contrast-agent 3.10.2 → 3.11.0

data/lib/contrast/agent/railtie.rb

@@ -12,19 +12,13 @@ module Contrast
       access_component :agent, :app_context, :logging
 
       initializer 'Contrast Ruby Agent Initializer' do |app|
-        if defined?(Rails) && defined?(Rails.logger)
-          Rails.logger.debug('In railtie ::')
-          Rails.logger.debug(app.middleware.inspect)
-        end
+        Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
 
-        # TODO: RUBY-564 This logic is not specific to Rails and should be used more broadly
-        # with all web frameworks. Move this check to be a part of our new initialization
-        # routine.
         if APP_CONTEXT.instrument_middleware_stack?
           AGENT.insert_middleware(app)
         else
           Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
-          logger.debug(nil, "Disabling Contrast for process #{ Process.pid }")
+          logger.debug('Disabling Contrast for process', p_id: Process.pid)
         end
       end
 

data/lib/contrast/agent/reaction_processor.rb

@@ -25,20 +25,20 @@ module Contrast
         return nil unless application_settings&.reactions&.any?
 
         application_settings.reactions.each do |reaction|
-          logger.debug(nil, "Received the following reaction: #{ reaction.operation }")
-
           # the enums are all uppercase, we need to downcase them before attempting to log
           level = reaction.log_level.nil? ? :error : reaction.log_level.downcase
 
-          logger.with_level(nil, reaction.message, level) if reaction.message
+          logger.with_level(level, reaction.message) if reaction.message
 
           case reaction.operation
           when :DISABLE
             Contrast::Agent::DisableReaction.run reaction, level
-          when :NOOP # rubocop:disable Lint/EmptyWhen
+          when :NOOP
             # NOOP
           else
-            logger.warn(nil, "ReactionProcessor received a reaction with an unknown operation: #{ reaction.operation }")
+            logger.warn(
+                'ReactionProcessor received a reaction with an unknown operation',
+                operation: reaction.operation)
           end
         end
       end

data/lib/contrast/agent/request.rb

@@ -6,7 +6,6 @@ cs__scoped_require 'timeout'
 
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/string_utils'
-cs__scoped_require 'contrast/utils/comment_range'
 cs__scoped_require 'contrast/utils/hash_digest'
 cs__scoped_require 'contrast/components/interface'
 
@@ -108,7 +107,7 @@ module Contrast
       def request_method
         rack_request.get_header(Rack::REQUEST_METHOD)
       rescue StandardError => e
-        logger.warn("Unable to extract request method: #{ e }")
+        logger.warn('Unable to extract request method', e)
         UNKNOWN_REQUEST_METHOD
       end
 
@@ -209,15 +208,15 @@ module Contrast
           body = @rack_request.body
           if defined?(Rack::Multipart)
             if defined?(Rack::Multipart::UploadedFile) && body.is_a?(Rack::Multipart::UploadedFile)
-              logger.debug("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
+              logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
               @_request_body = nil
             else
-              logger.debug("parsing body from request :: #{ body.cs__class.cs__name }")
-              @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body), logger)
+              logger.trace("parsing body from request :: #{ body.cs__class.cs__name }")
+              @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
             end
           else
-            logger.debug('Rack before 1.3.x does not support Rack::Multipart')
-            @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body), logger)
+            logger.trace('Rack before 1.3.x does not support Rack::Multipart')
+            @_request_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
           end
 
           true
@@ -352,10 +351,8 @@ module Contrast
             address.host = Contrast::Utils::StringUtils.force_utf8(Socket.gethostname)
             address.ip = Contrast::Utils::StringUtils.force_utf8(Resolv.getaddress(address.host))
           end
-        rescue Timeout::Error
-          logger.warn(nil, "Timeout resolving host or ip in #{ address }")
         rescue StandardError => e
-          logger.warn(e, "Error resolving address for #{ address }")
+          logger.warn('Unable to resolve host or ip', e, address: address)
         end
         address
       end
@@ -444,8 +441,8 @@ module Contrast
           body.rewind if can_rewind
           body.read
         rescue StandardError => e
-          logger.error("Error in attempt to read body :: #{ e.message }")
-          logger.debug(e.backtrace.join(Contrast::Utils::ObjectShare::NEW_LINE))
+          logger.error('Error in attempt to read body', message: e.message)
+          logger.trace('With Stack', e)
           body.to_s
         ensure
           # be a good citizen and rewind

data/lib/contrast/agent/request_context.rb

@@ -4,7 +4,6 @@
 cs__scoped_require 'contrast/utils/timer'
 cs__scoped_require 'contrast/agent/request'
 cs__scoped_require 'contrast/agent/response'
-cs__scoped_require 'contrast/utils/comment_range'
 cs__scoped_require 'contrast/utils/inventory_util'
 cs__scoped_require 'contrast/components/interface'
 
@@ -15,7 +14,7 @@ module Contrast
     # in a standardized and normalized format which the Agent understands.
     class RequestContext
       include Contrast::Components::Interface
-      access_component :logging, :analysis, :scope, :contrast_service
+      access_component :analysis, :contrast_service, :logging, :scope
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
 
@@ -46,6 +45,7 @@ module Contrast
           # build analyzer
           @do_not_track = false
           @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
+          speedracer_input_analysis.request = request
 
           # flag to indicate whether the app is fully loaded
           @app_loaded = !!app_loaded
@@ -67,10 +67,6 @@ module Contrast
         @app_loaded
       end
 
-      def analyze?
-        @sample_request || @sample_response
-      end
-
       def analyze_request?
         @sample_request
       end
@@ -115,6 +111,7 @@ module Contrast
       end
 
       def service_extract_request
+        return false unless PROTECT.enabled?
         return false if @do_not_track
 
         service_response = CONTRAST_SERVICE.send_message(@activity.http_request)
@@ -123,17 +120,18 @@ module Contrast
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          logger.debug(nil, "Analysis from Contrast Service: evaluations=#{ ia.results.length }")
-          logger.debug(nil, "IA=#{ ia.inspect }")
+          logger.trace("Analysis from Contrast Service: evaluations=#{ ia.results.length }")
+          logger.trace('Results', input_analysis: ia.inspect)
           @speedracer_input_analysis = ia
+          speedracer_input_analysis.request = request
         else
-          logger.debug(nil, 'Analysis from Contrast Service was empty.')
+          logger.trace('Analysis from Contrast Service was empty.')
           false
         end
       rescue Contrast::SecurityException
         raise
       rescue StandardError => e
-        logger.warn(e, 'Unable to extract Contrast Service information from request')
+        logger.warn('Unable to extract Contrast Service information from request', e)
         false
       end
 
@@ -154,7 +152,7 @@ module Contrast
         build_attack_results(agent_settings)
 
         msg = agent_settings.protect_state.security_message
-        logger.warn(nil, 'Contrast Service said to block this request')
+        logger.warn('Contrast Service said to block this request')
         raise Contrast::SecurityException.new(nil, (msg || 'Blocking suspicious behavior'))
       end
 
@@ -165,7 +163,7 @@ module Contrast
         @response = Contrast::Agent::Response.new(rack_response)
         activity.http_response = @response.dtm if @sample_response
       rescue StandardError => e
-        logger.error(e, 'Unable to extract information after request')
+        logger.error('Unable to extract information after request', e)
       end
 
       def add_property key, value
@@ -195,7 +193,7 @@ module Contrast
           rule = PROTECT.rule(rule_id)
           next unless rule
 
-          logger.debug(nil, "Building attack result from Contrast Service input analysis: result=#{ ia_result.inspect }")
+          logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
 
           attack_result = if rule.mode == :BLOCK
                             # special case for rules (like reflected xss)
@@ -216,7 +214,7 @@ module Contrast
         end
 
         attack_results_by_rule.each_pair do |_, attack_result|
-          logger.debug(nil, "Blocking for #{ attack_result.rule_id }")
+          logger.info('Blocking attack result', rule: attack_result.rule_id)
           activity.results << attack_result
         end
       end

data/lib/contrast/agent/request_handler.rb

@@ -0,0 +1,35 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    # This class is instantiated when we receive a request and the agent is enabled to process
+    # that request. It holds the ruleset that we perform filtering operations on (currently
+    # prefilter and postfilter).
+    class RequestHandler
+      include Contrast::Components::Interface
+      access_component :agent, :contrast_service, :logging, :scope
+
+      attr_reader :ruleset, :context
+
+      def initialize context
+        @context = context
+        @ruleset = AGENT.ruleset
+      end
+
+      def send_activity_messages
+        Contrast::Utils::GemfileReader.instance.generate_library_usage(context.activity)
+        [context.server_activity, context.activity, context.observed_route].each do |message|
+          CONTRAST_SERVICE.send_message message
+        end
+      end
+
+      # If the response is streaming, we should only perform filtering on our stream safe rules
+      def stream_safe_postfilter
+        stream_safe_ruleset = ruleset.select(&:stream_safe?)
+        postfilter_ruleset = Contrast::Agent::RuleSet.new(stream_safe_ruleset)
+        postfilter_ruleset.postfilter
+      end
+    end
+  end
+end

data/lib/contrast/agent/response.rb

@@ -6,7 +6,6 @@ cs__scoped_require 'timeout'
 
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/string_utils'
-cs__scoped_require 'contrast/utils/comment_range'
 cs__scoped_require 'contrast/utils/hash_digest'
 cs__scoped_require 'contrast/components/interface'
 
@@ -61,18 +60,18 @@ module Contrast
       end
 
       def response_code
-        return unless @rack_response
+        return unless rack_response
 
-        @is_array ? @rack_response[0].to_i : @rack_response.status
+        @is_array ? rack_response[0].to_i : rack_response.status
       end
 
       def headers
-        return unless @rack_response
+        return unless rack_response
 
         if @is_array
-          @rack_response[1]
+          rack_response[1]
         else
-          @rack_response.headers
+          rack_response.headers
         end
       end
 
@@ -89,32 +88,32 @@ module Contrast
 
       CONTENT_TYPE_HEADER = 'CONTENT-TYPE'.cs__freeze
       def content_type
-        return unless @rack_response
+        return unless rack_response
 
         if @is_array
           normalized_headers[CONTENT_TYPE_HEADER]
         else
-          @rack_response.content_type
+          rack_response.content_type
         end
       end
 
       def header key
-        return unless @rack_response
+        return unless rack_response
 
         if @is_array
           normalized_headers[Contrast::Utils::StringUtils.normalized_key(key)]
         else
-          @rack_response.get_header(key)
+          rack_response.get_header(key)
         end
       end
 
       def set_header key, value
-        return unless @rack_response
+        return unless rack_response
 
         if @is_array
-          Rack::Utils.set_cookie_header!(@rack_response[1], key, value)
-        elsif @rack_response.is_a?(Rack::Response)
-          @rack_response.set_header(key, value)
+          Rack::Utils.set_cookie_header!(rack_response[1], key, value)
+        elsif rack_response.is_a?(Rack::Response)
+          rack_response.set_header(key, value)
         end
       end
 
@@ -122,26 +121,26 @@ module Contrast
       # We should not extract it out as a variable here, or we'll miss those
       # changes.
       def body
-        return unless @rack_response
+        return unless rack_response
 
-        body_content = @is_array ? @rack_response[2] : @rack_response.body
+        body_content = @is_array ? rack_response[2] : rack_response.body
         extract_body(body_content)
       end
 
       def update_body body_string
-        return unless @rack_response
+        return unless rack_response
 
         successfully_updated_body = true
         if @is_array
-          if @rack_response[2].is_a?(Rack::BodyProxy)
+          if rack_response[2].is_a?(Rack::BodyProxy)
             successfully_updated_body = update_rack_body_proxy(body_string, true)
           else
-            @rack_response[2] = [body_string]
+            rack_response[2] = [body_string]
           end
-        elsif @rack_response.body.is_a?(Rack::BodyProxy)
+        elsif rack_response.body.is_a?(Rack::BodyProxy)
           successfully_updated_body = update_rack_body_proxy(body_string)
         else
-          @rack_response.body = body_string
+          rack_response.body = body_string
         end
         update_content_length(body_string.bytesize) if successfully_updated_body
       end
@@ -159,7 +158,7 @@ module Contrast
       HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
 
       def update_rack_body_proxy body_string, is_array = false
-        top_body_proxy = is_array ? @rack_response[2] : @rack_response
+        top_body_proxy = is_array ? rack_response[2] : rack_response
         parent_body_proxy = top_body_proxy
         until (next_body = parent_body_proxy.instance_variable_get(:@body)).cs__class != Rack::BodyProxy
           parent_body_proxy = next_body
@@ -175,7 +174,7 @@ module Contrast
           new_body = ActionView::OutputBuffer.new(body_string)
           next_body[0] = new_body
         else
-          logger.warn("Detected unsupported Rack::BodyProxy internal response class #{ next_body.cs__class }")
+          logger.warn('Detected unsupported Rack::BodyProxy internal response class', module: next_body.cs__class)
           return false
         end
         true
@@ -195,13 +194,7 @@ module Contrast
           # not sure what to do in this situation, so don't do anything.
           nil
         elsif body.is_a?(Rack::BodyProxy)
-          next_body = body.instance_variable_get(:@body)
-          case next_body
-          when Array
-            extract_body(next_body[0])
-          else
-            extract_body(next_body)
-          end
+          handle_rack_body_proxy(body)
         elsif defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)
           extract_body(body.body)
         elsif body.is_a?(Rack::Response)
@@ -218,6 +211,16 @@ module Contrast
         end
       end
 
+      def handle_rack_body_proxy body
+        next_body = body.instance_variable_get(:@body)
+        case next_body
+        when Array
+          extract_body(next_body[0])
+        else
+          extract_body(next_body)
+        end
+      end
+
       def read_or_string obj
         return nil unless obj
 

data/lib/contrast/agent/rewriter.rb

@@ -57,20 +57,28 @@ module Contrast
         rescue SyntaxError, StandardError => e
           opener = nil
           mod ||= module_data.mod
-          logger.debug(e, "Reopening #{ mod } threw a handled exception - skipping rewriting")
+          logger.debug('Reopening threw a handled exception - skipping rewriting', e, module: module_data.name)
           status ||= Contrast::Agent::Patching::Policy::PatchStatus.get_status(mod)
           status.failed_rewrite!
         ensure
           with_contrast_scope do
             opener&.commit_patches
           end
-          logger.debug(
-              nil,
-              "Rewriting #{ module_data.name } resulted in #{ Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod).rewrite_status }")
+          logger.trace('Rewriting complete',
+                       module: module_data.name,
+                       result: Contrast::Agent::Patching::Policy::PatchStatus.get_status(
+                           module_data.mod).rewrite_status)
         end
 
         private
 
+        def location_available? location
+          return unless location
+          return false if location.empty? || location[0].empty? || location[0].include?('eval')
+
+          true
+        end
+
         def rewrite_all_methods opener, clazz, methods, type
           methods.each do |method|
             # Skip contrast woven methods.
@@ -93,19 +101,23 @@ module Contrast
           return nil if method_instance.nil?
 
           location = method_instance.source_location
-          return nil if location.nil?
-          return nil if location.empty? || location[0].empty? || location[0].include?('eval')
+          return nil unless location_available?(location)
           return nil if opener.written_from_location?(location)
 
           opener.written_from_location!(location)
           opener.source_code(location, method_name)
         rescue SyntaxError
-          logger.debug(nil, "SyntaxError: Can't parse method source from #{ clazz }##{ method_name }")
+          logger.debug('Can\'t parse method source', error: 'SyntaxError', module: clazz.cs__name, method: method_name)
         rescue StandardError => e
           if defined?(MethodSource) && defined?(MethodSource::SourceNotFoundError)
-            logger.debug(nil, "SourceNotFoundError: Can't parse method source from #{ clazz }##{ method_name }")
+            logger.debug(
+                'Can\'t parse method source',
+                e,
+                error: 'SourceNotFoundError',
+                module: clazz.cs__name,
+                method: method_name)
           else
-            logger.debug(e, "Method source lookup of #{ clazz }##{ method_name } failed")
+            logger.debug('Can\'t lookup method source', module: clazz.cs__name, method: method_name)
           end
         end
 
@@ -146,7 +158,7 @@ module Contrast
             opener.private_instance_methods << new_method_source
           end
         rescue StandardError => e
-          logger.debug(e, "Error in rewriter class_eval for of #{ clazz }##{ method }")
+          logger.debug('Can\'t rewrite in class_eval', e, module: clazz.cs__name, method: method)
         end
 
         def rewrite_method original_source_code