contrast-agent 4.13.0 → 5.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +2 -1
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +1 -1
- data/exe/contrast_service +1 -1
- data/ext/build_funchook.rb +1 -1
- data/ext/cs__assess_array/cs__assess_array.c +1 -1
- data/ext/cs__assess_array/extconf.rb +1 -1
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
- data/ext/cs__assess_basic_object/extconf.rb +1 -1
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_fiber_track/extconf.rb +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +1 -1
- data/ext/cs__assess_hash/extconf.rb +1 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
- data/ext/cs__assess_kernel/extconf.rb +1 -1
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
- data/ext/cs__assess_marshal_module/extconf.rb +1 -1
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_module/extconf.rb +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
- data/ext/cs__assess_regexp/extconf.rb +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +1 -1
- data/ext/cs__assess_string/extconf.rb +1 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
- data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +1 -1
- data/ext/cs__common/cs__common.c +1 -1
- data/ext/cs__common/extconf.rb +1 -1
- data/ext/cs__contrast_patch/cs__contrast_patch.c +1 -1
- data/ext/cs__contrast_patch/extconf.rb +1 -1
- data/ext/cs__os_information/cs__os_information.c +1 -1
- data/ext/cs__os_information/extconf.rb +1 -1
- data/ext/extconf_common.rb +1 -1
- data/lib/contrast/agent/assess/contrast_event.rb +7 -11
- data/lib/contrast/agent/assess/contrast_object.rb +1 -1
- data/lib/contrast/agent/assess/events/event_data.rb +30 -0
- data/lib/contrast/agent/assess/events/event_factory.rb +14 -6
- data/lib/contrast/agent/assess/events/source_event.rb +22 -3
- data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +1 -1
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +7 -7
- data/lib/contrast/agent/assess/policy/patcher.rb +1 -35
- data/lib/contrast/agent/assess/policy/policy.rb +1 -1
- data/lib/contrast/agent/assess/policy/policy_node.rb +7 -7
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +6 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagation_method.rb +55 -28
- data/lib/contrast/agent/assess/policy/propagation_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/append.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/center.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +6 -2
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +5 -2
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +7 -3
- data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +27 -25
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +3 -157
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +190 -0
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +9 -4
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_method.rb +39 -26
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -2
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +68 -18
- data/lib/contrast/agent/assess/policy/trigger_node.rb +15 -7
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +2 -2
- data/lib/contrast/agent/assess/properties.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +25 -12
- data/lib/contrast/agent/assess/property/tagged.rb +52 -58
- data/lib/contrast/agent/assess/property/updated.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +1 -19
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +1 -13
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +42 -60
- data/lib/contrast/agent/assess/rule/provider.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/autocomplete_rule.rb +130 -0
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +117 -0
- data/lib/contrast/agent/assess/tag.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +1 -1
- data/lib/contrast/agent/assess.rb +1 -2
- data/lib/contrast/agent/at_exit_hook.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +13 -8
- data/lib/contrast/agent/deadzone/policy/policy.rb +1 -1
- data/lib/contrast/agent/disable_reaction.rb +1 -1
- data/lib/contrast/agent/exclusion_matcher.rb +1 -1
- data/lib/contrast/agent/inventory/database_config.rb +115 -77
- data/lib/contrast/agent/inventory/dependencies.rb +1 -1
- data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +3 -3
- data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
- data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/inventory.rb +1 -1
- data/lib/contrast/agent/metric_telemetry_event.rb +3 -3
- data/lib/contrast/agent/middleware.rb +8 -77
- data/lib/contrast/agent/module_data.rb +1 -1
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -1
- data/lib/contrast/agent/patching/policy/method_policy.rb +31 -104
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +113 -0
- data/lib/contrast/agent/patching/policy/module_policy.rb +1 -1
- data/lib/contrast/agent/patching/policy/patch.rb +1 -1
- data/lib/contrast/agent/patching/policy/patch_status.rb +2 -26
- data/lib/contrast/agent/patching/policy/patcher.rb +13 -13
- data/lib/contrast/agent/patching/policy/policy.rb +1 -1
- data/lib/contrast/agent/patching/policy/policy_node.rb +1 -1
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/policy.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +1 -1
- data/lib/contrast/agent/protect/rule/base_service.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +1 -1
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +1 -1
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +1 -1
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/no_sqli.rb +1 -1
- data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -1
- data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +1 -1
- data/lib/contrast/agent/protect/rule/xss.rb +1 -1
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +1 -1
- data/lib/contrast/agent/protect/rule/xxe.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +1 -1
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/reporting/report.rb +27 -0
- data/lib/contrast/agent/reporting/reporter.rb +115 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +82 -0
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +80 -0
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +59 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +185 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +264 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +57 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_object.rb +90 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +121 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_signature.rb +105 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_stack.rb +67 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_taint_range.rb +58 -0
- data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +93 -0
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +50 -0
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +54 -0
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +39 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +75 -0
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +47 -0
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +76 -0
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +65 -0
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +52 -0
- data/lib/contrast/agent/reporting/reporting_events/trace_event_source.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +137 -0
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +67 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +165 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +55 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +86 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +154 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +66 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +57 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +196 -0
- data/lib/contrast/agent/reporting/settings/application_settings.rb +67 -0
- data/lib/contrast/agent/reporting/settings/assess.rb +45 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +136 -0
- data/lib/contrast/agent/reporting/settings/exclusions.rb +123 -0
- data/lib/contrast/agent/reporting/settings/protect.rb +89 -0
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +243 -0
- data/lib/contrast/agent/reporting/settings/reaction.rb +30 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +78 -0
- data/lib/contrast/agent/request.rb +46 -84
- data/lib/contrast/agent/request_context.rb +20 -131
- data/lib/contrast/agent/request_context_extend.rb +163 -0
- data/lib/contrast/agent/request_handler.rb +41 -5
- data/lib/contrast/agent/response.rb +25 -88
- data/lib/contrast/agent/rule_set.rb +1 -1
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +1 -1
- data/lib/contrast/agent/startup_metrics_telemetry_event.rb +73 -23
- data/lib/contrast/agent/static_analysis.rb +14 -4
- data/lib/contrast/agent/telemetry.rb +16 -8
- data/lib/contrast/agent/telemetry_event.rb +9 -10
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +32 -6
- data/lib/contrast/agent/tracepoint_hook.rb +1 -4
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent/worker_thread.rb +1 -1
- data/lib/contrast/agent.rb +16 -1
- data/lib/contrast/api/communication/connection_status.rb +11 -8
- data/lib/contrast/api/communication/messaging_queue.rb +38 -4
- data/lib/contrast/api/communication/response_processor.rb +22 -11
- data/lib/contrast/api/communication/service_lifecycle.rb +14 -4
- data/lib/contrast/api/communication/socket.rb +7 -9
- data/lib/contrast/api/communication/socket_client.rb +33 -13
- data/lib/contrast/api/communication/speedracer.rb +38 -2
- data/lib/contrast/api/communication/tcp_socket.rb +5 -4
- data/lib/contrast/api/communication/unix_socket.rb +2 -1
- data/lib/contrast/api/communication.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +1 -1
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +1 -1
- data/lib/contrast/api/decorators/application_update.rb +1 -1
- data/lib/contrast/api/decorators/architecture_component.rb +36 -0
- data/lib/contrast/api/decorators/finding.rb +29 -0
- data/lib/contrast/api/decorators/http_request.rb +3 -2
- data/lib/contrast/api/decorators/input_analysis.rb +1 -1
- data/lib/contrast/api/decorators/instrumentation_mode.rb +1 -1
- data/lib/contrast/api/decorators/library.rb +1 -1
- data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
- data/lib/contrast/api/decorators/message.rb +1 -1
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
- data/lib/contrast/api/decorators/route_coverage.rb +1 -1
- data/lib/contrast/api/decorators/server_features.rb +1 -1
- data/lib/contrast/api/decorators/trace_event.rb +1 -1
- data/lib/contrast/api/decorators/trace_event_object.rb +1 -1
- data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +1 -1
- data/lib/contrast/api/decorators/user_input.rb +1 -1
- data/lib/contrast/api/decorators.rb +2 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/components/agent.rb +5 -24
- data/lib/contrast/components/api.rb +67 -2
- data/lib/contrast/components/app_context.rb +12 -66
- data/lib/contrast/components/app_context_extend.rb +78 -0
- data/lib/contrast/components/assess.rb +12 -8
- data/lib/contrast/components/base.rb +24 -1
- data/lib/contrast/components/config.rb +38 -23
- data/lib/contrast/components/contrast_service.rb +6 -1
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/inventory.rb +5 -1
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/protect.rb +6 -2
- data/lib/contrast/components/sampling.rb +3 -3
- data/lib/contrast/components/scope.rb +1 -1
- data/lib/contrast/components/settings.rb +25 -12
- data/lib/contrast/config/agent_configuration.rb +2 -2
- data/lib/contrast/config/api_configuration.rb +9 -4
- data/lib/contrast/config/api_proxy_configuration.rb +14 -0
- data/lib/contrast/config/application_configuration.rb +3 -4
- data/lib/contrast/config/assess_configuration.rb +4 -4
- data/lib/contrast/config/assess_rules_configuration.rb +1 -1
- data/lib/contrast/config/base_configuration.rb +18 -29
- data/lib/contrast/config/certification_configuration.rb +15 -0
- data/lib/contrast/config/env_variables.rb +3 -10
- data/lib/contrast/config/exception_configuration.rb +1 -1
- data/lib/contrast/config/heap_dump_configuration.rb +7 -7
- data/lib/contrast/config/inventory_configuration.rb +2 -6
- data/lib/contrast/config/logger_configuration.rb +1 -1
- data/lib/contrast/config/protect_configuration.rb +1 -1
- data/lib/contrast/config/protect_rule_configuration.rb +2 -2
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/config/request_audit_configuration.rb +18 -0
- data/lib/contrast/config/root_configuration.rb +1 -1
- data/lib/contrast/config/ruby_configuration.rb +10 -7
- data/lib/contrast/config/sampling_configuration.rb +1 -1
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +2 -3
- data/lib/contrast/config.rb +1 -2
- data/lib/contrast/configuration.rb +2 -3
- data/lib/contrast/extension/assess/array.rb +9 -9
- data/lib/contrast/extension/assess/erb.rb +15 -5
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -1
- data/lib/contrast/extension/assess/exec_trigger.rb +2 -1
- data/lib/contrast/extension/assess/fiber.rb +6 -3
- data/lib/contrast/extension/assess/hash.rb +1 -1
- data/lib/contrast/extension/assess/kernel.rb +8 -3
- data/lib/contrast/extension/assess/marshal.rb +6 -2
- data/lib/contrast/extension/assess/regexp.rb +8 -2
- data/lib/contrast/extension/assess/string.rb +8 -2
- data/lib/contrast/extension/assess.rb +1 -1
- data/lib/contrast/extension/delegator.rb +1 -1
- data/lib/contrast/extension/extension.rb +2 -4
- data/lib/contrast/extension/inventory.rb +1 -1
- data/lib/contrast/extension/kernel.rb +1 -1
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect/psych.rb +1 -1
- data/lib/contrast/extension/protect.rb +1 -1
- data/lib/contrast/extension/thread.rb +32 -13
- data/lib/contrast/framework/base_support.rb +5 -1
- data/lib/contrast/framework/grape/support.rb +25 -1
- data/lib/contrast/framework/manager.rb +33 -36
- data/lib/contrast/framework/manager_extend.rb +50 -0
- data/lib/contrast/framework/platform_version.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rack/patch/support.rb +1 -1
- data/lib/contrast/framework/rack/support.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +1 -1
- data/lib/contrast/framework/rails/railtie.rb +2 -2
- data/lib/contrast/framework/rails/support.rb +46 -2
- data/lib/contrast/framework/sinatra/support.rb +26 -3
- data/lib/contrast/funchook/funchook.rb +21 -18
- data/lib/contrast/logger/application.rb +1 -1
- data/lib/contrast/logger/format.rb +1 -1
- data/lib/contrast/logger/log.rb +9 -104
- data/lib/contrast/logger/request.rb +1 -1
- data/lib/contrast/logger/time.rb +1 -1
- data/lib/contrast/security_exception.rb +1 -1
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +1 -1
- data/lib/contrast/utils/assess/propagation_method_utils.rb +1 -1
- data/lib/contrast/utils/assess/property/tagged_utils.rb +24 -1
- data/lib/contrast/utils/assess/sampling_util.rb +4 -4
- data/lib/contrast/utils/assess/source_method_utils.rb +1 -1
- data/lib/contrast/utils/assess/split_utils.rb +23 -0
- data/lib/contrast/utils/assess/tracking_util.rb +21 -16
- data/lib/contrast/utils/assess/trigger_method_utils.rb +4 -3
- data/lib/contrast/utils/class_util.rb +19 -15
- data/lib/contrast/utils/duck_utils.rb +1 -1
- data/lib/contrast/utils/env_configuration_item.rb +2 -2
- data/lib/contrast/utils/exclude_key.rb +1 -1
- data/lib/contrast/utils/findings.rb +65 -0
- data/lib/contrast/utils/hash_digest.rb +46 -79
- data/lib/contrast/utils/hash_digest_extend.rb +129 -0
- data/lib/contrast/utils/head_dump_utils_extend.rb +74 -0
- data/lib/contrast/utils/heap_dump_util.rb +3 -66
- data/lib/contrast/utils/invalid_configuration_util.rb +32 -2
- data/lib/contrast/utils/io_util.rb +2 -2
- data/lib/contrast/utils/job_servers_running.rb +1 -1
- data/lib/contrast/utils/log_utils.rb +108 -0
- data/lib/contrast/utils/lru_cache.rb +1 -1
- data/lib/contrast/utils/metrics_hash.rb +2 -2
- data/lib/contrast/utils/middleware_utils.rb +87 -0
- data/lib/contrast/utils/net_http_base.rb +165 -0
- data/lib/contrast/utils/object_share.rb +2 -6
- data/lib/contrast/utils/os.rb +9 -5
- data/lib/contrast/utils/patching/policy/patch_utils.rb +63 -99
- data/lib/contrast/utils/patching/policy/patcher_utils.rb +1 -1
- data/lib/contrast/utils/preflight_util.rb +1 -1
- data/lib/contrast/utils/request_utils.rb +96 -0
- data/lib/contrast/utils/resource_loader.rb +1 -1
- data/lib/contrast/utils/response_utils.rb +97 -0
- data/lib/contrast/utils/sha256_builder.rb +1 -1
- data/lib/contrast/utils/stack_trace_utils.rb +1 -1
- data/lib/contrast/utils/string_utils.rb +69 -67
- data/lib/contrast/utils/tag_util.rb +11 -10
- data/lib/contrast/utils/telemetry.rb +11 -10
- data/lib/contrast/utils/telemetry_client.rb +90 -0
- data/lib/contrast/utils/telemetry_identifier.rb +18 -25
- data/lib/contrast/utils/thread_tracker.rb +1 -1
- data/lib/contrast/utils/timer.rb +1 -1
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +1 -1
- data/ruby-agent.gemspec +9 -10
- metadata +102 -49
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +0 -46
- data/ext/cs__assess_active_record_named/cs__active_record_named.h +0 -11
- data/ext/cs__assess_active_record_named/extconf.rb +0 -5
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +0 -95
- data/lib/contrast/agent/class_reopener.rb +0 -258
- data/lib/contrast/agent/rewriter.rb +0 -259
- data/lib/contrast/config/default_value.rb +0 -17
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +0 -37
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +0 -41
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +0 -75
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +0 -35
- data/lib/contrast/utils/requests_client.rb +0 -150
- data/lib/contrast/utils/ruby_ast_rewriter.rb +0 -82
@@ -0,0 +1,185 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'json'
|
5
|
+
require 'contrast/components/logger'
|
6
|
+
require 'contrast/agent/reporting/reporting_events/finding_event'
|
7
|
+
require 'contrast/agent/reporting/reporting_events/finding_request'
|
8
|
+
require 'contrast/agent/reporting/reporting_events/reporting_event'
|
9
|
+
require 'contrast/agent/assess/events/event_data'
|
10
|
+
require 'contrast/utils/timer'
|
11
|
+
|
12
|
+
module Contrast
|
13
|
+
module Agent
|
14
|
+
module Reporting
|
15
|
+
# This is the new Finding class which will include all the needed information for the new reporting system to
|
16
|
+
# relay this information in the Finding/Trace messages. These findings are used by TeamServer to construct the
|
17
|
+
# vulnerability information for the assess feature. They represent those parts of the application, either through
|
18
|
+
# configuration, method invocation, or dataflow, which are determined to be insecure.
|
19
|
+
#
|
20
|
+
# @attr_accessor events [Array<Contrast::Agent::Assess::ContrastEvent>] if a dataflow based finding, the
|
21
|
+
# representation of those method calls which constitute a dangerous code path.
|
22
|
+
# @attr_accessor properties [Hash<String,String>] a set of values that TeamServer can use to provide more context
|
23
|
+
# to the user when rendering the finding. For some findings, a specific set of keys and values are required.
|
24
|
+
# @attr_accessor request [Contrast::Agent::Request, nil] the request, if any, in which this finding occurred
|
25
|
+
# @attr_accessor hash_code [String] the unique identifier of this finding.
|
26
|
+
# @attr_reader rule_id [String] the name of the rule violated; must match those in TeamServer.
|
27
|
+
class Finding < Contrast::Agent::Reporting::ReportingEvent
|
28
|
+
attr_reader :rule_id, :routes, :events, :properties, :request
|
29
|
+
attr_accessor :hash_code
|
30
|
+
|
31
|
+
PROPERTIES_RULES = ['autocomplete-missing'].cs__freeze
|
32
|
+
|
33
|
+
class << self
|
34
|
+
# @param finding_dtm [Contrast::Api::Dtm::Finding]
|
35
|
+
# @return [Contrast::Agent::Reporting::Finding]
|
36
|
+
def convert finding_dtm
|
37
|
+
report = new(finding_dtm.rule_id)
|
38
|
+
report.attach_property_data(finding_dtm)
|
39
|
+
report
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
def initialize rule_id
|
44
|
+
@event_method = :PUT
|
45
|
+
@event_endpoint = "#{ Contrast::API.api_url }/api/ng/traces"
|
46
|
+
@events = []
|
47
|
+
@routes = []
|
48
|
+
@rule_id = Contrast::Utils::StringUtils.truncate(rule_id)
|
49
|
+
@properties = {}
|
50
|
+
super()
|
51
|
+
end
|
52
|
+
|
53
|
+
# Some reports require specific additional headers to be used. To that end, we'll attach them here, letting
|
54
|
+
# each handle their own.
|
55
|
+
#
|
56
|
+
# @param request [Net::HTTPRequest]
|
57
|
+
def attach_headers request
|
58
|
+
request['Report-Hash'] = hash_code
|
59
|
+
end
|
60
|
+
|
61
|
+
# @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
|
62
|
+
# trigger event
|
63
|
+
# @param source [Object] the source of the Trigger Event
|
64
|
+
# @param object [Object] the Object on which the method was invoked
|
65
|
+
# @param ret [Object] the Return of the invoked method
|
66
|
+
# @param request [Contrast::Agent::Request]
|
67
|
+
# @param args [Array<Object>] the Arguments with which the method was invoked
|
68
|
+
def attach_data trigger_node, source, object, ret, request, *args
|
69
|
+
event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
|
70
|
+
event_msgs = Contrast::Agent::Reporting::FindingEvent.from_source(source)
|
71
|
+
events.concat(event_msgs) if event_msgs
|
72
|
+
if request
|
73
|
+
@request = Contrast::Agent::Reporting::FindingRequest.convert(request)
|
74
|
+
@routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request&.route)
|
75
|
+
end
|
76
|
+
events << Contrast::Agent::Assess::ContrastEvent.new(event_data)
|
77
|
+
attach_properties
|
78
|
+
end
|
79
|
+
|
80
|
+
# Attach the data from a Contrast::Api::Dtm::Finding required for property based findings generated during
|
81
|
+
# response analysis.
|
82
|
+
#
|
83
|
+
# @param finding_dtm [Contrast::Api::Dtm::Finding]
|
84
|
+
def attach_property_data finding_dtm
|
85
|
+
@created = Contrast::Utils::Timer.now_ms
|
86
|
+
@hash_code = finding_dtm.hash_code
|
87
|
+
@rule_id = finding_dtm.rule_id
|
88
|
+
finding_dtm.properties.each_pair do |key, value|
|
89
|
+
@properties[key] = value
|
90
|
+
end
|
91
|
+
finding_dtm.routes.each do |route|
|
92
|
+
@routes << Contrast::Agent::Reporting::RouteDiscovery.convert(route)
|
93
|
+
end
|
94
|
+
request = Contrast::Agent::REQUEST_TRACKER.current&.activity&.http_request
|
95
|
+
@request = Contrast::Agent::Reporting::FindingRequest.convert(request) if request
|
96
|
+
end
|
97
|
+
|
98
|
+
# Convert the instance variables on the class, and other information, into the identifiers required for
|
99
|
+
# TeamServer to process the JSON form of this message.
|
100
|
+
#
|
101
|
+
# @return [Hash]
|
102
|
+
# @raise [ArgumentError]
|
103
|
+
def to_controlled_hash
|
104
|
+
validate
|
105
|
+
hsh = {
|
106
|
+
created: @created,
|
107
|
+
hash: hash_code,
|
108
|
+
ruleId: @rule_id,
|
109
|
+
session_id: @agent_session_id_value,
|
110
|
+
version: 4
|
111
|
+
}
|
112
|
+
hsh[:events] = events if event_based?
|
113
|
+
hsh[:evidence] = @evidence unless event_based? || property_based?
|
114
|
+
hsh[:properties] = properties if property_based?
|
115
|
+
hsh[:tags] = Contrast::ASSESS.tags if Contrast::ASSESS.tags
|
116
|
+
if request_based?
|
117
|
+
hsh[:request] = request
|
118
|
+
hsh[:routes] = routes
|
119
|
+
end
|
120
|
+
hsh
|
121
|
+
end
|
122
|
+
|
123
|
+
# @raise [ArgumentError]
|
124
|
+
def validate
|
125
|
+
raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
|
126
|
+
|
127
|
+
if event_based? && events.empty?
|
128
|
+
raise(ArgumentError, "#{ self } did not have proper events. Unable to continue.")
|
129
|
+
end
|
130
|
+
if property_based? && properties.empty?
|
131
|
+
raise(ArgumentError, "#{ self } did not have proper properties. Unable to continue.")
|
132
|
+
end
|
133
|
+
return unless request_based? && request.nil?
|
134
|
+
|
135
|
+
raise(ArgumentError, "#{ self } did not have a proper request. Unable to continue.")
|
136
|
+
end
|
137
|
+
|
138
|
+
private
|
139
|
+
|
140
|
+
# Our events have properties on them. To report them to TeamServer, we need to pull them from our object up to
|
141
|
+
# the Contrast::Agent::Reporting::Finding level.
|
142
|
+
#
|
143
|
+
# TODO: RUBY-99999 put properties on events, not just on DTM
|
144
|
+
def attach_properties; end
|
145
|
+
|
146
|
+
def build_events events, event
|
147
|
+
return unless event
|
148
|
+
|
149
|
+
event.parent_events&.each do |parent_event|
|
150
|
+
build_events(events, parent_event)
|
151
|
+
end
|
152
|
+
events << event
|
153
|
+
end
|
154
|
+
|
155
|
+
# Rules which are event based must have an event to be sent to TeamServer. They include the Trigger, Regexp,
|
156
|
+
# and Data flow type Rules, meaning all those which are not Properties based. Eventually, we may have
|
157
|
+
# validation for each of those types; however, that's a refactor for after we've translated all rules from the
|
158
|
+
# Service and have had time to build proper child structure.
|
159
|
+
#
|
160
|
+
# @return [Boolean]
|
161
|
+
def event_based?
|
162
|
+
!property_based?
|
163
|
+
end
|
164
|
+
|
165
|
+
# Rules which are property based must have a property to be sent to TeamServer. Eventually, each rule may own
|
166
|
+
# its own validation, as the properties each needs are different; however, that's a refactor for after we've
|
167
|
+
# translated all rules from the Service and have had time to build proper child structure.
|
168
|
+
#
|
169
|
+
# @return [Boolean]
|
170
|
+
def property_based?
|
171
|
+
PROPERTIES_RULES.include?(@rule_id)
|
172
|
+
end
|
173
|
+
|
174
|
+
# Rules which are request based must have a request to be sent to TeamServer. Most rules fit this category, so
|
175
|
+
# we'll default to true for now. Eventually, this will be split out for those rules, like Hardcoded, which do
|
176
|
+
# not need requests.
|
177
|
+
#
|
178
|
+
# @return [Boolean]
|
179
|
+
def request_based?
|
180
|
+
true
|
181
|
+
end
|
182
|
+
end
|
183
|
+
end
|
184
|
+
end
|
185
|
+
end
|
@@ -0,0 +1,264 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/reporting/reporting_events/finding_event_source'
|
5
|
+
require 'contrast/agent/reporting/reporting_events/finding_object'
|
6
|
+
require 'contrast/agent/reporting/reporting_events/finding_stack'
|
7
|
+
require 'contrast/agent/reporting/reporting_events/finding_taint_range'
|
8
|
+
|
9
|
+
module Contrast
|
10
|
+
module Agent
|
11
|
+
module Reporting
|
12
|
+
# This is the new Finding class which will include all the needed information for the new reporting system to
|
13
|
+
# relay this information in the Finding/Trace messages. These findings are used by TeamServer to construct the
|
14
|
+
# vulnerability information for the assess feature. They represent those parts of the application, either through
|
15
|
+
# configuration, method invocation, or dataflow, which are determined to be insecure.
|
16
|
+
#
|
17
|
+
# @attr_reader action [String] what the event did; CREATION, A2O, A2P, A2A, A2R, O2A, O2O, O2P, O2R, P2A, P2O,
|
18
|
+
# P2P, P2R, TAG, TRIGGER.
|
19
|
+
# @attr_reader args [Array<Contrast::Agent::Reporting::FindingObject>] the arguments passed to the method.
|
20
|
+
# @attr_reader code [nil] unused.
|
21
|
+
# @attr_reader event_id [Integer] the id of this event.
|
22
|
+
# @attr_reader event_sources [Array<Contrast::Agent::Reporting::FindingEventSource>] the source of taint
|
23
|
+
# @attr_reader field_name [nil] unused.
|
24
|
+
# @attr_reader object [Contrast::Agent::Reporting::FindingEventSource] the object this method was invoked on.
|
25
|
+
# @attr_reader parent_object_ids [Array<Integer>]
|
26
|
+
# @attr_reader properties [Hash<String,String]
|
27
|
+
# @attr_reader ret [Contrast::Agent::Reporting::FindingObject] the return of the method.
|
28
|
+
# @attr_reader signature [Contrast::Agent::Reporting::FindingSignature] the signature of the method.
|
29
|
+
# @attr_reader source [String] the source of the taint from the method; ^(O|R|P\d+)$
|
30
|
+
# @attr_reader stack [Array<Contrast::Agent::Reporting::FindingStack>]
|
31
|
+
# @attr_reader tags [Array<String>] description of what's happened to the data
|
32
|
+
# @attr_reader taint_ranges [Array<Contrast::Agent::Reporting::FindingTaintRange>] the tags and spans of the
|
33
|
+
# source that are tracked
|
34
|
+
# @attr_reader target [String] the target of the taint from the method; ^(O|R|P\d+)$
|
35
|
+
# @attr_reader thread [String] the id of the thread on which the method was invoked
|
36
|
+
# @attr_reader time [Integer] the time, in ms, when the event was generated
|
37
|
+
# @attr_reader type [String] the type of event; METHOD, PROPAGATION, TAG
|
38
|
+
class FindingEvent
|
39
|
+
attr_reader :action, :args, :code, :event_id, :event_sources, :field_name, :object, :parent_object_ids,
|
40
|
+
:properties, :ret, :signature, :source, :stack, :tags, :taint_ranges, :target, :thread, :time,
|
41
|
+
:type
|
42
|
+
|
43
|
+
class << self
|
44
|
+
# Find all the events leading up to the given source and return an array of FindingEvents
|
45
|
+
#
|
46
|
+
# @param source [Object] something that may have been tracked
|
47
|
+
# @return [Array<Contrast::Agent::Reporting::FindingEvent>]
|
48
|
+
def from_source source
|
49
|
+
return unless source && (props = Contrast::Agent::Assess::Tracker.properties(source))
|
50
|
+
|
51
|
+
build_events([], props.event) if props&.event
|
52
|
+
end
|
53
|
+
|
54
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
55
|
+
# @return [Contrast::Agent::Reporting::FindingEvent]
|
56
|
+
def convert event
|
57
|
+
report = new
|
58
|
+
report.attach_data(event)
|
59
|
+
report
|
60
|
+
end
|
61
|
+
|
62
|
+
private
|
63
|
+
|
64
|
+
# Pull the parent events from the given event, generating an array of FindingEvents, passing back the given
|
65
|
+
# array of events after populating it.
|
66
|
+
#
|
67
|
+
# @param events [Array<Contrast::Agent::Reporting::FindingEvent>]
|
68
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
69
|
+
# @return [Array<Contrast::Agent::Reporting::FindingEvent>]
|
70
|
+
def build_events events, event
|
71
|
+
return unless event
|
72
|
+
|
73
|
+
event.parent_events&.each do |parent_event|
|
74
|
+
build_events(finding, parent_event)
|
75
|
+
end
|
76
|
+
events << convert(event)
|
77
|
+
events
|
78
|
+
end
|
79
|
+
end
|
80
|
+
|
81
|
+
# Parse the data from a Contrast::Agent::Assess::ContrastEvent to attach what is required for reporting to
|
82
|
+
# TeamServer to this Contrast::Agent::Reporting::FindingEvent
|
83
|
+
#
|
84
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
85
|
+
def attach_data event
|
86
|
+
@event_id = event.event_id
|
87
|
+
@time = event.time.to_i
|
88
|
+
@thread = event.thread
|
89
|
+
display_params!(event)
|
90
|
+
dataflow!(event)
|
91
|
+
event_sources!(event)
|
92
|
+
@signature = Contrast::Agent::Reporting::FindingSignature.convert(event)
|
93
|
+
stack!(event)
|
94
|
+
parent_ids!(event)
|
95
|
+
properties!(event)
|
96
|
+
end
|
97
|
+
|
98
|
+
# Convert the instance variables on the class, and other information, into the identifiers required for
|
99
|
+
# TeamServer to process the JSON form of this message.
|
100
|
+
#
|
101
|
+
# @return [Hash]
|
102
|
+
# @raise [ArgumentError]
|
103
|
+
def to_controlled_hash
|
104
|
+
validate
|
105
|
+
{
|
106
|
+
action: action,
|
107
|
+
args: args,
|
108
|
+
# code: code, # Unused by our agent
|
109
|
+
eventId: event_id,
|
110
|
+
eventSources: event_sources,
|
111
|
+
# fieldName: field_name, # Unused by our agent
|
112
|
+
object: object,
|
113
|
+
parentObjectIds: parent_object_ids,
|
114
|
+
properties: properties,
|
115
|
+
ret: ret,
|
116
|
+
signature: signature,
|
117
|
+
source: source,
|
118
|
+
stack: stack,
|
119
|
+
tags: tags,
|
120
|
+
taintRanges: taint_ranges,
|
121
|
+
target: target,
|
122
|
+
thread: thread,
|
123
|
+
time: time,
|
124
|
+
type: type
|
125
|
+
}
|
126
|
+
end
|
127
|
+
|
128
|
+
# @raise [ArgumentError]
|
129
|
+
def validate
|
130
|
+
validate_base
|
131
|
+
validate_dataflow
|
132
|
+
end
|
133
|
+
|
134
|
+
private
|
135
|
+
|
136
|
+
# Find the action and type of this event, used by TeamServer to display type of the event and the
|
137
|
+
# transformation if made.
|
138
|
+
#
|
139
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
140
|
+
def display_params! event
|
141
|
+
@action = event.policy_node.build_action
|
142
|
+
@type = event.policy_node.node_type
|
143
|
+
end
|
144
|
+
|
145
|
+
# Build the dataflow components of this FindingEvent.
|
146
|
+
#
|
147
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
148
|
+
def dataflow! event
|
149
|
+
taint_target = taint_target!(event)
|
150
|
+
truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
|
151
|
+
@object = Contrast::Agent::Reporting::FindingObject.convert(event.object, truncate_obj)
|
152
|
+
truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
|
153
|
+
@ret = Contrast::Agent::Reporting::FindingObject.convert(event.ret, truncate_ret)
|
154
|
+
event_args!(event, taint_target)
|
155
|
+
taint_ranges!(event)
|
156
|
+
end
|
157
|
+
|
158
|
+
# Convert the arguments of the given ContrastEvent to the reportable form for this FindingEvent. We'll
|
159
|
+
# truncate any argument that isn't the taint target of this event.
|
160
|
+
#
|
161
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
162
|
+
# @param taint_target [String,nil] the target of the taint in this event.
|
163
|
+
def event_args! event, taint_target
|
164
|
+
@args = []
|
165
|
+
idx = 0
|
166
|
+
while idx < event.args.length
|
167
|
+
@args << Contrast::Agent::Reporting::FindingObject.convert(event.args[idx], taint_target != idx)
|
168
|
+
idx += 1
|
169
|
+
end
|
170
|
+
end
|
171
|
+
|
172
|
+
# Convert the sources of the event to sources here
|
173
|
+
#
|
174
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
175
|
+
def event_sources! event
|
176
|
+
@event_sources = []
|
177
|
+
return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
|
178
|
+
|
179
|
+
event_sources << Contrast::Agent::Reporting::FindingEventSource.convert(event)
|
180
|
+
end
|
181
|
+
|
182
|
+
# Convert the parent id's of the given ContrastEvent to the reportable form for this FindingEvent.
|
183
|
+
#
|
184
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
185
|
+
def parent_ids! event
|
186
|
+
@parent_object_ids = []
|
187
|
+
event.parent_events&.each do |parent_event|
|
188
|
+
parent_object_ids << parent_event.event_id.to_i
|
189
|
+
end
|
190
|
+
end
|
191
|
+
|
192
|
+
# Convert the properties of the given ContrastEvent to the reportable form for this FindingEvent.
|
193
|
+
# TODO: RUBY-99999 How do properties get to events? Do they? I thought Stored-XSS needed it.
|
194
|
+
#
|
195
|
+
# @param _event [Contrast::Agent::Assess::ContrastEvent]
|
196
|
+
def properties! _event
|
197
|
+
@properties = {}
|
198
|
+
end
|
199
|
+
|
200
|
+
# Convert the stack of the given ContrastEvent to the reportable form for this FindingEvent.
|
201
|
+
#
|
202
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
203
|
+
def stack! event
|
204
|
+
@stack = []
|
205
|
+
event.stack_trace.each do |stack_event|
|
206
|
+
if (report = Contrast::Agent::Reporting::FindingStack.convert(stack_event))
|
207
|
+
stack << report
|
208
|
+
end
|
209
|
+
end
|
210
|
+
end
|
211
|
+
|
212
|
+
# Convert the taint ranges of the given ContrastEvent to the reportable form for this FindingEvent.
|
213
|
+
#
|
214
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
215
|
+
def taint_ranges! event
|
216
|
+
@tags = []
|
217
|
+
@taint_ranges = []
|
218
|
+
event&.tags&.each_pair do |tag_key, tag_ranges|
|
219
|
+
tags << tag_key
|
220
|
+
tag_ranges.each { |range| taint_ranges << Contrast::Agent::Reporting::FindingTaintRange.convert(range) }
|
221
|
+
end
|
222
|
+
end
|
223
|
+
|
224
|
+
# Find the source and target for this FindingEvent based on the provided event.
|
225
|
+
#
|
226
|
+
# @param event [Contrast::Agent::Assess::ContrastEvent]
|
227
|
+
# @return [String,nil] the target of the taint in this event.
|
228
|
+
def taint_target! event
|
229
|
+
return unless (node = event.policy_node)
|
230
|
+
|
231
|
+
@source = node.source_string if node.source_string
|
232
|
+
@target = node.target_string if node.target_string
|
233
|
+
return node.targets[0] if node.targets&.any?
|
234
|
+
|
235
|
+
node.sources[0] if node.sources&.any?
|
236
|
+
end
|
237
|
+
|
238
|
+
# @raise [ArgumentError]
|
239
|
+
def validate_base
|
240
|
+
raise(ArgumentError, "#{ self } did not have a proper action. Unable to continue.") unless action
|
241
|
+
raise(ArgumentError, "#{ self } did not have a proper eventId. Unable to continue.") unless event_id
|
242
|
+
raise(ArgumentError, "#{ self } did not have a proper thread. Unable to continue.") unless thread
|
243
|
+
raise(ArgumentError, "#{ self } did not have a proper time. Unable to continue.") unless time
|
244
|
+
raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type
|
245
|
+
end
|
246
|
+
|
247
|
+
# @raise [ArgumentError]
|
248
|
+
def validate_dataflow
|
249
|
+
unless parent_object_ids
|
250
|
+
raise(ArgumentError, "#{ self } did not have a proper parentObjectIds. Unable to continue.")
|
251
|
+
end
|
252
|
+
unless taint_ranges && !taint_ranges.empty?
|
253
|
+
raise(ArgumentError, "#{ self } did not have a proper taintRanges. Unable to continue.")
|
254
|
+
end
|
255
|
+
raise(ArgumentError, "#{ self } did not have a proper args. Unable to continue.") unless args
|
256
|
+
raise(ArgumentError, "#{ self } did not have a proper object. Unable to continue.") unless object
|
257
|
+
raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature
|
258
|
+
raise(ArgumentError, "#{ self } did not have a proper stack. Unable to continue.") unless stack
|
259
|
+
raise(ArgumentError, "#{ self } did not have a proper tags. Unable to continue.") unless tags && !tags.empty?
|
260
|
+
end
|
261
|
+
end
|
262
|
+
end
|
263
|
+
end
|
264
|
+
end
|
@@ -0,0 +1,57 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'base64'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
# This is the new FindingEventSource class which will include all the needed information for the new reporting
|
10
|
+
# system to relay this information in the Finding/Trace messages. These FindingEventSource are used by TeamServer
|
11
|
+
# to construct the vulnerability information for the assess feature. They indicate the type of data that the
|
12
|
+
# event represents.
|
13
|
+
#
|
14
|
+
# @attr_reader name [String] the name of the source
|
15
|
+
# @attr_reader type [String] the type of the source
|
16
|
+
class FindingEventSource
|
17
|
+
attr_reader :name, :type
|
18
|
+
|
19
|
+
class << self
|
20
|
+
# @param event [Contrast::Agent::Assess::Events::SourceEvent] the event to pull the source off of
|
21
|
+
# @return [Contrast::Agent::Reporting::FindingObject]
|
22
|
+
def convert event
|
23
|
+
report = new
|
24
|
+
report.attach_data(event)
|
25
|
+
report
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
# Parse the data from a Contrast::Agent::Assess::Events::SourceEvent to attach what is required for reporting
|
30
|
+
# to TeamServer to this Contrast::Agent::Reporting::FindingEventSource
|
31
|
+
#
|
32
|
+
# @param event [Contrast::Agent::Assess::Events::SourceEvent] the event to pull the source off of
|
33
|
+
def attach_data event
|
34
|
+
@name = event.source_name
|
35
|
+
@type = event.source_type
|
36
|
+
end
|
37
|
+
|
38
|
+
# Convert the instance variables on the class, and other information, into the identifiers required for
|
39
|
+
# TeamServer to process the JSON form of this message.
|
40
|
+
#
|
41
|
+
# @return [Hash]
|
42
|
+
# @raise [ArgumentError]
|
43
|
+
def to_controlled_hash
|
44
|
+
validate
|
45
|
+
{
|
46
|
+
name: name, # rubocop:disable Security/Module/Name
|
47
|
+
type: type
|
48
|
+
}
|
49
|
+
end
|
50
|
+
|
51
|
+
def validate
|
52
|
+
raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type && !type.empty?
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
@@ -0,0 +1,90 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'base64'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
# This is the new FindingObject class which will include all the needed information for the new reporting system
|
10
|
+
# to relay this information in the Finding/Trace messages. These FindingObjects are used by TeamServer to
|
11
|
+
# construct the vulnerability information for the assess feature. They represent those parts of the objects that
|
12
|
+
# were acted on in a Dataflow Finding.
|
13
|
+
#
|
14
|
+
# @attr_reader hash [String] the id of the Object this represents.
|
15
|
+
# @attr_reader tracked [Boolean] if the Object this represents is tracked or not.
|
16
|
+
# @attr_reader value [String] the base64 of the human readable representation of the Object this represents.
|
17
|
+
class FindingObject
|
18
|
+
attr_reader :hash, :tracked, :value
|
19
|
+
|
20
|
+
# We'll truncate any object that isn't important to the taint ranges of this event, so that we don't murder
|
21
|
+
# TeamServer by, for instance, hypothetically sending the entire rendered HTML page >_> <_< >_>
|
22
|
+
ELLIPSIS = '...'
|
23
|
+
UNTRUNCATED_PORTION_LENGTH = 25
|
24
|
+
TRUNCATION_LENGTH = (UNTRUNCATED_PORTION_LENGTH * 2) + ELLIPSIS.length
|
25
|
+
|
26
|
+
class << self
|
27
|
+
# @param object [Contrast::Agent::Assess::ContrastObject] the object to translate
|
28
|
+
# @param truncate [Boolean] if the value of this FindingObject should be truncated or not
|
29
|
+
# @return [Contrast::Agent::Reporting::FindingObject]
|
30
|
+
def convert object, truncate
|
31
|
+
report = new
|
32
|
+
report.attach_data(object, truncate)
|
33
|
+
report
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
# Parse the data from a Contrast::Agent::Assess::ContrastObject to attach what is required for reporting to
|
38
|
+
# TeamServer to this Contrast::Agent::Reporting::FindingObject
|
39
|
+
#
|
40
|
+
# @param object [Contrast::Agent::Assess::ContrastObject]
|
41
|
+
def attach_data object, truncate
|
42
|
+
@hash = object.__id__
|
43
|
+
@tracked = object.tracked?
|
44
|
+
@value = reportable_value(object.object, truncate)
|
45
|
+
end
|
46
|
+
|
47
|
+
# Convert the instance variables on the class, and other information, into the identifiers required for
|
48
|
+
# TeamServer to process the JSON form of this message.
|
49
|
+
#
|
50
|
+
# @return [Hash]
|
51
|
+
# @raise [ArgumentError]
|
52
|
+
def to_controlled_hash
|
53
|
+
validate
|
54
|
+
{
|
55
|
+
hash: hash,
|
56
|
+
tracked: tracked,
|
57
|
+
value: value
|
58
|
+
}
|
59
|
+
end
|
60
|
+
|
61
|
+
def validate
|
62
|
+
raise(ArgumentError, "#{ self } did not have a proper hash. Unable to continue.") unless hash && !hash.empty?
|
63
|
+
raise(ArgumentError, "#{ self } did not have a proper tracked. Unable to continue.") if tracked.nil?
|
64
|
+
return unless value && !value.empty?
|
65
|
+
|
66
|
+
raise(ArgumentError, "#{ self } did not have a proper value. Unable to continue.")
|
67
|
+
end
|
68
|
+
|
69
|
+
private
|
70
|
+
|
71
|
+
# Parse, truncate, and translate the given value to be reported to TeamServer. The field is expected to be
|
72
|
+
# base64 encoded.
|
73
|
+
#
|
74
|
+
# @param value [String] the contrast_string of the object this represents.
|
75
|
+
# @param truncate [Boolean] if the string should be truncated or not.
|
76
|
+
# @return [String]
|
77
|
+
def reportable_value value, truncate
|
78
|
+
if truncate && value.length > TRUNCATION_LENGTH
|
79
|
+
tmp = []
|
80
|
+
tmp << value[0, UNTRUNCATED_PORTION_LENGTH]
|
81
|
+
tmp << ELLIPSIS
|
82
|
+
tmp << value[value.length - UNTRUNCATED_PORTION_LENGTH, UNTRUNCATED_PORTION_LENGTH]
|
83
|
+
value = tmp.join
|
84
|
+
end
|
85
|
+
Base64.strict_encode64(value)
|
86
|
+
end
|
87
|
+
end
|
88
|
+
end
|
89
|
+
end
|
90
|
+
end
|