RubyGems - contrast-agent - Versions diffs - 3.10.1 → 3.12.2 - Mend

contrast-agent 3.10.1 → 3.12.2

Files changed (350) hide show

checksums.yaml +4 -4
data/.flayignore +1 -0
data/.simplecov +5 -2
data/ext/build_funchook.rb +13 -17
data/ext/cs__assess_active_record_named/cs__active_record_named.c +12 -14
data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
data/ext/cs__assess_active_record_named/extconf.rb +3 -0
data/ext/cs__assess_array/cs__assess_array.c +5 -6
data/ext/cs__assess_array/cs__assess_array.h +1 -0
data/ext/cs__assess_array/extconf.rb +3 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +13 -11
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
data/ext/cs__assess_basic_object/extconf.rb +3 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
data/ext/cs__assess_fiber_track/extconf.rb +3 -0
data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
data/ext/cs__assess_hash/extconf.rb +3 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +11 -9
data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
data/ext/cs__assess_kernel/extconf.rb +3 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
data/ext/cs__assess_marshal_module/extconf.rb +3 -0
data/ext/cs__assess_module/cs__assess_module.c +16 -14
data/ext/cs__assess_module/cs__assess_module.h +3 -0
data/ext/cs__assess_module/extconf.rb +3 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
data/ext/cs__assess_regexp/extconf.rb +3 -0
data/ext/cs__assess_string/cs__assess_string.c +5 -8
data/ext/cs__assess_string/cs__assess_string.h +2 -1
data/ext/cs__assess_string/extconf.rb +3 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
data/ext/cs__assess_yield_track/extconf.rb +3 -0
data/ext/cs__common/cs__common.c +80 -1
data/ext/cs__common/cs__common.h +34 -0
data/ext/cs__common/extconf.rb +9 -8
data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
data/ext/cs__contrast_patch/extconf.rb +3 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +23 -12
data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
data/ext/cs__protect_kernel/extconf.rb +3 -0
data/ext/extconf_common.rb +10 -8
data/funchook/autom4te.cache/output.0 +1 -13
data/funchook/autom4te.cache/requests +50 -51
data/funchook/autom4te.cache/traces.0 +0 -3
data/funchook/config.log +378 -217
data/funchook/config.status +23 -24
data/funchook/configure +1 -13
data/funchook/src/Makefile +7 -7
data/funchook/src/config.h +2 -2
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.dylib +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +2 -2
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +20 -0
data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.o +0 -0
data/lib/contrast.rb +1 -1
data/lib/contrast/agent.rb +32 -29
data/lib/contrast/agent/assess.rb +1 -11
data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
data/lib/contrast/agent/assess/contrast_event.rb +16 -62
data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
data/lib/contrast/agent/assess/events/source_event.rb +83 -0
data/lib/contrast/agent/assess/insulator.rb +0 -4
data/lib/contrast/agent/assess/policy/patcher.rb +6 -2
data/lib/contrast/agent/assess/policy/policy_node.rb +1 -8
data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -2
data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
data/lib/contrast/agent/assess/policy/propagation_method.rb +68 -33
data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +30 -45
data/lib/contrast/agent/assess/policy/trigger_node.rb +7 -7
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
data/lib/contrast/agent/assess/properties.rb +5 -3
data/lib/contrast/agent/assess/rule/base.rb +1 -20
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +23 -6
data/lib/contrast/agent/assess/rule/redos.rb +4 -5
data/lib/contrast/agent/assess/tag.rb +24 -14
data/lib/contrast/agent/at_exit_hook.rb +16 -13
data/lib/contrast/agent/class_reopener.rb +23 -8
data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
data/lib/contrast/agent/disable_reaction.rb +3 -4
data/lib/contrast/agent/exclusion_matcher.rb +7 -48
data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/middleware.rb +101 -260
data/lib/contrast/agent/module_data.rb +2 -1
data/lib/contrast/agent/patching/policy/after_load_patch.rb +13 -3
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +59 -47
data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
data/lib/contrast/agent/patching/policy/patch.rb +97 -23
data/lib/contrast/agent/patching/policy/patcher.rb +28 -30
data/lib/contrast/agent/patching/policy/policy.rb +7 -7
data/lib/contrast/agent/patching/policy/policy_node.rb +3 -11
data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -5
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
data/lib/contrast/agent/protect/policy/policy.rb +6 -6
data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
data/lib/contrast/agent/protect/rule.rb +0 -5
data/lib/contrast/agent/protect/rule/base.rb +19 -37
data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
data/lib/contrast/agent/protect/rule/cmd_injection.rb +12 -15
data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
data/lib/contrast/agent/protect/rule/sqli.rb +5 -4
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
data/lib/contrast/agent/protect/rule/xss.rb +2 -0
data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
data/lib/contrast/agent/railtie.rb +3 -8
data/lib/contrast/agent/reaction_processor.rb +5 -5
data/lib/contrast/agent/request.rb +11 -18
data/lib/contrast/agent/request_context.rb +16 -19
data/lib/contrast/agent/request_handler.rb +35 -0
data/lib/contrast/agent/response.rb +39 -86
data/lib/contrast/agent/rewriter.rb +22 -10
data/lib/contrast/agent/rule_set.rb +49 -0
data/lib/contrast/agent/scope.rb +0 -6
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/socket_client.rb +25 -19
data/lib/contrast/agent/static_analysis.rb +41 -0
data/lib/contrast/agent/thread.rb +1 -1
data/lib/contrast/agent/tracepoint_hook.rb +1 -5
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/decorators.rb +14 -0
data/lib/contrast/api/decorators/application_settings.rb +37 -0
data/lib/contrast/api/decorators/application_update.rb +66 -0
data/lib/contrast/api/decorators/input_analysis.rb +17 -0
data/lib/contrast/api/decorators/server_features.rb +24 -0
data/lib/contrast/api/speedracer.rb +28 -24
data/lib/contrast/api/tcp_socket.rb +0 -2
data/lib/contrast/components/agent.rb +34 -24
data/lib/contrast/components/app_context.rb +45 -38
data/lib/contrast/components/assess.rb +25 -15
data/lib/contrast/components/config.rb +7 -5
data/lib/contrast/components/contrast_service.rb +23 -71
data/lib/contrast/components/heap_dump.rb +12 -8
data/lib/contrast/components/interface.rb +15 -22
data/lib/contrast/components/inventory.rb +5 -1
data/lib/contrast/components/logger.rb +3 -68
data/lib/contrast/components/protect.rb +40 -4
data/lib/contrast/components/sampling.rb +22 -11
data/lib/contrast/components/scope.rb +2 -52
data/lib/contrast/components/settings.rb +42 -23
data/lib/contrast/config/base_configuration.rb +1 -0
data/lib/contrast/config/default_value.rb +1 -0
data/lib/contrast/config/protect_rule_configuration.rb +0 -14
data/lib/contrast/config/protect_rules_configuration.rb +0 -1
data/lib/contrast/configuration.rb +2 -2
data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
data/lib/contrast/extension/assess/array.rb +77 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +29 -24
data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -8
data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +7 -9
data/lib/contrast/extension/assess/fiber.rb +113 -0
data/lib/contrast/extension/assess/hash.rb +39 -0
data/lib/contrast/extension/assess/kernel.rb +110 -0
data/lib/contrast/extension/assess/regexp.rb +84 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +18 -10
data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
data/lib/contrast/extension/kernel.rb +54 -0
data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
data/lib/contrast/extension/protect/kernel.rb +44 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
data/lib/contrast/framework/base_support.rb +32 -0
data/lib/contrast/framework/manager.rb +59 -8
data/lib/contrast/framework/platform_version.rb +1 -0
data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
data/lib/contrast/framework/rack/patch/support.rb +24 -0
data/lib/contrast/framework/rack/support.rb +22 -0
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
data/lib/contrast/framework/rails/patch/support.rb +67 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
data/lib/contrast/framework/rails/support.rb +115 -0
data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
data/lib/contrast/framework/sinatra/support.rb +109 -0
data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
data/lib/contrast/logger/application.rb +80 -0
data/lib/contrast/logger/log.rb +143 -0
data/lib/contrast/logger/time.rb +50 -0
data/lib/contrast/tasks/config.rb +54 -0
data/lib/contrast/tasks/service.rb +3 -13
data/lib/contrast/utils/assess/sampling_util.rb +4 -9
data/lib/contrast/utils/assess/tracking_util.rb +7 -1
data/lib/contrast/utils/boolean_util.rb +2 -2
data/lib/contrast/utils/cache.rb +0 -11
data/lib/contrast/utils/class_util.rb +24 -3
data/lib/contrast/utils/gemfile_reader.rb +7 -5
data/lib/contrast/utils/hash_digest.rb +2 -11
data/lib/contrast/utils/heap_dump_util.rb +12 -11
data/lib/contrast/utils/invalid_configuration_util.rb +4 -4
data/lib/contrast/utils/inventory_util.rb +2 -2
data/lib/contrast/utils/io_util.rb +1 -11
data/lib/contrast/utils/job_servers_running.rb +6 -4
data/lib/contrast/utils/object_share.rb +1 -28
data/lib/contrast/utils/os.rb +1 -25
data/lib/contrast/utils/service_response_util.rb +36 -60
data/lib/contrast/utils/service_sender_util.rb +84 -23
data/lib/contrast/utils/sinatra_helper.rb +0 -6
data/lib/contrast/utils/stack_trace_utils.rb +86 -182
data/lib/contrast/utils/string_utils.rb +18 -2
data/lib/contrast/utils/tag_util.rb +11 -1
data/lib/contrast/utils/thread_tracker.rb +2 -2
data/lib/contrast/utils/timer.rb +0 -40
data/resources/assess/policy.json +42 -71
data/resources/inventory/policy.json +2 -2
data/resources/protect/policy.json +15 -15
data/ruby-agent.gemspec +11 -4
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +126 -113
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
data/ext/cs__assess_regexp_track/extconf.rb +0 -2
data/funchook/src/libfunchook.so +0 -0
data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
data/lib/contrast/agent/feature_state.rb +0 -376
data/lib/contrast/agent/logger_manager.rb +0 -116
data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
data/lib/contrast/agent/settings_state.rb +0 -152
data/lib/contrast/delegators.rb +0 -9
data/lib/contrast/delegators/application_update.rb +0 -32
data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
data/lib/contrast/extensions/framework/rack/request.rb +0 -24
data/lib/contrast/extensions/framework/rack/response.rb +0 -23
data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
data/lib/contrast/framework/rails_support.rb +0 -88
data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
data/lib/contrast/framework/sinatra_support.rb +0 -94
data/lib/contrast/utils/comment_range.rb +0 -19
data/lib/contrast/utils/data_store_util.rb +0 -23
data/lib/contrast/utils/environment_util.rb +0 -81
data/lib/contrast/utils/performs_logging.rb +0 -152
data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
data/lib/contrast/utils/random_util.rb +0 -22
data/resources/csrf/inject.js +0 -44
data/resources/factory-bot-spec/spec_helper.rb +0 -30
data/resources/rubocops/kernel/catch_cop.rb +0 -37
data/resources/rubocops/kernel/require_cop.rb +0 -37
data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
data/resources/rubocops/module/autoload_cop.rb +0 -37
data/resources/rubocops/module/const_defined_cop.rb +0 -37
data/resources/rubocops/module/const_get_cop.rb +0 -37
data/resources/rubocops/module/const_set_cop.rb +0 -37
data/resources/rubocops/module/constants_cop.rb +0 -37
data/resources/rubocops/module/name_cop.rb +0 -37
data/resources/rubocops/object/class_cop.rb +0 -37
data/resources/rubocops/object/freeze_cop.rb +0 -37
data/resources/rubocops/object/frozen_cop.rb +0 -37
data/resources/rubocops/object/is_a_cop.rb +0 -37
data/resources/rubocops/object/method_cop.rb +0 -37
data/resources/rubocops/object/respond_to_cop.rb +0 -37
data/resources/rubocops/object/singleton_class_cop.rb +0 -37
data/resources/rubocops/regexp/spelling_cop.rb +0 -44
data/resources/rubocops/thread/new_cop.rb +0 -39
data/resources/ruby-spec/ancestors_spec.rb +0 -70
data/resources/ruby-spec/modulo_spec.rb +0 -831
data/resources/ruby-spec/parameters_spec.rb +0 -261
data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35

data/lib/contrast/agent/protect/rule/csrf.rb DELETED

@@ -1,118 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'rack'
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/agent/request'
-cs__scoped_require 'contrast/agent/response'
-cs__scoped_require 'contrast/utils/stack_trace_utils'
-cs__scoped_require 'contrast/utils/timer'
-module Contrast
-  module Agent
-    module Protect
-      module Rule
-        # The Ruby implementation of the Protect Cross-Site Request Forgery
-        # rule.
-        class Csrf < Contrast::Agent::Protect::Rule::Base
-          NAME = 'csrf'
-          def name
-            NAME
-          end
-          def stream_safe?
-            false
-          end
-          def request_evaluator
-            @_request_evaluator ||= Contrast::Agent::Protect::Rule::Csrf::CsrfEvaluator.new
-          end
-          def token_injector
-            @_token_injector ||= Contrast::Agent::Protect::Rule::Csrf::CsrfTokenInjector.new
-          end
-          BLOCK_MESSAGE = 'CSRF rule triggered. Request blocked.'
-          def prefilter context
-            return unless enabled? && mode != :NO_ACTION
-            request = context.request
-            return if request_evaluator.can_ignore_check?(request)
-            parameters = request.parameters
-            return unless parameters&.any?
-            tokens = parameters[token_injector.token_name]
-            expected_token = token_injector.get_expected_token(context)
-            return if valid_token?(expected_token, tokens)
-            # unexpected token is interpreted as an attack with a match
-            ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.input_type = :BODY
-            ia_result.value = build_attack_string(context.request)
-            result = build_attack_with_match(
-                context,
-                ia_result,
-                nil,
-                expected_token,
-                details: build_details(expected_token, tokens))
-            append_to_activity(context, result)
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-          end
-          def valid_token? expected, actual_tokens
-            actual_tokens&.include?(expected)
-          end
-          def postfilter context
-            return unless enabled? && POSTFILTER_MODES.include?(mode)
-            token_injector.do_injection(context)
-          end
-          def build_sample context, evaluation, _url, **kwargs
-            sample = build_base_sample(context, evaluation)
-            sample.csrf = kwargs[:details]
-            sample
-          end
-          # Build a subclass of the RaspRuleSample using the query string and the
-          # evaluation
-          def build_details expected, actual_tokens
-            details = Contrast::Api::Dtm::CsrfDetails.new
-            details.name = Contrast::Utils::StringUtils.protobuf_safe_string(token_injector.token_name)
-            details.expected = Contrast::Utils::StringUtils.protobuf_safe_string(expected)
-            presented = build_presented_token(actual_tokens)
-            details.presented = Contrast::Utils::StringUtils.protobuf_safe_string(presented)
-            details
-          end
-          def build_presented_token actual_tokens
-            return Contrast::Utils::ObjectShare::EMPTY_STRING unless actual_tokens&.any?
-            actual_tokens.first
-          end
-          # Convert the request parameters into an attack string
-          def build_attack_string request
-            arr = []
-            request.dtm.normalized_request_params.each_with_index do |(name, value), index|
-              arr << Contrast::Utils::ObjectShare::AND unless index.zero?
-              arr += [name.to_s, Contrast::Utils::ObjectShare::EQUALS, value.values.to_s]
-            end
-            if arr.empty?
-              request.query_string
-            else
-              arr.join
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb DELETED

@@ -1,103 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'uri'
-# This class is used by the CSRF rule to determine if the given Request is
-# susceptible to CSRF / if the rule applies to it.
-class Contrast::Agent::Protect::Rule::Csrf::CsrfEvaluator # rubocop:disable Style/ClassAndModuleChildren
-  include Contrast::Components::Interface
-  access_component :logging
-  def can_ignore_check? request
-    if !form_submittable_method?(request)
-      logger.debug("Ignoring method #{ request.request_method } for URI #{ request.uri }")
-      true
-    elsif ajax_request?(request)
-      logger.debug("Ignoring Ajax request for URI #{ request.uri }")
-      true
-    elsif empty_post?(request)
-      logger.debug("Ignoring empty POST request for URI #{ request.uri }")
-      true
-    elsif !form_content_type?(request)
-      logger.debug("Ignoring POST request with Content-Type #{ request.content_type } for URI #{ request.uri }")
-      true
-    elsif request.static_request?
-      logger.debug("Ignoring static request for URI #{ request.uri }")
-      true
-    elsif origin_is_referer?(request)
-      logger.debug("Ignoring equivalent origin-referer for URI #{ request.uri }")
-      true
-    elsif login_page?(request)
-      logger.debug("Ignoring possible login page for URI #{ request.uri }")
-      true
-    else
-      false
-    end
-  rescue StandardError => e
-    logger.warn(e, 'Unable to determine if CSRF can be ignored')
-  end
-  POST_METHOD = 'POST'
-  def form_submittable_method? request
-    POST_METHOD == request.request_method
-  end
-  REQUESTED_WITH = 'X-REQUESTED-WITH'
-  def ajax_request? request
-    requested_with = request.header_value(REQUESTED_WITH)
-    !requested_with.nil? && !requested_with.empty?
-  end
-  USER_AGENT = 'USER-AGENT'
-  def empty_user_agent? request
-    agent = request.header_value(USER_AGENT)
-    agent.nil? || agent.empty?
-  end
-  def empty_post? request
-    request.request_body_str.empty? && (request.query_string.nil? || request.query_string.empty?)
-  end
-  FORM_CONTENT_TYPES = %w[text/plain multipart/form-data application/x-www-form-urlencoded].cs__freeze
-  def form_content_type? request
-    content_type = request.content_type
-    return true if content_type.nil? || content_type.empty?
-    content_type.start_with?(*FORM_CONTENT_TYPES)
-  end
-  ORIGIN = 'ORIGIN'
-  REFERER = 'REFERER'
-  def origin_is_referer? request
-    origin = request.header_value(ORIGIN)
-    referer = request.header_value(REFERER)
-    return false unless origin && referer
-    return false if origin.empty? || referer.empty?
-    origin = trim_origin(origin)
-    referer = URI(referer).host
-    origin == referer
-  end
-  HTTP = 'http://'
-  HTTPS = 'https://'
-  def trim_origin origin_header
-    origin_header = if origin_header.to_s.start_with?(HTTP, HTTPS)
-                      URI(origin_header).host
-                    else
-                      idx = origin_header.index(Contrast::Utils::ObjectShare::COLON)
-                      idx.nil? ? origin_header : origin_header[0, idx]
-                    end
-    origin_header
-  end
-  LOGIN_MARKERS = %w[login auth j_security verify validate sessions].cs__freeze
-  def login_page? request
-    url = request.url.downcase
-    LOGIN_MARKERS.any? { |marker| url.index(marker) }
-  end
-end

data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb DELETED

@@ -1,85 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/random_util'
-# This class is used by the CSRF rule to inject the Contrast CSRF token into
-# the Response's body, allowing for the detection of CSRF attacks.
-class Contrast::Agent::Protect::Rule::Csrf::CsrfTokenInjector # rubocop:disable Style/ClassAndModuleChildren
-  TKN_NAME = 'cs_csrf_tkn'
-  def token_name
-    TKN_NAME
-  end
-  SESSION_TOKEN_PREFIX = '__CONTRAST__'
-  def token_key
-    @_token_key ||= SESSION_TOKEN_PREFIX + token_name
-  end
-  def javascript
-    @_javascript ||= build_javascript
-  end
-  SCRIPT_LOC = File.join('csrf', 'inject.js').cs__freeze
-  NAME_MARKER = '!TOKEN_NAME!'
-  VALUE_MARKER = '!TOKEN_VALUE!'
-  def build_javascript
-    script = Contrast::Utils::ResourceLoader.load(SCRIPT_LOC)
-    script&.sub!(NAME_MARKER, TKN_NAME)
-    script
-  end
-  CSRF_TOKEN_LENGTH = 8
-  def get_expected_token context
-    cookies = context.request.request_cookies
-    token = cookies[token_key]
-    return token if token
-    return unless context.response
-    build_token(context)
-  end
-  def build_token context
-    token = Contrast::Utils::RandomUtil.secure_random_string(CSRF_TOKEN_LENGTH)
-    context&.response&.set_header(token_key, token)
-    token
-  end
-  CONTENT_TYPE = 'CONTENT-TYPE'
-  def wedge_token? response
-    return true unless response
-    content_type = response.header(CONTENT_TYPE)
-    return true unless content_type
-    content_type = content_type.to_s
-    !content_type.start_with?(*DATA_CONTENT_TYPES)
-  end
-  END_BODY_TAG = %r{</body>}i.cs__freeze
-  def do_injection context
-    return unless wedge_token?(context&.response)
-    body_string = context&.response&.body
-    return unless body_string
-    index = body_string.index(END_BODY_TAG)
-    return unless index
-    injection = get_expected_token(context)
-    return unless injection
-    injection = javascript.sub(VALUE_MARKER, injection)
-    body_string.insert(index, injection)
-    context&.response&.update_body(body_string)
-  end
-  DATA_CONTENT_TYPES = [
-    'image/', 'audio/', 'video/',
-    'application/json', 'application/xml',
-    'application/octet', 'application/force',
-    'text/json', 'text/xml'
-  ].cs__freeze
-end

data/lib/contrast/agent/settings_state.rb DELETED

@@ -1,152 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'securerandom'
-cs__scoped_require 'set'
-cs__scoped_require 'contrast/utils/assess/sampling_util'
-cs__scoped_require 'contrast/utils/assess/tracking_util'
-cs__scoped_require 'contrast/utils/environment_util'
-cs__scoped_require 'contrast/utils/env_configuration_item'
-cs__scoped_require 'contrast/utils/gemfile_reader'
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/performs_logging'
-cs__scoped_require 'contrast/utils/string_utils'
-cs__scoped_require 'contrast/agent/reaction_processor'
-cs__scoped_require 'contrast/agent/require_state'
-cs__scoped_require 'contrast/agent/assess/policy/patcher'
-cs__scoped_require 'contrast/agent/patching/policy/patcher'
-cs__scoped_require 'contrast/components/interface'
-module Contrast
-  module Agent
-    # This class functions as a way to query the Agent for its current
-    # configuration without having to expose other sections of code to the
-    # decision tree needed to make that determination.
-    # It should not be accessed directly, but should instead be inherited from
-    #
-    # @abstract Use the methods in FeatureState to access this data
-    class SettingsState
-      include Contrast::Utils::PerformsLogging
-      include Contrast::Components::Interface
-      INVALID_CONFIG = '!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!'
-      access_component :agent, :analysis, :settings, :config, :contrast_service
-      MODE_WHITELIST = %i[NO_ACTION BLOCK_AT_PERIMETER MONITOR BLOCK].cs__freeze
-      # These are components.
-      attr_accessor :last_update,
-                    :log_file,
-                    :log_level
-      # These represent process-level attributes,
-      # not directly related to Contrast function itself.
-      attr_reader :pid,
-                  :ppid
-      def initialize
-        @instrumentation_mutex = Mutex.new
-        @instrumented_packages = {}
-        # Last we heard from the Contrast Service
-        @last_update = nil
-        # keep track of which process instantiated this instance
-        @pid  = Process.pid.to_i
-        @ppid = Process.ppid.to_i
-        init_log_queueing
-        check_config
-        flush_log_queues
-      end
-      def check_config
-        SETTINGS.reset_state
-        if CONFIG.invalid?
-          AGENT.disable!
-          self.class.log_error(INVALID_CONFIG)
-          abort_log_queues
-          elseif CONFIG.disabled?
-          AGENT.disable!
-          self.class.log_warn(LOG_CONFIGURATION_DISABLED)
-        else
-          AGENT.enable!
-        end
-      end
-      # workaround to mixed use of class/instance
-      def self.logger
-        instance.logger
-      end
-      def logger
-        logger_manager.current
-      end
-      def logger_manager
-        (@_logger_manager ||= Contrast::Agent::LoggerManager.new.tap(&:update))
-      end
-      def assess_rule name
-        ASSESS.rule name
-      end
-      def instrument package
-        return if @instrumented_packages[package] # double check is intentional
-        @instrumentation_mutex.synchronize do
-          return if @instrumented_packages[package]
-          @instrumented_packages[package] = true
-        end
-        self.class.debug_with_time("instrumenting #{ package }") do
-          cs__scoped_require(package)
-        end
-      rescue LoadError, StandardError => e
-        @instrumented_packages[package] = false
-        self.class.log_error("[e.class: #{ e.class }] unable to instrument: #{ package }", e)
-      end
-      def protect_rule name
-        PROTECT.rule name
-      end
-      def send_inventory_message
-        return unless INVENTORY.enabled?
-        app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.new
-        # TODO: RUBY-770
-        Contrast::Utils::EnvironmentUtil.add_library_to_app_update(app_update_msg, protobuf_format(CONFIG.root.inventory.tags))
-        Contrast::Delegators::ApplicationUpdate.new(app_update_msg).instance_eval do
-          append_view_technology_descriptor_data(Contrast::Agent.framework_manager.find_applicable_view_technologies) if INVENTORY.enabled?
-          append_route_coverage_data(Contrast::Agent.framework_manager.find_route_discovery_data) if INVENTORY.enabled?
-          append_platform_version(Contrast::Agent.framework_manager.platform_version)
-        end
-        Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
-        CONTRAST_SERVICE.queue_message app_update_msg
-      end
-      def present? str
-        Contrast::Utils::EnvironmentUtil.present?(str)
-      end
-      # CONTRAST-35326, move this responsibility toward the protobuf object
-      def protobuf_format param, truncate: true
-        param = param&.to_s
-        param = Contrast::Utils::StringUtils.force_utf8(param)
-        param = Contrast::Utils::StringUtils.truncate(param) if truncate
-        param
-      end
-    end
-  end
-end