contrast-agent 4.10.0 → 4.13.1

data/lib/contrast/agent/request_handler.rb

@@ -6,19 +6,23 @@ require 'contrast/components/scope'
 
 module Contrast
   module Agent
-    # This class is instantiated when we receive a request and the agent is enabled to process
-    # that request. It holds the ruleset that we perform filtering operations on (currently
-    # prefilter and postfilter).
+    # This class is instantiated when we receive a request and the agent is enabled to process that request. It holds
+    # the ruleset that we perform filtering operations on (currently prefilter and postfilter).
     class RequestHandler
       include Contrast::Components::Logger::InstanceMethods
 
       attr_reader :ruleset, :context
 
+      # @param context [Contrast::Agent::RequestContext] the context of the request for which this handler applies
       def initialize context
         @context = context
         @ruleset = ::Contrast::AGENT.ruleset
       end
 
+      # TODO: RUBY-1353
+      # TODO: RUBY-1355
+      # TODO: RUBY-1357
+      # TODO: RUBY-1358
       def send_activity_messages
         Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
         [context.server_activity, context.activity, context.observed_route].each do |message|

data/lib/contrast/agent/rule_set.rb

@@ -16,8 +16,7 @@ module Contrast
       # terminate requests on attack detection if set to block at perimeter
       def prefilter
         context = Contrast::Agent::REQUEST_TRACKER.current
-        # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
-        return unless context&.analyze_request? || ::Contrast::PROTECT.enabled?
+        return unless context&.analyze_request?
 
         logger.trace_with_time('Running prefilter...') do
           map { |rule| rule.prefilter(context) }
@@ -33,8 +32,7 @@ module Contrast
       # has been created. The main actions here are analyzing the response for unsafe state or actions.
       def postfilter
         context = Contrast::Agent::REQUEST_TRACKER.current
-        # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
-        return unless context&.analyze_response? || ::Contrast::PROTECT.enabled?
+        return unless context&.analyze_response?
 
         logger.trace_with_time('Running postfilter...') do
           map { |rule| rule.postfilter(context) }

data/lib/contrast/agent/scope.rb

@@ -104,39 +104,51 @@ module Contrast
         exit_split_scope!
       end
 
-      # Dynamic versions of the above.
-      # These are equivalent, but they're slower and riskier.
-      # Prefer the static methods if you know what scope you need at the call site.
+      # Static methods to be used, the cases are defined by the usage from the above methods
+      # if more methods are added - please extend the case statements as they are no longed dynamic
       def in_scope? name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"in_#{ name }_scope?" }
-        send(call)
+        case name
+        when :contrast
+          in_contrast_scope?
+        when :deserialization
+          in_deserialization_scope?
+        when :split
+          in_split_scope?
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def enter_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"enter_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          enter_contrast_scope!
+        when :deserialization
+          enter_deserialization_scope!
+        when :split
+          enter_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def exit_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"exit_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          exit_contrast_scope!
+        when :deserialization
+          exit_deserialization_scope!
+        when :split
+          exit_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       class << self
         def valid_scope? scope_sym
           Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
         end
-
-        def ensure_valid_scope! scope_sym
-          unless valid_scope? scope_sym # rubocop:disable Style/GuardClause
-            with_contrast_scope do
-              raise NoMethodError, "Scope '#{ scope_sym.inspect }' is not registered as a scope."
-            end
-          end
-        end
       end
     end
   end

data/lib/contrast/agent/startup_metrics_telemetry_event.rb

@@ -0,0 +1,71 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/metrics_hash'
+require 'contrast/agent/metric_telemetry_event'
+require 'contrast/agent/version'
+require 'contrast/utils/os'
+
+module Contrast
+  module Agent
+    # This class will hold the Startup Metrics Telemetry Event
+    # The class will include initialization of the agent version, language version
+    # os type, arch and version
+    # application framework and version and server framework
+    # It will be initialized and send in Middleware#agent_startup_routine
+    class StartupMetricsTelemetryEvent < Contrast::Agent::MetricTelemetryEvent
+      include Contrast::Utils::OS
+
+      APP_AND_SERVER_DATA = ::Contrast::APP_CONTEXT.app_and_server_information.cs__freeze
+      SAAS_DEFAULT = { addr: 'app.contrastsecuirty.com', type: 'SAAS_DEFAULT' }.cs__freeze
+      SAAS_CE = { addr: 'ce.contrastsecurity.com', type: 'SAAS_CE' }.cs__freeze
+      SAAS_CUSTOM = { addr: 'contrastsecurite.com', type: 'SAAS_CUSTOM' }.cs__freeze
+      SAAS_POV = { addr: 'eval.contrastsecuirty.com', type: 'SAAS_POV' }.cs__freeze
+      EOP = 'EOP'
+
+      def initialize
+        super
+        add_tags
+      end
+
+      def path
+        '/startup'
+      end
+
+      def add_tags
+        @tags['teamserver'] = teamserver_type
+        @tags['agent_version'] = VERSION
+        @tags['ruby_version'] = RUBY_VERSION
+        @tags['os_type'] = sys_info['os_type'] == 'Darwin' ? 'MacOS' : 'Linux'
+        @tags['os_arch'] = sys_info['os_arch']
+        @tags['os_version'] = sys_info['os_version']
+        @tags['app_framework_and_version'] = APP_AND_SERVER_DATA[:application_info].to_s
+        @tags['server_framework_and_version'] = APP_AND_SERVER_DATA[:server_info].to_s
+      end
+
+      def sys_info
+        @sys_info ||= get_system_information if @sys_info.nil?
+        @sys_info
+      end
+
+      private
+
+      # Here we extract the Teamserver url type
+      #
+      # @return[String] type, it could be SAAS_DEFAULT, SAAS_POV, SAAS_CE, SAAS_CUSTOM, or EOP
+      def teamserver_type
+        @_teamserver_type ||= if Contrast::API.api_url.include?(SAAS_DEFAULT[:addr])
+                                SAAS_DEFAULT[:type]
+                              elsif Contrast::API.api_url.include?(SAAS_POV[:addr])
+                                SAAS_POV[:type]
+                              elsif Contrast::API.api_url.include?(SAAS_CE[:addr])
+                                SAAS_CE[:type]
+                              elsif Contrast::API.api_url.end_with? SAAS_CUSTOM[:addr]
+                                SAAS_CUSTOM[:type]
+                              else
+                                EOP
+                              end
+      end
+    end
+  end
+end

data/lib/contrast/agent/static_analysis.rb

@@ -14,8 +14,8 @@ module Contrast
       include Contrast::Components::Scope::InstanceMethods
 
       class << self
-        # After the first request is complete, we do a one-time manual catchup to review and
-        # report the already-loaded gems.
+        # After the first request is complete, we do a one-time manual catchup to review and report the already-loaded
+        # gems.
         def catchup
           @_catchup ||= begin
             threaded_analysis!
@@ -23,6 +23,8 @@ module Contrast
           end
         end
 
+        # TODO: RUBY-1354
+        # TODO: RUBY-1356
         def send_inventory_message
           return unless ::Contrast::INVENTORY.enabled?
 

data/lib/contrast/agent/telemetry.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/config/env_variables'
+require 'contrast/components/logger'
+require 'contrast/utils/requests_client'
+require 'contrast/agent/worker_thread'
+require 'contrast/utils/telemetry'
+
+module Contrast
+  module Agent
+    # This class will initialize and hold everything needed for the telemetry
+    class Telemetry < WorkerThread
+      include Contrast::Utils::RequestsClient
+      include Contrast::Components::Logger::InstanceMethods
+      # this is where we will send the data from the agents
+      URL = 'https://telemetry.ruby.contrastsecurity.com/'
+      # Suggested timeout after each send is to be 3 hours (10800 seconds)
+      SUGGESTED_TIMEOUT = 10_800
+
+      class << self
+        include Contrast::Components::Logger::InstanceMethods
+        include Contrast::Config::EnvVariables
+
+        def application_id
+          @_application_id ||= begin
+            id = nil
+            mac = Contrast::Utils::Telemetry::Identifier.mac
+            app_name = Contrast::Utils::Telemetry::Identifier.app_name
+            id = mac + app_name if mac && app_name
+            Digest::SHA2.new(256).hexdigest(id || '_' + SecureRandom.uuid)
+          end
+        end
+
+        def instance_id
+          @_instance_id ||= Digest::SHA2.new(256).hexdigest(Contrast::Utils::Telemetry::Identifier.mac ||
+                                                                  '_' + SecureRandom.uuid)
+        end
+
+        def enabled?
+          @_enabled = telemetry_enabled? if @_enabled.nil?
+          @_enabled
+        end
+
+        private
+
+        def telemetry_enabled?
+          opt_out_telemetry = return_value(:telemetry_opt_outs)
+          return false if opt_out_telemetry.to_s.casecmp('true').zero?
+          return false if opt_out_telemetry.to_s.casecmp('1').zero?
+
+          # In case of connection error, do not create the background thread or queue,
+          # as if the opt-out env var was set
+          ip_opt_out_telemetry = Contrast::Utils::RequestsClient.initialize_connection(URL)
+          if ip_opt_out_telemetry.nil?
+            logger.warn('Connection was not established properly!!!')
+            logger.warn('THE SERVICE IS GOING TO BE TERMINATED!!')
+            return false
+          end
+
+          true
+        end
+      end
+
+      def attempt_to_start?
+        unless cs__class.enabled?
+          logger.warn('Telemetry service is disabled!')
+          return false
+        end
+
+        logger.debug('Attempting to start telemetry thread') unless running?
+        true
+      end
+
+      def start_thread!
+        return if running?
+
+        # It is recommended that implementations send a single payload of
+        # general metrics every 3 hours, starting from implementation startup.
+        @_thread = Contrast::Agent::Thread.new do
+          logger.debug('Starting background telemetry thread.')
+          event = queue.pop
+
+          begin
+            logger.debug('This is the current processed event', event)
+            res = Contrast::Utils::RequestsClient.send_request event, connection
+            sleep_time = Contrast::Utils::RequestsClient.handle_response res
+            sleep(sleep_time) unless sleep_time.nil?
+          rescue StandardError => e
+            logger.error('Could not send message to service from telemetry queue.', e)
+          end
+          sleep(SUGGESTED_TIMEOUT)
+        end
+      end
+
+      def send_event event
+        if ::Contrast::AGENT.disabled?
+          logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
+          return
+        end
+
+        return unless cs__class.enabled?
+
+        logger.debug('Enqueued event for sending', event_type: event.cs__class)
+
+        queue << event if event
+      end
+
+      def delete_queue!
+        @_queue&.clear
+        @_queue&.close
+        @_queue = nil
+      end
+
+      def stop!
+        return unless running?
+
+        super
+        delete_queue!
+      end
+
+      private
+
+      def queue
+        @_queue ||= Queue.new
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry_event.rb

@@ -0,0 +1,34 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/metrics_hash'
+
+module Contrast
+  module Agent
+    # This class will hold the basic information for a Telemetry Event
+    class TelemetryEvent
+      include Contrast::Utils
+
+      attr_reader :timestamp, :tags
+
+      # The instance_id comes from the Telemetry Instance
+      def initialize
+        @tags = MetricsHash.new(String)
+        @timestamp = format_date
+        @instance_id = Contrast::Agent.telemetry_queue.__id__
+      end
+
+      def path
+        ''
+      end
+
+      def to_json **_args
+        { tags: @tags, timestamp: @timestamp, instance_id: @instance_id }
+      end
+
+      def format_date
+        Time.now.strftime('%Y-%m-%d %H:%M:%S.%L')
+      end
+    end
+  end
+end

data/lib/contrast/agent/thread_watcher.rb

@@ -4,6 +4,7 @@
 require 'contrast/components/logger'
 require 'contrast/agent/service_heartbeat'
 require 'contrast/api/communication/messaging_queue'
+require 'contrast/agent/telemetry'
 
 module Contrast
   module Agent
@@ -22,28 +23,22 @@ module Contrast
         @heapdump_util = Contrast::Utils::HeapDumpUtil.new
         @heartbeat = Contrast::Agent::ServiceHeartbeat.new
         @messaging_queue = Contrast::Api::Communication::MessagingQueue.new
+        @telemetry = Contrast::Agent::Telemetry.new if Contrast::Agent::Telemetry.enabled?
       end
 
       def startup!
         return unless ::Contrast::AGENT.enabled?
 
-        unless heartbeat.running?
-          logger.debug('Attempting to start heartbeat thread')
-          heartbeat.start_thread!
-        end
-        heartbeat_result = heartbeat.running?
-        logger.debug('Heartbeat thread status', alive: heartbeat_result)
-
-        unless messaging_queue.running?
-          logger.debug('Attempting to start messaging queue thread')
-          messaging_queue.start_thread!
-        end
-        messaging_result = messaging_queue.running?
-        logger.debug('Messaging thread status', alive: messaging_result)
+        telemetry_thread_status = telemetry_thread_init
+        heartbeat_thread_status = heartbeat_thread_init
+        messaging_thread_status = messaging_thread_init
 
         logger.debug('ThreadWatcher started threads')
 
-        @pids[Process.pid] = messaging_result && heartbeat_result
+        @pids[Process.pid] = messaging_thread_status && heartbeat_thread_status
+        return @pids unless Contrast::Agent::Telemetry.enabled?
+
+        @pids[Process.pid] = messaging_thread_status && heartbeat_thread_status && telemetry_thread_status
       end
 
       def ensure_running?
@@ -57,6 +52,40 @@ module Contrast
         heartbeat.stop!
         messaging_queue.stop!
         heapdump_util.stop!
+        telemetry_queue&.stop!
+      end
+
+      def heartbeat_thread_init
+        unless heartbeat.running?
+          logger.debug('Attempting to start heartbeat thread')
+          heartbeat.start_thread!
+        end
+        heartbeat_result = heartbeat.running?
+        logger.debug('Heartbeat thread status', alive: heartbeat_result)
+        heartbeat_result
+      end
+
+      def telemetry_thread_init
+        @telemetry.start_thread! if @telemetry&.attempt_to_start?
+        telemetry_result = @telemetry&.running?
+        logger.debug('Telemetry thread status', alive: telemetry_result)
+        telemetry_result
+      end
+
+      def messaging_thread_init
+        unless messaging_queue.running?
+          logger.debug('Attempting to start messaging queue thread')
+          messaging_queue.start_thread!
+        end
+        messaging_result = messaging_queue.running?
+        logger.debug('Messaging thread status', alive: messaging_result)
+        messaging_result
+      end
+
+      def telemetry_queue
+        return if @telemetry.nil?
+
+        @telemetry
       end
     end
   end

data/lib/contrast/agent/tracepoint_hook.rb

@@ -27,14 +27,22 @@ module Contrast
 
         private
 
+        # Use the TracePoint from the :end event, meaning the completion of a definition of a Class or Module (or
+        # really the completion of that piece of a definition, as determined by an `end` statement since there could be
+        # definitions across multiple files) to carry out actions required on definition. This typically involves
+        # patching and usage analysis
+        #
+        # @param tracepoint_event [TracePoint] the TracePoint from the :end
         def process tracepoint_event
           with_contrast_scope do
-            logger.trace('Received TracePoint end event', module: tracepoint_event.self.to_s)
-
+            # the Module or Class that was loaded during this event
             loaded_module = tracepoint_event.self
+            # the file being loaded that contained this definition
             path = tracepoint_event.path
             return if path&.include?('contrast')
 
+            logger.trace('Received TracePoint end event', module: loaded_module, path: path)
+
             Contrast::Agent.framework_manager.register_late_framework(loaded_module)
             Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
             Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
@@ -43,7 +51,7 @@ module Contrast
             end
             Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)
           rescue StandardError => e
-            logger.error('Unable to complete TracePoint analysis', e, module: loaded_module)
+            logger.error('Unable to complete TracePoint analysis', e, module: loaded_module, path: path)
           end
         end
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.10.0'
+    VERSION = '4.13.1'
   end
 end

data/lib/contrast/agent.rb

@@ -20,7 +20,6 @@ require 'contrast/extension/delegator'
 require 'contrast/extension/inventory'
 require 'contrast/extension/module'
 require 'contrast/extension/protect'
-require 'contrast/extension/protect/kernel'
 
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
@@ -62,6 +61,12 @@ module Contrast
       thread_watcher.messaging_queue
     end
 
+    def self.telemetry_queue
+      return unless thread_watcher.telemetry_queue
+
+      thread_watcher.telemetry_queue
+    end
+
     def self.thread_watcher
       @_thread_watcher ||= Contrast::Agent::ThreadWatcher.new
     end

data/lib/contrast/components/api.rb

@@ -0,0 +1,34 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/base'
+require 'contrast/components/config'
+
+module Contrast
+  module Components
+    module Api
+      # A wrapper build around the Common Agent Configuration project to allow
+      # for Api keys to be mapped with their values contained in their
+      # parent_configuration_spec.yaml.
+      class Interface
+        include Contrast::Components::ComponentBase
+
+        def api_url
+          @_api_url ||= ::Contrast::CONFIG.root.api.url
+        end
+
+        def api_key
+          @_api_key ||= ::Contrast::CONFIG.root.api.api_key
+        end
+
+        def service_key
+          @_service_key ||= ::Contrast::CONFIG.root.api.service_key
+        end
+
+        def username
+          @_username ||= ::Contrast::CONFIG.root.api.user_name
+        end
+      end
+    end
+  end
+end

data/lib/contrast/components/app_context.rb

@@ -23,6 +23,10 @@ module Contrast
         DEFAULT_SERVER_NAME = 'localhost'
         DEFAULT_SERVER_PATH = '/'
 
+        SUPPORTED_FRAMEWORKS = %w[rails sinatra grape rack].cs__freeze
+
+        SUPPORTED_SERVERS = %w[passenger puma thin unicorn].cs__freeze
+
         def initialize
           original_pid
         end
@@ -109,6 +113,26 @@ module Contrast
           @_client_id ||= [app_name, pgid].join('-')
         end
 
+        def app_and_server_information
+          {
+              application_info: find_gem_information(SUPPORTED_FRAMEWORKS),
+              server_info: find_gem_information(SUPPORTED_SERVERS)
+          }
+        end
+
+        def find_gem_information arr
+          arr.each do |framework|
+            next unless Gem.loaded_specs.key?(framework)
+
+            loaded = Gem.loaded_specs[framework]
+            next unless loaded
+
+            name = loaded.instance_variable_get(:@name)
+            version = loaded.instance_variable_get(:@version).to_s
+            return [name, version].join(' ')
+          end
+        end
+
         def instrument_middleware_stack?
           !Contrast::Utils::JobServersRunning.job_servers_running?
         end

data/lib/contrast/components/assess.rb

@@ -88,6 +88,13 @@ module Contrast
           @_require_scan
         end
 
+        def require_dynamic_sources?
+          if @_require_dynamic_sources.nil?
+            @_require_dynamic_sources = !false?(::Contrast::CONFIG.root.assess.enable_dynamic_sources)
+          end
+          @_require_dynamic_sources
+        end
+
         def tags
           ::Contrast::CONFIG.root.assess&.tags
         end