contrast-agent 3.12.2 → 3.15.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.dockerignore +0 -1
- data/.gitignore +1 -1
- data/.simplecov +1 -1
- data/Rakefile +31 -0
- data/exe/contrast_service +1 -7
- data/ext/build_funchook.rb +0 -2
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +8 -7
- data/ext/cs__assess_array/cs__assess_array.c +6 -5
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +5 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -9
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +0 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +18 -17
- data/ext/cs__assess_hash/cs__assess_hash.h +2 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -8
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +18 -16
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +1 -0
- data/ext/cs__assess_module/cs__assess_module.c +6 -6
- data/ext/cs__assess_regexp/cs__assess_regexp.c +4 -4
- data/ext/cs__assess_string/cs__assess_string.c +31 -16
- data/ext/cs__assess_string/cs__assess_string.h +6 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +4 -7
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +3 -7
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +0 -1
- data/ext/cs__common/cs__common.c +63 -30
- data/ext/cs__common/cs__common.h +19 -21
- data/ext/cs__common/extconf.rb +0 -14
- data/ext/cs__contrast_patch/cs__contrast_patch.c +27 -25
- data/ext/cs__contrast_patch/cs__contrast_patch.h +5 -7
- data/ext/cs__protect_kernel/cs__protect_kernel.c +11 -12
- data/ext/cs__protect_kernel/cs__protect_kernel.h +2 -2
- data/ext/extconf_common.rb +0 -28
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +15 -23
- data/lib/contrast/agent.rb +51 -39
- data/lib/contrast/agent/assess.rb +12 -12
- data/lib/contrast/agent/assess/contrast_event.rb +40 -185
- data/lib/contrast/agent/assess/events/event_factory.rb +2 -2
- data/lib/contrast/agent/assess/events/source_event.rb +5 -9
- data/lib/contrast/agent/assess/finalizers/freeze.rb +15 -0
- data/lib/contrast/agent/assess/finalizers/hash.rb +97 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +2 -2
- data/lib/contrast/agent/assess/policy/patcher.rb +6 -6
- data/lib/contrast/agent/assess/policy/policy.rb +9 -11
- data/lib/contrast/agent/assess/policy/policy_node.rb +5 -99
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -3
- data/lib/contrast/agent/assess/policy/preshift.rb +13 -7
- data/lib/contrast/agent/assess/policy/propagation_method.rb +64 -45
- data/lib/contrast/agent/assess/policy/propagation_node.rb +6 -2
- data/lib/contrast/agent/assess/policy/propagator.rb +18 -18
- data/lib/contrast/agent/assess/policy/propagator/append.rb +8 -5
- data/lib/contrast/agent/assess/policy/propagator/base.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator/center.rb +9 -5
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +6 -4
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +7 -7
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +4 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +18 -9
- data/lib/contrast/agent/assess/policy/propagator/next.rb +7 -5
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +13 -5
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +14 -15
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +5 -2
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +7 -5
- data/lib/contrast/agent/assess/policy/propagator/select.rb +19 -11
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +14 -8
- data/lib/contrast/agent/assess/policy/propagator/split.rb +19 -13
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +36 -26
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +17 -15
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +5 -5
- data/lib/contrast/agent/assess/policy/source_method.rb +90 -73
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +16 -11
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +2 -2
- data/lib/contrast/agent/assess/policy/trigger_method.rb +41 -26
- data/lib/contrast/agent/assess/policy/trigger_node.rb +30 -17
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +2 -2
- data/lib/contrast/agent/assess/properties.rb +15 -383
- data/lib/contrast/agent/assess/property/evented.rb +78 -0
- data/lib/contrast/agent/assess/property/tagged.rb +339 -0
- data/lib/contrast/agent/assess/property/updated.rb +136 -0
- data/lib/contrast/agent/assess/rule.rb +2 -2
- data/lib/contrast/agent/assess/rule/base.rb +3 -4
- data/lib/contrast/agent/assess/rule/provider.rb +3 -3
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -22
- data/lib/contrast/agent/assess/tag.rb +27 -12
- data/lib/contrast/agent/assess/tracker.rb +66 -0
- data/lib/contrast/agent/at_exit_hook.rb +4 -2
- data/lib/contrast/agent/class_reopener.rb +14 -11
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
- data/lib/contrast/agent/disable_reaction.rb +1 -1
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/inventory/policy/datastores.rb +2 -3
- data/lib/contrast/agent/inventory/policy/policy.rb +3 -3
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/middleware.rb +36 -48
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -5
- data/lib/contrast/agent/patching/policy/module_policy.rb +1 -1
- data/lib/contrast/agent/patching/policy/patch.rb +16 -16
- data/lib/contrast/agent/patching/policy/patcher.rb +43 -44
- data/lib/contrast/agent/patching/policy/policy.rb +10 -13
- data/lib/contrast/agent/patching/policy/policy_node.rb +3 -3
- data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/policy.rb +8 -8
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +3 -3
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +18 -18
- data/lib/contrast/agent/protect/rule/base.rb +21 -32
- data/lib/contrast/agent/protect/rule/base_service.rb +2 -2
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +5 -5
- data/lib/contrast/agent/protect/rule/deserialization.rb +1 -1
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +3 -8
- data/lib/contrast/agent/protect/rule/no_sqli.rb +1 -1
- data/lib/contrast/agent/protect/rule/path_traversal.rb +4 -5
- data/lib/contrast/agent/protect/rule/sqli.rb +2 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +1 -1
- data/lib/contrast/agent/protect/rule/xss.rb +1 -1
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -5
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -2
- data/lib/contrast/agent/railtie.rb +1 -1
- data/lib/contrast/agent/reaction_processor.rb +5 -5
- data/lib/contrast/agent/request.rb +103 -340
- data/lib/contrast/agent/request_context.rb +25 -21
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/response.rb +25 -26
- data/lib/contrast/agent/rewriter.rb +6 -9
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +8 -10
- data/lib/contrast/agent/static_analysis.rb +4 -4
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +49 -0
- data/lib/contrast/agent/tracepoint_hook.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent/worker_thread.rb +24 -0
- data/lib/contrast/api.rb +4 -6
- data/lib/contrast/api/communication.rb +20 -0
- data/lib/contrast/api/communication/connection_status.rb +41 -0
- data/lib/contrast/api/communication/messaging_queue.rb +76 -0
- data/lib/contrast/{utils/service_response_util.rb → api/communication/response_processor.rb} +10 -19
- data/lib/contrast/api/communication/service_lifecycle.rb +61 -0
- data/lib/contrast/api/communication/socket.rb +45 -0
- data/lib/contrast/api/communication/socket_client.rb +76 -0
- data/lib/contrast/api/communication/speedracer.rb +111 -0
- data/lib/contrast/api/communication/tcp_socket.rb +31 -0
- data/lib/contrast/api/communication/unix_socket.rb +27 -0
- data/lib/contrast/api/decorators.rb +14 -4
- data/lib/contrast/api/decorators/address.rb +61 -0
- data/lib/contrast/api/decorators/application_settings.rb +10 -5
- data/lib/contrast/api/decorators/application_update.rb +7 -17
- data/lib/contrast/api/decorators/http_request.rb +140 -0
- data/lib/contrast/api/decorators/input_analysis.rb +3 -2
- data/lib/contrast/api/decorators/message.rb +76 -0
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
- data/lib/contrast/api/decorators/route_coverage.rb +58 -0
- data/lib/contrast/api/decorators/server_features.rb +3 -2
- data/lib/contrast/api/decorators/trace_event.rb +100 -0
- data/lib/contrast/api/decorators/trace_event_object.rb +58 -0
- data/lib/contrast/api/decorators/trace_event_signature.rb +47 -0
- data/lib/contrast/api/decorators/trace_taint_range.rb +52 -0
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +109 -0
- data/lib/contrast/api/decorators/user_input.rb +40 -0
- data/lib/contrast/common_agent_configuration.rb +2 -2
- data/lib/contrast/components/agent.rb +2 -2
- data/lib/contrast/components/app_context.rb +12 -17
- data/lib/contrast/components/config.rb +8 -23
- data/lib/contrast/components/contrast_service.rb +3 -3
- data/lib/contrast/components/interface.rb +16 -16
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/scope.rb +3 -3
- data/lib/contrast/components/settings.rb +0 -6
- data/lib/contrast/config.rb +18 -18
- data/lib/contrast/config/application_configuration.rb +5 -2
- data/lib/contrast/config/base_configuration.rb +2 -2
- data/lib/contrast/config/protect_rule_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +8 -2
- data/lib/contrast/configuration.rb +93 -52
- data/lib/contrast/extension/assess.rb +21 -23
- data/lib/contrast/extension/assess/array.rb +12 -9
- data/lib/contrast/extension/assess/erb.rb +6 -3
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -3
- data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
- data/lib/contrast/extension/assess/fiber.rb +12 -12
- data/lib/contrast/extension/assess/hash.rb +5 -4
- data/lib/contrast/extension/assess/kernel.rb +19 -11
- data/lib/contrast/extension/assess/marshal.rb +63 -0
- data/lib/contrast/extension/assess/regexp.rb +8 -7
- data/lib/contrast/extension/assess/string.rb +13 -15
- data/lib/contrast/extension/inventory.rb +4 -5
- data/lib/contrast/extension/kernel.rb +1 -1
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect.rb +3 -3
- data/lib/contrast/extension/protect/kernel.rb +2 -2
- data/lib/contrast/extension/protect/psych.rb +2 -2
- data/lib/contrast/framework/base_support.rb +0 -23
- data/lib/contrast/framework/manager.rb +7 -17
- data/lib/contrast/framework/rack/patch/session_cookie.rb +13 -19
- data/lib/contrast/framework/rack/patch/support.rb +1 -1
- data/lib/contrast/framework/rack/support.rb +2 -2
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +6 -13
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +3 -3
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +2 -2
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +2 -2
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +2 -2
- data/lib/contrast/framework/rails/support.rb +58 -37
- data/lib/contrast/framework/sinatra/patch/base.rb +2 -2
- data/lib/contrast/framework/sinatra/patch/support.rb +1 -1
- data/lib/contrast/framework/sinatra/support.rb +13 -24
- data/lib/contrast/funchook/funchook.rb +45 -0
- data/lib/contrast/logger/application.rb +13 -5
- data/lib/contrast/logger/format.rb +64 -0
- data/lib/contrast/logger/log.rb +17 -9
- data/lib/contrast/logger/request.rb +30 -0
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/sampling_util.rb +2 -2
- data/lib/contrast/utils/assess/tracking_util.rb +89 -19
- data/lib/contrast/utils/boolean_util.rb +1 -1
- data/lib/contrast/utils/class_util.rb +2 -2
- data/lib/contrast/utils/duck_utils.rb +0 -10
- data/lib/contrast/utils/env_configuration_item.rb +2 -1
- data/lib/contrast/utils/gemfile_reader.rb +5 -5
- data/lib/contrast/utils/hash_digest.rb +13 -3
- data/lib/contrast/utils/heap_dump_util.rb +2 -2
- data/lib/contrast/utils/invalid_configuration_util.rb +21 -35
- data/lib/contrast/utils/inventory_util.rb +6 -11
- data/lib/contrast/utils/io_util.rb +1 -1
- data/lib/contrast/utils/object_share.rb +0 -1
- data/lib/contrast/utils/os.rb +16 -4
- data/lib/contrast/utils/ruby_ast_rewriter.rb +1 -1
- data/lib/contrast/utils/sha256_builder.rb +2 -2
- data/lib/contrast/utils/stack_trace_utils.rb +2 -3
- data/lib/contrast/utils/string_utils.rb +11 -6
- data/lib/contrast/utils/tag_util.rb +1 -1
- data/lib/contrast/utils/thread_tracker.rb +1 -14
- data/lib/contrast/utils/timer.rb +1 -17
- data/resources/assess/policy.json +0 -10
- data/resources/deadzone/policy.json +5 -0
- data/ruby-agent.gemspec +24 -23
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +92 -92
- data/funchook/Makefile +0 -29
- data/funchook/autom4te.cache/output.0 +0 -4964
- data/funchook/autom4te.cache/requests +0 -77
- data/funchook/autom4te.cache/traces.0 +0 -361
- data/funchook/config.log +0 -651
- data/funchook/config.status +0 -1015
- data/funchook/configure +0 -4964
- data/funchook/src/Makefile +0 -70
- data/funchook/src/config.h +0 -101
- data/funchook/src/config.h.in +0 -100
- data/funchook/src/decoder.o +0 -0
- data/funchook/src/distorm.o +0 -0
- data/funchook/src/funchook.o +0 -0
- data/funchook/src/funchook_io.o +0 -0
- data/funchook/src/funchook_syscall.o +0 -0
- data/funchook/src/funchook_unix.o +0 -0
- data/funchook/src/funchook_x86.o +0 -0
- data/funchook/src/instructions.o +0 -0
- data/funchook/src/insts.o +0 -0
- data/funchook/src/libfunchook.dylib +0 -0
- data/funchook/src/mnemonics.o +0 -0
- data/funchook/src/operands.o +0 -0
- data/funchook/src/os_func.o +0 -0
- data/funchook/src/os_func_unix.o +0 -0
- data/funchook/src/prefix.o +0 -0
- data/funchook/src/printf_base.o +0 -0
- data/funchook/src/textdefs.o +0 -0
- data/funchook/src/wstring.o +0 -0
- data/funchook/test/Makefile +0 -43
- data/funchook/test/funchook_test +0 -0
- data/funchook/test/libfunchook_test.so +0 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +0 -20
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
- data/funchook/test/test_main.o +0 -0
- data/funchook/test/x86_64_test.o +0 -0
- data/lib/contrast/agent/assess/adjusted_span.rb +0 -27
- data/lib/contrast/agent/assess/insulator.rb +0 -49
- data/lib/contrast/agent/require_state.rb +0 -61
- data/lib/contrast/agent/socket_client.rb +0 -134
- data/lib/contrast/api/connection_status.rb +0 -49
- data/lib/contrast/api/socket.rb +0 -43
- data/lib/contrast/api/speedracer.rb +0 -188
- data/lib/contrast/api/tcp_socket.rb +0 -29
- data/lib/contrast/api/unix_socket.rb +0 -25
- data/lib/contrast/extension/assess/assess_extension.rb +0 -148
- data/lib/contrast/framework/sinatra/application_helper.rb +0 -51
- data/lib/contrast/framework/view_technologies_descriptor.rb +0 -21
- data/lib/contrast/internal_exception.rb +0 -8
- data/lib/contrast/utils/cache.rb +0 -58
- data/lib/contrast/utils/freeze_util.rb +0 -32
- data/lib/contrast/utils/service_sender_util.rb +0 -167
- data/lib/contrast/utils/sinatra_helper.rb +0 -49
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ac8fc7d0e9c127859cf7bdb149c7ac519286c4329bd81ad28db4963128e0cd63
|
|
4
|
+
data.tar.gz: 784afc67ef269df8dfbaed392e8ad28e2e3b679113ed8679625f95033e324929
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c1a5563b34a4eba33fdf8094986362f70c88bda53102899bb01ad0096588d26883b5e7ad475e41afa15b95674b8c2810cfe6546c6779b8e3b2030bf7bb1e33d6
|
|
7
|
+
data.tar.gz: 1a1eb220719c1caf3f7153108bff4ac5132130d6879dc2b425e6dd31720e4c76bda9c27c0ac65fa00ccb846a31cb173e04dc7d3320ba3079ea9b785a62991f00
|
data/.dockerignore
CHANGED
data/.gitignore
CHANGED
data/.simplecov
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
-
SimpleCov.minimum_coverage line:
|
|
4
|
+
SimpleCov.minimum_coverage line: 94.75
|
|
5
5
|
SimpleCov.start do
|
|
6
6
|
add_filter '/spec/'
|
|
7
7
|
end
|
data/Rakefile
CHANGED
|
@@ -1,9 +1,13 @@
|
|
|
1
1
|
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
$stdout.sync = true
|
|
5
|
+
|
|
4
6
|
require 'bundler/gem_tasks'
|
|
5
7
|
require 'rspec/core/rake_task'
|
|
6
8
|
require 'rake/extensiontask'
|
|
9
|
+
load 'protobuf/tasks/compile.rake'
|
|
10
|
+
require 'fileutils'
|
|
7
11
|
|
|
8
12
|
CLOBBER << 'shared_libraries/*'
|
|
9
13
|
|
|
@@ -13,3 +17,30 @@ Dir['ext/cs__*'].each do |extension|
|
|
|
13
17
|
ext.lib_dir = "lib/#{ name }"
|
|
14
18
|
end
|
|
15
19
|
end
|
|
20
|
+
|
|
21
|
+
task :contrast_pb_compile do
|
|
22
|
+
# do some stuff before compile
|
|
23
|
+
|
|
24
|
+
# Invoke the protobuf compile task with your sensible defaults
|
|
25
|
+
::Rake::Task['protobuf:compile'].invoke('lib',
|
|
26
|
+
'./agent-service-api/protobuf ./agent-service-api/protobuf/dtm.proto',
|
|
27
|
+
'lib/contrast/api',
|
|
28
|
+
nil)
|
|
29
|
+
|
|
30
|
+
::Rake::Task['protobuf:compile'].reenable
|
|
31
|
+
|
|
32
|
+
::Rake::Task['protobuf:compile'].invoke('lib',
|
|
33
|
+
'./agent-service-api/protobuf ./agent-service-api/protobuf/settings.proto',
|
|
34
|
+
'lib/contrast/api',
|
|
35
|
+
nil)
|
|
36
|
+
|
|
37
|
+
['dtm.pb.rb', 'settings.pb.rb'].each do |target_file|
|
|
38
|
+
target_path = File.absolute_path(File.join(__dir__, "./lib/contrast/api/#{ target_file }"))
|
|
39
|
+
unless File.exist?(target_path)
|
|
40
|
+
puts "File not found #{ target_path }"
|
|
41
|
+
exit 1
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
puts 'Protobuf copied successfully'
|
|
46
|
+
end
|
data/exe/contrast_service
CHANGED
|
@@ -3,19 +3,13 @@
|
|
|
3
3
|
# frozen_string_literal: true
|
|
4
4
|
|
|
5
5
|
def mac?
|
|
6
|
-
RUBY_PLATFORM.
|
|
7
|
-
end
|
|
8
|
-
|
|
9
|
-
def windows?
|
|
10
|
-
RUBY_PLATFORM.match?(/cygwin|mswin|mingw|bccwin|wince|emx/)
|
|
6
|
+
RUBY_PLATFORM.include?('darwin')
|
|
11
7
|
end
|
|
12
8
|
|
|
13
9
|
def path
|
|
14
10
|
base_path = "#{ File.dirname(__FILE__) }/.."
|
|
15
11
|
if mac?
|
|
16
12
|
"#{ base_path }/service_executables/mac/contrast-service"
|
|
17
|
-
elsif windows?
|
|
18
|
-
"#{ base_path }/service_executables/windows/contrast-service.exe"
|
|
19
13
|
else
|
|
20
14
|
"#{ base_path }/service_executables/linux/contrast-service"
|
|
21
15
|
end
|
data/ext/build_funchook.rb
CHANGED
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
* https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
|
|
3
3
|
|
|
4
4
|
#include "cs__active_record_named.h"
|
|
5
|
-
#include <ruby.h>
|
|
6
5
|
#include "../cs__common/cs__common.h"
|
|
6
|
+
#include <ruby.h>
|
|
7
7
|
|
|
8
8
|
VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
9
9
|
const VALUE self) {
|
|
@@ -19,7 +19,8 @@ VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
|
19
19
|
*/
|
|
20
20
|
VALUE new_body, ret;
|
|
21
21
|
VALUE new_args[3];
|
|
22
|
-
new_body = rb_funcall(active_record_named, rb_sym_assess_rewrite, 3, self,
|
|
22
|
+
new_body = rb_funcall(active_record_named, rb_sym_assess_rewrite, 3, self,
|
|
23
|
+
argv[0], argv[1]);
|
|
23
24
|
new_args[0] = argv[0];
|
|
24
25
|
if (NIL_P(new_body)) {
|
|
25
26
|
new_args[1] = argv[1];
|
|
@@ -36,10 +37,10 @@ void Init_cs__assess_active_record_named(void) {
|
|
|
36
37
|
framework = rb_define_module_under(contrast, "Framework");
|
|
37
38
|
rails = rb_define_module_under(framework, "Rails");
|
|
38
39
|
rewrite = rb_define_module_under(rails, "Rewrite");
|
|
39
|
-
active_record_named =
|
|
40
|
+
active_record_named =
|
|
41
|
+
rb_define_class_under(rewrite, "ActiveRecordNamed", rb_cObject);
|
|
40
42
|
rb_sym_assess_rewrite = rb_intern("rewrite");
|
|
41
|
-
rb_sym_assess_scope
|
|
42
|
-
|
|
43
|
-
|
|
43
|
+
rb_sym_assess_scope =
|
|
44
|
+
contrast_register_patch("ActiveRecord::Scoping::Named::ClassMethods",
|
|
45
|
+
"scope", contrast_assess_active_record_scope);
|
|
44
46
|
}
|
|
45
|
-
|
|
@@ -23,15 +23,16 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
|
|
|
23
23
|
/* Finally, default to empty String. Implicit since nil.to_s is ''*/
|
|
24
24
|
|
|
25
25
|
result = rb_funcall2(ary, rb_sym_assess_array_join, argc, argv);
|
|
26
|
-
result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
|
|
26
|
+
result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
|
|
27
|
+
ary, sep, result);
|
|
27
28
|
|
|
28
29
|
return result;
|
|
29
30
|
}
|
|
30
31
|
|
|
31
32
|
void Init_cs__assess_array(void) {
|
|
32
|
-
array_propagator =
|
|
33
|
+
array_propagator =
|
|
34
|
+
rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
|
|
33
35
|
rb_sym_assess_track_array_join = rb_intern("cs__track_join");
|
|
34
|
-
rb_sym_assess_array_join =
|
|
35
|
-
|
|
36
|
-
contrast_assess_array_join);
|
|
36
|
+
rb_sym_assess_array_join =
|
|
37
|
+
contrast_register_patch("Array", "join", contrast_assess_array_join);
|
|
37
38
|
}
|
|
@@ -7,7 +7,8 @@
|
|
|
7
7
|
|
|
8
8
|
void contrast_assess_instance_eval_trigger_check(VALUE self, VALUE source,
|
|
9
9
|
VALUE ret) {
|
|
10
|
-
rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self,
|
|
10
|
+
rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self,
|
|
11
|
+
source, ret);
|
|
11
12
|
}
|
|
12
13
|
|
|
13
14
|
VALUE
|
|
@@ -36,7 +37,8 @@ contrast_assess_basic_object_instance_eval(const int argc, const VALUE *argv,
|
|
|
36
37
|
}
|
|
37
38
|
|
|
38
39
|
void Init_cs__assess_basic_object(void) {
|
|
39
|
-
basic_eval_trigger =
|
|
40
|
+
basic_eval_trigger =
|
|
41
|
+
rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
|
|
40
42
|
instance_trigger_check_method = rb_intern("instance_eval_trigger_check");
|
|
41
43
|
|
|
42
44
|
/* We don't keep a reference to the underlying method.
|
|
@@ -45,8 +47,6 @@ void Init_cs__assess_basic_object(void) {
|
|
|
45
47
|
* but if someone else patched BasicObject#instance_eval,
|
|
46
48
|
* IDK if this is intentional... noting it. -ajm
|
|
47
49
|
*/
|
|
48
|
-
contrast_register_patch("BasicObject",
|
|
49
|
-
"instance_eval",
|
|
50
|
+
contrast_register_patch("BasicObject", "instance_eval",
|
|
50
51
|
contrast_assess_basic_object_instance_eval);
|
|
51
|
-
|
|
52
52
|
}
|
|
@@ -3,7 +3,6 @@
|
|
|
3
3
|
|
|
4
4
|
#include "cs__assess_fiber_track.h"
|
|
5
5
|
#include "../cs__common/cs__common.h"
|
|
6
|
-
#include <funchook.h>
|
|
7
6
|
#include <ruby.h>
|
|
8
7
|
|
|
9
8
|
VALUE rb_fiber_new_hook(VALUE (*func)(ANYARGS), VALUE obj) {
|
|
@@ -64,22 +63,18 @@ VALUE rb_fiber_yield_hook(int argc, const VALUE *argv) {
|
|
|
64
63
|
}
|
|
65
64
|
|
|
66
65
|
int install_fiber_hooks() {
|
|
67
|
-
funchook_t *funchook = funchook_create();
|
|
68
|
-
|
|
69
66
|
rb_fiber_new_original = rb_fiber_new;
|
|
70
|
-
|
|
71
|
-
rb_fiber_new_hook);
|
|
67
|
+
patch_via_funchook(&rb_fiber_new_original, &rb_fiber_new_hook);
|
|
72
68
|
|
|
73
69
|
rb_fiber_yield_original = rb_fiber_yield;
|
|
74
|
-
|
|
75
|
-
rb_fiber_yield_hook);
|
|
70
|
+
patch_via_funchook(&rb_fiber_yield_original, &rb_fiber_yield_hook);
|
|
76
71
|
|
|
77
|
-
funchook_install(funchook, 0);
|
|
78
72
|
return 0;
|
|
79
73
|
}
|
|
80
74
|
|
|
81
75
|
void Init_cs__assess_fiber_track(void) {
|
|
82
|
-
fiber_propagator =
|
|
76
|
+
fiber_propagator =
|
|
77
|
+
rb_define_class_under(core_assess, "FiberPropagator", rb_cObject);
|
|
83
78
|
track_rb_fiber_new = rb_intern("track_rb_fiber_new");
|
|
84
79
|
track_rb_fiber_yield = rb_intern("track_rb_fiber_yield");
|
|
85
80
|
rb_sym_next = rb_intern("next");
|
|
@@ -12,23 +12,24 @@
|
|
|
12
12
|
* This method instruments that unique bracket-construction style
|
|
13
13
|
* of initializing a hash.
|
|
14
14
|
*/
|
|
15
|
-
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
16
|
-
|
|
15
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
16
|
+
VALUE *argv,
|
|
17
|
+
const VALUE hash) {
|
|
17
18
|
VALUE result;
|
|
18
19
|
|
|
19
20
|
/* Array of Arrays: Hash[ [ [key, value], ... ] ] -> new_hash */
|
|
20
21
|
if (RB_TYPE_P(argv[0], T_ARRAY)) {
|
|
21
22
|
int i;
|
|
22
23
|
for (i = 0; i < argc; i++) {
|
|
23
|
-
argv[i] =
|
|
24
|
-
|
|
24
|
+
argv[i] = rb_funcall(hash_propagator,
|
|
25
|
+
rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
25
26
|
}
|
|
26
27
|
/* Hash[ key, value, ... ] -> new_hash */
|
|
27
28
|
} else if (argc > 1) {
|
|
28
29
|
int i;
|
|
29
30
|
for (i = 0; i < argc; i += 2) {
|
|
30
|
-
argv[i] =
|
|
31
|
-
|
|
31
|
+
argv[i] = rb_funcall(hash_propagator,
|
|
32
|
+
rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
32
33
|
}
|
|
33
34
|
}
|
|
34
35
|
|
|
@@ -36,7 +37,8 @@ static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *arg
|
|
|
36
37
|
* String keys
|
|
37
38
|
* # Hash[ object ] -> new_hash
|
|
38
39
|
*/
|
|
39
|
-
result =
|
|
40
|
+
result =
|
|
41
|
+
rb_funcall2(hash, rb_sym_assess_hash_bracket_constructor, argc, argv);
|
|
40
42
|
|
|
41
43
|
return result;
|
|
42
44
|
}
|
|
@@ -61,8 +63,9 @@ static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
|
61
63
|
* We haven't revisited this approach since we started more extensively
|
|
62
64
|
* hooking public C functions.)
|
|
63
65
|
*/
|
|
64
|
-
if(argc > 0) {
|
|
65
|
-
argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze,
|
|
66
|
+
if (argc > 0) {
|
|
67
|
+
argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze,
|
|
68
|
+
1, argv[0]);
|
|
66
69
|
}
|
|
67
70
|
/* This is the underlying assignment, w/ our instrumented key. */
|
|
68
71
|
result = rb_funcall2(hash, rb_sym_assess_hash_bracket_equals, argc, argv);
|
|
@@ -71,17 +74,15 @@ static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
|
71
74
|
}
|
|
72
75
|
|
|
73
76
|
void Init_cs__assess_hash(void) {
|
|
74
|
-
hash_propagator =
|
|
77
|
+
hash_propagator =
|
|
78
|
+
rb_define_class_under(core_assess, "HashPropagator", rb_cObject);
|
|
75
79
|
rb_sym_assess_hash_dup_and_freeze = rb_intern("cs__duplicate_and_freeze");
|
|
76
80
|
|
|
77
81
|
VALUE hash_class = rb_define_class("Hash", rb_cObject);
|
|
78
82
|
|
|
79
|
-
rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch(
|
|
80
|
-
|
|
81
|
-
contrast_assess_hash_bracket_constructor);
|
|
82
|
-
|
|
83
|
-
rb_sym_assess_hash_bracket_equals = contrast_register_patch("Hash",
|
|
84
|
-
"[]=",
|
|
85
|
-
contrast_assess_hash_bracket_set);
|
|
83
|
+
rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch(
|
|
84
|
+
"Hash", "[]", contrast_assess_hash_bracket_constructor);
|
|
86
85
|
|
|
86
|
+
rb_sym_assess_hash_bracket_equals = contrast_register_patch(
|
|
87
|
+
"Hash", "[]=", contrast_assess_hash_bracket_set);
|
|
87
88
|
}
|
|
@@ -13,7 +13,8 @@ static VALUE hash_propagator;
|
|
|
13
13
|
* ahead of time should avoid this, similar to the behavior of the -@ Strings
|
|
14
14
|
* -HM
|
|
15
15
|
*/
|
|
16
|
-
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
16
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
17
|
+
VALUE *argv,
|
|
17
18
|
const VALUE hash);
|
|
18
19
|
|
|
19
20
|
static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
@@ -18,8 +18,9 @@ contrast_patched_kernel_exec(const int argc, const VALUE *argv,
|
|
|
18
18
|
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
19
19
|
}
|
|
20
20
|
|
|
21
|
-
/* maybe this should be rb_funcall2. this works right now because *argv ==
|
|
22
|
-
* exec shouldn't ever be called with != 1 argc, so not a huge
|
|
21
|
+
/* maybe this should be rb_funcall2. this works right now because *argv ==
|
|
22
|
+
* argv[0]. exec shouldn't ever be called with != 1 argc, so not a huge
|
|
23
|
+
* problem */
|
|
23
24
|
return rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv);
|
|
24
25
|
}
|
|
25
26
|
|
|
@@ -27,12 +28,10 @@ void Init_cs__assess_kernel(void) {
|
|
|
27
28
|
kernel_propagator = rb_define_module_under(core_assess, "KernelPropagator");
|
|
28
29
|
exec_apply_trigger = rb_intern("apply_trigger");
|
|
29
30
|
|
|
30
|
-
rb_sym_assess_kernel_exec =
|
|
31
|
-
|
|
32
|
-
contrast_patched_kernel_exec);
|
|
31
|
+
rb_sym_assess_kernel_exec =
|
|
32
|
+
contrast_register_patch("Kernel", "exec", contrast_patched_kernel_exec);
|
|
33
33
|
|
|
34
34
|
/* should return the same value as above */
|
|
35
|
-
rb_sym_assess_kernel_exec = contrast_register_singleton_patch(
|
|
36
|
-
|
|
37
|
-
contrast_patched_kernel_exec);
|
|
35
|
+
rb_sym_assess_kernel_exec = contrast_register_singleton_patch(
|
|
36
|
+
"Kernel", "exec", contrast_patched_kernel_exec);
|
|
38
37
|
}
|
|
@@ -9,26 +9,24 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
|
|
|
9
9
|
const VALUE *argv) {
|
|
10
10
|
VALUE result;
|
|
11
11
|
VALUE source_string;
|
|
12
|
-
|
|
13
12
|
result = rb_call_super(argc, argv);
|
|
14
13
|
|
|
15
14
|
if (argc >= 1) {
|
|
16
15
|
source_string = argv[0];
|
|
17
16
|
|
|
18
|
-
|
|
19
|
-
|
|
17
|
+
VALUE tracked =
|
|
18
|
+
rb_funcall(properties_hash, rb_sym_hash_tracked, 1, source_string);
|
|
20
19
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
if (tracked == Qtrue) {
|
|
21
|
+
VALUE skip =
|
|
22
|
+
rb_funcall(contrast_patcher(), rb_sym_skip_assess_analysis, 0);
|
|
24
23
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
}
|
|
24
|
+
if (skip == Qfalse) {
|
|
25
|
+
VALUE scope =
|
|
26
|
+
rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
|
|
27
|
+
rb_funcall(marshal_module, rb_sym_assess_load_trigger_check, 2,
|
|
28
|
+
source_string, result);
|
|
29
|
+
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
32
30
|
}
|
|
33
31
|
}
|
|
34
32
|
}
|
|
@@ -36,9 +34,13 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
|
|
|
36
34
|
}
|
|
37
35
|
|
|
38
36
|
void Init_cs__assess_marshal_module(void) {
|
|
37
|
+
// Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
|
|
38
|
+
VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
|
|
39
|
+
properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
|
|
40
|
+
marshal_module =
|
|
41
|
+
rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
|
|
39
42
|
rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
|
|
40
43
|
|
|
41
|
-
contrast_register_singleton_prepend_patch(
|
|
42
|
-
|
|
43
|
-
&contrast_assess_marshal_module_load);
|
|
44
|
+
contrast_register_singleton_prepend_patch(
|
|
45
|
+
"Marshal", "load", &contrast_assess_marshal_module_load);
|
|
44
46
|
}
|
|
@@ -21,7 +21,8 @@ void contrast_assess_eval_trigger_check(VALUE module, VALUE source, VALUE ret) {
|
|
|
21
21
|
/* If this method ever throws an exception, the scope-leave
|
|
22
22
|
* needs to be moved within a rescue call.
|
|
23
23
|
*/
|
|
24
|
-
rb_funcall(module_eval_trigger, trigger_check_method, 4, module, source,
|
|
24
|
+
rb_funcall(module_eval_trigger, trigger_check_method, 4, module, source,
|
|
25
|
+
ret, method);
|
|
25
26
|
}
|
|
26
27
|
|
|
27
28
|
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
@@ -57,7 +58,8 @@ contrast_assess_module_module_eval(const int argc, const VALUE *argv,
|
|
|
57
58
|
}
|
|
58
59
|
|
|
59
60
|
void Init_cs__assess_module(void) {
|
|
60
|
-
module_eval_trigger =
|
|
61
|
+
module_eval_trigger =
|
|
62
|
+
rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
|
|
61
63
|
trigger_check_method = rb_intern("eval_trigger_check");
|
|
62
64
|
|
|
63
65
|
rb_sym_assess_patch_eval = rb_intern("patch_assess_on_eval");
|
|
@@ -69,11 +71,9 @@ void Init_cs__assess_module(void) {
|
|
|
69
71
|
* See similar comments in basic_object C ext patch.
|
|
70
72
|
*/
|
|
71
73
|
|
|
72
|
-
contrast_register_patch("Module",
|
|
73
|
-
"class_eval",
|
|
74
|
+
contrast_register_patch("Module", "class_eval",
|
|
74
75
|
contrast_assess_module_class_eval);
|
|
75
76
|
|
|
76
|
-
contrast_register_patch("Module",
|
|
77
|
-
"module_eval",
|
|
77
|
+
contrast_register_patch("Module", "module_eval",
|
|
78
78
|
contrast_assess_module_module_eval);
|
|
79
79
|
}
|