contrast-agent 4.11.0 → 4.14.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (145) hide show
  1. checksums.yaml +4 -4
  2. data/.simplecov +1 -0
  3. data/ext/cs__assess_module/cs__assess_module.c +48 -0
  4. data/ext/cs__assess_module/cs__assess_module.h +7 -0
  5. data/ext/cs__common/cs__common.c +24 -7
  6. data/ext/cs__common/cs__common.h +12 -2
  7. data/ext/cs__contrast_patch/cs__contrast_patch.c +48 -11
  8. data/ext/cs__contrast_patch/cs__contrast_patch.h +5 -2
  9. data/ext/cs__os_information/cs__os_information.c +31 -0
  10. data/ext/cs__os_information/cs__os_information.h +7 -0
  11. data/ext/{cs__protect_kernel → cs__os_information}/extconf.rb +0 -0
  12. data/lib/contrast/agent/assess/contrast_event.rb +1 -1
  13. data/lib/contrast/agent/assess/contrast_object.rb +1 -1
  14. data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +2 -0
  15. data/lib/contrast/agent/assess/policy/policy_node.rb +6 -6
  16. data/lib/contrast/agent/assess/policy/policy_scanner.rb +5 -0
  17. data/lib/contrast/agent/assess/policy/preshift.rb +19 -6
  18. data/lib/contrast/agent/assess/policy/propagation_method.rb +2 -116
  19. data/lib/contrast/agent/assess/policy/propagation_node.rb +4 -4
  20. data/lib/contrast/agent/assess/policy/propagator/center.rb +1 -1
  21. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +2 -0
  22. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -154
  23. data/lib/contrast/agent/assess/policy/source_method.rb +2 -71
  24. data/lib/contrast/agent/assess/policy/trigger_method.rb +45 -110
  25. data/lib/contrast/agent/assess/policy/trigger_node.rb +62 -21
  26. data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
  27. data/lib/contrast/agent/assess/property/tagged.rb +66 -189
  28. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +40 -6
  29. data/lib/contrast/agent/deadzone/policy/policy.rb +6 -0
  30. data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +1 -0
  31. data/lib/contrast/agent/metric_telemetry_event.rb +26 -0
  32. data/lib/contrast/agent/middleware.rb +14 -62
  33. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +0 -1
  34. data/lib/contrast/agent/patching/policy/method_policy.rb +3 -44
  35. data/lib/contrast/agent/patching/policy/method_policy_extend.rb +111 -0
  36. data/lib/contrast/agent/patching/policy/patch.rb +37 -238
  37. data/lib/contrast/agent/patching/policy/patcher.rb +15 -50
  38. data/lib/contrast/agent/reporting/report.rb +21 -0
  39. data/lib/contrast/agent/reporting/reporter.rb +142 -0
  40. data/lib/contrast/agent/reporting/reporting_events/finding.rb +90 -0
  41. data/lib/contrast/agent/reporting/reporting_events/preflight.rb +25 -0
  42. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +56 -0
  43. data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +37 -0
  44. data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +127 -0
  45. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +168 -0
  46. data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +66 -0
  47. data/lib/contrast/agent/request.rb +2 -81
  48. data/lib/contrast/agent/request_context.rb +18 -126
  49. data/lib/contrast/agent/request_context_extend.rb +138 -0
  50. data/lib/contrast/agent/request_handler.rb +7 -3
  51. data/lib/contrast/agent/response.rb +2 -73
  52. data/lib/contrast/agent/rule_set.rb +2 -4
  53. data/lib/contrast/agent/startup_metrics_telemetry_event.rb +94 -0
  54. data/lib/contrast/agent/static_analysis.rb +5 -3
  55. data/lib/contrast/agent/telemetry.rb +137 -0
  56. data/lib/contrast/agent/telemetry_event.rb +33 -0
  57. data/lib/contrast/agent/thread_watcher.rb +66 -11
  58. data/lib/contrast/agent/version.rb +1 -1
  59. data/lib/contrast/agent.rb +21 -1
  60. data/lib/contrast/api/communication/connection_status.rb +10 -7
  61. data/lib/contrast/api/communication/messaging_queue.rb +37 -3
  62. data/lib/contrast/api/communication/response_processor.rb +15 -8
  63. data/lib/contrast/api/communication/service_lifecycle.rb +13 -3
  64. data/lib/contrast/api/communication/socket.rb +6 -8
  65. data/lib/contrast/api/communication/socket_client.rb +29 -12
  66. data/lib/contrast/api/communication/speedracer.rb +37 -1
  67. data/lib/contrast/api/communication/tcp_socket.rb +4 -3
  68. data/lib/contrast/api/communication/unix_socket.rb +1 -0
  69. data/lib/contrast/api/decorators/finding.rb +45 -0
  70. data/lib/contrast/components/api.rb +90 -0
  71. data/lib/contrast/components/app_context.rb +10 -41
  72. data/lib/contrast/components/app_context_extend.rb +78 -0
  73. data/lib/contrast/components/assess.rb +7 -0
  74. data/lib/contrast/components/base.rb +23 -0
  75. data/lib/contrast/components/config.rb +92 -13
  76. data/lib/contrast/components/contrast_service.rb +11 -0
  77. data/lib/contrast/components/sampling.rb +2 -2
  78. data/lib/contrast/config/agent_configuration.rb +1 -1
  79. data/lib/contrast/config/api_configuration.rb +27 -0
  80. data/lib/contrast/config/api_proxy_configuration.rb +14 -0
  81. data/lib/contrast/config/application_configuration.rb +2 -3
  82. data/lib/contrast/config/assess_configuration.rb +3 -2
  83. data/lib/contrast/config/base_configuration.rb +17 -28
  84. data/lib/contrast/config/certification_configuration.rb +15 -0
  85. data/lib/contrast/config/env_variables.rb +18 -0
  86. data/lib/contrast/config/heap_dump_configuration.rb +6 -6
  87. data/lib/contrast/config/inventory_configuration.rb +1 -5
  88. data/lib/contrast/config/protect_rule_configuration.rb +1 -1
  89. data/lib/contrast/config/request_audit_configuration.rb +18 -0
  90. data/lib/contrast/config/root_configuration.rb +1 -0
  91. data/lib/contrast/config/ruby_configuration.rb +6 -6
  92. data/lib/contrast/config/service_configuration.rb +2 -2
  93. data/lib/contrast/config.rb +1 -1
  94. data/lib/contrast/configuration.rb +4 -2
  95. data/lib/contrast/extension/assess/array.rb +5 -7
  96. data/lib/contrast/framework/manager.rb +22 -44
  97. data/lib/contrast/framework/manager_extend.rb +50 -0
  98. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +9 -6
  99. data/lib/contrast/framework/rails/patch/support.rb +31 -29
  100. data/lib/contrast/framework/rails/railtie.rb +1 -1
  101. data/lib/contrast/framework/sinatra/support.rb +2 -1
  102. data/lib/contrast/logger/application.rb +4 -0
  103. data/lib/contrast/logger/log.rb +8 -103
  104. data/lib/contrast/utils/assess/propagation_method_utils.rb +129 -0
  105. data/lib/contrast/utils/assess/property/tagged_utils.rb +165 -0
  106. data/lib/contrast/utils/assess/source_method_utils.rb +83 -0
  107. data/lib/contrast/utils/assess/tracking_util.rb +20 -15
  108. data/lib/contrast/utils/assess/trigger_method_utils.rb +138 -0
  109. data/lib/contrast/utils/class_util.rb +65 -54
  110. data/lib/contrast/utils/exclude_key.rb +20 -0
  111. data/lib/contrast/utils/findings.rb +62 -0
  112. data/lib/contrast/utils/hash_digest.rb +10 -73
  113. data/lib/contrast/utils/hash_digest_extend.rb +86 -0
  114. data/lib/contrast/utils/head_dump_utils_extend.rb +74 -0
  115. data/lib/contrast/utils/heap_dump_util.rb +2 -65
  116. data/lib/contrast/utils/invalid_configuration_util.rb +29 -0
  117. data/lib/contrast/utils/io_util.rb +1 -1
  118. data/lib/contrast/utils/log_utils.rb +108 -0
  119. data/lib/contrast/utils/lru_cache.rb +4 -2
  120. data/lib/contrast/utils/metrics_hash.rb +59 -0
  121. data/lib/contrast/utils/middleware_utils.rb +87 -0
  122. data/lib/contrast/utils/net_http_base.rb +158 -0
  123. data/lib/contrast/utils/object_share.rb +1 -0
  124. data/lib/contrast/utils/os.rb +23 -0
  125. data/lib/contrast/utils/patching/policy/patch_utils.rb +232 -0
  126. data/lib/contrast/utils/patching/policy/patcher_utils.rb +54 -0
  127. data/lib/contrast/utils/request_utils.rb +88 -0
  128. data/lib/contrast/utils/response_utils.rb +97 -0
  129. data/lib/contrast/utils/substitution_utils.rb +167 -0
  130. data/lib/contrast/utils/tag_util.rb +9 -9
  131. data/lib/contrast/utils/telemetry.rb +79 -0
  132. data/lib/contrast/utils/telemetry_client.rb +90 -0
  133. data/lib/contrast/utils/telemetry_identifier.rb +130 -0
  134. data/lib/contrast.rb +19 -1
  135. data/resources/assess/policy.json +12 -6
  136. data/resources/deadzone/policy.json +86 -5
  137. data/ruby-agent.gemspec +7 -6
  138. data/service_executables/VERSION +1 -1
  139. data/service_executables/linux/contrast-service +0 -0
  140. data/service_executables/mac/contrast-service +0 -0
  141. metadata +68 -26
  142. data/ext/cs__protect_kernel/cs__protect_kernel.c +0 -47
  143. data/ext/cs__protect_kernel/cs__protect_kernel.h +0 -12
  144. data/lib/contrast/config/default_value.rb +0 -17
  145. data/lib/contrast/extension/protect/kernel.rb +0 -29
@@ -0,0 +1,62 @@
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/components/logger'
5
+
6
+ module Contrast
7
+ module Utils
8
+ # Utility for saving raw findings for later
9
+ class Findings
10
+ include Contrast::Components::Logger::InstanceMethods
11
+
12
+ def initialize
13
+ @_collection = []
14
+ end
15
+
16
+ def collection
17
+ @_collection ||= []
18
+ end
19
+
20
+ def push trigger_node, source, object, ret, *args
21
+ return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless trigger_node.collectable?
22
+
23
+ @_collection << { trigger_node: trigger_node, source: source, object: object, ret: ret, args: args }
24
+ end
25
+
26
+ # Some rules requires response to be available before validating them correctly,
27
+ # so we check if trigger_node.rule_id is collectable and then save them for
28
+ # later report, when we have the response.
29
+ #
30
+ # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
31
+ # trigger event
32
+ # @param source [Object] the source of the Trigger Event
33
+ # @param object [Object] the Object on which the method was invoked
34
+ # @param ret [Object] the Return of the invoked method
35
+ # @param args [Array<Object>] the Arguments with which the method was invoked
36
+ def collect_finding trigger_node, source, object, ret, *args
37
+ push trigger_node, source, object, ret, args
38
+ logger.trace('Finding collected', node_id: trigger_node.id,
39
+ source_id: source.__id__,
40
+ rule: trigger_node.rule_id)
41
+ end
42
+
43
+ # Build and report all collected findings for the collectable rules.
44
+ #
45
+ # We make sure the content-type is present before reporting, because some
46
+ # findings do require it for validation.
47
+ def report_collected_findings
48
+ return if Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type.nil?
49
+ return if @_collection.empty?
50
+
51
+ while @_collection.any?
52
+ finding = @_collection.pop
53
+ Contrast::Agent::Assess::Policy::TriggerMethod.build_finding finding[:trigger_node],
54
+ finding[:source],
55
+ finding[:object],
56
+ finding[:ret],
57
+ finding[:args]
58
+ end
59
+ end
60
+ end
61
+ end
62
+ end
@@ -2,6 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'digest'
5
+ require 'contrast/utils/hash_digest_extend'
5
6
 
6
7
  module Contrast
7
8
  module Utils
@@ -13,6 +14,7 @@ module Contrast
13
14
  # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
14
15
  class HashDigest < Digest::Class
15
16
  include Digest::Instance
17
+ extend Contrast::Utils::HashDigestExtend
16
18
 
17
19
  CONTENT_LENGTH_HEADER = 'Content-Length'
18
20
  CRYPTO_RULES = %w[crypto-bad-ciphers crypto-bad-mac].cs__freeze
@@ -21,76 +23,6 @@ module Contrast
21
23
  CLASS_SOURCE_KEY = 'source'
22
24
  CLASS_CONSTANT_NAME_KEY = 'name'
23
25
  CLASS_LINE_NO_KEY = 'lineNo'
24
- class << self
25
- def generate_request_hash request
26
- hash = new
27
- hash.update(request.request_method)
28
- hash.update(request.normalized_uri)
29
- request.parameters.each_key do |name|
30
- hash.update(name)
31
- end
32
- cl = request.headers[CONTENT_LENGTH_HEADER]
33
- hash.update_on_content_length(cl) if cl
34
- hash.finish
35
- end
36
-
37
- def generate_event_hash finding, source, request
38
- return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
39
-
40
- id = finding.rule_id
41
- return generate_crypto_hash(finding, source, request) if CRYPTO_RULES.include?(id)
42
-
43
- generate_trigger_hash(finding, request)
44
- end
45
-
46
- def generate_config_hash finding
47
- hash = new
48
- hash.update(finding.rule_id)
49
- path = finding.properties[CONFIG_PATH_KEY]
50
- hash.update(path)
51
- method = finding.properties[CONFIG_SESSION_ID_KEY]
52
- hash.update(method)
53
- hash.finish
54
- end
55
-
56
- def generate_class_scanning_hash finding
57
- hash = new
58
- hash.update(finding.rule_id)
59
- module_name = finding.properties[CLASS_SOURCE_KEY]
60
- hash.update(module_name)
61
- # We're not currently collecting this. 30/7/19 HM
62
- line_no = finding.properties[CLASS_LINE_NO_KEY]
63
- hash.update(line_no)
64
- field = finding.properties[CLASS_CONSTANT_NAME_KEY]
65
- hash.update(field)
66
- hash.finish
67
- end
68
-
69
- private
70
-
71
- def generate_crypto_hash finding, algorithm, request
72
- hash = new
73
- hash.update(finding.rule_id)
74
- hash.update(algorithm)
75
- hash.update_on_request(finding, request)
76
- hash.finish
77
- end
78
-
79
- def generate_dataflow_hash finding, request
80
- hash = new
81
- hash.update(finding.rule_id)
82
- hash.update_on_sources(finding.events)
83
- hash.update_on_request(finding, request)
84
- hash.finish
85
- end
86
-
87
- def generate_trigger_hash finding, request
88
- hash = new
89
- hash.update(finding.rule_id)
90
- hash.update_on_request(finding, request)
91
- hash.finish
92
- end
93
- end
94
26
 
95
27
  def update_on_request finding, request
96
28
  if (route = finding.routes[0])
@@ -106,9 +38,14 @@ module Contrast
106
38
  return unless events&.any?
107
39
 
108
40
  events.each do |event|
109
- event.event_sources.each do |source|
110
- update(source.type)
111
- update(source.name) # rubocop:disable Security/Module/Name -- API attribute.
41
+ if event.cs__is_a?(Contrast::Api::Dtm::TraceEvent)
42
+ event.event_sources&.each do |source|
43
+ update(source.type)
44
+ update(source.name) # rubocop:disable Security/Module/Name
45
+ end
46
+ elsif event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
47
+ update(event.source_type)
48
+ update(event.source_name)
112
49
  end
113
50
  end
114
51
  end
@@ -0,0 +1,86 @@
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'digest'
5
+ require 'contrast/utils/hash_digest'
6
+
7
+ module Contrast
8
+ module Utils
9
+ # We use this class to provide hashes for our Request and Finding objects
10
+ # based upon our definitions of uniqueness.
11
+ # While the uniqueness of the request object is something internal to the
12
+ # Ruby agent, the uniqueness of the Finding hash is defined by a
13
+ # specification shared across all agent teams. The spec can be found here:
14
+ # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
15
+ module HashDigestExtend
16
+ def generate_request_hash request
17
+ hash = new
18
+ hash.update(request.request_method)
19
+ hash.update(request.normalized_uri)
20
+ request.parameters.each_key do |name|
21
+ hash.update(name)
22
+ end
23
+ cl = request.headers[Contrast::Utils::HashDigest::CONTENT_LENGTH_HEADER]
24
+ hash.update_on_content_length(cl) if cl
25
+ hash.finish
26
+ end
27
+
28
+ def generate_event_hash finding, source, request
29
+ return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
30
+
31
+ id = finding.rule_id
32
+ return generate_crypto_hash(finding, source, request) if Contrast::Utils::HashDigest::CRYPTO_RULES.include?(id)
33
+
34
+ generate_trigger_hash(finding, request)
35
+ end
36
+
37
+ def generate_config_hash finding
38
+ hash = new
39
+ hash.update(finding.rule_id)
40
+ path = finding.properties[Contrast::Utils::HashDigest::CONFIG_PATH_KEY]
41
+ hash.update(path)
42
+ method = finding.properties[Contrast::Utils::HashDigest::CONFIG_SESSION_ID_KEY]
43
+ hash.update(method)
44
+ hash.finish
45
+ end
46
+
47
+ def generate_class_scanning_hash finding
48
+ hash = new
49
+ hash.update(finding.rule_id)
50
+ module_name = finding.properties[Contrast::Utils::HashDigest::CLASS_SOURCE_KEY]
51
+ hash.update(module_name)
52
+ # We're not currently collecting this. 30/7/19 HM
53
+ line_no = finding.properties[Contrast::Utils::HashDigest::CLASS_LINE_NO_KEY]
54
+ hash.update(line_no)
55
+ field = finding.properties[Contrast::Utils::HashDigest::CLASS_CONSTANT_NAME_KEY]
56
+ hash.update(field)
57
+ hash.finish
58
+ end
59
+
60
+ private
61
+
62
+ def generate_crypto_hash finding, algorithm, request
63
+ hash = new
64
+ hash.update(finding.rule_id)
65
+ hash.update(algorithm)
66
+ hash.update_on_request(finding, request)
67
+ hash.finish
68
+ end
69
+
70
+ def generate_dataflow_hash finding, request
71
+ hash = new
72
+ hash.update(finding.rule_id)
73
+ hash.update_on_sources(finding.events)
74
+ hash.update_on_request(finding, request)
75
+ hash.finish
76
+ end
77
+
78
+ def generate_trigger_hash finding, request
79
+ hash = new
80
+ hash.update(finding.rule_id)
81
+ hash.update_on_request(finding, request)
82
+ hash.finish
83
+ end
84
+ end
85
+ end
86
+ end
@@ -0,0 +1,74 @@
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ module Contrast
5
+ module Utils
6
+ # this module extends HeadDumpUtil
7
+ module HeadDumpExtend
8
+ def log_enabled_warning
9
+ control = Contrast::Utils::HeapDumpUtil.control
10
+ dir = control[:path]
11
+ window = control[:window]
12
+ count = control[:count]
13
+ delay = control[:delay]
14
+ clean = control[:clean]
15
+
16
+ logger.info <<~WARNING
17
+ *****************************************************
18
+ ******** HEAP DUMP HAS BEEN ENABLED ********
19
+ *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
20
+ *****************************************************
21
+
22
+ Heap dump is a debugging tool that snapshots the entire
23
+ state of the Ruby VM. It is an exceptionally expensive
24
+ process, and should only be used to debug especially
25
+ pernicious errors.
26
+
27
+ It will write multiple memory snaphots, which are liable
28
+ to be multiple gigabytes in size.
29
+ They will be named "[unix timestamp]-heap.dump",
30
+ e.g.: 1020304050-heap.dump
31
+
32
+ It will then call Ruby `exit()`.
33
+
34
+ If this is not your specific intent, you can (and should)
35
+ disable this option in your Contrast config file.
36
+
37
+ HEAP DUMP PARAMETERS:
38
+ \t[write files to this directory] dir: #{ dir }
39
+ \t[wait this many seconds in between dumps] window: #{ window }
40
+ \t[heap dump this many times] count: #{ count }
41
+ \t[wait this many seconds into app lifetime] delay: #{ delay }
42
+ \t[perform gc pass before dump] clean: #{ clean }
43
+
44
+ *****************************************************
45
+ ******** YOU HAVE BEEN WARNED ********
46
+ *****************************************************
47
+ WARNING
48
+ end
49
+
50
+ def capture_heap_dump
51
+ control = Contrast::Utils::HeapDumpUtil.control
52
+ dir = control[:path]
53
+ window = control[:window]
54
+ count = control[:count]
55
+ clean = control[:clean]
56
+ logger.info('HEAP DUMP MAIN LOOP')
57
+ ObjectSpace.trace_object_allocations_start
58
+ count.times do |i|
59
+ logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
60
+ snapshot_heap(dir, clean)
61
+ logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
62
+ sleep(window)
63
+ end
64
+ ensure
65
+ ObjectSpace.trace_object_allocations_stop
66
+ logger.info('*****************************************************')
67
+ logger.info('******** HEAP DUMP HAS CONCLUDED ********')
68
+ logger.info('*** APPLICATION PROCESS WILL EXIT SHORTLY ***')
69
+ logger.info('*****************************************************')
70
+ exit # rubocop:disable Rails/Exit We weren't kidding!
71
+ end
72
+ end
73
+ end
74
+ end
@@ -5,6 +5,7 @@ require 'objspace'
5
5
  require 'singleton'
6
6
  require 'contrast/components/heap_dump'
7
7
  require 'contrast/components/logger'
8
+ require 'contrast/utils/head_dump_utils_extend'
8
9
 
9
10
  module Contrast
10
11
  module Utils
@@ -13,6 +14,7 @@ module Contrast
13
14
  extend Contrast::Components::Logger::InstanceMethods
14
15
  include Contrast::Components::Logger::InstanceMethods
15
16
  extend Contrast::Components::HeapDump::InstanceMethods
17
+ include Contrast::Utils::HeadDumpExtend
16
18
 
17
19
  LOG_ERROR_DUMPS = 'Unable to generate heap dumps'
18
20
  FILE_WRITE_FLAGS = 'w'
@@ -47,71 +49,6 @@ module Contrast
47
49
  nil
48
50
  end
49
51
 
50
- def log_enabled_warning
51
- control = Contrast::Utils::HeapDumpUtil.control
52
- dir = control[:path]
53
- window = control[:window]
54
- count = control[:count]
55
- delay = control[:delay]
56
- clean = control[:clean]
57
-
58
- logger.info <<~WARNING
59
- *****************************************************
60
- ******** HEAP DUMP HAS BEEN ENABLED ********
61
- *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
62
- *****************************************************
63
-
64
- Heap dump is a debugging tool that snapshots the entire
65
- state of the Ruby VM. It is an exceptionally expensive
66
- process, and should only be used to debug especially
67
- pernicious errors.
68
-
69
- It will write multiple memory snaphots, which are liable
70
- to be multiple gigabytes in size.
71
- They will be named "[unix timestamp]-heap.dump",
72
- e.g.: 1020304050-heap.dump
73
-
74
- It will then call Ruby `exit()`.
75
-
76
- If this is not your specific intent, you can (and should)
77
- disable this option in your Contrast config file.
78
-
79
- HEAP DUMP PARAMETERS:
80
- \t[write files to this directory] dir: #{ dir }
81
- \t[wait this many seconds in between dumps] window: #{ window }
82
- \t[heap dump this many times] count: #{ count }
83
- \t[wait this many seconds into app lifetime] delay: #{ delay }
84
- \t[perform gc pass before dump] clean: #{ clean }
85
-
86
- *****************************************************
87
- ******** YOU HAVE BEEN WARNED ********
88
- *****************************************************
89
- WARNING
90
- end
91
-
92
- def capture_heap_dump
93
- control = Contrast::Utils::HeapDumpUtil.control
94
- dir = control[:path]
95
- window = control[:window]
96
- count = control[:count]
97
- clean = control[:clean]
98
- logger.info('HEAP DUMP MAIN LOOP')
99
- ObjectSpace.trace_object_allocations_start
100
- count.times do |i|
101
- logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
102
- snapshot_heap(dir, clean)
103
- logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
104
- sleep(window)
105
- end
106
- ensure
107
- ObjectSpace.trace_object_allocations_stop
108
- logger.info('*****************************************************')
109
- logger.info('******** HEAP DUMP HAS CONCLUDED ********')
110
- logger.info('*** APPLICATION PROCESS WILL EXIT SHORTLY ***')
111
- logger.info('*****************************************************')
112
- exit # rubocop:disable Rails/Exit We weren't kidding!
113
- end
114
-
115
52
  def snapshot_heap dir, clean
116
53
  output = "#{ Time.now.to_f }-heap.dump"
117
54
  output = File.join(dir, output)
@@ -34,11 +34,28 @@ module Contrast
34
34
  finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
35
35
  finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
36
36
  Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
37
+ if Contrast::Agent::Reporter.enabled?
38
+ cs__report_new_finding hash, rule_id, user_provided_options, call_location
39
+ end
37
40
  end
38
41
  rescue StandardError => e
39
42
  logger.error('Unable to build a finding', e, rule: rule_id)
40
43
  end
41
44
 
45
+ def cs__report_new_finding hash_code, rule_id, user_provided_options, call_location
46
+ new_preflight = Contrast::Agent::Reporting::Preflight.new
47
+ new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
48
+ new_preflight_message.hash_code = hash_code
49
+ new_preflight_message.data = "#{ rule_id },#{ hash_code }"
50
+ new_preflight.messages << new_preflight_message
51
+
52
+ ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
53
+ ruby_finding.hash_code = hash_code
54
+ set_new_finding_properties(ruby_finding, user_provided_options, call_location)
55
+ Contrast::Agent.reporter_queue.send_event_immediately(new_preflight)
56
+ Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
57
+ end
58
+
42
59
  private
43
60
 
44
61
  # Set the properties needed to report and subsequently render this finding on the finding given.
@@ -76,6 +93,18 @@ module Contrast
76
93
  end
77
94
  call_location&.label&.dup
78
95
  end
96
+
97
+ def set_new_finding_properties finding, user_provided_options, call_location
98
+ path = call_location.path
99
+ # just get the file name, not the full path
100
+ path = path.split(Contrast::Utils::ObjectShare::SLASH).last
101
+ session_id = user_provided_options[:key].to_s if user_provided_options
102
+ finding.properties[CS__SESSION_ID] = session_id
103
+ finding.properties[CS__PATH] = path
104
+ file_path = call_location.absolute_path
105
+ snippet = file_snippet(file_path, call_location)
106
+ finding.properties[CS__SNIPPET] = snippet
107
+ end
79
108
  end
80
109
  end
81
110
  end
@@ -11,7 +11,7 @@ module Contrast
11
11
 
12
12
  class << self
13
13
  # We're only going to call rewind on things that we believe are safe to
14
- # call it on. This method white lists those cases and returns false in
14
+ # call it on. This method allow lists those cases and returns false in
15
15
  # all others.
16
16
  def should_rewind? potential_io
17
17
  return true if potential_io.is_a?(StringIO)
@@ -0,0 +1,108 @@
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ module Contrast
5
+ module Utils
6
+ # Method utility used by Contrast::Logger::log
7
+ module LogUtils
8
+ DEFAULT_NAME = 'contrast.log'
9
+ DEFAULT_LEVEL = ::Ougai::Logging::Severity::INFO
10
+ VALID_LEVELS = ::Ougai::Logging::Severity::SEV_LABEL
11
+ STDOUT_STR = 'STDOUT'
12
+ STDERR_STR = 'STDERR'
13
+ PROGNAME = 'Contrast Agent'
14
+ DATE_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%L%z'
15
+
16
+ private
17
+
18
+ def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
19
+ logger = case path
20
+ when STDOUT_STR, STDERR_STR
21
+ ::Ougai::Logger.new(Object.cs__const_get(path))
22
+ else
23
+ ::Ougai::Logger.new(path)
24
+ end
25
+ add_contrast_loggers(logger)
26
+ logger.progname = PROGNAME
27
+ logger.level = level_const
28
+ logger.formatter = Contrast::Logger::Format.new
29
+ logger.formatter.datetime_format = DATE_TIME_FORMAT
30
+ logger
31
+ end
32
+
33
+ def add_contrast_loggers logger
34
+ logger.extend(Contrast::Logger::Application)
35
+ logger.extend(Contrast::Logger::Request)
36
+ logger.extend(Contrast::Logger::Time)
37
+ end
38
+
39
+ # Determine the valid path to which to log, given the precedence of config > settings > default.
40
+ #
41
+ # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
42
+ # TeamServer.
43
+ # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
44
+ def find_valid_path log_file
45
+ config = ::Contrast::CONFIG.root.agent.logger
46
+ config_path = config&.path&.length.to_i.positive? ? config.path : nil
47
+ valid_path(config_path || log_file)
48
+ end
49
+
50
+ def valid_path path
51
+ path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
52
+ return path if path == STDOUT_STR
53
+ return path if path == STDERR_STR
54
+
55
+ path = DEFAULT_NAME if path.empty?
56
+ if write_permission?(path)
57
+ path
58
+ elsif write_permission?(DEFAULT_NAME)
59
+ # Log once when the path is invalid. We'll change to this path, so no
60
+ # need to log again.
61
+ if previous_path != DEFAULT_NAME
62
+ $stdout.puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
63
+ end
64
+ DEFAULT_NAME
65
+ else
66
+ # Log once when the path is invalid. We'll change to this path, so no
67
+ # need to log again.
68
+ $stdout.puts "[!] Unable to write to '#{ path }'. Writing to standard out instead."
69
+ STDOUT_STR
70
+ end
71
+ end
72
+
73
+ # Determine the valid level to which to log, given the precedence of config > settings > default.
74
+ #
75
+ # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
76
+ # TeamServer.
77
+ # @return [::Ougai::Logging::Severity] the level at which to log
78
+ def find_valid_level log_level
79
+ config = ::Contrast::CONFIG.root.agent.logger
80
+ config_level = config&.level&.length&.positive? ? config.level : nil
81
+
82
+ valid_level(config_level || log_level)
83
+ end
84
+
85
+ def valid_level level
86
+ level ||= DEFAULT_LEVEL
87
+ level = level.upcase
88
+ if VALID_LEVELS.include?(level)
89
+ Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
90
+ else
91
+ DEFAULT_LEVEL
92
+ end
93
+ rescue StandardError
94
+ DEFAULT_LEVEL
95
+ end
96
+
97
+ # Log that the Agent log has changed and include some default information at the start of the log.
98
+ def log_update
99
+ logger.debug('Initialized new contrast agent logger')
100
+ logger.debug_with_time('middleware: log environment') do
101
+ logger.application_environment
102
+ logger.application_configuration
103
+ logger.application_libraries
104
+ end
105
+ end
106
+ end
107
+ end
108
+ end
@@ -1,8 +1,6 @@
1
1
  # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
- require 'contrast/components/logger'
5
-
6
4
  module Contrast
7
5
  module Utils
8
6
  # A LRU(Least Recently Used) Cache store.
@@ -38,6 +36,10 @@ module Contrast
38
36
  def values
39
37
  @cache.values
40
38
  end
39
+
40
+ def clear
41
+ @cache.clear
42
+ end
41
43
  end
42
44
  end
43
45
  end
@@ -0,0 +1,59 @@
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/components/logger'
5
+
6
+ module Contrast
7
+ module Utils
8
+ # This is the MetricsHash, which will take data type, so we now what is introduced/included
9
+ # in the TelemetryEvent
10
+ class MetricsHash < Hash
11
+ include Contrast::Components::Logger::InstanceMethods
12
+
13
+ attr_reader :data_type
14
+
15
+ ERROR_MESSAGES = [
16
+ 'The key is not string or does not meet the requirements.',
17
+ 'The key extends the allowed length.',
18
+ 'VThe provided value is not the right data type'
19
+ ].cs__freeze
20
+ KEY_REGEXP = /[a-zA-Z0-9_-]{1,63}/.cs__freeze
21
+
22
+ def initialize data_type, *several_variants
23
+ super
24
+ @data_type = data_type
25
+ end
26
+
27
+ def []= key, value
28
+ key_val = key.dup
29
+ value_val = value.dup
30
+ key_val.strip! if key_val.cs__is_a?(String)
31
+ value_val.strip! if value_val.cs__is_a?(String)
32
+ return unless valid_pair? key_val, value_val
33
+
34
+ key_val.downcase!
35
+ key_val.strip!
36
+ super(key_val, value_val)
37
+ end
38
+
39
+ def valid_pair? key, value
40
+ if !key.cs__is_a?(String) || (KEY_REGEXP =~ key).nil?
41
+ logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[0])
42
+ return false
43
+ end
44
+ unless key.length <= 28
45
+ logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[1])
46
+ return false
47
+ end
48
+ unless value.cs__is_a?(data_type)
49
+ logger.warn('The following key will be omitted', value: value, error: ERROR_MESSAGES[2])
50
+ return false
51
+ end
52
+ return false if value.cs__is_a?(String) && value.empty?
53
+ return false if value.cs__is_a?(String) && value.length > 200
54
+
55
+ true
56
+ end
57
+ end
58
+ end
59
+ end