contrast-agent 3.9.1 → 3.12.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (319) hide show
  1. checksums.yaml +4 -4
  2. data/.flayignore +1 -0
  3. data/.simplecov +5 -2
  4. data/ext/build_funchook.rb +12 -7
  5. data/ext/cs__assess_active_record_named/cs__active_record_named.c +12 -14
  6. data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
  7. data/ext/cs__assess_active_record_named/extconf.rb +3 -0
  8. data/ext/cs__assess_array/cs__assess_array.c +5 -6
  9. data/ext/cs__assess_array/cs__assess_array.h +1 -0
  10. data/ext/cs__assess_array/extconf.rb +3 -0
  11. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +13 -11
  12. data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
  13. data/ext/cs__assess_basic_object/extconf.rb +3 -0
  14. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
  15. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
  16. data/ext/cs__assess_fiber_track/extconf.rb +3 -0
  17. data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
  18. data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
  19. data/ext/cs__assess_hash/extconf.rb +3 -0
  20. data/ext/cs__assess_kernel/cs__assess_kernel.c +11 -9
  21. data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
  22. data/ext/cs__assess_kernel/extconf.rb +3 -0
  23. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
  24. data/ext/cs__assess_marshal_module/extconf.rb +3 -0
  25. data/ext/cs__assess_module/cs__assess_module.c +16 -14
  26. data/ext/cs__assess_module/cs__assess_module.h +3 -0
  27. data/ext/cs__assess_module/extconf.rb +3 -0
  28. data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
  29. data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
  30. data/ext/cs__assess_regexp/extconf.rb +3 -0
  31. data/ext/cs__assess_string/cs__assess_string.c +5 -8
  32. data/ext/cs__assess_string/cs__assess_string.h +2 -1
  33. data/ext/cs__assess_string/extconf.rb +3 -0
  34. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
  35. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
  36. data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
  37. data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
  38. data/ext/cs__assess_yield_track/extconf.rb +3 -0
  39. data/ext/cs__common/cs__common.c +80 -1
  40. data/ext/cs__common/cs__common.h +34 -0
  41. data/ext/cs__common/extconf.rb +9 -8
  42. data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
  43. data/ext/cs__contrast_patch/extconf.rb +3 -0
  44. data/ext/cs__protect_kernel/cs__protect_kernel.c +23 -12
  45. data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
  46. data/ext/cs__protect_kernel/extconf.rb +3 -0
  47. data/ext/extconf_common.rb +10 -8
  48. data/funchook/autom4te.cache/requests +48 -48
  49. data/funchook/config.log +4 -4
  50. data/lib/contrast.rb +1 -1
  51. data/lib/contrast/agent.rb +32 -29
  52. data/lib/contrast/agent/assess.rb +1 -11
  53. data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
  54. data/lib/contrast/agent/assess/contrast_event.rb +20 -68
  55. data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
  56. data/lib/contrast/agent/assess/events/source_event.rb +83 -0
  57. data/lib/contrast/agent/assess/insulator.rb +0 -4
  58. data/lib/contrast/agent/assess/policy/patcher.rb +6 -2
  59. data/lib/contrast/agent/assess/policy/policy_node.rb +1 -8
  60. data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -2
  61. data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
  62. data/lib/contrast/agent/assess/policy/propagation_method.rb +68 -33
  63. data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
  64. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  65. data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
  66. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
  67. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
  68. data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
  69. data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
  70. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
  71. data/lib/contrast/agent/assess/policy/rewriter_patch.rb +40 -27
  72. data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
  73. data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
  74. data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
  75. data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
  76. data/lib/contrast/agent/assess/policy/trigger_method.rb +30 -45
  77. data/lib/contrast/agent/assess/policy/trigger_node.rb +7 -7
  78. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
  79. data/lib/contrast/agent/assess/properties.rb +5 -3
  80. data/lib/contrast/agent/assess/rule/base.rb +1 -20
  81. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +23 -6
  82. data/lib/contrast/agent/assess/rule/redos.rb +4 -5
  83. data/lib/contrast/agent/assess/tag.rb +24 -14
  84. data/lib/contrast/agent/at_exit_hook.rb +16 -13
  85. data/lib/contrast/agent/class_reopener.rb +24 -10
  86. data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
  87. data/lib/contrast/agent/disable_reaction.rb +3 -4
  88. data/lib/contrast/agent/exclusion_matcher.rb +7 -48
  89. data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
  90. data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
  91. data/lib/contrast/agent/middleware.rb +101 -260
  92. data/lib/contrast/agent/module_data.rb +2 -1
  93. data/lib/contrast/agent/patching/policy/after_load_patch.rb +13 -3
  94. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +59 -47
  95. data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
  96. data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
  97. data/lib/contrast/agent/patching/policy/patch.rb +97 -23
  98. data/lib/contrast/agent/patching/policy/patcher.rb +28 -30
  99. data/lib/contrast/agent/patching/policy/policy.rb +7 -7
  100. data/lib/contrast/agent/patching/policy/policy_node.rb +3 -11
  101. data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -5
  102. data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
  103. data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
  104. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
  105. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
  106. data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
  107. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
  108. data/lib/contrast/agent/protect/policy/policy.rb +6 -6
  109. data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
  110. data/lib/contrast/agent/protect/rule.rb +0 -5
  111. data/lib/contrast/agent/protect/rule/base.rb +19 -37
  112. data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
  113. data/lib/contrast/agent/protect/rule/cmd_injection.rb +12 -15
  114. data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
  115. data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
  116. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
  117. data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
  118. data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
  119. data/lib/contrast/agent/protect/rule/sqli.rb +5 -4
  120. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
  121. data/lib/contrast/agent/protect/rule/xss.rb +2 -0
  122. data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
  123. data/lib/contrast/agent/railtie.rb +3 -8
  124. data/lib/contrast/agent/reaction_processor.rb +5 -5
  125. data/lib/contrast/agent/request.rb +11 -18
  126. data/lib/contrast/agent/request_context.rb +16 -19
  127. data/lib/contrast/agent/request_handler.rb +35 -0
  128. data/lib/contrast/agent/response.rb +39 -86
  129. data/lib/contrast/agent/rewriter.rb +25 -11
  130. data/lib/contrast/agent/rule_set.rb +49 -0
  131. data/lib/contrast/agent/scope.rb +4 -12
  132. data/lib/contrast/agent/service_heartbeat.rb +3 -4
  133. data/lib/contrast/agent/socket_client.rb +25 -19
  134. data/lib/contrast/agent/static_analysis.rb +41 -0
  135. data/lib/contrast/agent/thread.rb +1 -1
  136. data/lib/contrast/agent/tracepoint_hook.rb +1 -5
  137. data/lib/contrast/agent/version.rb +1 -1
  138. data/lib/contrast/api.rb +1 -1
  139. data/lib/contrast/api/decorators.rb +14 -0
  140. data/lib/contrast/api/decorators/application_settings.rb +37 -0
  141. data/lib/contrast/api/decorators/application_update.rb +66 -0
  142. data/lib/contrast/api/decorators/input_analysis.rb +17 -0
  143. data/lib/contrast/api/decorators/server_features.rb +24 -0
  144. data/lib/contrast/api/speedracer.rb +32 -30
  145. data/lib/contrast/api/tcp_socket.rb +0 -2
  146. data/lib/contrast/components/agent.rb +34 -24
  147. data/lib/contrast/components/app_context.rb +45 -38
  148. data/lib/contrast/components/assess.rb +25 -15
  149. data/lib/contrast/components/config.rb +7 -5
  150. data/lib/contrast/components/contrast_service.rb +23 -71
  151. data/lib/contrast/components/heap_dump.rb +12 -8
  152. data/lib/contrast/components/interface.rb +15 -22
  153. data/lib/contrast/components/inventory.rb +5 -1
  154. data/lib/contrast/components/logger.rb +3 -68
  155. data/lib/contrast/components/protect.rb +40 -4
  156. data/lib/contrast/components/sampling.rb +22 -11
  157. data/lib/contrast/components/scope.rb +2 -52
  158. data/lib/contrast/components/settings.rb +42 -23
  159. data/lib/contrast/config/base_configuration.rb +1 -0
  160. data/lib/contrast/config/default_value.rb +1 -0
  161. data/lib/contrast/config/protect_rule_configuration.rb +0 -14
  162. data/lib/contrast/config/protect_rules_configuration.rb +0 -1
  163. data/lib/contrast/configuration.rb +3 -5
  164. data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
  165. data/lib/contrast/extension/assess/array.rb +77 -0
  166. data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +29 -24
  167. data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -8
  168. data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
  169. data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +7 -9
  170. data/lib/contrast/extension/assess/fiber.rb +113 -0
  171. data/lib/contrast/extension/assess/hash.rb +39 -0
  172. data/lib/contrast/extension/assess/kernel.rb +110 -0
  173. data/lib/contrast/extension/assess/regexp.rb +84 -0
  174. data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +18 -10
  175. data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
  176. data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
  177. data/lib/contrast/extension/kernel.rb +54 -0
  178. data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
  179. data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
  180. data/lib/contrast/extension/protect/kernel.rb +44 -0
  181. data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
  182. data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
  183. data/lib/contrast/framework/base_support.rb +32 -0
  184. data/lib/contrast/framework/manager.rb +59 -8
  185. data/lib/contrast/framework/platform_version.rb +1 -0
  186. data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
  187. data/lib/contrast/framework/rack/patch/support.rb +24 -0
  188. data/lib/contrast/framework/rack/support.rb +22 -0
  189. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
  190. data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
  191. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
  192. data/lib/contrast/framework/rails/patch/support.rb +67 -0
  193. data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
  194. data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
  195. data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
  196. data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
  197. data/lib/contrast/framework/rails/support.rb +115 -0
  198. data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
  199. data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
  200. data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
  201. data/lib/contrast/framework/sinatra/support.rb +109 -0
  202. data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
  203. data/lib/contrast/logger/application.rb +80 -0
  204. data/lib/contrast/logger/log.rb +142 -0
  205. data/lib/contrast/logger/time.rb +50 -0
  206. data/lib/contrast/tasks/config.rb +54 -0
  207. data/lib/contrast/tasks/service.rb +3 -13
  208. data/lib/contrast/utils/assess/sampling_util.rb +4 -9
  209. data/lib/contrast/utils/assess/tracking_util.rb +7 -1
  210. data/lib/contrast/utils/boolean_util.rb +2 -5
  211. data/lib/contrast/utils/cache.rb +0 -11
  212. data/lib/contrast/utils/class_util.rb +21 -2
  213. data/lib/contrast/utils/gemfile_reader.rb +7 -5
  214. data/lib/contrast/utils/hash_digest.rb +2 -11
  215. data/lib/contrast/utils/heap_dump_util.rb +12 -11
  216. data/lib/contrast/utils/invalid_configuration_util.rb +4 -4
  217. data/lib/contrast/utils/inventory_util.rb +2 -2
  218. data/lib/contrast/utils/io_util.rb +1 -11
  219. data/lib/contrast/utils/job_servers_running.rb +6 -4
  220. data/lib/contrast/utils/object_share.rb +1 -38
  221. data/lib/contrast/utils/os.rb +1 -25
  222. data/lib/contrast/utils/ruby_ast_rewriter.rb +5 -1
  223. data/lib/contrast/utils/service_response_util.rb +36 -60
  224. data/lib/contrast/utils/service_sender_util.rb +84 -23
  225. data/lib/contrast/utils/sinatra_helper.rb +0 -6
  226. data/lib/contrast/utils/stack_trace_utils.rb +86 -182
  227. data/lib/contrast/utils/string_utils.rb +18 -2
  228. data/lib/contrast/utils/tag_util.rb +11 -1
  229. data/lib/contrast/utils/thread_tracker.rb +2 -2
  230. data/lib/contrast/utils/timer.rb +0 -40
  231. data/resources/assess/policy.json +42 -71
  232. data/resources/inventory/policy.json +2 -2
  233. data/resources/protect/policy.json +15 -15
  234. data/ruby-agent.gemspec +12 -5
  235. data/service_executables/VERSION +1 -1
  236. data/service_executables/linux/contrast-service +0 -0
  237. data/service_executables/mac/contrast-service +0 -0
  238. metadata +123 -112
  239. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
  240. data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
  241. data/ext/cs__assess_regexp_track/extconf.rb +0 -2
  242. data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
  243. data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
  244. data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
  245. data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
  246. data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
  247. data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
  248. data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
  249. data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
  250. data/lib/contrast/agent/feature_state.rb +0 -379
  251. data/lib/contrast/agent/logger_manager.rb +0 -116
  252. data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
  253. data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
  254. data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
  255. data/lib/contrast/agent/settings_state.rb +0 -152
  256. data/lib/contrast/delegators.rb +0 -9
  257. data/lib/contrast/delegators/application_update.rb +0 -32
  258. data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
  259. data/lib/contrast/extensions/framework/rack/request.rb +0 -24
  260. data/lib/contrast/extensions/framework/rack/response.rb +0 -23
  261. data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
  262. data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
  263. data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
  264. data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
  265. data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
  266. data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
  267. data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
  268. data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
  269. data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
  270. data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
  271. data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
  272. data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
  273. data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
  274. data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
  275. data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
  276. data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
  277. data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
  278. data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
  279. data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
  280. data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
  281. data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
  282. data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
  283. data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
  284. data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
  285. data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
  286. data/lib/contrast/framework/rails_support.rb +0 -88
  287. data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
  288. data/lib/contrast/framework/sinatra_support.rb +0 -94
  289. data/lib/contrast/utils/comment_range.rb +0 -19
  290. data/lib/contrast/utils/data_store_util.rb +0 -23
  291. data/lib/contrast/utils/environment_util.rb +0 -82
  292. data/lib/contrast/utils/performs_logging.rb +0 -152
  293. data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
  294. data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
  295. data/lib/contrast/utils/random_util.rb +0 -22
  296. data/resources/csrf/inject.js +0 -44
  297. data/resources/factory-bot-spec/spec_helper.rb +0 -30
  298. data/resources/rubocops/kernel/catch_cop.rb +0 -37
  299. data/resources/rubocops/kernel/require_cop.rb +0 -37
  300. data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
  301. data/resources/rubocops/module/autoload_cop.rb +0 -37
  302. data/resources/rubocops/module/const_defined_cop.rb +0 -37
  303. data/resources/rubocops/module/const_get_cop.rb +0 -37
  304. data/resources/rubocops/module/const_set_cop.rb +0 -37
  305. data/resources/rubocops/module/constants_cop.rb +0 -37
  306. data/resources/rubocops/module/name_cop.rb +0 -37
  307. data/resources/rubocops/object/class_cop.rb +0 -37
  308. data/resources/rubocops/object/freeze_cop.rb +0 -37
  309. data/resources/rubocops/object/frozen_cop.rb +0 -37
  310. data/resources/rubocops/object/is_a_cop.rb +0 -37
  311. data/resources/rubocops/object/method_cop.rb +0 -37
  312. data/resources/rubocops/object/respond_to_cop.rb +0 -37
  313. data/resources/rubocops/object/singleton_class_cop.rb +0 -37
  314. data/resources/rubocops/regexp/spelling_cop.rb +0 -44
  315. data/resources/rubocops/thread/new_cop.rb +0 -39
  316. data/resources/ruby-spec/ancestors_spec.rb +0 -70
  317. data/resources/ruby-spec/modulo_spec.rb +0 -831
  318. data/resources/ruby-spec/parameters_spec.rb +0 -261
  319. data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
@@ -1,116 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'logger'
5
-
6
- cs__scoped_require 'contrast/extensions/ruby_core/module'
7
- cs__scoped_require 'contrast/components/interface'
8
-
9
- module Contrast
10
- module Agent
11
- # This class functions to serve as a wrapper around our logging, as we need
12
- # to be able to dynamically update level based on updates to TeamServer.
13
- class LoggerManager
14
- include Contrast::Components::Interface
15
- access_component :app_context, :logging, :config
16
-
17
- DEFAULT_NAME = 'contrast.log'
18
- DEFAULT_LEVEL = ::Logger::INFO
19
- VALID_LEVELS = %w[INFO WARN DEBUG FATAL UNKNOWN ERROR].cs__freeze
20
- STDOUT_STR = 'STDOUT'
21
- STDERR_STR = 'STDERR'
22
-
23
- attr_reader :current,
24
- :previous_path,
25
- :previous_level
26
-
27
- def initialize
28
- update
29
- rescue StandardError => e
30
- Contrast::Agent::FeatureState::Logging::FALLBACK.puts 'Unable to initialize regular logger in LoggerManager.'
31
- Contrast::Agent::FeatureState::Logging::FALLBACK.puts e.backtrace.join(Contrast::Utils::ObjectShare::NEW_LINE)
32
- end
33
-
34
- def update log_file = nil, log_level = nil
35
- config = CONFIG.root.agent.logger
36
-
37
- config_path = config.path&.length.to_i.positive? ? config.path : nil
38
- config_level = config.level&.length&.positive? ? config.level : nil
39
-
40
- # config > settings > default
41
- path = valid_path(config_path || log_file)
42
- level_const = valid_level(config_level || log_level)
43
-
44
- # don't needlessly recreate logger
45
- return if @current && (path == previous_path) && (level_const == previous_level)
46
-
47
- @previous_path = path
48
- @previous_level = level_const
49
-
50
- @current = build(path: path, level_const: level_const)
51
-
52
- @current.debug { 'Initialized new contrast agent logger' }
53
-
54
- self
55
- rescue StandardError => e
56
- Contrast::Agent::FeatureState::Logging::FALLBACK.puts 'Unable to process update to LoggerManager.'
57
- Contrast::Agent::FeatureState::Logging::FALLBACK.puts e.backtrace.join(Contrast::Utils::ObjectShare::NEW_LINE)
58
- end
59
-
60
- private
61
-
62
- def default_progname
63
- 'Contrast Agent'
64
- end
65
-
66
- def build path: STDOUT_STR, progname: default_progname, level_const: DEFAULT_LEVEL
67
- current = case path
68
- when STDOUT_STR, STDERR_STR
69
- ::Logger.new(Object.cs__const_get(path))
70
- else
71
- ::Logger.new(path)
72
- end
73
-
74
- current.progname = progname
75
- current.level = level_const
76
-
77
- current.formatter = proc do |severity_f, datetime_f, progname_f, msg_f|
78
- "#{ datetime_f.strftime('%Y-%m-%d %H:%M:%S,%L') } [#{ progname_f }] #{ severity_f } - #{ msg_f }\n"
79
- end
80
-
81
- current
82
- end
83
-
84
- def valid_path path
85
- path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
86
- return path if path == STDOUT_STR
87
- return path if path == STDERR_STR
88
-
89
- path = DEFAULT_NAME if path.empty?
90
- if Contrast::Utils::IOUtil.write_permission?(path)
91
- path
92
- else
93
- if File.directory?(path)
94
- Contrast::Agent::FeatureState::Logging::FALLBACK.puts "Unable to create log in directory: #{ path }. \n Writing to standard out instead"
95
- else
96
- Contrast::Agent::FeatureState::Logging::FALLBACK.puts "Unable to write to log file: #{ path } \n Writing to standard out instead"
97
- end
98
-
99
- STDOUT_STR
100
- end
101
- end
102
-
103
- def valid_level level
104
- level = level.nil? ? DEFAULT_LEVEL : level
105
- level = 'DEBUG' if level == 'TRACE'
106
- if VALID_LEVELS.include?(level)
107
- Object.cs__const_get("::Logger::#{ level }")
108
- else
109
- DEFAULT_LEVEL
110
- end
111
- rescue StandardError
112
- DEFAULT_LEVEL
113
- end
114
- end
115
- end
116
- end
@@ -1,118 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'rack'
5
- cs__scoped_require 'contrast/utils/object_share'
6
- cs__scoped_require 'contrast/agent/request'
7
- cs__scoped_require 'contrast/agent/response'
8
- cs__scoped_require 'contrast/utils/stack_trace_utils'
9
- cs__scoped_require 'contrast/utils/timer'
10
-
11
- module Contrast
12
- module Agent
13
- module Protect
14
- module Rule
15
- # The Ruby implementation of the Protect Cross-Site Request Forgery
16
- # rule.
17
- class Csrf < Contrast::Agent::Protect::Rule::Base
18
- NAME = 'csrf'
19
-
20
- def name
21
- NAME
22
- end
23
-
24
- def stream_safe?
25
- false
26
- end
27
-
28
- def request_evaluator
29
- @_request_evaluator ||= Contrast::Agent::Protect::Rule::Csrf::CsrfEvaluator.new
30
- end
31
-
32
- def token_injector
33
- @_token_injector ||= Contrast::Agent::Protect::Rule::Csrf::CsrfTokenInjector.new
34
- end
35
-
36
- BLOCK_MESSAGE = 'CSRF rule triggered. Request blocked.'
37
-
38
- def prefilter context
39
- return unless enabled? && mode != :NO_ACTION
40
-
41
- request = context.request
42
- return if request_evaluator.can_ignore_check?(request)
43
-
44
- parameters = request.parameters
45
- return unless parameters&.any?
46
-
47
- tokens = parameters[token_injector.token_name]
48
- expected_token = token_injector.get_expected_token(context)
49
- return if valid_token?(expected_token, tokens)
50
-
51
- # unexpected token is interpreted as an attack with a match
52
- ia_result = Contrast::Api::Settings::InputAnalysisResult.new
53
- ia_result.input_type = :BODY
54
- ia_result.value = build_attack_string(context.request)
55
-
56
- result = build_attack_with_match(
57
- context,
58
- ia_result,
59
- nil,
60
- expected_token,
61
- details: build_details(expected_token, tokens))
62
-
63
- append_to_activity(context, result)
64
-
65
- raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
66
- end
67
-
68
- def valid_token? expected, actual_tokens
69
- actual_tokens&.include?(expected)
70
- end
71
-
72
- def postfilter context
73
- return unless enabled? && POSTFILTER_MODES.include?(mode)
74
-
75
- token_injector.do_injection(context)
76
- end
77
-
78
- def build_sample context, evaluation, _url, **kwargs
79
- sample = build_base_sample(context, evaluation)
80
- sample.csrf = kwargs[:details]
81
- sample
82
- end
83
-
84
- # Build a subclass of the RaspRuleSample using the query string and the
85
- # evaluation
86
- def build_details expected, actual_tokens
87
- details = Contrast::Api::Dtm::CsrfDetails.new
88
- details.name = Contrast::Utils::StringUtils.protobuf_safe_string(token_injector.token_name)
89
- details.expected = Contrast::Utils::StringUtils.protobuf_safe_string(expected)
90
- presented = build_presented_token(actual_tokens)
91
- details.presented = Contrast::Utils::StringUtils.protobuf_safe_string(presented)
92
- details
93
- end
94
-
95
- def build_presented_token actual_tokens
96
- return Contrast::Utils::ObjectShare::EMPTY_STRING unless actual_tokens&.any?
97
-
98
- actual_tokens.first
99
- end
100
-
101
- # Convert the request parameters into an attack string
102
- def build_attack_string request
103
- arr = []
104
- request.dtm.normalized_request_params.each_with_index do |(name, value), index|
105
- arr << Contrast::Utils::ObjectShare::AND unless index.zero?
106
- arr += [name.to_s, Contrast::Utils::ObjectShare::EQUALS, value.values.to_s]
107
- end
108
- if arr.empty?
109
- request.query_string
110
- else
111
- arr.join
112
- end
113
- end
114
- end
115
- end
116
- end
117
- end
118
- end
@@ -1,103 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'contrast/utils/object_share'
5
- cs__scoped_require 'contrast/components/interface'
6
- cs__scoped_require 'uri'
7
-
8
- # This class is used by the CSRF rule to determine if the given Request is
9
- # susceptible to CSRF / if the rule applies to it.
10
- class Contrast::Agent::Protect::Rule::Csrf::CsrfEvaluator # rubocop:disable Style/ClassAndModuleChildren
11
- include Contrast::Components::Interface
12
- access_component :logging
13
-
14
- def can_ignore_check? request
15
- if !form_submittable_method?(request)
16
- logger.debug("Ignoring method #{ request.request_method } for URI #{ request.uri }")
17
- true
18
- elsif ajax_request?(request)
19
- logger.debug("Ignoring Ajax request for URI #{ request.uri }")
20
- true
21
- elsif empty_post?(request)
22
- logger.debug("Ignoring empty POST request for URI #{ request.uri }")
23
- true
24
- elsif !form_content_type?(request)
25
- logger.debug("Ignoring POST request with Content-Type #{ request.content_type } for URI #{ request.uri }")
26
- true
27
- elsif request.static_request?
28
- logger.debug("Ignoring static request for URI #{ request.uri }")
29
- true
30
- elsif origin_is_referer?(request)
31
- logger.debug("Ignoring equivalent origin-referer for URI #{ request.uri }")
32
- true
33
- elsif login_page?(request)
34
- logger.debug("Ignoring possible login page for URI #{ request.uri }")
35
- true
36
- else
37
- false
38
- end
39
- rescue StandardError => e
40
- logger.warn(e, 'Unable to determine if CSRF can be ignored')
41
- end
42
-
43
- POST_METHOD = 'POST'
44
- def form_submittable_method? request
45
- POST_METHOD == request.request_method
46
- end
47
-
48
- REQUESTED_WITH = 'X-REQUESTED-WITH'
49
- def ajax_request? request
50
- requested_with = request.header_value(REQUESTED_WITH)
51
- !requested_with.nil? && !requested_with.empty?
52
- end
53
-
54
- USER_AGENT = 'USER-AGENT'
55
- def empty_user_agent? request
56
- agent = request.header_value(USER_AGENT)
57
- agent.nil? || agent.empty?
58
- end
59
-
60
- def empty_post? request
61
- request.request_body_str.empty? && (request.query_string.nil? || request.query_string.empty?)
62
- end
63
-
64
- FORM_CONTENT_TYPES = %w[text/plain multipart/form-data application/x-www-form-urlencoded].cs__freeze
65
-
66
- def form_content_type? request
67
- content_type = request.content_type
68
- return true if content_type.nil? || content_type.empty?
69
-
70
- content_type.start_with?(*FORM_CONTENT_TYPES)
71
- end
72
-
73
- ORIGIN = 'ORIGIN'
74
- REFERER = 'REFERER'
75
- def origin_is_referer? request
76
- origin = request.header_value(ORIGIN)
77
- referer = request.header_value(REFERER)
78
- return false unless origin && referer
79
- return false if origin.empty? || referer.empty?
80
-
81
- origin = trim_origin(origin)
82
- referer = URI(referer).host
83
- origin == referer
84
- end
85
-
86
- HTTP = 'http://'
87
- HTTPS = 'https://'
88
- def trim_origin origin_header
89
- origin_header = if origin_header.to_s.start_with?(HTTP, HTTPS)
90
- URI(origin_header).host
91
- else
92
- idx = origin_header.index(Contrast::Utils::ObjectShare::COLON)
93
- idx.nil? ? origin_header : origin_header[0, idx]
94
- end
95
- origin_header
96
- end
97
-
98
- LOGIN_MARKERS = %w[login auth j_security verify validate sessions].cs__freeze
99
- def login_page? request
100
- url = request.url.downcase
101
- LOGIN_MARKERS.any? { |marker| url.index(marker) }
102
- end
103
- end
@@ -1,85 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'contrast/utils/object_share'
5
- cs__scoped_require 'contrast/utils/random_util'
6
-
7
- # This class is used by the CSRF rule to inject the Contrast CSRF token into
8
- # the Response's body, allowing for the detection of CSRF attacks.
9
- class Contrast::Agent::Protect::Rule::Csrf::CsrfTokenInjector # rubocop:disable Style/ClassAndModuleChildren
10
- TKN_NAME = 'cs_csrf_tkn'
11
- def token_name
12
- TKN_NAME
13
- end
14
-
15
- SESSION_TOKEN_PREFIX = '__CONTRAST__'
16
- def token_key
17
- @_token_key ||= SESSION_TOKEN_PREFIX + token_name
18
- end
19
-
20
- def javascript
21
- @_javascript ||= build_javascript
22
- end
23
-
24
- SCRIPT_LOC = File.join('csrf', 'inject.js').cs__freeze
25
- NAME_MARKER = '!TOKEN_NAME!'
26
- VALUE_MARKER = '!TOKEN_VALUE!'
27
- def build_javascript
28
- script = Contrast::Utils::ResourceLoader.load(SCRIPT_LOC)
29
- script&.sub!(NAME_MARKER, TKN_NAME)
30
- script
31
- end
32
-
33
- CSRF_TOKEN_LENGTH = 8
34
- def get_expected_token context
35
- cookies = context.request.request_cookies
36
- token = cookies[token_key]
37
- return token if token
38
- return unless context.response
39
-
40
- build_token(context)
41
- end
42
-
43
- def build_token context
44
- token = Contrast::Utils::RandomUtil.secure_random_string(CSRF_TOKEN_LENGTH)
45
- context&.response&.set_header(token_key, token)
46
- token
47
- end
48
-
49
- CONTENT_TYPE = 'CONTENT-TYPE'
50
-
51
- def wedge_token? response
52
- return true unless response
53
-
54
- content_type = response.header(CONTENT_TYPE)
55
- return true unless content_type
56
-
57
- content_type = content_type.to_s
58
- !content_type.start_with?(*DATA_CONTENT_TYPES)
59
- end
60
-
61
- END_BODY_TAG = %r{</body>}i.cs__freeze
62
- def do_injection context
63
- return unless wedge_token?(context&.response)
64
-
65
- body_string = context&.response&.body
66
- return unless body_string
67
-
68
- index = body_string.index(END_BODY_TAG)
69
- return unless index
70
-
71
- injection = get_expected_token(context)
72
- return unless injection
73
-
74
- injection = javascript.sub(VALUE_MARKER, injection)
75
- body_string.insert(index, injection)
76
- context&.response&.update_body(body_string)
77
- end
78
-
79
- DATA_CONTENT_TYPES = [
80
- 'image/', 'audio/', 'video/',
81
- 'application/json', 'application/xml',
82
- 'application/octet', 'application/force',
83
- 'text/json', 'text/xml'
84
- ].cs__freeze
85
- end
@@ -1,152 +0,0 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- cs__scoped_require 'securerandom'
5
- cs__scoped_require 'set'
6
-
7
- cs__scoped_require 'contrast/utils/assess/sampling_util'
8
- cs__scoped_require 'contrast/utils/assess/tracking_util'
9
- cs__scoped_require 'contrast/utils/environment_util'
10
- cs__scoped_require 'contrast/utils/env_configuration_item'
11
- cs__scoped_require 'contrast/utils/gemfile_reader'
12
- cs__scoped_require 'contrast/utils/object_share'
13
- cs__scoped_require 'contrast/utils/performs_logging'
14
- cs__scoped_require 'contrast/utils/string_utils'
15
- cs__scoped_require 'contrast/agent/reaction_processor'
16
- cs__scoped_require 'contrast/agent/require_state'
17
- cs__scoped_require 'contrast/agent/assess/policy/patcher'
18
- cs__scoped_require 'contrast/agent/patching/policy/patcher'
19
- cs__scoped_require 'contrast/components/interface'
20
-
21
- module Contrast
22
- module Agent
23
- # This class functions as a way to query the Agent for its current
24
- # configuration without having to expose other sections of code to the
25
- # decision tree needed to make that determination.
26
- # It should not be accessed directly, but should instead be inherited from
27
- #
28
- # @abstract Use the methods in FeatureState to access this data
29
- class SettingsState
30
- include Contrast::Utils::PerformsLogging
31
- include Contrast::Components::Interface
32
-
33
- INVALID_CONFIG = '!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!'
34
-
35
- access_component :agent, :analysis, :settings, :config, :contrast_service
36
-
37
- MODE_WHITELIST = %i[NO_ACTION BLOCK_AT_PERIMETER MONITOR BLOCK].cs__freeze
38
-
39
- # These are components.
40
- attr_accessor :last_update,
41
- :log_file,
42
- :log_level
43
-
44
- # These represent process-level attributes,
45
- # not directly related to Contrast function itself.
46
- attr_reader :pid,
47
- :ppid
48
-
49
- def initialize
50
- @instrumentation_mutex = Mutex.new
51
- @instrumented_packages = {}
52
-
53
- # Last we heard from the Contrast Service
54
- @last_update = nil
55
-
56
- # keep track of which process instantiated this instance
57
- @pid = Process.pid.to_i
58
- @ppid = Process.ppid.to_i
59
-
60
- init_log_queueing
61
-
62
- check_config
63
-
64
- flush_log_queues
65
- end
66
-
67
- def check_config
68
- SETTINGS.reset_state
69
-
70
- if CONFIG.invalid?
71
- AGENT.disable!
72
- self.class.log_error(INVALID_CONFIG)
73
- abort_log_queues
74
- elseif CONFIG.disabled?
75
- AGENT.disable!
76
- self.class.log_warn(LOG_CONFIGURATION_DISABLED)
77
- else
78
- AGENT.enable!
79
- end
80
- end
81
-
82
- # workaround to mixed use of class/instance
83
- def self.logger
84
- instance.logger
85
- end
86
-
87
- def logger
88
- logger_manager.current
89
- end
90
-
91
- def logger_manager
92
- (@_logger_manager ||= Contrast::Agent::LoggerManager.new.tap(&:update))
93
- end
94
-
95
- def assess_rule name
96
- ASSESS.rule name
97
- end
98
-
99
- def instrument package
100
- return if @instrumented_packages[package] # double check is intentional
101
-
102
- @instrumentation_mutex.synchronize do
103
- return if @instrumented_packages[package]
104
-
105
- @instrumented_packages[package] = true
106
- end
107
-
108
- self.class.debug_with_time("instrumenting #{ package }") do
109
- cs__scoped_require(package)
110
- end
111
- rescue LoadError, StandardError => e
112
- @instrumented_packages[package] = false
113
- self.class.log_error("[e.class: #{ e.class }] unable to instrument: #{ package }", e)
114
- end
115
-
116
- def protect_rule name
117
- PROTECT.rule name
118
- end
119
-
120
- def send_inventory_message
121
- return unless INVENTORY.enabled?
122
-
123
- app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.new
124
-
125
- # TODO: RUBY-770
126
- Contrast::Utils::EnvironmentUtil.add_library_to_app_update(app_update_msg, protobuf_format(CONFIG.root.inventory.tags))
127
-
128
- Contrast::Delegators::ApplicationUpdate.new(app_update_msg).instance_eval do
129
- append_view_technology_descriptor_data(Contrast::Agent.framework_manager.find_applicable_view_technologies) if INVENTORY.enabled?
130
- append_route_coverage_data(Contrast::Agent.framework_manager.find_route_discovery_data) if INVENTORY.enabled?
131
- append_platform_version(Contrast::Agent.framework_manager.platform_version)
132
- end
133
-
134
- Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
135
-
136
- CONTRAST_SERVICE.queue_message app_update_msg
137
- end
138
-
139
- def present? str
140
- Contrast::Utils::EnvironmentUtil.present?(str)
141
- end
142
-
143
- # CONTRAST-35326, move this responsibility toward the protobuf object
144
- def protobuf_format param, truncate: true
145
- param = param&.to_s
146
- param = Contrast::Utils::StringUtils.force_utf8(param)
147
- param = Contrast::Utils::StringUtils.truncate(param) if truncate
148
- param
149
- end
150
- end
151
- end
152
- end