contrast-agent 4.10.0 → 4.13.1

data/lib/contrast/utils/telemetry_identifier.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry'
+require 'contrast/utils/os'
+require 'socket'
+
+module Contrast
+  module Utils
+    # Tools for supporting the Telemetry feature
+    module Telemetry
+      # Gets info about the instrumented application required to build unique identifiers,
+      # used in the agent's Telemetry.
+      module Identifier
+        MAC_REGEX = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
+        LINUX_OS_REG = /hwaddr=.*?(([A-F0-9]{2}:){5}[A-F0-9]{2})/im.cs__freeze
+        MAC_OS_PRIMARY = 'en0'.cs__freeze
+        LINUX_PRIMARY = 'enp'.cs__freeze
+
+        # Sinatra and Grape both use similar approach to identify the app_name.
+        # Rails has a different way of doing it, but to unify this we'll use this one.
+        # If app_name is changed/renamed during production it would still get the
+        # new folder's name.
+        #
+        # @ return [String] name of the application from the current working directory
+        def self.app_name
+          @_app_name ||= File.basename(Dir.pwd)
+        end
+
+        # Returns the MAC address of the primary network interface, depending on the used OS.
+        # If the primary is unknown it finds the first available network interface and gets it's
+        # MAC address instead.
+        #
+        # @return [String, nil] MAC address of the primary network interface or
+        # the first available one, or nil if nothing found
+        def self.mac
+          @_mac = find_mac MAC_OS_PRIMARY if Contrast::Utils::OS.mac? && @_mac.nil?
+          @_mac = find_mac LINUX_PRIMARY if Contrast::Utils::OS.linux? && @_mac.nil?
+          # or find any available
+          @_mac = find_mac if @_mac.nil?
+          @_mac
+        end
+
+        class << self
+          private
+
+          # Finds the primary MAC address of all listed network adapters.
+          # If primary is not set or unknown, use the first MAC address found
+          # from the listed adapters.
+          #
+          # @param primary [nil, String] optional param if set look only for primary
+          # network adapter's name
+          # @return [String, nil] MAC address of the first listed network adapter or
+          # nil if not found
+          def find_mac primary = nil
+            result = nil
+            idx = 0
+            return if interfaces.empty?
+
+            while idx < interfaces.length
+              addr = interfaces[idx].addr
+              name = interfaces[idx].name # rubocop:disable Security/Module/Name
+              # retrieving MAC address from primary network interface or first available
+              mac = retrieve_mac name, addr, primary
+              idx += 1
+              next unless mac
+
+              result = mac if mac && (mac.match? MAC_REGEX)
+              break if result && !primary
+            end
+            result
+          end
+
+          # Retrieves MAC address for primary or any network interface.
+          # This is OS dependent search.
+          #
+          # @param name [Sting] interface name of ifaddr
+          # @param addr [String] address info
+          # example: #<Addrinfo: LINK[en0 aa:bb:cc:00:11:22]>
+          # @param primary [nil, String] optional param if set look only for primary
+          # network adapter's name
+          # @return mac [nil, String] MAC address of primary network interface,
+          # any network interface, or nil if no interface is found.
+          def retrieve_mac name, addr, primary
+            mac = nil
+            # Mac OS allow us to use getnameinfo(sockaddr [, flags]) => [hostname, servicename]
+            #
+            # returned address:
+            # <Socket::Ifaddr en0 UP,BROADCAST,RUNNING,NOTRAILERS,SIMPLEX,MULTICAST LINK[en0 aa:bb:cc:00:11:22]>
+            if Contrast::Utils::OS.mac?
+              mac = addr.getnameinfo[0] unless primary
+              mac = addr.getnameinfo[0] if primary && name.include?(primary)
+            end
+            # In Linux using Socket::addr#getnameinfo results in ai_family not supported exception.
+            # In this case we are relying on match filtering of addresses.
+            #
+            # returned address:
+            # #<Socket::Ifaddr eth0 UP,BROADCAST,RUNNING,MULTICAST,0x10000
+            # PACKET[protocol=0 eth0 hatype=1 HOST hwaddr=aa:bb:cc:00:11:22]>
+            if primary && Contrast::Utils::OS.linux?
+              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG && name.include?(primary)
+            elsif primary.nil? && Contrast::Utils::OS.linux?
+              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG
+            end
+            mac
+          end
+
+          # Returns array of network interfaces.
+          # This is OS dependent search.
+          #
+          # @return interfaces [Array] Returns an array of interface addresses.
+          # Socket::Ifaddr - represents a result of getifaddrs().
+          def interfaces
+            @_interfaces = []
+            arr = Socket.getifaddrs
+            idx = 0
+            check_family = 0
+            while idx < arr.length
+              # We need only network adapters MACs. Checking for pfamily of every socket address:
+              # 18 for Mac OS and 17 for Linux.
+              # family should be an address family such as: :INET, :INET6, :UNIX, etc.
+              check_family = 18 if Contrast::Utils::OS.mac?
+              check_family = 17 if Contrast::Utils::OS.linux?
+              if arr[idx].addr.pfamily != check_family
+                idx += 1
+                next
+              end
+              @_interfaces << arr[idx]
+              idx += 1
+            end
+            @_interfaces
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast.rb

@@ -23,7 +23,7 @@ end
 
 if RUBY_VERSION >= '3.0.0'
   # This fixes Ruby 3.0 issues with Module#(some instance method) patching by preventing the prepending of
-  # a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticable.
+  # a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticeable.
   # TODO: RUBY-1132 Remove this once Ruby 3 is fixed.
   # See bug here: https://bugs.ruby-lang.org/issues/17725
   class Class
@@ -35,6 +35,7 @@ if RUBY_VERSION >= '3.0.0'
 end
 
 require 'contrast/components/agent'
+require 'contrast/components/api'
 require 'contrast/components/app_context'
 require 'contrast/components/assess'
 require 'contrast/components/config'
@@ -47,6 +48,7 @@ require 'contrast/components/scope'
 require 'contrast/components/settings'
 
 module Contrast
+  API = Contrast::Components::Api::Interface.new
   SCOPE = Contrast::Components::Scope::Interface.new
   CONFIG = Contrast::Components::Config::Interface.new
   SETTINGS = Contrast::Components::Settings::Interface.new
@@ -76,3 +78,19 @@ if RUBY_VERSION >= '3.0.0'
   Class.alias_method(:prepend, :cs__orig_prepend)
   Class.remove_method(:cs__orig_prepend)
 end
+
+if RUBY_VERSION < '3.0.0'
+  # Better handles ancestors for older ruby versions.
+  # This is called from C, tread lightly.
+  class Module
+    @_included_in = []
+    # Returns array with modules including this instance
+    def included_in
+      @_included_in ||= [] unless cs__frozen?
+    end
+
+    def self.included_in
+      @_included_in ||= [] unless cs__frozen?
+    end
+  end
+end

data/resources/assess/policy.json

@@ -50,7 +50,7 @@
       "target": "R",
       "type": "COOKIE",
       "tags":["NO_NEWLINES", "CROSS_SITE"]
-    },  {
+    }, {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
@@ -200,8 +200,15 @@
       "source": "O",
       "target": "R",
       "action": "KEEP"
-    },
-    {
+    }, {
+      "class_name": "String",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "force_encoding",
+      "source": "O",
+      "target": "R",
+      "action": "SPLAT"
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -209,8 +216,7 @@
       "source": "O",
       "target": "R",
       "action": "KEEP"
-    },
-    {
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -218,7 +224,7 @@
       "source": "O,P0",
       "target": "R",
       "action": "SPLIT"
-    },{
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",

data/resources/deadzone/policy.json

@@ -1,11 +1,6 @@
 {
   "deadzones":[
     {
-      "class_name":"Rspec::Core::BacktraceFormatter",
-      "instance_method":true,
-      "method_visibility": "private",
-      "method_name":"matches?"
-    },{
       "class_name":"Rspec::Core::Example",
       "instance_method":true,
       "method_visibility": "private",
@@ -205,6 +200,92 @@
       "method_visibility": "public",
       "method_name":"exists?",
       "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/request/session.rb#L201"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BaseMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeAKindOf"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeAnInstanceOf"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeBetween"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Be"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeComparedTo"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeFalsey"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeHelpers"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeNil"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BePredicate"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeTruthy"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeWithin"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Change"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::ChangeRelatively"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::SpecificValuesChange"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Compound"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Compound::And"
+    }, {
+      "class_name": "RSpec::Matchers::BuiltIn::Compound::Or"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::ContainExactly"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Cover"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::EndWith"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Eq"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Eql"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Equal"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Exist"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Has"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::HaveAttributes"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::All"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Match"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::NegativeOperatorMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::OperatorMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Output"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::PositiveOperatorMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::RaiseError"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::RespondTo"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Satisfy"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::StartWith"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::ThrowSymbol"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldControl"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldSuccessiveArgs"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldWithArgs"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldWithNoArgs"
+    },{
+      "class_name": "SimpleCov"
     }
   ]
 }

data/ruby-agent.gemspec

@@ -150,7 +150,8 @@ def self.add_files spec
                    'shared_libraries/libfunchook.so',
                    'shared_libraries/funchook.h',
                    'funchook/src/libfunchook.dylib',
-                   'funchook/src/libfunchook.so')
+                   'funchook/src/libfunchook.so',
+                   '.secrets.baseline')
   end
 end
 

data/service_executables/VERSION

@@ -1 +1 @@
-2.21.2
+2.27.3

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 4.10.0
+  version: 4.13.1
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-08-31 00:00:00.000000000 Z
+date: 2021-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -618,19 +618,19 @@ executables:
 extensions:
 - ext/cs__common/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
+- ext/cs__os_information/extconf.rb
+- ext/cs__assess_array/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
 - ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_string/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__protect_kernel/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
 - ext/cs__assess_module/extconf.rb
 - ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__assess_array/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
 - ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_string/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -688,9 +688,9 @@ files:
 - ext/cs__contrast_patch/cs__contrast_patch.c
 - ext/cs__contrast_patch/cs__contrast_patch.h
 - ext/cs__contrast_patch/extconf.rb
-- ext/cs__protect_kernel/cs__protect_kernel.c
-- ext/cs__protect_kernel/cs__protect_kernel.h
-- ext/cs__protect_kernel/extconf.rb
+- ext/cs__os_information/cs__os_information.c
+- ext/cs__os_information/cs__os_information.h
+- ext/cs__os_information/extconf.rb
 - ext/extconf_common.rb
 - funchook/LICENSE
 - funchook/Makefile.in
@@ -898,6 +898,7 @@ files:
 - lib/contrast/agent/inventory/policy/datastores.rb
 - lib/contrast/agent/inventory/policy/policy.rb
 - lib/contrast/agent/inventory/policy/trigger_node.rb
+- lib/contrast/agent/metric_telemetry_event.rb
 - lib/contrast/agent/middleware.rb
 - lib/contrast/agent/module_data.rb
 - lib/contrast/agent/patching/policy/after_load_patch.rb
@@ -948,7 +949,10 @@ files:
 - lib/contrast/agent/rule_set.rb
 - lib/contrast/agent/scope.rb
 - lib/contrast/agent/service_heartbeat.rb
+- lib/contrast/agent/startup_metrics_telemetry_event.rb
 - lib/contrast/agent/static_analysis.rb
+- lib/contrast/agent/telemetry.rb
+- lib/contrast/agent/telemetry_event.rb
 - lib/contrast/agent/thread.rb
 - lib/contrast/agent/thread_watcher.rb
 - lib/contrast/agent/tracepoint_hook.rb
@@ -990,6 +994,7 @@ files:
 - lib/contrast/api/dtm.pb.rb
 - lib/contrast/api/settings.pb.rb
 - lib/contrast/components/agent.rb
+- lib/contrast/components/api.rb
 - lib/contrast/components/app_context.rb
 - lib/contrast/components/assess.rb
 - lib/contrast/components/base.rb
@@ -1004,11 +1009,13 @@ files:
 - lib/contrast/components/settings.rb
 - lib/contrast/config.rb
 - lib/contrast/config/agent_configuration.rb
+- lib/contrast/config/api_configuration.rb
 - lib/contrast/config/application_configuration.rb
 - lib/contrast/config/assess_configuration.rb
 - lib/contrast/config/assess_rules_configuration.rb
 - lib/contrast/config/base_configuration.rb
 - lib/contrast/config/default_value.rb
+- lib/contrast/config/env_variables.rb
 - lib/contrast/config/exception_configuration.rb
 - lib/contrast/config/heap_dump_configuration.rb
 - lib/contrast/config/inventory_configuration.rb
@@ -1039,7 +1046,6 @@ files:
 - lib/contrast/extension/kernel.rb
 - lib/contrast/extension/module.rb
 - lib/contrast/extension/protect.rb
-- lib/contrast/extension/protect/kernel.rb
 - lib/contrast/extension/protect/psych.rb
 - lib/contrast/extension/thread.rb
 - lib/contrast/framework/base_support.rb
@@ -1069,25 +1075,37 @@ files:
 - lib/contrast/security_exception.rb
 - lib/contrast/tasks/config.rb
 - lib/contrast/tasks/service.rb
+- lib/contrast/utils/assess/propagation_method_utils.rb
+- lib/contrast/utils/assess/property/tagged_utils.rb
 - lib/contrast/utils/assess/sampling_util.rb
+- lib/contrast/utils/assess/source_method_utils.rb
 - lib/contrast/utils/assess/tracking_util.rb
+- lib/contrast/utils/assess/trigger_method_utils.rb
 - lib/contrast/utils/class_util.rb
 - lib/contrast/utils/duck_utils.rb
 - lib/contrast/utils/env_configuration_item.rb
+- lib/contrast/utils/exclude_key.rb
 - lib/contrast/utils/hash_digest.rb
 - lib/contrast/utils/heap_dump_util.rb
 - lib/contrast/utils/invalid_configuration_util.rb
 - lib/contrast/utils/io_util.rb
 - lib/contrast/utils/job_servers_running.rb
+- lib/contrast/utils/lru_cache.rb
+- lib/contrast/utils/metrics_hash.rb
 - lib/contrast/utils/object_share.rb
 - lib/contrast/utils/os.rb
+- lib/contrast/utils/patching/policy/patch_utils.rb
+- lib/contrast/utils/patching/policy/patcher_utils.rb
 - lib/contrast/utils/preflight_util.rb
+- lib/contrast/utils/requests_client.rb
 - lib/contrast/utils/resource_loader.rb
 - lib/contrast/utils/ruby_ast_rewriter.rb
 - lib/contrast/utils/sha256_builder.rb
 - lib/contrast/utils/stack_trace_utils.rb
 - lib/contrast/utils/string_utils.rb
 - lib/contrast/utils/tag_util.rb
+- lib/contrast/utils/telemetry.rb
+- lib/contrast/utils/telemetry_identifier.rb
 - lib/contrast/utils/thread_tracker.rb
 - lib/contrast/utils/timer.rb
 - resources/assess/policy.json

data/ext/cs__protect_kernel/cs__protect_kernel.c

@@ -1,47 +0,0 @@
-/* Copyright (c) 2021 Contrast Security, Inc.  See
- * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
-
-#include "cs__protect_kernel.h"
-#include "../cs__common/cs__common.h"
-#include <ruby.h>
-
-static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
-                                   const VALUE self) {
-    VALUE ret;
-    if (rb_block_given_p()) {
-        /* We call our hook, but it's a little complicated.
-         * We wrap the fork block with our own lambda in
-         * order to instrument it.  There are no public
-         * methods in the Ruby C API to set the prevailing
-         * block, so we have to use rb_funcall_with_block.
-         * Also, rb_funcall_with_block does a public call,
-         * and our method is private.
-         * So we (as a hack) temporarily set it to public.
-         */
-        VALUE wrapper;
-        wrapper =
-            rb_funcall_with_block(kernel_protect, rb_sym_protect_kernel_wrapper,
-                                  0, NULL, rb_block_proc());
-        rb_funcall(rb_mKernel, rb_intern("public"), 1,
-                   ID2SYM(rb_sym_protect_kernel_fork));
-        ret = rb_funcall_with_block(self, rb_sym_protect_kernel_fork, argc,
-                                    argv, wrapper);
-        rb_funcall(rb_mKernel, rb_intern("private"), 1,
-                   ID2SYM(rb_sym_protect_kernel_fork));
-    } else {
-        ret = rb_funcall2(self, rb_sym_protect_kernel_fork, argc, argv);
-    }
-    return ret;
-}
-
-void Init_cs__protect_kernel(void) {
-    VALUE core_protect = rb_define_module_under(core_extensions, "Protect");
-    kernel_protect = rb_define_module_under(core_protect, "Kernel");
-    rb_sym_protect_kernel_wrapper = rb_intern("build_wrapper");
-
-    rb_sym_protect_kernel_fork =
-        contrast_register_patch("Kernel", "fork", &contrast_protect_fork);
-
-    rb_sym_protect_kernel_fork = contrast_register_singleton_patch(
-        "Kernel", "fork", &contrast_protect_fork);
-}

data/ext/cs__protect_kernel/cs__protect_kernel.h

@@ -1,12 +0,0 @@
-#include <ruby.h>
-
-extern VALUE rb_vm_top_self(void);
-
-static VALUE kernel_protect;
-static VALUE rb_sym_protect_kernel_fork;
-static VALUE rb_sym_protect_kernel_wrapper;
-
-static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
-                                   const VALUE self);
-
-void Init_cs__protect_kernel(void);

data/lib/contrast/extension/protect/kernel.rb

@@ -1,29 +0,0 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Extension
-    module Protect
-      # This Module functions as our patch into the Kernel class for Protect,
-      # allowing us to track activity as it crosses spawned processes.
-      module Kernel
-        class << self
-          def build_wrapper
-            lambda {
-              proc_start
-              yield
-              # AtExitHook handles sending any messages generated in the new forked process
-            }
-          end
-
-          def proc_start
-            context = Contrast::Agent::REQUEST_TRACKER.current
-            return unless context
-
-            context.reset_activity
-          end
-        end
-      end
-    end
-  end
-end