Class: Contrast::Agent::Protect::WorthWatchingInputAnalyzer

Inherits:
WorkerThread
Includes:
Rule::InputClassification::Base, Utils::Reporting::ApplicationActivityBatchUtils, Timeout
Defined in:
lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

Overview

WorthWatchingInputAnalyzer performs the analysis of input-tracing v2 WORTHWATCHING results in a separate thread and should only be run at the end of the request. It currently covers only the cmd_injection and sqli_injection rules.

Constant Summary

QUEUE_SIZE = 1000.cs__freeze
AGENTLIB_TIMEOUT = 5.cs__freeze
INPUT_BYTESIZE_THRESHOLD = 100_000.cs__freeze
  max size of inputs to evaluate
REPORT_INTERVAL_SECOND = 30.cs__freeze

Constants included from Utils::Reporting::ApplicationActivityBatchUtils

Utils::Reporting::ApplicationActivityBatchUtils::DEFAULT_REPORTING_INTERVAL_MS

Constants included from Rule::InputClassification::Base

Rule::InputClassification::Base::BASE64_INPUT_TYPES, Rule::InputClassification::Base::KEYS_NEEDED, Rule::InputClassification::Base::UNKNOWN_KEY

Constants included from Reporting::InputType

Reporting::InputType::BODY, Reporting::InputType::COOKIE_NAME, Reporting::InputType::COOKIE_VALUE, Reporting::InputType::DWR_VALUE, Reporting::InputType::HEADER, Reporting::InputType::JSON_ARRAYED_VALUE, Reporting::InputType::JSON_VALUE, Reporting::InputType::METHOD, Reporting::InputType::MULTIPART_CONTENT_TYPE, Reporting::InputType::MULTIPART_FIELD_NAME, Reporting::InputType::MULTIPART_NAME, Reporting::InputType::MULTIPART_VALUE, Reporting::InputType::PARAMETER_NAME, Reporting::InputType::PARAMETER_VALUE, Reporting::InputType::QUERYSTRING, Reporting::InputType::REQUEST, Reporting::InputType::SOCKET, Reporting::InputType::UNDEFINED_TYPE, Reporting::InputType::UNKNOWN, Reporting::InputType::URI, Reporting::InputType::URL_PARAMETER, Reporting::InputType::XML_VALUE

Constants included from Rule::InputClassification::Encoding

Rule::InputClassification::Encoding::KNOWN_DECODING_EXCEPTIONS

Constants included from Rule::InputClassification::Extendable

Rule::InputClassification::Extendable::THRESHOLD, Rule::InputClassification::Extendable::WORTHWATCHING_THRESHOLD

Constants included from Reporting::ScoreLevel

Reporting::ScoreLevel::DEFINITEATTACK, Reporting::ScoreLevel::IGNORE, Reporting::ScoreLevel::WORTHWATCHING

Instance Method Summary

Methods included from Utils::Reporting::ApplicationActivityBatchUtils

#activity_batch, #add_activity_to_batch, #batch_age, #report_batch

Methods included from Rule::InputClassification::Base

#add_needed_key, #classify, convert_input_type, find_key

Methods included from Reporting::InputType

to_a

Methods included from Components::Logger::InstanceMethods

#cef_logger, #logger

Methods included from Rule::InputClassification::Encoding

#cs__base64?, #cs__decode64

Methods included from Rule::InputClassification::Extendable

#build_ia_result, #build_input_eval, #new_ia_result

Methods included from Reporting::ScoreLevel

to_a

Methods inherited from WorkerThread

#attempt_to_start?, #clean_properties, #initialize, #running?, #stop!

Constructor Details

This class inherits a constructor from Contrast::Agent::WorkerThread

Instance Method Details

#add_to_queue(context) ⇒ Object

Parameters:

  • context: the request context whose agent_input_analysis (the request and the extracted user inputs) is stored and evaluated later on the worker thread

# File 'lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb', line 78

def add_to_queue context
  return unless context

  if queue.size >= QUEUE_SIZE
    logger.debug('[WorthWatchingAnalyzer] queue at max size, skip input_result')
    return
  end
  # There will be no results here because of the delay of the protect rule analysis,
  # we need to save the ia which contains the request and saved extracted user inputs to
  # be evaluated on the thread rather than building results here. This way we allow the
  # request to continue and will build the attack results later.
  queue << context.dup
end

#extract_from_context ⇒ Array<stored_context, stored_ia, results, activity>

Builds attack_results for all infilter-active protect rules. The stored context updates the logger context and is used to build the attack results for the protect rules. Note: call only from the thread loop, as it pops from the queue.

Returns:

  • (Array<stored_context, stored_ia, results, activity>)

# File 'lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb', line 69

def extract_from_context
  stored_context = queue.pop
  stored_ia = stored_context.agent_input_analysis
  results = build_results(stored_ia)
  activity = Contrast::Agent::Reporting::ApplicationActivity.new(ia_request: stored_ia.request)
  [stored_context, stored_ia, results, activity]
end

#start_thread! ⇒ Object

Thread that processes all InputAnalysisResults with a score level of WORTHWATCHING and sends the results to TeamServer.

# File 'lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb', line 32

def start_thread!
  return unless attempt_to_start?
  return if running?

  @_thread = Contrast::Agent::Thread.new do
    logger.info('[WorthWatchingAnalyzer] Starting thread.')
    loop do
      break unless attempt_to_start?

      sleep(REPORT_INTERVAL_SECOND)
      next if queue.empty?

      report = false
      stored_context, stored_ia, results, activity = extract_from_context

      results.each do |result|
        next unless (attack_result = eval_input(stored_context, result, stored_ia))

        activity.attach_defend(attack_result)
        report = true
      end

      report_activity(activity) if report
      # Handle reporting of IA Cache statistics:
      enqueue_cache_event(stored_ia.request)
      enqueue_encoding_event(stored_ia.request)
    rescue StandardError => e
      logger.error('[WorthWatchingAnalyzer] thread could not process result because of:', e)
    end
  end
end
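The hand-off documented above (a bounded queue that the request thread only snapshots into, and a worker loop that evaluates WORTHWATCHING inputs and reports a request only when an input is confirmed), as an added Ruby example constructed here, not Contrast's own code. The `DeferredInputAnalyzer` class, the caller-supplied `evaluator` lambda standing in for the agentlib call behind `eval_input`, the `:stop` sentinel, the context hash shape and the use of INPUT_BYTESIZE_THRESHOLD as a filter are assumptions.

```ruby
class DeferredInputAnalyzer
  QUEUE_SIZE = 1000                   # page's bound on pending contexts
  INPUT_BYTESIZE_THRESHOLD = 100_000  # page's max size of inputs to evaluate
  WORTHWATCHING = :worthwatching      # stands in for Reporting::ScoreLevel::WORTHWATCHING
  attr_reader :dropped, :reports, :errors

  # evaluator: caller-supplied lambda standing in for the agentlib call behind eval_input
  def initialize(evaluator:, queue_size: QUEUE_SIZE)
    @queue, @queue_size, @evaluator = Queue.new, queue_size, evaluator
    @dropped, @reports, @errors = 0, [], []
  end

  # Request-thread side: snapshot only, no analysis; a full queue drops (and counts)
  # the context so protect analysis never stalls the request.
  def add_to_queue(context)
    return false unless context
    if @queue.size >= @queue_size
      @dropped += 1
      return false
    end
    @queue << context.dup
    true
  end
  # Worker-thread side: only WORTHWATCHING inputs under the size threshold reach the
  # evaluator (assumed use of INPUT_BYTESIZE_THRESHOLD); empty results are not reported.
  def evaluate(stored)
    stored[:inputs].select do |input|
      input[:score_level] == WORTHWATCHING &&
        input[:value].bytesize <= INPUT_BYTESIZE_THRESHOLD &&
        @evaluator.call(input[:value])
    end
  end
  def start_thread!
    return @thread if @thread&.alive?
    @thread = Thread.new do
      loop do
        stored = @queue.pop            # blocks until a context or the :stop sentinel arrives
        break if stored == :stop
        attacks = evaluate(stored)
        @reports << { request_id: stored[:request_id], attacks: attacks } unless attacks.empty?
      rescue StandardError => e
        @errors << e.message           # as in the agent: record the failure, keep the worker alive
      end
    end
  end
  def stop!
    @queue << :stop                    # hypothetical sentinel; the agent loop checks attempt_to_start?
    @thread&.join
  end
end
```

Contexts dropped at QUEUE_SIZE are never analysed, so `dropped` is the counter worth monitoring in a deployment whose request rate keeps the queue near its bound.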