contrast-agent 4.10.0 → 4.13.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/cs__assess_module/cs__assess_module.c +48 -0
- data/ext/cs__assess_module/cs__assess_module.h +7 -0
- data/ext/cs__common/cs__common.c +24 -7
- data/ext/cs__common/cs__common.h +12 -2
- data/ext/cs__contrast_patch/cs__contrast_patch.c +48 -11
- data/ext/cs__contrast_patch/cs__contrast_patch.h +5 -2
- data/ext/cs__os_information/cs__os_information.c +31 -0
- data/ext/cs__os_information/cs__os_information.h +7 -0
- data/ext/{cs__protect_kernel → cs__os_information}/extconf.rb +0 -0
- data/lib/contrast/agent/assess/contrast_event.rb +1 -1
- data/lib/contrast/agent/assess/contrast_object.rb +1 -4
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +2 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +25 -11
- data/lib/contrast/agent/assess/policy/propagation_method.rb +2 -116
- data/lib/contrast/agent/assess/policy/propagation_node.rb +4 -4
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +2 -0
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +4 -4
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +4 -9
- data/lib/contrast/agent/assess/policy/source_method.rb +2 -71
- data/lib/contrast/agent/assess/policy/trigger_method.rb +4 -107
- data/lib/contrast/agent/assess/policy/trigger_node.rb +52 -19
- data/lib/contrast/agent/assess/property/tagged.rb +15 -132
- data/lib/contrast/agent/deadzone/policy/policy.rb +6 -0
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +2 -1
- data/lib/contrast/agent/metric_telemetry_event.rb +26 -0
- data/lib/contrast/agent/middleware.rb +22 -0
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +0 -1
- data/lib/contrast/agent/patching/policy/method_policy.rb +54 -9
- data/lib/contrast/agent/patching/policy/patch.rb +37 -238
- data/lib/contrast/agent/patching/policy/patcher.rb +3 -42
- data/lib/contrast/agent/request.rb +5 -3
- data/lib/contrast/agent/request_context.rb +32 -11
- data/lib/contrast/agent/request_handler.rb +7 -3
- data/lib/contrast/agent/rule_set.rb +2 -4
- data/lib/contrast/agent/scope.rb +32 -20
- data/lib/contrast/agent/startup_metrics_telemetry_event.rb +71 -0
- data/lib/contrast/agent/static_analysis.rb +4 -2
- data/lib/contrast/agent/telemetry.rb +129 -0
- data/lib/contrast/agent/telemetry_event.rb +34 -0
- data/lib/contrast/agent/thread_watcher.rb +43 -14
- data/lib/contrast/agent/tracepoint_hook.rb +11 -3
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +6 -1
- data/lib/contrast/components/api.rb +34 -0
- data/lib/contrast/components/app_context.rb +24 -0
- data/lib/contrast/components/assess.rb +7 -0
- data/lib/contrast/components/config.rb +90 -11
- data/lib/contrast/components/contrast_service.rb +6 -0
- data/lib/contrast/config/api_configuration.rb +22 -0
- data/lib/contrast/config/assess_configuration.rb +1 -0
- data/lib/contrast/config/env_variables.rb +25 -0
- data/lib/contrast/config/root_configuration.rb +1 -0
- data/lib/contrast/config/service_configuration.rb +2 -1
- data/lib/contrast/config.rb +1 -0
- data/lib/contrast/configuration.rb +3 -0
- data/lib/contrast/framework/manager.rb +14 -12
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +9 -6
- data/lib/contrast/framework/rails/patch/support.rb +31 -29
- data/lib/contrast/logger/application.rb +4 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +129 -0
- data/lib/contrast/utils/assess/property/tagged_utils.rb +142 -0
- data/lib/contrast/utils/assess/source_method_utils.rb +83 -0
- data/lib/contrast/utils/assess/trigger_method_utils.rb +138 -0
- data/lib/contrast/utils/class_util.rb +58 -44
- data/lib/contrast/utils/exclude_key.rb +20 -0
- data/lib/contrast/utils/io_util.rb +42 -34
- data/lib/contrast/utils/lru_cache.rb +45 -0
- data/lib/contrast/utils/metrics_hash.rb +59 -0
- data/lib/contrast/utils/os.rb +23 -0
- data/lib/contrast/utils/patching/policy/patch_utils.rb +232 -0
- data/lib/contrast/utils/patching/policy/patcher_utils.rb +54 -0
- data/lib/contrast/utils/requests_client.rb +150 -0
- data/lib/contrast/utils/ruby_ast_rewriter.rb +1 -1
- data/lib/contrast/utils/telemetry.rb +77 -0
- data/lib/contrast/utils/telemetry_identifier.rb +137 -0
- data/lib/contrast.rb +19 -1
- data/resources/assess/policy.json +12 -6
- data/resources/deadzone/policy.json +86 -5
- data/ruby-agent.gemspec +2 -1
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +32 -14
- data/ext/cs__protect_kernel/cs__protect_kernel.c +0 -47
- data/ext/cs__protect_kernel/cs__protect_kernel.h +0 -12
- data/lib/contrast/extension/protect/kernel.rb +0 -29
@@ -0,0 +1,137 @@
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/telemetry'
|
5
|
+
require 'contrast/utils/os'
|
6
|
+
require 'socket'
|
7
|
+
|
8
|
+
module Contrast
|
9
|
+
module Utils
|
10
|
+
# Tools for supporting the Telemetry feature
|
11
|
+
module Telemetry
|
12
|
+
# Gets info about the instrumented application required to build unique identifiers,
|
13
|
+
# used in the agent's Telemetry.
|
14
|
+
module Identifier
|
15
|
+
MAC_REGEX = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
|
16
|
+
LINUX_OS_REG = /hwaddr=.*?(([A-F0-9]{2}:){5}[A-F0-9]{2})/im.cs__freeze
|
17
|
+
MAC_OS_PRIMARY = 'en0'.cs__freeze
|
18
|
+
LINUX_PRIMARY = 'enp'.cs__freeze
|
19
|
+
|
20
|
+
# Sinatra and Grape both use similar approach to identify the app_name.
|
21
|
+
# Rails has a different way of doing it, but to unify this we'll use this one.
|
22
|
+
# If app_name is changed/renamed during production it would still get the
|
23
|
+
# new folder's name.
|
24
|
+
#
|
25
|
+
# @ return [String] name of the application from the current working directory
|
26
|
+
def self.app_name
|
27
|
+
@_app_name ||= File.basename(Dir.pwd)
|
28
|
+
end
|
29
|
+
|
30
|
+
# Returns the MAC address of the primary network interface, depending on the used OS.
|
31
|
+
# If the primary is unknown it finds the first available network interface and gets it's
|
32
|
+
# MAC address instead.
|
33
|
+
#
|
34
|
+
# @return [String, nil] MAC address of the primary network interface or
|
35
|
+
# the first available one, or nil if nothing found
|
36
|
+
def self.mac
|
37
|
+
@_mac = find_mac MAC_OS_PRIMARY if Contrast::Utils::OS.mac? && @_mac.nil?
|
38
|
+
@_mac = find_mac LINUX_PRIMARY if Contrast::Utils::OS.linux? && @_mac.nil?
|
39
|
+
# or find any available
|
40
|
+
@_mac = find_mac if @_mac.nil?
|
41
|
+
@_mac
|
42
|
+
end
|
43
|
+
|
44
|
+
class << self
|
45
|
+
private
|
46
|
+
|
47
|
+
# Finds the primary MAC address of all listed network adapters.
|
48
|
+
# If primary is not set or unknown, use the first MAC address found
|
49
|
+
# from the listed adapters.
|
50
|
+
#
|
51
|
+
# @param primary [nil, String] optional param if set look only for primary
|
52
|
+
# network adapter's name
|
53
|
+
# @return [String, nil] MAC address of the first listed network adapter or
|
54
|
+
# nil if not found
|
55
|
+
def find_mac primary = nil
|
56
|
+
result = nil
|
57
|
+
idx = 0
|
58
|
+
return if interfaces.empty?
|
59
|
+
|
60
|
+
while idx < interfaces.length
|
61
|
+
addr = interfaces[idx].addr
|
62
|
+
name = interfaces[idx].name # rubocop:disable Security/Module/Name
|
63
|
+
# retrieving MAC address from primary network interface or first available
|
64
|
+
mac = retrieve_mac name, addr, primary
|
65
|
+
idx += 1
|
66
|
+
next unless mac
|
67
|
+
|
68
|
+
result = mac if mac && (mac.match? MAC_REGEX)
|
69
|
+
break if result && !primary
|
70
|
+
end
|
71
|
+
result
|
72
|
+
end
|
73
|
+
|
74
|
+
# Retrieves MAC address for primary or any network interface.
|
75
|
+
# This is OS dependent search.
|
76
|
+
#
|
77
|
+
# @param name [Sting] interface name of ifaddr
|
78
|
+
# @param addr [String] address info
|
79
|
+
# example: #<Addrinfo: LINK[en0 aa:bb:cc:00:11:22]>
|
80
|
+
# @param primary [nil, String] optional param if set look only for primary
|
81
|
+
# network adapter's name
|
82
|
+
# @return mac [nil, String] MAC address of primary network interface,
|
83
|
+
# any network interface, or nil if no interface is found.
|
84
|
+
def retrieve_mac name, addr, primary
|
85
|
+
mac = nil
|
86
|
+
# Mac OS allow us to use getnameinfo(sockaddr [, flags]) => [hostname, servicename]
|
87
|
+
#
|
88
|
+
# returned address:
|
89
|
+
# <Socket::Ifaddr en0 UP,BROADCAST,RUNNING,NOTRAILERS,SIMPLEX,MULTICAST LINK[en0 aa:bb:cc:00:11:22]>
|
90
|
+
if Contrast::Utils::OS.mac?
|
91
|
+
mac = addr.getnameinfo[0] unless primary
|
92
|
+
mac = addr.getnameinfo[0] if primary && name.include?(primary)
|
93
|
+
end
|
94
|
+
# In Linux using Socket::addr#getnameinfo results in ai_family not supported exception.
|
95
|
+
# In this case we are relying on match filtering of addresses.
|
96
|
+
#
|
97
|
+
# returned address:
|
98
|
+
# #<Socket::Ifaddr eth0 UP,BROADCAST,RUNNING,MULTICAST,0x10000
|
99
|
+
# PACKET[protocol=0 eth0 hatype=1 HOST hwaddr=aa:bb:cc:00:11:22]>
|
100
|
+
if primary && Contrast::Utils::OS.linux?
|
101
|
+
mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG && name.include?(primary)
|
102
|
+
elsif primary.nil? && Contrast::Utils::OS.linux?
|
103
|
+
mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG
|
104
|
+
end
|
105
|
+
mac
|
106
|
+
end
|
107
|
+
|
108
|
+
# Returns array of network interfaces.
|
109
|
+
# This is OS dependent search.
|
110
|
+
#
|
111
|
+
# @return interfaces [Array] Returns an array of interface addresses.
|
112
|
+
# Socket::Ifaddr - represents a result of getifaddrs().
|
113
|
+
def interfaces
|
114
|
+
@_interfaces = []
|
115
|
+
arr = Socket.getifaddrs
|
116
|
+
idx = 0
|
117
|
+
check_family = 0
|
118
|
+
while idx < arr.length
|
119
|
+
# We need only network adapters MACs. Checking for pfamily of every socket address:
|
120
|
+
# 18 for Mac OS and 17 for Linux.
|
121
|
+
# family should be an address family such as: :INET, :INET6, :UNIX, etc.
|
122
|
+
check_family = 18 if Contrast::Utils::OS.mac?
|
123
|
+
check_family = 17 if Contrast::Utils::OS.linux?
|
124
|
+
if arr[idx].addr.pfamily != check_family
|
125
|
+
idx += 1
|
126
|
+
next
|
127
|
+
end
|
128
|
+
@_interfaces << arr[idx]
|
129
|
+
idx += 1
|
130
|
+
end
|
131
|
+
@_interfaces
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end
|
137
|
+
end
|
data/lib/contrast.rb
CHANGED
@@ -23,7 +23,7 @@ end
|
|
23
23
|
|
24
24
|
if RUBY_VERSION >= '3.0.0'
|
25
25
|
# This fixes Ruby 3.0 issues with Module#(some instance method) patching by preventing the prepending of
|
26
|
-
# a JSON helper on protobuf load. String.instance_method(:+) is one of the most
|
26
|
+
# a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticeable.
|
27
27
|
# TODO: RUBY-1132 Remove this once Ruby 3 is fixed.
|
28
28
|
# See bug here: https://bugs.ruby-lang.org/issues/17725
|
29
29
|
class Class
|
@@ -35,6 +35,7 @@ if RUBY_VERSION >= '3.0.0'
|
|
35
35
|
end
|
36
36
|
|
37
37
|
require 'contrast/components/agent'
|
38
|
+
require 'contrast/components/api'
|
38
39
|
require 'contrast/components/app_context'
|
39
40
|
require 'contrast/components/assess'
|
40
41
|
require 'contrast/components/config'
|
@@ -47,6 +48,7 @@ require 'contrast/components/scope'
|
|
47
48
|
require 'contrast/components/settings'
|
48
49
|
|
49
50
|
module Contrast
|
51
|
+
API = Contrast::Components::Api::Interface.new
|
50
52
|
SCOPE = Contrast::Components::Scope::Interface.new
|
51
53
|
CONFIG = Contrast::Components::Config::Interface.new
|
52
54
|
SETTINGS = Contrast::Components::Settings::Interface.new
|
@@ -76,3 +78,19 @@ if RUBY_VERSION >= '3.0.0'
|
|
76
78
|
Class.alias_method(:prepend, :cs__orig_prepend)
|
77
79
|
Class.remove_method(:cs__orig_prepend)
|
78
80
|
end
|
81
|
+
|
82
|
+
if RUBY_VERSION < '3.0.0'
|
83
|
+
# Better handles ancestors for older ruby versions.
|
84
|
+
# This is called from C, tread lightly.
|
85
|
+
class Module
|
86
|
+
@_included_in = []
|
87
|
+
# Returns array with modules including this instance
|
88
|
+
def included_in
|
89
|
+
@_included_in ||= [] unless cs__frozen?
|
90
|
+
end
|
91
|
+
|
92
|
+
def self.included_in
|
93
|
+
@_included_in ||= [] unless cs__frozen?
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|
@@ -50,7 +50,7 @@
|
|
50
50
|
"target": "R",
|
51
51
|
"type": "COOKIE",
|
52
52
|
"tags":["NO_NEWLINES", "CROSS_SITE"]
|
53
|
-
},
|
53
|
+
}, {
|
54
54
|
"class_name":"Rack::Request::Helpers",
|
55
55
|
"instance_method": true,
|
56
56
|
"method_visibility": "public",
|
@@ -200,8 +200,15 @@
|
|
200
200
|
"source": "O",
|
201
201
|
"target": "R",
|
202
202
|
"action": "KEEP"
|
203
|
-
},
|
204
|
-
|
203
|
+
}, {
|
204
|
+
"class_name": "String",
|
205
|
+
"instance_method": true,
|
206
|
+
"method_visibility": "public",
|
207
|
+
"method_name": "force_encoding",
|
208
|
+
"source": "O",
|
209
|
+
"target": "R",
|
210
|
+
"action": "SPLAT"
|
211
|
+
}, {
|
205
212
|
"class_name": "String",
|
206
213
|
"instance_method": true,
|
207
214
|
"method_visibility": "public",
|
@@ -209,8 +216,7 @@
|
|
209
216
|
"source": "O",
|
210
217
|
"target": "R",
|
211
218
|
"action": "KEEP"
|
212
|
-
},
|
213
|
-
{
|
219
|
+
}, {
|
214
220
|
"class_name": "String",
|
215
221
|
"instance_method": true,
|
216
222
|
"method_visibility": "public",
|
@@ -218,7 +224,7 @@
|
|
218
224
|
"source": "O,P0",
|
219
225
|
"target": "R",
|
220
226
|
"action": "SPLIT"
|
221
|
-
},{
|
227
|
+
}, {
|
222
228
|
"class_name": "String",
|
223
229
|
"instance_method": true,
|
224
230
|
"method_visibility": "public",
|
@@ -1,11 +1,6 @@
|
|
1
1
|
{
|
2
2
|
"deadzones":[
|
3
3
|
{
|
4
|
-
"class_name":"Rspec::Core::BacktraceFormatter",
|
5
|
-
"instance_method":true,
|
6
|
-
"method_visibility": "private",
|
7
|
-
"method_name":"matches?"
|
8
|
-
},{
|
9
4
|
"class_name":"Rspec::Core::Example",
|
10
5
|
"instance_method":true,
|
11
6
|
"method_visibility": "private",
|
@@ -205,6 +200,92 @@
|
|
205
200
|
"method_visibility": "public",
|
206
201
|
"method_name":"exists?",
|
207
202
|
"code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/request/session.rb#L201"
|
203
|
+
},{
|
204
|
+
"class_name": "RSpec::Matchers::BuiltIn::BaseMatcher"
|
205
|
+
},{
|
206
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeAKindOf"
|
207
|
+
},{
|
208
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeAnInstanceOf"
|
209
|
+
},{
|
210
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeBetween"
|
211
|
+
},{
|
212
|
+
"class_name": "RSpec::Matchers::BuiltIn::Be"
|
213
|
+
},{
|
214
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeComparedTo"
|
215
|
+
},{
|
216
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeFalsey"
|
217
|
+
},{
|
218
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeHelpers"
|
219
|
+
},{
|
220
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeNil"
|
221
|
+
},{
|
222
|
+
"class_name": "RSpec::Matchers::BuiltIn::BePredicate"
|
223
|
+
},{
|
224
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeTruthy"
|
225
|
+
},{
|
226
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeWithin"
|
227
|
+
},{
|
228
|
+
"class_name": "RSpec::Matchers::BuiltIn::Change"
|
229
|
+
},{
|
230
|
+
"class_name": "RSpec::Matchers::BuiltIn::ChangeRelatively"
|
231
|
+
},{
|
232
|
+
"class_name": "RSpec::Matchers::BuiltIn::SpecificValuesChange"
|
233
|
+
},{
|
234
|
+
"class_name": "RSpec::Matchers::BuiltIn::Compound"
|
235
|
+
},{
|
236
|
+
"class_name": "RSpec::Matchers::BuiltIn::Compound::And"
|
237
|
+
}, {
|
238
|
+
"class_name": "RSpec::Matchers::BuiltIn::Compound::Or"
|
239
|
+
},{
|
240
|
+
"class_name": "RSpec::Matchers::BuiltIn::ContainExactly"
|
241
|
+
},{
|
242
|
+
"class_name": "RSpec::Matchers::BuiltIn::Cover"
|
243
|
+
},{
|
244
|
+
"class_name": "RSpec::Matchers::BuiltIn::EndWith"
|
245
|
+
},{
|
246
|
+
"class_name": "RSpec::Matchers::BuiltIn::Eq"
|
247
|
+
},{
|
248
|
+
"class_name": "RSpec::Matchers::BuiltIn::Eql"
|
249
|
+
},{
|
250
|
+
"class_name": "RSpec::Matchers::BuiltIn::Equal"
|
251
|
+
},{
|
252
|
+
"class_name": "RSpec::Matchers::BuiltIn::Exist"
|
253
|
+
},{
|
254
|
+
"class_name": "RSpec::Matchers::BuiltIn::Has"
|
255
|
+
},{
|
256
|
+
"class_name": "RSpec::Matchers::BuiltIn::HaveAttributes"
|
257
|
+
},{
|
258
|
+
"class_name": "RSpec::Matchers::BuiltIn::All"
|
259
|
+
},{
|
260
|
+
"class_name": "RSpec::Matchers::BuiltIn::Match"
|
261
|
+
},{
|
262
|
+
"class_name": "RSpec::Matchers::BuiltIn::NegativeOperatorMatcher"
|
263
|
+
},{
|
264
|
+
"class_name": "RSpec::Matchers::BuiltIn::OperatorMatcher"
|
265
|
+
},{
|
266
|
+
"class_name": "RSpec::Matchers::BuiltIn::Output"
|
267
|
+
},{
|
268
|
+
"class_name": "RSpec::Matchers::BuiltIn::PositiveOperatorMatcher"
|
269
|
+
},{
|
270
|
+
"class_name": "RSpec::Matchers::BuiltIn::RaiseError"
|
271
|
+
},{
|
272
|
+
"class_name": "RSpec::Matchers::BuiltIn::RespondTo"
|
273
|
+
},{
|
274
|
+
"class_name": "RSpec::Matchers::BuiltIn::Satisfy"
|
275
|
+
},{
|
276
|
+
"class_name": "RSpec::Matchers::BuiltIn::StartWith"
|
277
|
+
},{
|
278
|
+
"class_name": "RSpec::Matchers::BuiltIn::ThrowSymbol"
|
279
|
+
},{
|
280
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldControl"
|
281
|
+
},{
|
282
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldSuccessiveArgs"
|
283
|
+
},{
|
284
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldWithArgs"
|
285
|
+
},{
|
286
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldWithNoArgs"
|
287
|
+
},{
|
288
|
+
"class_name": "SimpleCov"
|
208
289
|
}
|
209
290
|
]
|
210
291
|
}
|
data/ruby-agent.gemspec
CHANGED
@@ -150,7 +150,8 @@ def self.add_files spec
|
|
150
150
|
'shared_libraries/libfunchook.so',
|
151
151
|
'shared_libraries/funchook.h',
|
152
152
|
'funchook/src/libfunchook.dylib',
|
153
|
-
'funchook/src/libfunchook.so'
|
153
|
+
'funchook/src/libfunchook.so',
|
154
|
+
'.secrets.baseline')
|
154
155
|
end
|
155
156
|
end
|
156
157
|
|
data/service_executables/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
2.
|
1
|
+
2.27.3
|
Binary file
|
Binary file
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: contrast-agent
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.13.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- galen.palmer@contrastsecurity.com
|
@@ -13,7 +13,7 @@ authors:
|
|
13
13
|
autorequire:
|
14
14
|
bindir: exe
|
15
15
|
cert_chain: []
|
16
|
-
date: 2021-
|
16
|
+
date: 2021-11-19 00:00:00.000000000 Z
|
17
17
|
dependencies:
|
18
18
|
- !ruby/object:Gem::Dependency
|
19
19
|
name: bundler
|
@@ -618,19 +618,19 @@ executables:
|
|
618
618
|
extensions:
|
619
619
|
- ext/cs__common/extconf.rb
|
620
620
|
- ext/cs__assess_fiber_track/extconf.rb
|
621
|
-
- ext/
|
621
|
+
- ext/cs__os_information/extconf.rb
|
622
|
+
- ext/cs__assess_array/extconf.rb
|
623
|
+
- ext/cs__contrast_patch/extconf.rb
|
622
624
|
- ext/cs__assess_kernel/extconf.rb
|
623
|
-
- ext/cs__assess_basic_object/extconf.rb
|
624
|
-
- ext/cs__assess_string/extconf.rb
|
625
625
|
- ext/cs__assess_regexp/extconf.rb
|
626
|
-
- ext/
|
627
|
-
- ext/cs__contrast_patch/extconf.rb
|
628
|
-
- ext/cs__assess_active_record_named/extconf.rb
|
626
|
+
- ext/cs__assess_marshal_module/extconf.rb
|
629
627
|
- ext/cs__assess_module/extconf.rb
|
630
628
|
- ext/cs__assess_hash/extconf.rb
|
631
|
-
- ext/
|
632
|
-
- ext/cs__assess_array/extconf.rb
|
629
|
+
- ext/cs__assess_active_record_named/extconf.rb
|
633
630
|
- ext/cs__assess_yield_track/extconf.rb
|
631
|
+
- ext/cs__assess_string/extconf.rb
|
632
|
+
- ext/cs__assess_basic_object/extconf.rb
|
633
|
+
- ext/cs__assess_string_interpolation26/extconf.rb
|
634
634
|
extra_rdoc_files: []
|
635
635
|
files:
|
636
636
|
- ".clang-format"
|
@@ -688,9 +688,9 @@ files:
|
|
688
688
|
- ext/cs__contrast_patch/cs__contrast_patch.c
|
689
689
|
- ext/cs__contrast_patch/cs__contrast_patch.h
|
690
690
|
- ext/cs__contrast_patch/extconf.rb
|
691
|
-
- ext/
|
692
|
-
- ext/
|
693
|
-
- ext/
|
691
|
+
- ext/cs__os_information/cs__os_information.c
|
692
|
+
- ext/cs__os_information/cs__os_information.h
|
693
|
+
- ext/cs__os_information/extconf.rb
|
694
694
|
- ext/extconf_common.rb
|
695
695
|
- funchook/LICENSE
|
696
696
|
- funchook/Makefile.in
|
@@ -898,6 +898,7 @@ files:
|
|
898
898
|
- lib/contrast/agent/inventory/policy/datastores.rb
|
899
899
|
- lib/contrast/agent/inventory/policy/policy.rb
|
900
900
|
- lib/contrast/agent/inventory/policy/trigger_node.rb
|
901
|
+
- lib/contrast/agent/metric_telemetry_event.rb
|
901
902
|
- lib/contrast/agent/middleware.rb
|
902
903
|
- lib/contrast/agent/module_data.rb
|
903
904
|
- lib/contrast/agent/patching/policy/after_load_patch.rb
|
@@ -948,7 +949,10 @@ files:
|
|
948
949
|
- lib/contrast/agent/rule_set.rb
|
949
950
|
- lib/contrast/agent/scope.rb
|
950
951
|
- lib/contrast/agent/service_heartbeat.rb
|
952
|
+
- lib/contrast/agent/startup_metrics_telemetry_event.rb
|
951
953
|
- lib/contrast/agent/static_analysis.rb
|
954
|
+
- lib/contrast/agent/telemetry.rb
|
955
|
+
- lib/contrast/agent/telemetry_event.rb
|
952
956
|
- lib/contrast/agent/thread.rb
|
953
957
|
- lib/contrast/agent/thread_watcher.rb
|
954
958
|
- lib/contrast/agent/tracepoint_hook.rb
|
@@ -990,6 +994,7 @@ files:
|
|
990
994
|
- lib/contrast/api/dtm.pb.rb
|
991
995
|
- lib/contrast/api/settings.pb.rb
|
992
996
|
- lib/contrast/components/agent.rb
|
997
|
+
- lib/contrast/components/api.rb
|
993
998
|
- lib/contrast/components/app_context.rb
|
994
999
|
- lib/contrast/components/assess.rb
|
995
1000
|
- lib/contrast/components/base.rb
|
@@ -1004,11 +1009,13 @@ files:
|
|
1004
1009
|
- lib/contrast/components/settings.rb
|
1005
1010
|
- lib/contrast/config.rb
|
1006
1011
|
- lib/contrast/config/agent_configuration.rb
|
1012
|
+
- lib/contrast/config/api_configuration.rb
|
1007
1013
|
- lib/contrast/config/application_configuration.rb
|
1008
1014
|
- lib/contrast/config/assess_configuration.rb
|
1009
1015
|
- lib/contrast/config/assess_rules_configuration.rb
|
1010
1016
|
- lib/contrast/config/base_configuration.rb
|
1011
1017
|
- lib/contrast/config/default_value.rb
|
1018
|
+
- lib/contrast/config/env_variables.rb
|
1012
1019
|
- lib/contrast/config/exception_configuration.rb
|
1013
1020
|
- lib/contrast/config/heap_dump_configuration.rb
|
1014
1021
|
- lib/contrast/config/inventory_configuration.rb
|
@@ -1039,7 +1046,6 @@ files:
|
|
1039
1046
|
- lib/contrast/extension/kernel.rb
|
1040
1047
|
- lib/contrast/extension/module.rb
|
1041
1048
|
- lib/contrast/extension/protect.rb
|
1042
|
-
- lib/contrast/extension/protect/kernel.rb
|
1043
1049
|
- lib/contrast/extension/protect/psych.rb
|
1044
1050
|
- lib/contrast/extension/thread.rb
|
1045
1051
|
- lib/contrast/framework/base_support.rb
|
@@ -1069,25 +1075,37 @@ files:
|
|
1069
1075
|
- lib/contrast/security_exception.rb
|
1070
1076
|
- lib/contrast/tasks/config.rb
|
1071
1077
|
- lib/contrast/tasks/service.rb
|
1078
|
+
- lib/contrast/utils/assess/propagation_method_utils.rb
|
1079
|
+
- lib/contrast/utils/assess/property/tagged_utils.rb
|
1072
1080
|
- lib/contrast/utils/assess/sampling_util.rb
|
1081
|
+
- lib/contrast/utils/assess/source_method_utils.rb
|
1073
1082
|
- lib/contrast/utils/assess/tracking_util.rb
|
1083
|
+
- lib/contrast/utils/assess/trigger_method_utils.rb
|
1074
1084
|
- lib/contrast/utils/class_util.rb
|
1075
1085
|
- lib/contrast/utils/duck_utils.rb
|
1076
1086
|
- lib/contrast/utils/env_configuration_item.rb
|
1087
|
+
- lib/contrast/utils/exclude_key.rb
|
1077
1088
|
- lib/contrast/utils/hash_digest.rb
|
1078
1089
|
- lib/contrast/utils/heap_dump_util.rb
|
1079
1090
|
- lib/contrast/utils/invalid_configuration_util.rb
|
1080
1091
|
- lib/contrast/utils/io_util.rb
|
1081
1092
|
- lib/contrast/utils/job_servers_running.rb
|
1093
|
+
- lib/contrast/utils/lru_cache.rb
|
1094
|
+
- lib/contrast/utils/metrics_hash.rb
|
1082
1095
|
- lib/contrast/utils/object_share.rb
|
1083
1096
|
- lib/contrast/utils/os.rb
|
1097
|
+
- lib/contrast/utils/patching/policy/patch_utils.rb
|
1098
|
+
- lib/contrast/utils/patching/policy/patcher_utils.rb
|
1084
1099
|
- lib/contrast/utils/preflight_util.rb
|
1100
|
+
- lib/contrast/utils/requests_client.rb
|
1085
1101
|
- lib/contrast/utils/resource_loader.rb
|
1086
1102
|
- lib/contrast/utils/ruby_ast_rewriter.rb
|
1087
1103
|
- lib/contrast/utils/sha256_builder.rb
|
1088
1104
|
- lib/contrast/utils/stack_trace_utils.rb
|
1089
1105
|
- lib/contrast/utils/string_utils.rb
|
1090
1106
|
- lib/contrast/utils/tag_util.rb
|
1107
|
+
- lib/contrast/utils/telemetry.rb
|
1108
|
+
- lib/contrast/utils/telemetry_identifier.rb
|
1091
1109
|
- lib/contrast/utils/thread_tracker.rb
|
1092
1110
|
- lib/contrast/utils/timer.rb
|
1093
1111
|
- resources/assess/policy.json
|
@@ -1,47 +0,0 @@
|
|
1
|
-
/* Copyright (c) 2021 Contrast Security, Inc. See
|
2
|
-
* https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
|
3
|
-
|
4
|
-
#include "cs__protect_kernel.h"
|
5
|
-
#include "../cs__common/cs__common.h"
|
6
|
-
#include <ruby.h>
|
7
|
-
|
8
|
-
static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
|
9
|
-
const VALUE self) {
|
10
|
-
VALUE ret;
|
11
|
-
if (rb_block_given_p()) {
|
12
|
-
/* We call our hook, but it's a little complicated.
|
13
|
-
* We wrap the fork block with our own lambda in
|
14
|
-
* order to instrument it. There are no public
|
15
|
-
* methods in the Ruby C API to set the prevailing
|
16
|
-
* block, so we have to use rb_funcall_with_block.
|
17
|
-
* Also, rb_funcall_with_block does a public call,
|
18
|
-
* and our method is private.
|
19
|
-
* So we (as a hack) temporarily set it to public.
|
20
|
-
*/
|
21
|
-
VALUE wrapper;
|
22
|
-
wrapper =
|
23
|
-
rb_funcall_with_block(kernel_protect, rb_sym_protect_kernel_wrapper,
|
24
|
-
0, NULL, rb_block_proc());
|
25
|
-
rb_funcall(rb_mKernel, rb_intern("public"), 1,
|
26
|
-
ID2SYM(rb_sym_protect_kernel_fork));
|
27
|
-
ret = rb_funcall_with_block(self, rb_sym_protect_kernel_fork, argc,
|
28
|
-
argv, wrapper);
|
29
|
-
rb_funcall(rb_mKernel, rb_intern("private"), 1,
|
30
|
-
ID2SYM(rb_sym_protect_kernel_fork));
|
31
|
-
} else {
|
32
|
-
ret = rb_funcall2(self, rb_sym_protect_kernel_fork, argc, argv);
|
33
|
-
}
|
34
|
-
return ret;
|
35
|
-
}
|
36
|
-
|
37
|
-
void Init_cs__protect_kernel(void) {
|
38
|
-
VALUE core_protect = rb_define_module_under(core_extensions, "Protect");
|
39
|
-
kernel_protect = rb_define_module_under(core_protect, "Kernel");
|
40
|
-
rb_sym_protect_kernel_wrapper = rb_intern("build_wrapper");
|
41
|
-
|
42
|
-
rb_sym_protect_kernel_fork =
|
43
|
-
contrast_register_patch("Kernel", "fork", &contrast_protect_fork);
|
44
|
-
|
45
|
-
rb_sym_protect_kernel_fork = contrast_register_singleton_patch(
|
46
|
-
"Kernel", "fork", &contrast_protect_fork);
|
47
|
-
}
|
@@ -1,12 +0,0 @@
|
|
1
|
-
#include <ruby.h>
|
2
|
-
|
3
|
-
extern VALUE rb_vm_top_self(void);
|
4
|
-
|
5
|
-
static VALUE kernel_protect;
|
6
|
-
static VALUE rb_sym_protect_kernel_fork;
|
7
|
-
static VALUE rb_sym_protect_kernel_wrapper;
|
8
|
-
|
9
|
-
static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
|
10
|
-
const VALUE self);
|
11
|
-
|
12
|
-
void Init_cs__protect_kernel(void);
|
@@ -1,29 +0,0 @@
|
|
1
|
-
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
module Contrast
|
5
|
-
module Extension
|
6
|
-
module Protect
|
7
|
-
# This Module functions as our patch into the Kernel class for Protect,
|
8
|
-
# allowing us to track activity as it crosses spawned processes.
|
9
|
-
module Kernel
|
10
|
-
class << self
|
11
|
-
def build_wrapper
|
12
|
-
lambda {
|
13
|
-
proc_start
|
14
|
-
yield
|
15
|
-
# AtExitHook handles sending any messages generated in the new forked process
|
16
|
-
}
|
17
|
-
end
|
18
|
-
|
19
|
-
def proc_start
|
20
|
-
context = Contrast::Agent::REQUEST_TRACKER.current
|
21
|
-
return unless context
|
22
|
-
|
23
|
-
context.reset_activity
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|