RubyGems - contrast-agent - Versions diffs - 3.11.0 → 3.13.1 - Mend

contrast-agent 3.11.0 → 3.13.1

Files changed (298) hide show

checksums.yaml +4 -4
data/.dockerignore +0 -1
data/.flayignore +1 -0
data/.gitignore +1 -1
data/.simplecov +1 -1
data/Rakefile +31 -0
data/ext/build_funchook.rb +0 -2
data/ext/cs__assess_active_record_named/cs__active_record_named.c +7 -2
data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
data/ext/cs__assess_array/cs__assess_array.c +2 -1
data/ext/cs__assess_array/cs__assess_array.h +1 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +3 -7
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +2 -8
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +0 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_module/cs__assess_module.c +5 -7
data/ext/cs__assess_module/cs__assess_module.h +3 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -6
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -5
data/ext/cs__assess_yield_track/cs__assess_yield_track.h +0 -1
data/ext/cs__common/cs__common.c +25 -1
data/ext/cs__common/cs__common.h +3 -0
data/ext/cs__common/extconf.rb +0 -14
data/ext/cs__protect_kernel/cs__protect_kernel.c +4 -2
data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
data/ext/extconf_common.rb +0 -28
data/lib/contrast.rb +3 -2
data/lib/contrast/agent.rb +33 -24
data/lib/contrast/agent/assess.rb +0 -9
data/lib/contrast/agent/assess/contrast_event.rb +28 -167
data/lib/contrast/agent/assess/events/source_event.rb +3 -7
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +1 -1
data/lib/contrast/agent/assess/policy/patcher.rb +1 -0
data/lib/contrast/agent/assess/policy/policy_node.rb +5 -99
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/propagation_method.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_node.rb +5 -1
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
data/lib/contrast/agent/assess/policy/propagator/insert.rb +1 -4
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +9 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +6 -11
data/lib/contrast/agent/assess/policy/propagator/select.rb +4 -4
data/lib/contrast/agent/assess/policy/propagator/split.rb +2 -2
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +4 -4
data/lib/contrast/agent/assess/policy/propagator/trim.rb +6 -10
data/lib/contrast/agent/assess/policy/source_method.rb +1 -2
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +2 -14
data/lib/contrast/agent/assess/policy/trigger_node.rb +20 -5
data/lib/contrast/agent/assess/properties.rb +4 -382
data/lib/contrast/agent/assess/property/evented.rb +78 -0
data/lib/contrast/agent/assess/property/tagged.rb +339 -0
data/lib/contrast/agent/assess/rule/base.rb +0 -15
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +5 -6
data/lib/contrast/agent/assess/rule/redos.rb +0 -1
data/lib/contrast/agent/assess/tag.rb +27 -12
data/lib/contrast/agent/at_exit_hook.rb +4 -2
data/lib/contrast/agent/class_reopener.rb +9 -4
data/lib/contrast/agent/exclusion_matcher.rb +2 -3
data/lib/contrast/agent/inventory/policy/datastores.rb +53 -0
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/middleware.rb +36 -44
data/lib/contrast/agent/patching/policy/after_load_patch.rb +11 -2
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +51 -56
data/lib/contrast/agent/patching/policy/patch.rb +3 -2
data/lib/contrast/agent/patching/policy/patcher.rb +10 -12
data/lib/contrast/agent/patching/policy/policy.rb +3 -3
data/lib/contrast/agent/patching/policy/policy_node.rb +3 -3
data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
data/lib/contrast/agent/protect/policy/policy.rb +6 -6
data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
data/lib/contrast/agent/protect/rule.rb +0 -5
data/lib/contrast/agent/protect/rule/base.rb +25 -36
data/lib/contrast/agent/protect/rule/base_service.rb +1 -1
data/lib/contrast/agent/protect/rule/cmd_injection.rb +3 -3
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -7
data/lib/contrast/agent/protect/rule/path_traversal.rb +2 -7
data/lib/contrast/agent/protect/rule/sqli.rb +4 -4
data/lib/contrast/agent/protect/rule/xxe.rb +1 -0
data/lib/contrast/agent/railtie.rb +1 -0
data/lib/contrast/agent/reaction_processor.rb +3 -3
data/lib/contrast/agent/request.rb +91 -334
data/lib/contrast/agent/request_context.rb +17 -18
data/lib/contrast/agent/request_handler.rb +2 -2
data/lib/contrast/agent/response.rb +2 -83
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +8 -10
data/lib/contrast/agent/static_analysis.rb +2 -3
data/lib/contrast/agent/thread_watcher.rb +49 -0
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/agent/worker_thread.rb +24 -0
data/lib/contrast/api.rb +3 -5
data/lib/contrast/api/communication.rb +20 -0
data/lib/contrast/api/communication/connection_status.rb +41 -0
data/lib/contrast/api/communication/messaging_queue.rb +79 -0
data/lib/contrast/{utils/service_response_util.rb → api/communication/response_processor.rb} +15 -22
data/lib/contrast/api/communication/service_lifecycle.rb +61 -0
data/lib/contrast/api/communication/socket.rb +45 -0
data/lib/contrast/api/communication/socket_client.rb +76 -0
data/lib/contrast/api/communication/speedracer.rb +111 -0
data/lib/contrast/api/communication/tcp_socket.rb +31 -0
data/lib/contrast/api/communication/unix_socket.rb +27 -0
data/lib/contrast/api/decorators.rb +10 -0
data/lib/contrast/api/decorators/address.rb +60 -0
data/lib/contrast/api/decorators/application_settings.rb +7 -3
data/lib/contrast/api/decorators/application_update.rb +0 -9
data/lib/contrast/api/decorators/http_request.rb +139 -0
data/lib/contrast/api/decorators/message.rb +75 -0
data/lib/contrast/api/decorators/rasp_rule_sample.rb +28 -0
data/lib/contrast/api/decorators/route_coverage.rb +57 -0
data/lib/contrast/api/decorators/trace_event.rb +99 -0
data/lib/contrast/api/decorators/trace_event_object.rb +57 -0
data/lib/contrast/api/decorators/trace_event_signature.rb +46 -0
data/lib/contrast/api/decorators/trace_taint_range.rb +51 -0
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +109 -0
data/lib/contrast/api/decorators/user_input.rb +40 -0
data/lib/contrast/components/agent.rb +17 -12
data/lib/contrast/components/app_context.rb +27 -2
data/lib/contrast/components/assess.rb +25 -15
data/lib/contrast/components/config.rb +4 -9
data/lib/contrast/components/contrast_service.rb +23 -67
data/lib/contrast/components/interface.rb +5 -13
data/lib/contrast/components/inventory.rb +5 -1
data/lib/contrast/components/logger.rb +2 -2
data/lib/contrast/components/protect.rb +40 -4
data/lib/contrast/components/scope.rb +2 -52
data/lib/contrast/components/settings.rb +18 -18
data/lib/contrast/config/protect_rules_configuration.rb +0 -1
data/lib/contrast/configuration.rb +2 -2
data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
data/lib/contrast/extension/assess/array.rb +77 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +3 -4
data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -0
data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +1 -1
data/lib/contrast/{extensions/ruby_core → extension}/assess/fiber.rb +7 -6
data/lib/contrast/{extensions/ruby_core → extension}/assess/hash.rb +2 -2
data/lib/contrast/extension/assess/kernel.rb +110 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/regexp.rb +4 -4
data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +6 -6
data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -3
data/lib/contrast/extension/kernel.rb +54 -0
data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
data/lib/contrast/extension/protect/kernel.rb +44 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
data/lib/contrast/framework/base_support.rb +22 -23
data/lib/contrast/framework/manager.rb +31 -15
data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
data/lib/contrast/framework/rack/patch/support.rb +24 -0
data/lib/contrast/framework/rack/support.rb +22 -0
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +41 -0
data/lib/contrast/framework/rails/patch/assess_configuration.rb +102 -0
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
data/lib/contrast/framework/rails/patch/support.rb +67 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
data/lib/contrast/framework/rails/support.rb +86 -0
data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
data/lib/contrast/framework/sinatra/support.rb +98 -0
data/lib/contrast/funchook/funchook.rb +45 -0
data/lib/contrast/logger/application.rb +80 -0
data/lib/contrast/logger/format.rb +51 -0
data/lib/contrast/{agent/logger.rb → logger/log.rb} +39 -63
data/lib/contrast/logger/time.rb +50 -0
data/lib/contrast/tasks/config.rb +54 -0
data/lib/contrast/tasks/service.rb +1 -5
data/lib/contrast/utils/assess/tracking_util.rb +45 -20
data/lib/contrast/utils/class_util.rb +4 -2
data/lib/contrast/utils/gemfile_reader.rb +2 -2
data/lib/contrast/utils/hash_digest.rb +13 -9
data/lib/contrast/utils/invalid_configuration_util.rb +2 -18
data/lib/contrast/utils/inventory_util.rb +2 -7
data/lib/contrast/utils/job_servers_running.rb +4 -2
data/lib/contrast/utils/object_share.rb +0 -2
data/lib/contrast/utils/os.rb +16 -4
data/lib/contrast/utils/stack_trace_utils.rb +0 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -14
data/lib/contrast/utils/timer.rb +1 -17
data/resources/assess/policy.json +9 -50
data/resources/inventory/policy.json +2 -2
data/resources/protect/policy.json +6 -6
data/ruby-agent.gemspec +9 -5
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +103 -139
data/funchook/Makefile +0 -29
data/funchook/autom4te.cache/output.0 +0 -4964
data/funchook/autom4te.cache/requests +0 -77
data/funchook/autom4te.cache/traces.0 +0 -361
data/funchook/config.log +0 -651
data/funchook/config.status +0 -1015
data/funchook/configure +0 -4964
data/funchook/src/Makefile +0 -70
data/funchook/src/config.h +0 -101
data/funchook/src/config.h.in +0 -100
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.dylib +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +0 -43
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +0 -20
data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.o +0 -0
data/lib/contrast/agent/assess/adjusted_span.rb +0 -27
data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -53
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -136
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
data/lib/contrast/agent/feature_state.rb +0 -346
data/lib/contrast/agent/protect/rule/csrf.rb +0 -119
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -100
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
data/lib/contrast/agent/settings_state.rb +0 -88
data/lib/contrast/agent/socket_client.rb +0 -134
data/lib/contrast/api/connection_status.rb +0 -49
data/lib/contrast/api/decorators/exclusion.rb +0 -20
data/lib/contrast/api/socket.rb +0 -43
data/lib/contrast/api/speedracer.rb +0 -188
data/lib/contrast/api/tcp_socket.rb +0 -29
data/lib/contrast/api/unix_socket.rb +0 -25
data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
data/lib/contrast/extensions/framework/rack/request.rb +0 -24
data/lib/contrast/extensions/framework/rack/response.rb +0 -23
data/lib/contrast/extensions/framework/rails/action_controller_inheritance.rb +0 -39
data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -58
data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -96
data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -78
data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -51
data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -61
data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -50
data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -66
data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -115
data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -53
data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -127
data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
data/lib/contrast/extensions/ruby_core/protect/rule_applicator.rb +0 -50
data/lib/contrast/framework/rails_support.rb +0 -104
data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
data/lib/contrast/framework/sinatra_support.rb +0 -104
data/lib/contrast/framework/view_technologies_descriptor.rb +0 -21
data/lib/contrast/internal_exception.rb +0 -8
data/lib/contrast/utils/cache.rb +0 -58
data/lib/contrast/utils/data_store_util.rb +0 -23
data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
data/lib/contrast/utils/random_util.rb +0 -22
data/lib/contrast/utils/service_sender_util.rb +0 -110
data/lib/contrast/utils/sinatra_helper.rb +0 -49
data/resources/csrf/inject.js +0 -44

data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb DELETED

@@ -1,40 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/components/interface'
-# This module acts a trigger to handle the special cases of the XPath library gem
-# and the Oga gem. Untrusted data may come into either of the trigger methods from
-# these classes as an array or hash, respectively. Since untrusted user input comes
-# into these triggers as a splat argument or an options hash, we need to iterate
-# thorugh these objects to see if we were tracking on any of them and report a finding
-# if so.
-module XPathLibraryTrigger
-  include Contrast::Components::Interface
-  class << self
-    def xpath_trigger_check context, trigger_node, _source, object, ret, *args
-      return ret unless args
-      # convert the options arg in Oga::XML::CharacterNode#initialize into an
-      # array of its values so we can check if any are unsafe
-      args = args.first.values if oga_defined? && object.cs__is_a?(Oga::XML::CharacterNode) && args.first.cs__is_a?(Hash)
-      args.each do |arg|
-        next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
-        next unless arg.cs__tracked?
-        next unless trigger_node.violated?(arg)
-        Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-            context, trigger_node, arg, object, ret, args)
-      end
-      ret
-    end
-    private
-    def oga_defined?
-      @_oga_defined ||= defined?(Oga::XML::CharacterNode)
-    end
-  end
-end

data/lib/contrast/extensions/ruby_core/eval_trigger.rb DELETED

@@ -1,51 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-module Contrast
-  module CoreExtensions
-    module Assess
-      # This Module allows us to track calls to the BasicObject#eval method,
-      # which violates the design of most methods we track in that we have to
-      # apply the trigger in a custom patch over one of the generic triggers in
-      # TriggerMethod.
-      module EvalTrigger
-        def instance_eval_trigger_check source, ret
-          apply_trigger(source, ret, 'BasicObject', :instance_eval)
-        end
-        def eval_trigger_check source, ret, method
-          apply_trigger(source, ret, 'Module', method)
-        end
-        def apply_trigger source, ret, clazz, method
-          current_context = Contrast::Agent::REQUEST_TRACKER.current
-          return unless current_context
-          # Since we know this is the source of the trigger, we can do some
-          # optimization here and return when it is not tracked
-          return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)
-          # source might not be all the args passed in, but it is the one we care
-          # about. we could pass in all the args in the last param here if it
-          # becomes an issue in rendering on TS
-          Contrast::Agent::Assess::Policy::TriggerMethod.apply_eval_trigger(
-              current_context,
-              trigger_node(clazz, method),
-              source,
-              self,
-              ret,
-              source)
-        end
-        private
-        def trigger_node clazz, method
-          triggers = Contrast::Agent::Assess::Policy::Policy.instance.triggers
-          return unless triggers
-          triggers.find { |node| node.class_name == clazz && node.method_name == method }
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extensions/ruby_core/inventory/datastores.rb DELETED

@@ -1,37 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/utils/data_store_util'
-module Contrast
-  module CoreExtensions
-    module Inventory
-      # This Module is how we apply the Data Store detection required for the
-      # FlowMap feature. It is called from our patches of the targeted methods
-      # in which database operations occur. It is responsible for deciding if
-      # the given invocation is worth reporting or not.
-      module DataStores
-        class << self
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
-          # The key used in policy.json to indicate the database type to
-          # report.
-          DATA_STORE_MARKER = 'data_store'
-          def patched_report_data_store _method, _exception, properties, object, _args
-            return unless INVENTORY.enabled?
-            marker = properties[DATA_STORE_MARKER]
-            return unless marker
-            Contrast::Utils::DataStoreUtil.report_data_store(marker)
-          rescue StandardError => e
-            logger.error('Error reporting database call', e, object: object)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb DELETED

@@ -1,61 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/agent/protect/rule/cmd_injection'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_deserialization_rule'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/rule_applicator'
-module Contrast
-  module CoreExtensions
-    module Protect
-      # This Module is how we apply the Command Injection rule. It is called
-      # from our patches of the targeted methods in which command execution
-      # occurs. It is responsible for deciding if the infilter methods of the
-      # rule should be invoked.
-      # In addition, b/c of the nature of Deserialization's sand boxing
-      # function, this Module's apply methods call through to the
-      # {#apply_deserialization_command_check} method of the
-      # Deserialization applicator.
-      module AppliesCommandInjectionRule
-        extend Contrast::CoreExtensions::Protect::RuleApplicator
-        CS__SEMICOLON = '; '
-        class << self
-          def invoke method, _exception, _properties, object, args
-            return unless valid_command?(args)
-            command = build_command(args)
-            Contrast::CoreExtensions::Protect::AppliesDeserializationRule.apply_deserialization_command_check(command)
-            return if skip_analysis?
-            begin
-              clazz = object.is_a?(Module) ? object : object.cs__class
-              class_name = clazz.cs__name
-              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
-            end
-          end
-          protected
-          def name
-            Contrast::Agent::Protect::Rule::CmdInjection::NAME
-          end
-          private
-          def valid_command? command
-            command && (command.is_a?(String) || command.is_a?(Array))
-          end
-          def build_command command
-            return command if command.is_a?(String)
-            command = command.drop(1) if command.length > 1
-            command.join(CS__SEMICOLON)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb DELETED

@@ -1,50 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/agent/protect/rule/deserialization'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/rule_applicator'
-module Contrast
-  module CoreExtensions
-    module Protect
-      # This Module is how we apply the Deserialization rule. It is called from
-      # our patches of the targeted methods in which deserialization occurs.
-      # It is responsible for deciding if the infilter methods of the rule
-      # should be invoked.
-      module AppliesDeserializationRule
-        extend Contrast::CoreExtensions::Protect::RuleApplicator
-        class << self
-          def invoke _method, _exception, _properties, _object, args
-            return unless valid_input?(args)
-            return if skip_analysis?
-            rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
-          end
-          def apply_deserialization_command_check command
-            return unless command
-            return if skip_analysis?
-            rule.check_command_scope(command)
-          end
-          protected
-          def name
-            Contrast::Agent::Protect::Rule::Deserialization::NAME
-          end
-          private
-          def valid_input? args
-            return false unless args&.any?
-            input = args[0]
-            input.is_a?(String)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb DELETED

@@ -1,66 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/agent/protect/rule/no_sqli'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/rule_applicator'
-module Contrast
-  module CoreExtensions
-    module Protect
-      # This Module is how we apply the NoSQL Injection rule. It is called from
-      # our patches of the targeted methods in which the execution of String
-      # based NoSQL queries occur. It is responsible for deciding if the
-      # infilter methods of the rule should be invoked.
-      module AppliesNoSqliRule
-        extend Contrast::CoreExtensions::Protect::RuleApplicator
-        class << self
-          def invoke method, _exception, properties, _object, args
-            return unless valid_input?(args)
-            return if skip_analysis?
-            database = properties['database']
-            operations = args[0]
-            context = Contrast::Agent::REQUEST_TRACKER.current
-            if operations.is_a?(Array)
-              operations.each do |m|
-                handle_operation(context, database, method, m)
-              end
-            else
-              handle_operation(context, database, method, operations)
-            end
-          end
-          protected
-          def name
-            Contrast::Agent::Protect::Rule::NoSqli::NAME
-          end
-          private
-          def valid_input? args
-            return false unless args&.any?
-            args[0]
-          end
-          def handle_operation context, database, _action, operation
-            data = extract_mongo_data(operation)
-            return unless data && !data.empty?
-            rule.infilter(context, database, data)
-          end
-          def extract_mongo_data operation
-            if operation.cs__respond_to? :selector
-              operation.selector
-            elsif operation.cs__respond_to? :documents
-              operation.documents
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb DELETED

@@ -1,115 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/agent/protect/rule/path_traversal'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/rule_applicator'
-cs__scoped_require 'contrast/utils/object_share'
-module Contrast
-  module CoreExtensions
-    module Protect
-      # This Module is how we apply the Path Traversal rule. It is called from
-      # our patches of the targeted methods in which File or IO access occur.
-      # It is responsible for deciding if the infilter methods of the rule
-      # should be invoked.
-      module AppliesPathTraversalRule
-        extend Contrast::CoreExtensions::Protect::RuleApplicator
-        class << self
-          def invoke method, _exception, properties, object, args
-            return unless args&.any?
-            path = args[0]
-            return unless path.is_a?(String)
-            return if skip_analysis?
-            action = properties['action']
-            write_marker = write?(action, *args)
-            possible_write = write_marker && possible_write(write_marker)
-            path_traversal_rule(path, possible_write, object, method)
-            # If the action was copy, we need to handle the write half of it.
-            # We handled read in line above.
-            return unless action == COPY
-            return unless args.length > 1
-            dst = args[1]
-            return unless dst.is_a?(String)
-            path_traversal_rule(dst, true, object, method)
-          end
-          protected
-          def name
-            Contrast::Agent::Protect::Rule::PathTraversal::NAME
-          end
-          private
-          def possible_write input
-            input.cs__respond_to?(:to_s) &&
-                input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
-          end
-          READ = 'read'
-          WRITE = 'write'
-          COPY = 'copy'
-          def write? action, *args
-            return false if action == READ
-            return false if action == COPY
-            return true if action == WRITE
-            write_marker = args.length > 1 ? args[1] : nil
-            write_marker && possible_write(write_marker)
-          end
-          def path_traversal_rule path, possible_write, object, method
-            return unless applies_to?(path, possible_write)
-            rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
-          rescue Contrast::SecurityException => e
-            raise e
-          rescue StandardError => e
-            logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
-          end
-          CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
-          def safer_abs_paths
-            @_safer_abs_paths ||= begin
-              pwd = ENV['PWD']
-              if pwd
-                tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
-                gems = ENV['GEM_PATH']
-                tmp += gems.split(Contrast::Utils::ObjectShare::COLON) if gems
-                tmp
-              else
-                []
-              end
-            end
-          end
-          def applies_to? path, possible_write = false
-            # any possible write is a potential risk
-            return true if possible_write
-            # any path that moves 'up' is a potential risk
-            return true if path.index(Contrast::Utils::ObjectShare::PARENT_PATH)
-            path = path.downcase
-            if path.start_with?(Contrast::Utils::ObjectShare::SLASH)
-              safer_abs_paths.each do |prefix|
-                return false if path.start_with?(prefix)
-              end
-            else
-              CS__SAFER_REL_PATHS.each do |prefix|
-                return false if path.start_with?(prefix)
-              end
-            end
-            true
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb DELETED

@@ -1,53 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/agent/protect/rule/sqli'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/rule_applicator'
-cs__scoped_require 'contrast/utils/data_store_util'
-module Contrast
-  module CoreExtensions
-    module Protect
-      # This Module is how we apply the SQL Injection rule. It is called from
-      # our patches of the targeted methods in which the execution of String
-      # based SQL queries occur. It is responsible for deciding if the infilter
-      # methods of the rule should be invoked.
-      class AppliesSqliRule
-        extend Contrast::CoreExtensions::Protect::RuleApplicator
-        DATABASE_MYSQL =    'MySQL'
-        DATABASE_SQLITE =   'SQLite3'
-        DATABASE_PG =       'PostgreSQL'
-        class << self
-          def invoke _method, _exception, properties, _object, args
-            database = properties['database']
-            return unless database
-            index = properties[Contrast::Utils::ObjectShare::INDEX]
-            return unless valid_input?(index, args)
-            return if skip_analysis?
-            sql = args[index]
-            rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
-          end
-          protected
-          def name
-            Contrast::Agent::Protect::Rule::Sqli::NAME
-          end
-          private
-          def valid_input? index, args
-            return false unless args && args.length > index
-            sql = args[index]
-            sql && !sql.empty?
-          end
-        end
-      end
-    end
-  end
-end