contrast-agent 4.3.2 → 4.7.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (317) hide show
  1. checksums.yaml +4 -4
  2. data/.gitmodules +1 -1
  3. data/.simplecov +1 -1
  4. data/Gemfile +1 -1
  5. data/LICENSE.txt +1 -1
  6. data/Rakefile +2 -3
  7. data/exe/contrast_service +1 -1
  8. data/ext/build_funchook.rb +4 -4
  9. data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
  10. data/ext/cs__assess_active_record_named/extconf.rb +1 -1
  11. data/ext/cs__assess_array/cs__assess_array.c +1 -1
  12. data/ext/cs__assess_array/extconf.rb +1 -1
  13. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
  14. data/ext/cs__assess_basic_object/extconf.rb +1 -1
  15. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  16. data/ext/cs__assess_fiber_track/extconf.rb +1 -1
  17. data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
  18. data/ext/cs__assess_hash/extconf.rb +1 -1
  19. data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
  20. data/ext/cs__assess_kernel/extconf.rb +1 -1
  21. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
  22. data/ext/cs__assess_marshal_module/extconf.rb +1 -1
  23. data/ext/cs__assess_module/cs__assess_module.c +1 -1
  24. data/ext/cs__assess_module/extconf.rb +1 -1
  25. data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
  26. data/ext/cs__assess_regexp/extconf.rb +1 -1
  27. data/ext/cs__assess_string/cs__assess_string.c +1 -1
  28. data/ext/cs__assess_string/extconf.rb +1 -1
  29. data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
  30. data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
  31. data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
  32. data/ext/cs__assess_yield_track/extconf.rb +1 -1
  33. data/ext/cs__common/cs__common.c +5 -5
  34. data/ext/cs__common/cs__common.h +4 -4
  35. data/ext/cs__common/extconf.rb +1 -1
  36. data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
  37. data/ext/cs__contrast_patch/extconf.rb +1 -1
  38. data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
  39. data/ext/cs__protect_kernel/extconf.rb +1 -1
  40. data/ext/extconf_common.rb +2 -6
  41. data/lib/contrast-agent.rb +1 -1
  42. data/lib/contrast.rb +20 -1
  43. data/lib/contrast/agent.rb +6 -4
  44. data/lib/contrast/agent/assess.rb +2 -11
  45. data/lib/contrast/agent/assess/contrast_event.rb +54 -71
  46. data/lib/contrast/agent/assess/contrast_object.rb +7 -4
  47. data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
  48. data/lib/contrast/agent/assess/events/source_event.rb +7 -2
  49. data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
  50. data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
  51. data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
  52. data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
  53. data/lib/contrast/agent/assess/policy/policy.rb +1 -1
  54. data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
  55. data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
  56. data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
  57. data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
  58. data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
  59. data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
  60. data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
  61. data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
  62. data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
  63. data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
  64. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
  65. data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
  66. data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
  67. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
  68. data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
  69. data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
  70. data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
  71. data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
  72. data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
  73. data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
  74. data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
  75. data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
  76. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
  77. data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
  78. data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
  79. data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
  80. data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
  81. data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
  82. data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
  83. data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
  84. data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
  85. data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
  86. data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
  87. data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
  88. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
  89. data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
  90. data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
  91. data/lib/contrast/agent/assess/properties.rb +1 -3
  92. data/lib/contrast/agent/assess/property/evented.rb +9 -6
  93. data/lib/contrast/agent/assess/property/tagged.rb +38 -20
  94. data/lib/contrast/agent/assess/property/updated.rb +1 -1
  95. data/lib/contrast/agent/assess/rule/provider.rb +1 -1
  96. data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
  97. data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
  98. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
  99. data/lib/contrast/agent/assess/tag.rb +1 -1
  100. data/lib/contrast/agent/assess/tracker.rb +2 -2
  101. data/lib/contrast/agent/at_exit_hook.rb +1 -1
  102. data/lib/contrast/agent/class_reopener.rb +4 -2
  103. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
  104. data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
  105. data/lib/contrast/agent/disable_reaction.rb +2 -4
  106. data/lib/contrast/agent/exclusion_matcher.rb +6 -12
  107. data/lib/contrast/agent/inventory.rb +1 -2
  108. data/lib/contrast/agent/inventory/dependencies.rb +3 -1
  109. data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
  110. data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
  111. data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
  112. data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
  113. data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
  114. data/lib/contrast/agent/middleware.rb +111 -110
  115. data/lib/contrast/agent/module_data.rb +4 -4
  116. data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
  117. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
  118. data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
  119. data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
  120. data/lib/contrast/agent/patching/policy/patch.rb +23 -29
  121. data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
  122. data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
  123. data/lib/contrast/agent/patching/policy/policy.rb +14 -21
  124. data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
  125. data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
  126. data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
  127. data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
  128. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
  129. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
  130. data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
  131. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
  132. data/lib/contrast/agent/protect/policy/policy.rb +1 -1
  133. data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
  134. data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
  135. data/lib/contrast/agent/protect/rule.rb +1 -1
  136. data/lib/contrast/agent/protect/rule/base.rb +19 -33
  137. data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
  138. data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
  139. data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
  140. data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
  141. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
  142. data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
  143. data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
  144. data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
  145. data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
  146. data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
  147. data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
  148. data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
  149. data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
  150. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
  151. data/lib/contrast/agent/protect/rule/xss.rb +2 -2
  152. data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
  153. data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
  154. data/lib/contrast/agent/railtie.rb +1 -1
  155. data/lib/contrast/agent/reaction_processor.rb +12 -11
  156. data/lib/contrast/agent/request.rb +25 -24
  157. data/lib/contrast/agent/request_context.rb +25 -23
  158. data/lib/contrast/agent/request_handler.rb +1 -1
  159. data/lib/contrast/agent/response.rb +1 -1
  160. data/lib/contrast/agent/rewriter.rb +6 -4
  161. data/lib/contrast/agent/rule_set.rb +3 -3
  162. data/lib/contrast/agent/scope.rb +1 -1
  163. data/lib/contrast/agent/service_heartbeat.rb +3 -4
  164. data/lib/contrast/agent/static_analysis.rb +1 -1
  165. data/lib/contrast/agent/thread.rb +2 -2
  166. data/lib/contrast/agent/thread_watcher.rb +21 -6
  167. data/lib/contrast/agent/tracepoint_hook.rb +2 -2
  168. data/lib/contrast/agent/version.rb +2 -2
  169. data/lib/contrast/agent/worker_thread.rb +1 -1
  170. data/lib/contrast/api.rb +1 -1
  171. data/lib/contrast/api/communication.rb +1 -1
  172. data/lib/contrast/api/communication/connection_status.rb +1 -1
  173. data/lib/contrast/api/communication/messaging_queue.rb +19 -22
  174. data/lib/contrast/api/communication/response_processor.rb +13 -8
  175. data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
  176. data/lib/contrast/api/communication/socket.rb +1 -1
  177. data/lib/contrast/api/communication/socket_client.rb +30 -35
  178. data/lib/contrast/api/communication/speedracer.rb +6 -10
  179. data/lib/contrast/api/communication/tcp_socket.rb +1 -1
  180. data/lib/contrast/api/communication/unix_socket.rb +1 -1
  181. data/lib/contrast/api/decorators.rb +3 -1
  182. data/lib/contrast/api/decorators/address.rb +1 -1
  183. data/lib/contrast/api/decorators/agent_startup.rb +58 -0
  184. data/lib/contrast/api/decorators/application_settings.rb +1 -1
  185. data/lib/contrast/api/decorators/application_startup.rb +57 -0
  186. data/lib/contrast/api/decorators/application_update.rb +1 -1
  187. data/lib/contrast/api/decorators/http_request.rb +1 -1
  188. data/lib/contrast/api/decorators/input_analysis.rb +1 -1
  189. data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
  190. data/lib/contrast/api/decorators/library.rb +9 -7
  191. data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
  192. data/lib/contrast/api/decorators/message.rb +4 -4
  193. data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
  194. data/lib/contrast/api/decorators/route_coverage.rb +16 -6
  195. data/lib/contrast/api/decorators/server_features.rb +1 -1
  196. data/lib/contrast/api/decorators/trace_event.rb +46 -16
  197. data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
  198. data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
  199. data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
  200. data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
  201. data/lib/contrast/api/decorators/user_input.rb +1 -1
  202. data/lib/contrast/components/agent.rb +16 -15
  203. data/lib/contrast/components/app_context.rb +11 -29
  204. data/lib/contrast/components/assess.rb +6 -11
  205. data/lib/contrast/components/config.rb +3 -2
  206. data/lib/contrast/components/contrast_service.rb +8 -9
  207. data/lib/contrast/components/heap_dump.rb +1 -1
  208. data/lib/contrast/components/interface.rb +4 -3
  209. data/lib/contrast/components/inventory.rb +1 -1
  210. data/lib/contrast/components/logger.rb +1 -1
  211. data/lib/contrast/components/protect.rb +11 -14
  212. data/lib/contrast/components/sampling.rb +55 -7
  213. data/lib/contrast/components/scope.rb +2 -1
  214. data/lib/contrast/components/settings.rb +29 -99
  215. data/lib/contrast/config.rb +1 -1
  216. data/lib/contrast/config/agent_configuration.rb +1 -1
  217. data/lib/contrast/config/application_configuration.rb +1 -1
  218. data/lib/contrast/config/assess_configuration.rb +1 -1
  219. data/lib/contrast/config/assess_rules_configuration.rb +2 -4
  220. data/lib/contrast/config/base_configuration.rb +5 -6
  221. data/lib/contrast/config/default_value.rb +1 -1
  222. data/lib/contrast/config/exception_configuration.rb +2 -6
  223. data/lib/contrast/config/heap_dump_configuration.rb +13 -7
  224. data/lib/contrast/config/inventory_configuration.rb +1 -1
  225. data/lib/contrast/config/logger_configuration.rb +2 -6
  226. data/lib/contrast/config/protect_configuration.rb +1 -1
  227. data/lib/contrast/config/protect_rule_configuration.rb +23 -1
  228. data/lib/contrast/config/protect_rules_configuration.rb +1 -1
  229. data/lib/contrast/config/root_configuration.rb +1 -1
  230. data/lib/contrast/config/ruby_configuration.rb +1 -1
  231. data/lib/contrast/config/sampling_configuration.rb +1 -1
  232. data/lib/contrast/config/server_configuration.rb +1 -1
  233. data/lib/contrast/config/service_configuration.rb +1 -1
  234. data/lib/contrast/configuration.rb +4 -15
  235. data/lib/contrast/delegators/input_analysis.rb +12 -0
  236. data/lib/contrast/extension/assess.rb +1 -1
  237. data/lib/contrast/extension/assess/array.rb +2 -7
  238. data/lib/contrast/extension/assess/erb.rb +2 -8
  239. data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
  240. data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
  241. data/lib/contrast/extension/assess/fiber.rb +3 -13
  242. data/lib/contrast/extension/assess/hash.rb +1 -1
  243. data/lib/contrast/extension/assess/kernel.rb +3 -10
  244. data/lib/contrast/extension/assess/marshal.rb +3 -11
  245. data/lib/contrast/extension/assess/regexp.rb +2 -7
  246. data/lib/contrast/extension/assess/string.rb +4 -2
  247. data/lib/contrast/extension/delegator.rb +1 -1
  248. data/lib/contrast/extension/inventory.rb +1 -1
  249. data/lib/contrast/extension/kernel.rb +5 -3
  250. data/lib/contrast/extension/module.rb +1 -1
  251. data/lib/contrast/extension/protect.rb +1 -1
  252. data/lib/contrast/extension/protect/kernel.rb +1 -1
  253. data/lib/contrast/extension/protect/psych.rb +1 -1
  254. data/lib/contrast/extension/thread.rb +1 -1
  255. data/lib/contrast/framework/base_support.rb +1 -1
  256. data/lib/contrast/framework/manager.rb +14 -17
  257. data/lib/contrast/framework/platform_version.rb +1 -1
  258. data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
  259. data/lib/contrast/framework/rack/patch/support.rb +7 -5
  260. data/lib/contrast/framework/rack/support.rb +1 -1
  261. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
  262. data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
  263. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
  264. data/lib/contrast/framework/rails/patch/support.rb +5 -3
  265. data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
  266. data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
  267. data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
  268. data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
  269. data/lib/contrast/framework/rails/support.rb +45 -46
  270. data/lib/contrast/framework/sinatra/support.rb +103 -42
  271. data/lib/contrast/funchook/funchook.rb +2 -6
  272. data/lib/contrast/logger/application.rb +13 -10
  273. data/lib/contrast/logger/format.rb +3 -6
  274. data/lib/contrast/logger/log.rb +36 -19
  275. data/lib/contrast/logger/request.rb +2 -3
  276. data/lib/contrast/logger/time.rb +1 -1
  277. data/lib/contrast/security_exception.rb +2 -2
  278. data/lib/contrast/tasks/config.rb +1 -1
  279. data/lib/contrast/tasks/service.rb +6 -2
  280. data/lib/contrast/utils/assess/sampling_util.rb +1 -1
  281. data/lib/contrast/utils/assess/tracking_util.rb +2 -3
  282. data/lib/contrast/utils/class_util.rb +18 -12
  283. data/lib/contrast/utils/duck_utils.rb +1 -1
  284. data/lib/contrast/utils/env_configuration_item.rb +1 -1
  285. data/lib/contrast/utils/hash_digest.rb +16 -24
  286. data/lib/contrast/utils/heap_dump_util.rb +104 -88
  287. data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
  288. data/lib/contrast/utils/inventory_util.rb +1 -1
  289. data/lib/contrast/utils/io_util.rb +2 -2
  290. data/lib/contrast/utils/job_servers_running.rb +10 -5
  291. data/lib/contrast/utils/object_share.rb +1 -1
  292. data/lib/contrast/utils/os.rb +3 -2
  293. data/lib/contrast/utils/preflight_util.rb +1 -1
  294. data/lib/contrast/utils/resource_loader.rb +1 -1
  295. data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
  296. data/lib/contrast/utils/sha256_builder.rb +1 -1
  297. data/lib/contrast/utils/stack_trace_utils.rb +1 -1
  298. data/lib/contrast/utils/string_utils.rb +1 -1
  299. data/lib/contrast/utils/tag_util.rb +1 -1
  300. data/lib/contrast/utils/thread_tracker.rb +1 -1
  301. data/lib/contrast/utils/timer.rb +1 -1
  302. data/resources/assess/policy.json +8 -11
  303. data/resources/deadzone/policy.json +7 -17
  304. data/ruby-agent.gemspec +66 -27
  305. data/service_executables/VERSION +1 -1
  306. data/service_executables/linux/contrast-service +0 -0
  307. data/service_executables/mac/contrast-service +0 -0
  308. data/sonar-project.properties +9 -0
  309. metadata +154 -156
  310. data/lib/contrast/agent/assess/rule.rb +0 -18
  311. data/lib/contrast/agent/assess/rule/base.rb +0 -52
  312. data/lib/contrast/agent/assess/rule/redos.rb +0 -67
  313. data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
  314. data/lib/contrast/common_agent_configuration.rb +0 -87
  315. data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
  316. data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
  317. data/lib/contrast/utils/prevent_serialization.rb +0 -52
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -65,8 +65,7 @@ module Contrast
65
65
  return true if http && !tmp_id.end_with?(DTD_MARKER)
66
66
 
67
67
  # external if using external protocol
68
- return true if tmp_id.start_with?(FTP_START, FILE_START,
69
- JAR_START, GOPHER_START)
68
+ return true if tmp_id.start_with?(FTP_START, FILE_START, JAR_START, GOPHER_START)
70
69
 
71
70
  # external if start with path marker (/ or .)
72
71
  return true if tmp_id.start_with?(Contrast::Utils::ObjectShare::SLASH,
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/utils/job_servers_running'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/disable_reaction'
@@ -6,11 +6,9 @@ require 'contrast/components/interface'
6
6
 
7
7
  module Contrast
8
8
  module Agent
9
- # Because communication between the Agent/Service and TeamServer can only
10
- # be initiated by outbound connections from the Agent/Service, we must
11
- # provide a mechanism for the TeamServer to direct the Agent to take a
12
- # specific action. This action is referred to as a Reaction. This class is
13
- # how we handle those Reaction messages.
9
+ # Because communication between the Agent/Service and TeamServer can only be initiated by outbound connections
10
+ # from the Agent/Service, we must provide a mechanism for the TeamServer to direct the Agent to take a specific
11
+ # action. This action is referred to as a Reaction. This class is how we handle those Reaction messages.
14
12
  class ReactionProcessor
15
13
  include Contrast::Components::Interface
16
14
  access_component :logging
@@ -25,8 +23,12 @@ module Contrast
25
23
  return unless application_settings&.reactions&.any?
26
24
 
27
25
  application_settings.reactions.each do |reaction|
28
- # the enums are all uppercase, we need to downcase them before attempting to log
29
- level = reaction.log_level.nil? ? :error : reaction.log_level.name.downcase
26
+ # The enums are all uppercase, we need to downcase them before attempting to log.
27
+ level = if reaction.log_level.nil?
28
+ :error
29
+ else
30
+ reaction.log_level.name.downcase # rubocop:disable Security/Module/Name -- ruby logger builtin.
31
+ end
30
32
 
31
33
  logger.with_level(level, reaction.message) if reaction.message
32
34
 
@@ -36,9 +38,8 @@ module Contrast
36
38
  when Contrast::Api::Settings::Reaction::Operation::NOOP
37
39
  # NOOP
38
40
  else
39
- logger.warn(
40
- 'ReactionProcessor received a reaction with an unknown operation',
41
- operation: reaction.operation)
41
+ logger.warn('ReactionProcessor received a reaction with an unknown operation',
42
+ operation: reaction.operation)
42
43
  end
43
44
  end
44
45
  end
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'resolv'
@@ -27,9 +27,11 @@ module Contrast
27
27
  LAST_NUMBER_MARKER = '/{n}'
28
28
 
29
29
  attr_reader :rack_request
30
+ attr_accessor :route, :observed_route
30
31
 
31
32
  # Delegate calls to the following methods to the attribute @rack_request
32
- def_delegators :@rack_request, :base_url, :content_type, :cookies, :env, :ip, :path, :port, :query_string, :request_method, :scheme, :url, :user_agent
33
+ def_delegators :@rack_request, :base_url, :content_type, :cookies, :env, :ip, :path, :port, :query_string,
34
+ :request_method, :scheme, :url, :user_agent
33
35
 
34
36
  def initialize rack_request
35
37
  @rack_request = rack_request
@@ -55,32 +57,28 @@ module Contrast
55
57
  end
56
58
 
57
59
  def document_type
58
- @_document_type ||= begin
59
- if /xml/i.match?(content_type) || body&.start_with?('<?xml')
60
- :XML
61
- elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
62
- :JSON
63
- else
64
- :NORMAL
65
- end
66
- end
60
+ @_document_type ||= if /xml/i.match?(content_type) || body&.start_with?('<?xml')
61
+ :XML
62
+ elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
63
+ :JSON
64
+ else
65
+ :NORMAL
66
+ end
67
67
  end
68
68
 
69
69
  # Header keys upcased and any underscores replaced with dashes
70
70
  def headers
71
- @_headers ||= begin
72
- with_contrast_scope do
73
- hash = {}
74
- env.each do |key, value|
75
- next unless key
76
-
77
- name = key.to_s
78
- next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
79
-
80
- hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
81
- end
82
- hash
71
+ @_headers ||= with_contrast_scope do
72
+ hash = {}
73
+ env.each do |key, value|
74
+ next unless key
75
+
76
+ name = key.to_s
77
+ next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
78
+
79
+ hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
83
80
  end
81
+ hash
84
82
  end
85
83
  end
86
84
 
@@ -89,7 +87,10 @@ module Contrast
89
87
  # (can't use body because it might be nil)
90
88
  @_body_read ||= begin
91
89
  body = rack_request.body
92
- if defined?(Rack::Multipart) && defined?(Rack::Multipart::UploadedFile) && body.is_a?(Rack::Multipart::UploadedFile)
90
+ if defined?(Rack::Multipart) &&
91
+ defined?(Rack::Multipart::UploadedFile) &&
92
+ body.is_a?(Rack::Multipart::UploadedFile)
93
+
93
94
  logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
94
95
  @_body = nil
95
96
  else
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/utils/timer'
@@ -6,35 +6,39 @@ require 'contrast/agent/request'
6
6
  require 'contrast/agent/response'
7
7
  require 'contrast/utils/inventory_util'
8
8
  require 'contrast/components/interface'
9
+ require 'contrast/delegators/input_analysis'
9
10
 
10
11
  module Contrast
11
12
  module Agent
12
13
  # This class acts to encapsulate information about the currently executed
13
14
  # request, making it available to the Agent for the duration of the request
14
15
  # in a standardized and normalized format which the Agent understands.
16
+ #
17
+ # @attr_reader timer [Contrast::Utils::Timer] when the context was created
18
+ # @attr_reader logging_hash [Hash] context used to log the request
19
+ # @attr_reader speedracer_input_analysis [Contrast::Api::Settings::InputAnalysis] the protect input analysis of
20
+ # sources on this request
21
+ # @attr_reader request [Contrast::Agent::Request] our wrapper around the Rack::Request for this context
22
+ # @attr_reader response [Contrast::Agent::Response] our wrapper aroudn the Rack::Response or Array for this context,
23
+ # only available after the application has finished its processing
24
+ # @attr_reader activity [Contrast::Api::Dtm::Activity] the application activity found in this request
25
+ # @attr_reader server_activity [Contrast::Api::Dtm::ServerActivity] the server activity found in this request
26
+ # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
27
+ # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
15
28
  class RequestContext
16
29
  include Contrast::Components::Interface
17
30
  access_component :agent, :analysis, :logging, :scope
18
31
 
19
32
  EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
20
33
 
21
- attr_reader :timer,
22
- :logging_hash,
23
- :speedracer_input_analysis,
24
- :request,
25
- :response,
26
- :activity,
27
- :server_activity,
28
- :route,
29
- :observed_route
34
+ attr_reader :activity, :logging_hash, :observed_route, :request, :response, :route, :speedracer_input_analysis,
35
+ :server_activity, :timer
30
36
 
31
37
  def initialize rack_request, app_loaded = true
32
38
  with_contrast_scope do
33
39
  # all requests get a timer and hash
34
40
  @timer = Contrast::Utils::Timer.new
35
- @logging_hash = {
36
- request_id: __id__
37
- }
41
+ @logging_hash = { request_id: __id__ }
38
42
 
39
43
  # instantiate helper for request and response
40
44
  @request = Contrast::Agent::Request.new(rack_request)
@@ -59,7 +63,9 @@ module Contrast
59
63
 
60
64
  @sample = true
61
65
 
62
- @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request) if ASSESS.enabled?
66
+ if ASSESS.enabled?
67
+ @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
68
+ end
63
69
 
64
70
  @sample_response &&= ASSESS.scan_response?
65
71
 
@@ -95,6 +101,8 @@ module Contrast
95
101
  @observed_route.signature = route.route
96
102
  @observed_route.verb = route.verb
97
103
  @observed_route.url = route.url if route.url
104
+ @request.route = route
105
+ @request.observed_route = @observed_route
98
106
  end
99
107
 
100
108
  # Collect the results for the given rule with the given action
@@ -202,16 +210,10 @@ module Contrast
202
210
  # special case for rules (like reflected xss)
203
211
  # that used to have an infilter / block
204
212
  # mode but now are just block at perimeter
205
- rule.build_attack_with_match(
206
- self,
207
- ia_result,
208
- attack_results_by_rule[rule_id],
209
- ia_result.value)
213
+ rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
214
+ ia_result.value)
210
215
  else
211
- rule.build_attack_without_match(
212
- self,
213
- ia_result,
214
- attack_results_by_rule[rule_id])
216
+ rule.build_attack_without_match(self, ia_result, attack_results_by_rule[rule_id])
215
217
  end
216
218
  attack_results_by_rule[rule_id] = attack_result
217
219
  end
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'resolv'
@@ -1,8 +1,10 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  # intentional -- we're using a << operator here
5
5
 
6
+ return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
7
+
6
8
  require 'contrast/agent/class_reopener'
7
9
  require 'contrast/agent/patching/policy/patch_status'
8
10
  require 'contrast/components/interface'
@@ -57,13 +59,13 @@ module Contrast
57
59
  rescue SyntaxError, StandardError => e
58
60
  opener = nil
59
61
  mod ||= module_data.mod
60
- logger.debug('Reopening threw a handled exception - skipping rewriting', e, module: module_data.name)
62
+ logger.debug('Reopening threw a handled exception - skipping rewriting', e, module: module_data.mod_name)
61
63
  status ||= Contrast::Agent::Patching::Policy::PatchStatus.get_status(mod)
62
64
  status.failed_rewrite!
63
65
  ensure
64
66
  opener&.commit_patches
65
67
  logger.trace('Rewriting complete',
66
- module: module_data.name,
68
+ module: module_data.mod_name,
67
69
  result: Contrast::Agent::Patching::Policy::PatchStatus.get_status(
68
70
  module_data.mod).rewrite_status)
69
71
  end
@@ -238,7 +240,7 @@ module Contrast
238
240
  ].cs__freeze
239
241
  def should_rewrite? module_data
240
242
  clazz = module_data.mod
241
- name = module_data.name
243
+ name = module_data.mod_name
242
244
  return false unless clazz
243
245
 
244
246
  # Name can be nil for anonymous modules. We won't work on them.
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -16,7 +16,7 @@ module Contrast
16
16
  def prefilter
17
17
  context = Contrast::Agent::REQUEST_TRACKER.current
18
18
  # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
19
- return unless context.analyze_request? || PROTECT.enabled?
19
+ return unless context&.analyze_request? || PROTECT.enabled?
20
20
 
21
21
  logger.trace_with_time('Running prefilter...') do
22
22
  map { |rule| rule.prefilter(context) }
@@ -33,7 +33,7 @@ module Contrast
33
33
  def postfilter
34
34
  context = Contrast::Agent::REQUEST_TRACKER.current
35
35
  # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
36
- return unless context.analyze_response? || PROTECT.enabled?
36
+ return unless context&.analyze_response? || PROTECT.enabled?
37
37
 
38
38
  logger.trace_with_time('Running postfilter...') do
39
39
  map { |rule| rule.postfilter(context) }
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
@@ -21,9 +21,8 @@ module Contrast
21
21
  @_thread = Contrast::Agent::Thread.new do
22
22
  logger.info('Starting heartbeat thread.')
23
23
  loop do
24
- begin
25
- Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
26
- end
24
+ Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
25
+
27
26
  sleep REFRESH_INTERVAL_SEC
28
27
  end
29
28
  end
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
@@ -1,11 +1,11 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
5
5
 
6
6
  module Contrast
7
7
  module Agent
8
- # Threads used by Contrast.
8
+ # Threads used by Contrast. Any long running thread should be created and managed by our ThreadWatcher class.
9
9
  class Thread < ::Thread
10
10
  include Contrast::Components::Interface
11
11
 
@@ -1,24 +1,33 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
5
5
  require 'contrast/agent/service_heartbeat'
6
+ require 'contrast/api/communication/messaging_queue'
6
7
 
7
8
  module Contrast
8
9
  module Agent
9
10
  # This class used to ensure that our worker threads are running in multi-process environments
11
+ #
12
+ # @attr_reader heapdump_util [Contrast::Utils::HeapDumpUtil]
13
+ # @attr_reader heartbeat [Contrast::Agent::ServiceHeartbeat]
14
+ # @attr_reader messaging_queue [Contrast::Api::Communication::MessagingQueue]
10
15
  class ThreadWatcher
11
16
  include Contrast::Components::Interface
12
- access_component :logging
17
+ access_component :agent, :logging
13
18
 
14
- attr_reader :heartbeat
19
+ attr_reader :heapdump_util, :heartbeat, :messaging_queue
15
20
 
16
21
  def initialize
17
22
  @pids = {}
23
+ @heapdump_util = Contrast::Utils::HeapDumpUtil.new
18
24
  @heartbeat = Contrast::Agent::ServiceHeartbeat.new
25
+ @messaging_queue = Contrast::Api::Communication::MessagingQueue.new
19
26
  end
20
27
 
21
28
  def startup!
29
+ return unless AGENT.enabled?
30
+
22
31
  unless heartbeat.running?
23
32
  logger.debug('Attempting to start heartbeat thread')
24
33
  heartbeat.start_thread!
@@ -26,11 +35,11 @@ module Contrast
26
35
  heartbeat_result = heartbeat.running?
27
36
  logger.debug('Heartbeat thread status', alive: heartbeat_result)
28
37
 
29
- unless Contrast::Agent.messaging_queue.running?
38
+ unless messaging_queue.running?
30
39
  logger.debug('Attempting to start messaging queue thread')
31
- Contrast::Agent.messaging_queue.start_thread!
40
+ messaging_queue.start_thread!
32
41
  end
33
- messaging_result = Contrast::Agent.messaging_queue.running?
42
+ messaging_result = messaging_queue.running?
34
43
  logger.debug('Messaging thread status', alive: messaging_result)
35
44
 
36
45
  logger.debug('ThreadWatcher started threads')
@@ -44,6 +53,12 @@ module Contrast
44
53
  logger.debug('ThreadWatcher - threads not running')
45
54
  startup!
46
55
  end
56
+
57
+ def shutdown!
58
+ heartbeat.stop!
59
+ messaging_queue.stop!
60
+ heapdump_util.stop!
61
+ end
47
62
  end
48
63
  end
49
64
  end
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/interface'
@@ -37,7 +37,7 @@ module Contrast
37
37
 
38
38
  Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
39
39
  Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
40
- Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module)
40
+ Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module) if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
41
41
  Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)
42
42
  end
43
43
  end