contrast-agent 4.3.0 → 4.5.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (315) hide show
  1. checksums.yaml +4 -4
  2. data/.simplecov +1 -1
  3. data/Gemfile +1 -1
  4. data/LICENSE.txt +1 -1
  5. data/Rakefile +1 -1
  6. data/exe/contrast_service +1 -1
  7. data/ext/build_funchook.rb +1 -1
  8. data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
  9. data/ext/cs__assess_active_record_named/extconf.rb +1 -1
  10. data/ext/cs__assess_array/cs__assess_array.c +1 -1
  11. data/ext/cs__assess_array/extconf.rb +1 -1
  12. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
  13. data/ext/cs__assess_basic_object/extconf.rb +1 -1
  14. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  15. data/ext/cs__assess_fiber_track/extconf.rb +1 -1
  16. data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
  17. data/ext/cs__assess_hash/extconf.rb +1 -1
  18. data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
  19. data/ext/cs__assess_kernel/extconf.rb +1 -1
  20. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
  21. data/ext/cs__assess_marshal_module/extconf.rb +1 -1
  22. data/ext/cs__assess_module/cs__assess_module.c +1 -1
  23. data/ext/cs__assess_module/extconf.rb +1 -1
  24. data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
  25. data/ext/cs__assess_regexp/extconf.rb +1 -1
  26. data/ext/cs__assess_string/cs__assess_string.c +1 -1
  27. data/ext/cs__assess_string/extconf.rb +1 -1
  28. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
  29. data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
  30. data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
  31. data/ext/cs__assess_yield_track/extconf.rb +1 -1
  32. data/ext/cs__common/cs__common.c +5 -5
  33. data/ext/cs__common/cs__common.h +4 -4
  34. data/ext/cs__common/extconf.rb +1 -1
  35. data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
  36. data/ext/cs__contrast_patch/extconf.rb +1 -1
  37. data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
  38. data/ext/cs__protect_kernel/extconf.rb +1 -1
  39. data/ext/extconf_common.rb +1 -1
  40. data/lib/contrast-agent.rb +1 -1
  41. data/lib/contrast.rb +20 -1
  42. data/lib/contrast/agent.rb +6 -2
  43. data/lib/contrast/agent/assess.rb +1 -10
  44. data/lib/contrast/agent/assess/contrast_event.rb +54 -71
  45. data/lib/contrast/agent/assess/contrast_object.rb +6 -3
  46. data/lib/contrast/agent/assess/events/event_factory.rb +1 -1
  47. data/lib/contrast/agent/assess/events/source_event.rb +7 -2
  48. data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
  49. data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
  50. data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +30 -15
  51. data/lib/contrast/agent/assess/policy/patcher.rb +1 -1
  52. data/lib/contrast/agent/assess/policy/policy.rb +1 -1
  53. data/lib/contrast/agent/assess/policy/policy_node.rb +1 -1
  54. data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
  55. data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
  56. data/lib/contrast/agent/assess/policy/propagation_method.rb +30 -19
  57. data/lib/contrast/agent/assess/policy/propagation_node.rb +1 -1
  58. data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
  59. data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
  60. data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
  61. data/lib/contrast/agent/assess/policy/propagator/center.rb +1 -1
  62. data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
  63. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
  64. data/lib/contrast/agent/assess/policy/propagator/insert.rb +1 -1
  65. data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
  66. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +1 -1
  67. data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
  68. data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
  69. data/lib/contrast/agent/assess/policy/propagator/remove.rb +1 -1
  70. data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
  71. data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
  72. data/lib/contrast/agent/assess/policy/propagator/select.rb +1 -1
  73. data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
  74. data/lib/contrast/agent/assess/policy/propagator/split.rb +15 -8
  75. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +31 -15
  76. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  77. data/lib/contrast/agent/assess/policy/rewriter_patch.rb +1 -1
  78. data/lib/contrast/agent/assess/policy/source_method.rb +87 -76
  79. data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
  80. data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
  81. data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +1 -1
  82. data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +3 -3
  83. data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
  84. data/lib/contrast/agent/assess/policy/trigger_method.rb +106 -64
  85. data/lib/contrast/agent/assess/policy/trigger_node.rb +31 -10
  86. data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +59 -0
  87. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -3
  88. data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
  89. data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +3 -5
  90. data/lib/contrast/agent/assess/properties.rb +1 -3
  91. data/lib/contrast/agent/assess/property/evented.rb +1 -1
  92. data/lib/contrast/agent/assess/property/tagged.rb +38 -20
  93. data/lib/contrast/agent/assess/property/updated.rb +1 -1
  94. data/lib/contrast/agent/assess/rule/provider.rb +1 -1
  95. data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +1 -1
  96. data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +1 -1
  97. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +1 -1
  98. data/lib/contrast/agent/assess/tag.rb +1 -1
  99. data/lib/contrast/agent/assess/tracker.rb +2 -2
  100. data/lib/contrast/agent/at_exit_hook.rb +1 -1
  101. data/lib/contrast/agent/class_reopener.rb +1 -1
  102. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
  103. data/lib/contrast/agent/deadzone/policy/policy.rb +1 -1
  104. data/lib/contrast/agent/disable_reaction.rb +1 -1
  105. data/lib/contrast/agent/exclusion_matcher.rb +1 -1
  106. data/lib/contrast/agent/inventory.rb +1 -2
  107. data/lib/contrast/agent/inventory/dependencies.rb +1 -1
  108. data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
  109. data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
  110. data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
  111. data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
  112. data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
  113. data/lib/contrast/agent/middleware.rb +87 -58
  114. data/lib/contrast/agent/module_data.rb +1 -1
  115. data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
  116. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +5 -1
  117. data/lib/contrast/agent/patching/policy/method_policy.rb +1 -1
  118. data/lib/contrast/agent/patching/policy/module_policy.rb +1 -1
  119. data/lib/contrast/agent/patching/policy/patch.rb +8 -6
  120. data/lib/contrast/agent/patching/policy/patch_status.rb +2 -2
  121. data/lib/contrast/agent/patching/policy/patcher.rb +59 -54
  122. data/lib/contrast/agent/patching/policy/policy.rb +1 -1
  123. data/lib/contrast/agent/patching/policy/policy_node.rb +1 -1
  124. data/lib/contrast/agent/patching/policy/trigger_node.rb +6 -3
  125. data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +1 -1
  126. data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +1 -1
  127. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +1 -1
  128. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
  129. data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -1
  130. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
  131. data/lib/contrast/agent/protect/policy/policy.rb +1 -1
  132. data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
  133. data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
  134. data/lib/contrast/agent/protect/rule.rb +1 -1
  135. data/lib/contrast/agent/protect/rule/base.rb +7 -18
  136. data/lib/contrast/agent/protect/rule/base_service.rb +2 -2
  137. data/lib/contrast/agent/protect/rule/cmd_injection.rb +2 -2
  138. data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
  139. data/lib/contrast/agent/protect/rule/deserialization.rb +1 -1
  140. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +1 -1
  141. data/lib/contrast/agent/protect/rule/no_sqli.rb +2 -2
  142. data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +1 -1
  143. data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -1
  144. data/lib/contrast/agent/protect/rule/sqli.rb +18 -12
  145. data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
  146. data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
  147. data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
  148. data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
  149. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +1 -1
  150. data/lib/contrast/agent/protect/rule/xss.rb +1 -1
  151. data/lib/contrast/agent/protect/rule/xxe.rb +1 -1
  152. data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +1 -1
  153. data/lib/contrast/agent/railtie.rb +1 -1
  154. data/lib/contrast/agent/reaction_processor.rb +1 -1
  155. data/lib/contrast/agent/request.rb +2 -1
  156. data/lib/contrast/agent/request_context.rb +17 -10
  157. data/lib/contrast/agent/request_handler.rb +1 -1
  158. data/lib/contrast/agent/response.rb +1 -1
  159. data/lib/contrast/agent/rewriter.rb +1 -1
  160. data/lib/contrast/agent/rule_set.rb +3 -3
  161. data/lib/contrast/agent/scope.rb +1 -1
  162. data/lib/contrast/agent/service_heartbeat.rb +1 -1
  163. data/lib/contrast/agent/static_analysis.rb +1 -1
  164. data/lib/contrast/agent/thread.rb +2 -2
  165. data/lib/contrast/agent/thread_watcher.rb +21 -6
  166. data/lib/contrast/agent/tracepoint_hook.rb +1 -1
  167. data/lib/contrast/agent/version.rb +2 -2
  168. data/lib/contrast/agent/worker_thread.rb +1 -1
  169. data/lib/contrast/api.rb +1 -1
  170. data/lib/contrast/api/communication.rb +1 -1
  171. data/lib/contrast/api/communication/connection_status.rb +1 -1
  172. data/lib/contrast/api/communication/messaging_queue.rb +19 -22
  173. data/lib/contrast/api/communication/response_processor.rb +9 -2
  174. data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
  175. data/lib/contrast/api/communication/socket.rb +1 -1
  176. data/lib/contrast/api/communication/socket_client.rb +23 -15
  177. data/lib/contrast/api/communication/speedracer.rb +3 -3
  178. data/lib/contrast/api/communication/tcp_socket.rb +1 -1
  179. data/lib/contrast/api/communication/unix_socket.rb +1 -1
  180. data/lib/contrast/api/decorators.rb +3 -1
  181. data/lib/contrast/api/decorators/address.rb +1 -1
  182. data/lib/contrast/api/decorators/agent_startup.rb +58 -0
  183. data/lib/contrast/api/decorators/application_settings.rb +1 -1
  184. data/lib/contrast/api/decorators/application_startup.rb +53 -0
  185. data/lib/contrast/api/decorators/application_update.rb +1 -1
  186. data/lib/contrast/api/decorators/http_request.rb +1 -1
  187. data/lib/contrast/api/decorators/input_analysis.rb +1 -1
  188. data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
  189. data/lib/contrast/api/decorators/library.rb +1 -1
  190. data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
  191. data/lib/contrast/api/decorators/message.rb +1 -1
  192. data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
  193. data/lib/contrast/api/decorators/route_coverage.rb +16 -6
  194. data/lib/contrast/api/decorators/server_features.rb +1 -1
  195. data/lib/contrast/api/decorators/trace_event.rb +43 -15
  196. data/lib/contrast/api/decorators/trace_event_object.rb +1 -1
  197. data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
  198. data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
  199. data/lib/contrast/api/decorators/trace_taint_range_tags.rb +1 -1
  200. data/lib/contrast/api/decorators/user_input.rb +1 -1
  201. data/lib/contrast/common_agent_configuration.rb +1 -1
  202. data/lib/contrast/components/agent.rb +3 -1
  203. data/lib/contrast/components/app_context.rb +5 -23
  204. data/lib/contrast/components/assess.rb +1 -1
  205. data/lib/contrast/components/config.rb +1 -1
  206. data/lib/contrast/components/contrast_service.rb +1 -1
  207. data/lib/contrast/components/heap_dump.rb +1 -1
  208. data/lib/contrast/components/interface.rb +1 -1
  209. data/lib/contrast/components/inventory.rb +1 -1
  210. data/lib/contrast/components/logger.rb +1 -1
  211. data/lib/contrast/components/protect.rb +4 -2
  212. data/lib/contrast/components/sampling.rb +49 -7
  213. data/lib/contrast/components/scope.rb +1 -1
  214. data/lib/contrast/components/settings.rb +7 -6
  215. data/lib/contrast/config.rb +1 -1
  216. data/lib/contrast/config/agent_configuration.rb +1 -1
  217. data/lib/contrast/config/application_configuration.rb +1 -1
  218. data/lib/contrast/config/assess_configuration.rb +1 -1
  219. data/lib/contrast/config/assess_rules_configuration.rb +1 -1
  220. data/lib/contrast/config/base_configuration.rb +1 -1
  221. data/lib/contrast/config/default_value.rb +1 -1
  222. data/lib/contrast/config/exception_configuration.rb +1 -1
  223. data/lib/contrast/config/heap_dump_configuration.rb +1 -1
  224. data/lib/contrast/config/inventory_configuration.rb +1 -1
  225. data/lib/contrast/config/logger_configuration.rb +1 -1
  226. data/lib/contrast/config/protect_configuration.rb +1 -1
  227. data/lib/contrast/config/protect_rule_configuration.rb +23 -1
  228. data/lib/contrast/config/protect_rules_configuration.rb +1 -1
  229. data/lib/contrast/config/root_configuration.rb +1 -1
  230. data/lib/contrast/config/ruby_configuration.rb +1 -1
  231. data/lib/contrast/config/sampling_configuration.rb +1 -1
  232. data/lib/contrast/config/server_configuration.rb +1 -1
  233. data/lib/contrast/config/service_configuration.rb +1 -1
  234. data/lib/contrast/configuration.rb +1 -1
  235. data/lib/contrast/delegators/input_analysis.rb +12 -0
  236. data/lib/contrast/extension/assess.rb +1 -1
  237. data/lib/contrast/extension/assess/array.rb +1 -1
  238. data/lib/contrast/extension/assess/erb.rb +1 -1
  239. data/lib/contrast/extension/assess/eval_trigger.rb +1 -5
  240. data/lib/contrast/extension/assess/exec_trigger.rb +1 -5
  241. data/lib/contrast/extension/assess/fiber.rb +1 -1
  242. data/lib/contrast/extension/assess/hash.rb +1 -1
  243. data/lib/contrast/extension/assess/kernel.rb +1 -1
  244. data/lib/contrast/extension/assess/marshal.rb +1 -5
  245. data/lib/contrast/extension/assess/regexp.rb +1 -1
  246. data/lib/contrast/extension/assess/string.rb +1 -1
  247. data/lib/contrast/extension/delegator.rb +1 -1
  248. data/lib/contrast/extension/inventory.rb +1 -1
  249. data/lib/contrast/extension/kernel.rb +1 -1
  250. data/lib/contrast/extension/module.rb +1 -1
  251. data/lib/contrast/extension/protect.rb +1 -1
  252. data/lib/contrast/extension/protect/kernel.rb +1 -1
  253. data/lib/contrast/extension/protect/psych.rb +1 -1
  254. data/lib/contrast/extension/thread.rb +1 -1
  255. data/lib/contrast/framework/base_support.rb +1 -1
  256. data/lib/contrast/framework/manager.rb +14 -13
  257. data/lib/contrast/framework/platform_version.rb +1 -1
  258. data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
  259. data/lib/contrast/framework/rack/patch/support.rb +1 -1
  260. data/lib/contrast/framework/rack/support.rb +1 -1
  261. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
  262. data/lib/contrast/framework/rails/patch/assess_configuration.rb +1 -1
  263. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
  264. data/lib/contrast/framework/rails/patch/support.rb +1 -1
  265. data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +1 -1
  266. data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +1 -1
  267. data/lib/contrast/framework/rails/rewrite/active_record_named.rb +1 -1
  268. data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +1 -1
  269. data/lib/contrast/framework/rails/support.rb +43 -44
  270. data/lib/contrast/framework/sinatra/support.rb +101 -42
  271. data/lib/contrast/funchook/funchook.rb +1 -1
  272. data/lib/contrast/logger/application.rb +1 -1
  273. data/lib/contrast/logger/format.rb +1 -1
  274. data/lib/contrast/logger/log.rb +32 -16
  275. data/lib/contrast/logger/request.rb +1 -1
  276. data/lib/contrast/logger/time.rb +1 -1
  277. data/lib/contrast/security_exception.rb +1 -1
  278. data/lib/contrast/tasks/config.rb +1 -1
  279. data/lib/contrast/tasks/service.rb +1 -1
  280. data/lib/contrast/utils/assess/sampling_util.rb +1 -1
  281. data/lib/contrast/utils/assess/tracking_util.rb +1 -1
  282. data/lib/contrast/utils/class_util.rb +18 -4
  283. data/lib/contrast/utils/duck_utils.rb +1 -1
  284. data/lib/contrast/utils/env_configuration_item.rb +1 -1
  285. data/lib/contrast/utils/hash_digest.rb +14 -19
  286. data/lib/contrast/utils/heap_dump_util.rb +104 -88
  287. data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
  288. data/lib/contrast/utils/inventory_util.rb +1 -1
  289. data/lib/contrast/utils/io_util.rb +1 -1
  290. data/lib/contrast/utils/job_servers_running.rb +1 -1
  291. data/lib/contrast/utils/object_share.rb +1 -1
  292. data/lib/contrast/utils/os.rb +1 -1
  293. data/lib/contrast/utils/preflight_util.rb +1 -1
  294. data/lib/contrast/utils/resource_loader.rb +1 -1
  295. data/lib/contrast/utils/ruby_ast_rewriter.rb +1 -1
  296. data/lib/contrast/utils/sha256_builder.rb +1 -1
  297. data/lib/contrast/utils/stack_trace_utils.rb +1 -1
  298. data/lib/contrast/utils/string_utils.rb +1 -1
  299. data/lib/contrast/utils/tag_util.rb +1 -1
  300. data/lib/contrast/utils/thread_tracker.rb +1 -1
  301. data/lib/contrast/utils/timer.rb +1 -1
  302. data/resources/assess/policy.json +8 -11
  303. data/resources/deadzone/policy.json +7 -23
  304. data/ruby-agent.gemspec +56 -19
  305. data/service_executables/VERSION +1 -1
  306. data/service_executables/linux/contrast-service +0 -0
  307. data/service_executables/mac/contrast-service +0 -0
  308. metadata +117 -161
  309. data/lib/contrast/agent/assess/rule.rb +0 -18
  310. data/lib/contrast/agent/assess/rule/base.rb +0 -52
  311. data/lib/contrast/agent/assess/rule/redos.rb +0 -67
  312. data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
  313. data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
  314. data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
  315. data/lib/contrast/utils/prevent_serialization.rb +0 -52
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/patching/policy/after_load_patch'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/framework/base_support'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/framework/rails/patch/assess_configuration'
@@ -15,9 +15,9 @@ module Contrast
15
15
  @_instrument ||= begin
16
16
  ::Rails::Application::Configuration.class_eval do
17
17
  alias_method :cs__patched_session_store, :session_store
18
- def session_store *args
19
- ret = cs__patched_session_store(*args)
20
- Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args)
18
+ def session_store *args, **kwargs
19
+ ret = cs__patched_session_store(*args, **kwargs)
20
+ Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args, **kwargs)
21
21
  ret
22
22
  end
23
23
  end
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/framework/rails/patch/rails_application_configuration'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/api/dtm.pb'
@@ -47,32 +47,34 @@ module Contrast
47
47
  end
48
48
 
49
49
  # Find the current route, based on the provided Request wrapper
50
+ #
50
51
  # @param request[Contrast::Agent::Request]
51
52
  # @return [Contrast::Api::Dtm::RouteCoverage]
52
53
  def current_route request
53
54
  return unless ::Rails.cs__respond_to?(:application)
54
55
 
55
- # returns array of arrays [[match_data, path_parameters, route]], sorted by
56
- # precedence
57
- # match_data: ActionDispatch::Journey::Path::Pattern::MatchData
58
- # path_parameters: hash of various things
59
- # route: ActionDispatch::Journey::Route
60
- full_routes = ::Rails.application.routes.router.send(:find_routes, request.rack_request)
61
- return if full_routes.empty?
56
+ match, _params, route, path = get_full_route(request.rack_request)
62
57
 
63
- full_route = full_routes[0]
58
+ original_url = request.rack_request.path_info
64
59
 
65
- # the route is directly implemented within the application
66
- if direct_route?(full_route)
67
- route = full_route[2] # route w/ highest precedence
68
- Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route)
69
- else
70
- engine_route(full_route, request)
60
+ # Route is either the final rails route, or a router that points to a Sinatra controller.
61
+ if Contrast::Framework::Sinatra::Support.sinatra_controller?(route.app.app)
62
+ # Create a request copied from current request, but with the base path removed from path_info.
63
+ new_req = ::ActionDispatch::Request.new(request.env)
64
+ new_req.path_info = new_req.path_info.gsub((path << match).join, '')
65
+
66
+ return Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
71
67
  end
68
+
69
+ Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route, original_url)
72
70
  rescue StandardError => _e
73
71
  nil
74
72
  end
75
73
 
74
+ # Copy a request for modification.
75
+ #
76
+ # @param [::ActionDispatch::Request] original env.
77
+ # @return [::ActionDispatch::Request] a copy of original env with rails env merged.
76
78
  def retrieve_request env
77
79
  rails_env = ::Rails.application.env_config.merge(env)
78
80
  ::ActionDispatch::Request.new(rails_env || env)
@@ -87,37 +89,34 @@ module Contrast
87
89
 
88
90
  private
89
91
 
90
- # route is not mounted within an engine
91
- def direct_route? full_route
92
- full_route[2]&.app&.cs__class == ActionDispatch::Routing::RouteSet::Dispatcher ||
93
- (full_route[2].cs__class == ActionDispatch::Journey::Route && full_route[2]&.app&.cs__class == ActionDispatch::Routing::Mapper::Constraints)
92
+ # Determine if route is a Rails engine route.
93
+ #
94
+ # @param [Object] app or route that points to a ::Rails::Engine
95
+ # @return [bool] whether the router is an engine or not.
96
+ def engine_route? route
97
+ route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
94
98
  end
95
99
 
96
- def engine_route full_route, request
97
- engine_route = full_route[2] # supposed route - but actually an Engine mount point
98
- return unless engine_route
99
-
100
- engine_mount_name = engine_route.name
101
- return unless engine_mount_name
102
-
103
- engine_path_segments = request.rack_request.path_info.split(engine_mount_name)
104
- return if engine_path_segments.empty?
105
-
106
- path_within_engine = engine_path_segments[-1]
107
- return unless path_within_engine
108
-
109
- engine_router = engine_route.app&.app&.routes&.router
110
- return unless engine_router
111
-
112
- # Get all routes regardless of http method
113
- matching_routes = engine_router.send(:filter_routes, path_within_engine)
114
- return unless matching_routes
115
-
116
- # filter for current http method
117
- reportable_routes = engine_router.send(:match_routes, matching_routes, request.rack_request)
118
- return if reportable_routes.empty?
119
-
120
- Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(reportable_routes[0])
100
+ # Recursively get final route traversing engines as required.
101
+ #
102
+ # @param request [::Rack::Request] the rack request as will be handed to rails controller.
103
+ # @param top_router [::ActionDispatch::Journer::Router] the current router relative to the previous.
104
+ # @param path [Array<String>] the chunks of path that have been seen.
105
+ # @return [Array<array>] the final set of rails route classes.
106
+ def get_full_route request, top_router = ::Rails.application.routes.router, path = []
107
+ return if (route_matches = top_router.send(:find_routes, request)).empty?
108
+
109
+ match, params, route = route_matches.first
110
+
111
+ # If the current routing node points to a sub-app (::Rais::Engine), dive deeper.
112
+ # Have sub-app route the remainder of the url.
113
+ if engine_route?(route)
114
+ new_req = retrieve_request request.env
115
+ new_req.path_info = new_req.path_info.gsub(match.to_s, '')
116
+ get_full_route(new_req, route.app.app.routes.router, path << match.to_s)
117
+ else
118
+ [match, params, route, path]
119
+ end
121
120
  end
122
121
 
123
122
  # Rails engine routes need to be detected by inspecting Engine class route set
@@ -1,8 +1,7 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/framework/base_support'
5
- require 'contrast/framework/sinatra/patch/support'
6
5
 
7
6
  module Contrast
8
7
  module Framework
@@ -10,7 +9,6 @@ module Contrast
10
9
  # Used when Sinatra is present to define framework specific behavior
11
10
  class Support
12
11
  extend Contrast::Framework::BaseSupport
13
- extend Contrast::Framework::Sinatra::Patch::Support
14
12
  class << self
15
13
  def detection_class
16
14
  'Sinatra'
@@ -21,44 +19,74 @@ module Contrast
21
19
  end
22
20
 
23
21
  def application_name
24
- return unless app_class
25
-
26
- app_class.cs__class.cs__name
22
+ app_class&.cs__name
27
23
  end
28
24
 
29
25
  def application_root
30
- return unless app_class
31
-
32
- app_class.root
26
+ app_instance&.root
33
27
  end
34
28
 
35
29
  def server_type
36
30
  'sinatra'
37
31
  end
38
32
 
39
- # Iterate over every class that extends Sinatra::Base, pull out its routes
40
- # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
41
- # Contrast::Api::Dtm::RouteCoverage
33
+ # Given an object, determine if it is a Sinatra controller with routes.
34
+ #
35
+ # @param app [Object] suspected Sinatra app.
36
+ # @return [Boolean]
37
+ def sinatra_controller? app
38
+ # Sinatra is loaded?
39
+ return false unless defined?(::Sinatra) && defined?(::Sinatra::Base)
40
+ # App is a subclass of or actually is ::Sinatra::Base.
41
+ return false unless (app.cs__respond_to?(:<) && app < ::Sinatra::Base) || app == ::Sinatra::Base
42
+
43
+ # App has routes.
44
+ !app.routes.empty?
45
+ end
46
+
47
+ # Find all classes that subclass ::Sinatra::Base. Gather their routes.
48
+ #
49
+ # @return [Array<Contrast::Api::Dtm::RouteCoverage>] the routes found as Dtms.
42
50
  def collect_routes
51
+ return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless defined?(::Sinatra) && defined?(::Sinatra::Base)
52
+
43
53
  routes = []
44
- controllers = sinatra_controllers
45
- controllers.each do |clazz|
46
- class_routes = sinatra_class_routes(clazz)
47
- next unless class_routes
48
-
49
- class_routes.each_pair do |method, list|
50
- # item: [ Mustermann::Sinatra, [], Proc]
51
- list.each do |item|
52
- routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(clazz, method, item[0])
54
+ sinatra_controllers.each do |controller|
55
+ controller.routes.each_pair do |method, route_triplets|
56
+ # Sinatra stores its routes as a triplet: [Mustermann::Sinatra, [], Proc]
57
+ route_triplets.map(&:first).each do |route_pattern|
58
+ routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(controller, method, route_pattern)
53
59
  end
54
60
  end
55
61
  end
56
62
  routes
57
63
  end
58
64
 
59
- # TODO: RUBY-763
60
- def current_route _request
61
- nil
65
+ # Given the current request return a RouteCoverage dtm.
66
+ #
67
+ # @param request [Contrast::Agent::Request] a contrast tracked request.
68
+ # @param controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
69
+ # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
70
+ # matched to the request if a match was found.
71
+ def current_route request, controller = ::Sinatra::Base, full_route = nil
72
+ return unless sinatra_controller?(controller)
73
+
74
+ method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
75
+
76
+ # Find route match--checking superclasses if necessary.
77
+ final_controller, route_pattern = _route_recurse(controller, method, _cleaned_route(request))
78
+ return unless !final_controller.nil? && !route_pattern.nil?
79
+
80
+ full_route ||= request.path_info
81
+
82
+ Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(final_controller, method, route_pattern, full_route)
83
+ end
84
+
85
+ # Search object space for sinatra controllers--any class that subclasses ::Sinatra::Base.
86
+ #
87
+ # @return [Array<::Sinatra::Base>] sinatra controlelrs
88
+ def sinatra_controllers
89
+ [::Sinatra::Base] + ObjectSpace.each_object(Class).select { |clazz| sinatra_controller?(clazz) }
62
90
  end
63
91
 
64
92
  def retrieve_request env
@@ -67,30 +95,61 @@ module Contrast
67
95
 
68
96
  private
69
97
 
70
- def app_class
71
- return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
72
-
73
- @_app_class ||= begin
74
- sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
75
- result_layer = sinatra_layers.find { |layer| layer.app.nil? }
76
- result_layer
98
+ # Given a controller and a route to match against, find the route_pattern and class that will serve the
99
+ # route. This is recursive as Sinatra's routing is recursive from subclass to super.
100
+ #
101
+ # @param controller [Sinatra::Base, #routes] a Sinatra application.
102
+ # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
103
+ # @param method [String] the relative route passed from Rack.
104
+ # @return [Array[Sinatra::Base, Mustermann::Sinatra], nil] Either the controller that
105
+ # will handle the route along with the route pattern or nil if no match.
106
+ def _route_recurse controller, method, route
107
+ return if controller.nil? || controller.cs__class == NilClass
108
+
109
+ route_patterns = controller.routes.fetch(method, []).map(&:first)
110
+ route_pattern = route_patterns&.find do |matcher|
111
+ matcher.params(route) # ::Mustermann::Sinatra match.
77
112
  end
113
+
114
+ return controller, route_pattern if route_pattern
115
+
116
+ # Check routes defined in superclass if present.
117
+ return _route_recurse(controller.superclass, method, route) if controller.superclass&.instance_variable_get(:@routes)
78
118
  end
79
119
 
80
- # Iterate over every class that extends Sinatra::Base, pull out its routes
81
- # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
82
- # Contrast::Api::Dtm::RouteCoverage
83
- def sinatra_controllers
84
- return [] unless defined?(::Sinatra) && defined?(::Sinatra::Base)
120
+ # Get route and do some cleanup matching that of Sinatra::Base#process_route.
121
+ #
122
+ # @param request [Contrast::Agent::Request] a contrast tracked request.
123
+ # @return [String] the extracted and cleaned relative route.
124
+ def _cleaned_route request
125
+ settings = ::Sinatra::Base.settings
126
+ route = request.env[::Rack::PATH_INFO]
127
+ return '/' if route.empty? && !settings.empty_path_info?
128
+
129
+ !settings.strict_paths? && route.end_with?('/') ? route[0..-2] : route
130
+ end
85
131
 
86
- Contrast::Utils::ClassUtil.descendants(::Sinatra::Base)
132
+ # Almost an alias to app_instance.
133
+ #
134
+ # @return [::Sinatra::Base] the current controller class as routed by Rack.
135
+ def app_class
136
+ return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
137
+
138
+ app_instance.cs__class
87
139
  end
88
140
 
89
- def sinatra_class_routes controller
90
- controller.instance_variable_get(:@routes) if controller.instance_variable_defined?(:@routes)
91
- rescue StandardError
92
- logger.trace('Sinatra controller found with no route instances', module: controller)
93
- nil
141
+ # Search the object space for the controller handling this request which will be
142
+ # the class inheriting from ::Sinatra::Base with @app=nil since it is the final servicer
143
+ # in the request/middleware chain.
144
+ #
145
+ # @return [::Sinatra::Base] the current controller as routed by Rack.
146
+ def app_instance
147
+ return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
148
+
149
+ @_app_instance ||= begin
150
+ sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
151
+ sinatra_layers.find { |layer| layer.app.nil? }
152
+ end
94
153
  end
95
154
  end
96
155
  end
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'ougai'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'logger'
@@ -37,28 +37,22 @@ module Contrast
37
37
  # Given new settings from TeamServer, update our logging to use the new
38
38
  # file and level, assuming they weren't set by local configuration.
39
39
  #
40
- # @param log_file [String] the file to which to log
41
- # @param log_level [String] the level at which to log
40
+ # @param log_file [String] the file to which to log, as provided by TeamServer settings
41
+ # @param log_level [String] the level at which to log, as provided by TeamServer settings
42
42
  def update log_file = nil, log_level = nil
43
- config = CONFIG.root.agent.logger
44
-
45
- config_path = config.path&.length.to_i.positive? ? config.path : nil
46
- config_level = config.level&.length&.positive? ? config.level : nil
47
-
48
- # config > settings > default
49
- path = valid_path(config_path || log_file)
50
- level_const = valid_level(config_level || log_level)
43
+ current_path = find_valid_path(log_file)
44
+ current_level_const = find_valid_level(log_level)
51
45
 
52
- path_change = path != previous_path
53
- level_change = level_const != previous_level
46
+ path_change = current_path != previous_path
47
+ level_change = current_level_const != previous_level
54
48
 
55
49
  # don't needlessly recreate logger
56
50
  return if @_logger && !(path_change || level_change)
57
51
 
58
- @previous_path = path
59
- @previous_level = level_const
52
+ @previous_path = current_path
53
+ @previous_level = current_level_const
60
54
 
61
- @_logger = build(path: path, level_const: level_const)
55
+ @_logger = build(path: current_path, level_const: current_level_const)
62
56
  # If we're logging to a new path, then let's start it w/ our helpful
63
57
  # data gathering messages
64
58
  log_update if path_change
@@ -108,6 +102,17 @@ module Contrast
108
102
  logger.extend(Contrast::Logger::Time)
109
103
  end
110
104
 
105
+ # Determine the valid path to which to log, given the precedence of config > settings > default.
106
+ #
107
+ # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
108
+ # TeamServer.
109
+ # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
110
+ def find_valid_path log_file
111
+ config = CONFIG.root.agent.logger
112
+ config_path = config.path&.length.to_i.positive? ? config.path : nil
113
+ valid_path(config_path || log_file)
114
+ end
115
+
111
116
  def valid_path path
112
117
  path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
113
118
  return path if path == STDOUT_STR
@@ -129,6 +134,17 @@ module Contrast
129
134
  end
130
135
  end
131
136
 
137
+ # Determine the valid level to which to log, given the precedence of config > settings > default.
138
+ #
139
+ # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
140
+ # TeamServer.
141
+ # @return [::Ougai::Logging::Severity] the level at which to log
142
+ def find_valid_level log_level
143
+ config = CONFIG.root.agent.logger
144
+ config_level = config.level&.length&.positive? ? config.level : nil
145
+ valid_level(config_level || log_level)
146
+ end
147
+
132
148
  def valid_level level
133
149
  level ||= DEFAULT_LEVEL
134
150
  level = level.upcase