RubyGems - contrast-agent - Versions diffs - 3.8.4 - Mend

contrast-agent 3.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (500) hide show

checksums.yaml +7 -0
data/.clang-format +5 -0
data/.dockerignore +10 -0
data/.gitignore +58 -0
data/.gitmodules +6 -0
data/.rspec +6 -0
data/.simplecov +4 -0
data/Gemfile +7 -0
data/LICENSE.txt +12 -0
data/Rakefile +15 -0
data/exe/contrast_service +29 -0
data/ext/build_funchook.rb +48 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.c +47 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.h +10 -0
data/ext/cs__assess_active_record_named/extconf.rb +2 -0
data/ext/cs__assess_array/cs__assess_array.c +38 -0
data/ext/cs__assess_array/cs__assess_array.h +9 -0
data/ext/cs__assess_array/extconf.rb +2 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +50 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +17 -0
data/ext/cs__assess_basic_object/extconf.rb +2 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +86 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +34 -0
data/ext/cs__assess_fiber_track/extconf.rb +2 -0
data/ext/cs__assess_hash/cs__assess_hash.c +64 -0
data/ext/cs__assess_hash/cs__assess_hash.h +24 -0
data/ext/cs__assess_hash/extconf.rb +2 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +36 -0
data/ext/cs__assess_kernel/cs__assess_kernel.h +10 -0
data/ext/cs__assess_kernel/extconf.rb +2 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +47 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +18 -0
data/ext/cs__assess_marshal_module/extconf.rb +2 -0
data/ext/cs__assess_module/cs__assess_module.c +78 -0
data/ext/cs__assess_module/cs__assess_module.h +25 -0
data/ext/cs__assess_module/extconf.rb +2 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +48 -0
data/ext/cs__assess_regexp/cs__assess_regexp.h +22 -0
data/ext/cs__assess_regexp/extconf.rb +2 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +63 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +29 -0
data/ext/cs__assess_regexp_track/extconf.rb +2 -0
data/ext/cs__assess_string/cs__assess_string.c +38 -0
data/ext/cs__assess_string/cs__assess_string.h +19 -0
data/ext/cs__assess_string/extconf.rb +2 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +31 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +13 -0
data/ext/cs__assess_string_interpolation26/extconf.rb +2 -0
data/ext/cs__common/cs__common.c +60 -0
data/ext/cs__common/cs__common.h +28 -0
data/ext/cs__common/extconf.rb +20 -0
data/ext/cs__contrast_patch/cs__contrast_patch.c +445 -0
data/ext/cs__contrast_patch/cs__contrast_patch.h +196 -0
data/ext/cs__contrast_patch/extconf.rb +2 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +37 -0
data/ext/cs__protect_kernel/cs__protect_kernel.h +11 -0
data/ext/cs__protect_kernel/extconf.rb +2 -0
data/ext/cs__scope/cs__scope.c +96 -0
data/ext/cs__scope/cs__scope.h +33 -0
data/ext/cs__scope/extconf.rb +2 -0
data/ext/extconf_common.rb +49 -0
data/funchook/LICENSE +360 -0
data/funchook/Makefile +29 -0
data/funchook/Makefile.in +29 -0
data/funchook/README.md +121 -0
data/funchook/appveyor.yml +42 -0
data/funchook/autogen.sh +3 -0
data/funchook/autom4te.cache/output.0 +4976 -0
data/funchook/autom4te.cache/requests +78 -0
data/funchook/autom4te.cache/traces.0 +364 -0
data/funchook/config.guess +1530 -0
data/funchook/config.log +490 -0
data/funchook/config.status +1016 -0
data/funchook/config.sub +1773 -0
data/funchook/configure +4976 -0
data/funchook/configure.ac +59 -0
data/funchook/distorm/COPYING +26 -0
data/funchook/distorm/MANIFEST +25 -0
data/funchook/distorm/MANIFEST.in +4 -0
data/funchook/distorm/README.md +12 -0
data/funchook/distorm/disOps/disOps.py +795 -0
data/funchook/distorm/disOps/x86db.py +404 -0
data/funchook/distorm/disOps/x86header.py +247 -0
data/funchook/distorm/disOps/x86sets.py +1664 -0
data/funchook/distorm/examples/cs/TestdiStorm/Program.cs +79 -0
data/funchook/distorm/examples/cs/TestdiStorm/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/TestdiStorm/TestdiStorm.csproj +69 -0
data/funchook/distorm/examples/cs/distorm-net.sln +26 -0
data/funchook/distorm/examples/cs/distorm-net/CodeInfo.cs +23 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedInst.cs +15 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedInst.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.cs +1268 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.tt +37 -0
data/funchook/distorm/examples/cs/distorm-net/Operand.cs +25 -0
data/funchook/distorm/examples/cs/distorm-net/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/diStorm3.cs +411 -0
data/funchook/distorm/examples/cs/distorm-net/distorm-net.csproj +80 -0
data/funchook/distorm/examples/cs/readme +3 -0
data/funchook/distorm/examples/ddk/README +48 -0
data/funchook/distorm/examples/ddk/distorm.ini +11 -0
data/funchook/distorm/examples/ddk/dummy.c +15 -0
data/funchook/distorm/examples/ddk/main.c +91 -0
data/funchook/distorm/examples/ddk/makefile +1 -0
data/funchook/distorm/examples/ddk/sources +10 -0
data/funchook/distorm/examples/java/Makefile +23 -0
data/funchook/distorm/examples/java/distorm/src/Main.java +43 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/CodeInfo.java +27 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedInst.java +32 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedInst.java +89 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/OpcodeEnum.java +131 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Opcodes.java +1123 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Operand.java +24 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/distorm3.java +41 -0
data/funchook/distorm/examples/java/jdistorm.c +405 -0
data/funchook/distorm/examples/java/jdistorm.h +40 -0
data/funchook/distorm/examples/java/jdistorm.sln +20 -0
data/funchook/distorm/examples/java/jdistorm.vcproj +208 -0
data/funchook/distorm/examples/linux/Makefile +15 -0
data/funchook/distorm/examples/linux/main.c +181 -0
data/funchook/distorm/examples/tests/Makefile +15 -0
data/funchook/distorm/examples/tests/main.cpp +42 -0
data/funchook/distorm/examples/tests/main.py +66 -0
data/funchook/distorm/examples/tests/test_distorm3.py +1672 -0
data/funchook/distorm/examples/tests/tests.sln +20 -0
data/funchook/distorm/examples/tests/tests.vcxproj +82 -0
data/funchook/distorm/examples/tests/tests.vcxproj.filters +22 -0
data/funchook/distorm/examples/win32/disasm.sln +25 -0
data/funchook/distorm/examples/win32/disasm.vcxproj +201 -0
data/funchook/distorm/examples/win32/disasm.vcxproj.filters +14 -0
data/funchook/distorm/examples/win32/main.cpp +163 -0
data/funchook/distorm/include/distorm.h +482 -0
data/funchook/distorm/include/mnemonics.h +301 -0
data/funchook/distorm/make/linux/Makefile +28 -0
data/funchook/distorm/make/mac/Makefile +24 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj +239 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj.filters +80 -0
data/funchook/distorm/make/win32/distorm.sln +25 -0
data/funchook/distorm/make/win32/resource.h +14 -0
data/funchook/distorm/make/win32/resource.rc +99 -0
data/funchook/distorm/python/distorm3/__init__.py +957 -0
data/funchook/distorm/python/distorm3/sample.py +51 -0
data/funchook/distorm/setup.cfg +10 -0
data/funchook/distorm/setup.py +266 -0
data/funchook/distorm/src/config.h +169 -0
data/funchook/distorm/src/decoder.c +641 -0
data/funchook/distorm/src/decoder.h +33 -0
data/funchook/distorm/src/distorm.c +413 -0
data/funchook/distorm/src/instructions.c +597 -0
data/funchook/distorm/src/instructions.h +463 -0
data/funchook/distorm/src/insts.c +7939 -0
data/funchook/distorm/src/insts.h +64 -0
data/funchook/distorm/src/mnemonics.c +284 -0
data/funchook/distorm/src/operands.c +1290 -0
data/funchook/distorm/src/operands.h +28 -0
data/funchook/distorm/src/prefix.c +368 -0
data/funchook/distorm/src/prefix.h +64 -0
data/funchook/distorm/src/textdefs.c +172 -0
data/funchook/distorm/src/textdefs.h +57 -0
data/funchook/distorm/src/wstring.c +47 -0
data/funchook/distorm/src/wstring.h +35 -0
data/funchook/distorm/src/x86defs.h +82 -0
data/funchook/include/funchook.h +123 -0
data/funchook/install-sh +527 -0
data/funchook/src/Makefile +70 -0
data/funchook/src/Makefile.in +70 -0
data/funchook/src/__strerror.h +109 -0
data/funchook/src/config.h +101 -0
data/funchook/src/config.h.in +100 -0
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.c +440 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_internal.h +155 -0
data/funchook/src/funchook_io.c +182 -0
data/funchook/src/funchook_io.h +64 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.S +134 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.c +480 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_windows.c +397 -0
data/funchook/src/funchook_x86.c +622 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.so +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.c +115 -0
data/funchook/src/os_func.h +75 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.c +94 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/os_func_windows.c +32 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.c +1688 -0
data/funchook/src/printf_base.h +46 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +43 -0
data/funchook/test/Makefile.in +43 -0
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.c +25 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/libfunchook_test2.c +18 -0
data/funchook/test/suffix.list +600 -0
data/funchook/test/test_main.c +430 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.S +10 -0
data/funchook/test/x86_64_test.o +0 -0
data/funchook/test/x86_test.S +339 -0
data/funchook/win32/config.h +1 -0
data/funchook/win32/funchook.sln +52 -0
data/funchook/win32/funchook.vcxproj +188 -0
data/funchook/win32/funchook.vcxproj.filters +84 -0
data/funchook/win32/funchook_test.vcxproj +170 -0
data/funchook/win32/funchook_test.vcxproj.filters +22 -0
data/funchook/win32/funchook_test_dll.vcxproj +184 -0
data/funchook/win32/funchook_test_dll.vcxproj.filters +30 -0
data/funchook/win32/funchook_test_exe.def +3 -0
data/lib/contrast-agent.rb +8 -0
data/lib/contrast.rb +57 -0
data/lib/contrast/agent.rb +80 -0
data/lib/contrast/agent/assess.rb +45 -0
data/lib/contrast/agent/assess/adjusted_span.rb +25 -0
data/lib/contrast/agent/assess/class_reverter.rb +82 -0
data/lib/contrast/agent/assess/contrast_event.rb +398 -0
data/lib/contrast/agent/assess/frozen_properties.rb +41 -0
data/lib/contrast/agent/assess/insulator.rb +53 -0
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +78 -0
data/lib/contrast/agent/assess/policy/patcher.rb +85 -0
data/lib/contrast/agent/assess/policy/policy.rb +116 -0
data/lib/contrast/agent/assess/policy/policy_node.rb +289 -0
data/lib/contrast/agent/assess/policy/policy_scanner.rb +44 -0
data/lib/contrast/agent/assess/policy/preshift.rb +94 -0
data/lib/contrast/agent/assess/policy/propagation_method.rb +260 -0
data/lib/contrast/agent/assess/policy/propagation_node.rb +127 -0
data/lib/contrast/agent/assess/policy/propagator.rb +35 -0
data/lib/contrast/agent/assess/policy/propagator/append.rb +54 -0
data/lib/contrast/agent/assess/policy/propagator/base.rb +37 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +36 -0
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +62 -0
data/lib/contrast/agent/assess/policy/propagator/insert.rb +55 -0
data/lib/contrast/agent/assess/policy/propagator/keep.rb +26 -0
data/lib/contrast/agent/assess/policy/propagator/next.rb +42 -0
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +50 -0
data/lib/contrast/agent/assess/policy/propagator/remove.rb +76 -0
data/lib/contrast/agent/assess/policy/propagator/replace.rb +27 -0
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +38 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +86 -0
data/lib/contrast/agent/assess/policy/propagator/splat.rb +60 -0
data/lib/contrast/agent/assess/policy/propagator/split.rb +49 -0
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +169 -0
data/lib/contrast/agent/assess/policy/propagator/trim.rb +81 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +79 -0
data/lib/contrast/agent/assess/policy/source_method.rb +209 -0
data/lib/contrast/agent/assess/policy/source_node.rb +62 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +209 -0
data/lib/contrast/agent/assess/policy/trigger_node.rb +198 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +77 -0
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +31 -0
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +40 -0
data/lib/contrast/agent/assess/properties.rb +392 -0
data/lib/contrast/agent/assess/rule.rb +18 -0
data/lib/contrast/agent/assess/rule/base.rb +72 -0
data/lib/contrast/agent/assess/rule/csrf.rb +66 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +28 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +69 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +132 -0
data/lib/contrast/agent/assess/rule/provider.rb +21 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +62 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +73 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +121 -0
data/lib/contrast/agent/assess/rule/redos.rb +68 -0
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +47 -0
data/lib/contrast/agent/assess/rule/response_watcher.rb +36 -0
data/lib/contrast/agent/assess/rule/watcher.rb +36 -0
data/lib/contrast/agent/assess/tag.rb +151 -0
data/lib/contrast/agent/at_exit_hook.rb +33 -0
data/lib/contrast/agent/class_reopener.rb +195 -0
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +26 -0
data/lib/contrast/agent/deadzone/policy/policy.rb +57 -0
data/lib/contrast/agent/disable_reaction.rb +24 -0
data/lib/contrast/agent/exclusion_matcher.rb +190 -0
data/lib/contrast/agent/feature_state.rb +379 -0
data/lib/contrast/agent/inventory/policy/policy.rb +32 -0
data/lib/contrast/agent/inventory/policy/trigger_node.rb +22 -0
data/lib/contrast/agent/logger_manager.rb +116 -0
data/lib/contrast/agent/middleware.rb +352 -0
data/lib/contrast/agent/module_data.rb +16 -0
data/lib/contrast/agent/patching/policy/after_load_patch.rb +37 -0
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +58 -0
data/lib/contrast/agent/patching/policy/method_policy.rb +94 -0
data/lib/contrast/agent/patching/policy/module_policy.rb +116 -0
data/lib/contrast/agent/patching/policy/patch.rb +312 -0
data/lib/contrast/agent/patching/policy/patch_status.rb +192 -0
data/lib/contrast/agent/patching/policy/patcher.rb +310 -0
data/lib/contrast/agent/patching/policy/policy.rb +138 -0
data/lib/contrast/agent/patching/policy/policy_node.rb +80 -0
data/lib/contrast/agent/patching/policy/policy_unpatcher.rb +28 -0
data/lib/contrast/agent/patching/policy/trigger_node.rb +81 -0
data/lib/contrast/agent/protect/policy/policy.rb +37 -0
data/lib/contrast/agent/protect/policy/trigger_node.rb +23 -0
data/lib/contrast/agent/protect/rule.rb +58 -0
data/lib/contrast/agent/protect/rule/base.rb +300 -0
data/lib/contrast/agent/protect/rule/base_service.rb +88 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +156 -0
data/lib/contrast/agent/protect/rule/csrf.rb +118 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +103 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +85 -0
data/lib/contrast/agent/protect/rule/default_scanner.rb +300 -0
data/lib/contrast/agent/protect/rule/deserialization.rb +193 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +80 -0
data/lib/contrast/agent/protect/rule/no_sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +40 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +143 -0
data/lib/contrast/agent/protect/rule/sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +16 -0
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +38 -0
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +22 -0
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +19 -0
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
data/lib/contrast/agent/protect/rule/xss.rb +24 -0
data/lib/contrast/agent/protect/rule/xxe.rb +120 -0
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +82 -0
data/lib/contrast/agent/railtie.rb +30 -0
data/lib/contrast/agent/reaction_processor.rb +47 -0
data/lib/contrast/agent/request.rb +493 -0
data/lib/contrast/agent/request_context.rb +225 -0
data/lib/contrast/agent/require_state.rb +61 -0
data/lib/contrast/agent/response.rb +215 -0
data/lib/contrast/agent/rewriter.rb +244 -0
data/lib/contrast/agent/scope.rb +28 -0
data/lib/contrast/agent/service_heartbeat.rb +37 -0
data/lib/contrast/agent/settings_state.rb +148 -0
data/lib/contrast/agent/socket_client.rb +125 -0
data/lib/contrast/agent/thread.rb +26 -0
data/lib/contrast/agent/tracepoint_hook.rb +51 -0
data/lib/contrast/agent/version.rb +8 -0
data/lib/contrast/api.rb +17 -0
data/lib/contrast/api/.gitkeep +0 -0
data/lib/contrast/api/connection_status.rb +49 -0
data/lib/contrast/api/socket.rb +43 -0
data/lib/contrast/api/speedracer.rb +206 -0
data/lib/contrast/api/tcp_socket.rb +31 -0
data/lib/contrast/api/unix_socket.rb +25 -0
data/lib/contrast/common_agent_configuration.rb +86 -0
data/lib/contrast/components/agent.rb +85 -0
data/lib/contrast/components/app_context.rb +188 -0
data/lib/contrast/components/assess.rb +67 -0
data/lib/contrast/components/config.rb +135 -0
data/lib/contrast/components/contrast_service.rb +113 -0
data/lib/contrast/components/heap_dump.rb +34 -0
data/lib/contrast/components/interface.rb +178 -0
data/lib/contrast/components/inventory.rb +23 -0
data/lib/contrast/components/logger.rb +92 -0
data/lib/contrast/components/protect.rb +38 -0
data/lib/contrast/components/sampling.rb +41 -0
data/lib/contrast/components/scope.rb +106 -0
data/lib/contrast/components/settings.rb +140 -0
data/lib/contrast/config.rb +33 -0
data/lib/contrast/config/agent_configuration.rb +24 -0
data/lib/contrast/config/application_configuration.rb +27 -0
data/lib/contrast/config/assess_configuration.rb +22 -0
data/lib/contrast/config/assess_rules_configuration.rb +18 -0
data/lib/contrast/config/base_configuration.rb +105 -0
data/lib/contrast/config/default_value.rb +16 -0
data/lib/contrast/config/exception_configuration.rb +21 -0
data/lib/contrast/config/heap_dump_configuration.rb +23 -0
data/lib/contrast/config/inventory_configuration.rb +20 -0
data/lib/contrast/config/logger_configuration.rb +20 -0
data/lib/contrast/config/protect_configuration.rb +20 -0
data/lib/contrast/config/protect_rule_configuration.rb +37 -0
data/lib/contrast/config/protect_rules_configuration.rb +30 -0
data/lib/contrast/config/root_configuration.rb +26 -0
data/lib/contrast/config/ruby_configuration.rb +39 -0
data/lib/contrast/config/sampling_configuration.rb +22 -0
data/lib/contrast/config/server_configuration.rb +23 -0
data/lib/contrast/config/service_configuration.rb +22 -0
data/lib/contrast/configuration.rb +214 -0
data/lib/contrast/core_extensions/assess.rb +51 -0
data/lib/contrast/core_extensions/assess/array.rb +58 -0
data/lib/contrast/core_extensions/assess/assess_extension.rb +145 -0
data/lib/contrast/core_extensions/assess/basic_object.rb +15 -0
data/lib/contrast/core_extensions/assess/erb.rb +42 -0
data/lib/contrast/core_extensions/assess/exec_trigger.rb +48 -0
data/lib/contrast/core_extensions/assess/fiber.rb +125 -0
data/lib/contrast/core_extensions/assess/hash.rb +22 -0
data/lib/contrast/core_extensions/assess/kernel.rb +95 -0
data/lib/contrast/core_extensions/assess/module.rb +14 -0
data/lib/contrast/core_extensions/assess/regexp.rb +206 -0
data/lib/contrast/core_extensions/assess/string.rb +75 -0
data/lib/contrast/core_extensions/assess/tilt_template_trigger.rb +73 -0
data/lib/contrast/core_extensions/delegator.rb +14 -0
data/lib/contrast/core_extensions/eval_trigger.rb +52 -0
data/lib/contrast/core_extensions/inventory.rb +22 -0
data/lib/contrast/core_extensions/inventory/datastores.rb +37 -0
data/lib/contrast/core_extensions/module.rb +42 -0
data/lib/contrast/core_extensions/object.rb +27 -0
data/lib/contrast/core_extensions/protect.rb +20 -0
data/lib/contrast/core_extensions/protect/applies_command_injection_rule.rb +70 -0
data/lib/contrast/core_extensions/protect/applies_deserialization_rule.rb +58 -0
data/lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb +81 -0
data/lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb +119 -0
data/lib/contrast/core_extensions/protect/applies_sqli_rule.rb +63 -0
data/lib/contrast/core_extensions/protect/applies_xxe_rule.rb +141 -0
data/lib/contrast/core_extensions/protect/kernel.rb +30 -0
data/lib/contrast/core_extensions/protect/psych.rb +7 -0
data/lib/contrast/core_extensions/thread.rb +31 -0
data/lib/contrast/internal_exception.rb +8 -0
data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb +48 -0
data/lib/contrast/rails_extensions/assess/active_record.rb +32 -0
data/lib/contrast/rails_extensions/assess/active_record_named.rb +61 -0
data/lib/contrast/rails_extensions/assess/configuration.rb +26 -0
data/lib/contrast/rails_extensions/buffer.rb +30 -0
data/lib/contrast/rails_extensions/rack.rb +45 -0
data/lib/contrast/security_exception.rb +14 -0
data/lib/contrast/sinatra_extensions/assess/cookie.rb +26 -0
data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb +59 -0
data/lib/contrast/tasks/service.rb +95 -0
data/lib/contrast/utils/assess/sampling_util.rb +96 -0
data/lib/contrast/utils/assess/tracking_util.rb +39 -0
data/lib/contrast/utils/boolean_util.rb +33 -0
data/lib/contrast/utils/cache.rb +69 -0
data/lib/contrast/utils/class_util.rb +58 -0
data/lib/contrast/utils/comment_range.rb +19 -0
data/lib/contrast/utils/data_store_util.rb +23 -0
data/lib/contrast/utils/duck_utils.rb +58 -0
data/lib/contrast/utils/env_configuration_item.rb +52 -0
data/lib/contrast/utils/environment_util.rb +152 -0
data/lib/contrast/utils/freeze_util.rb +36 -0
data/lib/contrast/utils/gemfile_reader.rb +191 -0
data/lib/contrast/utils/hash_digest.rb +148 -0
data/lib/contrast/utils/heap_dump_util.rb +113 -0
data/lib/contrast/utils/invalid_configuration_util.rb +88 -0
data/lib/contrast/utils/inventory_util.rb +126 -0
data/lib/contrast/utils/io_util.rb +61 -0
data/lib/contrast/utils/object_share.rb +117 -0
data/lib/contrast/utils/operating_environment.rb +38 -0
data/lib/contrast/utils/os.rb +49 -0
data/lib/contrast/utils/path_util.rb +151 -0
data/lib/contrast/utils/performs_logging.rb +152 -0
data/lib/contrast/utils/preflight_util.rb +13 -0
data/lib/contrast/utils/prevent_serialization.rb +52 -0
data/lib/contrast/utils/rack_assess_session_cookie.rb +104 -0
data/lib/contrast/utils/rails_assess_configuration.rb +95 -0
data/lib/contrast/utils/random_util.rb +22 -0
data/lib/contrast/utils/resource_loader.rb +23 -0
data/lib/contrast/utils/ruby_ast_rewriter.rb +74 -0
data/lib/contrast/utils/scope_util.rb +99 -0
data/lib/contrast/utils/service_response_util.rb +116 -0
data/lib/contrast/utils/service_sender_util.rb +98 -0
data/lib/contrast/utils/sha256_builder.rb +69 -0
data/lib/contrast/utils/sinatra_helper.rb +49 -0
data/lib/contrast/utils/stack_trace_utils.rb +209 -0
data/lib/contrast/utils/string_utils.rb +72 -0
data/lib/contrast/utils/tag_util.rb +139 -0
data/lib/contrast/utils/thread_tracker.rb +54 -0
data/lib/contrast/utils/timer.rb +78 -0
data/resources/assess/policy.json +1673 -0
data/resources/csrf/inject.js +44 -0
data/resources/deadzone/policy.json +55 -0
data/resources/factory-bot-spec/spec_helper.rb +30 -0
data/resources/inventory/policy.json +110 -0
data/resources/protect/policy.json +417 -0
data/resources/rubocops/kernel/catch_cop.rb +37 -0
data/resources/rubocops/kernel/require_cop.rb +37 -0
data/resources/rubocops/kernel/require_relative_cop.rb +33 -0
data/resources/rubocops/module/autoload_cop.rb +37 -0
data/resources/rubocops/module/const_defined_cop.rb +37 -0
data/resources/rubocops/module/const_get_cop.rb +37 -0
data/resources/rubocops/module/const_set_cop.rb +37 -0
data/resources/rubocops/module/constants_cop.rb +37 -0
data/resources/rubocops/module/name_cop.rb +37 -0
data/resources/rubocops/object/class_cop.rb +37 -0
data/resources/rubocops/object/freeze_cop.rb +37 -0
data/resources/rubocops/object/frozen_cop.rb +37 -0
data/resources/rubocops/object/is_a_cop.rb +37 -0
data/resources/rubocops/object/method_cop.rb +37 -0
data/resources/rubocops/object/respond_to_cop.rb +37 -0
data/resources/rubocops/object/singleton_class_cop.rb +37 -0
data/resources/rubocops/regexp/spelling_cop.rb +44 -0
data/resources/rubocops/thread/new_cop.rb +39 -0
data/resources/ruby-spec/ancestors_spec.rb +70 -0
data/resources/ruby-spec/modulo_spec.rb +831 -0
data/resources/ruby-spec/parameters_spec.rb +261 -0
data/resources/ruby-spec/ruby_spec_spec_helper.rb +35 -0
data/resources/test_marker.txt +1 -0
data/ruby-agent.gemspec +129 -0
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +1 -0
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +945 -0

data/lib/contrast/utils/rack_assess_session_cookie.rb ADDED

@@ -0,0 +1,104 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  module Utils
+    # This module is used to analyze non-rails session storage configuration for assess vulnerabilities
+    module RackAssessSessionCookie
+      include Contrast::Components::Interface
+      access_component :analysis, :logging, :scope
+      CS__SECURE_RULE_NAME = 'secure-flag-missing'
+      CS__HTTPONLY_NAME = 'rails-http-only-disabled'
+      CS__SESSION_TIMEOUT_NAME = 'session-timeout'
+      SAFE_SESSION_TIMEOUT = (30 * 60 * 60)
+      class << self
+        include Contrast::Utils::InvalidConfigurationUtil
+        def analyze_cookie_initialization options
+          return if PROTECT.enabled?
+          apply_session_timeout(options)
+          apply_httponly(options)
+          apply_secure_session(options)
+        end
+        def vulnerable_setting?(setting_key,
+                                safe_settings_value,
+                                options, safe_default: true,
+                                comparison_type: nil)
+          # In most cases, Rack is pretty nice and the default value is safe
+          return !safe_default unless options&.key?(setting_key)
+          value = options[setting_key]
+          return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
+          value != safe_settings_value
+        end
+        def apply_secure_session options
+          return unless vulnerable_setting?(
+              :secure,
+              true,
+              options,
+              safe_default: false)
+          with_contrast_scope do
+            cs__report_finding(
+                CS__SECURE_RULE_NAME,
+                options,
+                caller_locations(10, 9)[0])
+          end
+        rescue StandardError => e
+          begin
+            logger.log_error('Unable to track call to secure session', e)
+          rescue StandardError
+            nil
+          end
+        end
+        def apply_session_timeout options
+          return unless vulnerable_setting?(:expire_after,
+                                            SAFE_SESSION_TIMEOUT,
+                                            options,
+                                            safe_default: false,
+                                            comparison_type: :greater_than)
+          with_contrast_scope do
+            cs__report_finding(
+                CS__SESSION_TIMEOUT_NAME,
+                options,
+                caller_locations(10, 9)[0])
+          end
+        rescue StandardError => e
+          begin
+            logger.log_error('Unable to track call to set session timeout', e)
+          rescue StandardError
+            nil
+          end
+        end
+        def apply_httponly options
+          return unless vulnerable_setting?(:httponly, true, options)
+          with_contrast_scope do
+            cs__report_finding(
+                CS__HTTPONLY_NAME,
+                options,
+                caller_locations(10, 9)[0])
+          end
+        rescue StandardError => e
+          begin
+            logger.log_error('Unable to track call to httponly', e)
+          rescue StandardError
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/rails_assess_configuration.rb ADDED

@@ -0,0 +1,95 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  module Utils
+    # This module is used to analyze rails session storage configuration for assess vulnerabilities
+    module RailsAssessConfiguration
+      include Contrast::Components::Interface
+      access_component :analysis, :logging, :scope
+      CS__SESSION_TIMEOUT_NAME = 'session-timeout'
+      SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
+      CS__SECURE_RULE_NAME = 'secure-flag-missing'
+      CS__HTTPONLY_RULE_NAME = 'rails-http-only-disabled'
+      class << self
+        include Contrast::Utils::InvalidConfigurationUtil
+        def analyze_session_store *args
+          return if PROTECT.enabled?
+          apply_httponly_disabled(*args)
+          apply_secure_cookie_disabled(*args)
+          apply_session_timeout(*args)
+        end
+        def vulnerable_setting? setting_key, safe_settings_value, original_args, safe_default: true, comparison_type: nil
+          # In most cases, Rails is pretty nice and the default value is safe
+          return !safe_default unless original_args && original_args.length > 1
+          # If the user overrode some args, but not ours, fall back on the default
+          rails_session_settings = original_args[1]
+          return !safe_default unless rails_session_settings&.key?(setting_key)
+          value = rails_session_settings[setting_key]
+          return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
+          value != safe_settings_value
+        end
+        def apply_session_timeout *args
+          return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
+          return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
+          rails_session_settings = args[1]
+          with_contrast_scope do
+            cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(5, 4)[0])
+          end
+        rescue StandardError => e
+          begin
+            logger.log_error('Unable to track call to set session timeout', e)
+          rescue StandardError
+            nil
+          end
+        end
+        def apply_secure_cookie_disabled *args
+          return if ASSESS.rule_disabled? CS__SECURE_RULE_NAME
+          return unless vulnerable_setting?(:secure, true, args)
+          rails_session_settings = args[1]
+          with_contrast_scope do
+            cs__report_finding(CS__SECURE_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
+          end
+        rescue StandardError => e
+          begin
+            logger.log_error('Unable to track call to disable secure cookies', e)
+          rescue StandardError
+            nil
+          end
+        end
+        def apply_httponly_disabled *args
+          return if ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
+          return unless vulnerable_setting?(:httponly, true, args)
+          rails_session_settings = args[1]
+          with_contrast_scope do
+            cs__report_finding(CS__HTTPONLY_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
+          end
+        rescue StandardError => e
+          begin
+            logger.log_error('Unable to track call to disable httponly in session cookie', e)
+          rescue StandardError
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/random_util.rb ADDED

@@ -0,0 +1,22 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'securerandom'
+module Contrast
+  module Utils
+    # Utilites for generating random strings
+    class RandomUtil
+      RANDOM_CHARS = (('0'..'9').to_a + ('A'..'Z').to_a).cs__freeze
+      RANDOM_LENGTH = RANDOM_CHARS.length
+      def self.secure_random_string len
+        arr = []
+        len.to_i.times do
+          arr << RANDOM_CHARS[SecureRandom.random_number(RANDOM_LENGTH)]
+        end
+        arr.join
+      end
+    end
+  end
+end

data/lib/contrast/utils/resource_loader.rb ADDED

@@ -0,0 +1,23 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Utils
+    # ResourceLoader can attempt to read a file from a predefined resource directory
+    class ResourceLoader
+      RESOURCES = 'resources'
+      # __FILE__/../../../resources
+      RESOURCE_ROOT = File.join(
+          File.dirname(__FILE__),
+          Contrast::Utils::ObjectShare::PARENT_PATH,
+          Contrast::Utils::ObjectShare::PARENT_PATH,
+          Contrast::Utils::ObjectShare::PARENT_PATH,
+          RESOURCES).cs__freeze
+      def self.load resource
+        File.read(File.join(RESOURCE_ROOT, resource))
+      end
+    end
+  end
+end

data/lib/contrast/utils/ruby_ast_rewriter.rb ADDED

@@ -0,0 +1,74 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+cs__scoped_require 'parser/current'
+module Contrast
+  module Utils
+    # This utility allows us to parse and rewrite the AST in Ruby 2.4 & 2.5,
+    # allowing us to track String interpolation propagation by replacing those
+    # events with String#+ events instead.
+    class RubyAstRewriter < Parser::TreeRewriter
+      VARIABLES = %i[ivar cvar gvar].cs__freeze
+      # Rewrite the given source_string, converting the interpolation action
+      # therein to a concatenation action
+      #
+      # @param source_string [String] the String to rewrite
+      # @return [String] either the rewritten string or the original on error.
+      def rewrite source_string
+        ast = Parser::CurrentRuby.parse(source_string)
+        buffer = Parser::Source::Buffer.new('rewrite')
+        buffer.source = source_string
+        begin
+          super(buffer, ast)
+        rescue StandardError => _e
+          source_string
+        end
+      end
+      # This overloads the on_dstr method in Parser::AST::Processor to handle
+      # the replace within the given node.
+      def on_dstr node
+        return if node.children.all? { |child_node| child_node.type == :str }
+        new_content = '('
+        node.children.each_with_index do |child_node, index|
+          # A begin node looks like #{some_code} in ruby, we do a substring
+          # from [2...-1] to get rid of the #{ & trailing }.
+          if child_node.type == :begin
+            code = child_node.
+                location.
+                expression.
+                source_buffer.
+                source[child_node.location.begin.begin_pos...child_node.location.end.end_pos]
+            code = code[2...-1]
+            new_content += "((#{ code }).to_s)"
+          # For interpolations that use class, instance, or global variables,
+          # those are NOT within a begin block, but instead are a ivar, cvar,
+          # or gvar node, not stripping of interpolation markers required.
+          elsif VARIABLES.include?(child_node.type)
+            variable = child_node.children.first
+            new_content << "((#{ variable }).to_s)"
+          # When interpolation includes strings before or after an
+          # interpolation they are simple :str nodes, in order to preserve
+          # escaping we need to do a dump of the string value.
+          elsif child_node.type == :str
+            literal_value = child_node.children.first
+            literal_value = literal_value.dump[1...-1]
+            new_content <<  "\"#{ literal_value }\""
+          end
+          new_content << ' + ' unless index == node.children.length - 1
+        end
+        new_content << ')'
+        if node.location.cs__respond_to?(:heredoc_body)
+          replace(node.location.heredoc_body, new_content)
+        else
+          replace(node.location.expression, new_content)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/scope_util.rb ADDED

@@ -0,0 +1,99 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module Kernel # :nodoc:
+  include Contrast::Components::Interface
+  access_component :scope
+  alias_method :cs__catch, :catch
+  # In the event of a `throw`, we need to override `catch`
+  # to save & restore scope state:
+  #
+  #   scope_level == 0
+  #
+  #   catch(:abc) do
+  #     with_contrast_scope do
+  #       throw :abc # will leak
+  #     end
+  #   end
+  #
+  #   scope_level == 1
+  #
+  # While this will fix /all/ scope leaks, not just ones caused by `throw`,
+  # it shouldn't be relied upon as a catch-all (lmao) solution.
+  private
+  def catch *args, &block
+    # Save current scope level
+    scope_level = SCOPE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
+    # Run original catch with block.
+    retval = cs__catch(*args, &block)
+    # Restore scope.
+    SCOPE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
+    retval
+  end
+end
+# ScopeUtil should probably be merged into Scope component.
+module Contrast
+  module Utils
+    module ScopeUtil # :nodoc:
+      include Contrast::Components::Interface
+      access_component :analysis, :scope
+      # @return [Boolean]
+      def skip_contrast_analysis?
+        return true if in_contrast_scope?
+        return true unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+        false
+      end
+      # Skip if we should skip_contrast_analysis?, sampling says to ignore this
+      # request, or assess has been disabled.
+      #
+      # @return [Boolean]
+      def skip_assess_analysis?
+        return true if skip_contrast_analysis?
+        current_context = Contrast::Agent::REQUEST_TRACKER.current
+        return true unless current_context.analyze_request?
+        !ASSESS.enabled?
+      end
+      def cs__enter_scope
+        enter_contrast_scope!
+      end
+      def cs__leave_scope
+        exit_contrast_scope!
+      end
+      def cs__enter_assess_scope
+        # If we shouldn't be doing assess things, don't propagate or whatever
+        disable_contrast = skip_assess_analysis?
+        return nil if disable_contrast
+        enter_contrast_scope!
+      end
+      def cs__enter_scope_contrast_patch
+        # If we're already in Contrast scope, don't propagate or whatever
+        disable_contrast = skip_contrast_analysis?
+        return nil if disable_contrast
+        enter_contrast_scope!
+      end
+    end
+  end
+end

data/lib/contrast/utils/service_response_util.rb ADDED

@@ -0,0 +1,116 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Utils
+    # Utility class for processing responses from the Contrast Service. Specifically, this class
+    # processes Server and Application settings and updates the Settings component.
+    module ServiceResponseUtil
+      include Contrast::Components::Interface
+      access_component :contrast_service, :logging, :settings, :analysis
+      class << self
+        # TODO: RUBY-119
+        def process_response response
+          fs = Contrast::Agent::FeatureState.instance
+          fs.last_update = response&.sent_ms
+          server_features = process_server_response(response)
+          app_settings = process_application_response(response)
+          # ReactionProcessor is a design pattern from TeamServer.
+          # Right now, there's one potential reaction, which is disabling the agent
+          Contrast::Agent::ReactionProcessor.process(response&.application_settings)
+          # Determine new accumulator state
+          if (new_accum = response&.accumulator_settings)
+            SETTINGS.accumulator_settings.replace(new_accum)
+          end
+          fs.logger_manager.update(server_features&.log_file, server_features&.log_level)
+          update_features(server_features, app_settings)
+          logger.debug("Agent modes: P-#{ fs.protect_enabled? ? 'ENABLED' : 'DISABLED' }, A-#{ fs.assess_enabled? ? 'ENABLED' : 'DISABLED' }")
+        end
+        private
+        # Given some protobuf messages, update settings.
+        # This is the bridge between Contrast Service <-> Settings.
+        LOG_SERVER_SETTINGS_UPDATE = 'Agent: Received updated server features'
+        LOG_UPDATE_PROTECT         = 'Updating Protect state'
+        LOG_UPDATE_ASSESS          = 'Updating Assess state'
+        def process_server_response response
+          server_features = response&.server_features
+          return unless server_features
+          logger.debug(LOG_SERVER_SETTINGS_UPDATE)
+          # 'defend' is legacy for 'protect' in the dtm.
+          protect = server_features.defend
+          assess = server_features.assess
+          protect_enable = !!protect.enabled
+          assess_enable =  !!assess.enabled
+          # protect
+          begin
+            logger.debug(LOG_UPDATE_PROTECT)
+            SETTINGS.protect_state[:enabled] = protect_enable
+          end
+          # assess
+          begin
+            logger.debug(LOG_UPDATE_ASSESS)
+            SETTINGS.assess_state[:enabled] = assess_enable
+            SETTINGS.assess_state[:sampling_settings] = assess.sampling
+          end
+          server_features
+        end
+        MODE_WHITELIST = %i[NO_ACTION BLOCK_AT_PERIMETER MONITOR BLOCK].cs__freeze
+        LOG_APP_SETTINGS_UPDATE = 'Agent: Received updated application settings'
+        def process_application_response response
+          app_settings = response&.application_settings
+          return unless app_settings
+          logger.debug(LOG_APP_SETTINGS_UPDATE)
+          exclusion_matchers = app_settings.exclusions.map { |exc| Contrast::Agent::ExclusionMatcher.new(exc) }
+          protection_rules = app_settings.protection_rules.map { |pr, _hash| [pr.id, pr.mode] }
+          protection_rules.select! { |(_id, mode)| MODE_WHITELIST.include? mode }
+          modes_by_id = protection_rules.to_h
+          SETTINGS.application_state.merge!(
+              modes_by_id: modes_by_id,
+              exclusion_matchers: exclusion_matchers,
+              disabled_assess_rules: app_settings.disabled_assess_rules,
+              session_id: app_settings.session_id)
+          app_settings
+        end
+        # This is can also go into settings/c.service, but it
+        # requires protobuf decorators to be pretty and decomposed.
+        LOG_INFO_RULE_SETTINGS = 'Current rule settings:'
+        def update_features server_features, app_settings
+          if !!(server_features || app_settings)
+            logger.debug_with_time('Rebuilding rule modes') do
+              SETTINGS.build_protect_rules if PROTECT.enabled?
+              SETTINGS.build_assess_rules  if ASSESS.enabled?
+              logger.info(LOG_INFO_RULE_SETTINGS)
+              PROTECT.rules.each { |k, v| logger.info(".. protect: #{ k } (#{ v.mode })") }
+              ASSESS.rules.each { |k, v| logger.info(".. assess:  #{ k } (#{ v.enabled? })") }
+            end
+          end
+          if (dynamic_sources_map_pb = server_features&.assess&.dynamic_sources_map)
+            dynamic_sources_map = dynamic_sources_map_pb.keys.inject({}) do |hsh, key|
+              hsh[key] = dynamic_sources_map_pb[key]
+            end
+            Contrast::Agent::Assess::Policy::Policy.instance.update_dynamic_sources dynamic_sources_map
+          end
+          # This is for assess
+          # PERF, we could avoid here with dirty-tracking.
+          Contrast::Utils::Assess::SamplingUtil.instance.update
+        end
+      end
+    end
+  end
+end