contrast-agent 3.10.0 → 3.12.1

data/lib/contrast/agent/protect/rule/default_scanner.rb

@@ -35,7 +35,6 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     @_token_boundaries ||= scan_token_boundaries(query)
   end
 
-  CANARY = "select * from tbl where bar='bar';#' and pwd='sec3r3t'; # CANARY"
   def scan_token_boundaries query
     boundaries = []
     return boundaries unless query && !query.empty?
@@ -268,24 +267,12 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     true
   end
 
-  # Does this language let the user redefine the escape character
-  # We assume no by default
-  def redefines_escape_char?
-    false
-  end
-
   # Is the character provided an escape character?
   # By default, we'll assume
   def escape_char? char
     char == Contrast::Utils::ObjectShare::BACK_SLASH
   end
 
-  # Does this language support string escape sequences?
-  # We assume no by default
-  def support_string_escape_sequence?
-    false
-  end
-
   # Is this the start of a string escape sequence?
   # Since escape sequences aren't supported, the answer is always false
   def escape_sequence_start? _char

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base'
+
 module Contrast
   module Agent
     module Protect

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect
@@ -16,8 +18,6 @@ module Contrast
 
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-
-            logger.debug("#{ name } postfilter...")
             return if normal_request?(context)
 
             # The only way to be here in postfilter with a result is if the rule mode was MONITOR

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -1,9 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# This could be useful for making patterns maybe?
-# https://github.com/cr0hn/nosqlinjection_wordlists
-# https://www.owasp.org/index.php/Testing_for_NoSQL_injection
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect
@@ -70,7 +69,8 @@ module Contrast
               begin
                 potential_attack_string = JSON.generate(potential_attack_string).to_s
               rescue JSON::GeneratorError
-                logger.debug("Error in JSON::generate from input #{ potential_attack_string }")
+                logger.trace('Error in JSON::generate', input: potential_attack_string)
+                nil
               end
             end
             super(context, potential_attack_string, **kwargs)

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -1,8 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/utils/stack_trace_utils'
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
 cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/stack_trace_utils'
 
 module Contrast
   module Agent
@@ -12,7 +13,7 @@ module Contrast
         # Protect rule.
         class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Interface
-          access_component :logging, :agent
+          access_component :agent, :analysis
 
           NAME = 'path-traversal'
           SYSTEM_PATHS = %w[
@@ -28,8 +29,6 @@ module Contrast
             /windows/repair/
           ].cs__freeze
 
-          KNOWN_SECURITY_BYPASS_MARKERS = ['::$DATA', '::$Index', '', '\x00'].cs__freeze
-
           def name
             NAME
           end
@@ -70,11 +69,6 @@ module Contrast
           private
 
           # Build a subclass of the RaspRuleSample if the sample matches
-          # TODO: SPEED-? delete me when implemented in Speedracer.
-          #   this implementation duplicates logic that is moving to Speedracer
-          #   the reason it is still here is Speedracer doesn't yet have a method to correlate
-          #   and (update) attack results that are generated because the evaluation results
-          #   from REP, it can only forward the attack results are generated by the agent.
           def build_rep_sample context, path
             sample = build_base_sample(context, nil)
             sample.path_traversal_semantic = Contrast::Api::Dtm::PathTraversalSemanticAnalysisDetails.new
@@ -104,7 +98,7 @@ module Contrast
           end
 
           def custom_code_access_sysfile_enabled?
-            AGENT.report_custom_code_sysfile_access?
+            PROTECT.report_custom_code_sysfile_access?
           end
 
           def custom_code_accessing_system_file? input
@@ -121,6 +115,8 @@ module Contrast
             false
           end
 
+          # TODO: RUBY-318
+          # KNOWN_SECURITY_BYPASS_MARKERS = ['::$DATA', '::$Index', '', '\x00'].cs__freeze
           def contains_known_attack_signatures? input
             utf8 = Contrast::Utils::StringUtils.force_utf8(input)
             _ = CGI.unescape(utf8)

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -1,7 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_sqli_rule'
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+cs__scoped_require 'contrast/agent/protect/policy/applies_sqli_rule'
 
 module Contrast
   module Agent
@@ -83,11 +84,11 @@ module Contrast
 
           def select_scanner database
             @sql_scanners ||= {
-                Contrast::CoreExtensions::Protect::AppliesSqliRule::DATABASE_MYSQL =>
+                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
                     Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
-                Contrast::CoreExtensions::Protect::AppliesSqliRule::DATABASE_PG =>
+                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
                     Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
-                Contrast::CoreExtensions::Protect::AppliesSqliRule::DATABASE_SQLITE =>
+                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
                     Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new
             }.cs__freeze
 

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect

data/lib/contrast/agent/protect/rule/xss.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/protect/rule/base'
 cs__scoped_require 'contrast/utils/timer'
 
 module Contrast
@@ -11,7 +12,6 @@ module Contrast
         # of unsafe external entity resolution.
         class Xxe < Contrast::Agent::Protect::Rule::Base
           NAME = 'xxe'
-          EXPLOIT_CHARACTERS = Contrast::Utils::ObjectShare::EMPTY_ARRAY
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
 
@@ -19,6 +19,14 @@ module Contrast
             NAME
           end
 
+          # Given an xml, evaluate it for an XXE attack.
+          #
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param framework [Object] the name of the Parser being used.
+          # @param xml [Object] the container of the XML to be checked.
+          # @raise [Contrast::SecurityException] Security exception if an XXE
+          #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
             result = find_attacker(context, xml, framework: framework)
             return nil unless result
@@ -31,12 +39,10 @@ module Contrast
 
           protected
 
-          def find_attacker context, xml, **kwargs
+          def find_attacker context, xml, **_kwargs
             return nil unless xml
             return nil if protect_excluded_by_code?
 
-            logger.debug("checking: #{ name } in '#{ kwargs[:framework] }'")
-
             xxe_details, last_idx = build_details(xml)
             return nil unless xxe_details
 

data/lib/contrast/agent/railtie.rb

@@ -12,24 +12,19 @@ module Contrast
       access_component :agent, :app_context, :logging
 
       initializer 'Contrast Ruby Agent Initializer' do |app|
-        if defined?(Rails) && defined?(Rails.logger)
-          Rails.logger.debug('In railtie ::')
-          Rails.logger.debug(app.middleware.inspect)
-        end
+        Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
 
-        # TODO: RUBY-564 This logic is not specific to Rails and should be used more broadly
-        # with all web frameworks. Move this check to be a part of our new initialization
-        # routine.
         if APP_CONTEXT.instrument_middleware_stack?
           AGENT.insert_middleware(app)
         else
           Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
-          logger.debug(nil, "Disabling Contrast for process #{ Process.pid }")
+          logger.debug('Disabling Contrast for process', p_id: Process.pid)
         end
       end
 
       rake_tasks do
         load 'contrast/tasks/service.rb'
+        load 'contrast/tasks/config.rb'
       end
     end
   end

data/lib/contrast/agent/reaction_processor.rb

@@ -25,20 +25,20 @@ module Contrast
         return nil unless application_settings&.reactions&.any?
 
         application_settings.reactions.each do |reaction|
-          logger.debug(nil, "Received the following reaction: #{ reaction.operation }")
-
           # the enums are all uppercase, we need to downcase them before attempting to log
           level = reaction.log_level.nil? ? :error : reaction.log_level.downcase
 
-          logger.with_level(nil, reaction.message, level) if reaction.message
+          logger.with_level(level, reaction.message) if reaction.message
 
           case reaction.operation
           when :DISABLE
             Contrast::Agent::DisableReaction.run reaction, level
-          when :NOOP # rubocop:disable Lint/EmptyWhen
+          when :NOOP
             # NOOP
           else
-            logger.warn(nil, "ReactionProcessor received a reaction with an unknown operation: #{ reaction.operation }")
+            logger.warn(
+                'ReactionProcessor received a reaction with an unknown operation',
+                operation: reaction.operation)
           end
         end
       end

data/lib/contrast/agent/request.rb

@@ -6,7 +6,6 @@ cs__scoped_require 'timeout'
 
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/string_utils'
-cs__scoped_require 'contrast/utils/comment_range'
 cs__scoped_require 'contrast/utils/hash_digest'
 cs__scoped_require 'contrast/components/interface'
 
@@ -18,7 +17,7 @@ module Contrast
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Request
       include Contrast::Components::Interface
-      access_component :logging, :scope
+      access_component :agent, :logging, :scope
 
       extend Forwardable
 
@@ -108,7 +107,7 @@ module Contrast
       def request_method
         rack_request.get_header(Rack::REQUEST_METHOD)
       rescue StandardError => e
-        logger.warn("Unable to extract request method: #{ e }")
+        logger.warn('Unable to extract request method', e)
         UNKNOWN_REQUEST_METHOD
       end
 
@@ -160,10 +159,6 @@ module Contrast
         end
       end
 
-      def header_value key
-        normalized_request_headers[Contrast::Utils::StringUtils.normalized_key(key)]
-      end
-
       # Return a flattened hash of params with realized paths for keys, in
       # addition to a separate, valueless, entry for each nest key.
       # See RUBY-621 for more details.
@@ -209,15 +204,15 @@ module Contrast
           body = @rack_request.body
           if defined?(Rack::Multipart)
             if defined?(Rack::Multipart::UploadedFile) && body.is_a?(Rack::Multipart::UploadedFile)
-              logger.debug("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
+              logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
               @_request_body = nil
             else
-              logger.debug("parsing body from request :: #{ body.cs__class.cs__name }")
-              @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body), logger)
+              logger.trace("parsing body from request :: #{ body.cs__class.cs__name }")
+              @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
             end
           else
-            logger.debug('Rack before 1.3.x does not support Rack::Multipart')
-            @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body), logger)
+            logger.trace('Rack before 1.3.x does not support Rack::Multipart')
+            @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
           end
 
           true
@@ -336,7 +331,7 @@ module Contrast
       end
 
       def omit_body?
-        return true if Contrast::Agent::FeatureState.instance.omit_body?
+        return true if AGENT.omit_body?
         return false if document_type == :XML
         return false if document_type == :JSON
 
@@ -352,10 +347,8 @@ module Contrast
             address.host = Contrast::Utils::StringUtils.force_utf8(Socket.gethostname)
             address.ip = Contrast::Utils::StringUtils.force_utf8(Resolv.getaddress(address.host))
           end
-        rescue Timeout::Error
-          logger.warn(nil, "Timeout resolving host or ip in #{ address }")
         rescue StandardError => e
-          logger.warn(e, "Error resolving address for #{ address }")
+          logger.warn('Unable to resolve host or ip', e, address: address)
         end
         address
       end
@@ -444,8 +437,8 @@ module Contrast
           body.rewind if can_rewind
           body.read
         rescue StandardError => e
-          logger.error("Error in attempt to read body :: #{ e.message }")
-          logger.debug(e.backtrace.join(Contrast::Utils::ObjectShare::NEW_LINE))
+          logger.error('Error in attempt to read body', message: e.message)
+          logger.trace('With Stack', e)
           body.to_s
         ensure
           # be a good citizen and rewind

data/lib/contrast/agent/request_context.rb

@@ -4,7 +4,6 @@
 cs__scoped_require 'contrast/utils/timer'
 cs__scoped_require 'contrast/agent/request'
 cs__scoped_require 'contrast/agent/response'
-cs__scoped_require 'contrast/utils/comment_range'
 cs__scoped_require 'contrast/utils/inventory_util'
 cs__scoped_require 'contrast/components/interface'
 
@@ -15,7 +14,7 @@ module Contrast
     # in a standardized and normalized format which the Agent understands.
     class RequestContext
       include Contrast::Components::Interface
-      access_component :logging, :analysis, :scope, :contrast_service
+      access_component :agent, :analysis, :logging, :settings, :scope
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
 
@@ -46,6 +45,7 @@ module Contrast
           # build analyzer
           @do_not_track = false
           @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
+          speedracer_input_analysis.request = request
 
           # flag to indicate whether the app is fully loaded
           @app_loaded = !!app_loaded
@@ -67,10 +67,6 @@ module Contrast
         @app_loaded
       end
 
-      def analyze?
-        @sample_request || @sample_response
-      end
-
       def analyze_request?
         @sample_request
       end
@@ -94,10 +90,8 @@ module Contrast
         # For TS routes
         @observed_route.signature  = route.route
         @observed_route.verb       = route.verb
-        @observed_route.session_id = Contrast::Agent::FeatureState.instance.current_session_id
-
-        # TODO: SPEED-273: deprecate when SR handles this. ContrastUI API currently does not allow empty url, so we have to provide a default
-        @observed_route.url        = route.url.empty? ? Contrast::Utils::ObjectShare::SLASH : route.url
+        @observed_route.session_id = SETTINGS.session_id
+        @observed_route.url        = route.url if route.url
       end
 
       # Collect the results for the given rule with the given action
@@ -115,25 +109,28 @@ module Contrast
       end
 
       def service_extract_request
+        return false unless AGENT.enabled?
+        return false unless PROTECT.enabled?
         return false if @do_not_track
 
-        service_response = CONTRAST_SERVICE.send_message(@activity.http_request)
+        service_response = Contrast::Utils::ServiceSenderUtil.send_event_immediately(@activity.http_request)
         return false unless service_response
 
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          logger.debug(nil, "Analysis from Contrast Service: evaluations=#{ ia.results.length }")
-          logger.debug(nil, "IA=#{ ia.inspect }")
+          logger.trace("Analysis from Contrast Service: evaluations=#{ ia.results.length }")
+          logger.trace('Results', input_analysis: ia.inspect)
           @speedracer_input_analysis = ia
+          speedracer_input_analysis.request = request
         else
-          logger.debug(nil, 'Analysis from Contrast Service was empty.')
+          logger.trace('Analysis from Contrast Service was empty.')
           false
         end
       rescue Contrast::SecurityException
         raise
       rescue StandardError => e
-        logger.warn(e, 'Unable to extract Contrast Service information from request')
+        logger.warn('Unable to extract Contrast Service information from request', e)
         false
       end
 
@@ -154,7 +151,7 @@ module Contrast
         build_attack_results(agent_settings)
 
         msg = agent_settings.protect_state.security_message
-        logger.warn(nil, 'Contrast Service said to block this request')
+        logger.warn('Contrast Service said to block this request')
         raise Contrast::SecurityException.new(nil, (msg || 'Blocking suspicious behavior'))
       end
 
@@ -165,7 +162,7 @@ module Contrast
         @response = Contrast::Agent::Response.new(rack_response)
         activity.http_response = @response.dtm if @sample_response
       rescue StandardError => e
-        logger.error(e, 'Unable to extract information after request')
+        logger.error('Unable to extract information after request', e)
       end
 
       def add_property key, value
@@ -195,7 +192,7 @@ module Contrast
           rule = PROTECT.rule(rule_id)
           next unless rule
 
-          logger.debug(nil, "Building attack result from Contrast Service input analysis: result=#{ ia_result.inspect }")
+          logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
 
           attack_result = if rule.mode == :BLOCK
                             # special case for rules (like reflected xss)
@@ -216,7 +213,7 @@ module Contrast
         end
 
         attack_results_by_rule.each_pair do |_, attack_result|
-          logger.debug(nil, "Blocking for #{ attack_result.rule_id }")
+          logger.info('Blocking attack result', rule: attack_result.rule_id)
           activity.results << attack_result
         end
       end