# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true cs__scoped_require 'contrast/utils/timer' module Contrast module Agent module Protect module Rule # Implementation of the XXE Protect Rule used to evaluate XML calls for exploit # of unsafe external entity resolution. class Xxe < Contrast::Agent::Protect::Rule::Base NAME = 'xxe' EXPLOIT_CHARACTERS = Contrast::Utils::ObjectShare::EMPTY_ARRAY BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.' EXTERNAL_ENTITY_PATTERN = //.cs__freeze def name NAME end def infilter context, framework, xml result = find_attacker(context, xml, framework: framework) return nil unless result append_to_activity(context, result) return unless blocked? raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) end protected def find_attacker context, xml, **kwargs return nil unless xml return nil if protect_excluded_by_code? logger.debug("checking: #{ name } in '#{ kwargs[:framework] }'") xxe_details, last_idx = build_details(xml) return nil unless xxe_details # For our definition, the prolog goes from the start of the XML # string to the end of the last entity declaration. xxe_details.xml = Contrast::Utils::StringUtils.protobuf_safe_string(xml[0, last_idx]) ia_result = build_evaluation(xxe_details.xml) result = build_attack_with_match( context, ia_result, nil, nil, details: xxe_details) result end def build_details xml, _evaluation = nil last_idx = 0 ss = StringScanner.new(xml) while ss.scan_until(EXTERNAL_ENTITY_PATTERN) last_idx = ss.pos entity_wrapper = Contrast::Agent::Protect::Rule::Xxe::EntityWrapper.new(ss.matched) next unless entity_wrapper.external_entity? xxe_details ||= Contrast::Api::Dtm::XxeDetails.new xxe_details.declared_entities << build_match(ss) xxe_details.entities_resolved << build_wrapper(entity_wrapper) end [xxe_details, last_idx] end def build_sample context, ia_result, _url, **kwargs sample = build_base_sample(context, ia_result) sample.xxe = kwargs[:details] sample end INPUT_NAME = 'XML Prolog' def build_user_input ia_result input = Contrast::Api::Dtm::UserInput.new input.key = INPUT_NAME input.input_type = :UNKNOWN input.document_type = :XML input.value = ia_result.value input end private # We know that this attack happened, so the result is always matched # and the level is always critical. Only variable is the XML value # supplied by the attacker. def build_evaluation xml ia_result = Contrast::Api::Settings::InputAnalysisResult.new ia_result.rule_id = name ia_result.input_type = :UNKNOWN ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(xml) ia_result end def build_match string_scanner match = Contrast::Api::Dtm::XxeMatch.new match.end_idx = string_scanner.pos.to_i match.start_idx = match.end_idx - string_scanner.matched_size match end def build_wrapper entity_wrapper wrapper = Contrast::Api::Dtm::XxeWrapper.new wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string( entity_wrapper.system_id) wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string( entity_wrapper.public_id) wrapper end end end end end end