contrast-agent 7.4.0 → 7.4.1

data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb

@@ -26,9 +26,8 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-
-            cef_logging(result, :successful_attack)
-            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+            record_triggered(context)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked_violation?(result)
           end
 
           protected
@@ -39,8 +38,8 @@ module Contrast
 
           def build_violation context, potential_attack_string
             result = build_attack_result(context)
-            update_successful_attack_response(context, nil, result, potential_attack_string)
             append_sample(context, nil, result, potential_attack_string)
+            update_successful_attack_response(context, nil, result, potential_attack_string)
             result
           end
 

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload.rb

@@ -28,6 +28,9 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
           def block_message
             BLOCK_MESSAGE
           end

data/lib/contrast/agent/protect/rule/utils/builders.rb

@@ -29,8 +29,8 @@ module Contrast
           #   this input
           def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
             result ||= build_attack_result(context)
-            update_successful_attack_response(context, ia_result, result, candidate_string)
             append_sample(context, ia_result, result, candidate_string, **kwargs)
+            update_successful_attack_response(context, ia_result, result, candidate_string)
 
             result
           end
@@ -53,8 +53,8 @@ module Contrast
           #   this input
           def build_attack_without_match context, ia_result, result, **kwargs
             result ||= build_attack_result(context)
-            update_perimeter_attack_response(context, ia_result, result)
             append_sample(context, ia_result, result, nil, **kwargs)
+            update_perimeter_attack_response(context, ia_result, result)
 
             result
           end
@@ -97,11 +97,10 @@ module Contrast
           # @param potential_attack_string [String]
           def build_violation context, potential_attack_string
             result = build_attack_result(context)
+            append_sample(context, nil, result, potential_attack_string)
             update_successful_attack_response(context, nil, result, potential_attack_string)
             return unless result
 
-            append_sample(context, nil, result, potential_attack_string)
-            cef_logging(result, :successful_attack)
             result
           end
         end

data/lib/contrast/agent/protect/rule/utils/filters.rb

@@ -25,11 +25,12 @@ module Contrast
 
             ia_results.each do |ia_result|
               result = build_attack_result(context)
-              build_attack_without_match(context, ia_result, result)
-              append_to_activity(context, result)
+              result = build_attack_without_match(context, ia_result, result)
+              next unless result
 
-              cef_logging(result, :successful_attack)
-              raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+              append_to_activity(context, result)
+              record_triggered(context)
+              raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
             end
           end
 
@@ -39,10 +40,10 @@ module Contrast
           # @param context [Contrast::Agent::RequestContext]
           # @return [Boolean]
           def prefilter? context
-            return false unless context
             return false unless enabled?
-            return false unless (results = gather_ia_results(context)) && results.any?
             return false if protect_excluded_by_url?(rule_name)
+            return false unless context
+            return false unless (results = gather_ia_results(context)) && results.any?
             return false if protect_excluded_by_input?(results)
 
             true
@@ -52,13 +53,20 @@ module Contrast
           # have a different implementation based on the rule. As such, there
           # is not parent implementation.
           #
-          # @param _context [Contrast::Agent::RequestContext] the context for
+          # @param context [Contrast::Agent::RequestContext] the context for
           #   the current request
-          # @param _match_string [String] the input that violated the rule and
+          # @param match_string [String] the input that violated the rule and
           #   matched the attack detection logic
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
-          def infilter _context, _match_string, **_kwargs; end
+          def infilter context, match_string, _kwargs
+            return unless infilter?(context)
+            return unless (result = build_violation(context, match_string))
+
+            append_to_activity(context, result)
+            record_triggered(context)
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+          end
 
           # Infilter check always called before infilter to check if the rule is infilter
           # capable, not disabled or in other way excluded by url or input exclusions.
@@ -74,6 +82,18 @@ module Contrast
             true
           end
 
+          # Check befor commiting infilter
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          def postfilter? context
+            return false unless enabled? && POSTFILTER_MODES.include?(mode)
+            return false if protect_excluded_by_url?(rule_name)
+            return false if protect_excluded_by_input?(gather_ia_results(context))
+            return false if mode == :NO_ACTION || mode == :PERMIT
+
+            true
+          end
+
           # Actions required for the rules that have to happen after the
           # application has completed its processing of the request.
           #
@@ -88,18 +108,14 @@ module Contrast
           # @param context [Contrast::Agent::RequestContext]
           # @raise [Contrast::SecurityException]
           def postfilter context
-            return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return false if protect_excluded_by_url?(rule_name)
-            return if protect_excluded_by_input?(gather_ia_results(context))
-
-            return if mode == :NO_ACTION || mode == :PERMIT
+            return unless postfilter?(context)
 
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
 
-            cef_logging(result)
             append_to_activity(context, result)
-            return unless result.response == :BLOCKED
+            record_triggered(context)
+            return unless blocked_violation?(result)
 
             raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
           end

data/lib/contrast/agent/protect/rule/xss/xss.rb

@@ -3,6 +3,8 @@
 
 require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
+require 'contrast/agent/reporting/details/xss_details'
+require 'contrast/agent/reporting/details/xss_match'
 require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
@@ -25,10 +27,56 @@ module Contrast
             NAME
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
           def block_message
             BLOCK_MESSAGE
           end
 
+          # Prefilter check always called before infilter to check if the rule is infilter
+          # capable, not disabled or in other way excluded by url or input exclusions.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Boolean]
+          def prefilter? context
+            return false unless enabled?
+            return false if protect_excluded_by_url?(rule_name)
+            return false unless context
+            return false unless (results = gather_ia_results(context)) && results.any?
+            return false if protect_excluded_by_input?(results)
+
+            true
+          end
+
+          def prefilter context
+            return unless prefilter?(context)
+
+            ia_results = gather_ia_results(context)
+
+            ia_results.each do |ia_result|
+              result = build_attack_result(context)
+              result = build_attack_without_match(context, ia_result, result)
+              next unless result
+
+              append_to_activity(context, result)
+              # XSS is being triggered, so we need to add it to the triggered rules,
+              # So the IA won't be done for this rule again for the current request.
+              record_triggered(context)
+              raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
+            end
+          end
+
+          # XSS is evaluated only on prefilter
+          def infilter? _context
+            false
+          end
+
+          # XSS is evaluated only on prefilter
+          def postfilter? _context
+            false
+          end
+
           # XSS Upload input classification
           #
           # @return [module<Contrast::Agent::Protect::Rule::ReflectedXssInputClassification>]
@@ -43,6 +91,38 @@ module Contrast
           def applicable_user_inputs
             APPLICABLE_USER_INPUTS
           end
+
+          # Adding XSS details
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysisResult]
+          # @param _xss_string
+          # @param **_kwargs
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build_sample context, ia_result, _xss_string, **_kwargs
+            sample = build_base_sample(context, ia_result)
+            sample.details = Contrast::Agent::Reporting::Details::XssDetails.new
+            sample.details.input = ia_result.value
+
+            # TODO: RUBY-99999 check the if the ReflectedXss matches are needed.
+            xss_match = Contrast::Agent::Reporting::Details::XssMatch.new(ia_result.value)
+            sample.details.matches << xss_match unless xss_match.empty?
+
+            sample
+          end
+
+          private
+
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @return [Contrast::Agent::Reporting::AttackResult, nil]
+          def find_postfilter_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            ia_results.reject! do |ia_result|
+              ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::IGNORE
+            end
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xxe/xxe.rb

@@ -26,6 +26,13 @@ module Contrast
             NAME
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
+          def block_message
+            BLOCK_MESSAGE
+          end
+
           # Given an xml, evaluate it for an XXE attack. There's no return here
           # as this method handles appending the evaluation to the request
           # context, connecting it to the reporting mechanism at request end.
@@ -43,9 +50,9 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-            return unless blocked?
+            record_triggered(context)
+            return unless blocked_violation?(result)
 
-            cef_logging(result, :successful_attack, value: xml)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE))
           end
 

data/lib/contrast/agent/reporting/details/xss_match.rb

@@ -9,6 +9,9 @@ module Contrast
       module Details
         # Matcher data for XSS rule.
         class XssMatch
+          EVIDENCE_START = /<script.*?>/i.cs__freeze
+          EVIDENCE_END = %r{</script.*?>}i.cs__freeze
+
           # @return [Integer] in ms
           attr_accessor :evidence_start
           # @return [String]
@@ -16,6 +19,16 @@ module Contrast
           # @return [Integer]
           attr_accessor :offset
 
+          # @param xss_string [String] to check for matches.
+          def initialize xss_string = ''
+            return if xss_string.empty?
+
+            @evidence_start = xss_string.index(EVIDENCE_START)
+            @offset = (xss_string[0...@evidence_start] || '').length
+            @evidence = xss_string[@evidence_start...xss_string.index(EVIDENCE_END)].gsub(EVIDENCE_START, '').
+                gsub(EVIDENCE_END, '')
+          end
+
           def to_controlled_hash
             {
                 evidenceStart: evidence_start,
@@ -23,6 +36,10 @@ module Contrast
                 offset: offset
             }
           end
+
+          def empty?
+            evidence_start.nil? || evidence.nil? || offset.nil?
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 
 module Contrast
@@ -12,10 +13,20 @@ module Contrast
         # @return [Hash] Stored request inputs for this context.
         attr_accessor :inputs
 
+        # Records rules triggered on sink.
+        #
+        # @return [Array<String>] array with rule names.
         def triggered_rules
           @_triggered_rules ||= []
         end
 
+        # Records rules with input analysis for current request.
+        #
+        # @return [Array<String>] array with rule names.
+        def analysed_rules
+          @_analysed_rules ||= []
+        end
+
         # result from input analysis
         #
         # @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]
@@ -44,6 +55,27 @@ module Contrast
         def request= request
           @_request = request if request.instance_of?(Contrast::Agent::Request)
         end
+
+        # Check if the InputAnalysis is empty.
+        def no_inputs?
+          Contrast::Utils::DuckUtils.empty_duck?(inputs)
+        end
+
+        # We add the analysed rules to the list. The IA won't be build for this rule,
+        # since already it's already available.
+        #
+        # @param rule_name [String] name to record.
+        def record_analysed_rule rule_name
+          analysed_rules << rule_name unless triggered_rules.include?(rule_name)
+        end
+
+        # We add the triggered rules to the list. After request analysis will skip this rule
+        # as already triggered.
+        #
+        # @param rule_name [String] name to record.
+        def record_rule_triggered rule_name
+          triggered_rules << rule_name unless triggered_rules.include?(rule_name)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -119,16 +119,12 @@ module Contrast
               ruleId: rule_id,
               session_id: ::Contrast::ASSESS.session_id,
               version: 4
-          }
+          }.compact
         end
 
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
-
-          unless ::Contrast::ASSESS.session_id
-            raise(ArgumentError, "#{ self } did not have a proper session id. Unable to continue.")
-          end
           if event_based? && events.empty?
             raise(ArgumentError, "#{ self } did not have proper events for #{ @rule_id }. Unable to continue.")
           end

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -47,7 +47,7 @@ module Contrast
               key: 0,
               session_id: ::Contrast::ASSESS.session_id,
               routes: @routes.map(&:to_controlled_hash)
-          }
+          }.compact
         end
 
         # @raise [ArgumentError]
@@ -55,9 +55,6 @@ module Contrast
           unless Contrast::Utils::StringUtils.present?(data)
             raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.")
           end
-          unless ::Contrast::ASSESS.session_id
-            raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
-          end
           unless Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
             raise(ArgumentError, "#{ cs__class } did not have a proper Application Name. Unable to continue.")
           end

data/lib/contrast/agent/request/request_context_extend.rb

@@ -52,8 +52,6 @@ module Contrast
         if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
           # Handle prefilter
           Contrast::Agent::Protect::InputAnalyzer.input_classification(ia, prefilter: true)
-          # Reflected xss infilter
-          Contrast::Agent::Protect::InputAnalyzer.input_classification_for('reflected-xss', ia)
           @agent_input_analysis = ia
         else
           logger.trace('Analysis from Agent was empty.')

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.4.0'
+    VERSION = '7.4.1'
   end
 end

data/lib/contrast/components/assess.rb

@@ -237,6 +237,10 @@ module Contrast
 
         # The id for this process, based on the session metadata or id provided by the user, as indicated in
         # application startup.
+        #
+        # The ID of the current application run, as returned by the application settings endpoint or set by
+        # application.session_id. If there is no session associated with this run, this field should be omitted
+        # when reporting to TS.
         def session_id
           ::Contrast::SETTINGS.assess_state.session_id
         end

data/lib/contrast/framework/rails/support.rb

@@ -59,7 +59,7 @@ module Contrast
             # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
             unless route
-              logger.warn("Unable to determine the current route of this request: #{ request.rack_request }")
+              logger.debug("Unable to determine the current route of this request: #{ request.rack_request }")
               return
             end
 
@@ -77,7 +77,7 @@ module Contrast
             new_route_coverage&.attach_rails_data(route, original_url)
             new_route_coverage
           rescue StandardError => e
-            logger.warn('Unable to determine the current route of this request due to exception: ', e)
+            logger.error('Unable to determine the current route of this request due to exception: ', e)
             nil
           end
 

data/lib/contrast/logger/cef_log.rb

@@ -131,7 +131,16 @@ module Contrast
         log([message, block_entry, outcome], ::Logger::Severity::DEBUG)
       end
 
-      def successful_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log successful attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def successful_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
                                          "#{ rule_id } - #{ input_value }"
@@ -142,7 +151,16 @@ module Contrast
         end
       end
 
-      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log ineffective attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
                                           "but did not successfully exploit #{ rule_id } - #{ input_value }"
@@ -153,8 +171,16 @@ module Contrast
         end
       end
 
-      # newer - currently not in the agent, currently is a probe for us
-      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log suspicious attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
                                    "as suspicious using #{ rule_id } - #{ input_value }"

data/lib/contrast/utils/io_util.rb

@@ -7,6 +7,8 @@ module Contrast
   module Utils
     # Util for information about an IO
     module IOUtil
+      UNKNOWN_IO = 'unknown'
+
       extend Contrast::Components::Logger::InstanceMethods
 
       class << self
@@ -48,6 +50,7 @@ module Contrast
           return false unless status
           return false if status.pipe?
           return false if status.socket?
+          return false if status.ftype == UNKNOWN_IO
 
           true
         end

data/lib/contrast/utils/log_utils.rb

@@ -146,6 +146,7 @@ module Contrast
       private
 
       def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        context = Contrast::Agent::REQUEST_TRACKER.current
         logger = case path
                  when STDOUT_STR, STDERR_STR
                    ::Logger.new(Object.cs__const_get(path))
@@ -154,15 +155,23 @@ module Contrast
                  end
         logger.progname = PROGNAME
         logger.level = level_const
-        change_logger_formatter(logger)
+        update_logger_formatter(logger, new_context: context)
         logger
       end
 
       def context
-        Contrast::Agent::REQUEST_TRACKER.current
+        @_context ||= Contrast::Agent::REQUEST_TRACKER.current
       end
 
-      def change_logger_formatter logger
+      def context_update new_context
+        @_context = new_context unless new_context.nil?
+      end
+
+      # @param logger [Logger]
+      # @param new_context [Contrast::Agent::RequestContext]
+      def update_logger_formatter logger, new_context: nil
+        context_update(new_context) if new_context
+
         ip_address = extract_ip_address
         logger.formatter = proc do |severity, datetime, progname, msg|
           date_format = datetime.strftime(DATE_TIME_FORMAT)
@@ -206,7 +215,7 @@ module Contrast
         request_method = assign_request_method(context)
         app_name = ::Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
         attach_request_and_sender_info(message, sender_info)
-        message << "request=#{ context.request.url } "
+        message << "request=#{ context&.request&.url } "
         message << "requestMethod=#{ request_method } "
         message << "app=#{ app_name } "
         message << "outcome=#{ outcome } "
@@ -238,16 +247,18 @@ module Contrast
       end
 
       def extract_sender_ip
-        request_headers = context.activity.request.headers&.transform_keys(&:to_s)
+        request_headers = context&.activity&.request&.headers&.transform_keys(&:to_s)
+        return unless request_headers
+
         request_headers['X-Forwarded-For']
       end
 
       def assign_request_method context
-        if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
-          context.request.rack_request.env['REQUEST_METHOD']
-        else
-          DEFAULT_METADATA
-        end
+        request_method = context&.request&.rack_request&.env
+        request_method = request_method['REQUEST_METHOD'] if request_method
+        return DEFAULT_METADATA if request_method.nil? || !request_method.length.positive?
+
+        request_method
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.4.0
+  version: 7.4.1
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-09-12 00:00:00.000000000 Z
+date: 2023-09-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler