contrast-agent 4.11.0 → 4.14.0

data/lib/contrast/utils/findings.rb

@@ -0,0 +1,62 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # Utility for saving raw findings for later
+    class Findings
+      include Contrast::Components::Logger::InstanceMethods
+
+      def initialize
+        @_collection = []
+      end
+
+      def collection
+        @_collection ||= []
+      end
+
+      def push trigger_node, source, object, ret, *args
+        return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless trigger_node.collectable?
+
+        @_collection << { trigger_node: trigger_node, source: source, object: object, ret: ret, args: args }
+      end
+
+      # Some rules requires response to be available before validating them correctly,
+      # so we check if trigger_node.rule_id is collectable and then save them for
+      # later report, when we have the response.
+      #
+      # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+      # trigger event
+      # @param source [Object] the source of the Trigger Event
+      # @param object [Object] the Object on which the method was invoked
+      # @param ret [Object] the Return of the invoked method
+      # @param args [Array<Object>] the Arguments with which the method was invoked
+      def collect_finding trigger_node, source, object, ret, *args
+        push trigger_node, source, object, ret, args
+        logger.trace('Finding collected', node_id: trigger_node.id,
+                                          source_id: source.__id__,
+                                          rule: trigger_node.rule_id)
+      end
+
+      # Build and report all collected findings for the collectable rules.
+      #
+      # We make sure the content-type is present before reporting, because some
+      # findings do require it for validation.
+      def report_collected_findings
+        return if Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type.nil?
+        return if @_collection.empty?
+
+        while @_collection.any?
+          finding = @_collection.pop
+          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding finding[:trigger_node],
+                                                                       finding[:source],
+                                                                       finding[:object],
+                                                                       finding[:ret],
+                                                                       finding[:args]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/hash_digest.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'digest'
+require 'contrast/utils/hash_digest_extend'
 
 module Contrast
   module Utils
@@ -13,6 +14,7 @@ module Contrast
     # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
     class HashDigest < Digest::Class
       include Digest::Instance
+      extend Contrast::Utils::HashDigestExtend
 
       CONTENT_LENGTH_HEADER = 'Content-Length'
       CRYPTO_RULES = %w[crypto-bad-ciphers crypto-bad-mac].cs__freeze
@@ -21,76 +23,6 @@ module Contrast
       CLASS_SOURCE_KEY = 'source'
       CLASS_CONSTANT_NAME_KEY = 'name'
       CLASS_LINE_NO_KEY = 'lineNo'
-      class << self
-        def generate_request_hash request
-          hash = new
-          hash.update(request.request_method)
-          hash.update(request.normalized_uri)
-          request.parameters.each_key do |name|
-            hash.update(name)
-          end
-          cl = request.headers[CONTENT_LENGTH_HEADER]
-          hash.update_on_content_length(cl) if cl
-          hash.finish
-        end
-
-        def generate_event_hash finding, source, request
-          return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
-
-          id = finding.rule_id
-          return generate_crypto_hash(finding, source, request) if CRYPTO_RULES.include?(id)
-
-          generate_trigger_hash(finding, request)
-        end
-
-        def generate_config_hash finding
-          hash = new
-          hash.update(finding.rule_id)
-          path = finding.properties[CONFIG_PATH_KEY]
-          hash.update(path)
-          method = finding.properties[CONFIG_SESSION_ID_KEY]
-          hash.update(method)
-          hash.finish
-        end
-
-        def generate_class_scanning_hash finding
-          hash = new
-          hash.update(finding.rule_id)
-          module_name = finding.properties[CLASS_SOURCE_KEY]
-          hash.update(module_name)
-          # We're not currently collecting this. 30/7/19 HM
-          line_no = finding.properties[CLASS_LINE_NO_KEY]
-          hash.update(line_no)
-          field = finding.properties[CLASS_CONSTANT_NAME_KEY]
-          hash.update(field)
-          hash.finish
-        end
-
-        private
-
-        def generate_crypto_hash finding, algorithm, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update(algorithm)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-
-        def generate_dataflow_hash finding, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update_on_sources(finding.events)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-
-        def generate_trigger_hash finding, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-      end
 
       def update_on_request finding, request
         if (route = finding.routes[0])
@@ -106,9 +38,14 @@ module Contrast
         return unless events&.any?
 
         events.each do |event|
-          event.event_sources.each do |source|
-            update(source.type)
-            update(source.name) # rubocop:disable Security/Module/Name -- API attribute.
+          if event.cs__is_a?(Contrast::Api::Dtm::TraceEvent)
+            event.event_sources&.each do |source|
+              update(source.type)
+              update(source.name) # rubocop:disable Security/Module/Name
+            end
+          elsif event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+            update(event.source_type)
+            update(event.source_name)
           end
         end
       end

data/lib/contrast/utils/hash_digest_extend.rb

@@ -0,0 +1,86 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'digest'
+require 'contrast/utils/hash_digest'
+
+module Contrast
+  module Utils
+    # We use this class to provide hashes for our Request and Finding objects
+    # based upon our definitions of uniqueness.
+    # While the uniqueness of the request object is something internal to the
+    # Ruby agent, the uniqueness of the Finding hash is defined by a
+    # specification shared across all agent teams. The spec can be found here:
+    # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
+    module HashDigestExtend
+      def generate_request_hash request
+        hash = new
+        hash.update(request.request_method)
+        hash.update(request.normalized_uri)
+        request.parameters.each_key do |name|
+          hash.update(name)
+        end
+        cl = request.headers[Contrast::Utils::HashDigest::CONTENT_LENGTH_HEADER]
+        hash.update_on_content_length(cl) if cl
+        hash.finish
+      end
+
+      def generate_event_hash finding, source, request
+        return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
+
+        id = finding.rule_id
+        return generate_crypto_hash(finding, source, request) if Contrast::Utils::HashDigest::CRYPTO_RULES.include?(id)
+
+        generate_trigger_hash(finding, request)
+      end
+
+      def generate_config_hash finding
+        hash = new
+        hash.update(finding.rule_id)
+        path = finding.properties[Contrast::Utils::HashDigest::CONFIG_PATH_KEY]
+        hash.update(path)
+        method = finding.properties[Contrast::Utils::HashDigest::CONFIG_SESSION_ID_KEY]
+        hash.update(method)
+        hash.finish
+      end
+
+      def generate_class_scanning_hash finding
+        hash = new
+        hash.update(finding.rule_id)
+        module_name = finding.properties[Contrast::Utils::HashDigest::CLASS_SOURCE_KEY]
+        hash.update(module_name)
+        # We're not currently collecting this. 30/7/19 HM
+        line_no = finding.properties[Contrast::Utils::HashDigest::CLASS_LINE_NO_KEY]
+        hash.update(line_no)
+        field = finding.properties[Contrast::Utils::HashDigest::CLASS_CONSTANT_NAME_KEY]
+        hash.update(field)
+        hash.finish
+      end
+
+      private
+
+      def generate_crypto_hash finding, algorithm, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update(algorithm)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+
+      def generate_dataflow_hash finding, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update_on_sources(finding.events)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+
+      def generate_trigger_hash finding, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+    end
+  end
+end

data/lib/contrast/utils/head_dump_utils_extend.rb

@@ -0,0 +1,74 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # this module extends HeadDumpUtil
+    module HeadDumpExtend
+      def log_enabled_warning
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        delay  = control[:delay]
+        clean  = control[:clean]
+
+        logger.info <<~WARNING
+          *****************************************************
+          ********      HEAP DUMP HAS BEEN ENABLED     ********
+          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
+          *****************************************************
+
+          Heap dump is a debugging tool that snapshots the entire
+          state of the Ruby VM. It is an exceptionally expensive
+          process, and should only be used to debug especially
+          pernicious errors.
+
+          It will write multiple memory snaphots, which are liable
+          to be multiple gigabytes in size.
+          They will be named "[unix timestamp]-heap.dump",
+          e.g.: 1020304050-heap.dump
+
+          It will then call Ruby `exit()`.
+
+          If this is not your specific intent, you can (and should)
+          disable this option in your Contrast config file.
+
+          HEAP DUMP PARAMETERS:
+          \t[write files to this directory]             dir:     #{ dir    }
+          \t[wait this many seconds in between dumps]   window:  #{ window }
+          \t[heap dump this many times]                 count:   #{ count  }
+          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
+          \t[perform gc pass before dump]               clean:   #{ clean  }
+
+          *****************************************************
+          ********        YOU HAVE BEEN WARNED         ********
+          *****************************************************
+        WARNING
+      end
+
+      def capture_heap_dump
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        clean  = control[:clean]
+        logger.info('HEAP DUMP MAIN LOOP')
+        ObjectSpace.trace_object_allocations_start
+        count.times do |i|
+          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
+          snapshot_heap(dir, clean)
+          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
+          sleep(window)
+        end
+      ensure
+        ObjectSpace.trace_object_allocations_stop
+        logger.info('*****************************************************')
+        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
+        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
+        logger.info('*****************************************************')
+        exit # rubocop:disable Rails/Exit We weren't kidding!
+      end
+    end
+  end
+end

data/lib/contrast/utils/heap_dump_util.rb

@@ -5,6 +5,7 @@ require 'objspace'
 require 'singleton'
 require 'contrast/components/heap_dump'
 require 'contrast/components/logger'
+require 'contrast/utils/head_dump_utils_extend'
 
 module Contrast
   module Utils
@@ -13,6 +14,7 @@ module Contrast
       extend Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Logger::InstanceMethods
       extend Contrast::Components::HeapDump::InstanceMethods
+      include Contrast::Utils::HeadDumpExtend
 
       LOG_ERROR_DUMPS = 'Unable to generate heap dumps'
       FILE_WRITE_FLAGS = 'w'
@@ -47,71 +49,6 @@ module Contrast
         nil
       end
 
-      def log_enabled_warning
-        control = Contrast::Utils::HeapDumpUtil.control
-        dir    = control[:path]
-        window = control[:window]
-        count  = control[:count]
-        delay  = control[:delay]
-        clean  = control[:clean]
-
-        logger.info <<~WARNING
-          *****************************************************
-          ********      HEAP DUMP HAS BEEN ENABLED     ********
-          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
-          *****************************************************
-
-          Heap dump is a debugging tool that snapshots the entire
-          state of the Ruby VM. It is an exceptionally expensive
-          process, and should only be used to debug especially
-          pernicious errors.
-
-          It will write multiple memory snaphots, which are liable
-          to be multiple gigabytes in size.
-          They will be named "[unix timestamp]-heap.dump",
-          e.g.: 1020304050-heap.dump
-
-          It will then call Ruby `exit()`.
-
-          If this is not your specific intent, you can (and should)
-          disable this option in your Contrast config file.
-
-          HEAP DUMP PARAMETERS:
-          \t[write files to this directory]             dir:     #{ dir    }
-          \t[wait this many seconds in between dumps]   window:  #{ window }
-          \t[heap dump this many times]                 count:   #{ count  }
-          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
-          \t[perform gc pass before dump]               clean:   #{ clean  }
-
-          *****************************************************
-          ********        YOU HAVE BEEN WARNED         ********
-          *****************************************************
-        WARNING
-      end
-
-      def capture_heap_dump
-        control = Contrast::Utils::HeapDumpUtil.control
-        dir    = control[:path]
-        window = control[:window]
-        count  = control[:count]
-        clean  = control[:clean]
-        logger.info('HEAP DUMP MAIN LOOP')
-        ObjectSpace.trace_object_allocations_start
-        count.times do |i|
-          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
-          snapshot_heap(dir, clean)
-          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
-          sleep(window)
-        end
-      ensure
-        ObjectSpace.trace_object_allocations_stop
-        logger.info('*****************************************************')
-        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
-        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
-        logger.info('*****************************************************')
-        exit # rubocop:disable Rails/Exit We weren't kidding!
-      end
-
       def snapshot_heap dir, clean
         output = "#{ Time.now.to_f }-heap.dump"
         output = File.join(dir, output)

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -34,11 +34,28 @@ module Contrast
           finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
           finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
           Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
+          if Contrast::Agent::Reporter.enabled?
+            cs__report_new_finding hash, rule_id, user_provided_options, call_location
+          end
         end
       rescue StandardError => e
         logger.error('Unable to build a finding', e, rule: rule_id)
       end
 
+      def cs__report_new_finding hash_code, rule_id, user_provided_options, call_location
+        new_preflight = Contrast::Agent::Reporting::Preflight.new
+        new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
+        new_preflight_message.hash_code = hash_code
+        new_preflight_message.data = "#{ rule_id },#{ hash_code }"
+        new_preflight.messages << new_preflight_message
+
+        ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
+        ruby_finding.hash_code = hash_code
+        set_new_finding_properties(ruby_finding, user_provided_options, call_location)
+        Contrast::Agent.reporter_queue.send_event_immediately(new_preflight)
+        Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
+      end
+
       private
 
       # Set the properties needed to report and subsequently render this finding on the finding given.
@@ -76,6 +93,18 @@ module Contrast
         end
         call_location&.label&.dup
       end
+
+      def set_new_finding_properties finding, user_provided_options, call_location
+        path = call_location.path
+        # just get the file name, not the full path
+        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
+        session_id = user_provided_options[:key].to_s if user_provided_options
+        finding.properties[CS__SESSION_ID] = session_id
+        finding.properties[CS__PATH] = path
+        file_path = call_location.absolute_path
+        snippet = file_snippet(file_path, call_location)
+        finding.properties[CS__SNIPPET] = snippet
+      end
     end
   end
 end

data/lib/contrast/utils/io_util.rb

@@ -11,7 +11,7 @@ module Contrast
 
       class << self
         # We're only going to call rewind on things that we believe are safe to
-        # call it on. This method white lists those cases and returns false in
+        # call it on. This method allow lists those cases and returns false in
         # all others.
         def should_rewind? potential_io
           return true if potential_io.is_a?(StringIO)

data/lib/contrast/utils/log_utils.rb

@@ -0,0 +1,108 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Method utility used by Contrast::Logger::log
+    module LogUtils
+      DEFAULT_NAME     = 'contrast.log'
+      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
+      VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
+      STDOUT_STR       = 'STDOUT'
+      STDERR_STR       = 'STDERR'
+      PROGNAME         = 'Contrast Agent'
+      DATE_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%L%z'
+
+      private
+
+      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        logger = case path
+                 when STDOUT_STR, STDERR_STR
+                   ::Ougai::Logger.new(Object.cs__const_get(path))
+                 else
+                   ::Ougai::Logger.new(path)
+                 end
+        add_contrast_loggers(logger)
+        logger.progname = PROGNAME
+        logger.level = level_const
+        logger.formatter = Contrast::Logger::Format.new
+        logger.formatter.datetime_format = DATE_TIME_FORMAT
+        logger
+      end
+
+      def add_contrast_loggers logger
+        logger.extend(Contrast::Logger::Application)
+        logger.extend(Contrast::Logger::Request)
+        logger.extend(Contrast::Logger::Time)
+      end
+
+      # Determine the valid path to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
+      def find_valid_path log_file
+        config = ::Contrast::CONFIG.root.agent.logger
+        config_path = config&.path&.length.to_i.positive? ? config.path : nil
+        valid_path(config_path || log_file)
+      end
+
+      def valid_path path
+        path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
+        return path if path == STDOUT_STR
+        return path if path == STDERR_STR
+
+        path = DEFAULT_NAME if path.empty?
+        if write_permission?(path)
+          path
+        elsif write_permission?(DEFAULT_NAME)
+          # Log once when the path is invalid. We'll change to this path, so no
+          # need to log again.
+          if previous_path != DEFAULT_NAME
+            $stdout.puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
+          end
+          DEFAULT_NAME
+        else
+          # Log once when the path is invalid. We'll change to this path, so no
+          # need to log again.
+          $stdout.puts "[!] Unable to write to '#{ path }'. Writing to standard out instead."
+          STDOUT_STR
+        end
+      end
+
+      # Determine the valid level to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [::Ougai::Logging::Severity] the level at which to log
+      def find_valid_level log_level
+        config = ::Contrast::CONFIG.root.agent.logger
+        config_level = config&.level&.length&.positive? ? config.level : nil
+
+        valid_level(config_level || log_level)
+      end
+
+      def valid_level level
+        level ||= DEFAULT_LEVEL
+        level = level.upcase
+        if VALID_LEVELS.include?(level)
+          Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
+        else
+          DEFAULT_LEVEL
+        end
+      rescue StandardError
+        DEFAULT_LEVEL
+      end
+
+      # Log that the Agent log has changed and include some default information at the start of the log.
+      def log_update
+        logger.debug('Initialized new contrast agent logger')
+        logger.debug_with_time('middleware: log environment') do
+          logger.application_environment
+          logger.application_configuration
+          logger.application_libraries
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/lru_cache.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/logger'
-
 module Contrast
   module Utils
     # A LRU(Least Recently Used) Cache store.
@@ -38,6 +36,10 @@ module Contrast
       def values
         @cache.values
       end
+
+      def clear
+        @cache.clear
+      end
     end
   end
 end

data/lib/contrast/utils/metrics_hash.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # This is the MetricsHash, which will take data type, so we now what is introduced/included
+    # in the TelemetryEvent
+    class MetricsHash < Hash
+      include Contrast::Components::Logger::InstanceMethods
+
+      attr_reader :data_type
+
+      ERROR_MESSAGES = [
+        'The key is not string or does not meet the requirements.',
+        'The key extends the allowed length.',
+        'VThe provided value is not the right data type'
+      ].cs__freeze
+      KEY_REGEXP = /[a-zA-Z0-9_-]{1,63}/.cs__freeze
+
+      def initialize data_type, *several_variants
+        super
+        @data_type = data_type
+      end
+
+      def []= key, value
+        key_val = key.dup
+        value_val = value.dup
+        key_val.strip! if key_val.cs__is_a?(String)
+        value_val.strip! if value_val.cs__is_a?(String)
+        return unless valid_pair? key_val, value_val
+
+        key_val.downcase!
+        key_val.strip!
+        super(key_val, value_val)
+      end
+
+      def valid_pair? key, value
+        if !key.cs__is_a?(String) || (KEY_REGEXP =~ key).nil?
+          logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[0])
+          return false
+        end
+        unless key.length <= 28
+          logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[1])
+          return false
+        end
+        unless value.cs__is_a?(data_type)
+          logger.warn('The following key will be omitted', value: value, error: ERROR_MESSAGES[2])
+          return false
+        end
+        return false if value.cs__is_a?(String) && value.empty?
+        return false if value.cs__is_a?(String) && value.length > 200
+
+        true
+      end
+    end
+  end
+end