contrast-agent 4.12.0 → 4.14.1

data/lib/contrast/utils/io_util.rb

@@ -11,7 +11,7 @@ module Contrast
 
       class << self
         # We're only going to call rewind on things that we believe are safe to
-        # call it on. This method white lists those cases and returns false in
+        # call it on. This method allow lists those cases and returns false in
         # all others.
         def should_rewind? potential_io
           return true if potential_io.is_a?(StringIO)

data/lib/contrast/utils/log_utils.rb

@@ -0,0 +1,108 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Method utility used by Contrast::Logger::log
+    module LogUtils
+      DEFAULT_NAME     = 'contrast.log'
+      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
+      VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
+      STDOUT_STR       = 'STDOUT'
+      STDERR_STR       = 'STDERR'
+      PROGNAME         = 'Contrast Agent'
+      DATE_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%L%z'
+
+      private
+
+      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        logger = case path
+                 when STDOUT_STR, STDERR_STR
+                   ::Ougai::Logger.new(Object.cs__const_get(path))
+                 else
+                   ::Ougai::Logger.new(path)
+                 end
+        add_contrast_loggers(logger)
+        logger.progname = PROGNAME
+        logger.level = level_const
+        logger.formatter = Contrast::Logger::Format.new
+        logger.formatter.datetime_format = DATE_TIME_FORMAT
+        logger
+      end
+
+      def add_contrast_loggers logger
+        logger.extend(Contrast::Logger::Application)
+        logger.extend(Contrast::Logger::Request)
+        logger.extend(Contrast::Logger::Time)
+      end
+
+      # Determine the valid path to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
+      def find_valid_path log_file
+        config = ::Contrast::CONFIG.root.agent.logger
+        config_path = config&.path&.length.to_i.positive? ? config.path : nil
+        valid_path(config_path || log_file)
+      end
+
+      def valid_path path
+        path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
+        return path if path == STDOUT_STR
+        return path if path == STDERR_STR
+
+        path = DEFAULT_NAME if path.empty?
+        if write_permission?(path)
+          path
+        elsif write_permission?(DEFAULT_NAME)
+          # Log once when the path is invalid. We'll change to this path, so no
+          # need to log again.
+          if previous_path != DEFAULT_NAME
+            $stdout.puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
+          end
+          DEFAULT_NAME
+        else
+          # Log once when the path is invalid. We'll change to this path, so no
+          # need to log again.
+          $stdout.puts "[!] Unable to write to '#{ path }'. Writing to standard out instead."
+          STDOUT_STR
+        end
+      end
+
+      # Determine the valid level to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [::Ougai::Logging::Severity] the level at which to log
+      def find_valid_level log_level
+        config = ::Contrast::CONFIG.root.agent.logger
+        config_level = config&.level&.length&.positive? ? config.level : nil
+
+        valid_level(config_level || log_level)
+      end
+
+      def valid_level level
+        level ||= DEFAULT_LEVEL
+        level = level.upcase
+        if VALID_LEVELS.include?(level)
+          Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
+        else
+          DEFAULT_LEVEL
+        end
+      rescue StandardError
+        DEFAULT_LEVEL
+      end
+
+      # Log that the Agent log has changed and include some default information at the start of the log.
+      def log_update
+        logger.debug('Initialized new contrast agent logger')
+        logger.debug_with_time('middleware: log environment') do
+          logger.application_environment
+          logger.application_configuration
+          logger.application_libraries
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/metrics_hash.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # This is the MetricsHash, which will take data type, so we now what is introduced/included
+    # in the TelemetryEvent
+    class MetricsHash < Hash
+      include Contrast::Components::Logger::InstanceMethods
+
+      attr_reader :data_type
+
+      ERROR_MESSAGES = [
+        'The key is not string or does not meet the requirements.',
+        'The key extends the allowed length.',
+        'VThe provided value is not the right data type'
+      ].cs__freeze
+      KEY_REGEXP = /[a-zA-Z0-9_-]{1,63}/.cs__freeze
+
+      def initialize data_type, *several_variants
+        super
+        @data_type = data_type
+      end
+
+      def []= key, value
+        key_val = key.dup
+        value_val = value.dup
+        key_val.strip! if key_val.cs__is_a?(String)
+        value_val.strip! if value_val.cs__is_a?(String)
+        return unless valid_pair? key_val, value_val
+
+        key_val.downcase!
+        key_val.strip!
+        super(key_val, value_val)
+      end
+
+      def valid_pair? key, value
+        if !key.cs__is_a?(String) || (KEY_REGEXP =~ key).nil?
+          logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[0])
+          return false
+        end
+        unless key.length <= 28
+          logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[1])
+          return false
+        end
+        unless value.cs__is_a?(data_type)
+          logger.warn('The following key will be omitted', value: value, error: ERROR_MESSAGES[2])
+          return false
+        end
+        return false if value.cs__is_a?(String) && value.empty?
+        return false if value.cs__is_a?(String) && value.length > 200
+
+        true
+      end
+    end
+  end
+end

data/lib/contrast/utils/middleware_utils.rb

@@ -0,0 +1,87 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # helper methods for Contrast::Agent::Middleware
+    # including disclaimers, deprecation notices, error handling, setup
+    module MiddlewareUtils
+      private
+
+      def setup_agent
+        ::Contrast::SETTINGS.reset_state
+
+        inform_deprecations
+        telemetry_disclaimer
+
+        if ::Contrast::CONFIG.invalid?
+          ::Contrast::AGENT.disable!
+          logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
+        elsif ::Contrast::AGENT.disabled?
+          logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
+        else
+          ::Contrast::AGENT.enable!
+        end
+      end
+
+      SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
+      # We're only going to suppress SecurityExceptions indicating a blocked attack. And, only if the
+      # config.agent.ruby.exceptions.capture? is set
+      def handle_exception exception
+        if security_exception?(exception)
+          exception_control = ::Contrast::AGENT.exception_control
+          raise exception unless exception_control[:enable]
+
+          [exception_control[:status], {}, [exception_control[:message]]]
+        else
+          logger.debug('Re-throwing original error', exception)
+          raise exception
+        end
+      end
+
+      # Is the given exception one raised by our Protect code?
+      #
+      # @param exception [Exception]
+      # @return [Boolean]
+      def security_exception? exception
+        exception.is_a?(Contrast::SecurityException) || exception.message&.include?(SECURITY_EXCEPTION_MARKER)
+      end
+
+      # As we deprecate support to prepare to remove dead code, we need to inform our users still relying on the now
+      # deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
+      # Kernel#warn approach
+      def inform_deprecations
+        # Ruby 2.5 is currently in security maintenance, meaning int is only receiving updates for security issues. It
+        # will move to eol on 31 March 2021. As such, we can remove support for it in Q3. We'll begin the deprecation
+        # warnings now so that customers have time to reach out if they'll be impacted.
+        # TODO: RUBY-715 remove this part of the method, leaving it empty if there are no other deprecations, when we
+        #   drop 2.5 support.
+        return unless RUBY_VERSION < '2.6.0'
+
+        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
+                    'Please contact Customer Support prior if you require continued support.')
+      end
+
+      # Displays Telemetry disclaimer if Telemetry is enabled.
+      # if .telemetry file doesn't exist we create one and then show the disclaimer.
+      # if the file already exists we do nothing.
+      def telemetry_disclaimer
+        return unless Contrast::Agent::Telemetry.enabled?
+        return unless Contrast::Utils::Telemetry.create_telemetry_file
+
+        logger.info Contrast::Utils::Telemetry.disclaimer
+        $stdout.print Contrast::Utils::Telemetry.disclaimer
+        true
+      end
+
+      def application_code env
+        logger.trace_with_time('application') do
+          app.call(env)
+        end
+      rescue Contrast::SecurityException => e
+        logger.trace('Security Exception raised during application lifecycle to prevent an attack', e)
+        raise e
+      end
+    end
+  end
+end

data/lib/contrast/utils/net_http_base.rb

@@ -0,0 +1,158 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'net/http'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'socket'
+
+module Contrast
+  module Utils
+    # This module creates a Net::HTTP client base to be used by different services
+    # All HTTP clients reporting to Telemetry or TS should inherit from this
+    class NetHttpBase
+      include Contrast::Components::Logger::InstanceMethods
+      # This method initializes the Net::HTTP client we'll need. it will validate
+      # the connection and make the first request. If connection is valid and response
+      # is available then the open connection is returned.
+      #
+      # @param service_name [String] Name of service used in logging messages
+      # @param url [String]
+      # @param use_proxy [Boolean] flag used to indicate proxy connections [default = false]
+      # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
+      # self signed certificates provided by config [default = false]
+      # @return [Net::HTTP, nil] Return open connection or nil
+      def initialize_connection service_name, url, use_proxy = false, use_custom_cert = false
+        return unless url
+
+        addr = URI(url)
+        # the proxy is enabled only if there is provided url even if the enable is set to true
+        return if addr.host.nil? || addr.port.nil? || addr.scheme != 'https'
+
+        proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
+        net_http_client = initialize_client addr, proxy_addr, use_proxy, use_custom_cert
+        return if net_http_client.nil?
+
+        net_http_client.start
+        return unless net_http_client.started?
+
+        logger.warn("Starting #{ service_name } connection test")
+        return unless connection_verified? net_http_client
+
+        net_http_client
+      rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, OpenSSL::SSL::SSLError => e
+        logger.warn("#{ service_name } connection failed", e.message)
+        nil
+      end
+
+      # Validates connection with assigned domain.
+      # If connection is running, SSL certificate of the endpoint is valid, Ip address is resolvable
+      # and response is received without peer's reset or refuse of connection,
+      # then validation returns true. Error handling is in place so that the work of the agent will continue as
+      # normal without Telemetry.
+      #
+      # @param client [Net::HTTP]
+      # @return [Boolean] true | false
+      def connection_verified? client
+        return @_connection_verified unless @_connection_verified.nil?
+        return false if client.nil?
+
+        # Before RUBY 2.7 there is no #ipaddr
+        ipaddr = if RUBY_VERSION < '2.7.0'
+                   socket = TCPSocket.open(client.address, client.port)
+                   ipaddr = socket.peeraddr[3]
+                   socket.close
+                   ipaddr
+                 else
+                   client.ipaddr
+                 end
+        response = client.request(Net::HTTP::Get.new(client.address))
+        verify_cert = OpenSSL::SSL.verify_certificate_identity(client.peer_cert, client.address)
+        resolved = resolved? client.address, ipaddr
+        @_connection_verified = if resolved && response && verify_cert
+                                  true
+                                else
+                                  false
+                                end
+      rescue OpenSSL::SSL::SSLError, Resolv::ResolvError, Errno::ECONNRESET, Errno::ECONNREFUSED,
+             Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, Errno::EHOSTUNREACH, Errno::EISCONN,
+             Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH => e
+
+        logger.warn("#{ service_name } connection failed", e.message)
+        false
+      end
+
+      private
+
+      # Resolves the address of the assigned domain to array of corresponding IPs (if more than one)
+      # and runs a matcher to see if current connection IP is in the list.
+      # This is called within #verify_connection, if called on it's own there will be no
+      # error handling.
+      #
+      # @param address [String] Human friendly address of assigned domain
+      # @param ipaddr [String] Machine friendly IP address of the assigned domain
+      # @return[Boolean] true if both addresses are resolved | false if one of the addresses
+      # is non-resolvable
+      def resolved? address, ipaddr
+        return @_resolved unless @_resolved.nil?
+
+        @_resolved = if (addresses = Resolv.getaddresses address)
+                       addresses.any? { |addr| addr.include?(ipaddr) }
+                     else
+                       false
+                     end
+      end
+
+      # if the configuration for the use of self-signed certificates is enabled
+      # and required for this client then assign the files and keys to the client
+      #
+      # @param client [Net::HTTP]
+      def assign_cert client
+        if Contrast::API.certification_ca_file
+          client.ca_file = OpenSSL::X509::Certificate.new(File.read(Contrast::API.certification_ca_file)).to_s
+        elsif Contrast::API.certification_cert_file
+          client.cert = OpenSSL::X509::Certificate.new(File.read(Contrast::API.certification_cert_file)).to_s
+        elsif Contrast::API.certification_key_file
+          client.key = OpenSSL::PKey::RSA.new(File.read(Contrast::API.certification_key_file)).to_s
+        end
+      rescue Errno::ENOENT => e
+        logger.error('Custom certificates failed', e.message)
+      end
+
+      # sets default setting for client validation of certificates and
+      # timeout options
+      #
+      # @param addr [URI::Generic] uri of assigned domain
+      # @param proxy_addr [URI::Generic | nil] uri of proxy
+      # @param use_proxy [Boolean] flag used to indicate proxy connections [default = false]
+      # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
+      # self signed certificates provided by config [default = false]
+      # @return [Net::HTTP]
+      def initialize_client addr, proxy_addr, use_proxy, use_custom_cert
+        initialize_client = if proxy_enabled? && use_proxy
+                              Net::HTTP.new(addr.host, nil, proxy_addr&.host, proxy_addr&.port)
+                            else
+                              Net::HTTP.new(addr.host, addr.port)
+                            end
+        assign_cert(initialize_client) if use_custom_cert && Contrast::API.certification_enabled?
+        initialize_client.use_ssl = true
+        initialize_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        initialize_client.verify_depth = 5
+        # open connection timeout in ms
+        # if connection reaches timeout this will produce Net::OpenTimeout error
+        initialize_client.open_timeout = 10
+        # if we can't read the response or a chunk within time this will cause a
+        # Net::ReadTimeout error when the request is made
+        initialize_client.read_timeout = 10
+        initialize_client
+      end
+
+      # Check if proxy is enabled
+      #
+      # @return @_proxy_enabled [Boolean] True if proxy is enabled and url is present else false
+      def proxy_enabled?
+        @_proxy_enabled ||= Contrast::API.proxy_enabled? && !Contrast::API.proxy_url.nil? if @_proxy_enabled.nil?
+      end
+    end
+  end
+end

data/lib/contrast/utils/object_share.rb

@@ -30,6 +30,7 @@ module Contrast
       SEMICOLON =     ';'
       SINGLE_QUOTE =  '\''
       SLASH =         '/'
+      SPACE =         ' '
       UNDERSCORE =    '_'
       DOUBLE_UNDERSCORE = '__'
       AT =            '@'

data/lib/contrast/utils/os.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/scope'
+require 'cs__os_information/cs__os_information'
 
 module Contrast
   module Utils
@@ -31,6 +32,28 @@ module Contrast
             zombie_pid_list.split("\n")
           end
         end
+
+        # Check current OS type
+        # returns true if check is correct or false if not
+        def windows?
+          (/cygwin|mswin|mingw|bccwin|wince|emx/ =~ RUBY_PLATFORM) != nil
+        end
+
+        def mac?
+          RUBY_PLATFORM.include? 'darwin'
+        end
+
+        def unix?
+          !windows?
+        end
+
+        def linux?
+          unix? and !mac?
+        end
+
+        def jruby?
+          RUBY_ENGINE == 'jruby'
+        end
       end
     end
   end