contrast-agent 4.3.2 → 4.4.0

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -13,7 +13,7 @@ module Contrast
             # one does not exist.
             #
             # @param mod [Module] the Module for which the status is asked
-            # @return [Contrast::Agent::Patching::Policy::PolicyStatus]
+            # @return [Contrast::Agent::Patching::Policy::PatchStatus]
             def get_status mod
               if mod.cs__const_defined?(status_key, false)
                 mod.cs__const_get(status_key, false)

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -52,7 +52,7 @@ module Contrast
             # startup to catchup on everything we didn't see get loaded
             def patch
               catchup_after_load_patches
-              patch_methods
+              catchup_loaded_methods
               Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
             end
 
@@ -62,10 +62,11 @@ module Contrast
             # where only a subset of the Assess changes are needed.
             PATCH_MONITOR = Monitor.new
 
-            def patch_methods
+            # Iterate over and patch those Modules and Methods which were loaded before the Agent was enabled.
+            def catchup_loaded_methods
               PATCH_MONITOR.synchronize do
                 t = Contrast::Agent::Thread.new do
-                  synchronized_patch_methods
+                  synchronized_catchup_loaded_methods
                 end
                 # aborting on exception makes exceptions propagate.
                 t.abort_on_exception = true
@@ -100,7 +101,7 @@ module Contrast
             # @param mod [Module] the module in which the patch should be
             #   placed.
             # @param methods [Array(Symbol)] all the instance or singleton
-            #   methods in this clazz.
+            #   methods in this mod.
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
             #   the policy that applies to the given method_name.
             # @return [Boolean] if patched, either by this invocation or a
@@ -149,7 +150,7 @@ module Contrast
             # other functions, like rewriting or scanning. This method should
             # only be invoked by the patch_methods method above in order to
             # ensure it is wrapped in a synchronize call
-            def synchronized_patch_methods
+            def synchronized_catchup_loaded_methods
               logger.trace_with_time('Running patching') do
                 patched = []
                 all_module_names.each do |patchable_name|
@@ -166,53 +167,37 @@ module Contrast
               end
             end
 
-            # Given the patchers that apply to this class that may apply, patch
-            # Contrast method calls into the methods for which we have rules.
+            # Given the patchers that apply to this class that may apply, patch Contrast method calls into the methods
+            # for which we have rules.
             #
-            # @param module_data [Contrast::Agent::ModuleData] the module, and
-            #   its name, that's being patched into
-            # @param redo_patch [Boolean] a trigger to force patching
-            #   regardless of the state of the
-            #   Contrast::Agent::Patching::Policy::PatchStatus status on the
-            #   Module
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
+            # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
+            #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
             def patch_into_module module_data, redo_patch = false
               status = status_type.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
 
-              # Begin patching our sources into the given clazz (or module)
-              # Any patcher that has the name of the clazz will be evaluated for
-              # patching.
-              # Find all the patchers that apply to this class, sorted by type.
+              # Begin patching our sources into the given module. Any patcher that has the name of the module will be
+              # evaluated for patching. Find all the patchers that apply to this class, sorted by type.
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.name)
-
-              clazz = module_data.mod
+              # If there's nothing to match, then set that status and exit
+              if module_policy.empty?
+                status.no_patch!
+                return
+              end
 
               status.patching!
-              patched = false
-
-              counts = 0
-              # Monkey patch any methods in this class that have matching nodes in the policy
-              unless module_policy.empty?
-                instance_methods = all_instance_methods(clazz, true)
-                singleton_methods = clazz.singleton_methods(false)
-                counts += patch_into_methods(clazz, instance_methods, module_policy, true)
-                counts += patch_into_methods(clazz, singleton_methods, module_policy, false)
-                counts = module_policy.num_expected_patches if adjust_for_prepend(clazz)
-                patched = true
-              end
+              num_applied_patches = patch_into_instance_methods(module_data, module_policy)
+              num_applied_patches += patch_into_singleton_methods(module_data, module_policy)
+              if adjust_for_prepend(module_data) ||
+                    module_policy.num_expected_patches == num_applied_patches
 
-              if patched
-                if module_policy.num_expected_patches == counts
-                  status.patched!
-                else
-                  status.partial_patch!
-                end
+                status.patched!
               else
-                status.no_patch!
+                status.partial_patch!
               end
             rescue StandardError => e
-              status ||= status_type.get_status(module_data.mod)
-              status.failed_patch!
+              status&.failed_patch!
               logger.warn('Patching failed', e, module: module_data.name)
             ensure
               logger.trace('Patching complete',
@@ -249,6 +234,29 @@ module Contrast
               instance_methods
             end
 
+            # Patch into the Instance Methods, including private, of the given Module that match the ModulePolicy
+            # provided.
+            #
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
+            # @param module_policy [Contrast::Agent::Patching::Policy::ModulePolicy] All the patchers that apply to
+            #   this module, sorted by type.
+            def patch_into_instance_methods module_data, module_policy
+              mod = module_data.mod
+              methods = all_instance_methods(mod, true)
+              patch_into_methods(mod, methods, module_policy, true)
+            end
+
+            # Patch into the Singleton Methods of the given Module that match the ModulePolicy provided.
+            #
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
+            # @param module_policy [Contrast::Agent::Patching::Policy::ModulePolicy] All the patchers that apply to
+            #   this module, sorted by type.
+            def patch_into_singleton_methods module_data, module_policy
+              mod = module_data.mod
+              methods = mod.singleton_methods(false)
+              patch_into_methods(mod, methods, module_policy, false)
+            end
+
             # We've found the patchers that apply to this class (or module). Now we'll
             # filter on the given method.
             #
@@ -279,11 +287,10 @@ module Contrast
             # it has to be reapplied.
             # TODO: RUBY-620 should remove the need for this
             #
-            # @param mod[Module] the Module for which a prepend action needs to
-            #   be accounted
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
             # @return [Boolean] if an adjustment was made or not
-            def adjust_for_prepend mod
-              return false unless mod.cs__name == 'CGI::Util'
+            def adjust_for_prepend module_data
+              return false unless module_data.mod.cs__name == 'CGI::Util'
 
               CGI.include(CGI::Util)
               CGI.extend(CGI::Util)

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -46,6 +46,11 @@ module Contrast
               raise(ArgumentError,
                     "#{ id } did not have a proper applicator method: #{ applicator } does not respond to #{ applicator_method }. Unable to create.")
             end
+            validate_properties
+            validate_rule
+          end
+
+          def validate_properties
             if (required_properties & optional_properties).any?
               raise(ArgumentError, "#{ rule_id } had overlapping elements between required and optional properties. Unable to create.")
             end
@@ -53,8 +58,6 @@ module Contrast
               raise(ArgumentError, "#{ id } had an unexpected property. Unable to create.")
             end
             raise(ArgumentError, "#{ id } did not have a required property. Unable to create.") if (required_properties - properties.keys).any?
-
-            validate_rule
           end
 
           def validate_rule

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -50,16 +50,9 @@ module Contrast
               last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
               next unless last_boundary && boundary
 
-              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
-
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
-
               result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+              record_match(idx, length, boundary, last_boundary, kwargs)
+              append_match(context, input_analysis_result, result, query_string, kwargs)
             end
 
             result
@@ -75,13 +68,26 @@ module Contrast
             sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
             sample.sqli.start_idx = sample.sqli.query.index(input).to_i
             sample.sqli.end_idx = sample.sqli.start_idx + input.length
-            sample.sqli.boundary_overrun_idx = kwargs[:boundary].to_i
-            sample.sqli.input_boundary_idx = kwargs[:last_boundary].to_i
+            sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+            sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
             sample
           end
 
           private
 
+          def record_match idx, length, boundary, last_boundary, kwargs
+            kwargs[:start_idx] = idx
+            kwargs[:end_idx] = idx + length
+            kwargs[:boundary_overrun_idx] = boundary
+            kwargs[:input_boundary_idx] = last_boundary
+          end
+
+          def append_match context, input_analysis_result, result, query_string, **kwargs
+            input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+            update_successful_attack_response(context, input_analysis_result, result, query_string)
+            append_sample(context, input_analysis_result, result, query_string, **kwargs)
+          end
+
           def select_scanner database
             @sql_scanners ||= {
                 Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>

data/lib/contrast/agent/request_context.rb

@@ -12,6 +12,18 @@ module Contrast
     # This class acts to encapsulate information about the currently executed
     # request, making it available to the Agent for the duration of the request
     # in a standardized and normalized format which the Agent understands.
+    #
+    # @attr_reader timer [Contrast::Utils::Timer] when the context was created
+    # @attr_reader logging_hash [Hash] context used to log the request
+    # @attr_reader speedracer_input_analysis [Contrast::Api::Settings::InputAnalysis] the protect input analysis of
+    #   sources on this request
+    # @attr_reader request [Contrast::Agent::Request] our wrapper around the Rack::Request for this context
+    # @attr_reader response [Contrast::Agent::Response] our wrapper aroudn the Rack::Response or Array for this context,
+    #   only available after the application has finished its processing
+    # @attr_reader activity [Contrast::Api::Dtm::Activity] the application activity found in this request
+    # @attr_reader server_activity [Contrast::Api::Dtm::ServerActivity] the server activity found in this request
+    # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
+    # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
     class RequestContext
       include Contrast::Components::Interface
       access_component :agent, :analysis, :logging, :scope

data/lib/contrast/agent/thread.rb

@@ -5,7 +5,7 @@ require 'contrast/components/interface'
 
 module Contrast
   module Agent
-    # Threads used by Contrast.
+    # Threads used by Contrast. Any long running thread should be created and managed by our ThreadWatcher class.
     class Thread < ::Thread
       include Contrast::Components::Interface
 

data/lib/contrast/agent/thread_watcher.rb

@@ -3,22 +3,31 @@
 
 require 'contrast/components/interface'
 require 'contrast/agent/service_heartbeat'
+require 'contrast/api/communication/messaging_queue'
 
 module Contrast
   module Agent
     # This class used to ensure that our worker threads are running in multi-process environments
+    #
+    # @attr_reader heapdump_util [Contrast::Utils::HeapDumpUtil]
+    # @attr_reader heartbeat [Contrast::Agent::ServiceHeartbeat]
+    # @attr_reader messaging_queue [Contrast::Api::Communication::MessagingQueue]
     class ThreadWatcher
       include Contrast::Components::Interface
-      access_component :logging
+      access_component :agent, :logging
 
-      attr_reader :heartbeat
+      attr_reader :heapdump_util, :heartbeat, :messaging_queue
 
       def initialize
         @pids = {}
+        @heapdump_util = Contrast::Utils::HeapDumpUtil.new
         @heartbeat = Contrast::Agent::ServiceHeartbeat.new
+        @messaging_queue = Contrast::Api::Communication::MessagingQueue.new
       end
 
       def startup!
+        return unless AGENT.enabled?
+
         unless heartbeat.running?
           logger.debug('Attempting to start heartbeat thread')
           heartbeat.start_thread!
@@ -26,11 +35,11 @@ module Contrast
         heartbeat_result = heartbeat.running?
         logger.debug('Heartbeat thread status', alive: heartbeat_result)
 
-        unless Contrast::Agent.messaging_queue.running?
+        unless messaging_queue.running?
           logger.debug('Attempting to start messaging queue thread')
-          Contrast::Agent.messaging_queue.start_thread!
+          messaging_queue.start_thread!
         end
-        messaging_result = Contrast::Agent.messaging_queue.running?
+        messaging_result = messaging_queue.running?
         logger.debug('Messaging thread status', alive: messaging_result)
 
         logger.debug('ThreadWatcher started threads')
@@ -44,6 +53,12 @@ module Contrast
         logger.debug('ThreadWatcher - threads not running')
         startup!
       end
+
+      def shutdown!
+        heartbeat.stop!
+        messaging_queue.stop!
+        heapdump_util.stop!
+      end
     end
   end
 end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.3.2'
+    VERSION = '4.4.0'
   end
 end

data/lib/contrast/api/communication/messaging_queue.rb

@@ -10,7 +10,7 @@ module Contrast
       # Top level gateway to messaging with speedracer
       class MessagingQueue < Contrast::Agent::WorkerThread
         include Contrast::Components::Interface
-        access_component :analysis, :logging, :settings
+        access_component :agent, :analysis, :logging, :settings
 
         attr_reader :queue, :speedracer
 
@@ -22,11 +22,19 @@ module Contrast
 
         # Use this to bypass the messaging queue and leave response processing to the caller
         def send_event_immediately event
-          send_event(event, true)
+          if AGENT.disabled?
+            logger.warn('Attempted to send event immediately with Agent disabled', caller: caller, event: event)
+            return
+          end
+          speedracer.return_response(event)
         end
 
         # Use this to add a message to the queue and process the response internally
         def send_event_eventually event
+          if AGENT.disabled?
+            logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
+            return
+          end
           logger.debug('Enqueued event for sending', event_type: event.cs__class)
           queue << event if event
         end
@@ -35,13 +43,14 @@ module Contrast
           speedracer.ensure_startup!
           return if running?
 
+          @queue ||= Queue.new
           @_thread = Contrast::Agent::Thread.new do
             loop do
               event = queue.pop
 
               begin
                 logger.debug('Dequeued event for sending', event_type: event.cs__class)
-                send_event(event)
+                speedracer.process_internally(event)
               rescue StandardError => e
                 logger.error('Could not send message to service from messaging queue thread.', e)
               end
@@ -50,25 +59,13 @@ module Contrast
           logger.debug('Started background sending thread.')
         end
 
-        private
+        def stop!
+          return unless running?
 
-        # return_response is used to determine if we want to return the response to the caller or process it internally
-        def send_event event, return_response = false
-          preprocess_event(event)
-          if return_response
-            speedracer.return_response(event)
-          else
-            speedracer.process_internally(event)
-          end
-        end
-
-        # For now this only handles appending assess tags
-        # eventually we could break out preprocessors for every event type
-        def preprocess_event event
-          return unless event.is_a?(Contrast::Api::Dtm::Activity)
-
-          # See if they're even enabled
-          event.findings.delete_if { |finding| ASSESS.rule_disabled?(finding.rule_id) }
+          super
+          @queue&.clear
+          @queue&.close
+          @queue = nil
         end
       end
     end

data/lib/contrast/api/communication/response_processor.rb

@@ -11,6 +11,7 @@ module Contrast
         include Contrast::Components::Interface
         access_component :agent, :analysis, :logging, :settings
 
+        # @param response [Contrast::Api::Settings::AgentSettings]
         def process response
           logger.debug('Received a response', sent_ms: response&.sent_ms)
 
@@ -31,8 +32,10 @@ module Contrast
 
         private
 
-        # Given some protobuf messages, update settings.
+        # Given some protobuf messages, update server features.
         # This is the bridge between Contrast Service <-> Settings.
+        #
+        # @param response [Contrast::Api::Settings::AgentSettings]
         def process_server_response response
           server_features = response&.server_features
           return unless server_features
@@ -44,6 +47,10 @@ module Contrast
           server_features
         end
 
+        # Given some protobuf messages, update application settings.
+        # This is the bridge between Contrast Service <-> Settings.
+        #
+        # @param response [Contrast::Api::Settings::AgentSettings]
         def process_application_response response
           app_settings = response&.application_settings
           return unless app_settings

data/lib/contrast/api/communication/socket_client.rb

@@ -26,6 +26,7 @@ module Contrast
         #
         # @param event [Contrast::Api::Dtm] One of the DTMs valid for the event field of
         #   Contrast::Api::Dtm::Message
+        # @return [Contrast::Api::Settings::AgentSettings]
         def send_one event
           msg = Contrast::Api::Dtm::Message.build(event)
           send_message(msg)
@@ -58,24 +59,31 @@ module Contrast
           end
 
           # Or something is not set.
-          msg = if CONFIG.root.agent.service.host
-                  'Missing a required connection value to the Contrast Service. ' \
-                  '`agent.service.port` is not set. ' \
-                  'Falling back to default TCP socket port.'
-                elsif CONFIG.root.agent.service.port
-                  'Missing a required connection value to the Contrast Service. ' \
-                  '`agent.service.host` is not set. ' \
-                  'Falling back to default TCP socket host.'
-                else
-                  'Missing a required connection value to the Contrast Service. ' \
-                  'Neither `agent.service.socket` nor the pair of `agent.service.host` and `agent.service.port` are set. '\
-                  'Falling back to default TCP socket.'
-                end
-          logger.warn(msg,
+          logger.warn(log_connection_error_msg,
                       host: CONTRAST_SERVICE.host,
                       port: CONTRAST_SERVICE.port)
         end
 
+        # If our connection isn't built properly, we need to warn the user. This builds out the context specific
+        # message to provide that warning
+        #
+        # @return [String]
+        def log_connection_error_msg
+          if CONFIG.root.agent.service.host
+            'Missing a required connection value to the Contrast Service. ' \
+            '`agent.service.port` is not set. ' \
+            'Falling back to default TCP socket port.'
+          elsif CONFIG.root.agent.service.port
+            'Missing a required connection value to the Contrast Service. ' \
+            '`agent.service.host` is not set. ' \
+            'Falling back to default TCP socket host.'
+          else
+            'Missing a required connection value to the Contrast Service. ' \
+            'Neither `agent.service.socket` nor the pair of `agent.service.host` and `agent.service.port` are set. '\
+            'Falling back to default TCP socket.'
+          end
+        end
+
         def send_message msg
           return unless msg