RubyGems - contrast-agent - Versions diffs - 3.8.4 - Mend

contrast-agent 3.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (500) hide show

checksums.yaml +7 -0
data/.clang-format +5 -0
data/.dockerignore +10 -0
data/.gitignore +58 -0
data/.gitmodules +6 -0
data/.rspec +6 -0
data/.simplecov +4 -0
data/Gemfile +7 -0
data/LICENSE.txt +12 -0
data/Rakefile +15 -0
data/exe/contrast_service +29 -0
data/ext/build_funchook.rb +48 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.c +47 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.h +10 -0
data/ext/cs__assess_active_record_named/extconf.rb +2 -0
data/ext/cs__assess_array/cs__assess_array.c +38 -0
data/ext/cs__assess_array/cs__assess_array.h +9 -0
data/ext/cs__assess_array/extconf.rb +2 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +50 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +17 -0
data/ext/cs__assess_basic_object/extconf.rb +2 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +86 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +34 -0
data/ext/cs__assess_fiber_track/extconf.rb +2 -0
data/ext/cs__assess_hash/cs__assess_hash.c +64 -0
data/ext/cs__assess_hash/cs__assess_hash.h +24 -0
data/ext/cs__assess_hash/extconf.rb +2 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +36 -0
data/ext/cs__assess_kernel/cs__assess_kernel.h +10 -0
data/ext/cs__assess_kernel/extconf.rb +2 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +47 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +18 -0
data/ext/cs__assess_marshal_module/extconf.rb +2 -0
data/ext/cs__assess_module/cs__assess_module.c +78 -0
data/ext/cs__assess_module/cs__assess_module.h +25 -0
data/ext/cs__assess_module/extconf.rb +2 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +48 -0
data/ext/cs__assess_regexp/cs__assess_regexp.h +22 -0
data/ext/cs__assess_regexp/extconf.rb +2 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +63 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +29 -0
data/ext/cs__assess_regexp_track/extconf.rb +2 -0
data/ext/cs__assess_string/cs__assess_string.c +38 -0
data/ext/cs__assess_string/cs__assess_string.h +19 -0
data/ext/cs__assess_string/extconf.rb +2 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +31 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +13 -0
data/ext/cs__assess_string_interpolation26/extconf.rb +2 -0
data/ext/cs__common/cs__common.c +60 -0
data/ext/cs__common/cs__common.h +28 -0
data/ext/cs__common/extconf.rb +20 -0
data/ext/cs__contrast_patch/cs__contrast_patch.c +445 -0
data/ext/cs__contrast_patch/cs__contrast_patch.h +196 -0
data/ext/cs__contrast_patch/extconf.rb +2 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +37 -0
data/ext/cs__protect_kernel/cs__protect_kernel.h +11 -0
data/ext/cs__protect_kernel/extconf.rb +2 -0
data/ext/cs__scope/cs__scope.c +96 -0
data/ext/cs__scope/cs__scope.h +33 -0
data/ext/cs__scope/extconf.rb +2 -0
data/ext/extconf_common.rb +49 -0
data/funchook/LICENSE +360 -0
data/funchook/Makefile +29 -0
data/funchook/Makefile.in +29 -0
data/funchook/README.md +121 -0
data/funchook/appveyor.yml +42 -0
data/funchook/autogen.sh +3 -0
data/funchook/autom4te.cache/output.0 +4976 -0
data/funchook/autom4te.cache/requests +78 -0
data/funchook/autom4te.cache/traces.0 +364 -0
data/funchook/config.guess +1530 -0
data/funchook/config.log +490 -0
data/funchook/config.status +1016 -0
data/funchook/config.sub +1773 -0
data/funchook/configure +4976 -0
data/funchook/configure.ac +59 -0
data/funchook/distorm/COPYING +26 -0
data/funchook/distorm/MANIFEST +25 -0
data/funchook/distorm/MANIFEST.in +4 -0
data/funchook/distorm/README.md +12 -0
data/funchook/distorm/disOps/disOps.py +795 -0
data/funchook/distorm/disOps/x86db.py +404 -0
data/funchook/distorm/disOps/x86header.py +247 -0
data/funchook/distorm/disOps/x86sets.py +1664 -0
data/funchook/distorm/examples/cs/TestdiStorm/Program.cs +79 -0
data/funchook/distorm/examples/cs/TestdiStorm/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/TestdiStorm/TestdiStorm.csproj +69 -0
data/funchook/distorm/examples/cs/distorm-net.sln +26 -0
data/funchook/distorm/examples/cs/distorm-net/CodeInfo.cs +23 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedInst.cs +15 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedInst.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.cs +1268 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.tt +37 -0
data/funchook/distorm/examples/cs/distorm-net/Operand.cs +25 -0
data/funchook/distorm/examples/cs/distorm-net/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/diStorm3.cs +411 -0
data/funchook/distorm/examples/cs/distorm-net/distorm-net.csproj +80 -0
data/funchook/distorm/examples/cs/readme +3 -0
data/funchook/distorm/examples/ddk/README +48 -0
data/funchook/distorm/examples/ddk/distorm.ini +11 -0
data/funchook/distorm/examples/ddk/dummy.c +15 -0
data/funchook/distorm/examples/ddk/main.c +91 -0
data/funchook/distorm/examples/ddk/makefile +1 -0
data/funchook/distorm/examples/ddk/sources +10 -0
data/funchook/distorm/examples/java/Makefile +23 -0
data/funchook/distorm/examples/java/distorm/src/Main.java +43 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/CodeInfo.java +27 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedInst.java +32 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedInst.java +89 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/OpcodeEnum.java +131 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Opcodes.java +1123 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Operand.java +24 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/distorm3.java +41 -0
data/funchook/distorm/examples/java/jdistorm.c +405 -0
data/funchook/distorm/examples/java/jdistorm.h +40 -0
data/funchook/distorm/examples/java/jdistorm.sln +20 -0
data/funchook/distorm/examples/java/jdistorm.vcproj +208 -0
data/funchook/distorm/examples/linux/Makefile +15 -0
data/funchook/distorm/examples/linux/main.c +181 -0
data/funchook/distorm/examples/tests/Makefile +15 -0
data/funchook/distorm/examples/tests/main.cpp +42 -0
data/funchook/distorm/examples/tests/main.py +66 -0
data/funchook/distorm/examples/tests/test_distorm3.py +1672 -0
data/funchook/distorm/examples/tests/tests.sln +20 -0
data/funchook/distorm/examples/tests/tests.vcxproj +82 -0
data/funchook/distorm/examples/tests/tests.vcxproj.filters +22 -0
data/funchook/distorm/examples/win32/disasm.sln +25 -0
data/funchook/distorm/examples/win32/disasm.vcxproj +201 -0
data/funchook/distorm/examples/win32/disasm.vcxproj.filters +14 -0
data/funchook/distorm/examples/win32/main.cpp +163 -0
data/funchook/distorm/include/distorm.h +482 -0
data/funchook/distorm/include/mnemonics.h +301 -0
data/funchook/distorm/make/linux/Makefile +28 -0
data/funchook/distorm/make/mac/Makefile +24 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj +239 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj.filters +80 -0
data/funchook/distorm/make/win32/distorm.sln +25 -0
data/funchook/distorm/make/win32/resource.h +14 -0
data/funchook/distorm/make/win32/resource.rc +99 -0
data/funchook/distorm/python/distorm3/__init__.py +957 -0
data/funchook/distorm/python/distorm3/sample.py +51 -0
data/funchook/distorm/setup.cfg +10 -0
data/funchook/distorm/setup.py +266 -0
data/funchook/distorm/src/config.h +169 -0
data/funchook/distorm/src/decoder.c +641 -0
data/funchook/distorm/src/decoder.h +33 -0
data/funchook/distorm/src/distorm.c +413 -0
data/funchook/distorm/src/instructions.c +597 -0
data/funchook/distorm/src/instructions.h +463 -0
data/funchook/distorm/src/insts.c +7939 -0
data/funchook/distorm/src/insts.h +64 -0
data/funchook/distorm/src/mnemonics.c +284 -0
data/funchook/distorm/src/operands.c +1290 -0
data/funchook/distorm/src/operands.h +28 -0
data/funchook/distorm/src/prefix.c +368 -0
data/funchook/distorm/src/prefix.h +64 -0
data/funchook/distorm/src/textdefs.c +172 -0
data/funchook/distorm/src/textdefs.h +57 -0
data/funchook/distorm/src/wstring.c +47 -0
data/funchook/distorm/src/wstring.h +35 -0
data/funchook/distorm/src/x86defs.h +82 -0
data/funchook/include/funchook.h +123 -0
data/funchook/install-sh +527 -0
data/funchook/src/Makefile +70 -0
data/funchook/src/Makefile.in +70 -0
data/funchook/src/__strerror.h +109 -0
data/funchook/src/config.h +101 -0
data/funchook/src/config.h.in +100 -0
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.c +440 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_internal.h +155 -0
data/funchook/src/funchook_io.c +182 -0
data/funchook/src/funchook_io.h +64 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.S +134 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.c +480 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_windows.c +397 -0
data/funchook/src/funchook_x86.c +622 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.so +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.c +115 -0
data/funchook/src/os_func.h +75 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.c +94 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/os_func_windows.c +32 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.c +1688 -0
data/funchook/src/printf_base.h +46 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +43 -0
data/funchook/test/Makefile.in +43 -0
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.c +25 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/libfunchook_test2.c +18 -0
data/funchook/test/suffix.list +600 -0
data/funchook/test/test_main.c +430 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.S +10 -0
data/funchook/test/x86_64_test.o +0 -0
data/funchook/test/x86_test.S +339 -0
data/funchook/win32/config.h +1 -0
data/funchook/win32/funchook.sln +52 -0
data/funchook/win32/funchook.vcxproj +188 -0
data/funchook/win32/funchook.vcxproj.filters +84 -0
data/funchook/win32/funchook_test.vcxproj +170 -0
data/funchook/win32/funchook_test.vcxproj.filters +22 -0
data/funchook/win32/funchook_test_dll.vcxproj +184 -0
data/funchook/win32/funchook_test_dll.vcxproj.filters +30 -0
data/funchook/win32/funchook_test_exe.def +3 -0
data/lib/contrast-agent.rb +8 -0
data/lib/contrast.rb +57 -0
data/lib/contrast/agent.rb +80 -0
data/lib/contrast/agent/assess.rb +45 -0
data/lib/contrast/agent/assess/adjusted_span.rb +25 -0
data/lib/contrast/agent/assess/class_reverter.rb +82 -0
data/lib/contrast/agent/assess/contrast_event.rb +398 -0
data/lib/contrast/agent/assess/frozen_properties.rb +41 -0
data/lib/contrast/agent/assess/insulator.rb +53 -0
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +78 -0
data/lib/contrast/agent/assess/policy/patcher.rb +85 -0
data/lib/contrast/agent/assess/policy/policy.rb +116 -0
data/lib/contrast/agent/assess/policy/policy_node.rb +289 -0
data/lib/contrast/agent/assess/policy/policy_scanner.rb +44 -0
data/lib/contrast/agent/assess/policy/preshift.rb +94 -0
data/lib/contrast/agent/assess/policy/propagation_method.rb +260 -0
data/lib/contrast/agent/assess/policy/propagation_node.rb +127 -0
data/lib/contrast/agent/assess/policy/propagator.rb +35 -0
data/lib/contrast/agent/assess/policy/propagator/append.rb +54 -0
data/lib/contrast/agent/assess/policy/propagator/base.rb +37 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +36 -0
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +62 -0
data/lib/contrast/agent/assess/policy/propagator/insert.rb +55 -0
data/lib/contrast/agent/assess/policy/propagator/keep.rb +26 -0
data/lib/contrast/agent/assess/policy/propagator/next.rb +42 -0
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +50 -0
data/lib/contrast/agent/assess/policy/propagator/remove.rb +76 -0
data/lib/contrast/agent/assess/policy/propagator/replace.rb +27 -0
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +38 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +86 -0
data/lib/contrast/agent/assess/policy/propagator/splat.rb +60 -0
data/lib/contrast/agent/assess/policy/propagator/split.rb +49 -0
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +169 -0
data/lib/contrast/agent/assess/policy/propagator/trim.rb +81 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +79 -0
data/lib/contrast/agent/assess/policy/source_method.rb +209 -0
data/lib/contrast/agent/assess/policy/source_node.rb +62 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +209 -0
data/lib/contrast/agent/assess/policy/trigger_node.rb +198 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +77 -0
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +31 -0
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +40 -0
data/lib/contrast/agent/assess/properties.rb +392 -0
data/lib/contrast/agent/assess/rule.rb +18 -0
data/lib/contrast/agent/assess/rule/base.rb +72 -0
data/lib/contrast/agent/assess/rule/csrf.rb +66 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +28 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +69 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +132 -0
data/lib/contrast/agent/assess/rule/provider.rb +21 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +62 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +73 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +121 -0
data/lib/contrast/agent/assess/rule/redos.rb +68 -0
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +47 -0
data/lib/contrast/agent/assess/rule/response_watcher.rb +36 -0
data/lib/contrast/agent/assess/rule/watcher.rb +36 -0
data/lib/contrast/agent/assess/tag.rb +151 -0
data/lib/contrast/agent/at_exit_hook.rb +33 -0
data/lib/contrast/agent/class_reopener.rb +195 -0
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +26 -0
data/lib/contrast/agent/deadzone/policy/policy.rb +57 -0
data/lib/contrast/agent/disable_reaction.rb +24 -0
data/lib/contrast/agent/exclusion_matcher.rb +190 -0
data/lib/contrast/agent/feature_state.rb +379 -0
data/lib/contrast/agent/inventory/policy/policy.rb +32 -0
data/lib/contrast/agent/inventory/policy/trigger_node.rb +22 -0
data/lib/contrast/agent/logger_manager.rb +116 -0
data/lib/contrast/agent/middleware.rb +352 -0
data/lib/contrast/agent/module_data.rb +16 -0
data/lib/contrast/agent/patching/policy/after_load_patch.rb +37 -0
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +58 -0
data/lib/contrast/agent/patching/policy/method_policy.rb +94 -0
data/lib/contrast/agent/patching/policy/module_policy.rb +116 -0
data/lib/contrast/agent/patching/policy/patch.rb +312 -0
data/lib/contrast/agent/patching/policy/patch_status.rb +192 -0
data/lib/contrast/agent/patching/policy/patcher.rb +310 -0
data/lib/contrast/agent/patching/policy/policy.rb +138 -0
data/lib/contrast/agent/patching/policy/policy_node.rb +80 -0
data/lib/contrast/agent/patching/policy/policy_unpatcher.rb +28 -0
data/lib/contrast/agent/patching/policy/trigger_node.rb +81 -0
data/lib/contrast/agent/protect/policy/policy.rb +37 -0
data/lib/contrast/agent/protect/policy/trigger_node.rb +23 -0
data/lib/contrast/agent/protect/rule.rb +58 -0
data/lib/contrast/agent/protect/rule/base.rb +300 -0
data/lib/contrast/agent/protect/rule/base_service.rb +88 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +156 -0
data/lib/contrast/agent/protect/rule/csrf.rb +118 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +103 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +85 -0
data/lib/contrast/agent/protect/rule/default_scanner.rb +300 -0
data/lib/contrast/agent/protect/rule/deserialization.rb +193 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +80 -0
data/lib/contrast/agent/protect/rule/no_sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +40 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +143 -0
data/lib/contrast/agent/protect/rule/sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +16 -0
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +38 -0
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +22 -0
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +19 -0
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
data/lib/contrast/agent/protect/rule/xss.rb +24 -0
data/lib/contrast/agent/protect/rule/xxe.rb +120 -0
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +82 -0
data/lib/contrast/agent/railtie.rb +30 -0
data/lib/contrast/agent/reaction_processor.rb +47 -0
data/lib/contrast/agent/request.rb +493 -0
data/lib/contrast/agent/request_context.rb +225 -0
data/lib/contrast/agent/require_state.rb +61 -0
data/lib/contrast/agent/response.rb +215 -0
data/lib/contrast/agent/rewriter.rb +244 -0
data/lib/contrast/agent/scope.rb +28 -0
data/lib/contrast/agent/service_heartbeat.rb +37 -0
data/lib/contrast/agent/settings_state.rb +148 -0
data/lib/contrast/agent/socket_client.rb +125 -0
data/lib/contrast/agent/thread.rb +26 -0
data/lib/contrast/agent/tracepoint_hook.rb +51 -0
data/lib/contrast/agent/version.rb +8 -0
data/lib/contrast/api.rb +17 -0
data/lib/contrast/api/.gitkeep +0 -0
data/lib/contrast/api/connection_status.rb +49 -0
data/lib/contrast/api/socket.rb +43 -0
data/lib/contrast/api/speedracer.rb +206 -0
data/lib/contrast/api/tcp_socket.rb +31 -0
data/lib/contrast/api/unix_socket.rb +25 -0
data/lib/contrast/common_agent_configuration.rb +86 -0
data/lib/contrast/components/agent.rb +85 -0
data/lib/contrast/components/app_context.rb +188 -0
data/lib/contrast/components/assess.rb +67 -0
data/lib/contrast/components/config.rb +135 -0
data/lib/contrast/components/contrast_service.rb +113 -0
data/lib/contrast/components/heap_dump.rb +34 -0
data/lib/contrast/components/interface.rb +178 -0
data/lib/contrast/components/inventory.rb +23 -0
data/lib/contrast/components/logger.rb +92 -0
data/lib/contrast/components/protect.rb +38 -0
data/lib/contrast/components/sampling.rb +41 -0
data/lib/contrast/components/scope.rb +106 -0
data/lib/contrast/components/settings.rb +140 -0
data/lib/contrast/config.rb +33 -0
data/lib/contrast/config/agent_configuration.rb +24 -0
data/lib/contrast/config/application_configuration.rb +27 -0
data/lib/contrast/config/assess_configuration.rb +22 -0
data/lib/contrast/config/assess_rules_configuration.rb +18 -0
data/lib/contrast/config/base_configuration.rb +105 -0
data/lib/contrast/config/default_value.rb +16 -0
data/lib/contrast/config/exception_configuration.rb +21 -0
data/lib/contrast/config/heap_dump_configuration.rb +23 -0
data/lib/contrast/config/inventory_configuration.rb +20 -0
data/lib/contrast/config/logger_configuration.rb +20 -0
data/lib/contrast/config/protect_configuration.rb +20 -0
data/lib/contrast/config/protect_rule_configuration.rb +37 -0
data/lib/contrast/config/protect_rules_configuration.rb +30 -0
data/lib/contrast/config/root_configuration.rb +26 -0
data/lib/contrast/config/ruby_configuration.rb +39 -0
data/lib/contrast/config/sampling_configuration.rb +22 -0
data/lib/contrast/config/server_configuration.rb +23 -0
data/lib/contrast/config/service_configuration.rb +22 -0
data/lib/contrast/configuration.rb +214 -0
data/lib/contrast/core_extensions/assess.rb +51 -0
data/lib/contrast/core_extensions/assess/array.rb +58 -0
data/lib/contrast/core_extensions/assess/assess_extension.rb +145 -0
data/lib/contrast/core_extensions/assess/basic_object.rb +15 -0
data/lib/contrast/core_extensions/assess/erb.rb +42 -0
data/lib/contrast/core_extensions/assess/exec_trigger.rb +48 -0
data/lib/contrast/core_extensions/assess/fiber.rb +125 -0
data/lib/contrast/core_extensions/assess/hash.rb +22 -0
data/lib/contrast/core_extensions/assess/kernel.rb +95 -0
data/lib/contrast/core_extensions/assess/module.rb +14 -0
data/lib/contrast/core_extensions/assess/regexp.rb +206 -0
data/lib/contrast/core_extensions/assess/string.rb +75 -0
data/lib/contrast/core_extensions/assess/tilt_template_trigger.rb +73 -0
data/lib/contrast/core_extensions/delegator.rb +14 -0
data/lib/contrast/core_extensions/eval_trigger.rb +52 -0
data/lib/contrast/core_extensions/inventory.rb +22 -0
data/lib/contrast/core_extensions/inventory/datastores.rb +37 -0
data/lib/contrast/core_extensions/module.rb +42 -0
data/lib/contrast/core_extensions/object.rb +27 -0
data/lib/contrast/core_extensions/protect.rb +20 -0
data/lib/contrast/core_extensions/protect/applies_command_injection_rule.rb +70 -0
data/lib/contrast/core_extensions/protect/applies_deserialization_rule.rb +58 -0
data/lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb +81 -0
data/lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb +119 -0
data/lib/contrast/core_extensions/protect/applies_sqli_rule.rb +63 -0
data/lib/contrast/core_extensions/protect/applies_xxe_rule.rb +141 -0
data/lib/contrast/core_extensions/protect/kernel.rb +30 -0
data/lib/contrast/core_extensions/protect/psych.rb +7 -0
data/lib/contrast/core_extensions/thread.rb +31 -0
data/lib/contrast/internal_exception.rb +8 -0
data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb +48 -0
data/lib/contrast/rails_extensions/assess/active_record.rb +32 -0
data/lib/contrast/rails_extensions/assess/active_record_named.rb +61 -0
data/lib/contrast/rails_extensions/assess/configuration.rb +26 -0
data/lib/contrast/rails_extensions/buffer.rb +30 -0
data/lib/contrast/rails_extensions/rack.rb +45 -0
data/lib/contrast/security_exception.rb +14 -0
data/lib/contrast/sinatra_extensions/assess/cookie.rb +26 -0
data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb +59 -0
data/lib/contrast/tasks/service.rb +95 -0
data/lib/contrast/utils/assess/sampling_util.rb +96 -0
data/lib/contrast/utils/assess/tracking_util.rb +39 -0
data/lib/contrast/utils/boolean_util.rb +33 -0
data/lib/contrast/utils/cache.rb +69 -0
data/lib/contrast/utils/class_util.rb +58 -0
data/lib/contrast/utils/comment_range.rb +19 -0
data/lib/contrast/utils/data_store_util.rb +23 -0
data/lib/contrast/utils/duck_utils.rb +58 -0
data/lib/contrast/utils/env_configuration_item.rb +52 -0
data/lib/contrast/utils/environment_util.rb +152 -0
data/lib/contrast/utils/freeze_util.rb +36 -0
data/lib/contrast/utils/gemfile_reader.rb +191 -0
data/lib/contrast/utils/hash_digest.rb +148 -0
data/lib/contrast/utils/heap_dump_util.rb +113 -0
data/lib/contrast/utils/invalid_configuration_util.rb +88 -0
data/lib/contrast/utils/inventory_util.rb +126 -0
data/lib/contrast/utils/io_util.rb +61 -0
data/lib/contrast/utils/object_share.rb +117 -0
data/lib/contrast/utils/operating_environment.rb +38 -0
data/lib/contrast/utils/os.rb +49 -0
data/lib/contrast/utils/path_util.rb +151 -0
data/lib/contrast/utils/performs_logging.rb +152 -0
data/lib/contrast/utils/preflight_util.rb +13 -0
data/lib/contrast/utils/prevent_serialization.rb +52 -0
data/lib/contrast/utils/rack_assess_session_cookie.rb +104 -0
data/lib/contrast/utils/rails_assess_configuration.rb +95 -0
data/lib/contrast/utils/random_util.rb +22 -0
data/lib/contrast/utils/resource_loader.rb +23 -0
data/lib/contrast/utils/ruby_ast_rewriter.rb +74 -0
data/lib/contrast/utils/scope_util.rb +99 -0
data/lib/contrast/utils/service_response_util.rb +116 -0
data/lib/contrast/utils/service_sender_util.rb +98 -0
data/lib/contrast/utils/sha256_builder.rb +69 -0
data/lib/contrast/utils/sinatra_helper.rb +49 -0
data/lib/contrast/utils/stack_trace_utils.rb +209 -0
data/lib/contrast/utils/string_utils.rb +72 -0
data/lib/contrast/utils/tag_util.rb +139 -0
data/lib/contrast/utils/thread_tracker.rb +54 -0
data/lib/contrast/utils/timer.rb +78 -0
data/resources/assess/policy.json +1673 -0
data/resources/csrf/inject.js +44 -0
data/resources/deadzone/policy.json +55 -0
data/resources/factory-bot-spec/spec_helper.rb +30 -0
data/resources/inventory/policy.json +110 -0
data/resources/protect/policy.json +417 -0
data/resources/rubocops/kernel/catch_cop.rb +37 -0
data/resources/rubocops/kernel/require_cop.rb +37 -0
data/resources/rubocops/kernel/require_relative_cop.rb +33 -0
data/resources/rubocops/module/autoload_cop.rb +37 -0
data/resources/rubocops/module/const_defined_cop.rb +37 -0
data/resources/rubocops/module/const_get_cop.rb +37 -0
data/resources/rubocops/module/const_set_cop.rb +37 -0
data/resources/rubocops/module/constants_cop.rb +37 -0
data/resources/rubocops/module/name_cop.rb +37 -0
data/resources/rubocops/object/class_cop.rb +37 -0
data/resources/rubocops/object/freeze_cop.rb +37 -0
data/resources/rubocops/object/frozen_cop.rb +37 -0
data/resources/rubocops/object/is_a_cop.rb +37 -0
data/resources/rubocops/object/method_cop.rb +37 -0
data/resources/rubocops/object/respond_to_cop.rb +37 -0
data/resources/rubocops/object/singleton_class_cop.rb +37 -0
data/resources/rubocops/regexp/spelling_cop.rb +44 -0
data/resources/rubocops/thread/new_cop.rb +39 -0
data/resources/ruby-spec/ancestors_spec.rb +70 -0
data/resources/ruby-spec/modulo_spec.rb +831 -0
data/resources/ruby-spec/parameters_spec.rb +261 -0
data/resources/ruby-spec/ruby_spec_spec_helper.rb +35 -0
data/resources/test_marker.txt +1 -0
data/ruby-agent.gemspec +129 -0
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +1 -0
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +945 -0

data/lib/contrast/agent/protect/rule/deserialization.rb ADDED

@@ -0,0 +1,193 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This class handles our implementation of the Untrusted
+        # Deserialization Protect rule.
+        class Deserialization < Contrast::Agent::Protect::Rule::Base
+          # The TeamServer recognized name of this rule
+          NAME = 'untrusted-deserialization'
+          # The rule specific reason for raising a security exception.
+          BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
+          # Gadgets that map to ERB modules
+          ERB_GADGETS = %w[
+            object:ERB
+          ].cs__freeze
+          # Gadgets that map to ActionDispatch modules
+          ACTION_DISPATCH_GADGETS = %w[
+            object:ActionDispatch::Routing::RouteSet::NamedRouteCollection
+          ].cs__freeze
+          # Gadgets that map to Arel Modules
+          AREL_GADGETS = %w[
+            string:Arel::Nodes::SqlLiteral
+            object:Arel::Nodes
+          ].cs__freeze
+          # Used to indicate to TeamServer the gadget is an ERB module
+          ERB = 'ERB'
+          # Used to indicate to TeamServer the gadget is an ActionDispatch
+          # module
+          DISPATCH = 'ActionDispatch'
+          # Used to indicate to TeamServer the gadget is an Arel module
+          AREL = 'Arel'
+          # Return the TeamServer understood id / name of this rule.
+          # @return [String] the TeamServer understood id / name of this rule.
+          def name
+            NAME
+          end
+          # Return the specific blocking message for this rule.
+          # @return [String] the reason for the raised security exception.
+          def block_message
+            BLOCK_MESSAGE
+          end
+          # Per the spec, this rule applies regardless of input. Only the mode
+          # of the rule and code exclusions apply at this point.
+          # @return [Boolean] should the rule apply to this call.
+          def infilter? _context
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+            true
+          end
+          # Determine if the input being deserialized is an attack and take
+          # appropriate actions.
+          # @param context [Contrast::Agent::RequestContext] the request
+          #   context in which this attack is occurring.
+          # @param serialized_input [String] the string being deserialized.
+          # @raise [Contrast::SecurityException] if attack detected while in
+          #   block mode.
+          def infilter context, serialized_input
+            return unless infilter?(context)
+            gadget = find_gadget(serialized_input)
+            # If there isn't a gadget, this isn't an attack, so we have nothing
+            # to do here. Let the application carry on business as usual.
+            return unless gadget
+            ia_result = build_evaluation(serialized_input)
+            kwargs = { GADGET_TYPE: gadget }
+            result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
+            append_to_activity(context, result)
+            raise Contrast::SecurityException.new(self, block_message) if blocked?
+          end
+          # Determine if the issued command was called while we're
+          # deserializing. If we are, treat this as an attack.
+          # @param gadget_command [String] the command being executed during
+          #   the deserialization call.
+          # @raise [Contrast::SecurityException] if attack detected while in
+          #   block mode.
+          def check_command_scope gadget_command
+            return unless deserializing?
+            context = Contrast::Agent::REQUEST_TRACKER.current
+            kwargs = { COMMAND_SCOPE: true }
+            ia_result = build_evaluation(gadget_command)
+            result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
+            append_to_activity(context, result)
+            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+          end
+          # I don't know a better way to do this without introducing another
+          # scope.
+          # The policy files are designed around using the Module names, not
+          # the file names, but stack is built using filenames. These are the
+          # files and methods we patch for this rule.
+          #
+          # There's not real test for this since I can't figure out how to get
+          # a command to execute from within the .load methods
+          # Assuming someone else does, this should just work (tested with
+          # Screener and the combination "%w[erb.rb `result']")
+          DESERIALIZER_STACK = [
+            %w[/psych.rb: `load'],
+            %w[/marshal.rb: `load']
+          ].cs__freeze
+          # We're considered deserializing if the call stack includes a
+          # reference to the file in which a serializer is defined and
+          # the method of that serializer responsible for deserializing.
+          # @return [Boolean] if the caller indicates deserialization.
+          def deserializing?
+            Kernel.caller.product(DESERIALIZER_STACK).find do |(frame, (class_signature_form, method_signature_form))|
+              frame.end_with?(method_signature_form) && frame.include?(class_signature_form)
+            end
+          end
+          protected
+          # Build the RaspRuleSample for the detected Deserialization attack.
+          # @param context [Contrast::Agent::RequestContext] the request
+          #   context in which this attack is occurring.
+          # @param input_analysis_result [Contrast::Api::Settings::InputAnalysisResult]
+          #   the result of the analysis done by this rule.
+          # @param _candidate_string [nil] unused.
+          # @param kwargs [Hash, nil] Hash of inputs used by this rule to flesh
+          #   out the report to TeamServer in order to provide specific
+          #   information for this rule.
+          # @return [Contrast::Api::Dtm::RaspRuleSample] the information needed
+          #   to render this attack event in TeamServer.
+          def build_sample context, input_analysis_result, _candidate_string, **kwargs
+            sample = build_base_sample(context, input_analysis_result)
+            sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
+            deserializer = kwargs[:GADGET_TYPE]
+            sample.untrusted_deserialization.deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(deserializer)
+            command = !!kwargs[:COMMAND_SCOPE]
+            sample.untrusted_deserialization.command = command
+            sample
+          end
+          private
+          # Used to name this input since input analysis isn't done for this
+          # rule
+          INPUT_NAME = 'Serialized Gadget'
+          # We know that this attack happened, so the result is always matched
+          # and the level is always critical. Only variable is the Gadget
+          # supplied by the attacker.
+          # @param gadget_string [String] the input to be deserialized in which
+          #   the gadget exists or the command that resulted from deserializing
+          #   an input not detected in the initial infilter.
+          # @return [Contrast::Api::Settings::InputAnalysisResult] the result
+          #   of the analysis done by this rule.
+          def build_evaluation gadget_string
+            ia_result = Contrast::Api::Settings::InputAnalysisResult.new
+            ia_result.rule_id = name
+            ia_result.input_type = :UNKNOWN
+            ia_result.key = INPUT_NAME
+            ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(gadget_string)
+            ia_result
+          end
+          # Find the gadget within the serialized input, if such a gadget
+          # exists.
+          # @param serialized_input [String] the string being deserialized in
+          #   which the gadget may exist.
+          # @return [String, nil] the gadget, if found.
+          def find_gadget serialized_input
+            if ERB_GADGETS.any? { |gadget| serialized_input.index(gadget) }
+              ERB
+            elsif ACTION_DISPATCH_GADGETS.any? { |gadget| serialized_input.index(gadget) }
+              DISPATCH
+            elsif AREL_GADGETS.any? { |gadget| serialized_input.index(gadget) }
+              AREL
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/http_method_tampering.rb ADDED

@@ -0,0 +1,80 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect HTTP Method Tampering rule.
+        class HttpMethodTampering < Contrast::Agent::Protect::Rule::BaseService
+          NAME = 'method-tampering'
+          STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
+          def name
+            NAME
+          end
+          def postfilter context
+            return unless enabled? && POSTFILTER_MODES.include?(mode)
+            logger.debug("#{ name } postfilter...")
+            return if normal_request?(context)
+            # The only way to be here in postfilter with a result is if the rule mode was MONITOR
+            ia_results = gather_ia_results(context)
+            return if ia_results.empty?
+            # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
+            response_code = context&.response&.response_code
+            return unless response_code
+            method = ia_results.first.value
+            result = if response_code.to_s.start_with?('4', '5')
+                       build_attack_without_match(
+                           context,
+                           nil,
+                           nil,
+                           method: method,
+                           response_code: response_code)
+                     else
+                       build_attack_with_match(
+                           context,
+                           nil,
+                           nil,
+                           nil,
+                           method: method,
+                           response_code: response_code)
+                     end
+            append_to_activity(context, result) if result
+          end
+          protected
+          def build_sample context, evaluation, _candidate_string, **kwargs
+            sample = build_base_sample(context, evaluation)
+            sample.user_input.value = kwargs[:method]
+            sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
+            sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
+            code = kwargs[:response_code] || -1
+            sample.method_tampering.response_code = code.to_i
+            sample
+          end
+          def build_user_input _evaluation
+            input = Contrast::Api::Dtm::UserInput.new
+            input.input_type = :METHOD
+            input
+          end
+          private
+          def normal_request? context
+            method = context.request.request_method
+            context.request.static_request? || method.nil? || STANDARD_METHODS.include?(method.upcase)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/no_sqli.rb ADDED

@@ -0,0 +1,101 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+# This could be useful for making patterns maybe?
+# https://github.com/cr0hn/nosqlinjection_wordlists
+# https://www.owasp.org/index.php/Testing_for_NoSQL_injection
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect NoSQL Injection rule.
+        class NoSqli < Contrast::Agent::Protect::Rule::BaseService
+          NAME = 'nosql-injection'
+          BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
+          def name
+            NAME
+          end
+          def block_message
+            BLOCK_MESSAGE
+          end
+          def infilter context, database, query_string
+            return nil unless infilter?(context)
+            result = find_attacker(context, query_string, database: database)
+            return nil unless result
+            append_to_activity(context, result)
+            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+          end
+          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
+            return result if mode == :NO_ACTION || mode == :PERMIT
+            attack_string = input_analysis_result.value
+            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
+            return nil unless query_string.match?(regexp)
+            scanner = select_scanner
+            ss = StringScanner.new(query_string)
+            length = attack_string.length
+            while ss.scan_until(regexp)
+              # the pos of StringScanner is at the end of the regexp (input string),
+              # we need the beginning
+              idx = ss.pos - attack_string.length
+              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
+              next unless last_boundary && boundary
+              kwargs[:start_idx] = idx
+              kwargs[:end_idx] = idx + length
+              kwargs[:boundary_overrun_idx] = boundary
+              kwargs[:input_boundary_idx] = last_boundary
+              result ||= build_attack_result(context)
+              update_successful_attack_response(context, input_analysis_result, result, query_string)
+              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+            end
+            result
+          end
+          protected
+          def find_attacker context, potential_attack_string, **kwargs
+            if potential_attack_string
+              # We need the query hash to be a JSON string to match on JSON input attacks
+              begin
+                potential_attack_string = JSON.generate(potential_attack_string).to_s
+              rescue JSON::GeneratorError
+                logger.debug("Error in JSON::generate from input #{ potential_attack_string }")
+              end
+            end
+            super(context, potential_attack_string, **kwargs)
+          end
+          def build_sample context, input_analysis_result, candidate_string, **kwargs
+            input = input_analysis_result.value
+            sample = build_base_sample(context, input_analysis_result)
+            sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
+            sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+            sample.no_sqli.start_idx = sample.no_sqli.query.index(input).to_i
+            sample.no_sqli.boundary_overrun_idx = sample.no_sqli.start_idx + input.length
+            sample.no_sqli.input_boundary_idx = kwargs[:boundary].to_i
+            sample.no_sqli.input_boundary_idx = kwargs[:last_boundary].to_i
+            sample
+          end
+          private
+          def select_scanner
+            @_select_scanner ||= Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb ADDED

@@ -0,0 +1,40 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        class NoSqli
+          # The Mongo specific NoSQL scanner, used by the NoSQLI rule to
+          # determine if a NoSQL attack was performed against a Mongo database.
+          #
+          # @deprecated RUBY-356
+          class MongoNoSqlScanner < Contrast::Agent::Protect::Rule::DefaultScanner
+            # Is the current & next character '//' or are the current and
+            # subsequent characters '<--' ?
+            def start_line_comment? char, index, query
+              if char == Contrast::Utils::ObjectShare::SLASH &&
+                    query[index + 1] == Contrast::Utils::ObjectShare::SLASH
+                return true
+              end
+              char == Contrast::Utils::ObjectShare::LEFT_ANGLE &&
+                  query[index + 1] == Contrast::Utils::ObjectShare::DASH &&
+                  query[index + 2] == Contrast::Utils::ObjectShare::DASH
+            end
+            def start_block_comment? _char, _index, _query
+              false
+            end
+            # Indicates if '""' inside of double quotes is the equivalent of '\"'
+            def double_quote_escape_in_double_quote?
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/path_traversal.rb ADDED

@@ -0,0 +1,143 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/utils/stack_trace_utils'
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This class handles our implementation of the Path Traversal
+        # Protect rule.
+        class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Components::Interface
+          access_component :logging, :agent
+          NAME = 'path-traversal'
+          SYSTEM_PATHS = %w[
+            /proc/self
+            etc/passwd
+            etc/shadow
+            etc/hosts
+            etc/groups
+            etc/gshadow
+            ntuser.dat
+            /Windows/win.ini
+            /windows/system32/
+            /windows/repair/
+          ].cs__freeze
+          KNOWN_SECURITY_BYPASS_MARKERS = ['::$DATA', '::$Index', '', '\x00'].cs__freeze
+          def name
+            NAME
+          end
+          def infilter context, method, path
+            return unless infilter?(context)
+            result = find_attacker(context, path)
+            return unless result
+            append_to_activity(context, result)
+            return unless blocked?
+            raise Contrast::SecurityException.new(
+                self,
+                "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+          end
+          protected
+          def find_attacker context, path
+            attack_result = nil
+            attack_result = super(context, path) if infilter?(context)
+            attack_result = check_rep_features(context, path, attack_result)
+            attack_result
+          end
+          # Build a subclass of the RaspRuleSample using the query string and the
+          # evaluation
+          def build_sample context, input_analysis_result, path, **_kwargs
+            sample = build_base_sample(context, input_analysis_result)
+            sample.path_traversal = Contrast::Api::Dtm::PathTraversalDetails.new
+            path ||= input_analysis_result.value
+            sample.path_traversal.path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
+            sample
+          end
+          private
+          # Build a subclass of the RaspRuleSample if the sample matches
+          # TODO: SPEED-? delete me when implemented in Speedracer.
+          #   this implementation duplicates logic that is moving to Speedracer
+          #   the reason it is still here is Speedracer doesn't yet have a method to correlate
+          #   and (update) attack results that are generated because the evaluation results
+          #   from REP, it can only forward the attack results are generated by the agent.
+          def build_rep_sample context, path
+            sample = build_base_sample(context, nil)
+            sample.path_traversal_semantic = Contrast::Api::Dtm::PathTraversalSemanticAnalysisDetails.new
+            path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
+            sample.path_traversal_semantic.path = path
+            if custom_code_access_sysfile_enabled? && custom_code_accessing_system_file?(path)
+              sample.path_traversal_semantic.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
+              return sample
+            end
+            if common_file_exploits_enabled? && contains_known_attack_signatures?(path)
+              sample.path_traversal_semantic.findings << :COMMON_FILE_EXPLOITS
+              return sample
+            end
+            nil
+          end
+          def check_rep_features context, path, attack_result
+            rep_sample = build_rep_sample(context, path)
+            if rep_sample
+              attack_result = build_attack_result(context) if attack_result.nil?
+              build_attack_with_match(context, nil, attack_result, path)
+            end
+            attack_result
+          end
+          def custom_code_access_sysfile_enabled?
+            AGENT.report_custom_code_sysfile_access?
+          end
+          def custom_code_accessing_system_file? input
+            system_file?(input) && Contrast::Utils::StackTraceUtils.custom_code_context?
+          end
+          def system_file? path
+            return false unless path
+            SYSTEM_PATHS.any? { |sys_path| sys_path.include?(path) }
+          end
+          def common_file_exploits_enabled?
+            false
+          end
+          def contains_known_attack_signatures? input
+            utf8 = Contrast::Utils::StringUtils.force_utf8(input)
+            _ = CGI.unescape(utf8)
+            # TODO: RUBY-318 implement REP for known attack signatures
+            #   try:
+            #     realpath = os.path.realpath(unescaped).lower().rstrip('/')
+            #   except ValueError as e:
+            #     return 'embedded null byte' == str(e)
+            #   except TypeError as e:
+            #     return 'NUL' in str(e) or 'null byte' in str(e) or (PY34 and 'embedded NUL character' == str(e))
+            #   except Exception as e:
+            #     return 'null byte' in str(e).lower()
+            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
+            false
+          end
+        end
+      end
+    end
+  end
+end