contrast-agent 4.3.2 → 4.4.0

data/lib/contrast/api/decorators.rb

@@ -10,6 +10,8 @@ module Contrast
 end
 
 require 'contrast/api/decorators/message'
+require 'contrast/api/decorators/agent_startup'
+require 'contrast/api/decorators/application_startup'
 require 'contrast/api/decorators/application_update'
 require 'contrast/api/decorators/input_analysis'
 require 'contrast/api/decorators/application_settings'

data/lib/contrast/api/decorators/agent_startup.rb

@@ -0,0 +1,58 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/components/interface'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the AgentStartup protobuf model to handle reporting Agent process start
+      module AgentStartup
+        include Contrast::Components::ComponentBase
+        include Contrast::Components::Interface
+        access_component :analysis, :config
+
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          # Return a new DTM with the values from the configuration and Agent discovery
+          #
+          # @parma name [String] the Hostname of this Server, or overridden value, used to identify this process
+          # @parma name [String] the Hostname of this Server, or overridden value, used to identify this process
+          # @parma name [String] the Hostname of this Server, or overridden value, used to identify this process
+          # @return [Contrast::Api::Dtm::AgentStartup]
+          def build name, path, type
+            msg = new
+            msg.server_version   = Contrast::Agent::VERSION
+            msg.server_name      = Contrast::Utils::StringUtils.protobuf_format name
+            msg.server_path      = Contrast::Utils::StringUtils.protobuf_format path
+            msg.server_type      = Contrast::Utils::StringUtils.protobuf_format type
+            config!(msg)
+            msg.finding_tags = Contrast::Utils::StringUtils.protobuf_format ASSESS.tags
+            msg
+          end
+
+          private
+
+          # set the configuration driven values for this AgentStartup msg
+          #
+          # @param msg [Contrast::Api::Dtm::AgentStartup]
+          def config! msg
+            msg.version          = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.server.version
+            msg.environment      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.server.environment
+            msg.server_tags      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.server.tags
+            msg.application_tags = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.tags
+            msg.library_tags     = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.inventory.tags
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::AgentStartup.include(Contrast::Api::Decorators::AgentStartup)

data/lib/contrast/api/decorators/application_startup.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/components/interface'
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the ApplicationCreate protobuf model to handle reporting Agent process start
+      module ApplicationStartup
+        include Contrast::Components::ComponentBase
+        include Contrast::Components::Interface
+        access_component :config
+
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          # Return a new DTM with the values from the configuration
+          #
+          # @return [Contrast::Api::Dtm::ApplicationCreate]
+          def build
+            msg = new
+            msg.group            = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.group
+            msg.app_version      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.version.to_s
+            msg.code             = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.code
+            msg.metadata         = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.metadata
+            session!(msg)
+            msg
+          end
+
+          private
+
+          # Set the session metadata for this ApplicationCreate msg
+          #
+          # @param msg [Contrast::Api::Dtm::ApplicationCreate]
+          def session! msg
+            msg.session_id       = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.session_id,        truncate: false
+            msg.session_metadata = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.session_metadata,  truncate: false
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::ApplicationCreate.include(Contrast::Api::Decorators::ApplicationStartup)

data/lib/contrast/api/decorators/route_coverage.rb

@@ -26,27 +26,37 @@ module Contrast
           end
 
           # Convert ActionDispatch::Journey::Route to Contrast::Api::Dtm::RouteCoverage
+          #
           # @param journey_obj [ActionDispatch::Journey::Route] a rails route
+          # @param url [String, nil] use url from string instead of journey object.
           # @return [Contrast::Api::Dtm::RouteCoverage]
-          def from_action_dispatch_journey journey_obj
+          def from_action_dispatch_journey journey_obj, url = nil
             msg = new
             msg.route = "#{ journey_obj.defaults[:controller] }##{ journey_obj.defaults[:action] }"
 
             verb = source_or_string(journey_obj.verb)
             msg.verb = Contrast::Utils::StringUtils.force_utf8(verb)
 
-            url = source_or_string(journey_obj.path.spec)
+            url ||= source_or_string(journey_obj.path.spec)
             msg.url = Contrast::Utils::StringUtils.force_utf8(url)
             msg
           end
 
-          def from_sinatra_route clazz, method, pattern
+          # Convert Sinatra route data to dtm message.
+          #
+          # @param controller [::Sinatra::Base] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param method [::Mustermann::Sinatra]  the pattern that was matched in routing.
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @return [Contrast::Api::Dtm::RouteCoverage]
+          def from_sinatra_route controller, method, pattern, url = nil
             safe_pattern = source_or_string(pattern)
+            safe_url = source_or_string(url || pattern)
 
             msg = new
-            msg.route = "#{ clazz }##{ method } #{ safe_pattern }"
+            msg.route = "#{ controller }##{ method } #{ safe_pattern }"
             msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
-            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_pattern)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
             msg
           end
         end

data/lib/contrast/api/decorators/trace_event.rb

@@ -13,8 +13,38 @@ module Contrast
           klass.extend(ClassMethods)
         end
 
+        # The TeamServer uses the Event's type and action to render it in the Details page. These values control the
+        # left-hand "What happened" column and the data shown in the right-hand data
+        #
+        # @param contrast_event [Contrast::Agent::Assess::ContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
+        def build_display_params! contrast_event
+          self.type = contrast_event.policy_node.node_type
+          self.action = contrast_event.policy_node.build_action
+          self
+        end
+
+        # The TeamServer uses the Event's representation of the data to render the actual data used in the dataflow on
+        # the Details page.
+        #
+        # @param contrast_event [Contrast::Agent::Assess::ContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
+        def build_dataflow! contrast_event
+          # Figure out what the target of this event was. This can't be pulled into the decorator because SourceEvent
+          # has a custom impl :/
+          taint_target = contrast_event.determine_taint_target(self)
+          truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
+          self.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
+          truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
+          self.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
+          build_event_args!(contrast_event, taint_target)
+          build_taint_ranges!(contrast_event)
+          self
+        end
+
         # Wrapper around build_event_object for the args array. Handles
         # tainting the correct argument.
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_event_args! contrast_event, taint_target
           contrast_event.args.each_index do |idx|
             truncate_arg = taint_target != idx
@@ -29,6 +59,7 @@ module Contrast
         # their DTM form in order to report this.
         #
         # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_taint_ranges! contrast_event
           # If there's no taint_target, this isn't a dataflow trace, but a
           # trigger one
@@ -38,6 +69,10 @@ module Contrast
           self
         end
 
+        # For each Parent in the ContrastEvent, capture its id and report it to TeamServer.
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_parent_ids! contrast_event
           contrast_event&.parent_events&.each do |event|
             next unless event
@@ -49,6 +84,10 @@ module Contrast
           self
         end
 
+        # Convert the caller into the Stack DTM TeamServer consumes
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_stack! contrast_event
           # We delayed doing this as long as possible b/c it's expensive
           stack_dtms = Contrast::Utils::StackTraceUtils.build_assess_stack_array(contrast_event.stack_trace)
@@ -60,23 +99,12 @@ module Contrast
         module ClassMethods
           def build contrast_event
             event_dtm = new
-            # Figure out what the target of this event was. It's a little
-            # annoying for us since P can be named (thanks, Ruby) where
-            # as for everyone else it is idx based.
-            taint_target = contrast_event.determine_taint_target(event_dtm) # This can't be pulled into the decorator because SourceEvent has a custom impl :/
-
-            event_dtm.type = contrast_event.policy_node.node_type
-            event_dtm.action = contrast_event.policy_node.build_action
+            event_dtm.build_display_params!(contrast_event)
+            event_dtm.build_dataflow!(contrast_event)
+            event_dtm.build_stack!(contrast_event)
             event_dtm.timestamp_ms = contrast_event.time.to_i
             event_dtm.thread = Contrast::Utils::StringUtils.force_utf8(contrast_event.thread)
-            truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
-            event_dtm.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
-            truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
-            event_dtm.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
-            event_dtm.build_event_args!(contrast_event, taint_target)
             event_dtm.build_parent_ids!(contrast_event)
-            event_dtm.build_taint_ranges!(contrast_event)
-            event_dtm.build_stack!(contrast_event)
             event_dtm.object_id = contrast_event.event_id.to_i
             event_dtm.signature = Contrast::Api::Dtm::TraceEventSignature.build(contrast_event.ret, contrast_event.policy_node, contrast_event.args)
             event_dtm

data/lib/contrast/components/agent.rb

@@ -31,6 +31,8 @@ module Contrast
 
         def disable!
           @_enabled = false
+          Contrast::Agent::TracePointHook.disable
+          Contrast::Agent.thread_watcher&.shutdown!
         end
 
         def ruleset

data/lib/contrast/components/app_context.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'rubygems/version'
+require 'contrast/api/decorators/agent_startup'
+require 'contrast/api/decorators/application_startup'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -77,31 +79,11 @@ module Contrast
         end
 
         def build_app_startup_message
-          msg = Contrast::Api::Dtm::ApplicationCreate.new
-
-          msg.group            = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.group
-          msg.app_version      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.version.to_s
-          msg.code             = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.code
-          msg.metadata         = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.metadata
-          # Other fields have limits in TeamServer, the rest don't.
-          msg.session_id       = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.session_id,        truncate: false
-          msg.session_metadata = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.session_metadata,  truncate: false
-
-          msg
+          Contrast::Api::Dtm::ApplicationCreate.build
         end
 
         def build_agent_startup_message
-          msg = Contrast::Api::Dtm::AgentStartup.new
-          msg.server_name      = Contrast::Utils::StringUtils.protobuf_format server_name
-          msg.server_path      = Contrast::Utils::StringUtils.protobuf_format server_path
-          msg.server_type      = Contrast::Utils::StringUtils.protobuf_format server_type
-          msg.server_version   = Contrast::Agent::VERSION
-          msg.version          = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.server.version
-          msg.environment      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.server.environment
-          msg.server_tags      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.server.tags
-          msg.application_tags = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.tags
-          msg.library_tags     = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.inventory.tags
-          msg.finding_tags     = Contrast::Utils::StringUtils.protobuf_format ASSESS.tags
+          msg = Contrast::Api::Dtm::AgentStartup.build(server_name, server_path, server_type)
           logger.info('Application context',
                       server_name: msg.server_name,
                       server_path: msg.server_path,

data/lib/contrast/components/sampling.rb

@@ -25,14 +25,14 @@ module Contrast
 
         def sampling_control
           @_sampling_control ||= begin
-            cas = CONFIG.root.assess&.sampling
+            config_settings = CONFIG.root.assess&.sampling
             settings = SETTINGS&.assess_state&.[](:sampling_settings)
             {
-                enabled: true?([cas&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].reject(&:nil?)[0]),
-                baseline: [cas&.baseline, settings&.baseline, DEFAULT_SAMPLING_BASELINE].map(&:to_i).find(&:positive?),
-                request_frequency: [cas&.request_frequency, settings&.request_frequency, DEFAULT_SAMPLING_REQUEST_FREQUENCY].map(&:to_i).find(&:positive?),
-                response_frequency: [cas&.response_frequency, settings&.response_frequency, DEFAULT_SAMPLING_RESPONSE_FREQUENCY].map(&:to_i).find(&:positive?),
-                window: [cas&.window_ms, settings&.window_ms, DEFAULT_SAMPLING_WINDOW_MS].map(&:to_i).find(&:positive?)
+                enabled: enabled?(config_settings, settings),
+                baseline: baseline(config_settings, settings),
+                request_frequency: request_frequency(config_settings, settings),
+                response_frequency: response_frequency(config_settings, settings),
+                window: window(config_settings, settings)
             }
           end
         end
@@ -41,6 +41,48 @@ module Contrast
         def reset_sampling_control
           @_sampling_control = nil
         end
+
+        private
+
+        # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
+        #   local user input
+        # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
+        # @return [Boolean] the resolution of the config_settings, settings, and default value
+        def enabled? config_settings, settings
+          true?([config_settings&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].reject(&:nil?)[0])
+        end
+
+        # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
+        #   local user input
+        # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
+        # @return [Integer] the resolution of the config_settings, settings, and default value
+        def baseline config_settings, settings
+          [config_settings&.baseline, settings&.baseline, DEFAULT_SAMPLING_BASELINE].map(&:to_i).find(&:positive?)
+        end
+
+        # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
+        #   local user input
+        # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
+        # @return [Integer] the resolution of the config_settings, settings, and default value
+        def request_frequency config_settings, settings
+          [config_settings&.request_frequency, settings&.request_frequency, DEFAULT_SAMPLING_REQUEST_FREQUENCY].map(&:to_i).find(&:positive?)
+        end
+
+        # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
+        #   local user input
+        # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
+        # @return [Integer] the resolution of the config_settings, settings, and default value
+        def response_frequency config_settings, settings
+          [config_settings&.response_frequency, settings&.response_frequency, DEFAULT_SAMPLING_RESPONSE_FREQUENCY].map(&:to_i).find(&:positive?)
+        end
+
+        # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
+        #   local user input
+        # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
+        # @return [Integer] the resolution of the config_settings, settings, and default value
+        def window config_settings, settings
+          [config_settings&.window_ms, settings&.window_ms, DEFAULT_SAMPLING_WINDOW_MS].map(&:to_i).find(&:positive?)
+        end
       end
 
       module InstanceMethods #:nodoc:

data/lib/contrast/components/settings.rb

@@ -28,8 +28,8 @@ module Contrast
 
         def assess_state
           @assess_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName
-              enabled: false,
-              sampling_features: nil
+              enabled: false,        # Boolean
+              sampling_features: nil # Contrast::Api::Settings::Sampling
           }
         end
 
@@ -95,6 +95,7 @@ module Contrast
           exclusion_matchers.select(&:code?)
         end
 
+        # @param server_features [Contrast::Api::Settings::ServerFeatures]
         def update_from_server_features server_features
           # protect
 
@@ -109,6 +110,7 @@ module Contrast
           Contrast::Utils::Assess::SamplingUtil.instance.update
         end
 
+        # @param application_settings [Contrast::Api::Settings::ApplicationSettings]
         def update_from_application_settings application_settings
           application_state.merge!(application_settings.application_state_translation)
         end
@@ -126,9 +128,8 @@ module Contrast
         end
 
         def build_assess_rules
+          # TODO: RUBY-1120 actually build assess_rules.
           @assess_rules = {}
-
-          Contrast::Agent::Assess::Rule::Redos.new
         end
 
         def build_protect_rules

data/lib/contrast/framework/manager.rb

@@ -44,11 +44,9 @@ module Contrast
         end
       end
 
-      # Return all the After Load Patches for all the Frameworks we know, even
-      # if that Framework hasn't been detected.
+      # Return all the After Load Patches for all the Frameworks we know, even if that Framework hasn't been detected.
       #
-      # @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the
-      #   AfterLoadPatches of each framework
+      # @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the AfterLoadPatches of each framework
       def find_after_load_patches
         patches = Set.new
         SUPPORTED_FRAMEWORKS.each do |framework|
@@ -82,8 +80,10 @@ module Contrast
       end
 
       # If we have 0 or n > 1 frameworks, we need to use the default rack request
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this particular Request
+      #
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values 
+      # of this particular Request
+      # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
         return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
 
@@ -102,14 +102,15 @@ module Contrast
         result
       end
 
+      # Iterate through current frameworks and return the current request's route. This will be the first 
+      # non-nil result.
+      #
+      # @param request [Contrast::Agent::Request] the current request.
+      # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
+      # TODO: RUBY-1075 add unit test.
       def get_route_dtm request
         result = nil
-        @_frameworks.find do |framework_klass|
-          # TODO: RUBY-763 Sinatra::Base#call patch adds the Route report
-          next if framework_klass == Contrast::Framework::Sinatra::Support
-
-          result = framework_klass.current_route(request)
-        end
+        @_frameworks.find { |framework_klass| result = framework_klass.current_route(request) }
         result
       end