# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true module Contrast module Agent module Protect module Rule # Module to hold required generic filters (prefilter, infilter, postfilter) module Filters POSTFILTER_MODES = Set.new(%i[BLOCK MONITOR]).cs__freeze # Actions required for the rules that have to happen before the # application has completed its processing of the request. # # For most rules, these actions are performed within the analysis # engine and communicated as an input analysis result. Those that # require specific action need to provide that action. # # @param context [Contrast::Agent::RequestContext] the context for # the current request def prefilter context return unless prefilter?(context) ia_results = gather_ia_results(context) ia_results.each do |ia_result| result = build_attack_result(context) build_attack_without_match(context, ia_result, result) append_to_activity(context, result) cef_logging(result, :successful_attack) raise(Contrast::SecurityException.new(self, block_message)) if blocked? end end # Prefilter check always called before infilter to check if the rule is infilter # capable, not disabled or in other way excluded by url or input exclusions. # # @param context [Contrast::Agent::RequestContext] # @return [Boolean] def prefilter? context return false unless context return false unless enabled? return false unless (results = gather_ia_results(context)) && results.any? return false if protect_excluded_by_url?(rule_name) return false if protect_excluded_by_input?(results) true end # This should only ever be called directly from patched code and will # have a different implementation based on the rule. As such, there # is not parent implementation. # # @param _context [Contrast::Agent::RequestContext] the context for # the current request # @param _match_string [String] the input that violated the rule and # matched the attack detection logic # @param _kwargs [Hash] key-value pairs used by the rule to build a # report. def infilter _context, _match_string, **_kwargs; end # Infilter check always called before infilter to check if the rule is infilter # capable, not disabled or in other way excluded by url or input exclusions. # # @param context [Contrast::Agent::RequestContext] # @return [Boolean] def infilter? context return false unless enabled? return false unless (results = gather_ia_results(context)) && results.any? return false if protect_excluded_by_url?(rule_name) return false if protect_excluded_by_input?(results) true end # Actions required for the rules that have to happen after the # application has completed its processing of the request. # # Any implementation here needs to account for the fact that # responses may be streaming and, as such, transformations of the # response itself may not be permissible. # # Override for rules that need the response # Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify # the response streamed responses will break # # @param context [Contrast::Agent::RequestContext] # @raise [Contrast::SecurityException] def postfilter context return unless enabled? && POSTFILTER_MODES.include?(mode) return false if protect_excluded_by_url?(rule_name) return if protect_excluded_by_input?(gather_ia_results(context)) return if mode == :NO_ACTION || mode == :PERMIT result = find_postfilter_attacker(context, nil) return unless result&.samples&.any? cef_logging(result) append_to_activity(context, result) return unless result.response == :BLOCKED raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")) end end end end end end