# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/agent/protect/rule/base' require 'contrast/components/logger' module Contrast module Agent module Protect module Rule # Encapsulate common code for protect rules that do their # input analysis on Speedracer rather in ruby code class BaseService < Contrast::Agent::Protect::Rule::Base include Contrast::Components::Logger::InstanceMethods def rule_name 'base-service' end def block_message 'Contrast Security Protect Rule Triggered. Response blocked.' end # @param context [Contrast::Agent::RequestContext] def infilter? context return false unless enabled? return false unless context&.speedracer_input_analysis&.results&.any? do |result| result.rule_id == rule_name end return false if protect_excluded_by_code? return false if protect_excluded_by_url?(context) true end # Override for rules that need the response # Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify # the response streamed responses will break # @param context [Contrast::Agent::RequestContext] # @raise [Contrast::SecurityException] def postfilter context return unless enabled? && POSTFILTER_MODES.include?(mode) if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION || mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT return end result = find_postfilter_attacker(context, nil) return unless result&.samples&.any? cef_logging(result) append_to_activity(context, result) return unless result.response == :BLOCKED raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")) end protected # @param context [Contrast::Agent::RequestContext] # @return [Array] def gather_ia_results context context.speedracer_input_analysis.results.select do |ia_result| ia_result.rule_id == rule_name end end # @param context [Contrast::Agent::RequestContext] # @param potential_attack_string [String, nil] # @param **kwargs # @return [Contrast::Api::Dtm::AttackResult] def find_attacker context, potential_attack_string, **kwargs ia_results = gather_ia_results(context) find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs) end # Allows for the InputAnalysis from service to be extracted early # @param context [Contrast::Agent::RequestContext] # @param potential_attack_string [String, nil] # @param ia_results [Array] # @param **kwargs # @return [Contrast::Api::Dtm::AttackResult, nil] def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string) result = nil ia_results.each do |ia_result| if potential_attack_string idx = potential_attack_string.index(ia_result.value) next unless idx result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs) else result = build_attack_without_match(context, ia_result, result, **kwargs) end end result end private # @param context [Contrast::Agent::RequestContext] # @param potential_attack_string [String, nil] # @return [Contrast::Api::Dtm::AttackResult, nil] def find_postfilter_attacker context, potential_attack_string, **kwargs ia_results = gather_ia_results(context) ia_results.select! do |ia_result| required_level = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult) Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK else Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK end ia_result.score_level == required_level end find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs) end end end end end end