contrast-agent 4.12.0 → 4.13.0

data/lib/contrast/utils/requests_client.rb

@@ -0,0 +1,150 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'net/http'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'contrast/agent/version'
+require 'socket'
+
+module Contrast
+  module Utils
+    # This module creates a Net::HTTP client and initiates a connection to the provided result
+    module RequestsClient
+      ENDPOINT = 'api/v1/telemetry/metrics' # /TelemetryEvent.path
+
+      class << self
+        include Contrast::Components::Logger::InstanceMethods
+        # This method initializes the Net::HTTP client we'll need
+        # @param url [String]
+        # @return [Net::HTTP, nil]
+        def initialize_connection url
+          addr = URI(url)
+          return if addr.host.nil? || addr.port.nil?
+          return if addr.scheme != 'https'
+
+          @_net_http_client = Net::HTTP.new(addr.host, addr.port)
+          @_net_http_client.open_timeout = 5
+          @_net_http_client.read_timeout = 5
+          @_net_http_client.use_ssl = true
+          @_net_http_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          @_net_http_client.verify_depth = 5
+          @_net_http_client.start
+          return unless @_net_http_client.started?
+
+          logger.warn('Starting Telemetry connection test')
+          return unless connection_verified? @_net_http_client
+
+          @_net_http_client
+        rescue Net::OpenTimeout, Net::ReadTimeout => e
+          logger.warn('Telemetry connection failed', e.message)
+          nil
+        end
+
+        # This method will be responsible for building the request
+        # @param event[Contrast::Agent::TelemetryEvent,Contrast::Agent::StartupMetricsTelemetryEvent]
+        # @return [Net::HTTP::Post]
+        def build_request event
+          return unless valid_event? event
+
+          string_body = event.to_json.to_s
+          header = { 'User-Agent' => "<#{ Contrast::Utils::ObjectShare::RUBY }>-<#{ Contrast::Agent::VERSION }>" }
+          path = ENDPOINT + event.path
+          @_request = Net::HTTP::Post.new(path, header)
+          @_request.body = string_body
+          @_request
+        end
+
+        # This method will create the actual request and send it
+        # @param event[Contrast::Agent::TelemetryEvent]
+        # @param connection[Net::HTTP]
+        def send_request event, connection
+          return if connection.nil? || event.nil?
+          return unless valid_event? event
+
+          req = build_request event
+          connection.request req
+        end
+
+        # This method will handle the response from the tenant
+        # @param res [Net::HTTPResponse]
+        # @return sleep_time [Integer, nil]
+        def handle_response res
+          status_code = res.code.to_i
+          ready_after = if res.to_hash.keys.map(&:downcase).include?('ready-after')
+                          res['Ready-After']
+                        else
+                          60
+                        end
+          ready_after if status_code == 429
+        end
+
+        # This method will be responsible for validating the event
+        # @param event[Contrast::Agent::TelemetryEvent,Contrast::Agent::StartupMetricsTelemetryEvent]
+        def valid_event? event
+          return false unless event.cs__is_a?(Contrast::Agent::TelemetryEvent)
+          return false unless event.cs__is_a?(Contrast::Agent::StartupMetricsTelemetryEvent)
+
+          true
+        end
+
+        # Validates connection with Telemetry assigned domain.
+        # If connection is running, SSL certificate of the endpoint is valid, Ip address is resolvable
+        # and response is received without peer's reset or refuse of connection,
+        # then validation returns true. Error handling is in place so that the work of the agent will continue as
+        # normal without Telemetry.
+        #
+        # @param client [Net::HTTP]
+        # @return [Boolean] true | false
+        def connection_verified? client
+          return @_connection_verified unless @_connection_verified.nil?
+
+          # Before RUBY 2.7 there is no #ipaddr
+          ipaddr = if RUBY_VERSION < '2.7.0'
+                     socket = TCPSocket.open(client.address, client.port)
+                     ipaddr = socket.peeraddr[3]
+                     socket.close
+                     ipaddr
+                   else
+                     client.ipaddr
+                   end
+          response = client.request(Net::HTTP::Get.new(client.address))
+          verify_cert = OpenSSL::SSL.verify_certificate_identity(client.peer_cert, client.address)
+          resolved = resolved? client.address, ipaddr
+          @_connection_verified = if resolved && response && verify_cert
+                                    true
+                                  else
+                                    false
+                                  end
+        rescue OpenSSL::SSL::SSLError, Resolv::ResolvError, Errno::ECONNRESET, Errno::ECONNREFUSED,
+               Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, Errno::EHOSTUNREACH, Errno::EISCONN,
+               Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH => e
+
+          logger.warn('Telemetry connection failed', e.message)
+          false
+        end
+
+        private
+
+        # Resolves the address of the assigned telemetry domain to array of corresponding IPs (if more than one)
+        # and runs a matcher to see if current connection IP is in the list.
+        # This is called within #verify_connection, if called on it's own there will be no
+        # error handling.
+        #
+        # @param address [String] Human friendly address of assigned telemetry domain
+        # @param ipaddr [String] Machine friendly IP address of the assigned telemetry domain
+        # @return[Boolean] true if both addresses are resolved | false if one of the addresses
+        # is non-resolvable
+        def resolved? address, ipaddr
+          return @_resolved unless @_resolved.nil?
+
+          @_resolved = if (addresses = Resolv.getaddresses address)
+                         addresses.any? { |addr| addr.include?(ipaddr) }
+                       else
+                         false
+                       end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/telemetry.rb

@@ -0,0 +1,78 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry'
+require 'contrast/utils/telemetry_identifier'
+
+module Contrast
+  module Utils
+    # Tools for supporting the Telemetry feature
+    module Telemetry
+      DIR = '/ect/contrast/ruby-agent/'.cs__freeze
+      FILE = '.telemetry'.cs__freeze
+      CURRENT_DIR = Dir.pwd.cs__freeze
+      CONFIG_DIR = CURRENT_DIR + '/config/contrast/'.cs__freeze
+      MESSAGE = {
+          disclaimer:
+            "\n===================================================================================================" \
+            "\n\nThe [Contrast Security] [Ruby Agent] " \
+            "collects usage data in order to help us improve compatibility\n" \
+            "and security coverage. The data is anonymous and does not contain application data. It is collected\n" \
+            "by Contrast and is never shared. You can opt-out of telemetry by setting the\n" \
+            "'CONTRAST_AGENT_TELEMETRY_OPTOUT' environment variable to '1' or 'true'.\n\n" \
+          "===================================================================================================\n\n"
+      }.cs__freeze
+
+      # Here we create the .telemetry file. If the file exist we do nothing.
+      #
+      # @return[Boolean, nil] true if file is created, false if file already exist
+      # and nil if Telemetry is disabled or on unsupported OS.
+      def self.create_telemetry_file
+        write_mark_file DIR, FILE, CONFIG_DIR
+      end
+
+      def self.disclaimer
+        @_disclaimer = MESSAGE[:disclaimer]
+      end
+
+      class << self
+        private
+
+        # Create the mark file
+        #
+        # @param dir [String] Directory in which the file is to be created
+        # @param file [String] filename of the mark file
+        # @param config_dir [String] path for the config folder in working directory
+        # @return[Boolean, nil] true if file is created, false if file already exist
+        # and nil if Telemetry is disabled or on unsupported OS.
+        def write_mark_file dir, file, config_dir
+          return unless Contrast::Agent::Telemetry.enabled?
+          return if Contrast::Utils::OS.windows?
+
+          @dir = dir
+          # After macOS Catalina, you can no longer store files or data in the read-only system volume,
+          # nor can we write to the "root" directory ( / ). This results in Errno::EROFS exception.
+          # So for the MacOS we would use the config directory of the instrumented application.
+          @dir = config_dir if Contrast::Utils::OS.mac?
+          return false if File.file? @dir + file
+
+          begin
+            return true if touch @dir, file # rubocop:disable Rails/SkipsModelValidations
+          rescue Errno::EROFS
+            # If we don't have permission to write to root directory use config instead
+            return true if touch config_dir, file # rubocop:disable Rails/SkipsModelValidations
+          end
+        end
+
+        # Touches .telemetry file
+        #
+        # @return[Boolean] true if success, false if fails
+        def touch dir, file
+          FileUtils.mkdir_p dir unless Dir.exist? dir
+          FileUtils.touch dir + file
+          File.file? dir + file
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/telemetry_identifier.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry'
+require 'contrast/utils/os'
+require 'socket'
+
+module Contrast
+  module Utils
+    # Tools for supporting the Telemetry feature
+    module Telemetry
+      # Gets info about the instrumented application required to build unique identifiers,
+      # used in the agent's Telemetry.
+      module Identifier
+        MAC_REGEX = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
+        LINUX_OS_REG = /hwaddr=.*?(([A-F0-9]{2}:){5}[A-F0-9]{2})/im.cs__freeze
+        MAC_OS_PRIMARY = 'en0'.cs__freeze
+        LINUX_PRIMARY = 'enp'.cs__freeze
+
+        # Sinatra and Grape both use similar approach to identify the app_name.
+        # Rails has a different way of doing it, but to unify this we'll use this one.
+        # If app_name is changed/renamed during production it would still get the
+        # new folder's name.
+        #
+        # @ return [String] name of the application from the current working directory
+        def self.app_name
+          @_app_name ||= File.basename(Dir.pwd)
+        end
+
+        # Returns the MAC address of the primary network interface, depending on the used OS.
+        # If the primary is unknown it finds the first available network interface and gets it's
+        # MAC address instead.
+        #
+        # @return [String, nil] MAC address of the primary network interface or
+        # the first available one, or nil if nothing found
+        def self.mac
+          @_mac = find_mac MAC_OS_PRIMARY if Contrast::Utils::OS.mac? && @_mac.nil?
+          @_mac = find_mac LINUX_PRIMARY if Contrast::Utils::OS.linux? && @_mac.nil?
+          # or find any available
+          @_mac = find_mac if @_mac.nil?
+          @_mac
+        end
+
+        class << self
+          private
+
+          # Finds the primary MAC address of all listed network adapters.
+          # If primary is not set or unknown, use the first MAC address found
+          # from the listed adapters.
+          #
+          # @param primary [nil, String] optional param if set look only for primary
+          # network adapter's name
+          # @return [String, nil] MAC address of the first listed network adapter or
+          # nil if not found
+          def find_mac primary = nil
+            result = nil
+            idx = 0
+            return if interfaces.empty?
+
+            while idx < interfaces.length
+              addr = interfaces[idx].addr
+              name = interfaces[idx].name # rubocop:disable Security/Module/Name
+              # retrieving MAC address from primary network interface or first available
+              mac = retrieve_mac name, addr, primary
+              idx += 1
+              next unless mac
+
+              result = mac if mac && (mac.match? MAC_REGEX)
+              break if result && !primary
+            end
+            result
+          end
+
+          # Retrieves MAC address for primary or any network interface.
+          # This is OS dependent search.
+          #
+          # @param name [Sting] interface name of ifaddr
+          # @param addr [String] address info
+          # example: #<Addrinfo: LINK[en0 aa:bb:cc:00:11:22]>
+          # @param primary [nil, String] optional param if set look only for primary
+          # network adapter's name
+          # @return mac [nil, String] MAC address of primary network interface,
+          # any network interface, or nil if no interface is found.
+          def retrieve_mac name, addr, primary
+            mac = nil
+            # Mac OS allow us to use getnameinfo(sockaddr [, flags]) => [hostname, servicename]
+            #
+            # returned address:
+            # <Socket::Ifaddr en0 UP,BROADCAST,RUNNING,NOTRAILERS,SIMPLEX,MULTICAST LINK[en0 aa:bb:cc:00:11:22]>
+            if Contrast::Utils::OS.mac?
+              mac = addr.getnameinfo[0] unless primary
+              mac = addr.getnameinfo[0] if primary && name.include?(primary)
+            end
+            # In Linux using Socket::addr#getnameinfo results in ai_family not supported exception.
+            # In this case we are relying on match filtering of addresses.
+            #
+            # returned address:
+            # #<Socket::Ifaddr eth0 UP,BROADCAST,RUNNING,MULTICAST,0x10000
+            # PACKET[protocol=0 eth0 hatype=1 HOST hwaddr=aa:bb:cc:00:11:22]>
+            if primary && Contrast::Utils::OS.linux?
+              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG && name.include?(primary)
+            elsif primary.nil? && Contrast::Utils::OS.linux?
+              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG
+            end
+            mac
+          end
+
+          # Returns array of network interfaces.
+          # This is OS dependent search.
+          #
+          # @return interfaces [Array] Returns an array of interface addresses.
+          # Socket::Ifaddr - represents a result of getifaddrs().
+          def interfaces
+            @_interfaces = []
+            arr = Socket.getifaddrs
+            idx = 0
+            check_family = 0
+            while idx < arr.length
+              # We need only network adapters MACs. Checking for pfamily of every socket address:
+              # 18 for Mac OS and 17 for Linux.
+              # family should be an address family such as: :INET, :INET6, :UNIX, etc.
+              check_family = 18 if Contrast::Utils::OS.mac?
+              check_family = 17 if Contrast::Utils::OS.linux?
+              if arr[idx].addr.pfamily != check_family
+                idx += 1
+                next
+              end
+              @_interfaces << arr[idx]
+              idx += 1
+            end
+            @_interfaces
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast.rb

@@ -35,6 +35,7 @@ if RUBY_VERSION >= '3.0.0'
 end
 
 require 'contrast/components/agent'
+require 'contrast/components/api'
 require 'contrast/components/app_context'
 require 'contrast/components/assess'
 require 'contrast/components/config'
@@ -47,6 +48,7 @@ require 'contrast/components/scope'
 require 'contrast/components/settings'
 
 module Contrast
+  API = Contrast::Components::Api::Interface.new
   SCOPE = Contrast::Components::Scope::Interface.new
   CONFIG = Contrast::Components::Config::Interface.new
   SETTINGS = Contrast::Components::Settings::Interface.new
@@ -76,3 +78,19 @@ if RUBY_VERSION >= '3.0.0'
   Class.alias_method(:prepend, :cs__orig_prepend)
   Class.remove_method(:cs__orig_prepend)
 end
+
+if RUBY_VERSION < '3.0.0'
+  # Better handles ancestors for older ruby versions.
+  # This is called from C, tread lightly.
+  class Module
+    @_included_in = []
+    # Returns array with modules including this instance
+    def included_in
+      @_included_in ||= [] unless cs__frozen?
+    end
+
+    def self.included_in
+      @_included_in ||= [] unless cs__frozen?
+    end
+  end
+end

data/ruby-agent.gemspec

@@ -150,7 +150,8 @@ def self.add_files spec
                    'shared_libraries/libfunchook.so',
                    'shared_libraries/funchook.h',
                    'funchook/src/libfunchook.dylib',
-                   'funchook/src/libfunchook.so')
+                   'funchook/src/libfunchook.so',
+                   '.secrets.baseline')
   end
 end
 

data/service_executables/VERSION

@@ -1 +1 @@
-2.26.0
+2.27.3

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 4.12.0
+  version: 4.13.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-10-14 00:00:00.000000000 Z
+date: 2021-11-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -617,18 +617,19 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
+- ext/cs__os_information/extconf.rb
+- ext/cs__assess_regexp/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
+- ext/cs__assess_module/extconf.rb
 - ext/cs__assess_array/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__assess_hash/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
 - ext/cs__assess_string/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_module/extconf.rb
-- ext/cs__assess_regexp/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
 - ext/cs__assess_yield_track/extconf.rb
 extra_rdoc_files: []
 files:
@@ -687,6 +688,9 @@ files:
 - ext/cs__contrast_patch/cs__contrast_patch.c
 - ext/cs__contrast_patch/cs__contrast_patch.h
 - ext/cs__contrast_patch/extconf.rb
+- ext/cs__os_information/cs__os_information.c
+- ext/cs__os_information/cs__os_information.h
+- ext/cs__os_information/extconf.rb
 - ext/extconf_common.rb
 - funchook/LICENSE
 - funchook/Makefile.in
@@ -894,6 +898,7 @@ files:
 - lib/contrast/agent/inventory/policy/datastores.rb
 - lib/contrast/agent/inventory/policy/policy.rb
 - lib/contrast/agent/inventory/policy/trigger_node.rb
+- lib/contrast/agent/metric_telemetry_event.rb
 - lib/contrast/agent/middleware.rb
 - lib/contrast/agent/module_data.rb
 - lib/contrast/agent/patching/policy/after_load_patch.rb
@@ -944,7 +949,10 @@ files:
 - lib/contrast/agent/rule_set.rb
 - lib/contrast/agent/scope.rb
 - lib/contrast/agent/service_heartbeat.rb
+- lib/contrast/agent/startup_metrics_telemetry_event.rb
 - lib/contrast/agent/static_analysis.rb
+- lib/contrast/agent/telemetry.rb
+- lib/contrast/agent/telemetry_event.rb
 - lib/contrast/agent/thread.rb
 - lib/contrast/agent/thread_watcher.rb
 - lib/contrast/agent/tracepoint_hook.rb
@@ -986,6 +994,7 @@ files:
 - lib/contrast/api/dtm.pb.rb
 - lib/contrast/api/settings.pb.rb
 - lib/contrast/components/agent.rb
+- lib/contrast/components/api.rb
 - lib/contrast/components/app_context.rb
 - lib/contrast/components/assess.rb
 - lib/contrast/components/base.rb
@@ -1000,11 +1009,13 @@ files:
 - lib/contrast/components/settings.rb
 - lib/contrast/config.rb
 - lib/contrast/config/agent_configuration.rb
+- lib/contrast/config/api_configuration.rb
 - lib/contrast/config/application_configuration.rb
 - lib/contrast/config/assess_configuration.rb
 - lib/contrast/config/assess_rules_configuration.rb
 - lib/contrast/config/base_configuration.rb
 - lib/contrast/config/default_value.rb
+- lib/contrast/config/env_variables.rb
 - lib/contrast/config/exception_configuration.rb
 - lib/contrast/config/heap_dump_configuration.rb
 - lib/contrast/config/inventory_configuration.rb
@@ -1064,26 +1075,37 @@ files:
 - lib/contrast/security_exception.rb
 - lib/contrast/tasks/config.rb
 - lib/contrast/tasks/service.rb
+- lib/contrast/utils/assess/propagation_method_utils.rb
+- lib/contrast/utils/assess/property/tagged_utils.rb
 - lib/contrast/utils/assess/sampling_util.rb
+- lib/contrast/utils/assess/source_method_utils.rb
 - lib/contrast/utils/assess/tracking_util.rb
+- lib/contrast/utils/assess/trigger_method_utils.rb
 - lib/contrast/utils/class_util.rb
 - lib/contrast/utils/duck_utils.rb
 - lib/contrast/utils/env_configuration_item.rb
+- lib/contrast/utils/exclude_key.rb
 - lib/contrast/utils/hash_digest.rb
 - lib/contrast/utils/heap_dump_util.rb
 - lib/contrast/utils/invalid_configuration_util.rb
 - lib/contrast/utils/io_util.rb
 - lib/contrast/utils/job_servers_running.rb
 - lib/contrast/utils/lru_cache.rb
+- lib/contrast/utils/metrics_hash.rb
 - lib/contrast/utils/object_share.rb
 - lib/contrast/utils/os.rb
+- lib/contrast/utils/patching/policy/patch_utils.rb
+- lib/contrast/utils/patching/policy/patcher_utils.rb
 - lib/contrast/utils/preflight_util.rb
+- lib/contrast/utils/requests_client.rb
 - lib/contrast/utils/resource_loader.rb
 - lib/contrast/utils/ruby_ast_rewriter.rb
 - lib/contrast/utils/sha256_builder.rb
 - lib/contrast/utils/stack_trace_utils.rb
 - lib/contrast/utils/string_utils.rb
 - lib/contrast/utils/tag_util.rb
+- lib/contrast/utils/telemetry.rb
+- lib/contrast/utils/telemetry_identifier.rb
 - lib/contrast/utils/thread_tracker.rb
 - lib/contrast/utils/timer.rb
 - resources/assess/policy.json