RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/protect/rule/base_service.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
@@ -10,7 +10,7 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
-          def name
+          def rule_name
             'base-service'
           end
@@ -32,7 +32,11 @@ module Contrast
           # streamed responses will break
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return if mode == :NO_ACTION || mode == :PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return
+            end
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
@@ -40,14 +44,14 @@ module Contrast
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
-            raise Contrast::SecurityException.new(self, "#{ name } triggered in postfilter. Response blocked.")
+            raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
           end
           protected
           def gather_ia_results context
             context.speedracer_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == name
+              ia_result.rule_id == rule_name
             end
           end
@@ -58,7 +62,7 @@ module Contrast
           # Allows for the InputAnalysis from service to be extracted early
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = nil
             ia_results.each do |ia_result|

data/lib/contrast/agent/protect/rule/cmd_injection.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -18,7 +18,7 @@ module Contrast
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -34,20 +34,25 @@ module Contrast
               Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
             end
-            result = find_attacker_with_results(context, command, ia_results, **{ classname: classname, method: method })
+            result = find_attacker_with_results(context, command, ia_results,
+                                                **{ classname: classname, method: method })
             result ||= report_command_execution(context, command, **{ classname: classname, method: method })
             return unless result
             append_to_activity(context, result)
             return unless blocked?
-            raise Contrast::SecurityException.new(
-                self,
-                "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  'Command Injection rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked.")
           end
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
-            return result if mode == :NO_ACTION || mode == :PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return result
+            end
             result ||= build_attack_result(context)
             update_successful_attack_response(context, input_analysis_result, result, candidate_string)
@@ -60,14 +65,10 @@ module Contrast
           # Because results are not necessarily on the context across
           # processes; extract early and pass into the method
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = super(context, potential_attack_string, ia_results, **kwargs)
             if result.nil? && potential_attack_string
-              result = find_probable_attacker(
-                  context,
-                  potential_attack_string,
-                  ia_results,
-                  **kwargs)
+              result = find_probable_attacker(context, potential_attack_string, ia_results, **kwargs)
             end
             result
           end
@@ -109,12 +110,7 @@ module Contrast
             likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
             return unless likely_attacker
-            build_attack_with_match(
-                context,
-                likely_attacker,
-                nil,
-                potential_attack_string,
-                **kwargs)
+            build_attack_with_match(context, likely_attacker, nil, potential_attack_string, **kwargs)
           end
           def chained_command? command

data/lib/contrast/agent/protect/rule/default_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 # The base class used to determine if a user input crosses a token boundary or

data/lib/contrast/agent/protect/rule/deserialization.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
@@ -17,10 +17,7 @@ module Contrast
           BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
           # Gadgets that map to ERB modules
-          ERB_GADGETS = %W[
-            object:ERB
-            o:\bERB
-          ].cs__freeze
+          ERB_GADGETS = %W[object:ERB o:\bERB].cs__freeze
           # Gadgets that map to ActionDispatch modules
           ACTION_DISPATCH_GADGETS = %w[
@@ -29,11 +26,7 @@ module Contrast
           ].cs__freeze
           # Gadgets that map to Arel Modules
-          AREL_GADGETS = %w[
-            string:Arel::Nodes::SqlLiteral
-            object:Arel::Nodes
-            o:\bArel::Nodes
-          ].cs__freeze
+          AREL_GADGETS = %w[string:Arel::Nodes::SqlLiteral object:Arel::Nodes o:\bArel::Nodes].cs__freeze
           # Used to indicate to TeamServer the gadget is an ERB module
           ERB = 'ERB'
@@ -45,7 +38,7 @@ module Contrast
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
-          def name
+          def rule_name
             NAME
           end
@@ -124,8 +117,8 @@ module Contrast
             sample = build_base_sample(context, input_analysis_result)
             sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
-            deserializer = kwargs[:GADGET_TYPE]
-            sample.untrusted_deserialization.deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(deserializer)
+            deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:GADGET_TYPE])
+            sample.untrusted_deserialization.deserializer = deserializer
             command = !!kwargs[:COMMAND_SCOPE]
             sample.untrusted_deserialization.command = command
@@ -148,7 +141,7 @@ module Contrast
           #   of the analysis done by this rule.
           def build_evaluation gadget_string
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.key = INPUT_NAME
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(gadget_string)

data/lib/contrast/agent/protect/rule/http_method_tampering.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'method-tampering'
           STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -30,20 +30,9 @@ module Contrast
             method = ia_results.first.value
             result = if response_code.to_s.start_with?('4', '5')
-                       build_attack_without_match(
-                           context,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
                      else
-                       build_attack_with_match(
-                           context,
-                           nil,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
                      end
             append_to_activity(context, result) if result
           end

data/lib/contrast/agent/protect/rule/no_sqli.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
-          def name
+          def rule_name
             NAME
           end
@@ -32,7 +32,11 @@ module Contrast
           end
           def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            return result if mode == :NO_ACTION || mode == :PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return result
+            end
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -14,9 +14,7 @@ module Contrast
             # Is the current & next character '//' or are the current and
             # subsequent characters '<--' ?
             def start_line_comment? char, index, query
-              if char == Contrast::Utils::ObjectShare::SLASH &&
-                    query[index + 1] == Contrast::Utils::ObjectShare::SLASH
+              if char == Contrast::Utils::ObjectShare::SLASH && query[index + 1] == Contrast::Utils::ObjectShare::SLASH
                 return true
               end

data/lib/contrast/agent/protect/rule/path_traversal.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -29,7 +29,7 @@ module Contrast
             /windows/repair/
           ].cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -42,9 +42,8 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
-            raise Contrast::SecurityException.new(
-                self,
-                "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked.")
           end
           protected
@@ -128,7 +127,8 @@ module Contrast
             #     return 'NUL' in str(e) or 'null byte' in str(e) or (PY34 and 'embedded NUL character' == str(e))
             #   except Exception as e:
             #     return 'null byte' in str(e).lower()
-            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
+            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in
+            #   PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
             false
           end
         end

data/lib/contrast/agent/protect/rule/sqli.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -13,7 +13,7 @@ module Contrast
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
-          def name
+          def rule_name
             NAME
           end
@@ -50,16 +50,9 @@ module Contrast
               last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
               next unless last_boundary && boundary
-              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
               result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+              record_match(idx, length, boundary, last_boundary, kwargs)
+              append_match(context, input_analysis_result, result, query_string, **kwargs)
             end
             result
@@ -75,13 +68,26 @@ module Contrast
             sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
             sample.sqli.start_idx = sample.sqli.query.index(input).to_i
             sample.sqli.end_idx = sample.sqli.start_idx + input.length
-            sample.sqli.boundary_overrun_idx = kwargs[:boundary].to_i
-            sample.sqli.input_boundary_idx = kwargs[:last_boundary].to_i
+            sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+            sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
             sample
           end
           private
+          def record_match idx, length, boundary, last_boundary, kwargs
+            kwargs[:start_idx] = idx
+            kwargs[:end_idx] = idx + length
+            kwargs[:boundary_overrun_idx] = boundary
+            kwargs[:input_boundary_idx] = last_boundary
+          end
+          def append_match context, input_analysis_result, result, query_string, **kwargs
+            input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+            update_successful_attack_response(context, input_analysis_result, result, query_string)
+            append_sample(context, input_analysis_result, result, query_string, **kwargs)
+          end
           def select_scanner database
             @sql_scanners ||= {
                 Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>

data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 # This class is the concrete implementation of the DefaultSqlScanner designed

data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb CHANGED Viewed

@@ -1,7 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'unsafe-file-upload'
           BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
-          def name
+          def rule_name
             NAME
           end
         end

data/lib/contrast/agent/protect/rule/xss.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
-          def name
+          def rule_name
             NAME
           end

data/lib/contrast/agent/protect/rule/xxe.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
@@ -15,7 +15,7 @@ module Contrast
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -59,12 +59,7 @@ module Contrast
             return unless xxe_details
             ia_result = build_evaluation(xxe_details.xml)
-            build_attack_with_match(
-                context,
-                ia_result,
-                nil,
-                nil,
-                details: xxe_details)
+            build_attack_with_match(context, ia_result, nil, nil, details: xxe_details)
           end
           # Given an XML determined to be unsafe, build out the details of the
@@ -118,7 +113,7 @@ module Contrast
           # supplied by the attacker.
           def build_evaluation xml
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(xml)
             ia_result
@@ -133,10 +128,8 @@ module Contrast
           def build_wrapper entity_wrapper
             wrapper = Contrast::Api::Dtm::XxeWrapper.new
-            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.system_id)
-            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.public_id)
+            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.system_id)
+            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.public_id)
             wrapper
           end
         end