/lib/contrast/utils/telemetry_client.rb +1 -2
  169. data/lib/contrast/utils/timer.rb +16 -0
  170. data/lib/contrast.rb +5 -4
  171. data/resources/protect/policy.json +1 -2
  172. data/ruby-agent.gemspec +7 -6
  173. metadata +69 -130
  174. data/exe/contrast_service +0 -23
  175. data/lib/contrast/agent/assess/contrast_event.rb +0 -157
  176. data/lib/contrast/agent/assess/events/event_factory.rb +0 -34
  177. data/lib/contrast/agent/assess/events/source_event.rb +0 -46
  178. data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
  179. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
  180. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
  181. data/lib/contrast/agent/reaction_processor.rb +0 -47
  182. data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +0 -36
  183. data/lib/contrast/agent/service_heartbeat.rb +0 -35
  184. data/lib/contrast/api/communication/messaging_queue.rb +0 -128
  185. data/lib/contrast/api/communication/response_processor.rb +0 -90
  186. data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
  187. data/lib/contrast/api/communication/socket.rb +0 -44
  188. data/lib/contrast/api/communication/socket_client.rb +0 -130
  189. data/lib/contrast/api/communication/speedracer.rb +0 -138
  190. data/lib/contrast/api/communication/tcp_socket.rb +0 -32
  191. data/lib/contrast/api/communication/unix_socket.rb +0 -28
  192. data/lib/contrast/api/communication.rb +0 -20
  193. data/lib/contrast/api/decorators/address.rb +0 -59
  194. data/lib/contrast/api/decorators/agent_startup.rb +0 -56
  195. data/lib/contrast/api/decorators/application_settings.rb +0 -43
  196. data/lib/contrast/api/decorators/application_startup.rb +0 -56
  197. data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
  198. data/lib/contrast/api/decorators/http_request.rb +0 -137
  199. data/lib/contrast/api/decorators/input_analysis.rb +0 -18
  200. data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
  201. data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
  202. data/lib/contrast/api/decorators/message.rb +0 -67
  203. data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
  204. data/lib/contrast/api/decorators/response_type.rb +0 -17
  205. data/lib/contrast/api/decorators/server_features.rb +0 -25
  206. data/lib/contrast/api/decorators/user_input.rb +0 -51
  207. data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
  208. data/lib/contrast/api/decorators.rb +0 -22
  209. data/lib/contrast/api/dtm.pb.rb +0 -363
  210. data/lib/contrast/api/settings.pb.rb +0 -500
  211. data/lib/contrast/api.rb +0 -16
  212. data/lib/contrast/components/contrast_service.rb +0 -88
  213. data/lib/contrast/components/service.rb +0 -55
  214. data/lib/contrast/tasks/service.rb +0 -84
  215. data/lib/contrast/utils/input_classification.rb +0 -73
  216. data/lib/protobuf/code_generator.rb +0 -129
  217. data/lib/protobuf/decoder.rb +0 -28
  218. data/lib/protobuf/deprecation.rb +0 -117
  219. data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
  220. data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
  221. data/lib/protobuf/descriptors.rb +0 -3
  222. data/lib/protobuf/encoder.rb +0 -11
  223. data/lib/protobuf/enum.rb +0 -365
  224. data/lib/protobuf/exceptions.rb +0 -9
  225. data/lib/protobuf/field/base_field.rb +0 -380
  226. data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
  227. data/lib/protobuf/field/bool_field.rb +0 -64
  228. data/lib/protobuf/field/bytes_field.rb +0 -67
  229. data/lib/protobuf/field/double_field.rb +0 -25
  230. data/lib/protobuf/field/enum_field.rb +0 -56
  231. data/lib/protobuf/field/field_array.rb +0 -102
  232. data/lib/protobuf/field/field_hash.rb +0 -122
  233. data/lib/protobuf/field/fixed32_field.rb +0 -25
  234. data/lib/protobuf/field/fixed64_field.rb +0 -28
  235. data/lib/protobuf/field/float_field.rb +0 -43
  236. data/lib/protobuf/field/int32_field.rb +0 -21
  237. data/lib/protobuf/field/int64_field.rb +0 -34
  238. data/lib/protobuf/field/integer_field.rb +0 -23
  239. data/lib/protobuf/field/message_field.rb +0 -51
  240. data/lib/protobuf/field/sfixed32_field.rb +0 -27
  241. data/lib/protobuf/field/sfixed64_field.rb +0 -28
  242. data/lib/protobuf/field/signed_integer_field.rb +0 -29
  243. data/lib/protobuf/field/sint32_field.rb +0 -21
  244. data/lib/protobuf/field/sint64_field.rb +0 -21
  245. data/lib/protobuf/field/string_field.rb +0 -51
  246. data/lib/protobuf/field/uint32_field.rb +0 -21
  247. data/lib/protobuf/field/uint64_field.rb +0 -21
  248. data/lib/protobuf/field/varint_field.rb +0 -77
  249. data/lib/protobuf/field.rb +0 -74
  250. data/lib/protobuf/generators/base.rb +0 -85
  251. data/lib/protobuf/generators/enum_generator.rb +0 -39
  252. data/lib/protobuf/generators/extension_generator.rb +0 -27
  253. data/lib/protobuf/generators/field_generator.rb +0 -193
  254. data/lib/protobuf/generators/file_generator.rb +0 -262
  255. data/lib/protobuf/generators/group_generator.rb +0 -122
  256. data/lib/protobuf/generators/message_generator.rb +0 -104
  257. data/lib/protobuf/generators/option_generator.rb +0 -17
  258. data/lib/protobuf/generators/printable.rb +0 -160
  259. data/lib/protobuf/generators/service_generator.rb +0 -50
  260. data/lib/protobuf/lifecycle.rb +0 -33
  261. data/lib/protobuf/logging.rb +0 -39
  262. data/lib/protobuf/message/fields.rb +0 -233
  263. data/lib/protobuf/message/serialization.rb +0 -85
  264. data/lib/protobuf/message.rb +0 -241
  265. data/lib/protobuf/optionable.rb +0 -72
  266. data/lib/protobuf/tasks/compile.rake +0 -80
  267. data/lib/protobuf/tasks.rb +0 -1
  268. data/lib/protobuf/varint.rb +0 -20
  269. data/lib/protobuf/varint_pure.rb +0 -31
  270. data/lib/protobuf/version.rb +0 -3
  271. data/lib/protobuf/wire_type.rb +0 -10
  272. data/lib/protobuf.rb +0 -91
  273. data/proto/dynamic_discovery.proto +0 -46
  274. data/proto/google/protobuf/compiler/plugin.proto +0 -183
  275. data/proto/google/protobuf/descriptor.proto +0 -911
  276. data/proto/rpc.proto +0 -71
  277. data/service_executables/.gitkeep +0 -0
  278. data/service_executables/VERSION +0 -1
  279. data/service_executables/linux/contrast-service +0 -0
  280. data/service_executables/mac/contrast-service +0 -0
@@ -0,0 +1,114 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/agent/protect/rule/base_service'
5
+ require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
6
+ require 'contrast/agent/request_context'
7
+ require 'contrast/utils/string_utils'
8
+ require 'contrast/agent_lib/api/path_semantic_file_security_bypass'
9
+ require 'contrast/agent_lib/interface'
10
+
11
+ module Contrast
12
+ module Agent
13
+ module Protect
14
+ module Rule
15
+ # The Ruby implementation of the Protect Path Traversal Semantic
16
+ # Bypass sub-rule. This rule should report the attack result
17
+ class PathTraversalSemanticBypass < Contrast::Agent::Protect::Rule::BaseService
18
+ NAME = 'path-traversal-semantic-file-security-bypass'
19
+ # There paths here will eventually be moved
20
+
21
+ def rule_name
22
+ NAME
23
+ end
24
+
25
+ def infilter context, method, path
26
+ return unless rule_violated?(path)
27
+
28
+ result = find_vulnerability(context, path)
29
+
30
+ return unless result
31
+
32
+ append_to_activity(context, result)
33
+ return unless blocked?
34
+
35
+ result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
36
+ cef_logging(result, :successful_attack, value: path)
37
+ exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
38
+ raise(Contrast::SecurityException.new(self, exception_messasge))
39
+ end
40
+
41
+ protected
42
+
43
+ # Check if semantic file security bypass is detected
44
+ #
45
+ # @param file_path [String] command to check.
46
+ # @param is_custom_code[String] whether the file is being accessed by custom (user) code,
47
+ # rather than framework code
48
+ # @return result[Integer, nil] returns:
49
+ # 1 => security bypass is detected.
50
+ # 0 => no security bypass is detected.
51
+ def file_security_bypassed? file_path, is_custom_code = nil
52
+ return false unless (agent_lib = Contrast::AGENT_LIB) || file_path
53
+
54
+ custom_call = is_custom_code.nil? ? 0 : 1
55
+
56
+ agent_lib.check_path_semantic_security_bypass(file_path, custom_call) == 1
57
+ end
58
+
59
+ def rule_violated? path
60
+ is_custom_code = custom_code_accessing_system_file?(path)
61
+ is_custom_code || file_security_bypassed?(path, is_custom_code)
62
+ end
63
+
64
+ def find_vulnerability context, path
65
+ build_attack_with_match(context, nil, nil, path)
66
+ end
67
+
68
+ def build_sample context, _input_analysis_result, path, **_kwargs
69
+ sample = build_base_sample(context, nil)
70
+ sample.details = Contrast::Agent::Reporting::Details::PathTraversalSemanticAnalysisDetails.new
71
+ path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
72
+ sample.details.path = path
73
+
74
+ is_custom_code = custom_code_accessing_system_file?(path)
75
+ # This should catch all the types of security breaches in that sub-rule scope
76
+ # but apparently it's not, because some of the system files is being skipped and not detected,
77
+ # but for our previous logic - it was expected for certain files to be detected and blocked
78
+ security_bypassed = file_security_bypassed?(path, is_custom_code)
79
+
80
+ # if agent lib sub-rule returns true and is custom code -> assign and report
81
+ if security_bypassed
82
+ if is_custom_code
83
+ sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
84
+ sample.details.findings << :COMMON_FILE_EXPLOITS if common_file_exploits_enabled?
85
+ end
86
+ return sample
87
+ end
88
+
89
+ if is_custom_code
90
+ sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
91
+ return sample
92
+ end
93
+
94
+ nil
95
+ end
96
+
97
+ def custom_code_accessing_system_file? input
98
+ system_file?(input) && Contrast::Utils::StackTraceUtils.custom_code_context?
99
+ end
100
+
101
+ def system_file? path
102
+ return false unless path
103
+
104
+ Contrast::Agent::Protect::Rule::PathTraversal::SYSTEM_PATHS.any? { |sys_path| sys_path.include?(path) }
105
+ end
106
+
107
+ def common_file_exploits_enabled?
108
+ false
109
+ end
110
+ end
111
+ end
112
+ end
113
+ end
114
+ end
@@ -2,9 +2,13 @@
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/protect/rule/base_service'
5
+ require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
6
+ require 'contrast/agent/reporting/input_analysis/input_type'
7
+ require 'contrast/agent/reporting/input_analysis/score_level'
5
8
  require 'contrast/utils/stack_trace_utils'
6
9
  require 'contrast/agent/reporting/details/path_traversal_details'
7
10
  require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
11
+ require 'contrast/utils/string_utils'
8
12
 
9
13
  module Contrast
10
14
  module Agent
@@ -13,7 +17,13 @@ module Contrast
13
17
  # This class handles our implementation of the Path Traversal
14
18
  # Protect rule.
15
19
  class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
20
+ include Contrast::Agent::Reporting::InputType
21
+
16
22
  NAME = 'path-traversal'
23
+ APPLICABLE_USER_INPUTS = [
24
+ BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_VALUE, PARAMETER_NAME,
25
+ JSON_VALUE, MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, URI
26
+ ].cs__freeze
17
27
  SYSTEM_PATHS = %w[
18
28
  /proc/self
19
29
  etc/passwd
@@ -27,20 +37,21 @@ module Contrast
27
37
  /windows/repair/
28
38
  ].cs__freeze
29
39
 
30
- class << self
31
- # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
32
- # @return [Hash] the details for this specific rule
33
- def extract_details attack_sample
34
- {
35
- path: attack_sample.path_traversal.path
36
- }
37
- end
38
- end
39
-
40
40
  def rule_name
41
41
  NAME
42
42
  end
43
43
 
44
+ # Array of sub_rules
45
+ #
46
+ # @return [Array]
47
+ def sub_rules
48
+ @_sub_rules ||= [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new].cs__freeze
49
+ end
50
+
51
+ def applicable_user_inputs
52
+ APPLICABLE_USER_INPUTS
53
+ end
54
+
44
55
  def infilter context, method, path
45
56
  return unless infilter?(context)
46
57
 
@@ -50,9 +61,10 @@ module Contrast
50
61
  append_to_activity(context, result)
51
62
  return unless blocked?
52
63
 
53
- cef_logging(result, :successful_attack)
54
- raise(Contrast::SecurityException.new(self,
55
- "Path Traversal rule triggered. Call to File.#{ method } blocked."))
64
+ result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
65
+ cef_logging(result, :successful_attack, value: path)
66
+ exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
67
+ raise(Contrast::SecurityException.new(self, exception_messasge))
56
68
  end
57
69
 
58
70
  protected
@@ -73,6 +85,21 @@ module Contrast
73
85
  sample
74
86
  end
75
87
 
88
+ # @param context [Contrast::Agent::RequestContext]
89
+ def infilter? context
90
+ return false unless enabled?
91
+ return false unless context&.agent_input_analysis&.results&.any? do |result|
92
+ # When a file is being accessed, the agent should see if any of its worth-watching inputs appear in
93
+ # the file path. If so, the input is considered a confirmed attack and should be reported or blocked.
94
+ # If the score level is ignore we don't need to report it.
95
+ result.rule_id == rule_name && result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
96
+ end
97
+
98
+ return false if protect_excluded_by_code?
99
+
100
+ true
101
+ end
102
+
76
103
  private
77
104
 
78
105
  # Build a subclass of the RaspRuleSample if the sample matches
@@ -15,11 +15,11 @@ module Contrast
15
15
  # by TeamServer
16
16
  #
17
17
  # @param context [Contrast::Agent::RequestContext] the context for the current request
18
- # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
18
+ # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
19
19
  # if one exists, in the case of multiple inputs being found to violate the protection criteria
20
20
  # @candidate_string [String] the value of the input which may be an attack
21
21
  # @kwargs [Hash] key - value pairs of context individual rules need to build out details
22
- # to send to the Service to tell the story of the attack
22
+ # to send to TeamServer to tell the story of the attack
23
23
  # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
24
24
  module SqliSample
25
25
  def build_sample context, input_analysis_result, candidate_string, **kwargs
@@ -38,11 +38,11 @@ module Contrast
38
38
  # by TeamServer
39
39
  #
40
40
  # @param context [Contrast::Agent::RequestContext] the context for the current request
41
- # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
41
+ # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
42
42
  # if one exists, in the case of multiple inputs being found to violate the protection criteria
43
43
  # @candidate_string [String] the value of the input which may be an attack
44
44
  # @kwargs [Hash] key - value pairs of context individual rules need to build out details
45
- # to send to the Service to tell the story of the attack
45
+ # to send to TeamServer to tell the story of the attack
46
46
  # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
47
47
  module NoSqliSample
48
48
  def build_sample context, input_analysis_result, candidate_string, **kwargs
@@ -63,24 +63,21 @@ module Contrast
63
63
  # Set up an attack result and assigns Database scanner for the No-SQL and SQLI injection detection rules
64
64
  #
65
65
  # @param context [Contrast::Agent::RequestContext] the context for the current request
66
- # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
66
+ # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
67
67
  # if one exists, in the case of multiple inputs being found to violate the protection criteria
68
- # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
68
+ # @param result [Contrast::Agent::Reporting, nil] previous attack result for this rule, if one exists,
69
69
  # in the case of multiple inputs being found to violate the protection criteria
70
70
  # @param query_string [String] the value of the input which may be an attack
71
71
  # @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
72
- # to the Service to tell the story of the attack
73
- # @return [Contrast::Api::Dtm::AttackResult] the result from this attack
72
+ # to TeamServer to tell the story of the attack
73
+ # @return [Contrast::Agent::Reporting] the result from this attack
74
74
  def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
75
- if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
76
- mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
77
-
78
- return result
79
- end
75
+ return result if mode == :NO_ACTION || mode == :PERMIT
80
76
 
81
77
  attack_string = input_analysis_result.value
82
78
  regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
83
-
79
+ # extract struct result from kwargs
80
+ agent_lib_struct_result = kwargs[:result_struct]
84
81
  return unless query_string.match?(regexp)
85
82
 
86
83
  database = kwargs[:database]
@@ -94,7 +91,14 @@ module Contrast
94
91
  next unless last_boundary && boundary
95
92
 
96
93
  result ||= build_attack_result(context)
97
- record_match(idx, length, boundary, last_boundary, kwargs)
94
+
95
+ # if the struct actually has the needed data in it - use it
96
+ if agent_lib_struct_result.cs__is_a?(Hash)
97
+ record_agent_lib_match(agent_lib_struct_result, length, kwargs)
98
+ else
99
+ record_match(idx, length, boundary, last_boundary, kwargs)
100
+ end
101
+
98
102
  append_match(context, input_analysis_result, result, query_string, **kwargs)
99
103
  end
100
104
 
@@ -124,6 +128,20 @@ module Contrast
124
128
  kwargs[:input_boundary_idx] = last_boundary
125
129
  end
126
130
 
131
+ # all the agent_lib checks methods needed
132
+
133
+ # @param struct[ResultingStruct] The struct including all the data from the agent_lib scan
134
+ def record_agent_lib_match struct, length, kwargs
135
+ kwargs[:start_idx] = struct[:start_index]
136
+ kwargs[:end_idx] = if (struct[:end_index]).zero?
137
+ struct[:start_index] + length
138
+ else
139
+ struct[:end_index]
140
+ end
141
+ kwargs[:boundary_overrun_idx] = struct[:boundary_overrun_index]
142
+ kwargs[:input_boundary_idx] = struct[:input_boundary_index]
143
+ end
144
+
127
145
  def append_match context, input_analysis_result, result, query_string, **kwargs
128
146
  input_analysis_result.attack_count = input_analysis_result.attack_count + 1
129
147
  update_successful_attack_response(context, input_analysis_result, result, query_string)
@@ -19,20 +19,6 @@ module Contrast
19
19
  XML_VALUE, DWR_VALUE
20
20
  ].cs__freeze
21
21
 
22
- class << self
23
- # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
24
- # @return [Hash] the details for this specific rule
25
- def extract_details attack_sample
26
- {
27
- start: attack_sample.sqli.start_idx,
28
- end: attack_sample.sqli.end_idx,
29
- boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
30
- inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
31
- query: attack_sample.sqli.query
32
- }
33
- end
34
- end
35
-
36
22
  def infilter context, database, query_string
37
23
  return unless infilter?(context)
38
24
 
@@ -5,10 +5,8 @@ require 'contrast/utils/object_share'
5
5
  require 'contrast/agent/reporting/input_analysis/input_type'
6
6
  require 'contrast/agent/protect/rule/sqli'
7
7
  require 'contrast/agent/reporting/input_analysis/score_level'
8
- require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
9
8
  require 'contrast/agent/protect/input_analyzer/input_analyzer'
10
- require 'contrast/utils/input_classification'
11
- require 'contrast/components/logger'
9
+ require 'contrast/utils/input_classification_base'
12
10
 
13
11
  module Contrast
14
12
  module Agent
@@ -18,68 +16,10 @@ module Contrast
18
16
  # as a result input would be marked as WORTHWATCHING or IGNORE,
19
17
  # to be analyzed at the sink level.
20
18
  module SqliInputClassification
19
+ WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'.cs__freeze
21
20
  class << self
22
21
  include InputClassificationBase
23
- include Contrast::Agent::Protect::Rule::SqliWorthWatching
24
22
  include Contrast::Components::Logger::InstanceMethods
25
-
26
- WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
27
- SQLI_KEYS_NEEDED = [
28
- COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
29
- ].cs__freeze
30
-
31
- # Input Classification stage is done to determine if an user input is
32
- # WORTHWATCHING or to be ignored.
33
- #
34
- # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
35
- # @param value [String, Array<String>] the value of the input.
36
- # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
37
- # agent analysis from the current
38
- # Request.
39
- # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
40
- def classify input_type, value, input_analysis
41
- return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
42
- return unless super
43
-
44
- rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
45
-
46
- # double check the input to avoid calling match? on array
47
- Array(value).each do |val|
48
- Array(val).each do |v|
49
- input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
50
- end
51
- end
52
-
53
- input_analysis
54
- rescue StandardError => e
55
- logger.debug('An Error was recorded in the input classification of the sqli.')
56
- logger.debug(e)
57
- end
58
-
59
- private
60
-
61
- # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
62
- # key if needed and Creates new isntance of InputAnalysisResult.
63
- #
64
- # @param request [Contrast::Agent::Request] the current request context.
65
- # @param rule_id [String] The name of the Protect Rule.
66
- # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
67
- # @param value [String, Array<String>] the value of the input.
68
- #
69
- # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
70
- def sqli_create_new_input_result request, rule_id, input_type, value
71
- ia_result = new_ia_result(rule_id, input_type, request.path, value)
72
- if sqli_worth_watching?(value)
73
- ia_result.ids << WORTHWATCHING_MATCH
74
- ia_result.score_level = WORTHWATCHING
75
- ia_result
76
- else
77
- ia_result.score_level = IGNORE
78
- end
79
-
80
- add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
81
- ia_result
82
- end
83
23
  end
84
24
  end
85
25
  end
@@ -26,8 +26,6 @@ module Contrast
26
26
 
27
27
  NAME = 'sql-injection'
28
28
 
29
- SUB_RULES = [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
30
-
31
29
  def rule_name
32
30
  NAME
33
31
  end
@@ -36,8 +34,81 @@ module Contrast
36
34
  BLOCK_MESSAGE
37
35
  end
38
36
 
37
+ # Array of sub_rules
38
+ #
39
+ # @return [Array]
39
40
  def sub_rules
40
- SUB_RULES
41
+ @_sub_rules ||= [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
42
+ end
43
+
44
+ def applicable_user_inputs
45
+ APPLICABLE_USER_INPUTS
46
+ end
47
+
48
+ def infilter context, database, query_string
49
+ return unless infilter?(context)
50
+
51
+ result = find_attacker(context, query_string, database: database)
52
+ return unless result
53
+
54
+ append_to_activity(context, result)
55
+
56
+ cef_logging(result, :successful_attack, value: query_string)
57
+ raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
58
+ end
59
+
60
+ # Allows for the InputAnalysis from Agent Library to be extracted early
61
+ # @param context [Contrast::Agent::RequestContext]
62
+ # @param potential_attack_string [String, nil]
63
+ # @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
64
+ # @param **kwargs
65
+ # @return [Contrast::Agent::Reporting, nil]
66
+ def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
67
+ logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
68
+
69
+ result = nil
70
+ ia_results.each do |ia_result|
71
+ if potential_attack_string
72
+ idx = potential_attack_string.index(ia_result.value)
73
+ next unless idx
74
+
75
+ database_type = kwargs[:database].to_sym
76
+ input_length = ia_result.value.length
77
+ lib_result = check_sql_input_with_agent(potential_attack_string, database_type, idx, input_length)
78
+
79
+ kwargs[:result_struct] = lib_result
80
+ result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
81
+ else
82
+ result = build_attack_without_match(context, ia_result, result, **kwargs)
83
+ end
84
+ end
85
+ result
86
+ end
87
+
88
+ # We'll need a second place, where we need to check the token boundaries if are being crossed and
89
+ # worth-watching.
90
+ #
91
+ # @param sql[String] SQL coming from parameter
92
+ # @param database[String] Type of database
93
+ # @param input_index[String] index in the sqlQuery string where user input was found
94
+ # @param input_length[Number] length of the input value
95
+ # @return [Hash, Boolean]
96
+ def check_sql_input_with_agent sql, database, input_index, input_length
97
+ return false unless (agent_lib = Contrast::AGENT_LIB) && sql && database
98
+
99
+ agent_lib.check_sql_query(input_index, input_length, database, sql)
100
+ end
101
+
102
+ # @param context [Contrast::Agent::RequestContext]
103
+ def infilter? context
104
+ return false unless enabled?
105
+ return false unless context&.agent_input_analysis&.results&.any? do |result|
106
+ result.rule_id == rule_name
107
+ end
108
+
109
+ return false if protect_excluded_by_code?
110
+
111
+ true
41
112
  end
42
113
  end
43
114
  end
@@ -3,9 +3,8 @@
3
3
 
4
4
  require 'contrast/utils/object_share'
5
5
  require 'contrast/agent/protect/rule/unsafe_file_upload'
6
- require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
7
6
  require 'contrast/agent/protect/input_analyzer/input_analyzer'
8
- require 'contrast/utils/input_classification'
7
+ require 'contrast/utils/input_classification_base'
9
8
 
10
9
  module Contrast
11
10
  module Agent
@@ -14,67 +13,44 @@ module Contrast
14
13
  # This module will do the Input Classification stage of Unsafe File Upload
15
14
  # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
16
15
  module UnsafeFileUploadInputClassification
17
- # UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
18
- #
19
- # class << self
20
- # include InputClassificationBase
21
- # include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
22
- #
23
- # # Input Classification stage is done to determine if an user input is
24
- # # DEFINITEATTACK or to be ignored.
25
- # #
26
- # # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
27
- # # @param value [String, Array<String>] the value of the input.
28
- # # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
29
- # # agent analysis from the current
30
- # # Request.
31
- # # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
32
- # def classify input_type, value, input_analysis
33
- # unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
34
- # return
35
- # end
36
- # return unless input_analysis.request
37
- #
38
- # rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
39
- # results = []
40
- #
41
- # Array(value).each do |val|
42
- # Array(val).each do |v|
43
- # results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
44
- # end
45
- # end
46
- #
47
- # input_analysis.results = results
48
- # input_analysis
49
- # end
50
- #
51
- # private
52
- #
53
- # # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
54
- # # key if needed and Creates new isntance of InputAnalysisResult.
55
- # #
56
- # # @param request [Contrast::Agent::Request] the current request context.
57
- # # @param rule_id [String] The name of the Protect Rule.
58
- # # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
59
- # # @param value [String, Array<String>] the value of the input.
60
- # #
61
- # # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
62
- # def create_new_input_result request, rule_id, input_type, value
63
- # ia_result = new_ia_result rule_id, input_type, request.path, value
64
- # if unsafe_match? value
65
- # ia_result.score_level = DEFINITEATTACK
66
- # ia_result.ids << UNSAFE_UPLOAD_MATCH
67
- # else
68
- # ia_result.score_level = IGNORE
69
- # end
70
- # ia_result.key = if input_type == MULTIPART_FIELD_NAME
71
- # Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
72
- # else
73
- # Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
74
- # end
75
- # ia_result
76
- # end
77
- # end
16
+ UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
17
+
18
+ class << self
19
+ include InputClassificationBase
20
+
21
+ private
22
+
23
+ # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
24
+ # key if needed and Creates new isntance of InputAnalysisResult.
25
+ #
26
+ # @param request [Contrast::Agent::Request] the current request context.
27
+ # @param rule_id [String] The name of the Protect Rule.
28
+ # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
29
+ # @param value [String, Array<String>] the value of the input.
30
+ #
31
+ # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
32
+ def create_new_input_result request, rule_id, input_type, value
33
+ return unless Contrast::AGENT_LIB
34
+ return unless (input_eval = Contrast::AGENT_LIB.eval_input(value,
35
+ Contrast::AGENT_LIB.input_set[:MULTIPART_NAME],
36
+ Contrast::AGENT_LIB.rule_set[rule_id],
37
+ Contrast::AGENT_LIB.eval_option[:NONE]))
38
+
39
+ ia_result = new_ia_result(rule_id, input_type, request.path, value)
40
+ if input_eval.score >= THRESHOLD
41
+ ia_result.score_level = DEFINITEATTACK
42
+ ia_result.ids << UNSAFE_UPLOAD_MATCH
43
+ else
44
+ ia_result.score_level = IGNORE
45
+ end
46
+ ia_result.key = if input_type == MULTIPART_FIELD_NAME
47
+ Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
48
+ else
49
+ Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
50
+ end
51
+ ia_result
52
+ end
53
+ end
78
54
  end
79
55
  end
80
56
  end