contrast-agent 3.10.0 → 3.12.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (318) hide show
  1. checksums.yaml +4 -4
  2. data/.flayignore +1 -0
  3. data/.simplecov +5 -2
  4. data/ext/build_funchook.rb +12 -7
  5. data/ext/cs__assess_active_record_named/cs__active_record_named.c +12 -14
  6. data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
  7. data/ext/cs__assess_active_record_named/extconf.rb +3 -0
  8. data/ext/cs__assess_array/cs__assess_array.c +5 -6
  9. data/ext/cs__assess_array/cs__assess_array.h +1 -0
  10. data/ext/cs__assess_array/extconf.rb +3 -0
  11. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +13 -11
  12. data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
  13. data/ext/cs__assess_basic_object/extconf.rb +3 -0
  14. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
  15. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
  16. data/ext/cs__assess_fiber_track/extconf.rb +3 -0
  17. data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
  18. data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
  19. data/ext/cs__assess_hash/extconf.rb +3 -0
  20. data/ext/cs__assess_kernel/cs__assess_kernel.c +11 -9
  21. data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
  22. data/ext/cs__assess_kernel/extconf.rb +3 -0
  23. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
  24. data/ext/cs__assess_marshal_module/extconf.rb +3 -0
  25. data/ext/cs__assess_module/cs__assess_module.c +16 -14
  26. data/ext/cs__assess_module/cs__assess_module.h +3 -0
  27. data/ext/cs__assess_module/extconf.rb +3 -0
  28. data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
  29. data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
  30. data/ext/cs__assess_regexp/extconf.rb +3 -0
  31. data/ext/cs__assess_string/cs__assess_string.c +5 -8
  32. data/ext/cs__assess_string/cs__assess_string.h +2 -1
  33. data/ext/cs__assess_string/extconf.rb +3 -0
  34. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
  35. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
  36. data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
  37. data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
  38. data/ext/cs__assess_yield_track/extconf.rb +3 -0
  39. data/ext/cs__common/cs__common.c +80 -1
  40. data/ext/cs__common/cs__common.h +34 -0
  41. data/ext/cs__common/extconf.rb +9 -8
  42. data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
  43. data/ext/cs__contrast_patch/extconf.rb +3 -0
  44. data/ext/cs__protect_kernel/cs__protect_kernel.c +23 -12
  45. data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
  46. data/ext/cs__protect_kernel/extconf.rb +3 -0
  47. data/ext/extconf_common.rb +10 -8
  48. data/funchook/autom4te.cache/requests +45 -45
  49. data/funchook/config.log +4 -4
  50. data/lib/contrast.rb +1 -1
  51. data/lib/contrast/agent.rb +32 -29
  52. data/lib/contrast/agent/assess.rb +1 -11
  53. data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
  54. data/lib/contrast/agent/assess/contrast_event.rb +16 -62
  55. data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
  56. data/lib/contrast/agent/assess/events/source_event.rb +83 -0
  57. data/lib/contrast/agent/assess/insulator.rb +0 -4
  58. data/lib/contrast/agent/assess/policy/patcher.rb +6 -2
  59. data/lib/contrast/agent/assess/policy/policy_node.rb +1 -8
  60. data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -2
  61. data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
  62. data/lib/contrast/agent/assess/policy/propagation_method.rb +68 -33
  63. data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
  64. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  65. data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
  66. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
  67. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
  68. data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
  69. data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
  70. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
  71. data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
  72. data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
  73. data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
  74. data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
  75. data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
  76. data/lib/contrast/agent/assess/policy/trigger_method.rb +30 -45
  77. data/lib/contrast/agent/assess/policy/trigger_node.rb +7 -7
  78. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
  79. data/lib/contrast/agent/assess/properties.rb +5 -3
  80. data/lib/contrast/agent/assess/rule/base.rb +1 -20
  81. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +23 -6
  82. data/lib/contrast/agent/assess/rule/redos.rb +4 -5
  83. data/lib/contrast/agent/assess/tag.rb +24 -14
  84. data/lib/contrast/agent/at_exit_hook.rb +16 -13
  85. data/lib/contrast/agent/class_reopener.rb +23 -8
  86. data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
  87. data/lib/contrast/agent/disable_reaction.rb +3 -4
  88. data/lib/contrast/agent/exclusion_matcher.rb +7 -48
  89. data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
  90. data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
  91. data/lib/contrast/agent/middleware.rb +101 -260
  92. data/lib/contrast/agent/module_data.rb +2 -1
  93. data/lib/contrast/agent/patching/policy/after_load_patch.rb +13 -3
  94. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +59 -47
  95. data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
  96. data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
  97. data/lib/contrast/agent/patching/policy/patch.rb +97 -23
  98. data/lib/contrast/agent/patching/policy/patcher.rb +28 -30
  99. data/lib/contrast/agent/patching/policy/policy.rb +7 -7
  100. data/lib/contrast/agent/patching/policy/policy_node.rb +3 -11
  101. data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -5
  102. data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
  103. data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
  104. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
  105. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
  106. data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
  107. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
  108. data/lib/contrast/agent/protect/policy/policy.rb +6 -6
  109. data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
  110. data/lib/contrast/agent/protect/rule.rb +0 -5
  111. data/lib/contrast/agent/protect/rule/base.rb +19 -37
  112. data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
  113. data/lib/contrast/agent/protect/rule/cmd_injection.rb +12 -15
  114. data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
  115. data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
  116. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
  117. data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
  118. data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
  119. data/lib/contrast/agent/protect/rule/sqli.rb +5 -4
  120. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
  121. data/lib/contrast/agent/protect/rule/xss.rb +2 -0
  122. data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
  123. data/lib/contrast/agent/railtie.rb +3 -8
  124. data/lib/contrast/agent/reaction_processor.rb +5 -5
  125. data/lib/contrast/agent/request.rb +11 -18
  126. data/lib/contrast/agent/request_context.rb +16 -19
  127. data/lib/contrast/agent/request_handler.rb +35 -0
  128. data/lib/contrast/agent/response.rb +39 -86
  129. data/lib/contrast/agent/rewriter.rb +22 -10
  130. data/lib/contrast/agent/rule_set.rb +49 -0
  131. data/lib/contrast/agent/scope.rb +0 -6
  132. data/lib/contrast/agent/service_heartbeat.rb +3 -4
  133. data/lib/contrast/agent/socket_client.rb +25 -19
  134. data/lib/contrast/agent/static_analysis.rb +41 -0
  135. data/lib/contrast/agent/thread.rb +1 -1
  136. data/lib/contrast/agent/tracepoint_hook.rb +1 -5
  137. data/lib/contrast/agent/version.rb +1 -1
  138. data/lib/contrast/api.rb +1 -1
  139. data/lib/contrast/api/decorators.rb +14 -0
  140. data/lib/contrast/api/decorators/application_settings.rb +37 -0
  141. data/lib/contrast/api/decorators/application_update.rb +66 -0
  142. data/lib/contrast/api/decorators/input_analysis.rb +17 -0
  143. data/lib/contrast/api/decorators/server_features.rb +24 -0
  144. data/lib/contrast/api/speedracer.rb +28 -24
  145. data/lib/contrast/api/tcp_socket.rb +0 -2
  146. data/lib/contrast/components/agent.rb +34 -24
  147. data/lib/contrast/components/app_context.rb +45 -38
  148. data/lib/contrast/components/assess.rb +25 -15
  149. data/lib/contrast/components/config.rb +7 -5
  150. data/lib/contrast/components/contrast_service.rb +23 -71
  151. data/lib/contrast/components/heap_dump.rb +12 -8
  152. data/lib/contrast/components/interface.rb +15 -22
  153. data/lib/contrast/components/inventory.rb +5 -1
  154. data/lib/contrast/components/logger.rb +3 -68
  155. data/lib/contrast/components/protect.rb +40 -4
  156. data/lib/contrast/components/sampling.rb +22 -11
  157. data/lib/contrast/components/scope.rb +2 -52
  158. data/lib/contrast/components/settings.rb +42 -23
  159. data/lib/contrast/config/base_configuration.rb +1 -0
  160. data/lib/contrast/config/default_value.rb +1 -0
  161. data/lib/contrast/config/protect_rule_configuration.rb +0 -14
  162. data/lib/contrast/config/protect_rules_configuration.rb +0 -1
  163. data/lib/contrast/configuration.rb +2 -2
  164. data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
  165. data/lib/contrast/extension/assess/array.rb +77 -0
  166. data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +29 -24
  167. data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -8
  168. data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
  169. data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +7 -9
  170. data/lib/contrast/extension/assess/fiber.rb +113 -0
  171. data/lib/contrast/extension/assess/hash.rb +39 -0
  172. data/lib/contrast/extension/assess/kernel.rb +110 -0
  173. data/lib/contrast/extension/assess/regexp.rb +84 -0
  174. data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +18 -10
  175. data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
  176. data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
  177. data/lib/contrast/extension/kernel.rb +54 -0
  178. data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
  179. data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
  180. data/lib/contrast/extension/protect/kernel.rb +44 -0
  181. data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
  182. data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
  183. data/lib/contrast/framework/base_support.rb +32 -0
  184. data/lib/contrast/framework/manager.rb +59 -8
  185. data/lib/contrast/framework/platform_version.rb +1 -0
  186. data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
  187. data/lib/contrast/framework/rack/patch/support.rb +24 -0
  188. data/lib/contrast/framework/rack/support.rb +22 -0
  189. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
  190. data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
  191. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
  192. data/lib/contrast/framework/rails/patch/support.rb +67 -0
  193. data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
  194. data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
  195. data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
  196. data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
  197. data/lib/contrast/framework/rails/support.rb +115 -0
  198. data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
  199. data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
  200. data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
  201. data/lib/contrast/framework/sinatra/support.rb +109 -0
  202. data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
  203. data/lib/contrast/logger/application.rb +80 -0
  204. data/lib/contrast/logger/log.rb +143 -0
  205. data/lib/contrast/logger/time.rb +50 -0
  206. data/lib/contrast/tasks/config.rb +54 -0
  207. data/lib/contrast/tasks/service.rb +3 -13
  208. data/lib/contrast/utils/assess/sampling_util.rb +4 -9
  209. data/lib/contrast/utils/assess/tracking_util.rb +7 -1
  210. data/lib/contrast/utils/boolean_util.rb +2 -2
  211. data/lib/contrast/utils/cache.rb +0 -11
  212. data/lib/contrast/utils/class_util.rb +21 -2
  213. data/lib/contrast/utils/gemfile_reader.rb +7 -5
  214. data/lib/contrast/utils/hash_digest.rb +2 -11
  215. data/lib/contrast/utils/heap_dump_util.rb +12 -11
  216. data/lib/contrast/utils/invalid_configuration_util.rb +4 -4
  217. data/lib/contrast/utils/inventory_util.rb +2 -2
  218. data/lib/contrast/utils/io_util.rb +1 -11
  219. data/lib/contrast/utils/job_servers_running.rb +6 -4
  220. data/lib/contrast/utils/object_share.rb +1 -28
  221. data/lib/contrast/utils/os.rb +1 -25
  222. data/lib/contrast/utils/service_response_util.rb +36 -60
  223. data/lib/contrast/utils/service_sender_util.rb +84 -23
  224. data/lib/contrast/utils/sinatra_helper.rb +0 -6
  225. data/lib/contrast/utils/stack_trace_utils.rb +86 -182
  226. data/lib/contrast/utils/string_utils.rb +18 -2
  227. data/lib/contrast/utils/tag_util.rb +11 -1
  228. data/lib/contrast/utils/thread_tracker.rb +2 -2
  229. data/lib/contrast/utils/timer.rb +0 -40
  230. data/resources/assess/policy.json +42 -71
  231. data/resources/inventory/policy.json +2 -2
  232. data/resources/protect/policy.json +15 -15
  233. data/ruby-agent.gemspec +11 -4
  234. data/service_executables/VERSION +1 -1
  235. data/service_executables/linux/contrast-service +0 -0
  236. data/service_executables/mac/contrast-service +0 -0
  237. metadata +122 -111
  238. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
  239. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
  240. data/ext/cs__assess_regexp_track/extconf.rb +0 -2
  241. data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
  242. data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
  243. data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
  244. data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
  245. data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
  246. data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
  247. data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
  248. data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
  249. data/lib/contrast/agent/feature_state.rb +0 -376
  250. data/lib/contrast/agent/logger_manager.rb +0 -116
  251. data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
  252. data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
  253. data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
  254. data/lib/contrast/agent/settings_state.rb +0 -152
  255. data/lib/contrast/delegators.rb +0 -9
  256. data/lib/contrast/delegators/application_update.rb +0 -32
  257. data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
  258. data/lib/contrast/extensions/framework/rack/request.rb +0 -24
  259. data/lib/contrast/extensions/framework/rack/response.rb +0 -23
  260. data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
  261. data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
  262. data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
  263. data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
  264. data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
  265. data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
  266. data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
  267. data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
  268. data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
  269. data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
  270. data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
  271. data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
  272. data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
  273. data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
  274. data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
  275. data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
  276. data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
  277. data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
  278. data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
  279. data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
  280. data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
  281. data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
  282. data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
  283. data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
  284. data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
  285. data/lib/contrast/framework/rails_support.rb +0 -88
  286. data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
  287. data/lib/contrast/framework/sinatra_support.rb +0 -94
  288. data/lib/contrast/utils/comment_range.rb +0 -19
  289. data/lib/contrast/utils/data_store_util.rb +0 -23
  290. data/lib/contrast/utils/environment_util.rb +0 -81
  291. data/lib/contrast/utils/performs_logging.rb +0 -152
  292. data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
  293. data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
  294. data/lib/contrast/utils/random_util.rb +0 -22
  295. data/resources/csrf/inject.js +0 -44
  296. data/resources/factory-bot-spec/spec_helper.rb +0 -30
  297. data/resources/rubocops/kernel/catch_cop.rb +0 -37
  298. data/resources/rubocops/kernel/require_cop.rb +0 -37
  299. data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
  300. data/resources/rubocops/module/autoload_cop.rb +0 -37
  301. data/resources/rubocops/module/const_defined_cop.rb +0 -37
  302. data/resources/rubocops/module/const_get_cop.rb +0 -37
  303. data/resources/rubocops/module/const_set_cop.rb +0 -37
  304. data/resources/rubocops/module/constants_cop.rb +0 -37
  305. data/resources/rubocops/module/name_cop.rb +0 -37
  306. data/resources/rubocops/object/class_cop.rb +0 -37
  307. data/resources/rubocops/object/freeze_cop.rb +0 -37
  308. data/resources/rubocops/object/frozen_cop.rb +0 -37
  309. data/resources/rubocops/object/is_a_cop.rb +0 -37
  310. data/resources/rubocops/object/method_cop.rb +0 -37
  311. data/resources/rubocops/object/respond_to_cop.rb +0 -37
  312. data/resources/rubocops/object/singleton_class_cop.rb +0 -37
  313. data/resources/rubocops/regexp/spelling_cop.rb +0 -44
  314. data/resources/rubocops/thread/new_cop.rb +0 -39
  315. data/resources/ruby-spec/ancestors_spec.rb +0 -70
  316. data/resources/ruby-spec/modulo_spec.rb +0 -831
  317. data/resources/ruby-spec/parameters_spec.rb +0 -261
  318. data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h DELETED
@@ -1,29 +0,0 @@
1
- #include <funchook.h>
2
- #include <ruby.h>
3
-
4
- static VALUE regexp_class;
5
- static VALUE track_rb_n_match;
6
- static VALUE track_rb_pre_match;
7
- static VALUE track_rb_post_match;
8
- static VALUE track_rb_reg_match_last;
9
-
10
- VALUE rb_reg_match_pre(VALUE match);
11
- static VALUE *(*rb_reg_match_pre_original)(VALUE match);
12
-
13
- VALUE rb_reg_match_post(VALUE match);
14
- static VALUE *(*rb_reg_match_post_original)(VALUE match);
15
-
16
- VALUE rb_reg_match_last(VALUE match);
17
- static VALUE *(*rb_reg_match_last_original)(VALUE match);
18
-
19
- VALUE rb_reg_nth_match(int nth, VALUE match);
20
- static VALUE *(*rb_reg_nth_match_original)(int nth, VALUE match);
21
-
22
- static VALUE rb_reg_match_pre_hook(VALUE match);
23
- static VALUE rb_reg_match_post_hook(VALUE match);
24
- static VALUE rb_reg_match_last_hook(VALUE match);
25
- static VALUE rb_reg_nth_match_hook(int nth, VALUE match);
26
-
27
- static int install_regexp_hooks();
28
-
29
- void Init_cs__assess_regexp_track(void);
data/ext/cs__assess_regexp_track/extconf.rb DELETED
@@ -1,2 +0,0 @@
1
- $TO_MAKE = File.basename(__dir__)
2
- require_relative '../extconf_common'
data/lib/contrast/agent/assess/frozen_properties.rb DELETED
@@ -1,41 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'set'
5
- cs__scoped_require 'base64'
6
- cs__scoped_require 'contrast/utils/tag_util'
7
- cs__scoped_require 'contrast/utils/prevent_serialization'
8
-
9
- module Contrast
10
- module Agent
11
- module Assess
12
- # This class is used as an NoOP version of Properties. We'll pass this to
13
- # any attempt to access Properties on a frozen object including
14
- # AssessExtension iff that object did not have Properties before it was
15
- # placed in a frozen state.
16
- class FrozenProperties
17
- include Contrast::Utils::PreventSerialization
18
-
19
- def events
20
- Contrast::Utils::ObjectShare::EMPTY_ARRAY
21
- end
22
-
23
- def properties
24
- Contrast::Utils::ObjectShare::EMPTY_HASH
25
- end
26
-
27
- def tracked?
28
- false
29
- end
30
-
31
- def tagged? _label
32
- false
33
- end
34
-
35
- def any_tags_between? _start, _finish
36
- false
37
- end
38
- end
39
- end
40
- end
41
- end
data/lib/contrast/agent/assess/rule/csrf.rb DELETED
@@ -1,66 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- module Contrast
5
- module Agent
6
- module Assess
7
- module Rule
8
- # The Ruby implementation of the CSRF Assess Rule.
9
- class Csrf < Contrast::Agent::Assess::Rule::ResponseScanningRule
10
- NAME = 'csrf'
11
- def name
12
- NAME
13
- end
14
-
15
- DB_STATE_CHANGE = 'db'
16
- ACTION_LIMIT = 3
17
- QUERY_SIZE_LIMIT = 50
18
- STATE_CHANGING_ACTIONS_KEY = 'csrf.statechange.actions'
19
- def record_db_state_change context, query
20
- return unless context
21
-
22
- changes = context.get_property(STATE_CHANGING_ACTIONS_KEY)
23
- changes ||= []
24
- return unless changes.length < ACTION_LIMIT
25
-
26
- return unless state_change?(query)
27
-
28
- action = Contrast::Agent::Assess::Rule::Csrf::CsrfAction.new
29
- action.type = DB_STATE_CHANGE
30
- action.evidence = query[0..QUERY_SIZE_LIMIT]
31
-
32
- changes << action
33
-
34
- context.add_property(STATE_CHANGING_ACTIONS_KEY, changes)
35
- end
36
-
37
- STATE_CHANGE_QUERY_ACTIONS = %w[
38
- insert
39
- update
40
- delete
41
- drop
42
- create
43
- alter
44
- upsert
45
- ].cs__freeze
46
- # Returns true if the given query starts with any
47
- # of the STATE_CHANGE_QUERY_ACTIONS listed above
48
- def state_change? query
49
- return false unless query.is_a?(String) && !query.empty?
50
-
51
- query.downcase.start_with?(*STATE_CHANGE_QUERY_ACTIONS)
52
- end
53
-
54
- # some watchers keep state and need to be reset in each request.
55
- # this one is not one of those.
56
- def watcher
57
- @_watcher ||= Contrast::Agent::Assess::Rule::Csrf::Watcher.new
58
- end
59
-
60
- # Indicates if this request has been checked for a CSRF token
61
- CHECKED = 'csrf.token.checked'
62
- end
63
- end
64
- end
65
- end
66
- end
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb DELETED
@@ -1,28 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- module Contrast
5
- module Agent
6
- module Assess
7
- module Rule
8
- class Csrf
9
- # CSRF is only reported on those Requests which also result in a
10
- # state changing action (database call). This class servers as a
11
- # record of that action.
12
- class CsrfAction
13
- attr_accessor :type, :evidence
14
-
15
- TYPE = 'type'
16
- EVIDENCE = 'evidence'
17
- def to_h
18
- {
19
- TYPE => type,
20
- EVIDENCE => evidence
21
- }
22
- end
23
- end
24
- end
25
- end
26
- end
27
- end
28
- end
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb DELETED
@@ -1,73 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'contrast/utils/object_share'
5
- cs__scoped_require 'contrast/components/interface'
6
-
7
- module Contrast
8
- module Agent
9
- module Assess
10
- module Rule
11
- class Csrf
12
- # This class is called by our patches to determine if a CSRF
13
- # vulnerability exists within an application. It is used through a
14
- # CUSTOM propagation in order to capture that a Database call was
15
- # made in response to a request that did not have the Contrast CSRF
16
- # token.
17
- class CsrfApplicator
18
- include Contrast::Components::Interface
19
- access_component :logging, :analysis, :scope
20
-
21
- CS__CSRF_LOG_MSG = 'applying CSRF assess rule'
22
-
23
- class << self
24
- def csrf_tagger patcher, preshift, _ret, _block
25
- return unless rule&.enabled?
26
-
27
- idx = patcher.sources[0].to_i
28
- args = preshift.args
29
- return unless args&.length.to_i > idx
30
-
31
- sql = args[idx]
32
- return unless sql
33
-
34
- with_contrast_scope do
35
- logger.debug(nil, CS__CSRF_LOG_MSG)
36
- rule.record_db_state_change(
37
- Contrast::Agent::REQUEST_TRACKER.current,
38
- sql)
39
- end
40
- end
41
-
42
- def apply_csrf_rule sql
43
- context = Contrast::Agent::REQUEST_TRACKER.current
44
-
45
- return unless context&.app_loaded?
46
- return unless ASSESS.enabled?
47
- return unless sql
48
-
49
- rule = Contrast::Agent::FeatureState.instance.assess_rule(
50
- Contrast::Agent::Assess::Rule::Csrf::NAME)
51
- return unless rule&.enabled?
52
-
53
- with_contrast_scope do
54
- logger.debug(CS__CSRF_LOG_MSG)
55
- rule.record_db_state_change(context, sql)
56
- end
57
- rescue StandardError => e
58
- logger.warn(e, 'Error running CSRF assess rule')
59
- end
60
-
61
- private
62
-
63
- def rule
64
- @_rule ||= Contrast::Agent::FeatureState.instance.assess_rule(
65
- Contrast::Agent::Assess::Rule::Csrf::NAME)
66
- end
67
- end
68
- end
69
- end
70
- end
71
- end
72
- end
73
- end
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb DELETED
@@ -1,132 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'contrast/agent/assess/rule/response_watcher'
5
-
6
- module Contrast
7
- module Agent
8
- module Assess
9
- module Rule
10
- class Csrf
11
- # Watchers are how those Rules which do not act on dataflow function.
12
- # This one is used by the CSRF rule to determine if a request was
13
- # made in a way that is susceptible to a CSRF attack.
14
- class Watcher < Contrast::Agent::Assess::Rule::ResponseWatcher
15
- def supports? context
16
- return false unless super(context)
17
- return false unless user_agent?(context)
18
- return false unless form_content_type?(context)
19
- return false unless form_method?(context)
20
- return false if empty_get?(context)
21
-
22
- true
23
- end
24
-
25
- X_REQUESTED_WITH = 'X-REQUESTED-WITH'
26
- # ignore this request if X-Requested-With is set
27
- def x_requested_with? context
28
- !context.request.normalized_request_headers[X_REQUESTED_WITH].nil?
29
- end
30
-
31
- USER_AGENT = 'USER-AGENT'
32
- # ignore this request if User-Agent is NOT set
33
- # since that indicates this isn't a browser interaction
34
- def user_agent? context
35
- !context.request.normalized_request_headers[USER_AGENT].nil?
36
- end
37
-
38
- CONTENT_TYPE = 'CONTENT-TYPE'
39
- FORM_TYPES = %w[
40
- text/plain
41
- multipart/form-data
42
- application/x-www-form-urlencoded
43
- ].cs__freeze
44
- # ignore this request if the Content-Type is NOT set
45
- # to a form content type
46
- def form_content_type? context
47
- type = context.request.content_type
48
- # We need to account for the charset being part of the header. It doesn't
49
- # affect how we determine CSRF-ability or not
50
- type = type.split(Contrast::Utils::ObjectShare::SEMICOLON)[0] if type
51
- FORM_TYPES.include?(type)
52
- end
53
-
54
- FORM_METHODS = %w[GET POST].cs__freeze
55
- # ignore this request if the request method
56
- # is not one that can be set with forms
57
- def form_method? context
58
- FORM_METHODS.include?(context.request.request_method)
59
- end
60
-
61
- GET = 'GET'
62
- # ignore this request if the method is get
63
- # and the query string is empty
64
- def empty_get? context
65
- request = context.request
66
- request.request_method ==
67
- GET &&
68
- (request.query_string.nil? || request.query_string.empty?)
69
- end
70
-
71
- # If a parameter contains 'csrf' or 'token', we consider
72
- # it to be a guard against CSRF and therefore determine
73
- # that this request is not vulnerable.
74
- CSRF_PATTERN = /csrf/i.cs__freeze
75
- TOKEN_PATTERN = /token/i.cs__freeze
76
- def vulnerable? context
77
- # having the property 'csrf.token.checked' indicates
78
- # that a CSRF check was preformed at some point during
79
- # this request, so we consider it to not be vulnerable
80
- return false if context.get_property(CHECKED)
81
-
82
- params = context.request.parameters
83
- params.each_key do |key|
84
- return false if key.match?(CSRF_PATTERN)
85
- return false if key.match?(TOKEN_PATTERN) && looks_like_token?(params[key])
86
- end
87
- # having no actions means there's no vulnerability
88
- return false unless context.get_property(STATE_CHANGING_ACTIONS_KEY)&.any?
89
-
90
- true
91
- end
92
-
93
- MINIMUM_CSRF_TOKEN_SIZE = 8
94
- MAXIMUM_CSRF_TOKEN_SIZE = 24
95
- TOKEN_REGEXP = /^[A-Za-z0-9]*$/.cs__freeze
96
- def looks_like_token? value
97
- return false unless value
98
-
99
- values = [value]
100
- values.each do |parameter|
101
- next unless parameter
102
-
103
- length = parameter.length
104
- next if length < MINIMUM_CSRF_TOKEN_SIZE
105
- next if length > MAXIMUM_CSRF_TOKEN_SIZE
106
- return true if parameter.match?(TOKEN_REGEXP)
107
- end
108
- false
109
- end
110
-
111
- DATA_KEY = 'actions'
112
- def build_finding context
113
- actions = context.get_property(STATE_CHANGING_ACTIONS_KEY)
114
- return if actions.nil? || actions.empty?
115
-
116
- string = actions.map(&:to_h).to_json
117
- finding = Contrast::Api::Dtm::Finding.new
118
- finding.rule_id = Contrast::Agent::Assess::Rule::Csrf::NAME
119
- finding.session_id = Contrast::Agent::FeatureState.instance.current_session_id
120
- hash_code = Contrast::Utils::HashDigest.generate_response_hash(finding)
121
- finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
122
- finding.properties[DATA_KEY] = Contrast::Utils::StringUtils.force_utf8(string)
123
- finding
124
- rescue StandardError => e
125
- logger.error(e, 'Unable to build a finding for CSRF')
126
- end
127
- end
128
- end
129
- end
130
- end
131
- end
132
- end
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb DELETED
@@ -1,47 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- module Contrast
5
- module Agent
6
- module Assess
7
- module Rule
8
- # Those rules which function by scanning the Response body in order to
9
- # detect vulnerabilities. These rules should each have their own
10
- # Contrast::Agent::Assess::RuleResponseWatcher.
11
- #
12
- # Note: Most have been moved to the Service, as they typically watch
13
- # the Request or Response bodies, parsing out vulnerabilities
14
- # therein. CSRF is an exception to this as the rule requires a change
15
- # to the Response body to function.
16
- class ResponseScanningRule < Contrast::Agent::Assess::Rule::Base
17
- def watcher
18
- # raise(
19
- # NotImplementedError,
20
- # 'A child rule should have overridden the watcher method')
21
- end
22
-
23
- def stream_safe?
24
- false
25
- end
26
-
27
- def generate_hash finding
28
- Contrast::Utils::HashDigest.generate_response_hash(finding)
29
- end
30
-
31
- def postfilter context
32
- findings = watcher.postfilter(context) if watcher && context
33
- return unless findings
34
-
35
- if findings.is_a?(Array)
36
- findings.each do |finding|
37
- send_report(finding) if finding
38
- end
39
- else
40
- send_report(findings)
41
- end
42
- end
43
- end
44
- end
45
- end
46
- end
47
- end
data/lib/contrast/agent/assess/rule/response_watcher.rb DELETED
@@ -1,36 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- module Contrast
5
- module Agent
6
- module Assess
7
- module Rule
8
- # A watcher focused on the Response body, parsing out vulnerabilities
9
- # therein.
10
- #
11
- # Note: Most have been moved to the Service, as they typically watch
12
- # the Request or Response bodies, parsing out vulnerabilities
13
- # therein. CSRF is an exception to this as the rule requires a change
14
- # to the Response body to function.
15
- class ResponseWatcher < Contrast::Agent::Assess::Rule::Watcher
16
- def postfilter context
17
- return unless supports?(context)
18
- return unless vulnerable?(context)
19
-
20
- build_finding(context)
21
- end
22
-
23
- def vulnerable? _context
24
- raise(
25
- NotImplementedError,
26
- 'A child rule should have overridden the vulnerable? method')
27
- end
28
-
29
- def build_finding _context
30
- Contrast::Api::Dtm::Finding.new
31
- end
32
- end
33
- end
34
- end
35
- end
36
- end