RubyGems - contrast-agent - Versions diffs - 3.8.4 - Mend

contrast-agent 3.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (500) hide show

checksums.yaml +7 -0
data/.clang-format +5 -0
data/.dockerignore +10 -0
data/.gitignore +58 -0
data/.gitmodules +6 -0
data/.rspec +6 -0
data/.simplecov +4 -0
data/Gemfile +7 -0
data/LICENSE.txt +12 -0
data/Rakefile +15 -0
data/exe/contrast_service +29 -0
data/ext/build_funchook.rb +48 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.c +47 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.h +10 -0
data/ext/cs__assess_active_record_named/extconf.rb +2 -0
data/ext/cs__assess_array/cs__assess_array.c +38 -0
data/ext/cs__assess_array/cs__assess_array.h +9 -0
data/ext/cs__assess_array/extconf.rb +2 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +50 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +17 -0
data/ext/cs__assess_basic_object/extconf.rb +2 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +86 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +34 -0
data/ext/cs__assess_fiber_track/extconf.rb +2 -0
data/ext/cs__assess_hash/cs__assess_hash.c +64 -0
data/ext/cs__assess_hash/cs__assess_hash.h +24 -0
data/ext/cs__assess_hash/extconf.rb +2 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +36 -0
data/ext/cs__assess_kernel/cs__assess_kernel.h +10 -0
data/ext/cs__assess_kernel/extconf.rb +2 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +47 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +18 -0
data/ext/cs__assess_marshal_module/extconf.rb +2 -0
data/ext/cs__assess_module/cs__assess_module.c +78 -0
data/ext/cs__assess_module/cs__assess_module.h +25 -0
data/ext/cs__assess_module/extconf.rb +2 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +48 -0
data/ext/cs__assess_regexp/cs__assess_regexp.h +22 -0
data/ext/cs__assess_regexp/extconf.rb +2 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +63 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +29 -0
data/ext/cs__assess_regexp_track/extconf.rb +2 -0
data/ext/cs__assess_string/cs__assess_string.c +38 -0
data/ext/cs__assess_string/cs__assess_string.h +19 -0
data/ext/cs__assess_string/extconf.rb +2 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +31 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +13 -0
data/ext/cs__assess_string_interpolation26/extconf.rb +2 -0
data/ext/cs__common/cs__common.c +60 -0
data/ext/cs__common/cs__common.h +28 -0
data/ext/cs__common/extconf.rb +20 -0
data/ext/cs__contrast_patch/cs__contrast_patch.c +445 -0
data/ext/cs__contrast_patch/cs__contrast_patch.h +196 -0
data/ext/cs__contrast_patch/extconf.rb +2 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +37 -0
data/ext/cs__protect_kernel/cs__protect_kernel.h +11 -0
data/ext/cs__protect_kernel/extconf.rb +2 -0
data/ext/cs__scope/cs__scope.c +96 -0
data/ext/cs__scope/cs__scope.h +33 -0
data/ext/cs__scope/extconf.rb +2 -0
data/ext/extconf_common.rb +49 -0
data/funchook/LICENSE +360 -0
data/funchook/Makefile +29 -0
data/funchook/Makefile.in +29 -0
data/funchook/README.md +121 -0
data/funchook/appveyor.yml +42 -0
data/funchook/autogen.sh +3 -0
data/funchook/autom4te.cache/output.0 +4976 -0
data/funchook/autom4te.cache/requests +78 -0
data/funchook/autom4te.cache/traces.0 +364 -0
data/funchook/config.guess +1530 -0
data/funchook/config.log +490 -0
data/funchook/config.status +1016 -0
data/funchook/config.sub +1773 -0
data/funchook/configure +4976 -0
data/funchook/configure.ac +59 -0
data/funchook/distorm/COPYING +26 -0
data/funchook/distorm/MANIFEST +25 -0
data/funchook/distorm/MANIFEST.in +4 -0
data/funchook/distorm/README.md +12 -0
data/funchook/distorm/disOps/disOps.py +795 -0
data/funchook/distorm/disOps/x86db.py +404 -0
data/funchook/distorm/disOps/x86header.py +247 -0
data/funchook/distorm/disOps/x86sets.py +1664 -0
data/funchook/distorm/examples/cs/TestdiStorm/Program.cs +79 -0
data/funchook/distorm/examples/cs/TestdiStorm/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/TestdiStorm/TestdiStorm.csproj +69 -0
data/funchook/distorm/examples/cs/distorm-net.sln +26 -0
data/funchook/distorm/examples/cs/distorm-net/CodeInfo.cs +23 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedInst.cs +15 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedInst.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.cs +1268 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.tt +37 -0
data/funchook/distorm/examples/cs/distorm-net/Operand.cs +25 -0
data/funchook/distorm/examples/cs/distorm-net/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/diStorm3.cs +411 -0
data/funchook/distorm/examples/cs/distorm-net/distorm-net.csproj +80 -0
data/funchook/distorm/examples/cs/readme +3 -0
data/funchook/distorm/examples/ddk/README +48 -0
data/funchook/distorm/examples/ddk/distorm.ini +11 -0
data/funchook/distorm/examples/ddk/dummy.c +15 -0
data/funchook/distorm/examples/ddk/main.c +91 -0
data/funchook/distorm/examples/ddk/makefile +1 -0
data/funchook/distorm/examples/ddk/sources +10 -0
data/funchook/distorm/examples/java/Makefile +23 -0
data/funchook/distorm/examples/java/distorm/src/Main.java +43 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/CodeInfo.java +27 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedInst.java +32 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedInst.java +89 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/OpcodeEnum.java +131 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Opcodes.java +1123 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Operand.java +24 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/distorm3.java +41 -0
data/funchook/distorm/examples/java/jdistorm.c +405 -0
data/funchook/distorm/examples/java/jdistorm.h +40 -0
data/funchook/distorm/examples/java/jdistorm.sln +20 -0
data/funchook/distorm/examples/java/jdistorm.vcproj +208 -0
data/funchook/distorm/examples/linux/Makefile +15 -0
data/funchook/distorm/examples/linux/main.c +181 -0
data/funchook/distorm/examples/tests/Makefile +15 -0
data/funchook/distorm/examples/tests/main.cpp +42 -0
data/funchook/distorm/examples/tests/main.py +66 -0
data/funchook/distorm/examples/tests/test_distorm3.py +1672 -0
data/funchook/distorm/examples/tests/tests.sln +20 -0
data/funchook/distorm/examples/tests/tests.vcxproj +82 -0
data/funchook/distorm/examples/tests/tests.vcxproj.filters +22 -0
data/funchook/distorm/examples/win32/disasm.sln +25 -0
data/funchook/distorm/examples/win32/disasm.vcxproj +201 -0
data/funchook/distorm/examples/win32/disasm.vcxproj.filters +14 -0
data/funchook/distorm/examples/win32/main.cpp +163 -0
data/funchook/distorm/include/distorm.h +482 -0
data/funchook/distorm/include/mnemonics.h +301 -0
data/funchook/distorm/make/linux/Makefile +28 -0
data/funchook/distorm/make/mac/Makefile +24 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj +239 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj.filters +80 -0
data/funchook/distorm/make/win32/distorm.sln +25 -0
data/funchook/distorm/make/win32/resource.h +14 -0
data/funchook/distorm/make/win32/resource.rc +99 -0
data/funchook/distorm/python/distorm3/__init__.py +957 -0
data/funchook/distorm/python/distorm3/sample.py +51 -0
data/funchook/distorm/setup.cfg +10 -0
data/funchook/distorm/setup.py +266 -0
data/funchook/distorm/src/config.h +169 -0
data/funchook/distorm/src/decoder.c +641 -0
data/funchook/distorm/src/decoder.h +33 -0
data/funchook/distorm/src/distorm.c +413 -0
data/funchook/distorm/src/instructions.c +597 -0
data/funchook/distorm/src/instructions.h +463 -0
data/funchook/distorm/src/insts.c +7939 -0
data/funchook/distorm/src/insts.h +64 -0
data/funchook/distorm/src/mnemonics.c +284 -0
data/funchook/distorm/src/operands.c +1290 -0
data/funchook/distorm/src/operands.h +28 -0
data/funchook/distorm/src/prefix.c +368 -0
data/funchook/distorm/src/prefix.h +64 -0
data/funchook/distorm/src/textdefs.c +172 -0
data/funchook/distorm/src/textdefs.h +57 -0
data/funchook/distorm/src/wstring.c +47 -0
data/funchook/distorm/src/wstring.h +35 -0
data/funchook/distorm/src/x86defs.h +82 -0
data/funchook/include/funchook.h +123 -0
data/funchook/install-sh +527 -0
data/funchook/src/Makefile +70 -0
data/funchook/src/Makefile.in +70 -0
data/funchook/src/__strerror.h +109 -0
data/funchook/src/config.h +101 -0
data/funchook/src/config.h.in +100 -0
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.c +440 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_internal.h +155 -0
data/funchook/src/funchook_io.c +182 -0
data/funchook/src/funchook_io.h +64 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.S +134 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.c +480 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_windows.c +397 -0
data/funchook/src/funchook_x86.c +622 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.so +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.c +115 -0
data/funchook/src/os_func.h +75 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.c +94 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/os_func_windows.c +32 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.c +1688 -0
data/funchook/src/printf_base.h +46 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +43 -0
data/funchook/test/Makefile.in +43 -0
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.c +25 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/libfunchook_test2.c +18 -0
data/funchook/test/suffix.list +600 -0
data/funchook/test/test_main.c +430 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.S +10 -0
data/funchook/test/x86_64_test.o +0 -0
data/funchook/test/x86_test.S +339 -0
data/funchook/win32/config.h +1 -0
data/funchook/win32/funchook.sln +52 -0
data/funchook/win32/funchook.vcxproj +188 -0
data/funchook/win32/funchook.vcxproj.filters +84 -0
data/funchook/win32/funchook_test.vcxproj +170 -0
data/funchook/win32/funchook_test.vcxproj.filters +22 -0
data/funchook/win32/funchook_test_dll.vcxproj +184 -0
data/funchook/win32/funchook_test_dll.vcxproj.filters +30 -0
data/funchook/win32/funchook_test_exe.def +3 -0
data/lib/contrast-agent.rb +8 -0
data/lib/contrast.rb +57 -0
data/lib/contrast/agent.rb +80 -0
data/lib/contrast/agent/assess.rb +45 -0
data/lib/contrast/agent/assess/adjusted_span.rb +25 -0
data/lib/contrast/agent/assess/class_reverter.rb +82 -0
data/lib/contrast/agent/assess/contrast_event.rb +398 -0
data/lib/contrast/agent/assess/frozen_properties.rb +41 -0
data/lib/contrast/agent/assess/insulator.rb +53 -0
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +78 -0
data/lib/contrast/agent/assess/policy/patcher.rb +85 -0
data/lib/contrast/agent/assess/policy/policy.rb +116 -0
data/lib/contrast/agent/assess/policy/policy_node.rb +289 -0
data/lib/contrast/agent/assess/policy/policy_scanner.rb +44 -0
data/lib/contrast/agent/assess/policy/preshift.rb +94 -0
data/lib/contrast/agent/assess/policy/propagation_method.rb +260 -0
data/lib/contrast/agent/assess/policy/propagation_node.rb +127 -0
data/lib/contrast/agent/assess/policy/propagator.rb +35 -0
data/lib/contrast/agent/assess/policy/propagator/append.rb +54 -0
data/lib/contrast/agent/assess/policy/propagator/base.rb +37 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +36 -0
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +62 -0
data/lib/contrast/agent/assess/policy/propagator/insert.rb +55 -0
data/lib/contrast/agent/assess/policy/propagator/keep.rb +26 -0
data/lib/contrast/agent/assess/policy/propagator/next.rb +42 -0
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +50 -0
data/lib/contrast/agent/assess/policy/propagator/remove.rb +76 -0
data/lib/contrast/agent/assess/policy/propagator/replace.rb +27 -0
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +38 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +86 -0
data/lib/contrast/agent/assess/policy/propagator/splat.rb +60 -0
data/lib/contrast/agent/assess/policy/propagator/split.rb +49 -0
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +169 -0
data/lib/contrast/agent/assess/policy/propagator/trim.rb +81 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +79 -0
data/lib/contrast/agent/assess/policy/source_method.rb +209 -0
data/lib/contrast/agent/assess/policy/source_node.rb +62 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +209 -0
data/lib/contrast/agent/assess/policy/trigger_node.rb +198 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +77 -0
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +31 -0
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +40 -0
data/lib/contrast/agent/assess/properties.rb +392 -0
data/lib/contrast/agent/assess/rule.rb +18 -0
data/lib/contrast/agent/assess/rule/base.rb +72 -0
data/lib/contrast/agent/assess/rule/csrf.rb +66 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +28 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +69 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +132 -0
data/lib/contrast/agent/assess/rule/provider.rb +21 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +62 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +73 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +121 -0
data/lib/contrast/agent/assess/rule/redos.rb +68 -0
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +47 -0
data/lib/contrast/agent/assess/rule/response_watcher.rb +36 -0
data/lib/contrast/agent/assess/rule/watcher.rb +36 -0
data/lib/contrast/agent/assess/tag.rb +151 -0
data/lib/contrast/agent/at_exit_hook.rb +33 -0
data/lib/contrast/agent/class_reopener.rb +195 -0
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +26 -0
data/lib/contrast/agent/deadzone/policy/policy.rb +57 -0
data/lib/contrast/agent/disable_reaction.rb +24 -0
data/lib/contrast/agent/exclusion_matcher.rb +190 -0
data/lib/contrast/agent/feature_state.rb +379 -0
data/lib/contrast/agent/inventory/policy/policy.rb +32 -0
data/lib/contrast/agent/inventory/policy/trigger_node.rb +22 -0
data/lib/contrast/agent/logger_manager.rb +116 -0
data/lib/contrast/agent/middleware.rb +352 -0
data/lib/contrast/agent/module_data.rb +16 -0
data/lib/contrast/agent/patching/policy/after_load_patch.rb +37 -0
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +58 -0
data/lib/contrast/agent/patching/policy/method_policy.rb +94 -0
data/lib/contrast/agent/patching/policy/module_policy.rb +116 -0
data/lib/contrast/agent/patching/policy/patch.rb +312 -0
data/lib/contrast/agent/patching/policy/patch_status.rb +192 -0
data/lib/contrast/agent/patching/policy/patcher.rb +310 -0
data/lib/contrast/agent/patching/policy/policy.rb +138 -0
data/lib/contrast/agent/patching/policy/policy_node.rb +80 -0
data/lib/contrast/agent/patching/policy/policy_unpatcher.rb +28 -0
data/lib/contrast/agent/patching/policy/trigger_node.rb +81 -0
data/lib/contrast/agent/protect/policy/policy.rb +37 -0
data/lib/contrast/agent/protect/policy/trigger_node.rb +23 -0
data/lib/contrast/agent/protect/rule.rb +58 -0
data/lib/contrast/agent/protect/rule/base.rb +300 -0
data/lib/contrast/agent/protect/rule/base_service.rb +88 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +156 -0
data/lib/contrast/agent/protect/rule/csrf.rb +118 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +103 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +85 -0
data/lib/contrast/agent/protect/rule/default_scanner.rb +300 -0
data/lib/contrast/agent/protect/rule/deserialization.rb +193 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +80 -0
data/lib/contrast/agent/protect/rule/no_sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +40 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +143 -0
data/lib/contrast/agent/protect/rule/sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +16 -0
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +38 -0
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +22 -0
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +19 -0
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
data/lib/contrast/agent/protect/rule/xss.rb +24 -0
data/lib/contrast/agent/protect/rule/xxe.rb +120 -0
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +82 -0
data/lib/contrast/agent/railtie.rb +30 -0
data/lib/contrast/agent/reaction_processor.rb +47 -0
data/lib/contrast/agent/request.rb +493 -0
data/lib/contrast/agent/request_context.rb +225 -0
data/lib/contrast/agent/require_state.rb +61 -0
data/lib/contrast/agent/response.rb +215 -0
data/lib/contrast/agent/rewriter.rb +244 -0
data/lib/contrast/agent/scope.rb +28 -0
data/lib/contrast/agent/service_heartbeat.rb +37 -0
data/lib/contrast/agent/settings_state.rb +148 -0
data/lib/contrast/agent/socket_client.rb +125 -0
data/lib/contrast/agent/thread.rb +26 -0
data/lib/contrast/agent/tracepoint_hook.rb +51 -0
data/lib/contrast/agent/version.rb +8 -0
data/lib/contrast/api.rb +17 -0
data/lib/contrast/api/.gitkeep +0 -0
data/lib/contrast/api/connection_status.rb +49 -0
data/lib/contrast/api/socket.rb +43 -0
data/lib/contrast/api/speedracer.rb +206 -0
data/lib/contrast/api/tcp_socket.rb +31 -0
data/lib/contrast/api/unix_socket.rb +25 -0
data/lib/contrast/common_agent_configuration.rb +86 -0
data/lib/contrast/components/agent.rb +85 -0
data/lib/contrast/components/app_context.rb +188 -0
data/lib/contrast/components/assess.rb +67 -0
data/lib/contrast/components/config.rb +135 -0
data/lib/contrast/components/contrast_service.rb +113 -0
data/lib/contrast/components/heap_dump.rb +34 -0
data/lib/contrast/components/interface.rb +178 -0
data/lib/contrast/components/inventory.rb +23 -0
data/lib/contrast/components/logger.rb +92 -0
data/lib/contrast/components/protect.rb +38 -0
data/lib/contrast/components/sampling.rb +41 -0
data/lib/contrast/components/scope.rb +106 -0
data/lib/contrast/components/settings.rb +140 -0
data/lib/contrast/config.rb +33 -0
data/lib/contrast/config/agent_configuration.rb +24 -0
data/lib/contrast/config/application_configuration.rb +27 -0
data/lib/contrast/config/assess_configuration.rb +22 -0
data/lib/contrast/config/assess_rules_configuration.rb +18 -0
data/lib/contrast/config/base_configuration.rb +105 -0
data/lib/contrast/config/default_value.rb +16 -0
data/lib/contrast/config/exception_configuration.rb +21 -0
data/lib/contrast/config/heap_dump_configuration.rb +23 -0
data/lib/contrast/config/inventory_configuration.rb +20 -0
data/lib/contrast/config/logger_configuration.rb +20 -0
data/lib/contrast/config/protect_configuration.rb +20 -0
data/lib/contrast/config/protect_rule_configuration.rb +37 -0
data/lib/contrast/config/protect_rules_configuration.rb +30 -0
data/lib/contrast/config/root_configuration.rb +26 -0
data/lib/contrast/config/ruby_configuration.rb +39 -0
data/lib/contrast/config/sampling_configuration.rb +22 -0
data/lib/contrast/config/server_configuration.rb +23 -0
data/lib/contrast/config/service_configuration.rb +22 -0
data/lib/contrast/configuration.rb +214 -0
data/lib/contrast/core_extensions/assess.rb +51 -0
data/lib/contrast/core_extensions/assess/array.rb +58 -0
data/lib/contrast/core_extensions/assess/assess_extension.rb +145 -0
data/lib/contrast/core_extensions/assess/basic_object.rb +15 -0
data/lib/contrast/core_extensions/assess/erb.rb +42 -0
data/lib/contrast/core_extensions/assess/exec_trigger.rb +48 -0
data/lib/contrast/core_extensions/assess/fiber.rb +125 -0
data/lib/contrast/core_extensions/assess/hash.rb +22 -0
data/lib/contrast/core_extensions/assess/kernel.rb +95 -0
data/lib/contrast/core_extensions/assess/module.rb +14 -0
data/lib/contrast/core_extensions/assess/regexp.rb +206 -0
data/lib/contrast/core_extensions/assess/string.rb +75 -0
data/lib/contrast/core_extensions/assess/tilt_template_trigger.rb +73 -0
data/lib/contrast/core_extensions/delegator.rb +14 -0
data/lib/contrast/core_extensions/eval_trigger.rb +52 -0
data/lib/contrast/core_extensions/inventory.rb +22 -0
data/lib/contrast/core_extensions/inventory/datastores.rb +37 -0
data/lib/contrast/core_extensions/module.rb +42 -0
data/lib/contrast/core_extensions/object.rb +27 -0
data/lib/contrast/core_extensions/protect.rb +20 -0
data/lib/contrast/core_extensions/protect/applies_command_injection_rule.rb +70 -0
data/lib/contrast/core_extensions/protect/applies_deserialization_rule.rb +58 -0
data/lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb +81 -0
data/lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb +119 -0
data/lib/contrast/core_extensions/protect/applies_sqli_rule.rb +63 -0
data/lib/contrast/core_extensions/protect/applies_xxe_rule.rb +141 -0
data/lib/contrast/core_extensions/protect/kernel.rb +30 -0
data/lib/contrast/core_extensions/protect/psych.rb +7 -0
data/lib/contrast/core_extensions/thread.rb +31 -0
data/lib/contrast/internal_exception.rb +8 -0
data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb +48 -0
data/lib/contrast/rails_extensions/assess/active_record.rb +32 -0
data/lib/contrast/rails_extensions/assess/active_record_named.rb +61 -0
data/lib/contrast/rails_extensions/assess/configuration.rb +26 -0
data/lib/contrast/rails_extensions/buffer.rb +30 -0
data/lib/contrast/rails_extensions/rack.rb +45 -0
data/lib/contrast/security_exception.rb +14 -0
data/lib/contrast/sinatra_extensions/assess/cookie.rb +26 -0
data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb +59 -0
data/lib/contrast/tasks/service.rb +95 -0
data/lib/contrast/utils/assess/sampling_util.rb +96 -0
data/lib/contrast/utils/assess/tracking_util.rb +39 -0
data/lib/contrast/utils/boolean_util.rb +33 -0
data/lib/contrast/utils/cache.rb +69 -0
data/lib/contrast/utils/class_util.rb +58 -0
data/lib/contrast/utils/comment_range.rb +19 -0
data/lib/contrast/utils/data_store_util.rb +23 -0
data/lib/contrast/utils/duck_utils.rb +58 -0
data/lib/contrast/utils/env_configuration_item.rb +52 -0
data/lib/contrast/utils/environment_util.rb +152 -0
data/lib/contrast/utils/freeze_util.rb +36 -0
data/lib/contrast/utils/gemfile_reader.rb +191 -0
data/lib/contrast/utils/hash_digest.rb +148 -0
data/lib/contrast/utils/heap_dump_util.rb +113 -0
data/lib/contrast/utils/invalid_configuration_util.rb +88 -0
data/lib/contrast/utils/inventory_util.rb +126 -0
data/lib/contrast/utils/io_util.rb +61 -0
data/lib/contrast/utils/object_share.rb +117 -0
data/lib/contrast/utils/operating_environment.rb +38 -0
data/lib/contrast/utils/os.rb +49 -0
data/lib/contrast/utils/path_util.rb +151 -0
data/lib/contrast/utils/performs_logging.rb +152 -0
data/lib/contrast/utils/preflight_util.rb +13 -0
data/lib/contrast/utils/prevent_serialization.rb +52 -0
data/lib/contrast/utils/rack_assess_session_cookie.rb +104 -0
data/lib/contrast/utils/rails_assess_configuration.rb +95 -0
data/lib/contrast/utils/random_util.rb +22 -0
data/lib/contrast/utils/resource_loader.rb +23 -0
data/lib/contrast/utils/ruby_ast_rewriter.rb +74 -0
data/lib/contrast/utils/scope_util.rb +99 -0
data/lib/contrast/utils/service_response_util.rb +116 -0
data/lib/contrast/utils/service_sender_util.rb +98 -0
data/lib/contrast/utils/sha256_builder.rb +69 -0
data/lib/contrast/utils/sinatra_helper.rb +49 -0
data/lib/contrast/utils/stack_trace_utils.rb +209 -0
data/lib/contrast/utils/string_utils.rb +72 -0
data/lib/contrast/utils/tag_util.rb +139 -0
data/lib/contrast/utils/thread_tracker.rb +54 -0
data/lib/contrast/utils/timer.rb +78 -0
data/resources/assess/policy.json +1673 -0
data/resources/csrf/inject.js +44 -0
data/resources/deadzone/policy.json +55 -0
data/resources/factory-bot-spec/spec_helper.rb +30 -0
data/resources/inventory/policy.json +110 -0
data/resources/protect/policy.json +417 -0
data/resources/rubocops/kernel/catch_cop.rb +37 -0
data/resources/rubocops/kernel/require_cop.rb +37 -0
data/resources/rubocops/kernel/require_relative_cop.rb +33 -0
data/resources/rubocops/module/autoload_cop.rb +37 -0
data/resources/rubocops/module/const_defined_cop.rb +37 -0
data/resources/rubocops/module/const_get_cop.rb +37 -0
data/resources/rubocops/module/const_set_cop.rb +37 -0
data/resources/rubocops/module/constants_cop.rb +37 -0
data/resources/rubocops/module/name_cop.rb +37 -0
data/resources/rubocops/object/class_cop.rb +37 -0
data/resources/rubocops/object/freeze_cop.rb +37 -0
data/resources/rubocops/object/frozen_cop.rb +37 -0
data/resources/rubocops/object/is_a_cop.rb +37 -0
data/resources/rubocops/object/method_cop.rb +37 -0
data/resources/rubocops/object/respond_to_cop.rb +37 -0
data/resources/rubocops/object/singleton_class_cop.rb +37 -0
data/resources/rubocops/regexp/spelling_cop.rb +44 -0
data/resources/rubocops/thread/new_cop.rb +39 -0
data/resources/ruby-spec/ancestors_spec.rb +70 -0
data/resources/ruby-spec/modulo_spec.rb +831 -0
data/resources/ruby-spec/parameters_spec.rb +261 -0
data/resources/ruby-spec/ruby_spec_spec_helper.rb +35 -0
data/resources/test_marker.txt +1 -0
data/ruby-agent.gemspec +129 -0
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +1 -0
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +945 -0

data/lib/contrast/agent/protect/rule/base.rb ADDED

@@ -0,0 +1,300 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This is a basic rule for Protect. It's the abstract class which all other
+        # protect rules extend in order to function.
+        #
+        # @abstract Subclass and override {#prefilter}, {#infilter}, {#find_attacker}, {#postfilter} and {#build_details} to implement
+        class Base
+          include Contrast::Components::Interface
+          access_component :logging, :analysis, :settings
+          UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
+            user_input.input_type = :UNKNOWN
+          end.cs__freeze
+          BLOCKING_MODES = Set.new(%i[BLOCK BLOCK_AT_PERIMETER]).cs__freeze
+          PREFILTER_MODES = Set.new(%i[BLOCK_AT_PERIMETER]).cs__freeze
+          POSTFILTER_MODES = Set.new(%i[BLOCK PERMIT MONITOR]).cs__freeze
+          STACK_COLLECTION_RESULTS = Set.new(%i[BLOCKED MONITORED]).cs__freeze
+          attr_reader :mode
+          def initialize default_mode = :NO_ACTION
+            SETTINGS.protect_rules[name] = self
+            @mode = mode_from_settings || default_mode
+          end
+          # Should return the name as it is known to Teamserver; defaults to class
+          def name
+            cs__class.name
+          end
+          OFF = 'off'
+          def enabled?
+            # 1. it is not enabled because protect is not enabled
+            return false unless PROTECT.enabled?
+            rule_configs = Contrast::Agent::FeatureState.instance.protect_rule_config
+            unless rule_configs.nil?
+              # 2. it is not enabled because it is in the list of disabled protect rules
+              disabled_rules = rule_configs.disabled_rules
+              return false if disabled_rules&.include?(name)
+              # 3. it is not enabled because it has been turned "off" explicitly
+              rule_config = rule_configs.send(name)
+              return rule_config.mode != OFF unless rule_config.mode.nil?
+            end
+            # 4. it is not enabled because it's mode is :NO_ACTION
+            @mode != :NO_ACTION
+          end
+          # this rule is excluded if any of the given exclusions have a protection rule that matches this rule name
+          def excluded? exclusions
+            Array(exclusions).any? do |ex|
+              ex.protection_rule?(name)
+            end
+          end
+          def infilter? _context
+            false
+          end
+          # return false for rules that modify or inspect the response body
+          # during postfilter
+          #
+          # @return [Boolean] if the rule can safely be evaluated in streaming
+          #   requests
+          def stream_safe?
+            true
+          end
+          # Actions required for the rules that have to happen before the
+          # application has completed its processing of the request.
+          #
+          # For most rules, these actions are performed within the analysis
+          # engine and communicated as an input analysis result. Those that
+          # require specific action need to provide that action.
+          #
+          # @param _context [Contrast::Agent::RequestContext] the context for
+          #   the current request
+          def prefilter _context; end
+          # This should only ever be called directly from patched code and will
+          # have a different implementation based on the rule. As such, there
+          # is not parent implementation.
+          #
+          # @param _context [Contrast::Agent::RequestContext] the context for
+          #   the current request
+          # @param _match_string [String] the input that violated the rule and
+          #   matched the attack detection logic
+          # @param _kwargs [Hash] key-value pairs used by the rule to build a
+          #   report.
+          def infilter _context, _match_string, **_kwargs; end
+          # Actions required for the rules that have to happen after the
+          # application has completed its processing of the request.
+          #
+          # Any implementation here needs to account for the fact that
+          # responses may be streaming and, as such, transformations of the
+          # response itself may not be permissible.
+          #
+          # @param _context [Contrast::Agent::RequestContext] the context for
+          #    the current request
+          def postfilter _context; end
+          def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, ia_result, result, candidate_string)
+            append_sample(context, ia_result, result, candidate_string, **kwargs)
+            result
+          end
+          def build_attack_without_match context, ia_result, result, **kwargs
+            result ||= build_attack_result(context)
+            update_perimeter_attack_response(context, ia_result, result)
+            append_sample(context, ia_result, result, nil, **kwargs)
+            result
+          end
+          def append_to_activity context, result
+            context.activity.results << result if result
+          end
+          protected
+          def build_details _input_string, _ia_result
+            raise Contrast::InternalException, "Rule #{ name } did not implement build_details"
+          end
+          def mode_from_settings
+            SETTINGS.protect_rule_mode(name).tap do |mode|
+              logger.debug("rule #{ name } mode = #{ mode }")
+            end
+          end
+          def blocked?
+            enabled? && BLOCKING_MODES.include?(mode)
+          end
+          # Determine if there's an exclusion that matches an item in the call
+          # stack
+          #
+          # @return [Boolean] if an exclusion was applicable to this request
+          #   for this rule
+          def protect_excluded_by_code?
+            exclusions = Contrast::Agent::FeatureState.instance.code_exclusions
+            return false unless exclusions
+            for_rule = exclusions.select { |ex| ex.protection_rule?(name) }
+            return false if for_rule.empty?
+            stack = caller_locations
+            for_rule.any? { |ex| ex.match_code?(stack) }
+          end
+          # By default, rules do not have to find attackers as they do not have
+          # Input Analysis. Any attack for the standard rule will be evaluated
+          # at execution time. As such, those rules are expected to implement
+          # this custom behavior
+          #
+          # @param _context [Contrast::Agent::RequestContext] the context for
+          #   the current request
+          # @param _potential_attack_string [String] the input that may violate
+          #   the rule and matched the attack detection logic
+          # @param _kwargs [Hash] key-value pairs used by the rule to build a
+          #   report.
+          def find_attacker _context, _potential_attack_string, **_kwargs
+            raise Contrast::InternalException, "Rule #{ name } did not implement find_attack"
+          end
+          def update_successful_attack_response context, ia_result, result, attack_string = nil
+            if mode == :MONITOR
+              result.response = :MONITORED
+            elsif mode == :BLOCK
+              result.response = :BLOCKED
+            end
+            ia_result.attack_count = ia_result.attack_count + 1 if ia_result
+            log_rule_matched(context, ia_result, result.response, attack_string)
+            result
+          end
+          def update_perimeter_attack_response context, ia_result, result
+            if mode == :BLOCK_AT_PERIMETER
+              result.response = :BLOCKED_AT_PERIMETER
+              log_rule_matched(context, ia_result, result.response)
+            elsif ia_result.nil? || ia_result.attack_count.zero?
+              result.response = :PROBED
+              log_rule_probed(context, ia_result)
+            end
+            result
+          end
+          def build_attack_result _context
+            result = Contrast::Api::Dtm::AttackResult.new
+            result.rule_id = name
+            result
+          end
+          def append_stack sample, result
+            return unless sample
+            return unless STACK_COLLECTION_RESULTS.include?(result&.response)
+            stack = Contrast::Utils::StackTraceUtils.build(ignore: true, class_lookup: true, depth: 50)
+            return unless stack
+            sample.stack_trace_elements += stack
+          end
+          def append_sample context, ia_result, result, candidate_string, **kwargs
+            return nil unless result
+            sample = build_sample(context, ia_result, candidate_string, **kwargs)
+            return nil unless sample
+            append_stack(sample, result)
+            result.samples << sample
+          end
+          # Override if rule can make use of the candidate string or kwargs to
+          # build rasp rule sample.
+          def build_sample context, ia_result, _candidate_string, **_kwargs
+            build_base_sample(context, ia_result)
+          end
+          def build_user_input ia_result
+            return UNKNOWN_USER_INPUT unless ia_result
+            input = Contrast::Api::Dtm::UserInput.new
+            input.input_type = ia_result.input_type.to_sym
+            input.matcher_ids = ia_result.ids
+            input.path = ia_result.path.to_s
+            input.key = ia_result.key.to_s
+            input.value = ia_result.value.to_s
+            input
+          end
+          def build_base_sample context, ia_result
+            sample = Contrast::Api::Dtm::RaspRuleSample.new
+            sample.timestamp_ms = context.timer.start_ms
+            sample.user_input = build_user_input(ia_result)
+            sample.user_input.document_type = context.request.dtm.document_type unless sample.user_input.cs__frozen?
+            sample
+          end
+          def log_rule_matched _context, ia_result, response, _matched_string = nil
+            return unless ia_result
+            # Log to agent logger
+            message = if ia_result
+                        log_msg(ia_result, true)
+                      else
+                        "An effective attack was detected against #{ name }."
+                      end
+            logger.debug([response, message].join)
+          end
+          private
+          def log_rule_probed _context, ia_result
+            message = if ia_result
+                        log_msg(ia_result, false)
+                      else
+                        "An unsuccessful attack was detected against #{ name }"
+                      end
+            logger.debug(message)
+          end
+          def log_msg ia_result, matched
+            key = ia_result.key ? ia_result.key.to_s + ' ' : ''
+            val = ia_result.value.to_s
+            typ = ia_result.input_type.to_s
+            if matched
+              "The #{ typ } #{ key } had a value that successfully exploited #{ name } - #{ val }."
+            else
+              "The #{ typ } #{ key } had a value that matched a signature for, but did not successfully exploit, #{ name } - #{ val }."
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/base_service.rb ADDED

@@ -0,0 +1,88 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # Encapsulate common code for protect rules that do their
+        # input analysis on Speedracer rather in ruby code
+        class BaseService < Contrast::Agent::Protect::Rule::Base
+          def name
+            'base-service'
+          end
+          def block_message
+            'Contrast Security Protect Rule Triggered. Response blocked.'
+          end
+          def infilter? context
+            return false unless context&.speedracer_input_analysis&.results
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+            true
+          end
+          # Override for rules that need the response
+          # Currently postfilter can be applied to streamed responses,
+          # if any logic within postfilter changes to modify the response
+          # streamed responses will break
+          def postfilter context
+            return unless enabled? && POSTFILTER_MODES.include?(mode)
+            return if mode == :NO_ACTION || mode == :PERMIT
+            result = find_postfilter_attacker(context, nil)
+            return unless result&.samples&.any?
+            append_to_activity(context, result)
+            return unless result.response == :BLOCKED
+            raise Contrast::SecurityException.new(self, "#{ name } triggered in postfilter. Response blocked.")
+          end
+          protected
+          def gather_ia_results context
+            context.speedracer_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == name
+            end
+          end
+          def find_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
+          end
+          # Allows for the InputAnalysis from service to be extracted early
+          def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
+            logger.debug("checking: #{ name } vectors=#{ ia_results.length } in '#{ potential_attack_string }'")
+            result = nil
+            ia_results.each do |ia_result|
+              if potential_attack_string
+                idx = potential_attack_string.index(ia_result.value)
+                next unless idx
+                result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
+              else
+                result = build_attack_without_match(context, ia_result, result, **kwargs)
+              end
+            end
+            result
+          end
+          private
+          def find_postfilter_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            ia_results.select! do |ia_result|
+              ia_result.score_level == :DEFINITEATTACK
+            end
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmd_injection.rb ADDED

@@ -0,0 +1,156 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/utils/stack_trace_utils'
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Command Injection rule.
+        class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Components::Interface
+          access_component :logging, :contrast_service
+          NAME = 'cmd-injection'
+          CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
+          def name
+            NAME
+          end
+          def infilter context, classname, method, command
+            return nil unless infilter?(context)
+            ia_results = gather_ia_results(context)
+            return nil if ia_results.empty?
+            if Contrast::Agent::FeatureState.instance.in_new_process?
+              logger.debug('Running cmd-injection infilter within new process - creating new context')
+              context = Contrast::Agent::RequestContext.new(context.request.rack_request)
+              Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
+            end
+            result = find_attacker_with_results(context, command, ia_results, **{ classname: classname, method: method })
+            result ||= report_command_execution(context, command, **{ classname: classname, method: method })
+            return nil unless result
+            append_to_activity(context, result)
+            if %I[exec `].include?(method)
+              # TODO: RUBY-737
+              # Kernel#exec replaces the current process and does not go through at_exit hooks
+              # Kernel#` runs as a subshell - messages appended here do not seem to be present in the original process?
+              CONTRAST_SERVICE.send_message(context.activity)
+            end
+            return unless blocked?
+            raise Contrast::SecurityException.new(
+                self,
+                "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
+          end
+          def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
+            return result if mode == :NO_ACTION || mode == :PERMIT
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, input_analysis_result, result, candidate_string)
+            append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
+            result
+          end
+          protected
+          # Because results are not necessarily on the context across
+          # processes; extract early and pass into the method
+          def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
+            logger.debug("checking: #{ name } in '#{ potential_attack_string }'")
+            result = super(context, potential_attack_string, ia_results, **kwargs)
+            if result.nil? && potential_attack_string
+              result = find_probable_attacker(
+                  context,
+                  potential_attack_string,
+                  ia_results,
+                  **kwargs)
+            end
+            result
+          end
+          # Build a subclass of the RaspRuleSample using the query string and the
+          # evaluation
+          def build_sample context, input_analysis_result, candidate_string, **_kwargs
+            sample = build_base_sample(context, input_analysis_result)
+            sample.cmdi = Contrast::Api::Dtm::CmdInjectionDetails.new
+            command = candidate_string || input_analysis_result.value
+            command = Contrast::Utils::StringUtils.protobuf_safe_string(command)
+            sample.cmdi.command = command
+            # This is a special case where the user input is UNKNOWN_USER_INPUT but
+            # we want to send the attack value
+            if input_analysis_result.nil?
+              ui = Contrast::Api::Dtm::UserInput.new
+              ui.input_type = :UNKNOWN
+              ui.value = command
+              sample.user_input = ui
+            end
+            sample
+          end
+          private
+          def report_command_execution context, command, **kwargs
+            return unless report_any_command_execution?
+            return nil if protect_excluded_by_code?
+            build_attack_with_match(context, nil, nil, command, **kwargs)
+          end
+          def find_probable_attacker context, potential_attack_string, ia_results, **kwargs
+            result = nil
+            if chained_command?(potential_attack_string) # this is probably an attack
+              most_likely = nil
+              ia_results.each do |input_analysis_result|
+                next unless chained_command?(input_analysis_result.value)
+                most_likely = input_analysis_result
+                break
+              end
+            end
+            return result unless most_likely
+            result ||= build_attack_with_match(
+                context,
+                most_likely,
+                result,
+                potential_attack_string,
+                **kwargs)
+            return nil if result.nil?
+            log_rule_matched(context, most_likely, mode, potential_attack_string)
+            result
+          end
+          def chained_command? command
+            return true if CHAINED_COMMAND_CHARS.match(command)
+            false
+          end
+          # Part of the Hardening for Command Injection detection is the
+          # ability to detect and prevent any command execution from within the
+          # application. This check determines if that hardening has been
+          # enabled.
+          # @return [Boolean] if the agent should report all command
+          #   executions.
+          def report_any_command_execution?
+            Contrast::Agent::FeatureState.instance.report_any_command_execution?
+          end
+        end
+      end
+    end
+  end
+end