contrast-agent 3.10.2 → 3.11.0
- checksums.yaml +4 -4
- data/.simplecov +5 -2
- data/ext/build_funchook.rb +13 -17
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +5 -12
- data/ext/cs__assess_active_record_named/extconf.rb +3 -0
- data/ext/cs__assess_array/cs__assess_array.c +3 -5
- data/ext/cs__assess_array/extconf.rb +3 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +10 -4
- data/ext/cs__assess_basic_object/extconf.rb +3 -0
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
- data/ext/cs__assess_fiber_track/extconf.rb +3 -0
- data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
- data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
- data/ext/cs__assess_hash/extconf.rb +3 -0
- data/ext/cs__assess_kernel/cs__assess_kernel.c +10 -8
- data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
- data/ext/cs__assess_kernel/extconf.rb +3 -0
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
- data/ext/cs__assess_marshal_module/extconf.rb +3 -0
- data/ext/cs__assess_module/cs__assess_module.c +13 -9
- data/ext/cs__assess_module/extconf.rb +3 -0
- data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
- data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
- data/ext/cs__assess_regexp/extconf.rb +3 -0
- data/ext/cs__assess_string/cs__assess_string.c +5 -8
- data/ext/cs__assess_string/cs__assess_string.h +2 -1
- data/ext/cs__assess_string/extconf.rb +3 -0
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
- data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +3 -0
- data/ext/cs__common/cs__common.c +79 -0
- data/ext/cs__common/cs__common.h +34 -0
- data/ext/cs__common/extconf.rb +9 -8
- data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
- data/ext/cs__contrast_patch/extconf.rb +3 -0
- data/ext/cs__protect_kernel/cs__protect_kernel.c +20 -11
- data/ext/cs__protect_kernel/extconf.rb +3 -0
- data/ext/extconf_common.rb +10 -8
- data/funchook/autom4te.cache/output.0 +1 -13
- data/funchook/autom4te.cache/requests +44 -45
- data/funchook/autom4te.cache/traces.0 +0 -3
- data/funchook/config.log +378 -217
- data/funchook/config.status +23 -24
- data/funchook/configure +1 -13
- data/funchook/src/Makefile +7 -7
- data/funchook/src/config.h +2 -2
- data/funchook/src/decoder.o +0 -0
- data/funchook/src/distorm.o +0 -0
- data/funchook/src/funchook.o +0 -0
- data/funchook/src/funchook_io.o +0 -0
- data/funchook/src/funchook_syscall.o +0 -0
- data/funchook/src/funchook_unix.o +0 -0
- data/funchook/src/funchook_x86.o +0 -0
- data/funchook/src/instructions.o +0 -0
- data/funchook/src/insts.o +0 -0
- data/funchook/src/libfunchook.dylib +0 -0
- data/funchook/src/mnemonics.o +0 -0
- data/funchook/src/operands.o +0 -0
- data/funchook/src/os_func.o +0 -0
- data/funchook/src/os_func_unix.o +0 -0
- data/funchook/src/prefix.o +0 -0
- data/funchook/src/printf_base.o +0 -0
- data/funchook/src/textdefs.o +0 -0
- data/funchook/src/wstring.o +0 -0
- data/funchook/test/Makefile +2 -2
- data/funchook/test/funchook_test +0 -0
- data/funchook/test/libfunchook_test.so +0 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +20 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
- data/funchook/test/test_main.o +0 -0
- data/funchook/test/x86_64_test.o +0 -0
- data/lib/contrast.rb +1 -0
- data/lib/contrast/agent.rb +21 -15
- data/lib/contrast/agent/assess.rb +1 -2
- data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
- data/lib/contrast/agent/assess/contrast_event.rb +16 -62
- data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
- data/lib/contrast/agent/assess/events/source_event.rb +83 -0
- data/lib/contrast/agent/assess/insulator.rb +0 -4
- data/lib/contrast/agent/assess/policy/patcher.rb +5 -2
- data/lib/contrast/agent/assess/policy/policy_node.rb +0 -7
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagation_method.rb +65 -33
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
- data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
- data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
- data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
- data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
- data/lib/contrast/agent/assess/policy/trigger_method.rb +29 -40
- data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -6
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
- data/lib/contrast/agent/assess/properties.rb +5 -3
- data/lib/contrast/agent/assess/rule/base.rb +1 -5
- data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +2 -22
- data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +5 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +2 -2
- data/lib/contrast/agent/assess/rule/redos.rb +4 -4
- data/lib/contrast/agent/assess/tag.rb +24 -14
- data/lib/contrast/agent/at_exit_hook.rb +16 -13
- data/lib/contrast/agent/class_reopener.rb +14 -4
- data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
- data/lib/contrast/agent/disable_reaction.rb +3 -4
- data/lib/contrast/agent/exclusion_matcher.rb +8 -48
- data/lib/contrast/agent/feature_state.rb +45 -75
- data/lib/contrast/agent/logger.rb +173 -0
- data/lib/contrast/agent/middleware.rb +87 -250
- data/lib/contrast/agent/module_data.rb +2 -1
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +2 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +21 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
- data/lib/contrast/agent/patching/policy/patch.rb +96 -23
- data/lib/contrast/agent/patching/policy/patcher.rb +19 -19
- data/lib/contrast/agent/patching/policy/policy.rb +7 -7
- data/lib/contrast/agent/patching/policy/policy_node.rb +2 -10
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -4
- data/lib/contrast/agent/protect/rule/base.rb +14 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +10 -13
- data/lib/contrast/agent/protect/rule/csrf.rb +2 -1
- data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +11 -14
- data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +5 -4
- data/lib/contrast/agent/protect/rule/sqli.rb +1 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
- data/lib/contrast/agent/protect/rule/xss.rb +2 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
- data/lib/contrast/agent/railtie.rb +2 -8
- data/lib/contrast/agent/reaction_processor.rb +5 -5
- data/lib/contrast/agent/request.rb +9 -12
- data/lib/contrast/agent/request_context.rb +12 -14
- data/lib/contrast/agent/request_handler.rb +35 -0
- data/lib/contrast/agent/response.rb +33 -30
- data/lib/contrast/agent/rewriter.rb +22 -10
- data/lib/contrast/agent/rule_set.rb +49 -0
- data/lib/contrast/agent/scope.rb +0 -6
- data/lib/contrast/agent/service_heartbeat.rb +1 -2
- data/lib/contrast/agent/settings_state.rb +10 -74
- data/lib/contrast/agent/socket_client.rb +17 -11
- data/lib/contrast/agent/static_analysis.rb +42 -0
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/tracepoint_hook.rb +1 -5
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/decorators.rb +14 -0
- data/lib/contrast/api/decorators/application_settings.rb +37 -0
- data/lib/contrast/api/decorators/application_update.rb +66 -0
- data/lib/contrast/api/decorators/exclusion.rb +20 -0
- data/lib/contrast/api/decorators/input_analysis.rb +17 -0
- data/lib/contrast/api/decorators/server_features.rb +24 -0
- data/lib/contrast/api/speedracer.rb +27 -23
- data/lib/contrast/api/tcp_socket.rb +0 -2
- data/lib/contrast/components/agent.rb +27 -22
- data/lib/contrast/components/app_context.rb +18 -43
- data/lib/contrast/components/config.rb +7 -5
- data/lib/contrast/components/contrast_service.rb +0 -4
- data/lib/contrast/components/heap_dump.rb +12 -8
- data/lib/contrast/components/interface.rb +11 -10
- data/lib/contrast/components/logger.rb +3 -68
- data/lib/contrast/components/sampling.rb +22 -11
- data/lib/contrast/components/settings.rb +18 -5
- data/lib/contrast/config/base_configuration.rb +1 -0
- data/lib/contrast/config/default_value.rb +1 -0
- data/lib/contrast/config/protect_rule_configuration.rb +0 -14
- data/lib/contrast/extensions/framework/rails/action_controller_inheritance.rb +39 -0
- data/lib/contrast/extensions/framework/rails/active_record_named.rb +13 -8
- data/lib/contrast/extensions/ruby_core/assess.rb +1 -2
- data/lib/contrast/extensions/ruby_core/assess/assess_extension.rb +27 -22
- data/lib/contrast/extensions/ruby_core/assess/erb.rb +0 -8
- data/lib/contrast/extensions/ruby_core/assess/exec_trigger.rb +6 -8
- data/lib/contrast/extensions/ruby_core/assess/fiber.rb +88 -100
- data/lib/contrast/extensions/ruby_core/assess/hash.rb +32 -15
- data/lib/contrast/extensions/ruby_core/assess/kernel.rb +28 -27
- data/lib/contrast/extensions/ruby_core/assess/regexp.rb +74 -196
- data/lib/contrast/extensions/ruby_core/assess/string.rb +15 -7
- data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +29 -24
- data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +2 -2
- data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -1
- data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +2 -2
- data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +9 -20
- data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +9 -19
- data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +10 -27
- data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +13 -21
- data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +11 -23
- data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +62 -78
- data/lib/contrast/extensions/ruby_core/protect/rule_applicator.rb +50 -0
- data/lib/contrast/framework/base_support.rb +10 -0
- data/lib/contrast/framework/manager.rb +28 -2
- data/lib/contrast/framework/platform_version.rb +1 -0
- data/lib/contrast/framework/rails_support.rb +16 -0
- data/lib/contrast/framework/sinatra_support.rb +12 -2
- data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
- data/lib/contrast/tasks/service.rb +2 -8
- data/lib/contrast/utils/assess/sampling_util.rb +4 -9
- data/lib/contrast/utils/assess/tracking_util.rb +7 -1
- data/lib/contrast/utils/boolean_util.rb +2 -2
- data/lib/contrast/utils/cache.rb +0 -11
- data/lib/contrast/utils/class_util.rb +20 -1
- data/lib/contrast/utils/gemfile_reader.rb +5 -3
- data/lib/contrast/utils/hash_digest.rb +0 -4
- data/lib/contrast/utils/heap_dump_util.rb +12 -11
- data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
- data/lib/contrast/utils/inventory_util.rb +2 -2
- data/lib/contrast/utils/io_util.rb +1 -11
- data/lib/contrast/utils/job_servers_running.rb +2 -2
- data/lib/contrast/utils/object_share.rb +1 -27
- data/lib/contrast/utils/os.rb +1 -25
- data/lib/contrast/utils/rack_assess_session_cookie.rb +3 -3
- data/lib/contrast/utils/rails_assess_configuration.rb +3 -3
- data/lib/contrast/utils/service_response_util.rb +27 -53
- data/lib/contrast/utils/service_sender_util.rb +9 -5
- data/lib/contrast/utils/sinatra_helper.rb +0 -6
- data/lib/contrast/utils/stack_trace_utils.rb +86 -182
- data/lib/contrast/utils/string_utils.rb +18 -2
- data/lib/contrast/utils/tag_util.rb +11 -1
- data/lib/contrast/utils/thread_tracker.rb +2 -2
- data/lib/contrast/utils/timer.rb +0 -40
- data/resources/assess/policy.json +33 -21
- data/resources/protect/policy.json +9 -9
- data/ruby-agent.gemspec +6 -3
- metadata +76 -51
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
- data/ext/cs__assess_regexp_track/extconf.rb +0 -2
- data/funchook/src/libfunchook.so +0 -0
- data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
- data/lib/contrast/agent/logger_manager.rb +0 -116
- data/lib/contrast/delegators.rb +0 -9
- data/lib/contrast/delegators/application_update.rb +0 -32
- data/lib/contrast/utils/comment_range.rb +0 -19
- data/lib/contrast/utils/environment_util.rb +0 -81
- data/lib/contrast/utils/performs_logging.rb +0 -152
- data/resources/factory-bot-spec/spec_helper.rb +0 -30
- data/resources/rubocops/kernel/catch_cop.rb +0 -37
- data/resources/rubocops/kernel/require_cop.rb +0 -37
- data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
- data/resources/rubocops/module/autoload_cop.rb +0 -37
- data/resources/rubocops/module/const_defined_cop.rb +0 -37
- data/resources/rubocops/module/const_get_cop.rb +0 -37
- data/resources/rubocops/module/const_set_cop.rb +0 -37
- data/resources/rubocops/module/constants_cop.rb +0 -37
- data/resources/rubocops/module/name_cop.rb +0 -37
- data/resources/rubocops/object/class_cop.rb +0 -37
- data/resources/rubocops/object/freeze_cop.rb +0 -37
- data/resources/rubocops/object/frozen_cop.rb +0 -37
- data/resources/rubocops/object/is_a_cop.rb +0 -37
- data/resources/rubocops/object/method_cop.rb +0 -37
- data/resources/rubocops/object/respond_to_cop.rb +0 -37
- data/resources/rubocops/object/singleton_class_cop.rb +0 -37
- data/resources/rubocops/regexp/spelling_cop.rb +0 -44
- data/resources/rubocops/thread/new_cop.rb +0 -39
- data/resources/ruby-spec/ancestors_spec.rb +0 -70
- data/resources/ruby-spec/modulo_spec.rb +0 -831
- data/resources/ruby-spec/parameters_spec.rb +0 -261
- data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
@@ -12,19 +12,13 @@ module Contrast
|
|
12
12
|
access_component :agent, :app_context, :logging
|
13
13
|
|
14
14
|
initializer 'Contrast Ruby Agent Initializer' do |app|
|
15
|
-
if defined?(Rails) && defined?(Rails.logger)
|
16
|
-
Rails.logger.debug('In railtie ::')
|
17
|
-
Rails.logger.debug(app.middleware.inspect)
|
18
|
-
end
|
15
|
+
Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
|
19
16
|
|
20
|
-
# TODO: RUBY-564 This logic is not specific to Rails and should be used more broadly
|
21
|
-
# with all web frameworks. Move this check to be a part of our new initialization
|
22
|
-
# routine.
|
23
17
|
if APP_CONTEXT.instrument_middleware_stack?
|
24
18
|
AGENT.insert_middleware(app)
|
25
19
|
else
|
26
20
|
Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
|
27
|
-
logger.debug(
|
21
|
+
logger.debug('Disabling Contrast for process', p_id: Process.pid)
|
28
22
|
end
|
29
23
|
end
|
30
24
|
|
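Review bot: The `else` branch of the initializer still calls `Rails.logger.debug('Detected a running job server, ...')` unguarded on a context line, while the rewritten debug call a few lines above reaches `Rails.logger` only behind `defined?(Rails) && defined?(Rails.logger)`; note that `defined?(Rails.logger)` only checks that the method exists, so a nil logger (possible before Rails' own logger initializer has run) would still raise on either line. Either route both messages through the agent `logger` that the next new line already uses, e.g. `logger.debug('Detected a running job server, skipping Contrast middleware insertion.')`, or apply one explicit `Rails.logger` nil check to both. Separately, `app.middleware.inspect` is interpolated eagerly even when debug output is disabled; the block form `Rails.logger.debug { "In railtie ::#{ app.middleware.inspect }" }` defers that work.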
@@ -25,20 +25,20 @@ module Contrast
|
|
25
25
|
return nil unless application_settings&.reactions&.any?
|
26
26
|
|
27
27
|
application_settings.reactions.each do |reaction|
|
28
|
-
logger.debug(nil, "Received the following reaction: #{ reaction.operation }")
|
29
|
-
|
30
28
|
# the enums are all uppercase, we need to downcase them before attempting to log
|
31
29
|
level = reaction.log_level.nil? ? :error : reaction.log_level.downcase
|
32
30
|
|
33
|
-
logger.with_level(
|
31
|
+
logger.with_level(level, reaction.message) if reaction.message
|
34
32
|
|
35
33
|
case reaction.operation
|
36
34
|
when :DISABLE
|
37
35
|
Contrast::Agent::DisableReaction.run reaction, level
|
38
|
-
when :NOOP
|
36
|
+
when :NOOP
|
39
37
|
# NOOP
|
40
38
|
else
|
41
|
-
logger.warn(
|
39
|
+
logger.warn(
|
40
|
+
'ReactionProcessor received a reaction with an unknown operation',
|
41
|
+
operation: reaction.operation)
|
42
42
|
end
|
43
43
|
end
|
44
44
|
end
|
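Review bot: `level` on the context line is derived from the service-supplied `reaction.log_level` and the new line passes it straight to `logger.with_level(level, reaction.message)` (and on to `DisableReaction.run`); if `with_level` resolves the level by name, an unexpected enum value would reach an unintended logger method or raise inside the `each` loop and skip the remaining reactions. The nil branch yields the Symbol `:error` while the other branch yields whatever `downcase` returns on the enum value, so the two paths may hand `with_level` different types. Consider normalising `level` and validating it against the logger's accepted levels before the call, falling back to `:error` (the accepted set is not visible in this hunk). The enclosing method begins above the hunk.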
@@ -6,7 +6,6 @@ cs__scoped_require 'timeout'
|
|
6
6
|
|
7
7
|
cs__scoped_require 'contrast/utils/object_share'
|
8
8
|
cs__scoped_require 'contrast/utils/string_utils'
|
9
|
-
cs__scoped_require 'contrast/utils/comment_range'
|
10
9
|
cs__scoped_require 'contrast/utils/hash_digest'
|
11
10
|
cs__scoped_require 'contrast/components/interface'
|
12
11
|
|
@@ -108,7 +107,7 @@ module Contrast
|
|
108
107
|
def request_method
|
109
108
|
rack_request.get_header(Rack::REQUEST_METHOD)
|
110
109
|
rescue StandardError => e
|
111
|
-
logger.warn(
|
110
|
+
logger.warn('Unable to extract request method', e)
|
112
111
|
UNKNOWN_REQUEST_METHOD
|
113
112
|
end
|
114
113
|
|
@@ -209,15 +208,15 @@ module Contrast
|
|
209
208
|
body = @rack_request.body
|
210
209
|
if defined?(Rack::Multipart)
|
211
210
|
if defined?(Rack::Multipart::UploadedFile) && body.is_a?(Rack::Multipart::UploadedFile)
|
212
|
-
logger.
|
211
|
+
logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
|
213
212
|
@_request_body = nil
|
214
213
|
else
|
215
|
-
logger.
|
216
|
-
@_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body)
|
214
|
+
logger.trace("parsing body from request :: #{ body.cs__class.cs__name }")
|
215
|
+
@_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
|
217
216
|
end
|
218
217
|
else
|
219
|
-
logger.
|
220
|
-
@_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body)
|
218
|
+
logger.trace('Rack before 1.3.x does not support Rack::Multipart')
|
219
|
+
@_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
|
221
220
|
end
|
222
221
|
|
223
222
|
true
|
@@ -352,10 +351,8 @@ module Contrast
|
|
352
351
|
address.host = Contrast::Utils::StringUtils.force_utf8(Socket.gethostname)
|
353
352
|
address.ip = Contrast::Utils::StringUtils.force_utf8(Resolv.getaddress(address.host))
|
354
353
|
end
|
355
|
-
rescue Timeout::Error
|
356
|
-
logger.warn(nil, "Timeout resolving host or ip in #{ address }")
|
357
354
|
rescue StandardError => e
|
358
|
-
logger.warn(
|
355
|
+
logger.warn('Unable to resolve host or ip', e, address: address)
|
359
356
|
end
|
360
357
|
address
|
361
358
|
end
|
@@ -444,8 +441,8 @@ module Contrast
|
|
444
441
|
body.rewind if can_rewind
|
445
442
|
body.read
|
446
443
|
rescue StandardError => e
|
447
|
-
logger.error(
|
448
|
-
logger.
|
444
|
+
logger.error('Error in attempt to read body', message: e.message)
|
445
|
+
logger.trace('With Stack', e)
|
449
446
|
body.to_s
|
450
447
|
ensure
|
451
448
|
# be a good citizen and rewind
|
@@ -4,7 +4,6 @@
|
|
4
4
|
cs__scoped_require 'contrast/utils/timer'
|
5
5
|
cs__scoped_require 'contrast/agent/request'
|
6
6
|
cs__scoped_require 'contrast/agent/response'
|
7
|
-
cs__scoped_require 'contrast/utils/comment_range'
|
8
7
|
cs__scoped_require 'contrast/utils/inventory_util'
|
9
8
|
cs__scoped_require 'contrast/components/interface'
|
10
9
|
|
@@ -15,7 +14,7 @@ module Contrast
|
|
15
14
|
# in a standardized and normalized format which the Agent understands.
|
16
15
|
class RequestContext
|
17
16
|
include Contrast::Components::Interface
|
18
|
-
access_component :
|
17
|
+
access_component :analysis, :contrast_service, :logging, :scope
|
19
18
|
|
20
19
|
EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
|
21
20
|
|
@@ -46,6 +45,7 @@ module Contrast
|
|
46
45
|
# build analyzer
|
47
46
|
@do_not_track = false
|
48
47
|
@speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
|
48
|
+
speedracer_input_analysis.request = request
|
49
49
|
|
50
50
|
# flag to indicate whether the app is fully loaded
|
51
51
|
@app_loaded = !!app_loaded
|
@@ -67,10 +67,6 @@ module Contrast
|
|
67
67
|
@app_loaded
|
68
68
|
end
|
69
69
|
|
70
|
-
def analyze?
|
71
|
-
@sample_request || @sample_response
|
72
|
-
end
|
73
|
-
|
74
70
|
def analyze_request?
|
75
71
|
@sample_request
|
76
72
|
end
|
@@ -115,6 +111,7 @@ module Contrast
|
|
115
111
|
end
|
116
112
|
|
117
113
|
def service_extract_request
|
114
|
+
return false unless PROTECT.enabled?
|
118
115
|
return false if @do_not_track
|
119
116
|
|
120
117
|
service_response = CONTRAST_SERVICE.send_message(@activity.http_request)
|
@@ -123,17 +120,18 @@ module Contrast
|
|
123
120
|
handle_protect_state(service_response)
|
124
121
|
ia = service_response.input_analysis
|
125
122
|
if ia
|
126
|
-
logger.
|
127
|
-
logger.
|
123
|
+
logger.trace("Analysis from Contrast Service: evaluations=#{ ia.results.length }")
|
124
|
+
logger.trace('Results', input_analysis: ia.inspect)
|
128
125
|
@speedracer_input_analysis = ia
|
126
|
+
speedracer_input_analysis.request = request
|
129
127
|
else
|
130
|
-
logger.
|
128
|
+
logger.trace('Analysis from Contrast Service was empty.')
|
131
129
|
false
|
132
130
|
end
|
133
131
|
rescue Contrast::SecurityException
|
134
132
|
raise
|
135
133
|
rescue StandardError => e
|
136
|
-
logger.warn(
|
134
|
+
logger.warn('Unable to extract Contrast Service information from request', e)
|
137
135
|
false
|
138
136
|
end
|
139
137
|
|
@@ -154,7 +152,7 @@ module Contrast
|
|
154
152
|
build_attack_results(agent_settings)
|
155
153
|
|
156
154
|
msg = agent_settings.protect_state.security_message
|
157
|
-
logger.warn(
|
155
|
+
logger.warn('Contrast Service said to block this request')
|
158
156
|
raise Contrast::SecurityException.new(nil, (msg || 'Blocking suspicious behavior'))
|
159
157
|
end
|
160
158
|
|
@@ -165,7 +163,7 @@ module Contrast
|
|
165
163
|
@response = Contrast::Agent::Response.new(rack_response)
|
166
164
|
activity.http_response = @response.dtm if @sample_response
|
167
165
|
rescue StandardError => e
|
168
|
-
logger.error(
|
166
|
+
logger.error('Unable to extract information after request', e)
|
169
167
|
end
|
170
168
|
|
171
169
|
def add_property key, value
|
@@ -195,7 +193,7 @@ module Contrast
|
|
195
193
|
rule = PROTECT.rule(rule_id)
|
196
194
|
next unless rule
|
197
195
|
|
198
|
-
logger.debug(
|
196
|
+
logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
|
199
197
|
|
200
198
|
attack_result = if rule.mode == :BLOCK
|
201
199
|
# special case for rules (like reflected xss)
|
@@ -216,7 +214,7 @@ module Contrast
|
|
216
214
|
end
|
217
215
|
|
218
216
|
attack_results_by_rule.each_pair do |_, attack_result|
|
219
|
-
logger.
|
217
|
+
logger.info('Blocking attack result', rule: attack_result.rule_id)
|
220
218
|
activity.results << attack_result
|
221
219
|
end
|
222
220
|
end
|
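Review bot: The added `speedracer_input_analysis.request = request` in the `@@ -46,6 +45,7 @@` hunk mutates the class-level constant `EMPTY_INPUT_ANALYSIS_PB`, because the line above assigns that shared object directly to `@speedracer_input_analysis`; every RequestContext therefore shares one message whose `request` is overwritten by whichever request was built last, and a concurrent request can observe another request's data through it. Give each context its own instance, e.g. `@speedracer_input_analysis = Contrast::Api::Settings::InputAnalysis.new` (or `EMPTY_INPUT_ANALYSIS_PB.dup` if the message type supports it), before assigning `request`. The later `@speedracer_input_analysis = ia` path in the `@@ -123,17 +120,18 @@` hunk assigns a fresh per-response object and does not have this problem. The enclosing method (presumably `initialize`) begins above the hunk.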
@@ -0,0 +1,35 @@
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Contrast
|
5
|
+
module Agent
|
6
|
+
# This class is instantiated when we receive a request and the agent is enabled to process
|
7
|
+
# that request. It holds the ruleset that we perform filtering operations on (currently
|
8
|
+
# prefilter and postfilter).
|
9
|
+
class RequestHandler
|
10
|
+
include Contrast::Components::Interface
|
11
|
+
access_component :agent, :contrast_service, :logging, :scope
|
12
|
+
|
13
|
+
attr_reader :ruleset, :context
|
14
|
+
|
15
|
+
def initialize context
|
16
|
+
@context = context
|
17
|
+
@ruleset = AGENT.ruleset
|
18
|
+
end
|
19
|
+
|
20
|
+
def send_activity_messages
|
21
|
+
Contrast::Utils::GemfileReader.instance.generate_library_usage(context.activity)
|
22
|
+
[context.server_activity, context.activity, context.observed_route].each do |message|
|
23
|
+
CONTRAST_SERVICE.send_message message
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
# If the response is streaming, we should only perform filtering on our stream safe rules
|
28
|
+
def stream_safe_postfilter
|
29
|
+
stream_safe_ruleset = ruleset.select(&:stream_safe?)
|
30
|
+
postfilter_ruleset = Contrast::Agent::RuleSet.new(stream_safe_ruleset)
|
31
|
+
postfilter_ruleset.postfilter
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
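Review bot: `send_activity_messages` and `initialize` carry no documentation, and the class requests `:logging` and `:scope` via `access_component` although nothing in this file uses either. Suggested comment above `send_activity_messages`: `# Records library usage on the context's activity, then sends the server activity, activity and observed route messages to the Contrast Service.` If the unused components are intentional for later commits, a one-line note saying so would stop the next reader from trimming them; otherwise reduce the line to `access_component :agent, :contrast_service`. The `stream_safe_postfilter` comment could also state that it builds a new `RuleSet` from the `stream_safe?` rules and runs `postfilter` on that, leaving `ruleset` untouched.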
@@ -6,7 +6,6 @@ cs__scoped_require 'timeout'
|
|
6
6
|
|
7
7
|
cs__scoped_require 'contrast/utils/object_share'
|
8
8
|
cs__scoped_require 'contrast/utils/string_utils'
|
9
|
-
cs__scoped_require 'contrast/utils/comment_range'
|
10
9
|
cs__scoped_require 'contrast/utils/hash_digest'
|
11
10
|
cs__scoped_require 'contrast/components/interface'
|
12
11
|
|
@@ -61,18 +60,18 @@ module Contrast
|
|
61
60
|
end
|
62
61
|
|
63
62
|
def response_code
|
64
|
-
return unless
|
63
|
+
return unless rack_response
|
65
64
|
|
66
|
-
@is_array ?
|
65
|
+
@is_array ? rack_response[0].to_i : rack_response.status
|
67
66
|
end
|
68
67
|
|
69
68
|
def headers
|
70
|
-
return unless
|
69
|
+
return unless rack_response
|
71
70
|
|
72
71
|
if @is_array
|
73
|
-
|
72
|
+
rack_response[1]
|
74
73
|
else
|
75
|
-
|
74
|
+
rack_response.headers
|
76
75
|
end
|
77
76
|
end
|
78
77
|
|
@@ -89,32 +88,32 @@ module Contrast
|
|
89
88
|
|
90
89
|
CONTENT_TYPE_HEADER = 'CONTENT-TYPE'.cs__freeze
|
91
90
|
def content_type
|
92
|
-
return unless
|
91
|
+
return unless rack_response
|
93
92
|
|
94
93
|
if @is_array
|
95
94
|
normalized_headers[CONTENT_TYPE_HEADER]
|
96
95
|
else
|
97
|
-
|
96
|
+
rack_response.content_type
|
98
97
|
end
|
99
98
|
end
|
100
99
|
|
101
100
|
def header key
|
102
|
-
return unless
|
101
|
+
return unless rack_response
|
103
102
|
|
104
103
|
if @is_array
|
105
104
|
normalized_headers[Contrast::Utils::StringUtils.normalized_key(key)]
|
106
105
|
else
|
107
|
-
|
106
|
+
rack_response.get_header(key)
|
108
107
|
end
|
109
108
|
end
|
110
109
|
|
111
110
|
def set_header key, value
|
112
|
-
return unless
|
111
|
+
return unless rack_response
|
113
112
|
|
114
113
|
if @is_array
|
115
|
-
Rack::Utils.set_cookie_header!(
|
116
|
-
elsif
|
117
|
-
|
114
|
+
Rack::Utils.set_cookie_header!(rack_response[1], key, value)
|
115
|
+
elsif rack_response.is_a?(Rack::Response)
|
116
|
+
rack_response.set_header(key, value)
|
118
117
|
end
|
119
118
|
end
|
120
119
|
|
@@ -122,26 +121,26 @@ module Contrast
|
|
122
121
|
# We should not extract it out as a variable here, or we'll miss those
|
123
122
|
# changes.
|
124
123
|
def body
|
125
|
-
return unless
|
124
|
+
return unless rack_response
|
126
125
|
|
127
|
-
body_content = @is_array ?
|
126
|
+
body_content = @is_array ? rack_response[2] : rack_response.body
|
128
127
|
extract_body(body_content)
|
129
128
|
end
|
130
129
|
|
131
130
|
def update_body body_string
|
132
|
-
return unless
|
131
|
+
return unless rack_response
|
133
132
|
|
134
133
|
successfully_updated_body = true
|
135
134
|
if @is_array
|
136
|
-
if
|
135
|
+
if rack_response[2].is_a?(Rack::BodyProxy)
|
137
136
|
successfully_updated_body = update_rack_body_proxy(body_string, true)
|
138
137
|
else
|
139
|
-
|
138
|
+
rack_response[2] = [body_string]
|
140
139
|
end
|
141
|
-
elsif
|
140
|
+
elsif rack_response.body.is_a?(Rack::BodyProxy)
|
142
141
|
successfully_updated_body = update_rack_body_proxy(body_string)
|
143
142
|
else
|
144
|
-
|
143
|
+
rack_response.body = body_string
|
145
144
|
end
|
146
145
|
update_content_length(body_string.bytesize) if successfully_updated_body
|
147
146
|
end
|
@@ -159,7 +158,7 @@ module Contrast
|
|
159
158
|
HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
|
160
159
|
|
161
160
|
def update_rack_body_proxy body_string, is_array = false
|
162
|
-
top_body_proxy = is_array ?
|
161
|
+
top_body_proxy = is_array ? rack_response[2] : rack_response
|
163
162
|
parent_body_proxy = top_body_proxy
|
164
163
|
until (next_body = parent_body_proxy.instance_variable_get(:@body)).cs__class != Rack::BodyProxy
|
165
164
|
parent_body_proxy = next_body
|
@@ -175,7 +174,7 @@ module Contrast
|
|
175
174
|
new_body = ActionView::OutputBuffer.new(body_string)
|
176
175
|
next_body[0] = new_body
|
177
176
|
else
|
178
|
-
logger.warn(
|
177
|
+
logger.warn('Detected unsupported Rack::BodyProxy internal response class', module: next_body.cs__class)
|
179
178
|
return false
|
180
179
|
end
|
181
180
|
true
|
@@ -195,13 +194,7 @@ module Contrast
|
|
195
194
|
# not sure what to do in this situation, so don't do anything.
|
196
195
|
nil
|
197
196
|
elsif body.is_a?(Rack::BodyProxy)
|
198
|
-
|
199
|
-
case next_body
|
200
|
-
when Array
|
201
|
-
extract_body(next_body[0])
|
202
|
-
else
|
203
|
-
extract_body(next_body)
|
204
|
-
end
|
197
|
+
handle_rack_body_proxy(body)
|
205
198
|
elsif defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)
|
206
199
|
extract_body(body.body)
|
207
200
|
elsif body.is_a?(Rack::Response)
|
@@ -218,6 +211,16 @@ module Contrast
|
|
218
211
|
end
|
219
212
|
end
|
220
213
|
|
214
|
+
def handle_rack_body_proxy body
|
215
|
+
next_body = body.instance_variable_get(:@body)
|
216
|
+
case next_body
|
217
|
+
when Array
|
218
|
+
extract_body(next_body[0])
|
219
|
+
else
|
220
|
+
extract_body(next_body)
|
221
|
+
end
|
222
|
+
end
|
223
|
+
|
221
224
|
def read_or_string obj
|
222
225
|
return nil unless obj
|
223
226
|
|
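Review bot: The new `handle_rack_body_proxy` has no comment and reads the wrapped body through `body.instance_variable_get(:@body)`, a private detail of `Rack::BodyProxy` rather than a public reader, so a Rack upgrade that renames the ivar would silently hand `nil` to `extract_body`; worth a comment such as `# Unwraps Rack::BodyProxy through its private @body ivar (no public reader); an Array body yields only its first chunk. Re-check on Rack upgrades.` Relatedly, `set_header` on the array branch calls `Rack::Utils.set_cookie_header!(rack_response[1], key, value)`, i.e. it appends a Set-Cookie entry, while the `Rack::Response` branch sets the header named `key`, so the two branches do different things for the same arguments; if callers only use this for cookies a comment on the method should say so, otherwise the array branch should set `rack_response[1][key] = value`. The `extract_body` body that calls the new method begins above the `@@ -195,13 +194,7 @@` hunk.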
@@ -57,20 +57,28 @@ module Contrast
|
|
57
57
|
rescue SyntaxError, StandardError => e
|
58
58
|
opener = nil
|
59
59
|
mod ||= module_data.mod
|
60
|
-
logger.debug(
|
60
|
+
logger.debug('Reopening threw a handled exception - skipping rewriting', e, module: module_data.name)
|
61
61
|
status ||= Contrast::Agent::Patching::Policy::PatchStatus.get_status(mod)
|
62
62
|
status.failed_rewrite!
|
63
63
|
ensure
|
64
64
|
with_contrast_scope do
|
65
65
|
opener&.commit_patches
|
66
66
|
end
|
67
|
-
logger.
|
68
|
-
|
69
|
-
|
67
|
+
logger.trace('Rewriting complete',
|
68
|
+
module: module_data.name,
|
69
|
+
result: Contrast::Agent::Patching::Policy::PatchStatus.get_status(
|
70
|
+
module_data.mod).rewrite_status)
|
70
71
|
end
|
71
72
|
|
72
73
|
private
|
73
74
|
|
75
|
+
def location_available? location
|
76
|
+
return unless location
|
77
|
+
return false if location.empty? || location[0].empty? || location[0].include?('eval')
|
78
|
+
|
79
|
+
true
|
80
|
+
end
|
81
|
+
|
74
82
|
def rewrite_all_methods opener, clazz, methods, type
|
75
83
|
methods.each do |method|
|
76
84
|
# Skip contrast woven methods.
|
@@ -93,19 +101,23 @@ module Contrast
|
|
93
101
|
return nil if method_instance.nil?
|
94
102
|
|
95
103
|
location = method_instance.source_location
|
96
|
-
return nil
|
97
|
-
return nil if location.empty? || location[0].empty? || location[0].include?('eval')
|
104
|
+
return nil unless location_available?(location)
|
98
105
|
return nil if opener.written_from_location?(location)
|
99
106
|
|
100
107
|
opener.written_from_location!(location)
|
101
108
|
opener.source_code(location, method_name)
|
102
109
|
rescue SyntaxError
|
103
|
-
logger.debug(
|
110
|
+
logger.debug('Can\'t parse method source', error: 'SyntaxError', module: clazz.cs__name, method: method_name)
|
104
111
|
rescue StandardError => e
|
105
112
|
if defined?(MethodSource) && defined?(MethodSource::SourceNotFoundError)
|
106
|
-
logger.debug(
|
113
|
+
logger.debug(
|
114
|
+
'Can\'t parse method source',
|
115
|
+
e,
|
116
|
+
error: 'SourceNotFoundError',
|
117
|
+
module: clazz.cs__name,
|
118
|
+
method: method_name)
|
107
119
|
else
|
108
|
-
logger.debug(
|
120
|
+
logger.debug('Can\'t lookup method source', module: clazz.cs__name, method: method_name)
|
109
121
|
end
|
110
122
|
end
|
111
123
|
|
@@ -146,7 +158,7 @@ module Contrast
|
|
146
158
|
opener.private_instance_methods << new_method_source
|
147
159
|
end
|
148
160
|
rescue StandardError => e
|
149
|
-
logger.debug(
|
161
|
+
logger.debug('Can\'t rewrite in class_eval', e, module: clazz.cs__name, method: method)
|
150
162
|
end
|
151
163
|
|
152
164
|
def rewrite_method original_source_code
|
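Review bot: `location_available?` in the `@@ -57,20 +57,28 @@` hunk returns `nil` from `return unless location` but `false` from the following line, so a `?` predicate yields three distinct values; `return false unless location` keeps the contract boolean and still satisfies the caller's `return nil unless location_available?(location)`. A short comment would help, since the method encodes a policy rather than a plain check: `# A method is rewritable only when its source_location is present, non-empty and not eval-generated.` In the `@@ -93,19 +101,23 @@` hunk the `rescue SyntaxError` branch logs `error: 'SyntaxError'` without the exception object, unlike the `StandardError` branch that passes `e`; binding it with `rescue SyntaxError => e` and passing `e` would keep the two log records comparable.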