RubyGems - contrast-agent - Versions diffs - 3.8.4 → 6.9.0 - Mend

contrast-agent 3.8.4 → 6.9.0

Files changed (676) hide show

checksums.yaml +4 -4
data/.dockerignore +0 -1
data/.flayignore +1 -0
data/.gitignore +8 -5
data/.gitmodules +0 -3
data/.rspec +0 -1
data/.rspec_parallel +6 -0
data/.simplecov +6 -2
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +5 -2
data/ext/build_funchook.rb +27 -11
data/ext/cs__assess_array/cs__assess_array.c +45 -7
data/ext/cs__assess_array/cs__assess_array.h +5 -1
data/ext/cs__assess_array/extconf.rb +3 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +39 -17
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
data/ext/cs__assess_basic_object/extconf.rb +3 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +9 -13
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -4
data/ext/cs__assess_fiber_track/extconf.rb +3 -0
data/ext/cs__assess_hash/cs__assess_hash.c +46 -21
data/ext/cs__assess_hash/cs__assess_hash.h +5 -6
data/ext/cs__assess_hash/extconf.rb +3 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +29 -15
data/ext/cs__assess_kernel/cs__assess_kernel.h +3 -0
data/ext/cs__assess_kernel/extconf.rb +3 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +55 -23
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +6 -3
data/ext/cs__assess_marshal_module/extconf.rb +3 -0
data/ext/cs__assess_module/cs__assess_module.c +82 -23
data/ext/cs__assess_module/cs__assess_module.h +10 -0
data/ext/cs__assess_module/extconf.rb +3 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +28 -9
data/ext/cs__assess_regexp/cs__assess_regexp.h +3 -0
data/ext/cs__assess_regexp/extconf.rb +3 -0
data/ext/cs__assess_string/cs__assess_string.c +53 -21
data/ext/cs__assess_string/cs__assess_string.h +7 -1
data/ext/cs__assess_string/extconf.rb +3 -0
data/ext/cs__assess_string_interpolation/cs__assess_string_interpolation.c +39 -0
data/ext/cs__assess_string_interpolation/cs__assess_string_interpolation.h +13 -0
data/ext/cs__assess_string_interpolation/extconf.rb +5 -0
data/ext/cs__assess_test/cs__assess_test.h +9 -0
data/ext/cs__assess_test/cs__assess_tests.c +22 -0
data/ext/cs__assess_test/extconf.rb +5 -0
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +30 -0
data/ext/cs__assess_yield_track/cs__assess_yield_track.h +11 -0
data/ext/cs__assess_yield_track/extconf.rb +5 -0
data/ext/cs__common/cs__common.c +246 -10
data/ext/cs__common/cs__common.h +71 -2
data/ext/cs__common/extconf.rb +3 -16
data/ext/cs__contrast_patch/cs__contrast_patch.c +255 -155
data/ext/cs__contrast_patch/cs__contrast_patch.h +13 -14
data/ext/cs__contrast_patch/extconf.rb +3 -0
data/ext/cs__os_information/cs__os_information.c +34 -0
data/ext/cs__os_information/cs__os_information.h +7 -0
data/ext/cs__os_information/extconf.rb +5 -0
data/ext/cs__scope/cs__scope.c +755 -55
data/ext/cs__scope/cs__scope.h +75 -20
data/ext/cs__scope/extconf.rb +3 -0
data/ext/cs__tests/cs__tests.c +12 -0
data/ext/cs__tests/cs__tests.h +3 -0
data/ext/cs__tests/extconf.rb +5 -0
data/ext/extconf_common.rb +4 -34
data/lib/contrast/agent/assess/contrast_object.rb +54 -0
data/lib/contrast/agent/assess/events/event_data.rb +30 -0
data/lib/contrast/agent/assess/finalizers/freeze.rb +15 -0
data/lib/contrast/agent/assess/finalizers/hash.rb +107 -0
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +58 -36
data/lib/contrast/agent/assess/policy/patcher.rb +13 -48
data/lib/contrast/agent/assess/policy/policy.rb +20 -37
data/lib/contrast/agent/assess/policy/policy_node.rb +96 -200
data/lib/contrast/agent/assess/policy/policy_node_utils.rb +50 -0
data/lib/contrast/agent/assess/policy/policy_scanner.rb +15 -12
data/lib/contrast/agent/assess/policy/preshift.rb +50 -19
data/lib/contrast/agent/assess/policy/propagation_method.rb +200 -192
data/lib/contrast/agent/assess/policy/propagation_node.rb +49 -41
data/lib/contrast/agent/assess/policy/propagator/append.rb +32 -15
data/lib/contrast/agent/assess/policy/propagator/base.rb +5 -3
data/lib/contrast/agent/assess/policy/propagator/buffer.rb +119 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +12 -8
data/lib/contrast/agent/assess/policy/propagator/custom.rb +7 -3
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +34 -25
data/lib/contrast/agent/assess/policy/propagator/insert.rb +15 -11
data/lib/contrast/agent/assess/policy/propagator/keep.rb +23 -6
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +118 -0
data/lib/contrast/agent/assess/policy/propagator/next.rb +7 -6
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +13 -6
data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/remove.rb +53 -41
data/lib/contrast/agent/assess/policy/propagator/replace.rb +5 -3
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +7 -6
data/lib/contrast/agent/assess/policy/propagator/select.rb +45 -36
data/lib/contrast/agent/assess/policy/propagator/splat.rb +44 -21
data/lib/contrast/agent/assess/policy/propagator/split.rb +176 -22
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +7 -132
data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +190 -0
data/lib/contrast/agent/assess/policy/propagator/trim.rb +74 -52
data/lib/contrast/agent/assess/policy/propagator.rb +21 -18
data/lib/contrast/agent/assess/policy/source_method.rb +176 -177
data/lib/contrast/agent/assess/policy/source_node.rb +3 -17
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +32 -0
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +34 -0
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +102 -0
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +160 -173
data/lib/contrast/agent/assess/policy/trigger_node.rb +162 -39
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +8 -38
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +22 -7
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +6 -15
data/lib/contrast/agent/assess/properties.rb +15 -354
data/lib/contrast/agent/assess/property/evented.rb +58 -0
data/lib/contrast/agent/assess/property/tagged.rb +246 -0
data/lib/contrast/agent/assess/property/updated.rb +131 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +58 -19
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +22 -17
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +93 -81
data/lib/contrast/agent/assess/rule/provider.rb +4 -4
data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +69 -0
data/lib/contrast/agent/assess/rule/response/base_rule.rb +121 -0
data/lib/contrast/agent/assess/rule/response/body_rule.rb +107 -0
data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +195 -0
data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +100 -0
data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +26 -0
data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +34 -0
data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +36 -0
data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +61 -0
data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +34 -0
data/lib/contrast/agent/assess/tag.rb +84 -41
data/lib/contrast/agent/assess/tracker.rb +70 -0
data/lib/contrast/agent/assess.rb +7 -29
data/lib/contrast/agent/at_exit_hook.rb +28 -17
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +11 -6
data/lib/contrast/agent/deadzone/policy/policy.rb +11 -7
data/lib/contrast/agent/disable_reaction.rb +6 -10
data/lib/contrast/agent/excluder.rb +224 -0
data/lib/contrast/agent/exclusion_matcher.rb +40 -74
data/lib/contrast/agent/inventory/database_config.rb +174 -0
data/lib/contrast/agent/inventory/dependencies.rb +52 -0
data/lib/contrast/agent/inventory/dependency_analysis.rb +34 -0
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +120 -0
data/lib/contrast/agent/inventory/policy/datastores.rb +51 -0
data/lib/contrast/agent/inventory/policy/policy.rb +5 -5
data/lib/contrast/agent/inventory/policy/trigger_node.rb +2 -2
data/lib/contrast/agent/inventory.rb +14 -0
data/lib/contrast/agent/middleware.rb +146 -299
data/lib/contrast/agent/module_data.rb +5 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +54 -7
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +103 -27
data/lib/contrast/agent/patching/policy/method_policy.rb +53 -64
data/lib/contrast/agent/patching/policy/method_policy_extend.rb +113 -0
data/lib/contrast/agent/patching/policy/module_policy.rb +27 -47
data/lib/contrast/agent/patching/policy/patch.rb +147 -241
data/lib/contrast/agent/patching/policy/patch_status.rb +21 -45
data/lib/contrast/agent/patching/policy/patcher.rb +126 -161
data/lib/contrast/agent/patching/policy/policy.rb +66 -57
data/lib/contrast/agent/patching/policy/policy_node.rb +63 -32
data/lib/contrast/agent/patching/policy/trigger_node.rb +32 -15
data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +170 -0
data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +116 -0
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +65 -0
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +97 -0
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +69 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +138 -0
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +55 -0
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +125 -0
data/lib/contrast/agent/protect/policy/policy.rb +10 -10
data/lib/contrast/agent/protect/policy/rule_applicator.rb +102 -0
data/lib/contrast/agent/protect/policy/trigger_node.rb +2 -2
data/lib/contrast/agent/protect/rule/base.rb +205 -95
data/lib/contrast/agent/protect/rule/base_service.rb +73 -14
data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +53 -123
data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +132 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +169 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +64 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +63 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +27 -0
data/lib/contrast/agent/protect/rule/default_scanner.rb +69 -25
data/lib/contrast/agent/protect/rule/deserialization.rb +32 -48
data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +65 -62
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -3
data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +226 -0
data/lib/contrast/agent/protect/rule/no_sqli.rb +47 -53
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +57 -26
data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +155 -0
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +37 -0
data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +28 -0
data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb +67 -0
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli.rb +78 -62
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +58 -0
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +19 -2
data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
data/lib/contrast/agent/protect/rule/xss.rb +20 -2
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +25 -21
data/lib/contrast/agent/protect/rule/xxe.rb +69 -39
data/lib/contrast/agent/protect/rule.rb +22 -25
data/lib/contrast/agent/reporting/attack_result/attack_result.rb +71 -0
data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +86 -0
data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
data/lib/contrast/agent/reporting/attack_result/user_input.rb +98 -0
data/lib/contrast/agent/reporting/details/bot_blocker_details.rb +29 -0
data/lib/contrast/agent/reporting/details/cmd_injection_details.rb +30 -0
data/lib/contrast/agent/reporting/details/details.rb +18 -0
data/lib/contrast/agent/reporting/details/http_method_tempering_details.rb +27 -0
data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +35 -0
data/lib/contrast/agent/reporting/details/no_sqli_details.rb +36 -0
data/lib/contrast/agent/reporting/details/path_traversal_details.rb +24 -0
data/lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb +32 -0
data/lib/contrast/agent/reporting/details/protect_rule_details.rb +17 -0
data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb +22 -0
data/lib/contrast/agent/reporting/details/sqli_details.rb +36 -0
data/lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb +27 -0
data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +30 -0
data/lib/contrast/agent/reporting/details/xss_details.rb +33 -0
data/lib/contrast/agent/reporting/details/xss_match.rb +30 -0
data/lib/contrast/agent/reporting/details/xxe_details.rb +36 -0
data/lib/contrast/agent/reporting/details/xxe_match.rb +25 -0
data/lib/contrast/agent/reporting/details/xxe_wrapper.rb +25 -0
data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +43 -0
data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +129 -0
data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
data/lib/contrast/agent/reporting/masker/masker.rb +258 -0
data/lib/contrast/agent/reporting/masker/masker_utils.rb +33 -0
data/lib/contrast/agent/reporting/report.rb +31 -0
data/lib/contrast/agent/reporting/reporter.rb +165 -0
data/lib/contrast/agent/reporting/reporter_heartbeat.rb +47 -0
data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +34 -0
data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +120 -0
data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +85 -0
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +65 -0
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +102 -0
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +68 -0
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +62 -0
data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +42 -0
data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +57 -0
data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +27 -0
data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +44 -0
data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
data/lib/contrast/agent/reporting/reporting_events/application_update.rb +56 -0
data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +72 -0
data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +126 -0
data/lib/contrast/agent/reporting/reporting_events/finding.rb +210 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +449 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +104 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +49 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +51 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +106 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +74 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb +68 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb +71 -0
data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range_tags.rb +105 -0
data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +134 -0
data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +89 -0
data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +48 -0
data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +45 -0
data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +89 -0
data/lib/contrast/agent/reporting/reporting_events/poll.rb +23 -0
data/lib/contrast/agent/reporting/reporting_events/preflight.rb +41 -0
data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +74 -0
data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +66 -0
data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +89 -0
data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +63 -0
data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +53 -0
data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +35 -0
data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +130 -0
data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +35 -0
data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +176 -0
data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +54 -0
data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +143 -0
data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +144 -0
data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +66 -0
data/lib/contrast/agent/reporting/reporting_utilities/response.rb +98 -0
data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +176 -0
data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +117 -0
data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +342 -0
data/lib/contrast/agent/reporting/server_settings_worker.rb +44 -0
data/lib/contrast/agent/reporting/settings/application_settings.rb +61 -0
data/lib/contrast/agent/reporting/settings/assess.rb +45 -0
data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +114 -0
data/lib/contrast/agent/reporting/settings/bot_blocker.rb +68 -0
data/lib/contrast/agent/reporting/settings/code_exclusion.rb +32 -0
data/lib/contrast/agent/reporting/settings/exclusion_base.rb +51 -0
data/lib/contrast/agent/reporting/settings/exclusions.rb +106 -0
data/lib/contrast/agent/reporting/settings/helpers.rb +63 -0
data/lib/contrast/agent/reporting/settings/input_exclusion.rb +43 -0
data/lib/contrast/agent/reporting/settings/ip_filter.rb +35 -0
data/lib/contrast/agent/reporting/settings/keyword.rb +74 -0
data/lib/contrast/agent/reporting/settings/log_enhancer.rb +65 -0
data/lib/contrast/agent/reporting/settings/protect.rb +106 -0
data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +227 -0
data/lib/contrast/agent/reporting/settings/reaction.rb +39 -0
data/lib/contrast/agent/reporting/settings/rule_definition.rb +66 -0
data/lib/contrast/agent/reporting/settings/sampling.rb +46 -0
data/lib/contrast/agent/reporting/settings/sanitizer.rb +38 -0
data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +118 -0
data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +65 -0
data/lib/contrast/agent/reporting/settings/server_features.rb +95 -0
data/lib/contrast/agent/reporting/settings/syslog.rb +205 -0
data/lib/contrast/agent/reporting/settings/url_exclusion.rb +42 -0
data/lib/contrast/agent/reporting/settings/validator.rb +17 -0
data/lib/contrast/agent/request.rb +107 -411
data/lib/contrast/agent/request_context.rb +78 -162
data/lib/contrast/agent/request_context_extend.rb +85 -0
data/lib/contrast/agent/request_handler.rb +41 -0
data/lib/contrast/agent/response.rb +37 -165
data/lib/contrast/agent/rule_set.rb +52 -0
data/lib/contrast/agent/scope.rb +142 -20
data/lib/contrast/agent/static_analysis.rb +51 -0
data/lib/contrast/agent/telemetry/base.rb +155 -0
data/lib/contrast/agent/telemetry/events/event.rb +35 -0
data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +61 -0
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +46 -0
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +118 -0
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +86 -0
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +67 -0
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +19 -0
data/lib/contrast/agent/telemetry/events/metric_event.rb +28 -0
data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +123 -0
data/lib/contrast/agent/thread.rb +4 -6
data/lib/contrast/agent/thread_watcher.rb +117 -0
data/lib/contrast/agent/tracepoint_hook.rb +19 -13
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +42 -0
data/lib/contrast/agent.rb +83 -50
data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
data/lib/contrast/agent_lib/api/init.rb +101 -0
data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
data/lib/contrast/agent_lib/api/panic.rb +87 -0
data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
data/lib/contrast/agent_lib/interface.rb +260 -0
data/lib/contrast/agent_lib/interface_base.rb +118 -0
data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
data/lib/contrast/agent_lib/test.rb +29 -0
data/lib/contrast/api/communication/connection_status.rb +59 -0
data/lib/contrast/components/agent.rb +108 -36
data/lib/contrast/components/api.rb +159 -0
data/lib/contrast/components/app_context.rb +124 -134
data/lib/contrast/components/app_context_extend.rb +53 -0
data/lib/contrast/components/assess.rb +187 -24
data/lib/contrast/components/assess_rules.rb +54 -0
data/lib/contrast/components/base.rb +103 -0
data/lib/contrast/components/config/sources.rb +95 -0
data/lib/contrast/components/config.rb +182 -60
data/lib/contrast/components/heap_dump.rb +77 -12
data/lib/contrast/components/inventory.rb +37 -10
data/lib/contrast/components/logger.rb +46 -76
data/lib/contrast/components/polling.rb +36 -0
data/lib/contrast/components/protect.rb +142 -16
data/lib/contrast/components/ruby_component.rb +96 -0
data/lib/contrast/components/sampling.rb +156 -15
data/lib/contrast/components/scope.rb +116 -85
data/lib/contrast/components/security_logger.rb +36 -0
data/lib/contrast/components/settings.rb +197 -90
data/lib/contrast/config/api_proxy_configuration.rb +27 -0
data/lib/contrast/config/base_configuration.rb +20 -94
data/lib/contrast/config/certification_configuration.rb +47 -0
data/lib/contrast/config/config.rb +46 -0
data/lib/contrast/config/diagnostics.rb +114 -0
data/lib/contrast/config/diagnostics_tools.rb +98 -0
data/lib/contrast/config/effective_config.rb +65 -0
data/lib/contrast/config/effective_config_value.rb +32 -0
data/lib/contrast/config/env_variables.rb +18 -0
data/lib/contrast/config/exception_configuration.rb +34 -12
data/lib/contrast/config/protect_rule_configuration.rb +45 -24
data/lib/contrast/config/protect_rules_configuration.rb +97 -22
data/lib/contrast/config/request_audit_configuration.rb +57 -0
data/lib/contrast/config/server_configuration.rb +67 -15
data/lib/contrast/config.rb +6 -22
data/lib/contrast/configuration.rb +231 -108
data/lib/contrast/extension/assess/array.rb +75 -0
data/lib/contrast/extension/assess/erb.rb +61 -0
data/lib/contrast/extension/assess/eval_trigger.rb +47 -0
data/lib/contrast/{core_extensions → extension}/assess/exec_trigger.rb +9 -21
data/lib/contrast/extension/assess/fiber.rb +95 -0
data/lib/contrast/extension/assess/hash.rb +33 -0
data/lib/contrast/extension/assess/kernel.rb +124 -0
data/lib/contrast/extension/assess/marshal.rb +80 -0
data/lib/contrast/extension/assess/regexp.rb +71 -0
data/lib/contrast/extension/assess/string.rb +84 -0
data/lib/contrast/extension/assess.rb +47 -0
data/lib/contrast/{core_extensions → extension}/delegator.rb +3 -1
data/lib/contrast/extension/extension.rb +59 -0
data/lib/contrast/extension/inventory.rb +21 -0
data/lib/contrast/extension/module.rb +16 -0
data/lib/contrast/extension/object.rb +19 -0
data/lib/contrast/extension/protect/psych.rb +7 -0
data/lib/contrast/{core_extensions → extension}/protect.rb +6 -6
data/lib/contrast/extension/thread.rb +50 -0
data/lib/contrast/framework/base_support.rb +78 -0
data/lib/contrast/framework/grape/support.rb +176 -0
data/lib/contrast/framework/manager.rb +158 -0
data/lib/contrast/framework/manager_extend.rb +50 -0
data/lib/contrast/framework/rack/patch/session_cookie.rb +107 -0
data/lib/contrast/framework/rack/patch/support.rb +26 -0
data/lib/contrast/framework/rack/support.rb +23 -0
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +46 -0
data/lib/contrast/framework/rails/patch/assess_configuration.rb +98 -0
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
data/lib/contrast/framework/rails/patch/support.rb +46 -0
data/lib/contrast/framework/rails/railtie.rb +33 -0
data/lib/contrast/framework/rails/support.rb +187 -0
data/lib/contrast/framework/sinatra/support.rb +165 -0
data/lib/contrast/funchook/funchook.rb +45 -0
data/lib/contrast/logger/aliased_logging.rb +101 -0
data/lib/contrast/logger/application.rb +84 -0
data/lib/contrast/logger/cef_log.rb +169 -0
data/lib/contrast/logger/format.rb +61 -0
data/lib/contrast/logger/log.rb +90 -0
data/lib/contrast/logger/request.rb +25 -0
data/lib/contrast/logger/time.rb +57 -0
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +144 -0
data/lib/contrast/utils/assess/event_limit_utils.rb +134 -0
data/lib/contrast/utils/assess/object_store.rb +36 -0
data/lib/contrast/utils/assess/propagation_method_utils.rb +155 -0
data/lib/contrast/utils/assess/property/tagged_utils.rb +165 -0
data/lib/contrast/utils/assess/sampling_util.rb +11 -17
data/lib/contrast/utils/assess/source_method_utils.rb +74 -0
data/lib/contrast/utils/assess/split_utils.rb +23 -0
data/lib/contrast/utils/assess/tracking_util.rb +95 -19
data/lib/contrast/utils/assess/trigger_method_utils.rb +132 -0
data/lib/contrast/utils/class_util.rb +125 -38
data/lib/contrast/utils/duck_utils.rb +54 -43
data/lib/contrast/utils/env_configuration_item.rb +4 -3
data/lib/contrast/utils/findings.rb +66 -0
data/lib/contrast/utils/hash_digest.rb +52 -100
data/lib/contrast/utils/hash_digest_extend.rb +129 -0
data/lib/contrast/utils/head_dump_utils_extend.rb +74 -0
data/lib/contrast/utils/heap_dump_util.rb +44 -88
data/lib/contrast/utils/input_classification_base.rb +155 -0
data/lib/contrast/utils/invalid_configuration_util.rb +36 -50
data/lib/contrast/utils/io_util.rb +47 -51
data/lib/contrast/utils/job_servers_running.rb +47 -0
data/lib/contrast/utils/log_utils.rb +254 -0
data/lib/contrast/utils/lru_cache.rb +48 -0
data/lib/contrast/utils/metrics_hash.rb +59 -0
data/lib/contrast/utils/middleware_utils.rb +89 -0
data/lib/contrast/utils/net_http_base.rb +167 -0
data/lib/contrast/utils/object_share.rb +7 -48
data/lib/contrast/utils/os.rb +14 -24
data/lib/contrast/utils/patching/policy/patch_utils.rb +175 -0
data/lib/contrast/utils/patching/policy/patcher_utils.rb +54 -0
data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +81 -0
data/lib/contrast/utils/request_utils.rb +96 -0
data/lib/contrast/utils/resource_loader.rb +2 -2
data/lib/contrast/utils/response_utils.rb +79 -0
data/lib/contrast/utils/routes_sent.rb +60 -0
data/lib/contrast/utils/sha256_builder.rb +9 -21
data/lib/contrast/utils/stack_trace_utils.rb +68 -184
data/lib/contrast/utils/string_utils.rb +82 -52
data/lib/contrast/utils/tag_util.rb +58 -44
data/lib/contrast/utils/telemetry.rb +103 -0
data/lib/contrast/utils/telemetry_client.rb +107 -0
data/lib/contrast/utils/telemetry_hash.rb +65 -0
data/lib/contrast/utils/telemetry_identifier.rb +153 -0
data/lib/contrast/utils/thread_tracker.rb +27 -23
data/lib/contrast/utils/timer.rb +20 -55
data/lib/contrast-agent.rb +2 -2
data/lib/contrast.rb +105 -43
data/resources/assess/policy.json +523 -137
data/resources/deadzone/policy.json +280 -10
data/resources/inventory/policy.json +2 -2
data/resources/protect/policy.json +30 -17
data/ruby-agent.gemspec +114 -45
data/sonar-project.properties +9 -0
metadata +694 -287
data/exe/contrast_service +0 -29
data/ext/cs__assess_active_record_named/cs__active_record_named.c +0 -47
data/ext/cs__assess_active_record_named/cs__active_record_named.h +0 -10
data/ext/cs__assess_active_record_named/extconf.rb +0 -2
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
data/ext/cs__assess_regexp_track/extconf.rb +0 -2
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +0 -31
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +0 -13
data/ext/cs__assess_string_interpolation26/extconf.rb +0 -2
data/ext/cs__protect_kernel/cs__protect_kernel.c +0 -37
data/ext/cs__protect_kernel/cs__protect_kernel.h +0 -11
data/ext/cs__protect_kernel/extconf.rb +0 -2
data/funchook/Makefile +0 -29
data/funchook/autom4te.cache/output.0 +0 -4976
data/funchook/autom4te.cache/requests +0 -78
data/funchook/autom4te.cache/traces.0 +0 -364
data/funchook/config.log +0 -490
data/funchook/config.status +0 -1016
data/funchook/configure +0 -4976
data/funchook/src/Makefile +0 -70
data/funchook/src/config.h +0 -101
data/funchook/src/config.h.in +0 -100
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.so +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +0 -43
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.o +0 -0
data/lib/contrast/agent/assess/adjusted_span.rb +0 -25
data/lib/contrast/agent/assess/class_reverter.rb +0 -82
data/lib/contrast/agent/assess/contrast_event.rb +0 -398
data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
data/lib/contrast/agent/assess/insulator.rb +0 -53
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +0 -79
data/lib/contrast/agent/assess/rule/base.rb +0 -72
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -69
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
data/lib/contrast/agent/assess/rule/redos.rb +0 -68
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/class_reopener.rb +0 -195
data/lib/contrast/agent/feature_state.rb +0 -379
data/lib/contrast/agent/logger_manager.rb +0 -116
data/lib/contrast/agent/patching/policy/policy_unpatcher.rb +0 -28
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
data/lib/contrast/agent/railtie.rb +0 -30
data/lib/contrast/agent/reaction_processor.rb +0 -47
data/lib/contrast/agent/require_state.rb +0 -61
data/lib/contrast/agent/rewriter.rb +0 -244
data/lib/contrast/agent/service_heartbeat.rb +0 -37
data/lib/contrast/agent/settings_state.rb +0 -148
data/lib/contrast/agent/socket_client.rb +0 -125
data/lib/contrast/api/connection_status.rb +0 -49
data/lib/contrast/api/dtm_pb.rb +0 -718
data/lib/contrast/api/settings_pb.rb +0 -416
data/lib/contrast/api/socket.rb +0 -43
data/lib/contrast/api/speedracer.rb +0 -206
data/lib/contrast/api/tcp_socket.rb +0 -31
data/lib/contrast/api/unix_socket.rb +0 -25
data/lib/contrast/api.rb +0 -17
data/lib/contrast/common_agent_configuration.rb +0 -86
data/lib/contrast/components/contrast_service.rb +0 -113
data/lib/contrast/components/interface.rb +0 -178
data/lib/contrast/config/agent_configuration.rb +0 -24
data/lib/contrast/config/application_configuration.rb +0 -27
data/lib/contrast/config/assess_configuration.rb +0 -22
data/lib/contrast/config/assess_rules_configuration.rb +0 -18
data/lib/contrast/config/default_value.rb +0 -16
data/lib/contrast/config/heap_dump_configuration.rb +0 -23
data/lib/contrast/config/inventory_configuration.rb +0 -20
data/lib/contrast/config/logger_configuration.rb +0 -20
data/lib/contrast/config/protect_configuration.rb +0 -20
data/lib/contrast/config/root_configuration.rb +0 -26
data/lib/contrast/config/ruby_configuration.rb +0 -39
data/lib/contrast/config/sampling_configuration.rb +0 -22
data/lib/contrast/config/service_configuration.rb +0 -22
data/lib/contrast/core_extensions/assess/array.rb +0 -58
data/lib/contrast/core_extensions/assess/assess_extension.rb +0 -145
data/lib/contrast/core_extensions/assess/basic_object.rb +0 -15
data/lib/contrast/core_extensions/assess/erb.rb +0 -42
data/lib/contrast/core_extensions/assess/fiber.rb +0 -125
data/lib/contrast/core_extensions/assess/hash.rb +0 -22
data/lib/contrast/core_extensions/assess/kernel.rb +0 -95
data/lib/contrast/core_extensions/assess/module.rb +0 -14
data/lib/contrast/core_extensions/assess/regexp.rb +0 -206
data/lib/contrast/core_extensions/assess/string.rb +0 -75
data/lib/contrast/core_extensions/assess/tilt_template_trigger.rb +0 -73
data/lib/contrast/core_extensions/assess.rb +0 -51
data/lib/contrast/core_extensions/eval_trigger.rb +0 -52
data/lib/contrast/core_extensions/inventory/datastores.rb +0 -37
data/lib/contrast/core_extensions/inventory.rb +0 -22
data/lib/contrast/core_extensions/module.rb +0 -42
data/lib/contrast/core_extensions/object.rb +0 -27
data/lib/contrast/core_extensions/protect/applies_command_injection_rule.rb +0 -70
data/lib/contrast/core_extensions/protect/applies_deserialization_rule.rb +0 -58
data/lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb +0 -81
data/lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb +0 -119
data/lib/contrast/core_extensions/protect/applies_sqli_rule.rb +0 -63
data/lib/contrast/core_extensions/protect/applies_xxe_rule.rb +0 -141
data/lib/contrast/core_extensions/protect/kernel.rb +0 -30
data/lib/contrast/core_extensions/protect/psych.rb +0 -7
data/lib/contrast/core_extensions/thread.rb +0 -31
data/lib/contrast/internal_exception.rb +0 -8
data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb +0 -48
data/lib/contrast/rails_extensions/assess/active_record.rb +0 -32
data/lib/contrast/rails_extensions/assess/active_record_named.rb +0 -61
data/lib/contrast/rails_extensions/assess/configuration.rb +0 -26
data/lib/contrast/rails_extensions/buffer.rb +0 -30
data/lib/contrast/rails_extensions/rack.rb +0 -45
data/lib/contrast/sinatra_extensions/assess/cookie.rb +0 -26
data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb +0 -59
data/lib/contrast/tasks/service.rb +0 -95
data/lib/contrast/utils/boolean_util.rb +0 -33
data/lib/contrast/utils/cache.rb +0 -69
data/lib/contrast/utils/comment_range.rb +0 -19
data/lib/contrast/utils/data_store_util.rb +0 -23
data/lib/contrast/utils/environment_util.rb +0 -152
data/lib/contrast/utils/freeze_util.rb +0 -36
data/lib/contrast/utils/gemfile_reader.rb +0 -191
data/lib/contrast/utils/inventory_util.rb +0 -126
data/lib/contrast/utils/operating_environment.rb +0 -38
data/lib/contrast/utils/path_util.rb +0 -151
data/lib/contrast/utils/performs_logging.rb +0 -152
data/lib/contrast/utils/preflight_util.rb +0 -13
data/lib/contrast/utils/prevent_serialization.rb +0 -52
data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
data/lib/contrast/utils/random_util.rb +0 -22
data/lib/contrast/utils/ruby_ast_rewriter.rb +0 -74
data/lib/contrast/utils/scope_util.rb +0 -99
data/lib/contrast/utils/service_response_util.rb +0 -116
data/lib/contrast/utils/service_sender_util.rb +0 -98
data/lib/contrast/utils/sinatra_helper.rb +0 -49
data/resources/csrf/inject.js +0 -44
data/resources/factory-bot-spec/spec_helper.rb +0 -30
data/resources/rubocops/kernel/catch_cop.rb +0 -37
data/resources/rubocops/kernel/require_cop.rb +0 -37
data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
data/resources/rubocops/module/autoload_cop.rb +0 -37
data/resources/rubocops/module/const_defined_cop.rb +0 -37
data/resources/rubocops/module/const_get_cop.rb +0 -37
data/resources/rubocops/module/const_set_cop.rb +0 -37
data/resources/rubocops/module/constants_cop.rb +0 -37
data/resources/rubocops/module/name_cop.rb +0 -37
data/resources/rubocops/object/class_cop.rb +0 -37
data/resources/rubocops/object/freeze_cop.rb +0 -37
data/resources/rubocops/object/frozen_cop.rb +0 -37
data/resources/rubocops/object/is_a_cop.rb +0 -37
data/resources/rubocops/object/method_cop.rb +0 -37
data/resources/rubocops/object/respond_to_cop.rb +0 -37
data/resources/rubocops/object/singleton_class_cop.rb +0 -37
data/resources/rubocops/regexp/spelling_cop.rb +0 -44
data/resources/rubocops/thread/new_cop.rb +0 -39
data/resources/ruby-spec/ancestors_spec.rb +0 -70
data/resources/ruby-spec/modulo_spec.rb +0 -831
data/resources/ruby-spec/parameters_spec.rb +0 -261
data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +0 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/shared_libraries/funchook.h +0 -123
data/shared_libraries/libfunchook.so +0 -0

data/lib/contrast/agent/assess/policy/trigger_node.rb CHANGED Viewed

@@ -1,6 +1,11 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+require 'contrast/agent/assess/policy/trigger/reflected_xss'
+require 'contrast/agent/assess/policy/trigger/xpath'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
+require 'contrast/components/logger'
 module Contrast
   module Agent
     module Assess
@@ -10,18 +15,37 @@ module Contrast
         # specifically for those methods which result in the trigger of a
         # vulnerability (indicate points in the application where uncontrolled
         # user input can do damage).
-        class TriggerNode < PolicyNode
+        class TriggerNode < PolicyNode # rubocop:disable Metrics/ClassLength
+          include Contrast::Components::Logger::InstanceMethods
           JSON_BAD_VALUE = 'bad_value'
           JSON_GOOD_VALUE = 'good_value'
           JSON_DISALLOWED_TAGS = 'disallowed_tags'
           JSON_REQUIRED_TAGS = 'required_tags'
-          JSON_NODES = 'nodes'
           JSON_RULE_NAME = 'name'
           JSON_CUSTOM_PATCH = 'custom_patch'
-          attr_reader :rule_id
-          attr_accessor :required_tags, :disallowed_tags, :good_value, :bad_value
+          # Our list with rules to be collected and reported back when we have response
+          # from the application. Some rules rely on Content-Type validation.
+          COLLECTABLE_RULES = %w[reflected-xss].cs__freeze
+          attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
+          ENCODER_START = 'CUSTOM_ENCODED_'
+          # By default, any rule will be triggered if the source
+          # of the rule event has an untrusted tag range that is
+          # not covered by one of its disallowed tags.
+          UNTRUSTED = 'UNTRUSTED'
+          TRIGGER = 'Trigger'
+          VALIDATOR_START = 'CUSTOM_VALIDATED_'
+          # If a level 1 rule comes from TeamServer, it will have the
+          # tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
+          # All rules should take this into account.
+          # Additionally, if something is marked 'limited-chars' it means
+          # it has been properly vetted to not contain dangerous input.
+          LIMITED_CHARS = 'LIMITED_CHARS'
+          CUSTOM_ENCODED = 'CUSTOM_ENCODED'
+          CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
             good_value = trigger_hash[JSON_GOOD_VALUE]
@@ -38,15 +62,17 @@ module Contrast
             @trigger_method = trigger_hash['trigger_method']
             @trigger_method = @trigger_method.to_sym if @trigger_method
             validate
+          rescue ArgumentError => e
+            logger.error('Trigger Node initialization failed with: ', e)
+            nil
           end
-          TRIGGER = 'Trigger'
           def node_class
             TRIGGER
           end
-          def apply_custom_trigger context, trigger_node, source, object, ret, invoked, *args
-            custom_trigger_class.send(@trigger_method, context, trigger_node, source, object, ret, invoked, *args)
+          def apply_custom_trigger trigger_node, source, object, ret, *args
+            custom_trigger_class.send(@trigger_method, trigger_node, source, object, ret, *args)
           end
           def custom_trigger_class
@@ -65,8 +91,12 @@ module Contrast
             :TYPE_METHOD
           end
+          def collectable?
+            COLLECTABLE_RULES.include?(rule_id)
+          end
           def rule_disabled?
-            Contrast::Agent::FeatureState.instance.assess_disabled_rules.include?(rule_id)
+            ::Contrast::ASSESS.rule_disabled?(rule_id)
           end
           # Indicate if this is a dataflow based trigger, meaning it has a proper
@@ -98,16 +128,17 @@ module Contrast
             # if the source isn't tracked, there can't be a violation
             # this condition may not hold true forever, but for now it's
             # a nice optimization
-            return false unless source.cs__tracked?
+            return false unless Contrast::Agent::Assess::Tracker.tracked?(source)
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = find_ranges_by_tag(source.cs__properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
             # find the ranges that are exempt from the rule
             # (validated, sanitized, etc)
-            secure_ranges = find_ranges_by_tag(source.cs__properties, disallowed_tags)
+            secure_ranges = ranges_with_any_tag(properties, disallowed_tags)
             # if there are vulnerable ranges and no secure, report
             return true if secure_ranges.empty?
@@ -118,6 +149,7 @@ module Contrast
           # Standard validation + TS trace version two rules:
           # Must have source
+          # @raise[ArgumentError] raises if any of the required fields is invalid or missing
           def validate
             super
             # If this isn't a dataflow rule, it can't have a source
@@ -127,70 +159,161 @@ module Contrast
           private
-          # By default, any rule will be triggered if the source
-          # of the rule event has an untrusted tag range that is
-          # not covered by one of its disallowed tags.
-          UNTRUSTED = 'UNTRUSTED'
           def populate_tags required_tags
             return unless dataflow?
             validate_rule_tags(required_tags)
-            @required_tags = required_tags || []
+            @required_tags = Set.new(required_tags)
             @required_tags << UNTRUSTED
           end
-          ENCODER_START = 'CUSTOM_ENCODED_'
-          VALIDATOR_START = 'CUSTOM_VALIDATED_'
-          # If a level 1 rule comes from TeamServer, it will have the
-          # tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
-          # All rules should take this into account.
-          # Additionally, if something is marked 'limited-chars' it means
-          # it has been properly vetted to not contain dangerous input.
-          LIMITED_CHARS = 'LIMITED_CHARS'
-          CUSTOM_ENCODED = 'CUSTOM_ENCODED'
-          CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
           def populate_disallowed disallowed_tags
             return unless dataflow?
             validate_rule_tags(disallowed_tags)
-            @disallowed_tags = disallowed_tags || []
+            @disallowed_tags = Set.new(disallowed_tags)
             @disallowed_tags << LIMITED_CHARS
             @disallowed_tags << CUSTOM_ENCODED
             @disallowed_tags << CUSTOM_VALIDATED
-            @disallowed_tags << ENCODER_START + loud_name
-            @disallowed_tags << VALIDATOR_START + loud_name
+            @disallowed_tags << (ENCODER_START + loud_name)
+            @disallowed_tags << (VALIDATOR_START + loud_name)
           end
-          ENCODED_MARKER = '_ENCODED'
+          # @raise[ArgumentError] raises if any of the tags is invalid
           def validate_rule_tags tags
             return unless tags
             tags.each do |tag|
               raise(ArgumentError, "Rule #{ rule_id } had an invalid tag. #{ tag } is not a known value.") unless
-                  Contrast::Agent::Assess::Policy::PolicyNode::VALID_TAGS.include?(tag) ||
-                      Contrast::Agent::Assess::Policy::PolicyNode::VALID_SOURCE_TAGS.include?(tag)
+                Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_TAGS.include?(tag) ||
+                    Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
             end
           end
-          def find_ranges_by_tag cs__properties, tags
+          # Find the ranges that satisfy all of the given tags.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the
+          #   properties to check for the tags
+          # @param required_tags [Set<String>] the list of tags on which to match
+          # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
+          #   by the given conditions
+          def ranges_with_all_tags properties, required_tags
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
+            chunking = false
             ranges = []
+            # find the start and end range of required tags:
+            search_ranges = find_required_ranges(properties, required_tags)
+            start_range = search_ranges.first
+            end_range = search_ranges.last + 1
+            # find all the indicies on the source that have all the given tags
+            while start_range < end_range
+              tags_at = properties.tags_at(start_range).to_a
+              # only those that have all the required tags in the tags_at
+              # satisfy the requirement
+              satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
+              # if this range matches all the required tags and we're already
+              # chunking, meaning the previous range matched, do nothing
+              # if we are satisfied and we were not chunking, this represents
+              # the start of the next range, so create a new entry.
+              if satisfied
+                if chunking
+                  start_range += 1
+                  next
+                end
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, start_range)
+                chunking = true
+                # if we are chunking and not satisfied, this represents the end
+                # of the range, meaning the last index is what satisfied the
+                # range. Because the range is exclusive end, we can just use this
+                # index.
+              elsif chunking
+                ranges[-1]&.update_end(start_range)
+                chunking = false
+              end
+              start_range += 1
+            end
+            ranges
+          end
+          # Find the ranges that satisfy any of the given tags.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the
+          #   properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
+          #   by the given conditions
+          def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return ranges unless cs__properties.tracked?
-            return ranges unless tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless search_tags?(properties, tags)
-            # find all tags that match the desired ones
+            ranges = []
             tags.each do |desired|
-              found = cs__properties.fetch_tag(desired)
+              found = properties.fetch_tag(desired)
               next unless found
               # we need to dup here so that we don't change the tags if target is
               # used in another trace
               ranges = Contrast::Utils::TagUtil.ordered_merge(ranges, found.dup)
             end
             ranges
           end
+          # We should only try to match tags on properties if those properties have any tags (are tracked) and there
+          # are tags to try and match on. Some rules, like regexp rules, have no tags. Some rules, like trigger, have
+          # no properties.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def search_tags? properties, tags
+            return false unless properties.tracked?
+            return false unless tags&.any?
+            true
+          end
+          # Determine if the given properties have instances of all the given tags or not.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def matches_tags? properties, tags
+            return false unless search_tags?(properties, tags)
+            return false unless tags.all? { |tag| properties.tag_keys.include?(tag) }
+            true
+          end
+          # Range finder helper for #ranges_with_all_tags
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param required_tags [Set<String>] the list of tags on which to match
+          # @return [Array] of required tags ranges to search
+          def find_required_ranges properties, required_tags
+            start_range = 0
+            end_range = 0
+            required_tags_arr = required_tags.to_a
+            idx = 0
+            while idx < required_tags_arr.length
+              # find the start and end range of required tags:
+              start_temp = properties.fetch_tag(required_tags_arr[idx])[0].start_idx
+              end_temp = properties.fetch_tag(required_tags_arr[idx])[0].end_idx
+              # first iteration only
+              start_range = start_temp if idx.zero?
+              end_range = end_temp if idx.zero?
+              # find the tag with smallest ranges
+              start_range = start_temp if start_range < start_temp
+              end_range = end_temp if end_range > end_temp
+              idx += 1
+            end
+            [start_range, end_range]
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module TriggerValidation
+          # Validator used to assert a REDOS finding is actually vulnerable
+          # before serializing that finding as a DTM to report to the TeamServer.
+          module REDOSValidator
+            RULE_NAME = 'redos'
+            class << self
+              def valid? _patcher, object, _ret, args
+                # Can arrive here from either:
+                #   regexp =~ string
+                #   string =~ regexp
+                #   regexp.match string
+                #
+                # Thus object/args[0] can be string/regexp or regexp/string.
+                regexp = object.is_a?(Regexp) ? object : args[0]
+                # regexp must be exploitable.
+                return false unless regexp_vulnerable?(regexp)
+                true
+              end
+              protected
+              VULNERABLE_PATTERN = /[\[(].*?[\[(].*?[\])][*+?].*?[\])][*+?]/.cs__freeze
+              # Does the regexp
+              # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
+              def regexp_vulnerable? regexp
+                # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
+                # A level is defined as any set of opening and closing control characters immediately followed by a
+                #   multi match control character.
+                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS, or MULTI_MATCH_CHARS that
+                #   is not immediately preceded by an escaping \ character.
+                # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
+                # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back
+                # (in the sense of `my_str == Regexp.new(my_str).to_s`), it gives you a Regexp that
+                # will have the same functional characteristics as the original.
+                # Regexp#inspect gives you a "more nicely formatted" version than #to_s.
+                # Regexp#source will give you the original source.
+                # Use #match? because it doesn't fill out global variables
+                # in the way match or =~ do.
+                VULNERABLE_PATTERN.match?(regexp.source)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -7,11 +7,10 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a SSRF finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module SSRFValidator
-            SSRF_RULE = 'ssrf'
-            URL_PATTERN =
-              %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze
+            RULE_NAME = 'ssrf'
+            URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength
             # The Net::HTTP class validates host format on instantiation. Since
             # our triggers for that class are on the instance, they already
             # have this validation done for them. We do not need to apply the
@@ -23,7 +22,6 @@ module Contrast
             # querystring
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/server_side_request_forgery.md
             def self.valid? patcher, _object, _ret, args
-              return true unless SSRF_RULE == patcher&.rule_id
               return true if patcher.id.to_s.start_with?(PATH_ONLY_PATCH_MARKER)
               url = args[0].to_s
@@ -32,42 +30,14 @@ module Contrast
               # It is dangerous for the user to control a section of the URL
               # between the start of the protocol and the beginning of the
-              # querystring. If there is no querystring, then the entire URL is
+              # querystring. If there is no path, then the entire URL is
               # dangerous for the User to control.
               start = match.begin(:protocol)
-              finish = match.begin(:query_string)
+              finish = match.begin(:path)
               finish ||= url.length
-              args[0].cs__properties.any_tags_between?(start, finish)
-            end
-            # Some SSRF triggers take multiple parameters to build the URL.
-            # For the net_http_# sources, if the first parameter is a String,
-            # the URL is built by appending the first and second parameters.
-            def self.composite? patcher, args
-              id = patcher.id.to_s
-              return false unless id.start_with?(PATH_ONLY_PATCH_MARKER)
-              args[0].is_a?(String)
-            end
-            def self.build_single_source args
-              return nil unless args[0].cs__respond_to?(:cs__properties)
-              args[0].to_s
-            end
-            def self.build_composite_source args
-              if args.length > 1
-                return nil unless args[0].cs__respond_to?(:cs__properties) ||
-                    args[1].cs__respond_to?(:cs__properties)
-                args[0] + args[1]
-              else
-                return nil unless args[0].cs__respond_to?(:cs__properties)
-                args[0].to_s
-              end
+              properties = Contrast::Agent::Assess::Tracker.properties(args[0])
+              properties&.any_tags_between?(start, finish)
             end
           end
         end

data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb CHANGED Viewed

@@ -1,8 +1,9 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-cs__scoped_require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'
-cs__scoped_require 'contrast/agent/assess/policy/trigger_validation/xss_validator'
+require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'
+require 'contrast/agent/assess/policy/trigger_validation/xss_validator'
+require 'contrast/agent/assess/policy/trigger_validation/redos_validator'
 module Contrast
   module Agent
@@ -15,13 +16,27 @@ module Contrast
         module TriggerValidation
           VALIDATORS = [
             Contrast::Agent::Assess::Policy::TriggerValidation::SSRFValidator,
-            Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator
+            Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator,
+            Contrast::Agent::Assess::Policy::TriggerValidation::REDOSValidator
           ].cs__freeze
+          # Determines if the conditions in which this trigger was called are
+          # valid and should result in the generation of a
+          # Contrast::Api::Dtm::Finding.
+          #
+          # @param patcher [Contrast::Agent::Assess::Policy::TriggerNode] the
+          #   Node which applies to the Trigger Method
+          # @param object [Object] the Object on which the Trigger Method was
+          #   invoked
+          # @param ret [Object] the return of the Trigger Method
+          # @param args [Array<Object>] the Arguments with which the Trigger
+          #   Method was invoked
+          # @return [Boolean] if the conditions are valid for the generation of
+          #   a Contrast::Api::Dtm::Finding
           def self.valid? patcher, object, ret, args
-            VALIDATORS.each do |validator|
-              return false unless validator.valid?(patcher, object, ret, args)
-            end
+            specific_validator = VALIDATORS.find { |validator| validator::RULE_NAME == patcher&.rule_id }
+            return specific_validator.valid?(patcher, object, ret, args) if specific_validator
             true
           end
         end

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -8,26 +8,17 @@ module Contrast
         module TriggerValidation
           # Validator used to assert a Reflected XSS finding is actually
           # vulnerable before serializing that finding as a DTM to report to
-          # the service.
+          # the TeamServer.
           module XSSValidator
-            XSS_RULE = 'reflected-xss'
-            SAFE_CONTENT_TYPES = %w[
-              /csv
-              /javascript
-              /json
-              /pdf
-              /x-javascript
-              /x-json
-            ].cs__freeze
+            RULE_NAME = 'reflected-xss'
+            SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze
             # A finding is valid for XSS if the response type is not one of
             # those assumed to be safe
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
-            def self.valid? patcher, _object, _ret, _args
-              return true unless XSS_RULE == patcher&.rule_id
+            def self.valid? _patcher, _object, _ret, _args
               content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
-              return true unless content_type
+              return false unless content_type
               content_type = content_type.downcase
               SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }