contrast-agent 3.12.2 → 3.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.dockerignore +0 -1
- data/.gitignore +1 -1
- data/.simplecov +1 -1
- data/Rakefile +31 -0
- data/exe/contrast_service +1 -7
- data/ext/build_funchook.rb +0 -2
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +8 -7
- data/ext/cs__assess_array/cs__assess_array.c +6 -5
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +5 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -9
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +0 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +18 -17
- data/ext/cs__assess_hash/cs__assess_hash.h +2 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -8
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +18 -16
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +1 -0
- data/ext/cs__assess_module/cs__assess_module.c +6 -6
- data/ext/cs__assess_regexp/cs__assess_regexp.c +4 -4
- data/ext/cs__assess_string/cs__assess_string.c +31 -16
- data/ext/cs__assess_string/cs__assess_string.h +6 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +4 -7
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +3 -7
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +0 -1
- data/ext/cs__common/cs__common.c +63 -30
- data/ext/cs__common/cs__common.h +19 -21
- data/ext/cs__common/extconf.rb +0 -14
- data/ext/cs__contrast_patch/cs__contrast_patch.c +27 -25
- data/ext/cs__contrast_patch/cs__contrast_patch.h +5 -7
- data/ext/cs__protect_kernel/cs__protect_kernel.c +11 -12
- data/ext/cs__protect_kernel/cs__protect_kernel.h +2 -2
- data/ext/extconf_common.rb +0 -28
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +15 -23
- data/lib/contrast/agent.rb +51 -39
- data/lib/contrast/agent/assess.rb +12 -12
- data/lib/contrast/agent/assess/contrast_event.rb +40 -185
- data/lib/contrast/agent/assess/events/event_factory.rb +2 -2
- data/lib/contrast/agent/assess/events/source_event.rb +5 -9
- data/lib/contrast/agent/assess/finalizers/freeze.rb +15 -0
- data/lib/contrast/agent/assess/finalizers/hash.rb +97 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +2 -2
- data/lib/contrast/agent/assess/policy/patcher.rb +6 -6
- data/lib/contrast/agent/assess/policy/policy.rb +9 -11
- data/lib/contrast/agent/assess/policy/policy_node.rb +5 -99
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -3
- data/lib/contrast/agent/assess/policy/preshift.rb +13 -7
- data/lib/contrast/agent/assess/policy/propagation_method.rb +64 -45
- data/lib/contrast/agent/assess/policy/propagation_node.rb +6 -2
- data/lib/contrast/agent/assess/policy/propagator.rb +18 -18
- data/lib/contrast/agent/assess/policy/propagator/append.rb +8 -5
- data/lib/contrast/agent/assess/policy/propagator/base.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator/center.rb +9 -5
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +6 -4
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +7 -7
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +4 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +18 -9
- data/lib/contrast/agent/assess/policy/propagator/next.rb +7 -5
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +13 -5
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +14 -15
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +5 -2
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +7 -5
- data/lib/contrast/agent/assess/policy/propagator/select.rb +19 -11
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +14 -8
- data/lib/contrast/agent/assess/policy/propagator/split.rb +19 -13
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +36 -26
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +17 -15
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +5 -5
- data/lib/contrast/agent/assess/policy/source_method.rb +90 -73
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +16 -11
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +2 -2
- data/lib/contrast/agent/assess/policy/trigger_method.rb +41 -26
- data/lib/contrast/agent/assess/policy/trigger_node.rb +30 -17
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +2 -2
- data/lib/contrast/agent/assess/properties.rb +15 -383
- data/lib/contrast/agent/assess/property/evented.rb +78 -0
- data/lib/contrast/agent/assess/property/tagged.rb +339 -0
- data/lib/contrast/agent/assess/property/updated.rb +136 -0
- data/lib/contrast/agent/assess/rule.rb +2 -2
- data/lib/contrast/agent/assess/rule/base.rb +3 -4
- data/lib/contrast/agent/assess/rule/provider.rb +3 -3
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -22
- data/lib/contrast/agent/assess/tag.rb +27 -12
- data/lib/contrast/agent/assess/tracker.rb +66 -0
- data/lib/contrast/agent/at_exit_hook.rb +4 -2
- data/lib/contrast/agent/class_reopener.rb +14 -11
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
- data/lib/contrast/agent/disable_reaction.rb +1 -1
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/inventory/policy/datastores.rb +2 -3
- data/lib/contrast/agent/inventory/policy/policy.rb +3 -3
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/middleware.rb +36 -48
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -5
- data/lib/contrast/agent/patching/policy/module_policy.rb +1 -1
- data/lib/contrast/agent/patching/policy/patch.rb +16 -16
- data/lib/contrast/agent/patching/policy/patcher.rb +43 -44
- data/lib/contrast/agent/patching/policy/policy.rb +10 -13
- data/lib/contrast/agent/patching/policy/policy_node.rb +3 -3
- data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/policy.rb +8 -8
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +3 -3
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +18 -18
- data/lib/contrast/agent/protect/rule/base.rb +21 -32
- data/lib/contrast/agent/protect/rule/base_service.rb +2 -2
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +5 -5
- data/lib/contrast/agent/protect/rule/deserialization.rb +1 -1
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +3 -8
- data/lib/contrast/agent/protect/rule/no_sqli.rb +1 -1
- data/lib/contrast/agent/protect/rule/path_traversal.rb +4 -5
- data/lib/contrast/agent/protect/rule/sqli.rb +2 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +1 -1
- data/lib/contrast/agent/protect/rule/xss.rb +1 -1
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -5
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -2
- data/lib/contrast/agent/railtie.rb +1 -1
- data/lib/contrast/agent/reaction_processor.rb +5 -5
- data/lib/contrast/agent/request.rb +103 -340
- data/lib/contrast/agent/request_context.rb +25 -21
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/response.rb +25 -26
- data/lib/contrast/agent/rewriter.rb +6 -9
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +8 -10
- data/lib/contrast/agent/static_analysis.rb +4 -4
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +49 -0
- data/lib/contrast/agent/tracepoint_hook.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent/worker_thread.rb +24 -0
- data/lib/contrast/api.rb +4 -6
- data/lib/contrast/api/communication.rb +20 -0
- data/lib/contrast/api/communication/connection_status.rb +41 -0
- data/lib/contrast/api/communication/messaging_queue.rb +76 -0
- data/lib/contrast/{utils/service_response_util.rb → api/communication/response_processor.rb} +10 -19
- data/lib/contrast/api/communication/service_lifecycle.rb +61 -0
- data/lib/contrast/api/communication/socket.rb +45 -0
- data/lib/contrast/api/communication/socket_client.rb +76 -0
- data/lib/contrast/api/communication/speedracer.rb +111 -0
- data/lib/contrast/api/communication/tcp_socket.rb +31 -0
- data/lib/contrast/api/communication/unix_socket.rb +27 -0
- data/lib/contrast/api/decorators.rb +14 -4
- data/lib/contrast/api/decorators/address.rb +61 -0
- data/lib/contrast/api/decorators/application_settings.rb +10 -5
- data/lib/contrast/api/decorators/application_update.rb +7 -17
- data/lib/contrast/api/decorators/http_request.rb +140 -0
- data/lib/contrast/api/decorators/input_analysis.rb +3 -2
- data/lib/contrast/api/decorators/message.rb +76 -0
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
- data/lib/contrast/api/decorators/route_coverage.rb +58 -0
- data/lib/contrast/api/decorators/server_features.rb +3 -2
- data/lib/contrast/api/decorators/trace_event.rb +100 -0
- data/lib/contrast/api/decorators/trace_event_object.rb +58 -0
- data/lib/contrast/api/decorators/trace_event_signature.rb +47 -0
- data/lib/contrast/api/decorators/trace_taint_range.rb +52 -0
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +109 -0
- data/lib/contrast/api/decorators/user_input.rb +40 -0
- data/lib/contrast/common_agent_configuration.rb +2 -2
- data/lib/contrast/components/agent.rb +2 -2
- data/lib/contrast/components/app_context.rb +12 -17
- data/lib/contrast/components/config.rb +8 -23
- data/lib/contrast/components/contrast_service.rb +3 -3
- data/lib/contrast/components/interface.rb +16 -16
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/scope.rb +3 -3
- data/lib/contrast/components/settings.rb +0 -6
- data/lib/contrast/config.rb +18 -18
- data/lib/contrast/config/application_configuration.rb +5 -2
- data/lib/contrast/config/base_configuration.rb +2 -2
- data/lib/contrast/config/protect_rule_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +8 -2
- data/lib/contrast/configuration.rb +93 -52
- data/lib/contrast/extension/assess.rb +21 -23
- data/lib/contrast/extension/assess/array.rb +12 -9
- data/lib/contrast/extension/assess/erb.rb +6 -3
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -3
- data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
- data/lib/contrast/extension/assess/fiber.rb +12 -12
- data/lib/contrast/extension/assess/hash.rb +5 -4
- data/lib/contrast/extension/assess/kernel.rb +19 -11
- data/lib/contrast/extension/assess/marshal.rb +63 -0
- data/lib/contrast/extension/assess/regexp.rb +8 -7
- data/lib/contrast/extension/assess/string.rb +13 -15
- data/lib/contrast/extension/inventory.rb +4 -5
- data/lib/contrast/extension/kernel.rb +1 -1
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect.rb +3 -3
- data/lib/contrast/extension/protect/kernel.rb +2 -2
- data/lib/contrast/extension/protect/psych.rb +2 -2
- data/lib/contrast/framework/base_support.rb +0 -23
- data/lib/contrast/framework/manager.rb +7 -17
- data/lib/contrast/framework/rack/patch/session_cookie.rb +13 -19
- data/lib/contrast/framework/rack/patch/support.rb +1 -1
- data/lib/contrast/framework/rack/support.rb +2 -2
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +6 -13
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +3 -3
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +2 -2
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +2 -2
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +2 -2
- data/lib/contrast/framework/rails/support.rb +58 -37
- data/lib/contrast/framework/sinatra/patch/base.rb +2 -2
- data/lib/contrast/framework/sinatra/patch/support.rb +1 -1
- data/lib/contrast/framework/sinatra/support.rb +13 -24
- data/lib/contrast/funchook/funchook.rb +45 -0
- data/lib/contrast/logger/application.rb +13 -5
- data/lib/contrast/logger/format.rb +64 -0
- data/lib/contrast/logger/log.rb +17 -9
- data/lib/contrast/logger/request.rb +30 -0
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/sampling_util.rb +2 -2
- data/lib/contrast/utils/assess/tracking_util.rb +89 -19
- data/lib/contrast/utils/boolean_util.rb +1 -1
- data/lib/contrast/utils/class_util.rb +2 -2
- data/lib/contrast/utils/duck_utils.rb +0 -10
- data/lib/contrast/utils/env_configuration_item.rb +2 -1
- data/lib/contrast/utils/gemfile_reader.rb +5 -5
- data/lib/contrast/utils/hash_digest.rb +13 -3
- data/lib/contrast/utils/heap_dump_util.rb +2 -2
- data/lib/contrast/utils/invalid_configuration_util.rb +21 -35
- data/lib/contrast/utils/inventory_util.rb +6 -11
- data/lib/contrast/utils/io_util.rb +1 -1
- data/lib/contrast/utils/object_share.rb +0 -1
- data/lib/contrast/utils/os.rb +16 -4
- data/lib/contrast/utils/ruby_ast_rewriter.rb +1 -1
- data/lib/contrast/utils/sha256_builder.rb +2 -2
- data/lib/contrast/utils/stack_trace_utils.rb +2 -3
- data/lib/contrast/utils/string_utils.rb +11 -6
- data/lib/contrast/utils/tag_util.rb +1 -1
- data/lib/contrast/utils/thread_tracker.rb +1 -14
- data/lib/contrast/utils/timer.rb +1 -17
- data/resources/assess/policy.json +0 -10
- data/resources/deadzone/policy.json +5 -0
- data/ruby-agent.gemspec +24 -23
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +92 -92
- data/funchook/Makefile +0 -29
- data/funchook/autom4te.cache/output.0 +0 -4964
- data/funchook/autom4te.cache/requests +0 -77
- data/funchook/autom4te.cache/traces.0 +0 -361
- data/funchook/config.log +0 -651
- data/funchook/config.status +0 -1015
- data/funchook/configure +0 -4964
- data/funchook/src/Makefile +0 -70
- data/funchook/src/config.h +0 -101
- data/funchook/src/config.h.in +0 -100
- data/funchook/src/decoder.o +0 -0
- data/funchook/src/distorm.o +0 -0
- data/funchook/src/funchook.o +0 -0
- data/funchook/src/funchook_io.o +0 -0
- data/funchook/src/funchook_syscall.o +0 -0
- data/funchook/src/funchook_unix.o +0 -0
- data/funchook/src/funchook_x86.o +0 -0
- data/funchook/src/instructions.o +0 -0
- data/funchook/src/insts.o +0 -0
- data/funchook/src/libfunchook.dylib +0 -0
- data/funchook/src/mnemonics.o +0 -0
- data/funchook/src/operands.o +0 -0
- data/funchook/src/os_func.o +0 -0
- data/funchook/src/os_func_unix.o +0 -0
- data/funchook/src/prefix.o +0 -0
- data/funchook/src/printf_base.o +0 -0
- data/funchook/src/textdefs.o +0 -0
- data/funchook/src/wstring.o +0 -0
- data/funchook/test/Makefile +0 -43
- data/funchook/test/funchook_test +0 -0
- data/funchook/test/libfunchook_test.so +0 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +0 -20
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
- data/funchook/test/test_main.o +0 -0
- data/funchook/test/x86_64_test.o +0 -0
- data/lib/contrast/agent/assess/adjusted_span.rb +0 -27
- data/lib/contrast/agent/assess/insulator.rb +0 -49
- data/lib/contrast/agent/require_state.rb +0 -61
- data/lib/contrast/agent/socket_client.rb +0 -134
- data/lib/contrast/api/connection_status.rb +0 -49
- data/lib/contrast/api/socket.rb +0 -43
- data/lib/contrast/api/speedracer.rb +0 -188
- data/lib/contrast/api/tcp_socket.rb +0 -29
- data/lib/contrast/api/unix_socket.rb +0 -25
- data/lib/contrast/extension/assess/assess_extension.rb +0 -148
- data/lib/contrast/framework/sinatra/application_helper.rb +0 -51
- data/lib/contrast/framework/view_technologies_descriptor.rb +0 -21
- data/lib/contrast/internal_exception.rb +0 -8
- data/lib/contrast/utils/cache.rb +0 -58
- data/lib/contrast/utils/freeze_util.rb +0 -32
- data/lib/contrast/utils/service_sender_util.rb +0 -167
- data/lib/contrast/utils/sinatra_helper.rb +0 -49
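--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ac8fc7d0e9c127859cf7bdb149c7ac519286c4329bd81ad28db4963128e0cd63
+data.tar.gz: 784afc67ef269df8dfbaed392e8ad28e2e3b679113ed8679625f95033e324929
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c1a5563b34a4eba33fdf8094986362f70c88bda53102899bb01ad0096588d26883b5e7ad475e41afa15b95674b8c2810cfe6546c6779b8e3b2030bf7bb1e33d6
+data.tar.gz: 1a1eb220719c1caf3f7153108bff4ac5132130d6879dc2b425e6dd31720e4c76bda9c27c0ac65fa00ccb846a31cb173e04dc7d3320ba3079ea9b785a62991f00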
data/.dockerignore
CHANGED
data/.gitignore
CHANGED
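--- a/data/.simplecov
+++ b/data/.simplecov
@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-SimpleCov.minimum_coverage line:
+SimpleCov.minimum_coverage line: 94.75
 SimpleCov.start do
 add_filter '/spec/'
 end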
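--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,9 +1,13 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+$stdout.sync = true
+
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rake/extensiontask'
+load 'protobuf/tasks/compile.rake'
+require 'fileutils'
 
 CLOBBER << 'shared_libraries/*'
 
@@ -13,3 +17,30 @@ Dir['ext/cs__*'].each do |extension|
 ext.lib_dir = "lib/#{ name }"
 end
 end
+
+task :contrast_pb_compile do
+# do some stuff before compile
+
+# Invoke the protobuf compile task with your sensible defaults
+::Rake::Task['protobuf:compile'].invoke('lib',
+'./agent-service-api/protobuf ./agent-service-api/protobuf/dtm.proto',
+'lib/contrast/api',
+nil)
+
+::Rake::Task['protobuf:compile'].reenable
+
+::Rake::Task['protobuf:compile'].invoke('lib',
+'./agent-service-api/protobuf ./agent-service-api/protobuf/settings.proto',
+'lib/contrast/api',
+nil)
+
+['dtm.pb.rb', 'settings.pb.rb'].each do |target_file|
+target_path = File.absolute_path(File.join(__dir__, "./lib/contrast/api/#{ target_file }"))
+unless File.exist?(target_path)
+puts "File not found #{ target_path }"
+exit 1
+end
+end
+
+puts 'Protobuf copied successfully'
+end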
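Review bot: `exit 1` inside the `contrast_pb_compile` task (second hunk, new line 41) terminates the rake process directly and bypasses rake's own failure reporting; `abort "File not found #{ target_path }"` writes the message to stderr and still exits non-zero, and a plain `raise` would let rake print the task trace. `load 'protobuf/tasks/compile.rake'` at the top of the Rakefile (first hunk, new line 9) also makes every task — `compile`, `spec`, `clobber` — fail to load when the protobuf gem is absent, although only this one task needs it; loading it inside the task body, or rescuing `LoadError` around the `load`, keeps the rest of the Rakefile usable. The closing `puts 'Protobuf copied successfully'` describes a copy, but the task appears to only compile into `lib/contrast/api` and verify the outputs exist, so `puts 'Protobuf compiled successfully'` reads more accurately.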
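--- a/data/exe/contrast_service
+++ b/data/exe/contrast_service
@@ -3,19 +3,13 @@
 # frozen_string_literal: true
 
 def mac?
-RUBY_PLATFORM.
-end
-
-def windows?
-RUBY_PLATFORM.match?(/cygwin|mswin|mingw|bccwin|wince|emx/)
+RUBY_PLATFORM.include?('darwin')
 end
 
 def path
 base_path = "#{ File.dirname(__FILE__) }/.."
 if mac?
 "#{ base_path }/service_executables/mac/contrast-service"
-elsif windows?
-"#{ base_path }/service_executables/windows/contrast-service.exe"
 else
 "#{ base_path }/service_executables/linux/contrast-service"
 end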
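Review bot: With `windows?` gone, `path` (new lines 9-15) treats every non-darwin platform as Linux, so on a platform the gem no longer ships an executable for, the launcher would try to run `service_executables/linux/contrast-service` and fail with an opaque exec error rather than a clear message. Make the dropped support explicit at the top of `path`: `abort "contrast-service has no executable for #{ RUBY_PLATFORM }" unless mac? || RUBY_PLATFORM.include?('linux')`, which keeps the two remaining branches unchanged. The removed body of `mac?` is truncated in this rendering, so the old predicate cannot be compared with the new `include?('darwin')` here.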
data/ext/build_funchook.rb
CHANGED
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
* https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
|
|
3
3
|
|
|
4
4
|
#include "cs__active_record_named.h"
|
|
5
|
-
#include <ruby.h>
|
|
6
5
|
#include "../cs__common/cs__common.h"
|
|
6
|
+
#include <ruby.h>
|
|
7
7
|
|
|
8
8
|
VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
9
9
|
const VALUE self) {
|
|
@@ -19,7 +19,8 @@ VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
|
19
19
|
*/
|
|
20
20
|
VALUE new_body, ret;
|
|
21
21
|
VALUE new_args[3];
|
|
22
|
-
new_body = rb_funcall(active_record_named, rb_sym_assess_rewrite, 3, self,
|
|
22
|
+
new_body = rb_funcall(active_record_named, rb_sym_assess_rewrite, 3, self,
|
|
23
|
+
argv[0], argv[1]);
|
|
23
24
|
new_args[0] = argv[0];
|
|
24
25
|
if (NIL_P(new_body)) {
|
|
25
26
|
new_args[1] = argv[1];
|
|
@@ -36,10 +37,10 @@ void Init_cs__assess_active_record_named(void) {
|
|
|
36
37
|
framework = rb_define_module_under(contrast, "Framework");
|
|
37
38
|
rails = rb_define_module_under(framework, "Rails");
|
|
38
39
|
rewrite = rb_define_module_under(rails, "Rewrite");
|
|
39
|
-
active_record_named =
|
|
40
|
+
active_record_named =
|
|
41
|
+
rb_define_class_under(rewrite, "ActiveRecordNamed", rb_cObject);
|
|
40
42
|
rb_sym_assess_rewrite = rb_intern("rewrite");
|
|
41
|
-
rb_sym_assess_scope
|
|
42
|
-
|
|
43
|
-
|
|
43
|
+
rb_sym_assess_scope =
|
|
44
|
+
contrast_register_patch("ActiveRecord::Scoping::Named::ClassMethods",
|
|
45
|
+
"scope", contrast_assess_active_record_scope);
|
|
44
46
|
}
|
|
45
|
-
|
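Review bot: The re-wrapped call at new lines 22-23 of `contrast_assess_active_record_scope` reads `argv[0]` and `argv[1]` without any check on `argc`, so a caller that passes `scope` fewer than two positional arguments makes this read past the end of `argv` before the original method gets a chance to raise ArgumentError. Rails' `scope(name, body, &block)` takes two positional arguments, so this presumably holds in practice, but `rb_check_arity(argc, 2, 2);` before the `rb_funcall` turns the assumption into a checked one. The function begins before this hunk; the include reorder in the first hunk and the `Init_` reformatting raise nothing.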
|
@@ -23,15 +23,16 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
|
|
|
23
23
|
/* Finally, default to empty String. Implicit since nil.to_s is ''*/
|
|
24
24
|
|
|
25
25
|
result = rb_funcall2(ary, rb_sym_assess_array_join, argc, argv);
|
|
26
|
-
result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
|
|
26
|
+
result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
|
|
27
|
+
ary, sep, result);
|
|
27
28
|
|
|
28
29
|
return result;
|
|
29
30
|
}
|
|
30
31
|
|
|
31
32
|
void Init_cs__assess_array(void) {
|
|
32
|
-
array_propagator =
|
|
33
|
+
array_propagator =
|
|
34
|
+
rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
|
|
33
35
|
rb_sym_assess_track_array_join = rb_intern("cs__track_join");
|
|
34
|
-
rb_sym_assess_array_join =
|
|
35
|
-
|
|
36
|
-
contrast_assess_array_join);
|
|
36
|
+
rb_sym_assess_array_join =
|
|
37
|
+
contrast_register_patch("Array", "join", contrast_assess_array_join);
|
|
37
38
|
}
|
|
@@ -7,7 +7,8 @@
|
|
|
7
7
|
|
|
8
8
|
void contrast_assess_instance_eval_trigger_check(VALUE self, VALUE source,
|
|
9
9
|
VALUE ret) {
|
|
10
|
-
rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self,
|
|
10
|
+
rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self,
|
|
11
|
+
source, ret);
|
|
11
12
|
}
|
|
12
13
|
|
|
13
14
|
VALUE
|
|
@@ -36,7 +37,8 @@ contrast_assess_basic_object_instance_eval(const int argc, const VALUE *argv,
|
|
|
36
37
|
}
|
|
37
38
|
|
|
38
39
|
void Init_cs__assess_basic_object(void) {
|
|
39
|
-
basic_eval_trigger =
|
|
40
|
+
basic_eval_trigger =
|
|
41
|
+
rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
|
|
40
42
|
instance_trigger_check_method = rb_intern("instance_eval_trigger_check");
|
|
41
43
|
|
|
42
44
|
/* We don't keep a reference to the underlying method.
|
|
@@ -45,8 +47,6 @@ void Init_cs__assess_basic_object(void) {
|
|
|
45
47
|
* but if someone else patched BasicObject#instance_eval,
|
|
46
48
|
* IDK if this is intentional... noting it. -ajm
|
|
47
49
|
*/
|
|
48
|
-
contrast_register_patch("BasicObject",
|
|
49
|
-
"instance_eval",
|
|
50
|
+
contrast_register_patch("BasicObject", "instance_eval",
|
|
50
51
|
contrast_assess_basic_object_instance_eval);
|
|
51
|
-
|
|
52
52
|
}
|
|
@@ -3,7 +3,6 @@
|
|
|
3
3
|
|
|
4
4
|
#include "cs__assess_fiber_track.h"
|
|
5
5
|
#include "../cs__common/cs__common.h"
|
|
6
|
-
#include <funchook.h>
|
|
7
6
|
#include <ruby.h>
|
|
8
7
|
|
|
9
8
|
VALUE rb_fiber_new_hook(VALUE (*func)(ANYARGS), VALUE obj) {
|
|
@@ -64,22 +63,18 @@ VALUE rb_fiber_yield_hook(int argc, const VALUE *argv) {
|
|
|
64
63
|
}
|
|
65
64
|
|
|
66
65
|
int install_fiber_hooks() {
|
|
67
|
-
funchook_t *funchook = funchook_create();
|
|
68
|
-
|
|
69
66
|
rb_fiber_new_original = rb_fiber_new;
|
|
70
|
-
|
|
71
|
-
rb_fiber_new_hook);
|
|
67
|
+
patch_via_funchook(&rb_fiber_new_original, &rb_fiber_new_hook);
|
|
72
68
|
|
|
73
69
|
rb_fiber_yield_original = rb_fiber_yield;
|
|
74
|
-
|
|
75
|
-
rb_fiber_yield_hook);
|
|
70
|
+
patch_via_funchook(&rb_fiber_yield_original, &rb_fiber_yield_hook);
|
|
76
71
|
|
|
77
|
-
funchook_install(funchook, 0);
|
|
78
72
|
return 0;
|
|
79
73
|
}
|
|
80
74
|
|
|
81
75
|
void Init_cs__assess_fiber_track(void) {
|
|
82
|
-
fiber_propagator =
|
|
76
|
+
fiber_propagator =
|
|
77
|
+
rb_define_class_under(core_assess, "FiberPropagator", rb_cObject);
|
|
83
78
|
track_rb_fiber_new = rb_intern("track_rb_fiber_new");
|
|
84
79
|
track_rb_fiber_yield = rb_intern("track_rb_fiber_yield");
|
|
85
80
|
rb_sym_next = rb_intern("next");
|
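Review bot: `install_fiber_hooks` (new lines 65-73) discards whatever `patch_via_funchook` returns for both hooks and always returns 0, so a caller cannot tell a successful install from one where funchook could not rewrite `rb_fiber_new` or `rb_fiber_yield`; the removed `funchook_install(funchook, 0)` had the same gap, but the new helper is the natural place to close it. If `patch_via_funchook` reports a status (its declaration lives in cs__common.h, outside this hunk), propagate it — `if (patch_via_funchook(&rb_fiber_new_original, &rb_fiber_new_hook) != 0) return -1;` and likewise for the yield hook — and state the return contract in a comment on `install_fiber_hooks`. The empty parameter list in `int install_fiber_hooks()` is an old-style declaration; `(void)` says the function takes no arguments.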
|
@@ -12,23 +12,24 @@
|
|
|
12
12
|
* This method instruments that unique bracket-construction style
|
|
13
13
|
* of initializing a hash.
|
|
14
14
|
*/
|
|
15
|
-
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
16
|
-
|
|
15
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
16
|
+
VALUE *argv,
|
|
17
|
+
const VALUE hash) {
|
|
17
18
|
VALUE result;
|
|
18
19
|
|
|
19
20
|
/* Array of Arrays: Hash[ [ [key, value], ... ] ] -> new_hash */
|
|
20
21
|
if (RB_TYPE_P(argv[0], T_ARRAY)) {
|
|
21
22
|
int i;
|
|
22
23
|
for (i = 0; i < argc; i++) {
|
|
23
|
-
argv[i] =
|
|
24
|
-
|
|
24
|
+
argv[i] = rb_funcall(hash_propagator,
|
|
25
|
+
rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
25
26
|
}
|
|
26
27
|
/* Hash[ key, value, ... ] -> new_hash */
|
|
27
28
|
} else if (argc > 1) {
|
|
28
29
|
int i;
|
|
29
30
|
for (i = 0; i < argc; i += 2) {
|
|
30
|
-
argv[i] =
|
|
31
|
-
|
|
31
|
+
argv[i] = rb_funcall(hash_propagator,
|
|
32
|
+
rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
32
33
|
}
|
|
33
34
|
}
|
|
34
35
|
|
|
@@ -36,7 +37,8 @@ static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *arg
|
|
|
36
37
|
* String keys
|
|
37
38
|
* # Hash[ object ] -> new_hash
|
|
38
39
|
*/
|
|
39
|
-
result =
|
|
40
|
+
result =
|
|
41
|
+
rb_funcall2(hash, rb_sym_assess_hash_bracket_constructor, argc, argv);
|
|
40
42
|
|
|
41
43
|
return result;
|
|
42
44
|
}
|
|
@@ -61,8 +63,9 @@ static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
|
61
63
|
* We haven't revisited this approach since we started more extensively
|
|
62
64
|
* hooking public C functions.)
|
|
63
65
|
*/
|
|
64
|
-
if(argc > 0) {
|
|
65
|
-
argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze,
|
|
66
|
+
if (argc > 0) {
|
|
67
|
+
argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze,
|
|
68
|
+
1, argv[0]);
|
|
66
69
|
}
|
|
67
70
|
/* This is the underlying assignment, w/ our instrumented key. */
|
|
68
71
|
result = rb_funcall2(hash, rb_sym_assess_hash_bracket_equals, argc, argv);
|
|
@@ -71,17 +74,15 @@ static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
|
71
74
|
}
|
|
72
75
|
|
|
73
76
|
void Init_cs__assess_hash(void) {
|
|
74
|
-
hash_propagator =
|
|
77
|
+
hash_propagator =
|
|
78
|
+
rb_define_class_under(core_assess, "HashPropagator", rb_cObject);
|
|
75
79
|
rb_sym_assess_hash_dup_and_freeze = rb_intern("cs__duplicate_and_freeze");
|
|
76
80
|
|
|
77
81
|
VALUE hash_class = rb_define_class("Hash", rb_cObject);
|
|
78
82
|
|
|
79
|
-
rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch(
|
|
80
|
-
|
|
81
|
-
contrast_assess_hash_bracket_constructor);
|
|
82
|
-
|
|
83
|
-
rb_sym_assess_hash_bracket_equals = contrast_register_patch("Hash",
|
|
84
|
-
"[]=",
|
|
85
|
-
contrast_assess_hash_bracket_set);
|
|
83
|
+
rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch(
|
|
84
|
+
"Hash", "[]", contrast_assess_hash_bracket_constructor);
|
|
86
85
|
|
|
86
|
+
rb_sym_assess_hash_bracket_equals = contrast_register_patch(
|
|
87
|
+
"Hash", "[]=", contrast_assess_hash_bracket_set);
|
|
87
88
|
}
|
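Review bot: `contrast_assess_hash_bracket_constructor` (first hunk, new lines 15-35) tests `RB_TYPE_P(argv[0], T_ARRAY)` before looking at `argc`, yet `Hash[]` with no arguments is valid Ruby and yields an empty hash, so that call reads one element past an empty `argv`. The commit adds precisely this guard to `contrast_assess_hash_bracket_set` (`if (argc > 0)`, third hunk) but leaves the constructor unguarded; `if (argc > 0 && RB_TYPE_P(argv[0], T_ARRAY)) {` closes the gap without touching the other branches, since `argc > 1` already protects the key/value loop and the trailing `rb_funcall2` is safe with `argc == 0`. The prototype in cs__assess_hash.h was only re-wrapped and needs no change.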
|
@@ -13,7 +13,8 @@ static VALUE hash_propagator;
|
|
|
13
13
|
* ahead of time should avoid this, similar to the behavior of the -@ Strings
|
|
14
14
|
* -HM
|
|
15
15
|
*/
|
|
16
|
-
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
16
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc,
|
|
17
|
+
VALUE *argv,
|
|
17
18
|
const VALUE hash);
|
|
18
19
|
|
|
19
20
|
static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
@@ -18,8 +18,9 @@ contrast_patched_kernel_exec(const int argc, const VALUE *argv,
|
|
|
18
18
|
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
19
19
|
}
|
|
20
20
|
|
|
21
|
-
/* maybe this should be rb_funcall2. this works right now because *argv ==
|
|
22
|
-
* exec shouldn't ever be called with != 1 argc, so not a huge
|
|
21
|
+
/* maybe this should be rb_funcall2. this works right now because *argv ==
|
|
22
|
+
* argv[0]. exec shouldn't ever be called with != 1 argc, so not a huge
|
|
23
|
+
* problem */
|
|
23
24
|
return rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv);
|
|
24
25
|
}
|
|
25
26
|
|
|
@@ -27,12 +28,10 @@ void Init_cs__assess_kernel(void) {
|
|
|
27
28
|
kernel_propagator = rb_define_module_under(core_assess, "KernelPropagator");
|
|
28
29
|
exec_apply_trigger = rb_intern("apply_trigger");
|
|
29
30
|
|
|
30
|
-
rb_sym_assess_kernel_exec =
|
|
31
|
-
|
|
32
|
-
contrast_patched_kernel_exec);
|
|
31
|
+
rb_sym_assess_kernel_exec =
|
|
32
|
+
contrast_register_patch("Kernel", "exec", contrast_patched_kernel_exec);
|
|
33
33
|
|
|
34
34
|
/* should return the same value as above */
|
|
35
|
-
rb_sym_assess_kernel_exec = contrast_register_singleton_patch(
|
|
36
|
-
|
|
37
|
-
contrast_patched_kernel_exec);
|
|
35
|
+
rb_sym_assess_kernel_exec = contrast_register_singleton_patch(
|
|
36
|
+
"Kernel", "exec", contrast_patched_kernel_exec);
|
|
38
37
|
}
|
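Review bot: The reworded comment at new lines 21-23 still records a known defect rather than fixing it: `return rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv);` tells `rb_funcall` to expect `argc` variadic arguments but supplies only `argv[0]`, so `Kernel#exec` invoked with several arguments (`exec('ls', '-l')`, or the `[env, command, *args]` form — both legal) makes `rb_funcall` read arguments that were never passed. `return rb_funcall2(self, rb_sym_assess_kernel_exec, argc, argv);` forwards the whole argument vector for any `argc` and lets the comment be deleted; `rb_funcall2` is already what the sibling array and hash extensions use for the same purpose. `contrast_patched_kernel_exec` starts before this hunk.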
|
@@ -9,26 +9,24 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
|
|
|
9
9
|
const VALUE *argv) {
|
|
10
10
|
VALUE result;
|
|
11
11
|
VALUE source_string;
|
|
12
|
-
|
|
13
12
|
result = rb_call_super(argc, argv);
|
|
14
13
|
|
|
15
14
|
if (argc >= 1) {
|
|
16
15
|
source_string = argv[0];
|
|
17
16
|
|
|
18
|
-
|
|
19
|
-
|
|
17
|
+
VALUE tracked =
|
|
18
|
+
rb_funcall(properties_hash, rb_sym_hash_tracked, 1, source_string);
|
|
20
19
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
if (tracked == Qtrue) {
|
|
21
|
+
VALUE skip =
|
|
22
|
+
rb_funcall(contrast_patcher(), rb_sym_skip_assess_analysis, 0);
|
|
24
23
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
}
|
|
24
|
+
if (skip == Qfalse) {
|
|
25
|
+
VALUE scope =
|
|
26
|
+
rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
|
|
27
|
+
rb_funcall(marshal_module, rb_sym_assess_load_trigger_check, 2,
|
|
28
|
+
source_string, result);
|
|
29
|
+
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
32
30
|
}
|
|
33
31
|
}
|
|
34
32
|
}
|
|
@@ -36,9 +34,13 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
|
|
|
36
34
|
}
|
|
37
35
|
|
|
38
36
|
void Init_cs__assess_marshal_module(void) {
|
|
37
|
+
// Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
|
|
38
|
+
VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
|
|
39
|
+
properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
|
|
40
|
+
marshal_module =
|
|
41
|
+
rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
|
|
39
42
|
rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
|
|
40
43
|
|
|
41
|
-
contrast_register_singleton_prepend_patch(
|
|
42
|
-
|
|
43
|
-
&contrast_assess_marshal_module_load);
|
|
44
|
+
contrast_register_singleton_prepend_patch(
|
|
45
|
+
"Marshal", "load", &contrast_assess_marshal_module_load);
|
|
44
46
|
}
|
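Review bot: In the new body of `contrast_assess_marshal_module_load` (new lines 17-29) `scope` is assigned from `enter_scope` and never read, and the `rb_funcall` to `rb_sym_assess_load_trigger_check` sits between `enter_scope` and `exit_scope` with nothing guaranteeing the exit: a Ruby exception raised inside the trigger check unwinds past `exit_scope` and leaves the patcher's scope entered. Wrapping the check in `rb_ensure` keeps the exit on every path, as sketched below; the enter/exit pair in cs__assess_module.c carries a comment describing the same hazard. In `Init_cs__assess_marshal_module`, `rb_define_class_under(assess, "Tracker", rb_cObject)` is used as a lookup, but if the Ruby-side `Tracker` has not been defined when the extension loads this creates an empty class and the following `rb_const_get` raises NameError — presumably the load order guarantees it, and a comment stating that dependency would help. The function's signature line is outside this hunk.
```c
/* Runs the Marshal.load trigger check; args points at {source_string, result}. */
static VALUE marshal_load_trigger_check_body(VALUE args) {
    const VALUE *pair = (const VALUE *)args;
    return rb_funcall(marshal_module, rb_sym_assess_load_trigger_check, 2,
                      pair[0], pair[1]);
}

/* ensure clause: leave the assess scope even if the trigger check raised. */
static VALUE marshal_load_exit_scope(VALUE unused) {
    (void)unused;
    return rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
}

/* … unchanged: start of contrast_assess_marshal_module_load, tracked/skip checks … */
            if (skip == Qfalse) {
                VALUE pair[2] = { source_string, result };
                rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
                rb_ensure(marshal_load_trigger_check_body, (VALUE)pair,
                          marshal_load_exit_scope, Qnil);
            }
/* … unchanged: closing braces and return … */
```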
|
@@ -21,7 +21,8 @@ void contrast_assess_eval_trigger_check(VALUE module, VALUE source, VALUE ret) {
|
|
|
21
21
|
/* If this method ever throws an exception, the scope-leave
|
|
22
22
|
* needs to be moved within a rescue call.
|
|
23
23
|
*/
|
|
24
|
-
rb_funcall(module_eval_trigger, trigger_check_method, 4, module, source,
|
|
24
|
+
rb_funcall(module_eval_trigger, trigger_check_method, 4, module, source,
|
|
25
|
+
ret, method);
|
|
25
26
|
}
|
|
26
27
|
|
|
27
28
|
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
@@ -57,7 +58,8 @@ contrast_assess_module_module_eval(const int argc, const VALUE *argv,
|
|
|
57
58
|
}
|
|
58
59
|
|
|
59
60
|
void Init_cs__assess_module(void) {
|
|
60
|
-
module_eval_trigger =
|
|
61
|
+
module_eval_trigger =
|
|
62
|
+
rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
|
|
61
63
|
trigger_check_method = rb_intern("eval_trigger_check");
|
|
62
64
|
|
|
63
65
|
rb_sym_assess_patch_eval = rb_intern("patch_assess_on_eval");
|
|
@@ -69,11 +71,9 @@ void Init_cs__assess_module(void) {
|
|
|
69
71
|
* See similar comments in basic_object C ext patch.
|
|
70
72
|
*/
|
|
71
73
|
|
|
72
|
-
contrast_register_patch("Module",
|
|
73
|
-
"class_eval",
|
|
74
|
+
contrast_register_patch("Module", "class_eval",
|
|
74
75
|
contrast_assess_module_class_eval);
|
|
75
76
|
|
|
76
|
-
contrast_register_patch("Module",
|
|
77
|
-
"module_eval",
|
|
77
|
+
contrast_register_patch("Module", "module_eval",
|
|
78
78
|
contrast_assess_module_module_eval);
|
|
79
79
|
}
|