contrast-agent 3.10.0 → 3.12.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.flayignore +1 -0
- data/.simplecov +5 -2
- data/ext/build_funchook.rb +12 -7
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +12 -14
- data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
- data/ext/cs__assess_active_record_named/extconf.rb +3 -0
- data/ext/cs__assess_array/cs__assess_array.c +5 -6
- data/ext/cs__assess_array/cs__assess_array.h +1 -0
- data/ext/cs__assess_array/extconf.rb +3 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +13 -11
- data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
- data/ext/cs__assess_basic_object/extconf.rb +3 -0
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
- data/ext/cs__assess_fiber_track/extconf.rb +3 -0
- data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
- data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
- data/ext/cs__assess_hash/extconf.rb +3 -0
- data/ext/cs__assess_kernel/cs__assess_kernel.c +11 -9
- data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
- data/ext/cs__assess_kernel/extconf.rb +3 -0
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
- data/ext/cs__assess_marshal_module/extconf.rb +3 -0
- data/ext/cs__assess_module/cs__assess_module.c +16 -14
- data/ext/cs__assess_module/cs__assess_module.h +3 -0
- data/ext/cs__assess_module/extconf.rb +3 -0
- data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
- data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
- data/ext/cs__assess_regexp/extconf.rb +3 -0
- data/ext/cs__assess_string/cs__assess_string.c +5 -8
- data/ext/cs__assess_string/cs__assess_string.h +2 -1
- data/ext/cs__assess_string/extconf.rb +3 -0
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
- data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +3 -0
- data/ext/cs__common/cs__common.c +80 -1
- data/ext/cs__common/cs__common.h +34 -0
- data/ext/cs__common/extconf.rb +9 -8
- data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
- data/ext/cs__contrast_patch/extconf.rb +3 -0
- data/ext/cs__protect_kernel/cs__protect_kernel.c +23 -12
- data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
- data/ext/cs__protect_kernel/extconf.rb +3 -0
- data/ext/extconf_common.rb +10 -8
- data/funchook/autom4te.cache/requests +45 -45
- data/funchook/config.log +4 -4
- data/lib/contrast.rb +1 -1
- data/lib/contrast/agent.rb +32 -29
- data/lib/contrast/agent/assess.rb +1 -11
- data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
- data/lib/contrast/agent/assess/contrast_event.rb +16 -62
- data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
- data/lib/contrast/agent/assess/events/source_event.rb +83 -0
- data/lib/contrast/agent/assess/insulator.rb +0 -4
- data/lib/contrast/agent/assess/policy/patcher.rb +6 -2
- data/lib/contrast/agent/assess/policy/policy_node.rb +1 -8
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -2
- data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagation_method.rb +68 -33
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
- data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
- data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
- data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
- data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
- data/lib/contrast/agent/assess/policy/trigger_method.rb +30 -45
- data/lib/contrast/agent/assess/policy/trigger_node.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
- data/lib/contrast/agent/assess/properties.rb +5 -3
- data/lib/contrast/agent/assess/rule/base.rb +1 -20
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +23 -6
- data/lib/contrast/agent/assess/rule/redos.rb +4 -5
- data/lib/contrast/agent/assess/tag.rb +24 -14
- data/lib/contrast/agent/at_exit_hook.rb +16 -13
- data/lib/contrast/agent/class_reopener.rb +23 -8
- data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
- data/lib/contrast/agent/disable_reaction.rb +3 -4
- data/lib/contrast/agent/exclusion_matcher.rb +7 -48
- data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
- data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
- data/lib/contrast/agent/middleware.rb +101 -260
- data/lib/contrast/agent/module_data.rb +2 -1
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +13 -3
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +59 -47
- data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
- data/lib/contrast/agent/patching/policy/patch.rb +97 -23
- data/lib/contrast/agent/patching/policy/patcher.rb +28 -30
- data/lib/contrast/agent/patching/policy/policy.rb +7 -7
- data/lib/contrast/agent/patching/policy/policy_node.rb +3 -11
- data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -5
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
- data/lib/contrast/agent/protect/policy/policy.rb +6 -6
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
- data/lib/contrast/agent/protect/rule.rb +0 -5
- data/lib/contrast/agent/protect/rule/base.rb +19 -37
- data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +12 -15
- data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
- data/lib/contrast/agent/protect/rule/sqli.rb +5 -4
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
- data/lib/contrast/agent/protect/rule/xss.rb +2 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
- data/lib/contrast/agent/railtie.rb +3 -8
- data/lib/contrast/agent/reaction_processor.rb +5 -5
- data/lib/contrast/agent/request.rb +11 -18
- data/lib/contrast/agent/request_context.rb +16 -19
- data/lib/contrast/agent/request_handler.rb +35 -0
- data/lib/contrast/agent/response.rb +39 -86
- data/lib/contrast/agent/rewriter.rb +22 -10
- data/lib/contrast/agent/rule_set.rb +49 -0
- data/lib/contrast/agent/scope.rb +0 -6
- data/lib/contrast/agent/service_heartbeat.rb +3 -4
- data/lib/contrast/agent/socket_client.rb +25 -19
- data/lib/contrast/agent/static_analysis.rb +41 -0
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/tracepoint_hook.rb +1 -5
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/decorators.rb +14 -0
- data/lib/contrast/api/decorators/application_settings.rb +37 -0
- data/lib/contrast/api/decorators/application_update.rb +66 -0
- data/lib/contrast/api/decorators/input_analysis.rb +17 -0
- data/lib/contrast/api/decorators/server_features.rb +24 -0
- data/lib/contrast/api/speedracer.rb +28 -24
- data/lib/contrast/api/tcp_socket.rb +0 -2
- data/lib/contrast/components/agent.rb +34 -24
- data/lib/contrast/components/app_context.rb +45 -38
- data/lib/contrast/components/assess.rb +25 -15
- data/lib/contrast/components/config.rb +7 -5
- data/lib/contrast/components/contrast_service.rb +23 -71
- data/lib/contrast/components/heap_dump.rb +12 -8
- data/lib/contrast/components/interface.rb +15 -22
- data/lib/contrast/components/inventory.rb +5 -1
- data/lib/contrast/components/logger.rb +3 -68
- data/lib/contrast/components/protect.rb +40 -4
- data/lib/contrast/components/sampling.rb +22 -11
- data/lib/contrast/components/scope.rb +2 -52
- data/lib/contrast/components/settings.rb +42 -23
- data/lib/contrast/config/base_configuration.rb +1 -0
- data/lib/contrast/config/default_value.rb +1 -0
- data/lib/contrast/config/protect_rule_configuration.rb +0 -14
- data/lib/contrast/config/protect_rules_configuration.rb +0 -1
- data/lib/contrast/configuration.rb +2 -2
- data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
- data/lib/contrast/extension/assess/array.rb +77 -0
- data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +29 -24
- data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -8
- data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
- data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +7 -9
- data/lib/contrast/extension/assess/fiber.rb +113 -0
- data/lib/contrast/extension/assess/hash.rb +39 -0
- data/lib/contrast/extension/assess/kernel.rb +110 -0
- data/lib/contrast/extension/assess/regexp.rb +84 -0
- data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +18 -10
- data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
- data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
- data/lib/contrast/extension/kernel.rb +54 -0
- data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
- data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
- data/lib/contrast/extension/protect/kernel.rb +44 -0
- data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
- data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
- data/lib/contrast/framework/base_support.rb +32 -0
- data/lib/contrast/framework/manager.rb +59 -8
- data/lib/contrast/framework/platform_version.rb +1 -0
- data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
- data/lib/contrast/framework/rack/patch/support.rb +24 -0
- data/lib/contrast/framework/rack/support.rb +22 -0
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
- data/lib/contrast/framework/rails/patch/support.rb +67 -0
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
- data/lib/contrast/framework/rails/support.rb +115 -0
- data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
- data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
- data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
- data/lib/contrast/framework/sinatra/support.rb +109 -0
- data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
- data/lib/contrast/logger/application.rb +80 -0
- data/lib/contrast/logger/log.rb +143 -0
- data/lib/contrast/logger/time.rb +50 -0
- data/lib/contrast/tasks/config.rb +54 -0
- data/lib/contrast/tasks/service.rb +3 -13
- data/lib/contrast/utils/assess/sampling_util.rb +4 -9
- data/lib/contrast/utils/assess/tracking_util.rb +7 -1
- data/lib/contrast/utils/boolean_util.rb +2 -2
- data/lib/contrast/utils/cache.rb +0 -11
- data/lib/contrast/utils/class_util.rb +21 -2
- data/lib/contrast/utils/gemfile_reader.rb +7 -5
- data/lib/contrast/utils/hash_digest.rb +2 -11
- data/lib/contrast/utils/heap_dump_util.rb +12 -11
- data/lib/contrast/utils/invalid_configuration_util.rb +4 -4
- data/lib/contrast/utils/inventory_util.rb +2 -2
- data/lib/contrast/utils/io_util.rb +1 -11
- data/lib/contrast/utils/job_servers_running.rb +6 -4
- data/lib/contrast/utils/object_share.rb +1 -28
- data/lib/contrast/utils/os.rb +1 -25
- data/lib/contrast/utils/service_response_util.rb +36 -60
- data/lib/contrast/utils/service_sender_util.rb +84 -23
- data/lib/contrast/utils/sinatra_helper.rb +0 -6
- data/lib/contrast/utils/stack_trace_utils.rb +86 -182
- data/lib/contrast/utils/string_utils.rb +18 -2
- data/lib/contrast/utils/tag_util.rb +11 -1
- data/lib/contrast/utils/thread_tracker.rb +2 -2
- data/lib/contrast/utils/timer.rb +0 -40
- data/resources/assess/policy.json +42 -71
- data/resources/inventory/policy.json +2 -2
- data/resources/protect/policy.json +15 -15
- data/ruby-agent.gemspec +11 -4
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +122 -111
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
- data/ext/cs__assess_regexp_track/extconf.rb +0 -2
- data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
- data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
- data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
- data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
- data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
- data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
- data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
- data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
- data/lib/contrast/agent/feature_state.rb +0 -376
- data/lib/contrast/agent/logger_manager.rb +0 -116
- data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
- data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
- data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
- data/lib/contrast/agent/settings_state.rb +0 -152
- data/lib/contrast/delegators.rb +0 -9
- data/lib/contrast/delegators/application_update.rb +0 -32
- data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
- data/lib/contrast/extensions/framework/rack/request.rb +0 -24
- data/lib/contrast/extensions/framework/rack/response.rb +0 -23
- data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
- data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
- data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
- data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
- data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
- data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
- data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
- data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
- data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
- data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
- data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
- data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
- data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
- data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
- data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
- data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
- data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
- data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
- data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
- data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
- data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
- data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
- data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
- data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
- data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
- data/lib/contrast/framework/rails_support.rb +0 -88
- data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
- data/lib/contrast/framework/sinatra_support.rb +0 -94
- data/lib/contrast/utils/comment_range.rb +0 -19
- data/lib/contrast/utils/data_store_util.rb +0 -23
- data/lib/contrast/utils/environment_util.rb +0 -81
- data/lib/contrast/utils/performs_logging.rb +0 -152
- data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
- data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
- data/lib/contrast/utils/random_util.rb +0 -22
- data/resources/csrf/inject.js +0 -44
- data/resources/factory-bot-spec/spec_helper.rb +0 -30
- data/resources/rubocops/kernel/catch_cop.rb +0 -37
- data/resources/rubocops/kernel/require_cop.rb +0 -37
- data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
- data/resources/rubocops/module/autoload_cop.rb +0 -37
- data/resources/rubocops/module/const_defined_cop.rb +0 -37
- data/resources/rubocops/module/const_get_cop.rb +0 -37
- data/resources/rubocops/module/const_set_cop.rb +0 -37
- data/resources/rubocops/module/constants_cop.rb +0 -37
- data/resources/rubocops/module/name_cop.rb +0 -37
- data/resources/rubocops/object/class_cop.rb +0 -37
- data/resources/rubocops/object/freeze_cop.rb +0 -37
- data/resources/rubocops/object/frozen_cop.rb +0 -37
- data/resources/rubocops/object/is_a_cop.rb +0 -37
- data/resources/rubocops/object/method_cop.rb +0 -37
- data/resources/rubocops/object/respond_to_cop.rb +0 -37
- data/resources/rubocops/object/singleton_class_cop.rb +0 -37
- data/resources/rubocops/regexp/spelling_cop.rb +0 -44
- data/resources/rubocops/thread/new_cop.rb +0 -39
- data/resources/ruby-spec/ancestors_spec.rb +0 -70
- data/resources/ruby-spec/modulo_spec.rb +0 -831
- data/resources/ruby-spec/parameters_spec.rb +0 -261
- data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
@@ -3,9 +3,9 @@
|
|
3
3
|
|
4
4
|
cs__scoped_require 'contrast/framework/view_technologies_descriptor'
|
5
5
|
cs__scoped_require 'contrast/framework/platform_version'
|
6
|
-
cs__scoped_require 'contrast/framework/
|
7
|
-
cs__scoped_require 'contrast/framework/
|
8
|
-
cs__scoped_require 'contrast/framework/
|
6
|
+
cs__scoped_require 'contrast/framework/rack/support'
|
7
|
+
cs__scoped_require 'contrast/framework/rails/support'
|
8
|
+
cs__scoped_require 'contrast/framework/sinatra/support'
|
9
9
|
cs__scoped_require 'contrast/components/interface'
|
10
10
|
cs__scoped_require 'contrast/utils/class_util'
|
11
11
|
|
@@ -14,26 +14,51 @@ module Contrast
|
|
14
14
|
# Allows access to framework specific information
|
15
15
|
class Manager
|
16
16
|
include Contrast::Components::Interface
|
17
|
-
access_component :
|
17
|
+
access_component :analysis, :logging
|
18
18
|
|
19
19
|
# Order here does matter as the first framework listed will be the first one we pull information from
|
20
20
|
# Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
|
21
21
|
# do not exist
|
22
22
|
SUPPORTED_FRAMEWORKS = [
|
23
|
-
Contrast::Framework::
|
24
|
-
Contrast::Framework::
|
23
|
+
Contrast::Framework::Rails::Support,
|
24
|
+
Contrast::Framework::Sinatra::Support,
|
25
|
+
Contrast::Framework::Rack::Support
|
25
26
|
].cs__freeze
|
26
27
|
|
27
28
|
def initialize
|
28
29
|
@_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
|
29
30
|
next unless enable_framework_support?(framework_klass.detection_class)
|
30
31
|
|
31
|
-
logger.
|
32
|
+
logger.info('Framework detected. Enabling support.', framework: framework_klass.detection_class)
|
32
33
|
framework_klass
|
33
34
|
end
|
34
35
|
@_frameworks.compact!
|
35
36
|
end
|
36
37
|
|
38
|
+
# Patches that have to be applied as early as possible to catch calls
|
39
|
+
# that happen prior to the first Request, typically those around
|
40
|
+
# configuration.
|
41
|
+
def before_load_patches!
|
42
|
+
@_before_load_patches ||= begin
|
43
|
+
SUPPORTED_FRAMEWORKS.each(&:before_load_patches)
|
44
|
+
true
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
48
|
+
# Return all the After Load Patches for all the Frameworks we know, even
|
49
|
+
# if that Framework hasn't been detected.
|
50
|
+
#
|
51
|
+
# @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the
|
52
|
+
# AfterLoadPatches of each framework
|
53
|
+
def find_after_load_patches
|
54
|
+
patches = Set.new
|
55
|
+
SUPPORTED_FRAMEWORKS.each do |framework|
|
56
|
+
framework_patches = framework.after_load_patches
|
57
|
+
patches.merge(framework_patches) if framework_patches && !framework_patches.empty?
|
58
|
+
end
|
59
|
+
patches
|
60
|
+
end
|
61
|
+
|
37
62
|
def find_applicable_view_technologies
|
38
63
|
scan_views_for_all_frameworks
|
39
64
|
end
|
@@ -56,11 +81,37 @@ module Contrast
|
|
56
81
|
first_framework_result :application_name, 'root'
|
57
82
|
end
|
58
83
|
|
84
|
+
def app_root
|
85
|
+
found = first_framework_result :application_root, nil
|
86
|
+
found || ::Rack::Directory.new('').root
|
87
|
+
end
|
88
|
+
|
89
|
+
# If we have 0 or n > 1 frameworks, we need to use the default rack request
|
90
|
+
# @param env [Hash] the various variables stored by this and other Middlewares to know the state
|
91
|
+
# and values of this particular Request
|
92
|
+
def retrieve_request env
|
93
|
+
return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
|
94
|
+
|
95
|
+
::Rack::Request.new(env)
|
96
|
+
end
|
97
|
+
|
98
|
+
# @param env [Hash] the various variables stored by this and other Middlewares to know the state
|
99
|
+
# and values of this particular Request
|
100
|
+
# @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
|
101
|
+
def streaming? env
|
102
|
+
result = false
|
103
|
+
@_frameworks.each do |framework|
|
104
|
+
result = framework.streaming?(env)
|
105
|
+
break if result
|
106
|
+
end
|
107
|
+
result
|
108
|
+
end
|
109
|
+
|
59
110
|
def get_route_dtm request
|
60
111
|
result = nil
|
61
112
|
@_frameworks.find do |framework_klass|
|
62
113
|
# TODO: RUBY-763 Sinatra::Base#call patch adds the Route report
|
63
|
-
next if framework_klass == Contrast::Framework::
|
114
|
+
next if framework_klass == Contrast::Framework::Sinatra::Support
|
64
115
|
|
65
116
|
result = framework_klass.current_route(request)
|
66
117
|
end
|
@@ -0,0 +1,126 @@
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
cs__scoped_require 'contrast/components/interface'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Framework
|
8
|
+
module Rack
|
9
|
+
module Patch
|
10
|
+
# Our patch into the Rack::Session::Cookie Class, allowing for the
|
11
|
+
# runtime detection of insecure configurations on individual cookies
|
12
|
+
# within the application
|
13
|
+
class SessionCookie
|
14
|
+
include Contrast::Components::Interface
|
15
|
+
|
16
|
+
access_component :agent, :analysis, :logging, :scope
|
17
|
+
|
18
|
+
CS__SECURE_RULE_NAME = 'secure-flag-missing'
|
19
|
+
CS__HTTPONLY_NAME = 'rails-http-only-disabled'
|
20
|
+
CS__SESSION_TIMEOUT_NAME = 'session-timeout'
|
21
|
+
SAFE_SESSION_TIMEOUT = (30 * 60 * 60)
|
22
|
+
class << self
|
23
|
+
include Contrast::Utils::InvalidConfigurationUtil
|
24
|
+
|
25
|
+
def instrument
|
26
|
+
@_instrument ||= begin
|
27
|
+
::Rack::Session::Cookie.class_eval do
|
28
|
+
alias_method :cs__patched_initialize, :initialize
|
29
|
+
def initialize app, options = {}
|
30
|
+
Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
|
31
|
+
cs__patched_initialize(app, options)
|
32
|
+
end
|
33
|
+
end
|
34
|
+
true
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
def analyze options
|
39
|
+
return unless AGENT.enabled?
|
40
|
+
return if PROTECT.enabled?
|
41
|
+
|
42
|
+
apply_session_timeout(options)
|
43
|
+
apply_httponly(options)
|
44
|
+
apply_secure_session(options)
|
45
|
+
end
|
46
|
+
|
47
|
+
private
|
48
|
+
|
49
|
+
def vulnerable_setting?(setting_key,
|
50
|
+
safe_settings_value,
|
51
|
+
options, safe_default: true,
|
52
|
+
comparison_type: nil)
|
53
|
+
# In most cases, Rack is pretty nice and the default value is safe
|
54
|
+
return !safe_default unless options&.key?(setting_key)
|
55
|
+
|
56
|
+
value = options[setting_key]
|
57
|
+
|
58
|
+
return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
|
59
|
+
|
60
|
+
value != safe_settings_value
|
61
|
+
end
|
62
|
+
|
63
|
+
def apply_secure_session options
|
64
|
+
return unless vulnerable_setting?(
|
65
|
+
:secure,
|
66
|
+
true,
|
67
|
+
options,
|
68
|
+
safe_default: false)
|
69
|
+
|
70
|
+
with_contrast_scope do
|
71
|
+
cs__report_finding(
|
72
|
+
CS__SECURE_RULE_NAME,
|
73
|
+
options,
|
74
|
+
caller_locations(10, 9)[0])
|
75
|
+
end
|
76
|
+
rescue StandardError => e
|
77
|
+
begin
|
78
|
+
logger.error('Unable to track call to secure session', e)
|
79
|
+
rescue StandardError
|
80
|
+
nil
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
def apply_session_timeout options
|
85
|
+
return unless vulnerable_setting?(:expire_after,
|
86
|
+
SAFE_SESSION_TIMEOUT,
|
87
|
+
options,
|
88
|
+
safe_default: false,
|
89
|
+
comparison_type: :greater_than)
|
90
|
+
|
91
|
+
with_contrast_scope do
|
92
|
+
cs__report_finding(
|
93
|
+
CS__SESSION_TIMEOUT_NAME,
|
94
|
+
options,
|
95
|
+
caller_locations(10, 9)[0])
|
96
|
+
end
|
97
|
+
rescue StandardError => e
|
98
|
+
begin
|
99
|
+
logger.error('Unable to track call to set session timeout', e)
|
100
|
+
rescue StandardError
|
101
|
+
nil
|
102
|
+
end
|
103
|
+
end
|
104
|
+
|
105
|
+
def apply_httponly options
|
106
|
+
return unless vulnerable_setting?(:httponly, true, options)
|
107
|
+
|
108
|
+
with_contrast_scope do
|
109
|
+
cs__report_finding(
|
110
|
+
CS__HTTPONLY_NAME,
|
111
|
+
options,
|
112
|
+
caller_locations(10, 9)[0])
|
113
|
+
end
|
114
|
+
rescue StandardError => e
|
115
|
+
begin
|
116
|
+
logger.error('Unable to track call to httponly', e)
|
117
|
+
rescue StandardError
|
118
|
+
nil
|
119
|
+
end
|
120
|
+
end
|
121
|
+
end
|
122
|
+
end
|
123
|
+
end
|
124
|
+
end
|
125
|
+
end
|
126
|
+
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
cs__scoped_require 'contrast/agent/patching/policy/after_load_patch'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Framework
|
8
|
+
module Rack
|
9
|
+
module Patch
|
10
|
+
# Extension point allowing for the registration of Patches required to
|
11
|
+
# support the Rack framework.
|
12
|
+
module Support
|
13
|
+
# (See BaseSupport#after_load_patches)
|
14
|
+
def after_load_patches
|
15
|
+
Set.new([Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
|
16
|
+
'Rack::Session::Cookie',
|
17
|
+
'contrast/framework/rack/patch/session_cookie',
|
18
|
+
instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')])
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
@@ -0,0 +1,22 @@
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
cs__scoped_require 'contrast/framework/base_support'
|
5
|
+
cs__scoped_require 'contrast/framework/rack/patch/support'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Framework
|
9
|
+
module Rack
|
10
|
+
# Used when Rack is present to define framework specific behavior. For
|
11
|
+
# now, the only part of this implemented is the Patch Support.
|
12
|
+
class Support < BaseSupport
|
13
|
+
extend Contrast::Framework::Rack::Patch::Support
|
14
|
+
class << self
|
15
|
+
def detection_class
|
16
|
+
'don\'t let me be detected'
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
@@ -0,0 +1,43 @@
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
cs__scoped_require 'contrast/utils/service_sender_util'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Framework
|
8
|
+
module Rails
|
9
|
+
module Patch
|
10
|
+
# This class acts as our patch into the ActionController::Live::Buffer
|
11
|
+
# class, allowing us to track the close event on streamed responses.
|
12
|
+
class ActionControllerLiveBuffer
|
13
|
+
class << self
|
14
|
+
def send_messages
|
15
|
+
return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
|
16
|
+
|
17
|
+
[context.server_activity, context.activity, context.observed_route].each do |msg|
|
18
|
+
Contrast::Utils::ServiceSenderUtil.send_event_immediately(msg)
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
def instrument
|
23
|
+
@_instrument ||= begin
|
24
|
+
::ActionController::Live::Buffer.class_eval do
|
25
|
+
# normally pre->in->post filters are applied however, in a streamed response
|
26
|
+
# we can run into a case where it's pre -> in -> post -> more infilters
|
27
|
+
# in order to submit anything found during the infilters after the response has
|
28
|
+
# been written we need to explicitly send them
|
29
|
+
alias_method :cs__close, :close
|
30
|
+
def close
|
31
|
+
Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages
|
32
|
+
cs__close
|
33
|
+
end
|
34
|
+
end
|
35
|
+
true
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
@@ -0,0 +1,103 @@
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
cs__scoped_require 'contrast/components/interface'
|
5
|
+
cs__scoped_require 'contrast/utils/invalid_configuration_util'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Framework
|
9
|
+
module Rails
|
10
|
+
module Patch
|
11
|
+
# This module is used to analyze rails session storage configuration for assess vulnerabilities
|
12
|
+
module AssessConfiguration
|
13
|
+
include Contrast::Components::Interface
|
14
|
+
|
15
|
+
access_component :agent, :analysis, :logging, :scope
|
16
|
+
|
17
|
+
CS__SESSION_TIMEOUT_NAME = 'session-timeout'
|
18
|
+
SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
|
19
|
+
CS__SECURE_RULE_NAME = 'secure-flag-missing'
|
20
|
+
CS__HTTPONLY_RULE_NAME = 'rails-http-only-disabled'
|
21
|
+
|
22
|
+
class << self
|
23
|
+
include Contrast::Utils::InvalidConfigurationUtil
|
24
|
+
|
25
|
+
def analyze_session_store *args
|
26
|
+
return unless AGENT.enabled?
|
27
|
+
return if PROTECT.enabled?
|
28
|
+
|
29
|
+
apply_httponly_disabled(*args)
|
30
|
+
apply_secure_cookie_disabled(*args)
|
31
|
+
apply_session_timeout(*args)
|
32
|
+
end
|
33
|
+
|
34
|
+
private
|
35
|
+
|
36
|
+
def vulnerable_setting? setting_key, safe_settings_value, original_args, safe_default: true, comparison_type: nil
|
37
|
+
# In most cases, Rails is pretty nice and the default value is safe
|
38
|
+
return !safe_default unless original_args && original_args.length > 1
|
39
|
+
|
40
|
+
# If the user overrode some args, but not ours, fall back on the default
|
41
|
+
rails_session_settings = original_args[1]
|
42
|
+
return !safe_default unless rails_session_settings&.key?(setting_key)
|
43
|
+
|
44
|
+
value = rails_session_settings[setting_key]
|
45
|
+
|
46
|
+
return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
|
47
|
+
|
48
|
+
value != safe_settings_value
|
49
|
+
end
|
50
|
+
|
51
|
+
def apply_session_timeout *args
|
52
|
+
return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
|
53
|
+
return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
|
54
|
+
|
55
|
+
rails_session_settings = args[1]
|
56
|
+
with_contrast_scope do
|
57
|
+
cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(5, 4)[0])
|
58
|
+
end
|
59
|
+
rescue StandardError => e
|
60
|
+
begin
|
61
|
+
logger.error('Unable to track call to set session timeout', e)
|
62
|
+
rescue StandardError
|
63
|
+
nil
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
def apply_secure_cookie_disabled *args
|
68
|
+
return if ASSESS.rule_disabled? CS__SECURE_RULE_NAME
|
69
|
+
return unless vulnerable_setting?(:secure, true, args)
|
70
|
+
|
71
|
+
rails_session_settings = args[1]
|
72
|
+
with_contrast_scope do
|
73
|
+
cs__report_finding(CS__SECURE_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
|
74
|
+
end
|
75
|
+
rescue StandardError => e
|
76
|
+
begin
|
77
|
+
logger.error('Unable to track call to disable secure cookies', e)
|
78
|
+
rescue StandardError
|
79
|
+
nil
|
80
|
+
end
|
81
|
+
end
|
82
|
+
|
83
|
+
def apply_httponly_disabled *args
|
84
|
+
return if ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
|
85
|
+
return unless vulnerable_setting?(:httponly, true, args)
|
86
|
+
|
87
|
+
rails_session_settings = args[1]
|
88
|
+
with_contrast_scope do
|
89
|
+
cs__report_finding(CS__HTTPONLY_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
|
90
|
+
end
|
91
|
+
rescue StandardError => e
|
92
|
+
begin
|
93
|
+
logger.error('Unable to track call to disable httponly in session cookie', e)
|
94
|
+
rescue StandardError
|
95
|
+
nil
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
99
|
+
end
|
100
|
+
end
|
101
|
+
end
|
102
|
+
end
|
103
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
cs__scoped_require 'contrast/framework/rails/patch/assess_configuration'
|
5
|
+
module Contrast
|
6
|
+
module Framework
|
7
|
+
module Rails
|
8
|
+
module Patch
|
9
|
+
# Our patch into the Rails::Application::Configuration Class, allowing
|
10
|
+
# for the runtime detection of insecure configurations on individual
|
11
|
+
# ActionDispatch::Session::AbstractStore instances within the
|
12
|
+
# application.
|
13
|
+
class RailsApplicationConfiguration
|
14
|
+
def self.instrument
|
15
|
+
@_instrument ||= begin
|
16
|
+
::Rails::Application::Configuration.class_eval do
|
17
|
+
alias_method :cs__patched_session_store, :session_store
|
18
|
+
def session_store *args
|
19
|
+
ret = cs__patched_session_store(*args)
|
20
|
+
Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args)
|
21
|
+
ret
|
22
|
+
end
|
23
|
+
end
|
24
|
+
true
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|