RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/protect/rule/base_service.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
@@ -10,7 +10,7 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
-          def name
+          def rule_name
             'base-service'
           end
@@ -32,7 +32,11 @@ module Contrast
           # streamed responses will break
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return if mode == :NO_ACTION || mode == :PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return
+            end
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
@@ -40,14 +44,14 @@ module Contrast
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
-            raise Contrast::SecurityException.new(self, "#{ name } triggered in postfilter. Response blocked.")
+            raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
           end
           protected
           def gather_ia_results context
             context.speedracer_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == name
+              ia_result.rule_id == rule_name
             end
           end
@@ -58,7 +62,7 @@ module Contrast
           # Allows for the InputAnalysis from service to be extracted early
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = nil
             ia_results.each do |ia_result|

data/lib/contrast/agent/protect/rule/cmd_injection.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -18,7 +18,7 @@ module Contrast
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -34,20 +34,25 @@ module Contrast
               Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
             end
-            result = find_attacker_with_results(context, command, ia_results, **{ classname: classname, method: method })
+            result = find_attacker_with_results(context, command, ia_results,
+                                                **{ classname: classname, method: method })
             result ||= report_command_execution(context, command, **{ classname: classname, method: method })
             return unless result
             append_to_activity(context, result)
             return unless blocked?
-            raise Contrast::SecurityException.new(
-                self,
-                "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  'Command Injection rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked.")
           end
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
-            return result if mode == :NO_ACTION || mode == :PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return result
+            end
             result ||= build_attack_result(context)
             update_successful_attack_response(context, input_analysis_result, result, candidate_string)
@@ -60,14 +65,10 @@ module Contrast
           # Because results are not necessarily on the context across
           # processes; extract early and pass into the method
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = super(context, potential_attack_string, ia_results, **kwargs)
             if result.nil? && potential_attack_string
-              result = find_probable_attacker(
-                  context,
-                  potential_attack_string,
-                  ia_results,
-                  **kwargs)
+              result = find_probable_attacker(context, potential_attack_string, ia_results, **kwargs)
             end
             result
           end
@@ -109,12 +110,7 @@ module Contrast
             likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
             return unless likely_attacker
-            build_attack_with_match(
-                context,
-                likely_attacker,
-                nil,
-                potential_attack_string,
-                **kwargs)
+            build_attack_with_match(context, likely_attacker, nil, potential_attack_string, **kwargs)
           end
           def chained_command? command

data/lib/contrast/agent/protect/rule/default_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 # The base class used to determine if a user input crosses a token boundary or

data/lib/contrast/agent/protect/rule/deserialization.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
@@ -17,10 +17,7 @@ module Contrast
           BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
           # Gadgets that map to ERB modules
-          ERB_GADGETS = %W[
-            object:ERB
-            o:\bERB
-          ].cs__freeze
+          ERB_GADGETS = %W[object:ERB o:\bERB].cs__freeze
           # Gadgets that map to ActionDispatch modules
           ACTION_DISPATCH_GADGETS = %w[
@@ -29,11 +26,7 @@ module Contrast
           ].cs__freeze
           # Gadgets that map to Arel Modules
-          AREL_GADGETS = %w[
-            string:Arel::Nodes::SqlLiteral
-            object:Arel::Nodes
-            o:\bArel::Nodes
-          ].cs__freeze
+          AREL_GADGETS = %w[string:Arel::Nodes::SqlLiteral object:Arel::Nodes o:\bArel::Nodes].cs__freeze
           # Used to indicate to TeamServer the gadget is an ERB module
           ERB = 'ERB'
@@ -45,7 +38,7 @@ module Contrast
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
-          def name
+          def rule_name
             NAME
           end
@@ -124,8 +117,8 @@ module Contrast
             sample = build_base_sample(context, input_analysis_result)
             sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
-            deserializer = kwargs[:GADGET_TYPE]
-            sample.untrusted_deserialization.deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(deserializer)
+            deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:GADGET_TYPE])
+            sample.untrusted_deserialization.deserializer = deserializer
             command = !!kwargs[:COMMAND_SCOPE]
             sample.untrusted_deserialization.command = command
@@ -148,7 +141,7 @@ module Contrast
           #   of the analysis done by this rule.
           def build_evaluation gadget_string
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.key = INPUT_NAME
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(gadget_string)

data/lib/contrast/agent/protect/rule/http_method_tampering.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'method-tampering'
           STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -30,20 +30,9 @@ module Contrast
             method = ia_results.first.value
             result = if response_code.to_s.start_with?('4', '5')
-                       build_attack_without_match(
-                           context,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
                      else
-                       build_attack_with_match(
-                           context,
-                           nil,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
                      end
             append_to_activity(context, result) if result
           end

data/lib/contrast/agent/protect/rule/no_sqli.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
-          def name
+          def rule_name
             NAME
           end
@@ -32,7 +32,11 @@ module Contrast
           end
           def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            return result if mode == :NO_ACTION || mode == :PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return result
+            end
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -14,9 +14,7 @@ module Contrast
             # Is the current & next character '//' or are the current and
             # subsequent characters '<--' ?
             def start_line_comment? char, index, query
-              if char == Contrast::Utils::ObjectShare::SLASH &&
-                    query[index + 1] == Contrast::Utils::ObjectShare::SLASH
+              if char == Contrast::Utils::ObjectShare::SLASH && query[index + 1] == Contrast::Utils::ObjectShare::SLASH
                 return true
               end

data/lib/contrast/agent/protect/rule/path_traversal.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -29,7 +29,7 @@ module Contrast
             /windows/repair/
           ].cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -42,9 +42,8 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
-            raise Contrast::SecurityException.new(
-                self,
-                "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked.")
           end
           protected
@@ -128,7 +127,8 @@ module Contrast
             #     return 'NUL' in str(e) or 'null byte' in str(e) or (PY34 and 'embedded NUL character' == str(e))
             #   except Exception as e:
             #     return 'null byte' in str(e).lower()
-            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
+            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in
+            #   PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
             false
           end
         end

data/lib/contrast/agent/protect/rule/sqli.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -13,7 +13,7 @@ module Contrast
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
-          def name
+          def rule_name
             NAME
           end
@@ -50,16 +50,9 @@ module Contrast
               last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
               next unless last_boundary && boundary
-              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
               result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+              record_match(idx, length, boundary, last_boundary, kwargs)
+              append_match(context, input_analysis_result, result, query_string, **kwargs)
             end
             result
@@ -75,13 +68,26 @@ module Contrast
             sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
             sample.sqli.start_idx = sample.sqli.query.index(input).to_i
             sample.sqli.end_idx = sample.sqli.start_idx + input.length
-            sample.sqli.boundary_overrun_idx = kwargs[:boundary].to_i
-            sample.sqli.input_boundary_idx = kwargs[:last_boundary].to_i
+            sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+            sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
             sample
           end
           private
+          def record_match idx, length, boundary, last_boundary, kwargs
+            kwargs[:start_idx] = idx
+            kwargs[:end_idx] = idx + length
+            kwargs[:boundary_overrun_idx] = boundary
+            kwargs[:input_boundary_idx] = last_boundary
+          end
+          def append_match context, input_analysis_result, result, query_string, **kwargs
+            input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+            update_successful_attack_response(context, input_analysis_result, result, query_string)
+            append_sample(context, input_analysis_result, result, query_string, **kwargs)
+          end
           def select_scanner database
             @sql_scanners ||= {
                 Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>

data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 # This class is the concrete implementation of the DefaultSqlScanner designed

data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb CHANGED Viewed

@@ -1,7 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'unsafe-file-upload'
           BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
-          def name
+          def rule_name
             NAME
           end
         end

data/lib/contrast/agent/protect/rule/xss.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -12,7 +12,7 @@ module Contrast
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
-          def name
+          def rule_name
             NAME
           end

data/lib/contrast/agent/protect/rule/xxe.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
@@ -15,7 +15,7 @@ module Contrast
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -59,12 +59,7 @@ module Contrast
             return unless xxe_details
             ia_result = build_evaluation(xxe_details.xml)
-            build_attack_with_match(
-                context,
-                ia_result,
-                nil,
-                nil,
-                details: xxe_details)
+            build_attack_with_match(context, ia_result, nil, nil, details: xxe_details)
           end
           # Given an XML determined to be unsafe, build out the details of the
@@ -118,7 +113,7 @@ module Contrast
           # supplied by the attacker.
           def build_evaluation xml
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(xml)
             ia_result
@@ -133,10 +128,8 @@ module Contrast
           def build_wrapper entity_wrapper
             wrapper = Contrast::Api::Dtm::XxeWrapper.new
-            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.system_id)
-            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.public_id)
+            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.system_id)
+            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.public_id)
             wrapper
           end
         end