contrast-agent 3.11.0 → 3.12.0

data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb

@@ -1,28 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        class Csrf
-          # CSRF is only reported on those Requests which also result in a
-          # state changing action (database call). This class servers as a
-          # record of that action.
-          class CsrfAction
-            attr_accessor :type, :evidence
-
-            TYPE = 'type'
-            EVIDENCE = 'evidence'
-            def to_h
-              {
-                  TYPE => type,
-                  EVIDENCE => evidence
-              }
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb

@@ -1,53 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/components/interface'
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        class Csrf
-          # This class is called by our patches to determine if a CSRF
-          # vulnerability exists within an application. It is used through a
-          # CUSTOM propagation in order to capture that a Database call was
-          # made in response to a request that did not have the Contrast CSRF
-          # token.
-          class CsrfApplicator
-            include Contrast::Components::Interface
-            access_component :analysis, :logging, :scope
-
-            class << self
-              def csrf_tagger patcher, preshift, _ret, _block
-                return unless rule&.enabled?
-
-                idx = patcher.sources[0].to_i
-                args = preshift.args
-                return unless args&.length.to_i > idx
-
-                sql = args[idx]
-                return unless sql
-
-                with_contrast_scope do
-                  rule.record_db_state_change(
-                      Contrast::Agent::REQUEST_TRACKER.current,
-                      sql)
-                end
-              rescue StandardError => e
-                logger.warn('Error running CSRF assess rule', e)
-              end
-
-              private
-
-              def rule
-                @_rule ||= Contrast::Agent::FeatureState.instance.assess_rule(
-                    Contrast::Agent::Assess::Rule::Csrf::NAME)
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb

@@ -1,136 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-cs__scoped_require 'contrast/agent/assess/rule/response_watcher'
-cs__scoped_require 'contrast/components/interface'
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        class Csrf
-          # Watchers are how those Rules which do not act on dataflow function.
-          # This one is used by the CSRF rule to determine if a request was
-          # made in a way that is susceptible to a CSRF attack.
-          class Watcher < Contrast::Agent::Assess::Rule::ResponseWatcher
-            include Contrast::Components::Interface
-            access_component :logging
-
-            def supports? context
-              return false unless super(context)
-              return false unless user_agent?(context)
-              return false unless form_content_type?(context)
-              return false unless form_method?(context)
-              return false if empty_get?(context)
-
-              true
-            end
-
-            X_REQUESTED_WITH = 'X-REQUESTED-WITH'
-            # ignore this request if X-Requested-With is set
-            def x_requested_with? context
-              !context.request.normalized_request_headers[X_REQUESTED_WITH].nil?
-            end
-
-            USER_AGENT = 'USER-AGENT'
-            # ignore this request if User-Agent is NOT set
-            # since that indicates this isn't a browser interaction
-            def user_agent? context
-              !context.request.normalized_request_headers[USER_AGENT].nil?
-            end
-
-            CONTENT_TYPE = 'CONTENT-TYPE'
-            FORM_TYPES = %w[
-              text/plain
-              multipart/form-data
-              application/x-www-form-urlencoded
-            ].cs__freeze
-            # ignore this request if the Content-Type is NOT set
-            # to a form content type
-            def form_content_type? context
-              type = context.request.content_type
-              # We need to account for the charset being part of the header. It doesn't
-              # affect how we determine CSRF-ability or not
-              type = type.split(Contrast::Utils::ObjectShare::SEMICOLON)[0] if type
-              FORM_TYPES.include?(type)
-            end
-
-            FORM_METHODS = %w[GET POST].cs__freeze
-            # ignore this request if the request method
-            # is not one that can be set with forms
-            def form_method? context
-              FORM_METHODS.include?(context.request.request_method)
-            end
-
-            GET = 'GET'
-            # ignore this request if the method is get
-            # and the query string is empty
-            def empty_get? context
-              request = context.request
-              request.request_method ==
-                  GET &&
-                  (request.query_string.nil? || request.query_string.empty?)
-            end
-
-            # If a parameter contains 'csrf' or 'token', we consider
-            # it to be a guard against CSRF and therefore determine
-            # that this request is not vulnerable.
-            CSRF_PATTERN = /csrf/i.cs__freeze
-            TOKEN_PATTERN = /token/i.cs__freeze
-            def vulnerable? context
-              # having the property 'csrf.token.checked' indicates
-              # that a CSRF check was preformed at some point during
-              # this request, so we consider it to not be vulnerable
-              return false if context.get_property(CHECKED)
-
-              params = context.request.parameters
-              params.each_key do |key|
-                return false if key.match?(CSRF_PATTERN)
-                return false if key.match?(TOKEN_PATTERN) && looks_like_token?(params[key])
-              end
-              # having no actions means there's no vulnerability
-              return false unless context.get_property(STATE_CHANGING_ACTIONS_KEY)&.any?
-
-              true
-            end
-
-            MINIMUM_CSRF_TOKEN_SIZE = 8
-            MAXIMUM_CSRF_TOKEN_SIZE = 24
-            TOKEN_REGEXP = /^[A-Za-z0-9]*$/.cs__freeze
-            def looks_like_token? value
-              return false unless value
-
-              values = [value]
-              values.each do |parameter|
-                next unless parameter
-
-                length = parameter.length
-                next if length < MINIMUM_CSRF_TOKEN_SIZE
-                next if length > MAXIMUM_CSRF_TOKEN_SIZE
-                return true if parameter.match?(TOKEN_REGEXP)
-              end
-              false
-            end
-
-            DATA_KEY = 'actions'
-            def build_finding context
-              actions = context.get_property(STATE_CHANGING_ACTIONS_KEY)
-              return if actions.nil? || actions.empty?
-
-              string = actions.map(&:to_h).to_json
-              finding = Contrast::Api::Dtm::Finding.new
-              finding.rule_id = Contrast::Agent::Assess::Rule::Csrf::NAME
-              finding.session_id = Contrast::Agent::FeatureState.instance.current_session_id
-              hash_code = Contrast::Utils::HashDigest.generate_response_hash(finding)
-              finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
-              finding.properties[DATA_KEY] = Contrast::Utils::StringUtils.force_utf8(string)
-              finding
-            rescue StandardError => e
-              logger.error('Unable to build a finding for CSRF', e)
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/rule/response_scanning_rule.rb

@@ -1,47 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        # Those rules which function by scanning the Response body in order to
-        # detect vulnerabilities. These rules should each have their own
-        # Contrast::Agent::Assess::RuleResponseWatcher.
-        #
-        # Note: Most have been moved to the Service, as they typically watch
-        #   the Request or Response bodies, parsing out vulnerabilities
-        #   therein. CSRF is an exception to this as the rule requires a change
-        #   to the Response body to function.
-        class ResponseScanningRule < Contrast::Agent::Assess::Rule::Base
-          def watcher
-            # raise(
-            #     NotImplementedError,
-            #     'A child rule should have overridden the watcher method')
-          end
-
-          def stream_safe?
-            false
-          end
-
-          def generate_hash finding
-            Contrast::Utils::HashDigest.generate_response_hash(finding)
-          end
-
-          def postfilter context
-            findings = watcher.postfilter(context) if watcher && context
-            return unless findings
-
-            if findings.is_a?(Array)
-              findings.each do |finding|
-                send_report(finding) if finding
-              end
-            else
-              send_report(findings)
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/rule/response_watcher.rb

@@ -1,36 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        # A watcher focused on the Response body, parsing out vulnerabilities
-        # therein.
-        #
-        # Note: Most have been moved to the Service, as they typically watch
-        #   the Request or Response bodies, parsing out vulnerabilities
-        #   therein. CSRF is an exception to this as the rule requires a change
-        #   to the Response body to function.
-        class ResponseWatcher < Contrast::Agent::Assess::Rule::Watcher
-          def postfilter context
-            return unless supports?(context)
-            return unless vulnerable?(context)
-
-            build_finding(context)
-          end
-
-          def vulnerable? _context
-            raise(
-                NotImplementedError,
-                'A child rule should have overridden the vulnerable? method')
-          end
-
-          def build_finding _context
-            Contrast::Api::Dtm::Finding.new
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/rule/watcher.rb

@@ -1,36 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        # Watchers are how those Rules which do not act on dataflow function.
-        #
-        # Note: Most have been moved to the Service, as they typically watch
-        #   the Request or Response bodies, parsing out vulnerabilities
-        #   therein. CSRF is an exception to this as the rule requires a change
-        #   to the Response body to function.
-        class Watcher
-          def supports? context
-            return false if context.request.static_request?
-            return false unless context.response
-            return false if undesired_response_code? context.response.response_code
-            return false if undesired_response_type? context.response.content_type
-
-            true
-          end
-
-          UNDESIRED_RESPONSE_CODES = [301, 302, 307, 404, 410, 500].cs__freeze
-          def undesired_response_code? code
-            UNDESIRED_RESPONSE_CODES.include?(code)
-          end
-
-          def undesired_response_type? _type
-            false
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/feature_state.rb

@@ -1,346 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-cs__scoped_require 'contrast/agent/settings_state'
-cs__scoped_require 'contrast/utils/boolean_util'
-
-module Contrast
-  module Agent
-    # This class functions as a way to query the Agent for its current feature
-    # set without having to expose other sections of code to the decision tree
-    # needed to make that determination.
-    class FeatureState < SettingsState
-      include Singleton
-
-      # FeatureState methods are grouped in modules,
-      # and these modules are organized roughly in ascending order
-      # according to their complexity - where more complex
-      # methods call simpler ones.
-
-      module ConfigWrappers
-        # Wrapper to provide convenience for boolean values, allowing for the
-        # handling of nil defaults that behave like true and other strange
-        # cases.
-        module Booleans
-          include Contrast::Components::Interface
-          access_component :config
-
-          def false? config
-            Contrast::Utils::BooleanUtil.false?(config)
-          end
-
-          def true? config
-            Contrast::Utils::BooleanUtil.true?(config)
-          end
-
-          def inventory_enabled?
-            @_inventory_enabled = !false?(CONFIG.root.inventory.enable) if @_inventory_enabled.nil?
-            @_inventory_enabled
-          end
-
-          def protect_forcibly_enabled?
-            @_protect_forcibly_enabled = true?(CONFIG.root.protect.enable) if @_protect_forcibly_enabled.nil?
-            @_protect_forcibly_enabled
-          end
-
-          def protect_forcibly_disabled?
-            @_protect_forcibly_disabled = false?(CONFIG.root.protect.enable) if @_protect_forcibly_disabled.nil?
-            @_protect_forcibly_disabled
-          end
-
-          def assess_forcibly_enabled?
-            @_assess_forcibly_enabled = true?(CONFIG.root.assess.enable) if @_assess_forcibly_enabled.nil?
-            @_assess_forcibly_enabled
-          end
-
-          def assess_forcibly_disabled?
-            @_assess_forcibly_disabled = false?(CONFIG.root.assess.enable) if @_assess_forcibly_disabled.nil?
-            @_assess_forcibly_disabled
-          end
-
-          def assess_track_frozen_sources?
-            @_assess_track_frozen_sources = !false?(CONFIG.root.agent.ruby.track_frozen_sources) if @_assess_track_frozen_sources.nil?
-            @_assess_track_frozen_sources
-          end
-
-          def scan_response?
-            @_scan_response = !false?(CONFIG.root.assess.enable_scan_response) if @_scan_response.nil?
-            @_scan_response
-          end
-
-          def omit_body?
-            @_omit_body = true?(CONFIG.root.agent.omit_body) if @_omit_body.nil?
-            @_omit_body
-          end
-
-          def require_scanning_enabled?
-            @_require_scanning_enabled = !false?(CONFIG.root.agent.ruby.require_scan) if @_require_scanning_enabled.nil?
-            @_require_scanning_enabled
-          end
-
-          def service_forcibly_disabled?
-            @_service_forcibly_disabled = false?(CONFIG.root.agent.start_bundled_service) if @_service_forcibly_disabled.nil?
-            @_service_forcibly_disabled
-          end
-
-          def report_any_command_execution?
-            if @_report_any_command_execution.nil?
-              ctrl = protect_rule_config[Contrast::Agent::Protect::Rule::CmdInjection::NAME]
-              @_report_any_command_execution = true?(ctrl.disable_system_commands)
-            end
-            @_report_any_command_execution
-          end
-
-          def report_custom_code_sysfile_access?
-            if @_report_custom_code_sysfile_access.nil?
-              ctrl = protect_rule_config[Contrast::Agent::Protect::Rule::PathTraversal::NAME]
-              @_report_custom_code_sysfile_access = true?(ctrl.detect_custom_code_accessing_system_files)
-            end
-            @_report_custom_code_sysfile_access
-          end
-
-          # Determines if the Process we're currently in matches that of the
-          # Process in which the FeatureState instance was created.
-          # If it doesn't, that indicates the running context is in a new
-          # Process.
-          # @return [Boolean] if we're in the original Process in which the
-          #   FeaturesState instance was initialized.
-          def in_new_process?
-            current_pid = Process.pid
-            original_pid = pid
-            current_pid != original_pid
-          end
-        end
-
-        # Wrapper for configurations regarding assess & protect rules
-        module Parameters
-          include Contrast::Components::Interface
-          access_component :settings, :config
-
-          def protect_rule_config
-            CONFIG.root.protect.rules || []
-          end
-
-          def assess_rule_disabled? name
-            assess_disabled_rules.include? name
-          end
-
-          def protect_rule_enabled? rule_id
-            protect_rule_mode(rule_id).to_sym != :NO_ACTION
-          end
-
-          def assess_tags
-            CONFIG.root.assess&.tags
-          end
-
-          def assess_disabled_rules
-            CONFIG.root.assess&.rules&.disabled_rules || SETTINGS.disabled_assess_rules || []
-          end
-
-          def current_session_id
-            Contrast::Utils::StringUtils.force_utf8(SETTINGS.session_id)
-          end
-
-          def disabled_agent_rake_tasks
-            CONFIG.root.agent.ruby.disabled_agent_rake_tasks
-          end
-
-          def exclusions
-            SETTINGS.exclusion_matchers
-          end
-
-          def code_exclusions
-            exclusions.select(&:code?)
-          end
-        end
-      end
-
-      # Wrapper for the Assess & Protect states
-      module SettingWrappers
-        include Contrast::Components::Interface
-        access_component :settings, :config
-
-        def protect_setting_enabled?
-          SETTINGS.protect_state[:enabled]
-        end
-
-        def assess_setting_enabled?
-          SETTINGS.assess_state[:enabled]
-        end
-      end
-
-      # whether it's connected to the Contrast Service,
-      # whether config succeeded,
-      # whether writable paths are actually writeable, etc.
-      module AgentState
-        # Indicates the status of the Agent - initialized & ready - as well as
-        # the mode(s) in which it is functioning
-        module Operation
-          include Contrast::Components::Interface
-          access_component :agent
-
-          # Return true if the agent is ready to protect the application
-          def agent_ready?
-            AGENT.enabled? && connection_established? && update_received?
-          end
-
-          def protect_enabled?
-            return false unless AGENT.enabled?
-
-            # config overrides if forcibly set
-            return false if protect_forcibly_disabled?
-            return true  if protect_forcibly_enabled?
-
-            !!protect_setting_enabled?
-          end
-
-          def assess_enabled?
-            return false unless AGENT.enabled?
-
-            # config overrides if forcibly set
-            return false if assess_forcibly_disabled?
-            return true  if assess_forcibly_enabled?
-
-            !!assess_setting_enabled?
-          end
-        end
-
-        # Wrapper for the state of our Service settings and a way to access the
-        # Contrast::Agent::SocketClient responsible for interactions between
-        # the Agent & Service.
-        module Service
-          include Contrast::Components::Interface
-          access_component :agent
-
-          def service_enabled?
-            AGENT.enabled? && !service_forcibly_disabled?
-          end
-
-          def client
-            @_client ||= Contrast::Agent::SocketClient.new
-          end
-
-          # Return true if the agent has connected with the service
-          def connection_established?
-            client.connection_established?
-          end
-
-          # Return true if the agent has processed a response from the service
-          def update_received?
-            !@last_update.nil?
-          end
-        end
-      end
-
-      # 'Controls' synthesize all of the above into parameter sets.
-      # These can have more complex logic.
-      module Controls
-        include Contrast::Components::Interface
-        access_component :config
-
-        DEFAULT_LOG_FILENAME = 'contrast_service.log'
-        def service_control
-          @_service_control ||= {
-              host: CONFIG.root.agent.service.host || Contrast::Configuration::DEFAULT_HOST,
-              port: CONFIG.root.agent.service.port || Contrast::Configuration::DEFAULT_PORT,
-              socket_path: CONFIG.root.agent.service.socket,
-              logger_path: CONFIG.root.agent.service.logger.path || DEFAULT_LOG_FILENAME
-          }
-        end
-
-        def exception_control
-          @_exception_control ||= {
-              enable: true?(CONFIG.root.agent.ruby.exceptions.capture),
-              status: CONFIG.root.agent.ruby.exceptions.override_status || 403,
-              message: CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
-          }
-        end
-      end
-
-      # Wrapper for the state of our diagnostics settings
-      module Diagnostic
-        include Contrast::Components::Interface
-        access_component :config
-
-        def uninstrument_namespaces
-          tmp = CONFIG.root.agent.ruby.uninstrument_namespace.map(&:to_sym)
-          tmp.select! { |sym| Object.cs__const_defined?(sym) }
-          tmp.map!    { |sym| Object.cs__const_get(sym) }
-          tmp
-        end
-      end
-
-      # Wrapper for the state of our logging settings and holder for utility
-      # methods for logging state.
-      module Logging
-        include Contrast::Components::Interface
-        access_component :config, :logging
-
-        ENV_KEYS = %w[HOME PWD RACK_ENV RAILS_ENV RUBY_VERSION GEM_HOME GEM_PATH].cs__freeze
-        # Utility method to log some current ruby and rails information from environment
-        def log_environment
-          return unless logger.info?
-
-          logger.info('Process environment information',
-                      p_id: Process.pid,
-                      pp_id: Process.ppid,
-                      agent_version: Contrast::Agent::VERSION)
-          ENV.each do |env_key, env_value|
-            env_key = env_key.to_s
-            next unless ENV_KEYS.include?(env_key) ||
-                (env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) &&
-                    !env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER + 'API'))
-
-            logger.info('Environment settings', key: env_key, value: env_value)
-          end
-        end
-
-        def log_configuration
-          return unless logger.info?
-
-          loggable = CONFIG.raw.send(:load_config)
-          loggable.delete('api')
-          logger.info('Current configuration', configruation: JSON.pretty_generate(loggable))
-        end
-
-        FRAMEWORKS = %w[rails sinatra grape].cs__freeze
-        WEB_SERVERS = %w[agoo falcon hoof iodine mongrel mongrel2 passenger puma rack skinny thin trinidad unicorn webrick yarn].cs__freeze
-        LIBRARIES = %w[excon json mongo moped mysql nokogiri oga ox pg psych sqlite3 typhoeus yaml].cs__freeze
-        def log_specific_libraries
-          FRAMEWORKS.each(&cs__method(:log_gem_data))
-          WEB_SERVERS.each(&cs__method(:log_gem_data))
-          LIBRARIES.each(&cs__method(:log_gem_data))
-        end
-
-        def log_all_libraries
-          return unless logger.debug?
-
-          Gem.loaded_specs.each_pair do |_name, gem_spec|
-            logger.debug('Gem loaded',
-                         gem_name: gem_spec.name,
-                         gem_version: gem_spec.version.to_s)
-          end
-        end
-
-        def log_gem_data gem_name
-          gem_spec = Gem.loaded_specs[gem_name]
-          return unless gem_spec
-
-          logger.info('Gem loaded',
-                      gem_name: gem_spec.name,
-                      gem_version: gem_spec.version.to_s)
-        end
-      end
-
-      # Methods that query the config.
-      include ConfigWrappers::Booleans    # These check boolean config options.
-      include ConfigWrappers::Parameters  # These check against the config and return parameters.
-      include SettingWrappers             # Methods that query settings from TeamServer.
-      include AgentState::Operation       # Enable/disable the agent, ask if the agent can run.
-      include AgentState::Service         # Agent's client that talks to the service.
-      include Controls                    # Syntheses of the above.
-      include Diagnostic                  # Misc.
-      include Logging                     # Logging.
-    end
-  end
-end