contrast-agent 3.10.0 → 3.12.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (318) hide show
  1. checksums.yaml +4 -4
  2. data/.flayignore +1 -0
  3. data/.simplecov +5 -2
  4. data/ext/build_funchook.rb +12 -7
  5. data/ext/cs__assess_active_record_named/cs__active_record_named.c +12 -14
  6. data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
  7. data/ext/cs__assess_active_record_named/extconf.rb +3 -0
  8. data/ext/cs__assess_array/cs__assess_array.c +5 -6
  9. data/ext/cs__assess_array/cs__assess_array.h +1 -0
  10. data/ext/cs__assess_array/extconf.rb +3 -0
  11. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +13 -11
  12. data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
  13. data/ext/cs__assess_basic_object/extconf.rb +3 -0
  14. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
  15. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
  16. data/ext/cs__assess_fiber_track/extconf.rb +3 -0
  17. data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
  18. data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
  19. data/ext/cs__assess_hash/extconf.rb +3 -0
  20. data/ext/cs__assess_kernel/cs__assess_kernel.c +11 -9
  21. data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
  22. data/ext/cs__assess_kernel/extconf.rb +3 -0
  23. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
  24. data/ext/cs__assess_marshal_module/extconf.rb +3 -0
  25. data/ext/cs__assess_module/cs__assess_module.c +16 -14
  26. data/ext/cs__assess_module/cs__assess_module.h +3 -0
  27. data/ext/cs__assess_module/extconf.rb +3 -0
  28. data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
  29. data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
  30. data/ext/cs__assess_regexp/extconf.rb +3 -0
  31. data/ext/cs__assess_string/cs__assess_string.c +5 -8
  32. data/ext/cs__assess_string/cs__assess_string.h +2 -1
  33. data/ext/cs__assess_string/extconf.rb +3 -0
  34. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
  35. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
  36. data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
  37. data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
  38. data/ext/cs__assess_yield_track/extconf.rb +3 -0
  39. data/ext/cs__common/cs__common.c +80 -1
  40. data/ext/cs__common/cs__common.h +34 -0
  41. data/ext/cs__common/extconf.rb +9 -8
  42. data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
  43. data/ext/cs__contrast_patch/extconf.rb +3 -0
  44. data/ext/cs__protect_kernel/cs__protect_kernel.c +23 -12
  45. data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
  46. data/ext/cs__protect_kernel/extconf.rb +3 -0
  47. data/ext/extconf_common.rb +10 -8
  48. data/funchook/autom4te.cache/requests +45 -45
  49. data/funchook/config.log +4 -4
  50. data/lib/contrast.rb +1 -1
  51. data/lib/contrast/agent.rb +32 -29
  52. data/lib/contrast/agent/assess.rb +1 -11
  53. data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
  54. data/lib/contrast/agent/assess/contrast_event.rb +16 -62
  55. data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
  56. data/lib/contrast/agent/assess/events/source_event.rb +83 -0
  57. data/lib/contrast/agent/assess/insulator.rb +0 -4
  58. data/lib/contrast/agent/assess/policy/patcher.rb +6 -2
  59. data/lib/contrast/agent/assess/policy/policy_node.rb +1 -8
  60. data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -2
  61. data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
  62. data/lib/contrast/agent/assess/policy/propagation_method.rb +68 -33
  63. data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
  64. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  65. data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
  66. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
  67. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
  68. data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
  69. data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
  70. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
  71. data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
  72. data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
  73. data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
  74. data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
  75. data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
  76. data/lib/contrast/agent/assess/policy/trigger_method.rb +30 -45
  77. data/lib/contrast/agent/assess/policy/trigger_node.rb +7 -7
  78. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
  79. data/lib/contrast/agent/assess/properties.rb +5 -3
  80. data/lib/contrast/agent/assess/rule/base.rb +1 -20
  81. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +23 -6
  82. data/lib/contrast/agent/assess/rule/redos.rb +4 -5
  83. data/lib/contrast/agent/assess/tag.rb +24 -14
  84. data/lib/contrast/agent/at_exit_hook.rb +16 -13
  85. data/lib/contrast/agent/class_reopener.rb +23 -8
  86. data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
  87. data/lib/contrast/agent/disable_reaction.rb +3 -4
  88. data/lib/contrast/agent/exclusion_matcher.rb +7 -48
  89. data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
  90. data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
  91. data/lib/contrast/agent/middleware.rb +101 -260
  92. data/lib/contrast/agent/module_data.rb +2 -1
  93. data/lib/contrast/agent/patching/policy/after_load_patch.rb +13 -3
  94. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +59 -47
  95. data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
  96. data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
  97. data/lib/contrast/agent/patching/policy/patch.rb +97 -23
  98. data/lib/contrast/agent/patching/policy/patcher.rb +28 -30
  99. data/lib/contrast/agent/patching/policy/policy.rb +7 -7
  100. data/lib/contrast/agent/patching/policy/policy_node.rb +3 -11
  101. data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -5
  102. data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
  103. data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
  104. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
  105. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
  106. data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
  107. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
  108. data/lib/contrast/agent/protect/policy/policy.rb +6 -6
  109. data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
  110. data/lib/contrast/agent/protect/rule.rb +0 -5
  111. data/lib/contrast/agent/protect/rule/base.rb +19 -37
  112. data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
  113. data/lib/contrast/agent/protect/rule/cmd_injection.rb +12 -15
  114. data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
  115. data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
  116. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
  117. data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
  118. data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
  119. data/lib/contrast/agent/protect/rule/sqli.rb +5 -4
  120. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
  121. data/lib/contrast/agent/protect/rule/xss.rb +2 -0
  122. data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
  123. data/lib/contrast/agent/railtie.rb +3 -8
  124. data/lib/contrast/agent/reaction_processor.rb +5 -5
  125. data/lib/contrast/agent/request.rb +11 -18
  126. data/lib/contrast/agent/request_context.rb +16 -19
  127. data/lib/contrast/agent/request_handler.rb +35 -0
  128. data/lib/contrast/agent/response.rb +39 -86
  129. data/lib/contrast/agent/rewriter.rb +22 -10
  130. data/lib/contrast/agent/rule_set.rb +49 -0
  131. data/lib/contrast/agent/scope.rb +0 -6
  132. data/lib/contrast/agent/service_heartbeat.rb +3 -4
  133. data/lib/contrast/agent/socket_client.rb +25 -19
  134. data/lib/contrast/agent/static_analysis.rb +41 -0
  135. data/lib/contrast/agent/thread.rb +1 -1
  136. data/lib/contrast/agent/tracepoint_hook.rb +1 -5
  137. data/lib/contrast/agent/version.rb +1 -1
  138. data/lib/contrast/api.rb +1 -1
  139. data/lib/contrast/api/decorators.rb +14 -0
  140. data/lib/contrast/api/decorators/application_settings.rb +37 -0
  141. data/lib/contrast/api/decorators/application_update.rb +66 -0
  142. data/lib/contrast/api/decorators/input_analysis.rb +17 -0
  143. data/lib/contrast/api/decorators/server_features.rb +24 -0
  144. data/lib/contrast/api/speedracer.rb +28 -24
  145. data/lib/contrast/api/tcp_socket.rb +0 -2
  146. data/lib/contrast/components/agent.rb +34 -24
  147. data/lib/contrast/components/app_context.rb +45 -38
  148. data/lib/contrast/components/assess.rb +25 -15
  149. data/lib/contrast/components/config.rb +7 -5
  150. data/lib/contrast/components/contrast_service.rb +23 -71
  151. data/lib/contrast/components/heap_dump.rb +12 -8
  152. data/lib/contrast/components/interface.rb +15 -22
  153. data/lib/contrast/components/inventory.rb +5 -1
  154. data/lib/contrast/components/logger.rb +3 -68
  155. data/lib/contrast/components/protect.rb +40 -4
  156. data/lib/contrast/components/sampling.rb +22 -11
  157. data/lib/contrast/components/scope.rb +2 -52
  158. data/lib/contrast/components/settings.rb +42 -23
  159. data/lib/contrast/config/base_configuration.rb +1 -0
  160. data/lib/contrast/config/default_value.rb +1 -0
  161. data/lib/contrast/config/protect_rule_configuration.rb +0 -14
  162. data/lib/contrast/config/protect_rules_configuration.rb +0 -1
  163. data/lib/contrast/configuration.rb +2 -2
  164. data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
  165. data/lib/contrast/extension/assess/array.rb +77 -0
  166. data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +29 -24
  167. data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -8
  168. data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
  169. data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +7 -9
  170. data/lib/contrast/extension/assess/fiber.rb +113 -0
  171. data/lib/contrast/extension/assess/hash.rb +39 -0
  172. data/lib/contrast/extension/assess/kernel.rb +110 -0
  173. data/lib/contrast/extension/assess/regexp.rb +84 -0
  174. data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +18 -10
  175. data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
  176. data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
  177. data/lib/contrast/extension/kernel.rb +54 -0
  178. data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
  179. data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
  180. data/lib/contrast/extension/protect/kernel.rb +44 -0
  181. data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
  182. data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
  183. data/lib/contrast/framework/base_support.rb +32 -0
  184. data/lib/contrast/framework/manager.rb +59 -8
  185. data/lib/contrast/framework/platform_version.rb +1 -0
  186. data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
  187. data/lib/contrast/framework/rack/patch/support.rb +24 -0
  188. data/lib/contrast/framework/rack/support.rb +22 -0
  189. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
  190. data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
  191. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
  192. data/lib/contrast/framework/rails/patch/support.rb +67 -0
  193. data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
  194. data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
  195. data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
  196. data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
  197. data/lib/contrast/framework/rails/support.rb +115 -0
  198. data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
  199. data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
  200. data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
  201. data/lib/contrast/framework/sinatra/support.rb +109 -0
  202. data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
  203. data/lib/contrast/logger/application.rb +80 -0
  204. data/lib/contrast/logger/log.rb +143 -0
  205. data/lib/contrast/logger/time.rb +50 -0
  206. data/lib/contrast/tasks/config.rb +54 -0
  207. data/lib/contrast/tasks/service.rb +3 -13
  208. data/lib/contrast/utils/assess/sampling_util.rb +4 -9
  209. data/lib/contrast/utils/assess/tracking_util.rb +7 -1
  210. data/lib/contrast/utils/boolean_util.rb +2 -2
  211. data/lib/contrast/utils/cache.rb +0 -11
  212. data/lib/contrast/utils/class_util.rb +21 -2
  213. data/lib/contrast/utils/gemfile_reader.rb +7 -5
  214. data/lib/contrast/utils/hash_digest.rb +2 -11
  215. data/lib/contrast/utils/heap_dump_util.rb +12 -11
  216. data/lib/contrast/utils/invalid_configuration_util.rb +4 -4
  217. data/lib/contrast/utils/inventory_util.rb +2 -2
  218. data/lib/contrast/utils/io_util.rb +1 -11
  219. data/lib/contrast/utils/job_servers_running.rb +6 -4
  220. data/lib/contrast/utils/object_share.rb +1 -28
  221. data/lib/contrast/utils/os.rb +1 -25
  222. data/lib/contrast/utils/service_response_util.rb +36 -60
  223. data/lib/contrast/utils/service_sender_util.rb +84 -23
  224. data/lib/contrast/utils/sinatra_helper.rb +0 -6
  225. data/lib/contrast/utils/stack_trace_utils.rb +86 -182
  226. data/lib/contrast/utils/string_utils.rb +18 -2
  227. data/lib/contrast/utils/tag_util.rb +11 -1
  228. data/lib/contrast/utils/thread_tracker.rb +2 -2
  229. data/lib/contrast/utils/timer.rb +0 -40
  230. data/resources/assess/policy.json +42 -71
  231. data/resources/inventory/policy.json +2 -2
  232. data/resources/protect/policy.json +15 -15
  233. data/ruby-agent.gemspec +11 -4
  234. data/service_executables/VERSION +1 -1
  235. data/service_executables/linux/contrast-service +0 -0
  236. data/service_executables/mac/contrast-service +0 -0
  237. metadata +122 -111
  238. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
  239. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
  240. data/ext/cs__assess_regexp_track/extconf.rb +0 -2
  241. data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
  242. data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
  243. data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
  244. data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
  245. data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
  246. data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
  247. data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
  248. data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
  249. data/lib/contrast/agent/feature_state.rb +0 -376
  250. data/lib/contrast/agent/logger_manager.rb +0 -116
  251. data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
  252. data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
  253. data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
  254. data/lib/contrast/agent/settings_state.rb +0 -152
  255. data/lib/contrast/delegators.rb +0 -9
  256. data/lib/contrast/delegators/application_update.rb +0 -32
  257. data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
  258. data/lib/contrast/extensions/framework/rack/request.rb +0 -24
  259. data/lib/contrast/extensions/framework/rack/response.rb +0 -23
  260. data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
  261. data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
  262. data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
  263. data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
  264. data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
  265. data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
  266. data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
  267. data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
  268. data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
  269. data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
  270. data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
  271. data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
  272. data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
  273. data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
  274. data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
  275. data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
  276. data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
  277. data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
  278. data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
  279. data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
  280. data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
  281. data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
  282. data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
  283. data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
  284. data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
  285. data/lib/contrast/framework/rails_support.rb +0 -88
  286. data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
  287. data/lib/contrast/framework/sinatra_support.rb +0 -94
  288. data/lib/contrast/utils/comment_range.rb +0 -19
  289. data/lib/contrast/utils/data_store_util.rb +0 -23
  290. data/lib/contrast/utils/environment_util.rb +0 -81
  291. data/lib/contrast/utils/performs_logging.rb +0 -152
  292. data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
  293. data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
  294. data/lib/contrast/utils/random_util.rb +0 -22
  295. data/resources/csrf/inject.js +0 -44
  296. data/resources/factory-bot-spec/spec_helper.rb +0 -30
  297. data/resources/rubocops/kernel/catch_cop.rb +0 -37
  298. data/resources/rubocops/kernel/require_cop.rb +0 -37
  299. data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
  300. data/resources/rubocops/module/autoload_cop.rb +0 -37
  301. data/resources/rubocops/module/const_defined_cop.rb +0 -37
  302. data/resources/rubocops/module/const_get_cop.rb +0 -37
  303. data/resources/rubocops/module/const_set_cop.rb +0 -37
  304. data/resources/rubocops/module/constants_cop.rb +0 -37
  305. data/resources/rubocops/module/name_cop.rb +0 -37
  306. data/resources/rubocops/object/class_cop.rb +0 -37
  307. data/resources/rubocops/object/freeze_cop.rb +0 -37
  308. data/resources/rubocops/object/frozen_cop.rb +0 -37
  309. data/resources/rubocops/object/is_a_cop.rb +0 -37
  310. data/resources/rubocops/object/method_cop.rb +0 -37
  311. data/resources/rubocops/object/respond_to_cop.rb +0 -37
  312. data/resources/rubocops/object/singleton_class_cop.rb +0 -37
  313. data/resources/rubocops/regexp/spelling_cop.rb +0 -44
  314. data/resources/rubocops/thread/new_cop.rb +0 -39
  315. data/resources/ruby-spec/ancestors_spec.rb +0 -70
  316. data/resources/ruby-spec/modulo_spec.rb +0 -831
  317. data/resources/ruby-spec/parameters_spec.rb +0 -261
  318. data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
@@ -3,9 +3,9 @@
3
3
 
4
4
  cs__scoped_require 'contrast/framework/view_technologies_descriptor'
5
5
  cs__scoped_require 'contrast/framework/platform_version'
6
- cs__scoped_require 'contrast/framework/base_support'
7
- cs__scoped_require 'contrast/framework/rails_support'
8
- cs__scoped_require 'contrast/framework/sinatra_support'
6
+ cs__scoped_require 'contrast/framework/rack/support'
7
+ cs__scoped_require 'contrast/framework/rails/support'
8
+ cs__scoped_require 'contrast/framework/sinatra/support'
9
9
  cs__scoped_require 'contrast/components/interface'
10
10
  cs__scoped_require 'contrast/utils/class_util'
11
11
 
@@ -14,26 +14,51 @@ module Contrast
14
14
  # Allows access to framework specific information
15
15
  class Manager
16
16
  include Contrast::Components::Interface
17
- access_component :logging, :analysis
17
+ access_component :analysis, :logging
18
18
 
19
19
  # Order here does matter as the first framework listed will be the first one we pull information from
20
20
  # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
21
21
  # do not exist
22
22
  SUPPORTED_FRAMEWORKS = [
23
- Contrast::Framework::RailsSupport,
24
- Contrast::Framework::SinatraSupport
23
+ Contrast::Framework::Rails::Support,
24
+ Contrast::Framework::Sinatra::Support,
25
+ Contrast::Framework::Rack::Support
25
26
  ].cs__freeze
26
27
 
27
28
  def initialize
28
29
  @_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
29
30
  next unless enable_framework_support?(framework_klass.detection_class)
30
31
 
31
- logger.debug("Detected framework #{ framework_klass.detection_class } - enabling support")
32
+ logger.info('Framework detected. Enabling support.', framework: framework_klass.detection_class)
32
33
  framework_klass
33
34
  end
34
35
  @_frameworks.compact!
35
36
  end
36
37
 
38
+ # Patches that have to be applied as early as possible to catch calls
39
+ # that happen prior to the first Request, typically those around
40
+ # configuration.
41
+ def before_load_patches!
42
+ @_before_load_patches ||= begin
43
+ SUPPORTED_FRAMEWORKS.each(&:before_load_patches)
44
+ true
45
+ end
46
+ end
47
+
48
+ # Return all the After Load Patches for all the Frameworks we know, even
49
+ # if that Framework hasn't been detected.
50
+ #
51
+ # @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the
52
+ # AfterLoadPatches of each framework
53
+ def find_after_load_patches
54
+ patches = Set.new
55
+ SUPPORTED_FRAMEWORKS.each do |framework|
56
+ framework_patches = framework.after_load_patches
57
+ patches.merge(framework_patches) if framework_patches && !framework_patches.empty?
58
+ end
59
+ patches
60
+ end
61
+
37
62
  def find_applicable_view_technologies
38
63
  scan_views_for_all_frameworks
39
64
  end
@@ -56,11 +81,37 @@ module Contrast
56
81
  first_framework_result :application_name, 'root'
57
82
  end
58
83
 
84
+ def app_root
85
+ found = first_framework_result :application_root, nil
86
+ found || ::Rack::Directory.new('').root
87
+ end
88
+
89
+ # If we have 0 or n > 1 frameworks, we need to use the default rack request
90
+ # @param env [Hash] the various variables stored by this and other Middlewares to know the state
91
+ # and values of this particular Request
92
+ def retrieve_request env
93
+ return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
94
+
95
+ ::Rack::Request.new(env)
96
+ end
97
+
98
+ # @param env [Hash] the various variables stored by this and other Middlewares to know the state
99
+ # and values of this particular Request
100
+ # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
101
+ def streaming? env
102
+ result = false
103
+ @_frameworks.each do |framework|
104
+ result = framework.streaming?(env)
105
+ break if result
106
+ end
107
+ result
108
+ end
109
+
59
110
  def get_route_dtm request
60
111
  result = nil
61
112
  @_frameworks.find do |framework_klass|
62
113
  # TODO: RUBY-763 Sinatra::Base#call patch adds the Route report
63
- next if framework_klass == Contrast::Framework::SinatraSupport
114
+ next if framework_klass == Contrast::Framework::Sinatra::Support
64
115
 
65
116
  result = framework_klass.current_route(request)
66
117
  end
@@ -6,6 +6,7 @@ module Contrast
6
6
  # Used to map version strings from frameworks to ApplicationUpdate dtm
7
7
  class PlatformVersion
8
8
  attr_reader :major, :minor, :patch
9
+
9
10
  def initialize major, minor, patch
10
11
  @major = major || ''
11
12
  @minor = minor || ''
@@ -0,0 +1,126 @@
1
+ # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ cs__scoped_require 'contrast/components/interface'
5
+
6
+ module Contrast
7
+ module Framework
8
+ module Rack
9
+ module Patch
10
+ # Our patch into the Rack::Session::Cookie Class, allowing for the
11
+ # runtime detection of insecure configurations on individual cookies
12
+ # within the application
13
+ class SessionCookie
14
+ include Contrast::Components::Interface
15
+
16
+ access_component :agent, :analysis, :logging, :scope
17
+
18
+ CS__SECURE_RULE_NAME = 'secure-flag-missing'
19
+ CS__HTTPONLY_NAME = 'rails-http-only-disabled'
20
+ CS__SESSION_TIMEOUT_NAME = 'session-timeout'
21
+ SAFE_SESSION_TIMEOUT = (30 * 60 * 60)
22
+ class << self
23
+ include Contrast::Utils::InvalidConfigurationUtil
24
+
25
+ def instrument
26
+ @_instrument ||= begin
27
+ ::Rack::Session::Cookie.class_eval do
28
+ alias_method :cs__patched_initialize, :initialize
29
+ def initialize app, options = {}
30
+ Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
31
+ cs__patched_initialize(app, options)
32
+ end
33
+ end
34
+ true
35
+ end
36
+ end
37
+
38
+ def analyze options
39
+ return unless AGENT.enabled?
40
+ return if PROTECT.enabled?
41
+
42
+ apply_session_timeout(options)
43
+ apply_httponly(options)
44
+ apply_secure_session(options)
45
+ end
46
+
47
+ private
48
+
49
+ def vulnerable_setting?(setting_key,
50
+ safe_settings_value,
51
+ options, safe_default: true,
52
+ comparison_type: nil)
53
+ # In most cases, Rack is pretty nice and the default value is safe
54
+ return !safe_default unless options&.key?(setting_key)
55
+
56
+ value = options[setting_key]
57
+
58
+ return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
59
+
60
+ value != safe_settings_value
61
+ end
62
+
63
+ def apply_secure_session options
64
+ return unless vulnerable_setting?(
65
+ :secure,
66
+ true,
67
+ options,
68
+ safe_default: false)
69
+
70
+ with_contrast_scope do
71
+ cs__report_finding(
72
+ CS__SECURE_RULE_NAME,
73
+ options,
74
+ caller_locations(10, 9)[0])
75
+ end
76
+ rescue StandardError => e
77
+ begin
78
+ logger.error('Unable to track call to secure session', e)
79
+ rescue StandardError
80
+ nil
81
+ end
82
+ end
83
+
84
+ def apply_session_timeout options
85
+ return unless vulnerable_setting?(:expire_after,
86
+ SAFE_SESSION_TIMEOUT,
87
+ options,
88
+ safe_default: false,
89
+ comparison_type: :greater_than)
90
+
91
+ with_contrast_scope do
92
+ cs__report_finding(
93
+ CS__SESSION_TIMEOUT_NAME,
94
+ options,
95
+ caller_locations(10, 9)[0])
96
+ end
97
+ rescue StandardError => e
98
+ begin
99
+ logger.error('Unable to track call to set session timeout', e)
100
+ rescue StandardError
101
+ nil
102
+ end
103
+ end
104
+
105
+ def apply_httponly options
106
+ return unless vulnerable_setting?(:httponly, true, options)
107
+
108
+ with_contrast_scope do
109
+ cs__report_finding(
110
+ CS__HTTPONLY_NAME,
111
+ options,
112
+ caller_locations(10, 9)[0])
113
+ end
114
+ rescue StandardError => e
115
+ begin
116
+ logger.error('Unable to track call to httponly', e)
117
+ rescue StandardError
118
+ nil
119
+ end
120
+ end
121
+ end
122
+ end
123
+ end
124
+ end
125
+ end
126
+ end
@@ -0,0 +1,24 @@
1
+ # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ cs__scoped_require 'contrast/agent/patching/policy/after_load_patch'
5
+
6
+ module Contrast
7
+ module Framework
8
+ module Rack
9
+ module Patch
10
+ # Extension point allowing for the registration of Patches required to
11
+ # support the Rack framework.
12
+ module Support
13
+ # (See BaseSupport#after_load_patches)
14
+ def after_load_patches
15
+ Set.new([Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
16
+ 'Rack::Session::Cookie',
17
+ 'contrast/framework/rack/patch/session_cookie',
18
+ instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')])
19
+ end
20
+ end
21
+ end
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,22 @@
1
+ # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ cs__scoped_require 'contrast/framework/base_support'
5
+ cs__scoped_require 'contrast/framework/rack/patch/support'
6
+
7
+ module Contrast
8
+ module Framework
9
+ module Rack
10
+ # Used when Rack is present to define framework specific behavior. For
11
+ # now, the only part of this implemented is the Patch Support.
12
+ class Support < BaseSupport
13
+ extend Contrast::Framework::Rack::Patch::Support
14
+ class << self
15
+ def detection_class
16
+ 'don\'t let me be detected'
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
22
+ end
@@ -0,0 +1,43 @@
1
+ # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ cs__scoped_require 'contrast/utils/service_sender_util'
5
+
6
+ module Contrast
7
+ module Framework
8
+ module Rails
9
+ module Patch
10
+ # This class acts as our patch into the ActionController::Live::Buffer
11
+ # class, allowing us to track the close event on streamed responses.
12
+ class ActionControllerLiveBuffer
13
+ class << self
14
+ def send_messages
15
+ return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
16
+
17
+ [context.server_activity, context.activity, context.observed_route].each do |msg|
18
+ Contrast::Utils::ServiceSenderUtil.send_event_immediately(msg)
19
+ end
20
+ end
21
+
22
+ def instrument
23
+ @_instrument ||= begin
24
+ ::ActionController::Live::Buffer.class_eval do
25
+ # normally pre->in->post filters are applied however, in a streamed response
26
+ # we can run into a case where it's pre -> in -> post -> more infilters
27
+ # in order to submit anything found during the infilters after the response has
28
+ # been written we need to explicitly send them
29
+ alias_method :cs__close, :close
30
+ def close
31
+ Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages
32
+ cs__close
33
+ end
34
+ end
35
+ true
36
+ end
37
+ end
38
+ end
39
+ end
40
+ end
41
+ end
42
+ end
43
+ end
@@ -0,0 +1,103 @@
1
+ # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ cs__scoped_require 'contrast/components/interface'
5
+ cs__scoped_require 'contrast/utils/invalid_configuration_util'
6
+
7
+ module Contrast
8
+ module Framework
9
+ module Rails
10
+ module Patch
11
+ # This module is used to analyze rails session storage configuration for assess vulnerabilities
12
+ module AssessConfiguration
13
+ include Contrast::Components::Interface
14
+
15
+ access_component :agent, :analysis, :logging, :scope
16
+
17
+ CS__SESSION_TIMEOUT_NAME = 'session-timeout'
18
+ SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
19
+ CS__SECURE_RULE_NAME = 'secure-flag-missing'
20
+ CS__HTTPONLY_RULE_NAME = 'rails-http-only-disabled'
21
+
22
+ class << self
23
+ include Contrast::Utils::InvalidConfigurationUtil
24
+
25
+ def analyze_session_store *args
26
+ return unless AGENT.enabled?
27
+ return if PROTECT.enabled?
28
+
29
+ apply_httponly_disabled(*args)
30
+ apply_secure_cookie_disabled(*args)
31
+ apply_session_timeout(*args)
32
+ end
33
+
34
+ private
35
+
36
+ def vulnerable_setting? setting_key, safe_settings_value, original_args, safe_default: true, comparison_type: nil
37
+ # In most cases, Rails is pretty nice and the default value is safe
38
+ return !safe_default unless original_args && original_args.length > 1
39
+
40
+ # If the user overrode some args, but not ours, fall back on the default
41
+ rails_session_settings = original_args[1]
42
+ return !safe_default unless rails_session_settings&.key?(setting_key)
43
+
44
+ value = rails_session_settings[setting_key]
45
+
46
+ return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
47
+
48
+ value != safe_settings_value
49
+ end
50
+
51
+ def apply_session_timeout *args
52
+ return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
53
+ return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
54
+
55
+ rails_session_settings = args[1]
56
+ with_contrast_scope do
57
+ cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(5, 4)[0])
58
+ end
59
+ rescue StandardError => e
60
+ begin
61
+ logger.error('Unable to track call to set session timeout', e)
62
+ rescue StandardError
63
+ nil
64
+ end
65
+ end
66
+
67
+ def apply_secure_cookie_disabled *args
68
+ return if ASSESS.rule_disabled? CS__SECURE_RULE_NAME
69
+ return unless vulnerable_setting?(:secure, true, args)
70
+
71
+ rails_session_settings = args[1]
72
+ with_contrast_scope do
73
+ cs__report_finding(CS__SECURE_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
74
+ end
75
+ rescue StandardError => e
76
+ begin
77
+ logger.error('Unable to track call to disable secure cookies', e)
78
+ rescue StandardError
79
+ nil
80
+ end
81
+ end
82
+
83
+ def apply_httponly_disabled *args
84
+ return if ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
85
+ return unless vulnerable_setting?(:httponly, true, args)
86
+
87
+ rails_session_settings = args[1]
88
+ with_contrast_scope do
89
+ cs__report_finding(CS__HTTPONLY_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
90
+ end
91
+ rescue StandardError => e
92
+ begin
93
+ logger.error('Unable to track call to disable httponly in session cookie', e)
94
+ rescue StandardError
95
+ nil
96
+ end
97
+ end
98
+ end
99
+ end
100
+ end
101
+ end
102
+ end
103
+ end
@@ -0,0 +1,31 @@
1
+ # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ cs__scoped_require 'contrast/framework/rails/patch/assess_configuration'
5
+ module Contrast
6
+ module Framework
7
+ module Rails
8
+ module Patch
9
+ # Our patch into the Rails::Application::Configuration Class, allowing
10
+ # for the runtime detection of insecure configurations on individual
11
+ # ActionDispatch::Session::AbstractStore instances within the
12
+ # application.
13
+ class RailsApplicationConfiguration
14
+ def self.instrument
15
+ @_instrument ||= begin
16
+ ::Rails::Application::Configuration.class_eval do
17
+ alias_method :cs__patched_session_store, :session_store
18
+ def session_store *args
19
+ ret = cs__patched_session_store(*args)
20
+ Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args)
21
+ ret
22
+ end
23
+ end
24
+ true
25
+ end
26
+ end
27
+ end
28
+ end
29
+ end
30
+ end
31
+ end