RubyGems - contrast-agent - Versions diffs - 3.11.0 → 3.12.0 - Mend

contrast-agent 3.11.0 → 3.12.0

Files changed (217) hide show

checksums.yaml +4 -4
data/.flayignore +1 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.c +7 -2
data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
data/ext/cs__assess_array/cs__assess_array.c +2 -1
data/ext/cs__assess_array/cs__assess_array.h +1 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +3 -7
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_module/cs__assess_module.c +5 -7
data/ext/cs__assess_module/cs__assess_module.h +3 -0
data/ext/cs__common/cs__common.c +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +4 -2
data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
data/funchook/autom4te.cache/output.0 +13 -1
data/funchook/autom4te.cache/requests +49 -48
data/funchook/autom4te.cache/traces.0 +3 -0
data/funchook/config.log +217 -378
data/funchook/config.status +24 -23
data/funchook/configure +13 -1
data/funchook/src/Makefile +7 -7
data/funchook/src/config.h +2 -2
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.so +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +2 -2
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.o +0 -0
data/lib/contrast.rb +0 -1
data/lib/contrast/agent.rb +19 -22
data/lib/contrast/agent/assess.rb +0 -9
data/lib/contrast/agent/assess/policy/patcher.rb +1 -0
data/lib/contrast/agent/assess/policy/policy_node.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/propagation_method.rb +3 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -7
data/lib/contrast/agent/assess/policy/trigger_node.rb +4 -1
data/lib/contrast/agent/assess/rule/base.rb +0 -15
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +22 -5
data/lib/contrast/agent/assess/rule/redos.rb +0 -1
data/lib/contrast/agent/at_exit_hook.rb +2 -2
data/lib/contrast/agent/class_reopener.rb +9 -4
data/lib/contrast/agent/exclusion_matcher.rb +0 -1
data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/middleware.rb +38 -34
data/lib/contrast/agent/patching/policy/after_load_patch.rb +11 -2
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +51 -56
data/lib/contrast/agent/patching/policy/patch.rb +2 -1
data/lib/contrast/agent/patching/policy/patcher.rb +10 -12
data/lib/contrast/agent/patching/policy/policy_node.rb +1 -1
data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
data/lib/contrast/agent/protect/policy/policy.rb +6 -6
data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
data/lib/contrast/agent/protect/rule.rb +0 -5
data/lib/contrast/agent/protect/rule/base.rb +6 -5
data/lib/contrast/agent/protect/rule/cmd_injection.rb +3 -3
data/lib/contrast/agent/protect/rule/path_traversal.rb +2 -7
data/lib/contrast/agent/protect/rule/sqli.rb +4 -4
data/lib/contrast/agent/railtie.rb +1 -0
data/lib/contrast/agent/request.rb +2 -6
data/lib/contrast/agent/request_context.rb +5 -6
data/lib/contrast/agent/request_handler.rb +2 -2
data/lib/contrast/agent/response.rb +0 -69
data/lib/contrast/agent/service_heartbeat.rb +2 -2
data/lib/contrast/agent/socket_client.rb +8 -8
data/lib/contrast/agent/static_analysis.rb +2 -3
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/speedracer.rb +1 -1
data/lib/contrast/components/agent.rb +17 -12
data/lib/contrast/components/app_context.rb +33 -1
data/lib/contrast/components/assess.rb +25 -15
data/lib/contrast/components/contrast_service.rb +23 -67
data/lib/contrast/components/interface.rb +4 -12
data/lib/contrast/components/inventory.rb +5 -1
data/lib/contrast/components/logger.rb +2 -2
data/lib/contrast/components/protect.rb +40 -4
data/lib/contrast/components/scope.rb +2 -52
data/lib/contrast/components/settings.rb +24 -18
data/lib/contrast/config/protect_rules_configuration.rb +0 -1
data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -14
data/lib/contrast/extension/assess/array.rb +77 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +2 -2
data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -0
data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +1 -1
data/lib/contrast/{extensions/ruby_core → extension}/assess/fiber.rb +6 -5
data/lib/contrast/{extensions/ruby_core → extension}/assess/hash.rb +2 -2
data/lib/contrast/extension/assess/kernel.rb +110 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/regexp.rb +4 -4
data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +5 -5
data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
data/lib/contrast/extension/kernel.rb +54 -0
data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
data/lib/contrast/extension/protect/kernel.rb +44 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
data/lib/contrast/framework/base_support.rb +22 -0
data/lib/contrast/framework/manager.rb +33 -8
data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
data/lib/contrast/framework/rack/patch/support.rb +24 -0
data/lib/contrast/framework/rack/support.rb +22 -0
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
data/lib/contrast/framework/rails/patch/support.rb +67 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
data/lib/contrast/framework/rails/support.rb +115 -0
data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
data/lib/contrast/framework/sinatra/support.rb +109 -0
data/lib/contrast/logger/application.rb +80 -0
data/lib/contrast/{agent/logger.rb → logger/log.rb} +23 -54
data/lib/contrast/logger/time.rb +50 -0
data/lib/contrast/tasks/config.rb +54 -0
data/lib/contrast/tasks/service.rb +1 -5
data/lib/contrast/utils/class_util.rb +1 -1
data/lib/contrast/utils/gemfile_reader.rb +2 -2
data/lib/contrast/utils/hash_digest.rb +2 -7
data/lib/contrast/utils/invalid_configuration_util.rb +3 -3
data/lib/contrast/utils/job_servers_running.rb +4 -2
data/lib/contrast/utils/object_share.rb +0 -1
data/lib/contrast/utils/service_response_util.rb +14 -12
data/lib/contrast/utils/service_sender_util.rb +78 -21
data/resources/assess/policy.json +9 -50
data/resources/inventory/policy.json +2 -2
data/resources/protect/policy.json +6 -6
data/ruby-agent.gemspec +5 -1
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +69 -83
data/funchook/src/libfunchook.dylib +0 -0
data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +0 -20
data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -53
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -136
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
data/lib/contrast/agent/feature_state.rb +0 -346
data/lib/contrast/agent/protect/rule/csrf.rb +0 -119
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -100
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
data/lib/contrast/agent/settings_state.rb +0 -88
data/lib/contrast/api/decorators/exclusion.rb +0 -20
data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
data/lib/contrast/extensions/framework/rack/request.rb +0 -24
data/lib/contrast/extensions/framework/rack/response.rb +0 -23
data/lib/contrast/extensions/framework/rails/action_controller_inheritance.rb +0 -39
data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -58
data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -96
data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -78
data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -51
data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -61
data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -50
data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -66
data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -115
data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -53
data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -127
data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
data/lib/contrast/extensions/ruby_core/protect/rule_applicator.rb +0 -50
data/lib/contrast/framework/rails_support.rb +0 -104
data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
data/lib/contrast/framework/sinatra_support.rb +0 -104
data/lib/contrast/utils/data_store_util.rb +0 -23
data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
data/lib/contrast/utils/random_util.rb +0 -22
data/resources/csrf/inject.js +0 -44

data/lib/contrast/utils/data_store_util.rb DELETED

@@ -1,23 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-module Contrast
-  module Utils
-    # Utility class used to determine information about the current data store
-    # on which a query was executed or to which the application is connected.
-    module DataStoreUtil
-      def self.report_data_store data_store
-        return unless data_store
-        context = Contrast::Agent::REQUEST_TRACKER.current
-        return unless context&.activity
-        context.activity.technologies[data_store] = true
-        context.activity.query_count += 1
-        return unless context.activity.query_count == 1
-        Contrast::Utils::InventoryUtil.append_db_config(context.activity)
-      end
-    end
-  end
-end

data/lib/contrast/utils/rack_assess_session_cookie.rb DELETED

@@ -1,104 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/components/interface'
-module Contrast
-  module Utils
-    # This module is used to analyze non-rails session storage configuration for assess vulnerabilities
-    module RackAssessSessionCookie
-      include Contrast::Components::Interface
-      access_component :analysis, :logging, :scope
-      CS__SECURE_RULE_NAME = 'secure-flag-missing'
-      CS__HTTPONLY_NAME = 'rails-http-only-disabled'
-      CS__SESSION_TIMEOUT_NAME = 'session-timeout'
-      SAFE_SESSION_TIMEOUT = (30 * 60 * 60)
-      class << self
-        include Contrast::Utils::InvalidConfigurationUtil
-        def analyze_cookie_initialization options
-          return if PROTECT.enabled?
-          apply_session_timeout(options)
-          apply_httponly(options)
-          apply_secure_session(options)
-        end
-        def vulnerable_setting?(setting_key,
-                                safe_settings_value,
-                                options, safe_default: true,
-                                comparison_type: nil)
-          # In most cases, Rack is pretty nice and the default value is safe
-          return !safe_default unless options&.key?(setting_key)
-          value = options[setting_key]
-          return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
-          value != safe_settings_value
-        end
-        def apply_secure_session options
-          return unless vulnerable_setting?(
-              :secure,
-              true,
-              options,
-              safe_default: false)
-          with_contrast_scope do
-            cs__report_finding(
-                CS__SECURE_RULE_NAME,
-                options,
-                caller_locations(10, 9)[0])
-          end
-        rescue StandardError => e
-          begin
-            logger.error('Unable to track call to secure session', e)
-          rescue StandardError
-            nil
-          end
-        end
-        def apply_session_timeout options
-          return unless vulnerable_setting?(:expire_after,
-                                            SAFE_SESSION_TIMEOUT,
-                                            options,
-                                            safe_default: false,
-                                            comparison_type: :greater_than)
-          with_contrast_scope do
-            cs__report_finding(
-                CS__SESSION_TIMEOUT_NAME,
-                options,
-                caller_locations(10, 9)[0])
-          end
-        rescue StandardError => e
-          begin
-            logger.error('Unable to track call to set session timeout', e)
-          rescue StandardError
-            nil
-          end
-        end
-        def apply_httponly options
-          return unless vulnerable_setting?(:httponly, true, options)
-          with_contrast_scope do
-            cs__report_finding(
-                CS__HTTPONLY_NAME,
-                options,
-                caller_locations(10, 9)[0])
-          end
-        rescue StandardError => e
-          begin
-            logger.error('Unable to track call to httponly', e)
-          rescue StandardError
-            nil
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/rails_assess_configuration.rb DELETED

@@ -1,95 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/components/interface'
-module Contrast
-  module Utils
-    # This module is used to analyze rails session storage configuration for assess vulnerabilities
-    module RailsAssessConfiguration
-      include Contrast::Components::Interface
-      access_component :analysis, :logging, :scope
-      CS__SESSION_TIMEOUT_NAME = 'session-timeout'
-      SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
-      CS__SECURE_RULE_NAME = 'secure-flag-missing'
-      CS__HTTPONLY_RULE_NAME = 'rails-http-only-disabled'
-      class << self
-        include Contrast::Utils::InvalidConfigurationUtil
-        def analyze_session_store *args
-          return if PROTECT.enabled?
-          apply_httponly_disabled(*args)
-          apply_secure_cookie_disabled(*args)
-          apply_session_timeout(*args)
-        end
-        def vulnerable_setting? setting_key, safe_settings_value, original_args, safe_default: true, comparison_type: nil
-          # In most cases, Rails is pretty nice and the default value is safe
-          return !safe_default unless original_args && original_args.length > 1
-          # If the user overrode some args, but not ours, fall back on the default
-          rails_session_settings = original_args[1]
-          return !safe_default unless rails_session_settings&.key?(setting_key)
-          value = rails_session_settings[setting_key]
-          return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
-          value != safe_settings_value
-        end
-        def apply_session_timeout *args
-          return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
-          return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
-          rails_session_settings = args[1]
-          with_contrast_scope do
-            cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(5, 4)[0])
-          end
-        rescue StandardError => e
-          begin
-            logger.error('Unable to track call to set session timeout', e)
-          rescue StandardError
-            nil
-          end
-        end
-        def apply_secure_cookie_disabled *args
-          return if ASSESS.rule_disabled? CS__SECURE_RULE_NAME
-          return unless vulnerable_setting?(:secure, true, args)
-          rails_session_settings = args[1]
-          with_contrast_scope do
-            cs__report_finding(CS__SECURE_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
-          end
-        rescue StandardError => e
-          begin
-            logger.error('Unable to track call to disable secure cookies', e)
-          rescue StandardError
-            nil
-          end
-        end
-        def apply_httponly_disabled *args
-          return if ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
-          return unless vulnerable_setting?(:httponly, true, args)
-          rails_session_settings = args[1]
-          with_contrast_scope do
-            cs__report_finding(CS__HTTPONLY_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
-          end
-        rescue StandardError => e
-          begin
-            logger.error('Unable to track call to disable httponly in session cookie', e)
-          rescue StandardError
-            nil
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/random_util.rb DELETED

@@ -1,22 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'securerandom'
-module Contrast
-  module Utils
-    # Utilites for generating random strings
-    class RandomUtil
-      RANDOM_CHARS = (('0'..'9').to_a + ('A'..'Z').to_a).cs__freeze
-      RANDOM_LENGTH = RANDOM_CHARS.length
-      def self.secure_random_string len
-        arr = []
-        len.to_i.times do
-          arr << RANDOM_CHARS[SecureRandom.random_number(RANDOM_LENGTH)]
-        end
-        arr.join
-      end
-    end
-  end
-end

data/resources/csrf/inject.js DELETED

@@ -1,44 +0,0 @@
-<script>
-  function _contrast_isSameOrigin(action) {
-    var thisDomain = document.domain;
-    var parser = document.createElement('a');
-    parser.href = action;
-    return parser.hostname == thisDomain;
-  }
-  function _contrast_addTokenToForms() {
-    for(var i=0;i<document.forms.length;i++) {
-      var form = document.forms[i];
-      var action = form.action;
-      if(!!action || _contrast_isSameOrigin(action)) {
-        if(!form._contrast_tokenized) {
-          var input = document.createElement("input");
-          input.setAttribute("type", "hidden");
-          input.setAttribute("name", "!TOKEN_NAME!");
-          input.setAttribute("value", "!TOKEN_VALUE!");
-          form.appendChild(input);
-          form._contrast_tokenized = true;
-        }
-      }
-    }
-  }
-  (function() {_contrast_addTokenToForms();})();
-  var _contrast_watchNewForms = (function() {
-    var MutationObserver = window.MutationObserver || window.WebKitMutationObserver, eventListenerSupported = window.addEventListener;
-    return function(obj, callback) {
-      if(MutationObserver) {
-        var obs = new MutationObserver(function(mutations, observer) {
-          if( mutations[0].addedNodes.length )
-            callback();
-        });
-        obs.observe(obj, { childList:true, subtree:true });
-      } else if(eventListenerSupported) {
-        obj.addEventListener('DOMNodeInserted', callback, false);
-      }
-    }
-  })();
-  _contrast_watchNewForms(document.body, function() { _contrast_addTokenToForms(); });
-</script>