RubyGems - contrast-agent - Versions diffs - 3.9.1 → 3.12.0 - Mend

contrast-agent 3.9.1 → 3.12.0

Files changed (319) hide show

checksums.yaml +4 -4
data/.flayignore +1 -0
data/.simplecov +5 -2
data/ext/build_funchook.rb +12 -7
data/ext/cs__assess_active_record_named/cs__active_record_named.c +12 -14
data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
data/ext/cs__assess_active_record_named/extconf.rb +3 -0
data/ext/cs__assess_array/cs__assess_array.c +5 -6
data/ext/cs__assess_array/cs__assess_array.h +1 -0
data/ext/cs__assess_array/extconf.rb +3 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +13 -11
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
data/ext/cs__assess_basic_object/extconf.rb +3 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
data/ext/cs__assess_fiber_track/extconf.rb +3 -0
data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
data/ext/cs__assess_hash/extconf.rb +3 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +11 -9
data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
data/ext/cs__assess_kernel/extconf.rb +3 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
data/ext/cs__assess_marshal_module/extconf.rb +3 -0
data/ext/cs__assess_module/cs__assess_module.c +16 -14
data/ext/cs__assess_module/cs__assess_module.h +3 -0
data/ext/cs__assess_module/extconf.rb +3 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
data/ext/cs__assess_regexp/extconf.rb +3 -0
data/ext/cs__assess_string/cs__assess_string.c +5 -8
data/ext/cs__assess_string/cs__assess_string.h +2 -1
data/ext/cs__assess_string/extconf.rb +3 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
data/ext/cs__assess_yield_track/extconf.rb +3 -0
data/ext/cs__common/cs__common.c +80 -1
data/ext/cs__common/cs__common.h +34 -0
data/ext/cs__common/extconf.rb +9 -8
data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
data/ext/cs__contrast_patch/extconf.rb +3 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +23 -12
data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
data/ext/cs__protect_kernel/extconf.rb +3 -0
data/ext/extconf_common.rb +10 -8
data/funchook/autom4te.cache/requests +48 -48
data/funchook/config.log +4 -4
data/lib/contrast.rb +1 -1
data/lib/contrast/agent.rb +32 -29
data/lib/contrast/agent/assess.rb +1 -11
data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
data/lib/contrast/agent/assess/contrast_event.rb +20 -68
data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
data/lib/contrast/agent/assess/events/source_event.rb +83 -0
data/lib/contrast/agent/assess/insulator.rb +0 -4
data/lib/contrast/agent/assess/policy/patcher.rb +6 -2
data/lib/contrast/agent/assess/policy/policy_node.rb +1 -8
data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -2
data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
data/lib/contrast/agent/assess/policy/propagation_method.rb +68 -33
data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +40 -27
data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +30 -45
data/lib/contrast/agent/assess/policy/trigger_node.rb +7 -7
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
data/lib/contrast/agent/assess/properties.rb +5 -3
data/lib/contrast/agent/assess/rule/base.rb +1 -20
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +23 -6
data/lib/contrast/agent/assess/rule/redos.rb +4 -5
data/lib/contrast/agent/assess/tag.rb +24 -14
data/lib/contrast/agent/at_exit_hook.rb +16 -13
data/lib/contrast/agent/class_reopener.rb +24 -10
data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
data/lib/contrast/agent/disable_reaction.rb +3 -4
data/lib/contrast/agent/exclusion_matcher.rb +7 -48
data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/middleware.rb +101 -260
data/lib/contrast/agent/module_data.rb +2 -1
data/lib/contrast/agent/patching/policy/after_load_patch.rb +13 -3
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +59 -47
data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
data/lib/contrast/agent/patching/policy/patch.rb +97 -23
data/lib/contrast/agent/patching/policy/patcher.rb +28 -30
data/lib/contrast/agent/patching/policy/policy.rb +7 -7
data/lib/contrast/agent/patching/policy/policy_node.rb +3 -11
data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -5
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
data/lib/contrast/agent/protect/policy/policy.rb +6 -6
data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
data/lib/contrast/agent/protect/rule.rb +0 -5
data/lib/contrast/agent/protect/rule/base.rb +19 -37
data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
data/lib/contrast/agent/protect/rule/cmd_injection.rb +12 -15
data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
data/lib/contrast/agent/protect/rule/sqli.rb +5 -4
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
data/lib/contrast/agent/protect/rule/xss.rb +2 -0
data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
data/lib/contrast/agent/railtie.rb +3 -8
data/lib/contrast/agent/reaction_processor.rb +5 -5
data/lib/contrast/agent/request.rb +11 -18
data/lib/contrast/agent/request_context.rb +16 -19
data/lib/contrast/agent/request_handler.rb +35 -0
data/lib/contrast/agent/response.rb +39 -86
data/lib/contrast/agent/rewriter.rb +25 -11
data/lib/contrast/agent/rule_set.rb +49 -0
data/lib/contrast/agent/scope.rb +4 -12
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/socket_client.rb +25 -19
data/lib/contrast/agent/static_analysis.rb +41 -0
data/lib/contrast/agent/thread.rb +1 -1
data/lib/contrast/agent/tracepoint_hook.rb +1 -5
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/decorators.rb +14 -0
data/lib/contrast/api/decorators/application_settings.rb +37 -0
data/lib/contrast/api/decorators/application_update.rb +66 -0
data/lib/contrast/api/decorators/input_analysis.rb +17 -0
data/lib/contrast/api/decorators/server_features.rb +24 -0
data/lib/contrast/api/speedracer.rb +32 -30
data/lib/contrast/api/tcp_socket.rb +0 -2
data/lib/contrast/components/agent.rb +34 -24
data/lib/contrast/components/app_context.rb +45 -38
data/lib/contrast/components/assess.rb +25 -15
data/lib/contrast/components/config.rb +7 -5
data/lib/contrast/components/contrast_service.rb +23 -71
data/lib/contrast/components/heap_dump.rb +12 -8
data/lib/contrast/components/interface.rb +15 -22
data/lib/contrast/components/inventory.rb +5 -1
data/lib/contrast/components/logger.rb +3 -68
data/lib/contrast/components/protect.rb +40 -4
data/lib/contrast/components/sampling.rb +22 -11
data/lib/contrast/components/scope.rb +2 -52
data/lib/contrast/components/settings.rb +42 -23
data/lib/contrast/config/base_configuration.rb +1 -0
data/lib/contrast/config/default_value.rb +1 -0
data/lib/contrast/config/protect_rule_configuration.rb +0 -14
data/lib/contrast/config/protect_rules_configuration.rb +0 -1
data/lib/contrast/configuration.rb +3 -5
data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
data/lib/contrast/extension/assess/array.rb +77 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +29 -24
data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -8
data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +7 -9
data/lib/contrast/extension/assess/fiber.rb +113 -0
data/lib/contrast/extension/assess/hash.rb +39 -0
data/lib/contrast/extension/assess/kernel.rb +110 -0
data/lib/contrast/extension/assess/regexp.rb +84 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +18 -10
data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
data/lib/contrast/extension/kernel.rb +54 -0
data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
data/lib/contrast/extension/protect/kernel.rb +44 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
data/lib/contrast/framework/base_support.rb +32 -0
data/lib/contrast/framework/manager.rb +59 -8
data/lib/contrast/framework/platform_version.rb +1 -0
data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
data/lib/contrast/framework/rack/patch/support.rb +24 -0
data/lib/contrast/framework/rack/support.rb +22 -0
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
data/lib/contrast/framework/rails/patch/support.rb +67 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
data/lib/contrast/framework/rails/support.rb +115 -0
data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
data/lib/contrast/framework/sinatra/support.rb +109 -0
data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
data/lib/contrast/logger/application.rb +80 -0
data/lib/contrast/logger/log.rb +142 -0
data/lib/contrast/logger/time.rb +50 -0
data/lib/contrast/tasks/config.rb +54 -0
data/lib/contrast/tasks/service.rb +3 -13
data/lib/contrast/utils/assess/sampling_util.rb +4 -9
data/lib/contrast/utils/assess/tracking_util.rb +7 -1
data/lib/contrast/utils/boolean_util.rb +2 -5
data/lib/contrast/utils/cache.rb +0 -11
data/lib/contrast/utils/class_util.rb +21 -2
data/lib/contrast/utils/gemfile_reader.rb +7 -5
data/lib/contrast/utils/hash_digest.rb +2 -11
data/lib/contrast/utils/heap_dump_util.rb +12 -11
data/lib/contrast/utils/invalid_configuration_util.rb +4 -4
data/lib/contrast/utils/inventory_util.rb +2 -2
data/lib/contrast/utils/io_util.rb +1 -11
data/lib/contrast/utils/job_servers_running.rb +6 -4
data/lib/contrast/utils/object_share.rb +1 -38
data/lib/contrast/utils/os.rb +1 -25
data/lib/contrast/utils/ruby_ast_rewriter.rb +5 -1
data/lib/contrast/utils/service_response_util.rb +36 -60
data/lib/contrast/utils/service_sender_util.rb +84 -23
data/lib/contrast/utils/sinatra_helper.rb +0 -6
data/lib/contrast/utils/stack_trace_utils.rb +86 -182
data/lib/contrast/utils/string_utils.rb +18 -2
data/lib/contrast/utils/tag_util.rb +11 -1
data/lib/contrast/utils/thread_tracker.rb +2 -2
data/lib/contrast/utils/timer.rb +0 -40
data/resources/assess/policy.json +42 -71
data/resources/inventory/policy.json +2 -2
data/resources/protect/policy.json +15 -15
data/ruby-agent.gemspec +12 -5
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +123 -112
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
data/ext/cs__assess_regexp_track/extconf.rb +0 -2
data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
data/lib/contrast/agent/feature_state.rb +0 -379
data/lib/contrast/agent/logger_manager.rb +0 -116
data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
data/lib/contrast/agent/settings_state.rb +0 -152
data/lib/contrast/delegators.rb +0 -9
data/lib/contrast/delegators/application_update.rb +0 -32
data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
data/lib/contrast/extensions/framework/rack/request.rb +0 -24
data/lib/contrast/extensions/framework/rack/response.rb +0 -23
data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
data/lib/contrast/framework/rails_support.rb +0 -88
data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
data/lib/contrast/framework/sinatra_support.rb +0 -94
data/lib/contrast/utils/comment_range.rb +0 -19
data/lib/contrast/utils/data_store_util.rb +0 -23
data/lib/contrast/utils/environment_util.rb +0 -82
data/lib/contrast/utils/performs_logging.rb +0 -152
data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
data/lib/contrast/utils/random_util.rb +0 -22
data/resources/csrf/inject.js +0 -44
data/resources/factory-bot-spec/spec_helper.rb +0 -30
data/resources/rubocops/kernel/catch_cop.rb +0 -37
data/resources/rubocops/kernel/require_cop.rb +0 -37
data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
data/resources/rubocops/module/autoload_cop.rb +0 -37
data/resources/rubocops/module/const_defined_cop.rb +0 -37
data/resources/rubocops/module/const_get_cop.rb +0 -37
data/resources/rubocops/module/const_set_cop.rb +0 -37
data/resources/rubocops/module/constants_cop.rb +0 -37
data/resources/rubocops/module/name_cop.rb +0 -37
data/resources/rubocops/object/class_cop.rb +0 -37
data/resources/rubocops/object/freeze_cop.rb +0 -37
data/resources/rubocops/object/frozen_cop.rb +0 -37
data/resources/rubocops/object/is_a_cop.rb +0 -37
data/resources/rubocops/object/method_cop.rb +0 -37
data/resources/rubocops/object/respond_to_cop.rb +0 -37
data/resources/rubocops/object/singleton_class_cop.rb +0 -37
data/resources/rubocops/regexp/spelling_cop.rb +0 -44
data/resources/rubocops/thread/new_cop.rb +0 -39
data/resources/ruby-spec/ancestors_spec.rb +0 -70
data/resources/ruby-spec/modulo_spec.rb +0 -831
data/resources/ruby-spec/parameters_spec.rb +0 -261
data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35

data/lib/contrast/framework/manager.rb CHANGED

@@ -3,9 +3,9 @@
 cs__scoped_require 'contrast/framework/view_technologies_descriptor'
 cs__scoped_require 'contrast/framework/platform_version'
-cs__scoped_require 'contrast/framework/base_support'
-cs__scoped_require 'contrast/framework/rails_support'
-cs__scoped_require 'contrast/framework/sinatra_support'
+cs__scoped_require 'contrast/framework/rack/support'
+cs__scoped_require 'contrast/framework/rails/support'
+cs__scoped_require 'contrast/framework/sinatra/support'
 cs__scoped_require 'contrast/components/interface'
 cs__scoped_require 'contrast/utils/class_util'
@@ -14,26 +14,51 @@ module Contrast
     # Allows access to framework specific information
     class Manager
       include Contrast::Components::Interface
-      access_component :logging, :analysis
+      access_component :analysis, :logging
       # Order here does matter as the first framework listed will be the first one we pull information from
       # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
       # do not exist
       SUPPORTED_FRAMEWORKS = [
-        Contrast::Framework::RailsSupport,
-        Contrast::Framework::SinatraSupport
+        Contrast::Framework::Rails::Support,
+        Contrast::Framework::Sinatra::Support,
+        Contrast::Framework::Rack::Support
       ].cs__freeze
       def initialize
         @_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
           next unless enable_framework_support?(framework_klass.detection_class)
-          logger.debug("Detected framework #{ framework_klass.detection_class } - enabling support")
+          logger.info('Framework detected. Enabling support.', framework: framework_klass.detection_class)
           framework_klass
         end
         @_frameworks.compact!
       end
+      # Patches that have to be applied as early as possible to catch calls
+      # that happen prior to the first Request, typically those around
+      # configuration.
+      def before_load_patches!
+        @_before_load_patches ||= begin
+                                    SUPPORTED_FRAMEWORKS.each(&:before_load_patches)
+                                    true
+                                  end
+      end
+      # Return all the After Load Patches for all the Frameworks we know, even
+      # if that Framework hasn't been detected.
+      #
+      # @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the
+      #   AfterLoadPatches of each framework
+      def find_after_load_patches
+        patches = Set.new
+        SUPPORTED_FRAMEWORKS.each do |framework|
+          framework_patches = framework.after_load_patches
+          patches.merge(framework_patches) if framework_patches && !framework_patches.empty?
+        end
+        patches
+      end
       def find_applicable_view_technologies
         scan_views_for_all_frameworks
       end
@@ -56,11 +81,37 @@ module Contrast
         first_framework_result :application_name, 'root'
       end
+      def app_root
+        found = first_framework_result :application_root, nil
+        found || ::Rack::Directory.new('').root
+      end
+      # If we have 0 or n > 1 frameworks, we need to use the default rack request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
+      #   and values of this particular Request
+      def retrieve_request env
+        return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
+        ::Rack::Request.new(env)
+      end
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
+      #   and values of this particular Request
+      # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
+      def streaming? env
+        result = false
+        @_frameworks.each do |framework|
+          result = framework.streaming?(env)
+          break if result
+        end
+        result
+      end
       def get_route_dtm request
         result = nil
         @_frameworks.find do |framework_klass|
           # TODO: RUBY-763 Sinatra::Base#call patch adds the Route report
-          next if framework_klass == Contrast::Framework::SinatraSupport
+          next if framework_klass == Contrast::Framework::Sinatra::Support
           result = framework_klass.current_route(request)
         end

data/lib/contrast/framework/platform_version.rb CHANGED

@@ -6,6 +6,7 @@ module Contrast
     # Used to map version strings from frameworks to ApplicationUpdate dtm
     class PlatformVersion
       attr_reader :major, :minor, :patch
       def initialize major, minor, patch
         @major = major || ''
         @minor = minor || ''

data/lib/contrast/framework/rack/patch/session_cookie.rb ADDED

@@ -0,0 +1,126 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  module Framework
+    module Rack
+      module Patch
+        # Our patch into the Rack::Session::Cookie Class, allowing for the
+        # runtime detection of insecure configurations on individual cookies
+        # within the application
+        class SessionCookie
+          include Contrast::Components::Interface
+          access_component :agent, :analysis, :logging, :scope
+          CS__SECURE_RULE_NAME = 'secure-flag-missing'
+          CS__HTTPONLY_NAME = 'rails-http-only-disabled'
+          CS__SESSION_TIMEOUT_NAME = 'session-timeout'
+          SAFE_SESSION_TIMEOUT = (30 * 60 * 60)
+          class << self
+            include Contrast::Utils::InvalidConfigurationUtil
+            def instrument
+              @_instrument ||= begin
+                                 ::Rack::Session::Cookie.class_eval do
+                                   alias_method :cs__patched_initialize, :initialize
+                                   def initialize app, options = {}
+                                     Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
+                                     cs__patched_initialize(app, options)
+                                   end
+                                 end
+                                 true
+                               end
+            end
+            def analyze options
+              return unless AGENT.enabled?
+              return if PROTECT.enabled?
+              apply_session_timeout(options)
+              apply_httponly(options)
+              apply_secure_session(options)
+            end
+            private
+            def vulnerable_setting?(setting_key,
+                                    safe_settings_value,
+                                    options, safe_default: true,
+                                    comparison_type: nil)
+              # In most cases, Rack is pretty nice and the default value is safe
+              return !safe_default unless options&.key?(setting_key)
+              value = options[setting_key]
+              return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
+              value != safe_settings_value
+            end
+            def apply_secure_session options
+              return unless vulnerable_setting?(
+                  :secure,
+                  true,
+                  options,
+                  safe_default: false)
+              with_contrast_scope do
+                cs__report_finding(
+                    CS__SECURE_RULE_NAME,
+                    options,
+                    caller_locations(10, 9)[0])
+              end
+            rescue StandardError => e
+              begin
+                logger.error('Unable to track call to secure session', e)
+              rescue StandardError
+                nil
+              end
+            end
+            def apply_session_timeout options
+              return unless vulnerable_setting?(:expire_after,
+                                                SAFE_SESSION_TIMEOUT,
+                                                options,
+                                                safe_default: false,
+                                                comparison_type: :greater_than)
+              with_contrast_scope do
+                cs__report_finding(
+                    CS__SESSION_TIMEOUT_NAME,
+                    options,
+                    caller_locations(10, 9)[0])
+              end
+            rescue StandardError => e
+              begin
+                logger.error('Unable to track call to set session timeout', e)
+              rescue StandardError
+                nil
+              end
+            end
+            def apply_httponly options
+              return unless vulnerable_setting?(:httponly, true, options)
+              with_contrast_scope do
+                cs__report_finding(
+                    CS__HTTPONLY_NAME,
+                    options,
+                    caller_locations(10, 9)[0])
+              end
+            rescue StandardError => e
+              begin
+                logger.error('Unable to track call to httponly', e)
+              rescue StandardError
+                nil
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/rack/patch/support.rb ADDED

@@ -0,0 +1,24 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/agent/patching/policy/after_load_patch'
+module Contrast
+  module Framework
+    module Rack
+      module Patch
+        # Extension point allowing for the registration of Patches required to
+        # support the Rack framework.
+        module Support
+          # (See BaseSupport#after_load_patches)
+          def after_load_patches
+            Set.new([Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                'Rack::Session::Cookie',
+                'contrast/framework/rack/patch/session_cookie',
+                instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')])
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/rack/support.rb ADDED

@@ -0,0 +1,22 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/framework/base_support'
+cs__scoped_require 'contrast/framework/rack/patch/support'
+module Contrast
+  module Framework
+    module Rack
+      # Used when Rack is present to define framework specific behavior. For
+      # now, the only part of this implemented is the Patch Support.
+      class Support < BaseSupport
+        extend Contrast::Framework::Rack::Patch::Support
+        class << self
+          def detection_class
+            'don\'t let me be detected'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb ADDED

@@ -0,0 +1,43 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/utils/service_sender_util'
+module Contrast
+  module Framework
+    module Rails
+      module Patch
+        # This class acts as our patch into the ActionController::Live::Buffer
+        # class, allowing us to track the close event on streamed responses.
+        class ActionControllerLiveBuffer
+          class << self
+            def send_messages
+              return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
+              [context.server_activity, context.activity, context.observed_route].each do |msg|
+                Contrast::Utils::ServiceSenderUtil.send_event_immediately(msg)
+              end
+            end
+            def instrument
+              @_instrument ||= begin
+                                 ::ActionController::Live::Buffer.class_eval do
+                                   # normally pre->in->post filters are applied however, in a streamed response
+                                   # we can run into a case where it's pre -> in -> post -> more infilters
+                                   # in order to submit anything found during the infilters after the response has
+                                   # been written we need to explicitly send them
+                                   alias_method :cs__close, :close
+                                   def close
+                                     Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages
+                                     cs__close
+                                   end
+                                 end
+                                 true
+                               end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/rails/patch/assess_configuration.rb ADDED

@@ -0,0 +1,103 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/invalid_configuration_util'
+module Contrast
+  module Framework
+    module Rails
+      module Patch
+        # This module is used to analyze rails session storage configuration for assess vulnerabilities
+        module AssessConfiguration
+          include Contrast::Components::Interface
+          access_component :agent, :analysis, :logging, :scope
+          CS__SESSION_TIMEOUT_NAME = 'session-timeout'
+          SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
+          CS__SECURE_RULE_NAME = 'secure-flag-missing'
+          CS__HTTPONLY_RULE_NAME = 'rails-http-only-disabled'
+          class << self
+            include Contrast::Utils::InvalidConfigurationUtil
+            def analyze_session_store *args
+              return unless AGENT.enabled?
+              return if PROTECT.enabled?
+              apply_httponly_disabled(*args)
+              apply_secure_cookie_disabled(*args)
+              apply_session_timeout(*args)
+            end
+            private
+            def vulnerable_setting? setting_key, safe_settings_value, original_args, safe_default: true, comparison_type: nil
+              # In most cases, Rails is pretty nice and the default value is safe
+              return !safe_default unless original_args && original_args.length > 1
+              # If the user overrode some args, but not ours, fall back on the default
+              rails_session_settings = original_args[1]
+              return !safe_default unless rails_session_settings&.key?(setting_key)
+              value = rails_session_settings[setting_key]
+              return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than
+              value != safe_settings_value
+            end
+            def apply_session_timeout *args
+              return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
+              return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
+              rails_session_settings = args[1]
+              with_contrast_scope do
+                cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(5, 4)[0])
+              end
+            rescue StandardError => e
+              begin
+                logger.error('Unable to track call to set session timeout', e)
+              rescue StandardError
+                nil
+              end
+            end
+            def apply_secure_cookie_disabled *args
+              return if ASSESS.rule_disabled? CS__SECURE_RULE_NAME
+              return unless vulnerable_setting?(:secure, true, args)
+              rails_session_settings = args[1]
+              with_contrast_scope do
+                cs__report_finding(CS__SECURE_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
+              end
+            rescue StandardError => e
+              begin
+                logger.error('Unable to track call to disable secure cookies', e)
+              rescue StandardError
+                nil
+              end
+            end
+            def apply_httponly_disabled *args
+              return if ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
+              return unless vulnerable_setting?(:httponly, true, args)
+              rails_session_settings = args[1]
+              with_contrast_scope do
+                cs__report_finding(CS__HTTPONLY_RULE_NAME, rails_session_settings, caller_locations(5, 4)[0])
+              end
+            rescue StandardError => e
+              begin
+                logger.error('Unable to track call to disable httponly in session cookie', e)
+              rescue StandardError
+                nil
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/rails/patch/rails_application_configuration.rb ADDED

@@ -0,0 +1,31 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/framework/rails/patch/assess_configuration'
+module Contrast
+  module Framework
+    module Rails
+      module Patch
+        # Our patch into the Rails::Application::Configuration Class, allowing
+        # for the runtime detection of insecure configurations on individual
+        # ActionDispatch::Session::AbstractStore instances within the
+        # application.
+        class RailsApplicationConfiguration
+          def self.instrument
+            @_instrument ||= begin
+                               ::Rails::Application::Configuration.class_eval do
+                                 alias_method :cs__patched_session_store, :session_store
+                                 def session_store *args
+                                   ret = cs__patched_session_store(*args)
+                                   Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args)
+                                   ret
+                                 end
+                               end
+                               true
+                             end
+          end
+        end
+      end
+    end
+  end
+end