contrast-agent 6.9.0 → 6.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -1
- data/ext/build_funchook.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +1 -4
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -1
- data/lib/contrast/agent/middleware.rb +5 -3
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +6 -2
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +76 -83
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +40 -35
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +6 -3
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +5 -2
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +3 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +12 -0
- data/lib/contrast/agent/protect/rule/base.rb +19 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +7 -2
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +8 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +9 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +24 -2
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/path_traversal.rb +8 -0
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +0 -1
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +0 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +6 -10
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +6 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/xss.rb +8 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +2 -2
- data/lib/contrast/agent/protect/rule.rb +0 -3
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +0 -1
- data/lib/contrast/agent/reporting/details/details.rb +0 -1
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +12 -0
- data/lib/contrast/agent/reporting/report.rb +1 -0
- data/lib/contrast/agent/reporting/reporter.rb +12 -15
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +4 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +13 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +20 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +5 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +10 -1
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +10 -0
- data/lib/contrast/agent/reporting/reporting_events/application_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +9 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +8 -5
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +7 -7
- data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb +137 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +12 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +100 -107
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +5 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +101 -67
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +46 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb +14 -0
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +46 -0
- data/lib/contrast/agent/reporting/settings/assess.rb +14 -1
- data/lib/contrast/agent/reporting/settings/assess_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/helpers.rb +4 -2
- data/lib/contrast/agent/reporting/settings/protect.rb +17 -12
- data/lib/contrast/agent/reporting/settings/protect_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +1 -1
- data/lib/contrast/agent/reporting/settings/virtual_patch.rb +56 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb +47 -0
- data/lib/contrast/agent/request_context_extend.rb +20 -0
- data/lib/contrast/agent/telemetry/base.rb +13 -15
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +108 -103
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +16 -10
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +12 -0
- data/lib/contrast/agent_lib/api/init.rb +1 -7
- data/lib/contrast/agent_lib/api/input_tracing.rb +2 -4
- data/lib/contrast/agent_lib/interface.rb +1 -16
- data/lib/contrast/agent_lib/interface_base.rb +52 -39
- data/lib/contrast/agent_lib/return_types/eval_result.rb +2 -2
- data/lib/contrast/components/assess.rb +26 -4
- data/lib/contrast/components/config.rb +1 -1
- data/lib/contrast/components/polling.rb +4 -1
- data/lib/contrast/components/settings.rb +46 -3
- data/lib/contrast/config/config.rb +2 -2
- data/lib/contrast/config/protect_rule_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +3 -3
- data/lib/contrast/extension/assess/regexp.rb +2 -2
- data/lib/contrast/framework/rack/patch/session_cookie.rb +2 -1
- data/lib/contrast/logger/aliased_logging.rb +48 -15
- data/lib/contrast/utils/duck_utils.rb +18 -0
- data/lib/contrast/utils/heap_dump_util.rb +1 -1
- data/lib/contrast/utils/input_classification_base.rb +21 -4
- data/lib/contrast/utils/log_utils.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +1 -1
- data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
- data/lib/contrast/utils/routes_sent.rb +6 -2
- data/lib/contrast/utils/telemetry.rb +2 -2
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/resources/protect/policy.json +8 -0
- data/ruby-agent.gemspec +6 -6
- metadata +40 -30
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +0 -96
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -83
- data/lib/contrast/agent/reporting/details/http_method_tempering_details.rb +0 -27
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +0 -47
- data/lib/contrast/agent/reporting/server_settings_worker.rb +0 -44
- data/lib/contrast/agent_lib/api/method_tempering.rb +0 -29
@@ -70,7 +70,7 @@ module Contrast
|
|
70
70
|
# @raise [Contrast::SecurityException]
|
71
71
|
def raise_error classname, method
|
72
72
|
raise(Contrast::SecurityException.new(self,
|
73
|
-
'Command Injection Command Backdoor rule triggered. '\
|
73
|
+
'Command Injection Command Backdoor rule triggered. ' \
|
74
74
|
"Call to #{ classname }.#{ method } blocked."))
|
75
75
|
end
|
76
76
|
|
@@ -3,6 +3,7 @@
|
|
3
3
|
|
4
4
|
require 'contrast/agent/reporting/details/cmd_injection_details'
|
5
5
|
require 'contrast/agent/reporting/attack_result/user_input'
|
6
|
+
require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
|
6
7
|
|
7
8
|
module Contrast
|
8
9
|
module Agent
|
@@ -21,6 +22,13 @@ module Contrast
|
|
21
22
|
MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
|
22
23
|
].cs__freeze
|
23
24
|
|
25
|
+
# CMDI input classification
|
26
|
+
#
|
27
|
+
# @return [module<Contrast::Agent::Protect::Rule::CmdiInputClassification>]
|
28
|
+
def classification
|
29
|
+
@_classification ||= Contrast::Agent::Protect::Rule::CmdiInputClassification.cs__freeze
|
30
|
+
end
|
31
|
+
|
24
32
|
# CMDI infilter:
|
25
33
|
#
|
26
34
|
# @param context [Contrast::Agent::RequestContext] current request contest
|
@@ -70,7 +78,7 @@ module Contrast
|
|
70
78
|
# @raise [Contrast::SecurityException]
|
71
79
|
def raise_error classname, method
|
72
80
|
raise(Contrast::SecurityException.new(self,
|
73
|
-
'Command Injection Rule triggered. '\
|
81
|
+
'Command Injection Rule triggered. ' \
|
74
82
|
"Call to #{ classname }.#{ method } blocked."))
|
75
83
|
end
|
76
84
|
|
@@ -32,7 +32,7 @@ module Contrast
|
|
32
32
|
# @raise [Contrast::SecurityException]
|
33
33
|
def raise_error classname, method
|
34
34
|
raise(Contrast::SecurityException.new(self,
|
35
|
-
'Command Injection Semantic Chained Commands rule triggered. '\
|
35
|
+
'Command Injection Semantic Chained Commands rule triggered. ' \
|
36
36
|
"Call to #{ classname }.#{ method } blocked."))
|
37
37
|
end
|
38
38
|
|
@@ -32,7 +32,7 @@ module Contrast
|
|
32
32
|
# @raise [Contrast::SecurityException]
|
33
33
|
def raise_error classname, method
|
34
34
|
raise(Contrast::SecurityException.new(self,
|
35
|
-
'Command Injection Dangerous Path rule triggered. '\
|
35
|
+
'Command Injection Dangerous Path rule triggered. ' \
|
36
36
|
"Call to #{ classname }.#{ method } blocked."))
|
37
37
|
end
|
38
38
|
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/agent/protect/rule/
|
4
|
+
require 'contrast/agent/protect/rule/base_service'
|
5
5
|
require 'contrast/agent/reporting/details/untrusted_deserialization_details'
|
6
6
|
require 'contrast/components/logger'
|
7
7
|
|
@@ -11,7 +11,7 @@ module Contrast
|
|
11
11
|
module Rule
|
12
12
|
# This class handles our implementation of the Untrusted
|
13
13
|
# Deserialization Protect rule.
|
14
|
-
class Deserialization < Contrast::Agent::Protect::Rule::
|
14
|
+
class Deserialization < Contrast::Agent::Protect::Rule::BaseService
|
15
15
|
# The TeamServer recognized name of this rule
|
16
16
|
include Contrast::Components::Logger::InstanceMethods
|
17
17
|
# Used to name this input since input analysis isn't done for this
|
@@ -4,6 +4,7 @@
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
5
5
|
require 'contrast/agent/protect/rule/sql_sample_builder'
|
6
6
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
7
|
+
require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
|
7
8
|
|
8
9
|
module Contrast
|
9
10
|
module Agent
|
@@ -39,6 +40,13 @@ module Contrast
|
|
39
40
|
APPLICABLE_USER_INPUTS
|
40
41
|
end
|
41
42
|
|
43
|
+
# NoSQLI input classification
|
44
|
+
#
|
45
|
+
# @return [module<Contrast::Agent::Protect::Rule::NoSqliInputClassification>]
|
46
|
+
def classification
|
47
|
+
@_classification ||= Contrast::Agent::Protect::Rule::NoSqliInputClassification.cs__freeze
|
48
|
+
end
|
49
|
+
|
42
50
|
# @raise [Contrast::SecurityException] if the attack is blocked
|
43
51
|
# raised with BLOCK_MESSAGE
|
44
52
|
def infilter context, database, query_string
|
@@ -78,9 +86,14 @@ module Contrast
|
|
78
86
|
|
79
87
|
def find_attacker context, potential_attack_string, **kwargs
|
80
88
|
if potential_attack_string
|
81
|
-
# We need the query hash to be a JSON string to match on JSON input attacks
|
89
|
+
# We need the query hash to be a JSON string to match on JSON input attacks.
|
90
|
+
# Before that we need to check if a string is already in json form.
|
82
91
|
begin
|
83
|
-
potential_attack_string =
|
92
|
+
potential_attack_string = if json?(potential_attack_string)
|
93
|
+
potential_attack_string
|
94
|
+
else
|
95
|
+
JSON.generate(potential_attack_string).to_s
|
96
|
+
end
|
84
97
|
rescue JSON::GeneratorError
|
85
98
|
logger.trace('Error in JSON::generate', input: potential_attack_string)
|
86
99
|
nil
|
@@ -88,6 +101,15 @@ module Contrast
|
|
88
101
|
end
|
89
102
|
super(context, potential_attack_string, **kwargs)
|
90
103
|
end
|
104
|
+
|
105
|
+
# Check to see if a string is in JSON form.
|
106
|
+
#
|
107
|
+
# @return [Boolean]
|
108
|
+
def json? string
|
109
|
+
return true if JSON.parse(string)
|
110
|
+
rescue StandardError
|
111
|
+
false
|
112
|
+
end
|
91
113
|
end
|
92
114
|
end
|
93
115
|
end
|
@@ -34,7 +34,7 @@ module Contrast
|
|
34
34
|
input_eval = Contrast::AGENT_LIB.eval_input(value,
|
35
35
|
convert_input_type(input_type),
|
36
36
|
Contrast::AGENT_LIB.rule_set[rule_id],
|
37
|
-
Contrast::AGENT_LIB.eval_option[:
|
37
|
+
Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
|
38
38
|
|
39
39
|
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
40
40
|
score = input_eval&.score || 0
|
@@ -8,6 +8,7 @@ require 'contrast/agent/reporting/input_analysis/score_level'
|
|
8
8
|
require 'contrast/utils/stack_trace_utils'
|
9
9
|
require 'contrast/agent/reporting/details/path_traversal_details'
|
10
10
|
require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
|
11
|
+
require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
|
11
12
|
require 'contrast/utils/string_utils'
|
12
13
|
|
13
14
|
module Contrast
|
@@ -52,6 +53,13 @@ module Contrast
|
|
52
53
|
APPLICABLE_USER_INPUTS
|
53
54
|
end
|
54
55
|
|
56
|
+
# Path Traversal input classification
|
57
|
+
#
|
58
|
+
# @return [module<Contrast::Agent::Protect::Rule::PathTraversalInputClassification>]
|
59
|
+
def classification
|
60
|
+
@_classification ||= Contrast::Agent::Protect::Rule::PathTraversalInputClassification.cs__freeze
|
61
|
+
end
|
62
|
+
|
55
63
|
def infilter context, method, path
|
56
64
|
return unless infilter?(context)
|
57
65
|
|
@@ -3,7 +3,6 @@
|
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
5
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
|
-
require 'contrast/agent/protect/rule/sqli'
|
7
6
|
require 'contrast/agent/reporting/input_analysis/score_level'
|
8
7
|
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
9
8
|
require 'contrast/utils/input_classification_base'
|
@@ -7,6 +7,7 @@ require 'contrast/agent/protect/rule/sql_sample_builder'
|
|
7
7
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
8
8
|
require 'contrast/agent/protect/rule/sqli/sqli_base_rule'
|
9
9
|
require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
|
10
|
+
require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
|
10
11
|
|
11
12
|
module Contrast
|
12
13
|
module Agent
|
@@ -45,16 +46,11 @@ module Contrast
|
|
45
46
|
APPLICABLE_USER_INPUTS
|
46
47
|
end
|
47
48
|
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
append_to_activity(context, result)
|
55
|
-
|
56
|
-
cef_logging(result, :successful_attack, value: query_string)
|
57
|
-
raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
|
49
|
+
# SQLI input classification
|
50
|
+
#
|
51
|
+
# @return [module<Contrast::Agent::Protect::Rule::SqliInputClassification>]
|
52
|
+
def classification
|
53
|
+
@_classification ||= Contrast::Agent::Protect::Rule::SqliInputClassification.cs__freeze
|
58
54
|
end
|
59
55
|
|
60
56
|
# Allows for the InputAnalysis from Agent Library to be extracted early
|
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb
CHANGED
@@ -43,11 +43,15 @@ module Contrast
|
|
43
43
|
else
|
44
44
|
ia_result.score_level = IGNORE
|
45
45
|
end
|
46
|
-
ia_result.key =
|
46
|
+
ia_result.key = case input_type
|
47
|
+
when MULTIPART_FIELD_NAME
|
47
48
|
Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
|
48
|
-
|
49
|
+
when MULTIPART_NAME
|
49
50
|
Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
|
51
|
+
else
|
52
|
+
Contrast::Utils::ObjectShare::EMPTY_STRING
|
50
53
|
end
|
54
|
+
|
51
55
|
ia_result
|
52
56
|
end
|
53
57
|
end
|
@@ -4,6 +4,7 @@
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
5
5
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
6
|
require 'contrast/agent/reporting/input_analysis/score_level'
|
7
|
+
require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
|
7
8
|
|
8
9
|
module Contrast
|
9
10
|
module Agent
|
@@ -30,6 +31,25 @@ module Contrast
|
|
30
31
|
def block_message
|
31
32
|
BLOCK_MESSAGE
|
32
33
|
end
|
34
|
+
|
35
|
+
# Unsafe File Upload input classification
|
36
|
+
#
|
37
|
+
# @return [module<Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification>]
|
38
|
+
def classification
|
39
|
+
@_classification ||= Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification.cs__freeze
|
40
|
+
end
|
41
|
+
|
42
|
+
private
|
43
|
+
|
44
|
+
# @param context [Contrast::Agent::RequestContext]
|
45
|
+
# @return [Boolean]
|
46
|
+
def prefilter? context
|
47
|
+
return false unless context
|
48
|
+
return false unless enabled?
|
49
|
+
return false if protect_excluded_by_code?
|
50
|
+
|
51
|
+
true
|
52
|
+
end
|
33
53
|
end
|
34
54
|
end
|
35
55
|
end
|
@@ -33,7 +33,7 @@ module Contrast
|
|
33
33
|
convert_input_type(input_type),
|
34
34
|
Contrast::AGENT_LIB.rule_set[rule_id],
|
35
35
|
Contrast::AGENT_LIB.
|
36
|
-
eval_option[:
|
36
|
+
eval_option[:PREFER_WORTH_WATCHING])
|
37
37
|
|
38
38
|
score = input_eval&.score || 0
|
39
39
|
ia_result = new_ia_result(rule_id, input_type, request.path, value)
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/base_service'
|
5
|
+
require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
|
5
6
|
require 'contrast/agent/reporting/input_analysis/input_type'
|
6
7
|
|
7
8
|
module Contrast
|
@@ -28,6 +29,13 @@ module Contrast
|
|
28
29
|
BLOCK_MESSAGE
|
29
30
|
end
|
30
31
|
|
32
|
+
# XSS Upload input classification
|
33
|
+
#
|
34
|
+
# @return [module<Contrast::Agent::Protect::Rule::ReflectedXssInputClassification>]
|
35
|
+
def classification
|
36
|
+
@_classification ||= Contrast::Agent::Protect::Rule::ReflectedXssInputClassification.cs__freeze
|
37
|
+
end
|
38
|
+
|
31
39
|
def stream_safe?
|
32
40
|
false
|
33
41
|
end
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/agent/protect/rule/
|
4
|
+
require 'contrast/agent/protect/rule/base_service'
|
5
5
|
require 'contrast/agent/reporting/details/xxe_details'
|
6
6
|
require 'contrast/agent/reporting/details/xxe_match'
|
7
7
|
require 'contrast/agent/reporting/details/xxe_wrapper'
|
@@ -14,7 +14,7 @@ module Contrast
|
|
14
14
|
module Rule
|
15
15
|
# Implementation of the XXE Protect Rule used to evaluate XML calls for exploit
|
16
16
|
# of unsafe external entity resolution.
|
17
|
-
class Xxe < Contrast::Agent::Protect::Rule::
|
17
|
+
class Xxe < Contrast::Agent::Protect::Rule::BaseService
|
18
18
|
include Contrast::Components::Logger::InstanceMethods
|
19
19
|
INPUT_NAME = 'XML Prolog'
|
20
20
|
|
@@ -48,8 +48,5 @@ require 'contrast/agent/protect/rule/deserialization'
|
|
48
48
|
require 'contrast/agent/protect/rule/no_sqli'
|
49
49
|
require 'contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner'
|
50
50
|
|
51
|
-
# The classes required for Http Method Tampering
|
52
|
-
require 'contrast/agent/protect/rule/http_method_tampering'
|
53
|
-
|
54
51
|
# The classes required for Unsafe File Upload
|
55
52
|
require 'contrast/agent/protect/rule/unsafe_file_upload'
|
@@ -3,7 +3,6 @@
|
|
3
3
|
|
4
4
|
require 'contrast/agent/reporting/details/bot_blocker_details'
|
5
5
|
require 'contrast/agent/reporting/details/cmd_injection_details'
|
6
|
-
require 'contrast/agent/reporting/details/http_method_tempering_details'
|
7
6
|
require 'contrast/agent/reporting/details/no_sqli_details'
|
8
7
|
require 'contrast/agent/reporting/details/path_traversal_details'
|
9
8
|
require 'contrast/agent/reporting/details/protect_rule_details'
|
@@ -9,6 +9,18 @@ module Contrast
|
|
9
9
|
module Reporting
|
10
10
|
# This class will do ia analysis for our protect rules
|
11
11
|
class InputAnalysis
|
12
|
+
def inputs
|
13
|
+
@_inputs
|
14
|
+
end
|
15
|
+
|
16
|
+
def inputs= extracted_inputs
|
17
|
+
@_inputs = extracted_inputs
|
18
|
+
end
|
19
|
+
|
20
|
+
def triggered_rules
|
21
|
+
@_triggered_rules ||= []
|
22
|
+
end
|
23
|
+
|
12
24
|
# result from input analysis
|
13
25
|
#
|
14
26
|
# @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]
|
@@ -27,5 +27,6 @@ require 'contrast/agent/reporting/reporting_events/route_coverage'
|
|
27
27
|
require 'contrast/agent/reporting/reporting_events/observed_library_usage'
|
28
28
|
require 'contrast/agent/reporting/reporting_events/poll'
|
29
29
|
require 'contrast/agent/reporting/reporting_events/server_settings'
|
30
|
+
require 'contrast/agent/reporting/reporting_events/application_settings'
|
30
31
|
# Sensitive data masking
|
31
32
|
require 'contrast/agent/reporting/masker/masker'
|
@@ -40,13 +40,13 @@ module Contrast
|
|
40
40
|
|
41
41
|
client.startup!(connection)
|
42
42
|
@_thread = Contrast::Agent::Thread.new do
|
43
|
-
logger.debug('Starting background Reporter thread.')
|
43
|
+
logger.debug('[Reporter] Starting background Reporter thread.')
|
44
44
|
loop do
|
45
45
|
next unless connected?
|
46
46
|
|
47
47
|
process_event(queue.pop)
|
48
48
|
rescue StandardError => e
|
49
|
-
logger.debug('Reporter thread could not process because of:', e)
|
49
|
+
logger.debug('[Reporter] thread could not process because of:', e)
|
50
50
|
end
|
51
51
|
end
|
52
52
|
end
|
@@ -67,19 +67,17 @@ module Contrast
|
|
67
67
|
# @param event [Contrast::Agent::Reporting::ReportingEvent]
|
68
68
|
def send_event event
|
69
69
|
if ::Contrast::AGENT.disabled?
|
70
|
-
logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
|
70
|
+
logger.warn('[Reporter] Attempted to queue event with Agent disabled', caller: caller, event: event)
|
71
71
|
return
|
72
72
|
end
|
73
73
|
return unless event
|
74
74
|
|
75
75
|
if queue.size >= MAX_QUEUE_SIZE
|
76
|
-
|
77
|
-
|
78
|
-
end
|
76
|
+
Contrast::Agent::Telemetry::Base.enabled? && Contrast::Agent.thread_watcher.telemetry_queue.
|
77
|
+
send_event(queue_limit_telemetry_event)
|
79
78
|
|
80
79
|
return
|
81
80
|
end
|
82
|
-
|
83
81
|
queue << event
|
84
82
|
end
|
85
83
|
|
@@ -89,14 +87,15 @@ module Contrast
|
|
89
87
|
# @return [Net::HTTPResponse, nil]
|
90
88
|
def send_event_immediately event
|
91
89
|
if ::Contrast::AGENT.disabled?
|
92
|
-
logger.warn('Reporter attempted to send event immediately with Agent disabled', caller: caller,
|
90
|
+
logger.warn('[Reporter] attempted to send event immediately with Agent disabled', caller: caller,
|
91
|
+
event: event)
|
93
92
|
return
|
94
93
|
end
|
95
94
|
return unless event
|
96
95
|
|
97
96
|
client.send_event(event, connection)
|
98
97
|
rescue StandardError => e
|
99
|
-
logger.error('Could not send message to TeamServer from
|
98
|
+
logger.error('[Reporter] Could not send message to TeamServer from reporting queue.', e)
|
100
99
|
end
|
101
100
|
|
102
101
|
def delete_queue!
|
@@ -126,7 +125,7 @@ module Contrast
|
|
126
125
|
def connected?
|
127
126
|
return true if client && connection
|
128
127
|
|
129
|
-
logger.debug('No client/connection; sleeping', client: client, connection: connection)
|
128
|
+
logger.debug('[Reporter] No client/connection; sleeping...', client: client, connection: connection)
|
130
129
|
sleep(5)
|
131
130
|
false
|
132
131
|
end
|
@@ -136,14 +135,14 @@ module Contrast
|
|
136
135
|
client.send_event(event, connection)
|
137
136
|
handle_resend(event) if client.mode.status == client.mode.resending
|
138
137
|
rescue StandardError => e
|
139
|
-
logger.error('Could not send message to TeamServer from
|
138
|
+
logger.error('[Reporter] Could not send message to TeamServer from reporting queue.', e)
|
140
139
|
end
|
141
140
|
|
142
141
|
# @return [Contrast::Agent::Telemetry::TelemetryException::Event]
|
143
142
|
def queue_limit_telemetry_event
|
144
143
|
message_exception = Contrast::Agent::Telemetry::TelemetryException::MessageException.build(
|
145
144
|
'String',
|
146
|
-
"Maximum queue size (#{ MAX_QUEUE_SIZE }) reached for reporting events", nil, stack_frame)
|
145
|
+
"[Reporter] Maximum queue size (#{ MAX_QUEUE_SIZE }) reached for reporting events", nil, stack_frame)
|
147
146
|
message = Contrast::Agent::Telemetry::TelemetryException::Message.build({}, [message_exception])
|
148
147
|
Contrast::Agent::Telemetry::TelemetryException::Event.new(message)
|
149
148
|
end
|
@@ -153,10 +152,8 @@ module Contrast
|
|
153
152
|
stack_frame_type = if stack_trace.nil? || stack_trace[1].nil?
|
154
153
|
'none'
|
155
154
|
else
|
156
|
-
|
157
|
-
stack_trace[1].path.delete_prefix(Dir.pwd))
|
155
|
+
stack_trace[1].path.delete_prefix(Dir.pwd)
|
158
156
|
end
|
159
|
-
|
160
157
|
stack_frame_function = stack_trace.nil? || stack_trace[1].nil? ? 'none' : stack_trace[1].label
|
161
158
|
Contrast::Agent::Telemetry::TelemetryException::StackFrame.build(stack_frame_function, stack_frame_type, nil)
|
162
159
|
end
|
@@ -14,6 +14,7 @@ module Contrast
|
|
14
14
|
# system to report
|
15
15
|
class ApplicationActivity < Contrast::Agent::Reporting::ApplicationReportingEvent
|
16
16
|
include Contrast::Agent::Reporting::ResponseType
|
17
|
+
include Contrast::Components::Logger::InstanceMethods
|
17
18
|
|
18
19
|
# @return [Integer]
|
19
20
|
attr_accessor :query_count
|
@@ -55,8 +56,8 @@ module Contrast
|
|
55
56
|
|
56
57
|
def to_controlled_hash
|
57
58
|
hsh = { lastUpdate: since_last_update }
|
58
|
-
hsh[:defend] =
|
59
|
-
hsh[:inventory] =
|
59
|
+
hsh[:defend] = defend&.to_controlled_hash
|
60
|
+
hsh[:inventory] = inventory&.to_controlled_hash
|
60
61
|
hsh
|
61
62
|
end
|
62
63
|
|
@@ -94,9 +95,7 @@ module Contrast
|
|
94
95
|
#
|
95
96
|
# @return [Array<[Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]>]
|
96
97
|
def attack_results
|
97
|
-
|
98
|
-
defend.attackers.each { |a| results << a.protection_rules.values }
|
99
|
-
results
|
98
|
+
defend.attackers.map { |a| a.protection_rules.values }
|
100
99
|
end
|
101
100
|
|
102
101
|
# This is primary used for attaching new data and merging existing
|
@@ -13,22 +13,34 @@ module Contrast
|
|
13
13
|
# @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackerActivity>]
|
14
14
|
attr_reader :attackers
|
15
15
|
|
16
|
+
# @return [Boolean]
|
17
|
+
attr_reader :existing_attacker_activity
|
18
|
+
|
16
19
|
def initialize
|
17
20
|
@attackers = []
|
21
|
+
@existing_attacker_activity = false
|
18
22
|
@event_type = :application_defend_activity
|
19
23
|
end
|
20
24
|
|
21
25
|
def to_controlled_hash
|
26
|
+
validate
|
22
27
|
{
|
23
28
|
attackers: attackers.map(&:to_controlled_hash)
|
24
29
|
}
|
25
30
|
end
|
26
31
|
|
32
|
+
def validate
|
33
|
+
raise(ArgumentError, 'Attackers data must be populated') if existing_attacker_activity && attackers.empty?
|
34
|
+
end
|
35
|
+
|
27
36
|
# @param attack_result [Contrast::Agent::Reporting::AttackResult]
|
28
37
|
def attach_data attack_result
|
38
|
+
return unless attack_result&.cs__is_a?(Contrast::Agent::Reporting::AttackResult)
|
39
|
+
|
29
40
|
attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.new
|
30
41
|
attacker_activity.attach_data(attack_result)
|
31
42
|
|
43
|
+
@existing_attacker_activity = true
|
32
44
|
if (existing_attacker_activity = find_existing_attacker_activity(attacker_activity))
|
33
45
|
attach_existing(existing_attacker_activity, attacker_activity, attack_result.rule_id)
|
34
46
|
else
|
@@ -37,7 +49,7 @@ module Contrast
|
|
37
49
|
end
|
38
50
|
|
39
51
|
# Find an existing attacker if it matches on source details
|
40
|
-
# @param
|
52
|
+
# @param new_attacker_activity [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
|
41
53
|
def find_existing_attacker_activity new_attacker_activity
|
42
54
|
attackers.find do |existing|
|
43
55
|
existing.source_forwarded_for == new_attacker_activity.source_forwarded_for &&
|
@@ -9,6 +9,7 @@ module Contrast
|
|
9
9
|
module Reporting
|
10
10
|
# This is the new ApplicationDefendAttackActivity class which will include the attacks sent by the source.
|
11
11
|
class ApplicationDefendAttackActivity
|
12
|
+
include Contrast::Components::Logger::InstanceMethods
|
12
13
|
# @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
|
13
14
|
attr_accessor :blocked
|
14
15
|
# @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
|
@@ -27,15 +28,29 @@ module Contrast
|
|
27
28
|
end
|
28
29
|
|
29
30
|
def to_controlled_hash
|
31
|
+
blocked_hash = blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
|
32
|
+
exploited_hash = exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
|
33
|
+
ineffective_hash = ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
|
34
|
+
suspicious_hash = suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
|
35
|
+
validate(blocked_hash, exploited_hash, ineffective_hash, suspicious_hash)
|
36
|
+
|
30
37
|
{
|
31
38
|
startTime: @start_time,
|
32
|
-
blocked:
|
33
|
-
exploited:
|
34
|
-
ineffective:
|
35
|
-
suspicious:
|
39
|
+
blocked: blocked_hash,
|
40
|
+
exploited: exploited_hash,
|
41
|
+
ineffective: ineffective_hash,
|
42
|
+
suspicious: suspicious_hash
|
36
43
|
}
|
37
44
|
end
|
38
45
|
|
46
|
+
def validate blocked_hash, exploited_hash, ineffective_hash, suspicious_hash
|
47
|
+
return unless [blocked_hash, exploited_hash, ineffective_hash, suspicious_hash].all?(&:empty?)
|
48
|
+
|
49
|
+
raise(ArgumentError, 'Start Time for is not presented') unless start_time
|
50
|
+
|
51
|
+
raise(ArgumentError, 'At least one of the samples must be populated')
|
52
|
+
end
|
53
|
+
|
39
54
|
# @param attack_result [Contrast::Agent::Reporting::AttackResult]
|
40
55
|
# @return [Contrast::Agent::Reporting::Defend::AttackSampleActivity]
|
41
56
|
def attach_data attack_result
|
@@ -57,7 +72,7 @@ module Contrast
|
|
57
72
|
end
|
58
73
|
|
59
74
|
def start_time
|
60
|
-
Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms
|
75
|
+
Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0
|
61
76
|
end
|
62
77
|
end
|
63
78
|
end
|
@@ -3,7 +3,6 @@
|
|
3
3
|
|
4
4
|
require 'contrast/agent/protect/rule/cmd_injection'
|
5
5
|
require 'contrast/agent/protect/rule/deserialization'
|
6
|
-
require 'contrast/agent/protect/rule/http_method_tampering'
|
7
6
|
require 'contrast/agent/protect/rule/no_sqli'
|
8
7
|
require 'contrast/agent/reporting/attack_result/user_input'
|
9
8
|
require 'contrast/agent/reporting/attack_result/response_type'
|
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb
CHANGED
@@ -24,6 +24,7 @@ module Contrast
|
|
24
24
|
end
|
25
25
|
|
26
26
|
def to_controlled_hash
|
27
|
+
validate
|
27
28
|
{
|
28
29
|
attackTimeMap: time_map,
|
29
30
|
samples: samples.map(&:to_controlled_hash),
|
@@ -32,6 +33,10 @@ module Contrast
|
|
32
33
|
}
|
33
34
|
end
|
34
35
|
|
36
|
+
def validate
|
37
|
+
raise(ArgumentError, 'Start Time is not presented') unless @start_time
|
38
|
+
end
|
39
|
+
|
35
40
|
# @param attack_result [Contrast::Agent::Reporting::AttackResult]
|
36
41
|
def attach_data attack_result
|
37
42
|
attack_result.samples.each do |attack_sample|
|