RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/patching/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'json'
@@ -13,8 +13,9 @@ module Contrast
   module Agent
     module Patching
       module Policy
-        # This is just a holder for our policy. Takes the policy JSON and
-        # converts it into hashes that we can access nicely
+        # This is just a holder for our policy. Takes the policy JSON and converts it into hashes that we can access
+        # nicely.
+        #
         # @abstract
         class Policy
           include Singleton
@@ -25,8 +26,8 @@ module Contrast
             raise(NoMethodError, 'specify policy_folder for patching')
           end
-          # Indicates is this feature has been disabled by the configuration,
-          # read at startup, and therefore can never be enabled.
+          # Indicates is this feature has been disabled by the configuration, read at startup, and therefore can never
+          # be enabled.
           def disabled_globally?
             raise(NoMethodError, 'specify disabled_globally? conditions for patching')
           end
@@ -58,17 +59,15 @@ module Contrast
             from_hash_string(json)
           end
-          # Our policy for patching rules is a 'dope ass' JSON file. Rather than
-          # hard code in a bunch of things to monkey patch, we let the JSON file
-          # define the conditions in which modifications are applied.
-          # This let's us be flexible and extensible.
+          # Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
+          # monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
+          # be flexible and extensible.
           def from_hash_string string
-            # The default behavior of the agent is to load the policy on startup,
-            # as at this point we do not know in which mode we'll be run.
+            # The default behavior of the agent is to load the policy on startup, as at this point we do not know in
+            # which mode we'll be run.
             #
-            # If the configuration file explicitly disables a feature, we know
-            # that we will not ever be able to enable it, so in that case, we
-            # can skip policy loading.
+            # If the configuration file explicitly disables a feature, we know that we will not ever be able to enable
+            # it, so in that case, we can skip policy loading.
             return if disabled_globally?
             policy_data = JSON.parse(string)
@@ -110,13 +109,7 @@ module Contrast
           end
           def module_names
-            @_module_names ||= begin
-              m = Set.new
-              sources.each { |source| m << source.class_name }
-              propagators.each { |propagator| m << propagator.class_name }
-              triggers.each { |trigger| m << trigger.class_name }
-              m
-            end
+            @_module_names ||= Set.new([sources, propagators, triggers].flatten.map!(&:class_name))
           end
           def find_triggers_by_rule rule_id

data/lib/contrast/agent/patching/policy/policy_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -44,10 +44,20 @@ module Contrast
           # later on. Really, if they don't have these things, they couldn't have
           # done their jobs anyway.
           def validate
-            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.") unless class_name
-            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper method name. Unable to create.") unless method_name
-            raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_name value. Unable to create.") unless method_name.is_a?(Symbol)
-            raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_visibility value. Unable to create.") unless method_visibility.is_a?(Symbol)
+            unless class_name
+              raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
+            end
+            unless method_name
+              raise(ArgumentError, "#{ node_class } #{ id } did not have a proper method name. Unable to create.")
+            end
+            unless method_name.is_a?(Symbol)
+              raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_name value. Unable to create.")
+            end
+            unless method_visibility.is_a?(Symbol)
+              raise(ArgumentError,
+                    "#{ node_class } #{ id } has a non symbol @method_visibility value. Unable to create.")
+            end
             unless method_scope.nil? || Contrast::Agent::Scope.valid_scope?(method_scope)
               raise(ArgumentError, "#{ node_class } #{ id } requires an undefined scope. Unable to create.")
             end

data/lib/contrast/agent/patching/policy/trigger_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/extension/module'
@@ -21,7 +21,8 @@ module Contrast
           JSON_OPTIONAL_PROPS = 'optional_properties'
           JSON_ON_EXCEPTION = 'on_exception'
-          attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties, :rule_id
+          attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
+                      :rule_id
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
@@ -42,27 +43,42 @@ module Contrast
           def validate
             super
-            unless applicator.public_methods(false).any? { |method| method == applicator_method }
+            unless applicator.public_methods(false).any?(applicator_method)
               raise(ArgumentError,
-                    "#{ id } did not have a proper applicator method: #{ applicator } does not respond to #{ applicator_method }. Unable to create.")
+                    "#{ id } did not have a proper applicator method: "\
+                    "#{ applicator } does not respond to #{ applicator_method }. Unable to create.")
             end
+            validate_properties
+            validate_rule
+          end
+          def validate_properties
             if (required_properties & optional_properties).any?
-              raise(ArgumentError, "#{ rule_id } had overlapping elements between required and optional properties. Unable to create.")
+              raise(ArgumentError,
+                    "#{ rule_id } had overlapping elements between required and optional properties. Unable to create.")
             end
             if (properties.keys - (required_properties | optional_properties)).any?
               raise(ArgumentError, "#{ id } had an unexpected property. Unable to create.")
             end
-            raise(ArgumentError, "#{ id } did not have a required property. Unable to create.") if (required_properties - properties.keys).any?
-            validate_rule
+            return unless (required_properties - properties.keys).any?
+            raise(ArgumentError, "#{ id } did not have a required property. Unable to create.")
           end
           def validate_rule
             raise(ArgumentError, 'Unknown rule did not have a proper name. Unable to create.') unless rule_id
             raise(ArgumentError, "#{ id } did not have a proper applicator. Unable to create.") unless applicator
-            raise(ArgumentError, "#{ id } did not have a proper applicator method. Unable to create.") unless applicator_method
-            raise(ArgumentError, "#{ id } did not have a proper set of required properties. Unable to create.") unless required_properties
-            raise(ArgumentError, "#{ id } did not have a proper set of optional properties. Unable to create.") unless optional_properties
+            unless applicator_method
+              raise(ArgumentError, "#{ id } did not have a proper applicator method. Unable to create.")
+            end
+            unless required_properties
+              raise(ArgumentError, "#{ id } did not have a proper set of required properties. Unable to create.")
+            end
+            return if optional_properties
+            raise(ArgumentError, "#{ id } did not have a proper set of optional properties. Unable to create.")
           end
           private

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/cmd_injection'
@@ -37,7 +37,7 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::CmdInjection::NAME
             end

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/deserialization'
@@ -71,7 +71,7 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Deserialization::NAME
             end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/no_sqli'
@@ -34,7 +34,7 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::NoSqli::NAME
             end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/path_traversal'
@@ -42,15 +42,14 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::PathTraversal::NAME
             end
             private
             def possible_write? input
-              input.cs__respond_to?(:to_s) &&
-                  input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
+              input.cs__respond_to?(:to_s) && input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
             end
             READ = 'read'

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/sqli'
@@ -34,7 +34,7 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Sqli::NAME
             end

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/xxe'
@@ -49,16 +49,15 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Xxe::NAME
             end
             private
-            DATA_KEY = '@data'.to_sym
+            DATA_KEY = :@data
             def valid_data_input? object
-              object.instance_variable_defined?(DATA_KEY) &&
-                  object.instance_variable_get(DATA_KEY)
+              object.instance_variable_defined?(DATA_KEY) && object.instance_variable_get(DATA_KEY)
             end
             NOKOGIRI_MARKER = 'Nokogiri::'
@@ -115,11 +114,8 @@ module Contrast
               raise e
             rescue StandardError => e
               parser ||= Contrast::Utils::ObjectShare::UNKNOWN
-              logger.error(
-                  'Error applying xxe',
-                  e,
-                  module: potential_parser.cs__class.cs__name,
-                  method: method, parser: parser)
+              logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,
+                                                    parser: parser)
             end
           end
         end

data/lib/contrast/agent/protect/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/policy'

data/lib/contrast/agent/protect/policy/rule_applicator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -42,7 +42,8 @@ module Contrast
           rescue Contrast::SecurityException => e
             raise e
           rescue StandardError => e
-            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method, rule: name)
+            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
+                                                           rule: rule_name)
           end
           protected
@@ -68,11 +69,10 @@ module Contrast
             raise NoMethodError, 'This is abstract, override it.'
           end
-          # The name of the rule, as expected by the Contrast Service and
-          # Contrast UI.
+          # The name of the rule, as expected by the Contrast Service and Contrast UI.
           #
           # @return [String]
-          def name
+          def rule_name
             raise NoMethodError, 'This is abstract, override it.'
           end
@@ -82,7 +82,7 @@ module Contrast
           #
           # @return [Contrast::Agent::Protect::Rule::Base]
           def rule
-            PROTECT.rule name
+            PROTECT.rule rule_name
           end
           # Should we skip analysis for this rule for this method invocation?

data/lib/contrast/agent/protect/policy/trigger_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/trigger_node'

data/lib/contrast/agent/protect/rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/base.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -36,42 +36,31 @@ module Contrast
           attr_reader :mode
-          def initialize default_mode = Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
-            PROTECT.rules[name] = self
-            @mode = mode_from_settings || default_mode
+          def initialize
+            PROTECT.rules[rule_name] = self
+            @mode = mode_from_settings
           end
           # Should return the name as it is known to Teamserver; defaults to class
-          def name
-            cs__class.name
+          def rule_name
+            cs__class.cs__name
           end
-          OFF = 'off'
           def enabled?
             # 1. it is not enabled because protect is not enabled
             return false unless AGENT.enabled?
             return false unless PROTECT.enabled?
-            rule_configs = PROTECT.rule_config
-            unless rule_configs.nil?
-              # 2. it is not enabled because it is in the list of disabled protect rules
-              disabled_rules = rule_configs.disabled_rules
-              return false if disabled_rules&.include?(name)
-              # 3. it is not enabled because it has been turned "off" explicitly
-              rule_config = rule_configs.send(name)
-              return rule_config.mode != OFF unless rule_config.mode.nil?
-            end
+            # 2. it is not enabled because it is in the list of disabled protect rules
+            return false if PROTECT.rule_config&.disabled_rules&.include?(rule_name)
-            # 4. it is not enabled because it's mode is :NO_ACTION
-            @mode != :NO_ACTION
+            # 3. it is enabled so long as its mode is not NO_ACTION
+            @mode != Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
           end
           def excluded? exclusions
             Array(exclusions).any? do |ex|
-              ex.protection_rule?(name)
+              ex.protection_rule?(rule_name)
             end
           end
@@ -187,8 +176,8 @@ module Contrast
           protected
           def mode_from_settings
-            PROTECT.rule_mode(name).tap do |mode|
-              logger.trace('Retrieving rule mode', rule: name, mode: mode)
+            PROTECT.rule_mode(rule_name).tap do |mode|
+              logger.trace('Retrieving rule mode', rule: rule_name, mode: mode)
             end
           end
@@ -205,7 +194,7 @@ module Contrast
             exclusions = SETTINGS.code_exclusions
             return false unless exclusions
-            for_rule = exclusions.select { |ex| ex.protection_rule?(name) }
+            for_rule = exclusions.select { |ex| ex.protection_rule?(rule_name) }
             return false if for_rule.empty?
             stack = caller_locations
@@ -224,7 +213,7 @@ module Contrast
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
           def find_attacker _context, _potential_attack_string, **_kwargs
-            raise NoMethodError, "Rule #{ name } did not implement find_attack"
+            raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
           end
           def update_successful_attack_response context, ia_result, result, attack_string = nil
@@ -260,7 +249,7 @@ module Contrast
           # @return [Contrast::Api::Dtm::AttackResult]
           def build_attack_result _context
             result = Contrast::Api::Dtm::AttackResult.new
-            result.rule_id = name
+            result.rule_id = rule_name
             result
           end
@@ -297,7 +286,7 @@ module Contrast
           def log_rule_matched _context, ia_result, response, _matched_string = nil
             logger.debug('A successful attack was detected',
-                         rule: name,
+                         rule: rule_name,
                          type: ia_result&.input_type,
                          name: ia_result&.key,
                          input: ia_result&.value,
@@ -307,11 +296,8 @@ module Contrast
           private
           def log_rule_probed _context, ia_result
-            logger.debug('An unsuccessful attack was detected',
-                         rule: name,
-                         type: ia_result&.input_type,
-                         name: ia_result&.key,
-                         input: ia_result&.value)
+            logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
+                                                                name: ia_result&.key, input: ia_result&.value)
           end
         end
       end