contrast-agent 6.9.0 → 6.10.0

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb

@@ -34,7 +34,7 @@ module Contrast
               input_eval = Contrast::AGENT_LIB.eval_input(value,
                                                           convert_input_type(input_type),
                                                           Contrast::AGENT_LIB.rule_set[rule_id],
-                                                          Contrast::AGENT_LIB.eval_option[:WORTHWATCHING])
+                                                          Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
 
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               score = input_eval&.score || 0

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -8,6 +8,7 @@ require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/agent/reporting/details/path_traversal_details'
 require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
 require 'contrast/utils/string_utils'
 
 module Contrast
@@ -52,6 +53,13 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # Path Traversal input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::PathTraversalInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::PathTraversalInputClassification.cs__freeze
+          end
+
           def infilter context, method, path
             return unless infilter?(context)
 

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
-require 'contrast/agent/protect/rule/sqli'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/utils/input_classification_base'

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -7,6 +7,7 @@ require 'contrast/agent/protect/rule/sql_sample_builder'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/protect/rule/sqli/sqli_base_rule'
 require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
+require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
 
 module Contrast
   module Agent
@@ -45,16 +46,11 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
-          def infilter context, database, query_string
-            return unless infilter?(context)
-
-            result = find_attacker(context, query_string, database: database)
-            return unless result
-
-            append_to_activity(context, result)
-
-            cef_logging(result, :successful_attack, value: query_string)
-            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          # SQLI input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::SqliInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::SqliInputClassification.cs__freeze
           end
 
           # Allows for the InputAnalysis from Agent Library to be extracted early

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb

@@ -43,11 +43,15 @@ module Contrast
               else
                 ia_result.score_level = IGNORE
               end
-              ia_result.key = if input_type == MULTIPART_FIELD_NAME
+              ia_result.key = case input_type
+                              when MULTIPART_FIELD_NAME
                                 Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
-                              else
+                              when MULTIPART_NAME
                                 Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
+                              else
+                                Contrast::Utils::ObjectShare::EMPTY_STRING
                               end
+
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -4,6 +4,7 @@
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
 
 module Contrast
   module Agent
@@ -30,6 +31,25 @@ module Contrast
           def block_message
             BLOCK_MESSAGE
           end
+
+          # Unsafe File Upload input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification.cs__freeze
+          end
+
+          private
+
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Boolean]
+          def prefilter? context
+            return false unless context
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+
+            true
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb

@@ -33,7 +33,7 @@ module Contrast
                                                           convert_input_type(input_type),
                                                           Contrast::AGENT_LIB.rule_set[rule_id],
                                                           Contrast::AGENT_LIB.
-                                                            eval_option[:WORTHWATCHING])
+                                                            eval_option[:PREFER_WORTH_WATCHING])
 
               score = input_eval&.score || 0
               ia_result = new_ia_result(rule_id, input_type, request.path, value)

data/lib/contrast/agent/protect/rule/xss.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
@@ -28,6 +29,13 @@ module Contrast
             BLOCK_MESSAGE
           end
 
+          # XSS Upload input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::ReflectedXssInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::ReflectedXssInputClassification.cs__freeze
+          end
+
           def stream_safe?
             false
           end

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/reporting/details/xxe_details'
 require 'contrast/agent/reporting/details/xxe_match'
 require 'contrast/agent/reporting/details/xxe_wrapper'
@@ -14,7 +14,7 @@ module Contrast
       module Rule
         # Implementation of the XXE Protect Rule used to evaluate XML calls for exploit
         # of unsafe external entity resolution.
-        class Xxe < Contrast::Agent::Protect::Rule::Base
+        class Xxe < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Logger::InstanceMethods
           INPUT_NAME = 'XML Prolog'
 

data/lib/contrast/agent/protect/rule.rb

@@ -48,8 +48,5 @@ require 'contrast/agent/protect/rule/deserialization'
 require 'contrast/agent/protect/rule/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner'
 
-# The classes required for Http Method Tampering
-require 'contrast/agent/protect/rule/http_method_tampering'
-
 # The classes required for Unsafe File Upload
 require 'contrast/agent/protect/rule/unsafe_file_upload'

data/lib/contrast/agent/reporting/attack_result/user_input.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
-require 'contrast/agent/request_context'
 
 module Contrast
   module Agent

data/lib/contrast/agent/reporting/details/details.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/agent/reporting/details/bot_blocker_details'
 require 'contrast/agent/reporting/details/cmd_injection_details'
-require 'contrast/agent/reporting/details/http_method_tempering_details'
 require 'contrast/agent/reporting/details/no_sqli_details'
 require 'contrast/agent/reporting/details/path_traversal_details'
 require 'contrast/agent/reporting/details/protect_rule_details'

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -9,6 +9,18 @@ module Contrast
     module Reporting
       # This class will do ia analysis for our protect rules
       class InputAnalysis
+        def inputs
+          @_inputs
+        end
+
+        def inputs= extracted_inputs
+          @_inputs = extracted_inputs
+        end
+
+        def triggered_rules
+          @_triggered_rules ||= []
+        end
+
         # result from input analysis
         #
         # @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]

data/lib/contrast/agent/reporting/report.rb

@@ -27,5 +27,6 @@ require 'contrast/agent/reporting/reporting_events/route_coverage'
 require 'contrast/agent/reporting/reporting_events/observed_library_usage'
 require 'contrast/agent/reporting/reporting_events/poll'
 require 'contrast/agent/reporting/reporting_events/server_settings'
+require 'contrast/agent/reporting/reporting_events/application_settings'
 # Sensitive data masking
 require 'contrast/agent/reporting/masker/masker'

data/lib/contrast/agent/reporting/reporter.rb

@@ -40,13 +40,13 @@ module Contrast
 
         client.startup!(connection)
         @_thread = Contrast::Agent::Thread.new do
-          logger.debug('Starting background Reporter thread.')
+          logger.debug('[Reporter] Starting background Reporter thread.')
           loop do
             next unless connected?
 
             process_event(queue.pop)
           rescue StandardError => e
-            logger.debug('Reporter thread could not process because of:', e)
+            logger.debug('[Reporter] thread could not process because of:', e)
           end
         end
       end
@@ -67,7 +67,7 @@ module Contrast
       # @param event [Contrast::Agent::Reporting::ReportingEvent]
       def send_event event
         if ::Contrast::AGENT.disabled?
-          logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
+          logger.warn('[Reporter] Attempted to queue event with Agent disabled', caller: caller, event: event)
           return
         end
         return unless event
@@ -89,14 +89,16 @@ module Contrast
       # @return [Net::HTTPResponse, nil]
       def send_event_immediately event
         if ::Contrast::AGENT.disabled?
-          logger.warn('Reporter attempted to send event immediately with Agent disabled', caller: caller, event: event)
+          logger.warn('[Reporter] attempted to send event immediately with Agent disabled',
+                      caller: caller,
+                      event: event)
           return
         end
         return unless event
 
         client.send_event(event, connection)
       rescue StandardError => e
-        logger.error('Could not send message to TeamServer from Reporter queue.', e)
+        logger.error('[Reporter] Could not send message to TeamServer from reporting queue.', e)
       end
 
       def delete_queue!
@@ -126,7 +128,7 @@ module Contrast
       def connected?
         return true if client && connection
 
-        logger.debug('No client/connection; sleeping', client: client, connection: connection)
+        logger.debug('[Reporter] No client/connection; sleeping...', client: client, connection: connection)
         sleep(5)
         false
       end
@@ -136,14 +138,14 @@ module Contrast
         client.send_event(event, connection)
         handle_resend(event) if client.mode.status == client.mode.resending
       rescue StandardError => e
-        logger.error('Could not send message to TeamServer from Reporter queue.', e)
+        logger.error('[Reporter] Could not send message to TeamServer from reporting queue.', e)
       end
 
       # @return [Contrast::Agent::Telemetry::TelemetryException::Event]
       def queue_limit_telemetry_event
         message_exception = Contrast::Agent::Telemetry::TelemetryException::MessageException.build(
             'String',
-            "Maximum queue size (#{ MAX_QUEUE_SIZE }) reached for reporting events", nil, stack_frame)
+            "[Reporter] Maximum queue size (#{ MAX_QUEUE_SIZE }) reached for reporting events", nil, stack_frame)
         message = Contrast::Agent::Telemetry::TelemetryException::Message.build({}, [message_exception])
         Contrast::Agent::Telemetry::TelemetryException::Event.new(message)
       end
@@ -153,8 +155,7 @@ module Contrast
         stack_frame_type = if stack_trace.nil? || stack_trace[1].nil?
                              'none'
                            else
-                             Contrast::Agent::Telemetry::TelemetryException::Obfuscate.obfuscate_type(
-                                 stack_trace[1].path.delete_prefix(Dir.pwd))
+                             stack_trace[1].path.delete_prefix(Dir.pwd)
                            end
 
         stack_frame_function = stack_trace.nil? || stack_trace[1].nil? ? 'none' : stack_trace[1].label

data/lib/contrast/agent/reporting/reporting_events/application_activity.rb

@@ -14,6 +14,7 @@ module Contrast
       # system to report
       class ApplicationActivity < Contrast::Agent::Reporting::ApplicationReportingEvent
         include Contrast::Agent::Reporting::ResponseType
+        include Contrast::Components::Logger::InstanceMethods
 
         # @return [Integer]
         attr_accessor :query_count
@@ -55,8 +56,8 @@ module Contrast
 
         def to_controlled_hash
           hsh = { lastUpdate: since_last_update }
-          hsh[:defend] = @_defend&.to_controlled_hash if @_defend
-          hsh[:inventory] = @_inventory&.to_controlled_hash if @_inventory
+          hsh[:defend] = defend&.to_controlled_hash
+          hsh[:inventory] = inventory&.to_controlled_hash
           hsh
         end
 
@@ -94,9 +95,7 @@ module Contrast
         #
         # @return [Array<[Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]>]
         def attack_results
-          results = []
-          defend.attackers.each { |a| results << a.protection_rules.values }
-          results
+          defend.attackers.map { |a| a.protection_rules.values }
         end
 
         # This is primary used for attaching new data and merging existing

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -13,22 +13,34 @@ module Contrast
         # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackerActivity>]
         attr_reader :attackers
 
+        # @return [Boolean]
+        attr_reader :existing_attacker_activity
+
         def initialize
           @attackers = []
+          @existing_attacker_activity = false
           @event_type = :application_defend_activity
         end
 
         def to_controlled_hash
+          validate
           {
               attackers: attackers.map(&:to_controlled_hash)
           }
         end
 
+        def validate
+          raise(ArgumentError, 'Attackers data must be populated') if existing_attacker_activity && attackers.empty?
+        end
+
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
+          return unless attack_result&.cs__is_a?(Contrast::Agent::Reporting::AttackResult)
+
           attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.new
           attacker_activity.attach_data(attack_result)
 
+          @existing_attacker_activity = true
           if (existing_attacker_activity = find_existing_attacker_activity(attacker_activity))
             attach_existing(existing_attacker_activity, attacker_activity, attack_result.rule_id)
           else
@@ -37,7 +49,7 @@ module Contrast
         end
 
         # Find an existing attacker if it matches on source details
-        # @param attacker_activity [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
+        # @param new_attacker_activity [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
         def find_existing_attacker_activity new_attacker_activity
           attackers.find do |existing|
             existing.source_forwarded_for == new_attacker_activity.source_forwarded_for &&

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb

@@ -9,6 +9,7 @@ module Contrast
     module Reporting
       # This is the new ApplicationDefendAttackActivity class which will include the attacks sent by the source.
       class ApplicationDefendAttackActivity
+        include Contrast::Components::Logger::InstanceMethods
         # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
         attr_accessor :blocked
         # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
@@ -27,15 +28,29 @@ module Contrast
         end
 
         def to_controlled_hash
+          blocked_hash = blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+          exploited_hash = exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+          ineffective_hash = ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+          suspicious_hash = suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+          validate(blocked_hash, exploited_hash, ineffective_hash, suspicious_hash)
+
           {
               startTime: @start_time,
-              blocked: @blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              exploited: @exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              ineffective: @ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              suspicious: @suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+              blocked: blocked_hash,
+              exploited: exploited_hash,
+              ineffective: ineffective_hash,
+              suspicious: suspicious_hash
           }
         end
 
+        def validate blocked_hash, exploited_hash, ineffective_hash, suspicious_hash
+          return unless [blocked_hash, exploited_hash, ineffective_hash, suspicious_hash].all?(&:empty?)
+
+          raise(ArgumentError, 'Start Time for is not presented') unless start_time
+
+          raise(ArgumentError, 'At least one of the samples must be populated')
+        end
+
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         # @return [Contrast::Agent::Reporting::Defend::AttackSampleActivity]
         def attach_data attack_result
@@ -57,7 +72,7 @@ module Contrast
         end
 
         def start_time
-          Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms
+          Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/agent/protect/rule/cmd_injection'
 require 'contrast/agent/protect/rule/deserialization'
-require 'contrast/agent/protect/rule/http_method_tampering'
 require 'contrast/agent/protect/rule/no_sqli'
 require 'contrast/agent/reporting/attack_result/user_input'
 require 'contrast/agent/reporting/attack_result/response_type'

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb

@@ -24,6 +24,7 @@ module Contrast
         end
 
         def to_controlled_hash
+          validate
           {
               attackTimeMap: time_map,
               samples: samples.map(&:to_controlled_hash),
@@ -32,6 +33,10 @@ module Contrast
           }
         end
 
+        def validate
+          raise(ArgumentError, 'Start Time is not presented') unless @start_time
+        end
+
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
           attack_result.samples.each do |attack_sample|

data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb

@@ -11,6 +11,7 @@ module Contrast
       # This is the new AttackerActivity class which will includes the attacker information discovered during this
       # activity period.
       class ApplicationDefendAttackerActivity
+        include Contrast::Components::Logger::InstanceMethods
         # @return [Hash<String,Contrast::Agent::Reporting::ApplicationDefendAttackActivity>] map of rule-id to violated
         #   samples for that rule
         attr_accessor :protection_rules
@@ -32,8 +33,11 @@ module Contrast
         end
 
         def to_controlled_hash
+          processed_rules = process_protection_rules
+          validate(processed_rules)
+
           {
-              protectionRules: process_protection_rules,
+              protectionRules: processed_rules,
               source: {
                   ip: source_ip,
                   xForwardedFor: source_forwarded_for
@@ -41,6 +45,11 @@ module Contrast
           }
         end
 
+        def validate processed_rules
+          raise(ArgumentError, 'Protection Rules are not presented') if processed_rules.empty?
+          raise(ArgumentError, 'Source is not presented') unless source_ip
+        end
+
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
           @protection_rules[attack_result.rule_id] = Contrast::Agent::Reporting::ApplicationDefendAttackActivity.new.

data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb

@@ -22,7 +22,7 @@ module Contrast
           @event_method = :POST
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_inventory
           # The API spec limits us to 500 routes, so we'll enforce that here to not hold on to superfulous data.
-          @routes = Contrast::Agent.framework_manager.find_route_discovery_data.take(500)
+          @routes = Contrast::Agent.framework_manager.find_route_discovery_data&.take(500)
           super
         end
 
@@ -33,6 +33,7 @@ module Contrast
         def to_controlled_hash
           {
               session_id: ::Contrast::ASSESS.session_id,
+              # documentation lists routes as deprecated from the agent_ng_endpoints.yml
               routes: routes.map(&:to_controlled_hash)
           }
         end

data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb

@@ -17,10 +17,20 @@ module Contrast
         # The timestamp field is a bit of a misnomer. It's really the time, in ms, since the settings for this
         # application have been updated. If I've never updated, then it's been 0ms since then.
         #
+        #
         # @return [Integer]
         def since_last_update
           (update_time = Contrast::SETTINGS.last_app_update_ms) ? Contrast::Utils::Timer.now_ms - update_time : 0
         end
+
+        # Human readable last time update for header set. Set to 0 if the agent is just starting and have not received
+        # the latest header from TS.
+        #
+        #
+        # @return [String]
+        def since_last_update_httpdate
+          Contrast::SETTINGS.app_settings_last_httpdate || Contrast::Utils::Timer.ms_to_httpdate(0)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/application_settings.rb

@@ -0,0 +1,40 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/application_reporting_event'
+require 'contrast/agent/reporting/reporting_utilities/endpoints'
+require 'contrast/utils/timer'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will initialize a GET request to be send to TS. The application settings endpoint is the way
+      # the Agent receives application sittings
+      class ApplicationSettings < Contrast::Agent::Reporting::ApplicationReportingEvent
+        def initialize
+          @event_method = :GET
+          @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_settings
+          super
+        end
+
+        def file_name
+          'application-settings'
+        end
+
+        # Attach the last server settings received timestamp to the request as it is required.
+        #
+        # If-Modified-Since: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
+        # @param request [Net::HTTPRequest]
+        def attach_headers request
+          request['If-Modified-Since'] = since_last_update_httpdate
+        end
+
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_hash
+          {}
+        end
+      end
+    end
+  end
+end