lib/contrast/agent/protect/rule/base_service.rb in contrast-agent-6.1.0 vs lib/contrast/agent/protect/rule/base_service.rb in contrast-agent-6.1.1
- old
+ new
@@ -19,22 +19,27 @@
def block_message
'Contrast Security Protect Rule Triggered. Response blocked.'
end
+ # @param context [Contrast::Agent::RequestContext]
def infilter? context
- return false unless context&.speedracer_input_analysis&.results
return false unless enabled?
+ return false unless context&.speedracer_input_analysis&.results&.any? do |result|
+ result.rule_id == rule_name
+ end
+
return false if protect_excluded_by_code?
true
end
# Override for rules that need the response
- # Currently postfilter can be applied to streamed responses,
- # if any logic within postfilter changes to modify the response
- # streamed responses will break
+ # Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify
+ # the response streamed responses will break
+ # @param context [Contrast::Agent::RequestContext]
+ # @raise [Contrast::SecurityException]
def postfilter context
return unless enabled? && POSTFILTER_MODES.include?(mode)
if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
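Review bot: The new guard in `infilter?` hangs a multi-line `do … end` block off a modifier `unless`, which is easy to misread, and it repeats the `rule_id == rule_name` predicate that `gather_ia_results` already holds. Binding the results first keeps the nil-safety and puts the condition on one line: `results = context&.speedracer_input_analysis&.results` followed by `return false unless results&.any? { |result| result.rule_id == rule_name }`. The doc comment could also gain `# @return [Boolean]` next to the added `@param`.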
@@ -42,31 +47,42 @@
end
result = find_postfilter_attacker(context, nil)
return unless result&.samples&.any?
- cef_logging result
+ cef_logging(result)
append_to_activity(context, result)
return unless result.response == :BLOCKED
- raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
+ raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
end
protected
+ # @param context [Contrast::Agent::RequestContext]
+ # @return [Array<Contrast::Api::Settings::InputAnalysis>]
def gather_ia_results context
context.speedracer_input_analysis.results.select do |ia_result|
ia_result.rule_id == rule_name
end
end
+ # @param context [Contrast::Agent::RequestContext]
+ # @param potential_attack_string [String, nil]
+ # @param **kwargs
+ # @return [Contrast::Api::Dtm::AttackResult]
def find_attacker context, potential_attack_string, **kwargs
ia_results = gather_ia_results(context)
find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
end
# Allows for the InputAnalysis from service to be extracted early
+ # @param context [Contrast::Agent::RequestContext]
+ # @param potential_attack_string [String, nil]
+ # @param ia_results [Array<Contrast::Api::Settings::InputAnalysis>]
+ # @param **kwargs
+ # @return [Contrast::Api::Dtm::AttackResult, nil]
def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
result = nil
ia_results.each do |ia_result|
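Review bot: `gather_ia_results` calls `context.speedracer_input_analysis.results.select` with no nil guard, although `infilter?` in the first hunk uses `&.` on every link of the same chain. In the lines shown, `postfilter` reaches this method through `find_postfilter_attacker` without passing a nil check on the way. If the analysis or its results can be nil there, the rule raises NoMethodError instead of evaluating; whether that skips the check or fails the request depends on handling outside this diff. A guard such as `results = context&.speedracer_input_analysis&.results` and `return [] unless results` before the `select` would make both paths agree. Separately, the added `@return` names `InputAnalysis` while the last hunk tests for `InputAnalysisResult`, so one of the two is probably a doc typo; `find_attacker_with_results` continues past the end of this hunk.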
@@ -82,20 +98,21 @@
result
end
private
+ # @param context [Contrast::Agent::RequestContext]
+ # @param potential_attack_string [String, nil]
+ # @return [Contrast::Api::Dtm::AttackResult, nil]
def find_postfilter_attacker context, potential_attack_string, **kwargs
ia_results = gather_ia_results(context)
ia_results.select! do |ia_result|
- ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME ||
- ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
-
- Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
- else
- # legacy implementation for DEFINITEATATACK
- Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
- end
+ required_level = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult)
+ Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+ else
+ Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
+ end
+ ia_result.score_level == required_level
end
find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
end
end
end
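Review bot: The rewritten `select!` block in `find_postfilter_attacker` drops the Sqli/CmdInjection branch that matched `WORTHWATCHING`, so in postfilter those rules now act only on `DEFINITEATTACK` results, and nothing in the new code says this narrowing is deliberate. A short comment above `required_level` would record it, for example `# postfilter acts only on DEFINITEATTACK; the enum depends on which result class was returned`. The `else` branch also assumes that every object that is not an `InputAnalysisResult` compares against `Contrast::Agent::Reporting::ScoreLevel`, which is worth stating or checking. The new doc comment omits `kwargs`, unlike the comments added to `find_attacker` and `find_attacker_with_results`.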