RubyGems - contrast-agent - Versions diffs - 4.13.0 → 5.0.0 - Mend

contrast-agent 4.13.0 → 5.0.0

Files changed (390) hide show

data/lib/contrast/agent/request_context.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/timer'
@@ -7,6 +7,9 @@ require 'contrast/agent/response'
 require 'contrast/agent/inventory/database_config'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/utils/request_utils'
+require 'contrast/agent/request_context_extend'
+require 'contrast/agent/reporting/reporting_events/observed_route'
 module Contrast
   module Agent
@@ -24,14 +27,18 @@ module Contrast
     # @attr_reader server_activity [Contrast::Api::Dtm::ServerActivity] the server activity found in this request
     # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
     # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
+    # @attr_reader new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of this
+    # request
     class RequestContext
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
+      include Contrast::Utils::RequestUtils
+      include Contrast::Agent::RequestContextExtend
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
-      attr_reader :activity, :logging_hash, :observed_route, :request, :response, :route, :speedracer_input_analysis,
-                  :server_activity, :timer
+      attr_reader :activity, :logging_hash, :observed_route, :new_observed_route, :request, :response, :route,
+                  :speedracer_input_analysis, :server_activity, :timer
       def initialize rack_request, app_loaded = true
         with_contrast_scope do
@@ -47,8 +54,6 @@ module Contrast
           @server_activity = Contrast::Api::Dtm::ServerActivity.new
-          @observed_route = Contrast::Api::Dtm::ObservedRoute.new
           # build analyzer
           @do_not_track = false
           @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
@@ -64,7 +69,7 @@ module Contrast
             @sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
-          append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
+          handle_routes
         end
       end
@@ -100,98 +105,6 @@ module Contrast
         ::Contrast::ASSESS.enabled?
       end
-      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
-      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
-      #
-      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
-      #   framework
-      def append_route_coverage route
-        return unless route
-        # For our findings
-        @route = route
-        # For SR findings
-        @activity.routes << route
-        # For TS routes
-        @observed_route.signature  = route.route
-        @observed_route.verb       = route.verb
-        @observed_route.url        = route.url if route.url
-        @request.route = route
-        @request.observed_route = @observed_route
-      end
-      # Collect the results for the given rule with the given action
-      #
-      # @param rule [String] the id of the rule to which the results apply
-      # @param response_type [Symbol] the result of the response, matching a value of
-      #   Contrast::Api::Dtm::AttackResult::ResponseType
-      # @return [Array<Contrast::Api::Dtm::AttackResult>]
-      def results_for rule, response_type = nil
-        if response_type.nil?
-          activity.results.select { |r| r.rule_id == rule }
-        else
-          activity.results.select { |r| r.rule_id == rule && r.response == response_type }
-        end
-      end
-      def service_extract_request
-        return false unless ::Contrast::AGENT.enabled?
-        return false unless ::Contrast::PROTECT.enabled?
-        return false if @do_not_track
-        service_response = Contrast::Agent.messaging_queue.send_event_immediately(@activity.http_request)
-        return false unless service_response
-        handle_protect_state(service_response)
-        ia = service_response.input_analysis
-        if ia
-          if logger.trace?
-            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
-            logger.trace('Results', input_analysis: ia.inspect)
-          end
-          @speedracer_input_analysis = ia
-          speedracer_input_analysis.request = request
-        else
-          logger.trace('Analysis from Contrast Service was empty.')
-          false
-        end
-      rescue Contrast::SecurityException => e
-        raise e
-      rescue StandardError => e
-        logger.warn('Unable to extract Contrast Service information from request', e)
-        false
-      end
-      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
-      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
-      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
-      #
-      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
-      def handle_protect_state agent_settings
-        return unless agent_settings&.protect_state
-        state = agent_settings.protect_state
-        @uuid = state.uuid
-        @do_not_track = true unless state.track_request
-        return unless state.security_exception
-        # If Contrast Service has NOT handled the input analysis, handle them here
-        build_attack_results(agent_settings)
-        logger.debug('Contrast Service said to block this request')
-        raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
-      end
-      # append anything we've learned to the request seen message this is the sum-total of all inventory information
-      # that has been accumulated since the last request
-      def extract_after rack_response
-        @response = Contrast::Agent::Response.new(rack_response)
-        activity.http_response = @response.dtm if @sample_res
-      rescue StandardError => e
-        logger.error('Unable to extract information after request', e)
-      end
       def add_property key, value
         @_properties[key] = value
       end
@@ -203,43 +116,19 @@ module Contrast
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
         @server_activity = Contrast::Api::Dtm::ServerActivity.new
-        @observed_route = Contrast::Api::Dtm::ObservedRoute.new
+        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
+        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
       end
       private
-      # Generate attack results directly from any evaluations on the agent settings object.
-      #
-      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
-      def build_attack_results agent_settings
-        return unless agent_settings&.input_analysis&.results&.any?
-        attack_results_by_rule = {}
-        agent_settings.input_analysis.results.each do |ia_result|
-          rule_id = ia_result.rule_id
-          rule = ::Contrast::PROTECT.rule(rule_id)
-          next unless rule
-          if logger.debug?
-            logger.debug('Building attack result from Contrast Service input analysis result',
-                         result: ia_result.inspect)
-          end
-          attack_result = if rule.mode == :BLOCK
-                            # special case for rules (like reflected xss) that used to have an infilter / block mode
-                            # but now are just block at perimeter
-                            rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
-                                                         ia_result.value)
-                          else
-                            rule.build_attack_without_match(self, ia_result, attack_results_by_rule[rule_id])
-                          end
-          attack_results_by_rule[rule_id] = attack_result
-        end
-        attack_results_by_rule.each_pair do |_, attack_result|
-          logger.info('Blocking attack result', rule: attack_result.rule_id)
-          activity.results << attack_result
-        end
+      def handle_routes
+        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
+        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
+        route_dtm = Contrast::Agent.framework_manager.get_route_dtm(@request)
+        new_route_coverage_dtm = Contrast::Agent.framework_manager.get_route_information(@request)
+        append_route_coverage(route_dtm)
+        append_to_new_observed_route(new_route_coverage_dtm)
       end
     end
   end

data/lib/contrast/agent/request_context_extend.rb ADDED Viewed

@@ -0,0 +1,163 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/autocomplete_rule'
+module Contrast
+  module Agent
+    # This class extends RequestContexts: this class acts to encapsulate information about the currently
+    # executed request, making it available to the Agent for the duration of the request in a standardized
+    # and normalized format which the Agent understands.
+    module RequestContextExtend
+      BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
+      #   framework
+      def append_route_coverage route
+        return unless route
+        # For our findings
+        @route = route
+        # For SR findings
+        @activity.routes << route
+        # For TS routes
+        @observed_route.signature  = route.route
+        @observed_route.verb       = route.verb
+        @observed_route.url        = route.url if route.url
+        @request.route = route
+        @request.observed_route = @observed_route
+      end
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      def append_to_new_observed_route route
+        return unless route
+        @new_observed_route.signature  = route.route
+        @new_observed_route.verb       = route.verb
+        @new_observed_route.url        = route.url if route.url
+        @request.new_observed_route = @new_observed_route
+      end
+      # Collect the results for the given rule with the given action
+      #
+      # @param rule [String] the id of the rule to which the results apply
+      # @param response_type [Symbol] the result of the response, matching a value of
+      #   Contrast::Api::Dtm::AttackResult::ResponseType
+      # @return [Array<Contrast::Api::Dtm::AttackResult>]
+      def results_for rule, response_type = nil
+        if response_type.nil?
+          activity.results.select { |r| r.rule_id == rule }
+        else
+          activity.results.select { |r| r.rule_id == rule && r.response == response_type }
+        end
+      end
+      def service_extract_request
+        return false unless ::Contrast::AGENT.enabled?
+        return false unless ::Contrast::PROTECT.enabled?
+        return false if @do_not_track
+        service_response = Contrast::Agent.messaging_queue.send_event_immediately(@activity.http_request)
+        return false unless service_response
+        handle_protect_state(service_response)
+        ia = service_response.input_analysis
+        if ia
+          if logger.trace?
+            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
+            logger.trace('Results', input_analysis: ia.inspect)
+          end
+          @speedracer_input_analysis = ia
+          speedracer_input_analysis.request = request
+        else
+          logger.trace('Analysis from Contrast Service was empty.')
+          false
+        end
+      rescue Contrast::SecurityException => e
+        raise e
+      rescue StandardError => e
+        logger.warn('Unable to extract Contrast Service information from request', e)
+        false
+      end
+      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
+      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
+      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
+      #
+      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
+      def handle_protect_state agent_settings
+        return unless agent_settings&.protect_state
+        state = agent_settings.protect_state
+        @uuid = state.uuid
+        @do_not_track = true unless state.track_request
+        return unless state.security_exception
+        # If Contrast Service has NOT handled the input analysis, handle them here
+        build_attack_results(agent_settings)
+        logger.debug('Contrast Service said to block this request')
+        raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
+      end
+      # append anything we've learned to the request seen message this is the sum-total of all inventory information
+      # that has been accumulated since the last request
+      def extract_after rack_response
+        @response = Contrast::Agent::Response.new(rack_response)
+        activity.http_response = @response.dtm if @sample_res
+        return unless Contrast::Agent::Reporter.enabled?
+        Contrast::Agent::Assess::Rule::Response::Autocomplete.new.analyze(@response)
+      rescue StandardError => e
+        logger.error('Unable to extract information after request', e)
+      end
+      private
+      # Generate attack results directly from any evaluations on the agent settings object.
+      #
+      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
+      def build_attack_results agent_settings
+        return unless agent_settings&.input_analysis&.results&.any?
+        results_by_rule = {}
+        agent_settings.input_analysis.results.each do |ia_result|
+          rule_id = ia_result.rule_id
+          rule = ::Contrast::PROTECT.rule(rule_id)
+          next unless rule
+          logger.debug(BUILD_ATTACK_LOGGER_MESSAGE, result: ia_result.inspect) if logger.debug?
+          results_by_rule[rule_id] = attack_result rule, rule_id, ia_result, results_by_rule
+        end
+        results_by_rule.each_pair do |_, attack_result|
+          logger.info('Blocking attack result', rule: attack_result.rule_id)
+          activity.results << attack_result
+        end
+      end
+      # Generates the attack result
+      #
+      # @param rule [Contrast::Agent::Protect::Rule, Contrast::Agent::Assess::Rule]
+      # @param rule_id [String] String name of the rule
+      # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+      #   analysis of the input that was determined to be an attack
+      # @param results_by_rule [Hash] attack results from any evaluations on the agent settings object.
+      # @return [Contrast::Api::Dtm::AttackResult] the attack result from this input
+      def attack_result rule, rule_id, ia_result, results_by_rule
+        @_attack_result = if rule.mode == :BLOCK
+                            # special case for rules (like reflected xss) that used to have an infilter / block mode
+                            # but now are just block at perimeter
+                            rule.build_attack_with_match(self, ia_result, results_by_rule[rule_id], ia_result.value)
+                          else
+                            rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
+                          end
+      end
+    end
+  end
+end

data/lib/contrast/agent/request_handler.rb CHANGED Viewed

@@ -1,8 +1,10 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/agent/reporting/reporter'
+require 'contrast/agent/reporting/reporting_utilities/dtm_message'
 module Contrast
   module Agent
@@ -19,15 +21,49 @@ module Contrast
         @ruleset = ::Contrast::AGENT.ruleset
       end
-      # TODO: RUBY-1353
+      # Send Activities messages to TS [Contrast::Agent::Reporting::ServerActivity,
+      #                                 Contrast::Api::Dtm::ServerActivity,
+      #                                 Contrast::Api::Dtm::Activity,
+      #                                 Contrast::Api::Dtm::ObservedRoute]
+      # If bypass is enabled use the reporting service if not than the messages are
+      # send with speedracer
       # TODO: RUBY-1355
-      # TODO: RUBY-1357
       # TODO: RUBY-1358
+      # TODO: RUBY-1438 -- remove
       def send_activity_messages
+        events = [context.activity]
+        unless Contrast::Agent::Reporter.enabled?
+          Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
+          events << context.server_activity
+          events << context.observed_route
+        end
+        events.each do |message|
+          Contrast::Agent.messaging_queue&.send_event_eventually(message)
+        end
+      end
+      # reports events[Contrast::Agent::Reporting::ReporterEvent] to TS
+      # This method is used to send our JSON messages directly to TeamServer at the end of each request. As we move
+      # more endpoints over, this method will take the messages originally sent by #send_actiivty_messages. At the end,
+      # that method should be removed.
+      # TODO: RUBY-1358
+      def report_activity
+        return unless Contrast::Agent::Reporter.enabled?
+        reporter = Contrast::Agent.reporter
+        return unless reporter
         Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
-        [context.server_activity, context.activity, context.observed_route].each do |message|
-          Contrast::Agent.messaging_queue.send_event_eventually(message)
+        [
+          context.new_observed_route,
+          Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.server_activity),
+          Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity.library_usages)
+        ].each do |event|
+          reporter.send_event(event)
+        rescue StandardError => e
+          logger.warn('Unable to send Event Activity', e)
         end
+        context.activity.library_usages.clear # TODO: RUBY-1355 remove when no longer using activity
       end
       # If the response is streaming, we should only perform filtering on our stream safe rules

data/lib/contrast/agent/response.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'resolv'
@@ -8,6 +8,7 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
 require 'contrast/components/logger'
+require 'contrast/utils/response_utils'
 module Contrast
   module Agent
@@ -17,6 +18,7 @@ module Contrast
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Response
       include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Utils::ResponseUtils
       extend Forwardable
@@ -27,6 +29,9 @@ module Contrast
         @is_array = !rack_response.is_a?(Rack::Response)
       end
+      # The document type of the response, based on its Content-Type. Can be one of :JSON, :NORMAL, :XML, or nothing.
+      #
+      # @return [Symbol<:XML, :JSON, :NORMAL>, nil]
       def document_type
         case content_type
         when /xml/i
@@ -38,7 +43,10 @@ module Contrast
         end
       end
-      # B/c the response can change, we can't memoize this :(
+      # A form of the Rack::Response which we can report to the Service to be sent to TeamServer for processing. B/c
+      # the response can change, we can't memoize this :(
+      #
+      # @return [Contrast::Api::Dtm::HttpResponse]
       def dtm
         context_response = Contrast::Api::Dtm::HttpResponse.new
         context_response.response_code = response_code.to_i
@@ -53,114 +61,43 @@ module Contrast
         context_response
       end
+      # The response code of this response
+      #
+      # @return [Integer]
       def response_code
         return unless rack_response
         @is_array ? rack_response[0].to_i : rack_response.status
       end
+      # The headers of this response
+      #
+      # @return [Hash, nil]
       def headers
         return unless rack_response
-        if @is_array
-          rack_response[1]
-        else
-          rack_response.headers
-        end
+        @is_array ? rack_response[1] : rack_response.headers
       end
+      # The Content-Type of this response, as set in the headers hash under the key Rack::CONTENT_TYPE
+      #
+      # @return [String, nil]
       def content_type
         return unless rack_response
-        if @is_array
-          headers[Rack::CONTENT_TYPE]
-        else
-          rack_response.content_type
-        end
+        @is_array ? headers[Rack::CONTENT_TYPE] : rack_response.content_type
       end
-      # The response body can change during the request lifecycle
-      # We should not extract it out as a variable here, or we'll miss those
-      # changes.
+      # The response body can change during the request lifecycle, so we have to look it up every time we need it.
+      # We should not extract it out as a variable here, or we'll miss those changes.
+      #
+      # @return [String, nil]
       def body
         return unless rack_response
         body_content = @is_array ? rack_response[2] : rack_response.body
         extract_body(body_content)
       end
-      private
-      # From the dtm for normalized_response_headers:
-      #   Key is UPPERCASE_UNDERSCORE
-      #
-      #   Example: Content-Type: text/html; charset=utf-8
-      #   "CONTENT_TYPE" => Content-Type,["text/html; charset=utf8"]
-      def append_pair map, key, value
-        return unless key && value
-        return if value.is_a?(Hash)
-        safe_key = Contrast::Utils::StringUtils.force_utf8(key)
-        hash_key = Contrast::Utils::StringUtils.normalized_key(safe_key)
-        map[hash_key] ||= Contrast::Api::Dtm::Pair.new
-        map[hash_key].key = safe_key
-        map[hash_key].values << Contrast::Utils::StringUtils.force_utf8(value)
-      end
-      HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
-      # Given some holder of the content of the response's body, extract that
-      # content and return it as a String
-      #
-      # @param body [String, Rack::File, Rack::BodyProxy,
-      #   ActionDispatch::Response::RackBody, Rack::Response] Something that
-      #   holds, wraps, or is the body of the Response
-      # @return [nil, String] the content of the body
-      def extract_body body
-        return unless body
-        if defined?(Rack::File) && body.is_a?(Rack::File)
-          # not sure what to do in this situation, so don't do anything.
-          nil
-        elsif body.is_a?(Rack::BodyProxy)
-          handle_rack_body_proxy(body)
-        elsif (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
-              body.is_a?(Rack::Response)
-          extract_body(body.body)
-        elsif Contrast::Utils::DuckUtils.quacks_to?(body, :each)
-          acc = []
-          body.each { |tmp| acc << read_or_string(tmp) }
-          acc.compact.join(Contrast::Utils::ObjectShare::NEW_LINE)
-        elsif ActionView::OutputBuffer
-          # https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
-          body.to_str
-        else
-          read_or_string(body)
-        end
-      end
-      def handle_rack_body_proxy body
-        next_body = body.instance_variable_get(:@body)
-        case next_body
-        when Array
-          extract_body(next_body[0])
-        else
-          extract_body(next_body)
-        end
-      end
-      def read_or_string obj
-        return unless obj
-        if Contrast::Utils::DuckUtils.quacks_to?(obj, :read)
-          tmp = obj.read
-          obj.rewind
-          tmp
-        else
-          obj.to_s
-        end
-      end
     end
   end
 end

data/lib/contrast/agent/rule_set.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'

data/lib/contrast/agent/scope.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/service_heartbeat.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'