RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/api/decorators/application_settings.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/application_startup.rb ADDED Viewed

@@ -0,0 +1,57 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/api/dtm.pb'
+require 'contrast/api/decorators/instrumentation_mode'
+require 'contrast/components/interface'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the ApplicationCreate protobuf model to handle reporting Agent process start
+      module ApplicationStartup
+        include Contrast::Components::ComponentBase
+        include Contrast::Components::Interface
+        access_component :config
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          # Return a new DTM with the values from the configuration
+          #
+          # @return [Contrast::Api::Dtm::ApplicationCreate]
+          def build
+            msg = new
+            msg.app_version      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.version.to_s
+            msg.code             = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.code
+            msg.group            = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.group
+            msg.metadata         = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.metadata
+            msg.mode             = Contrast::Api::Dtm::InstrumentationMode.build
+            session!(msg)
+            msg
+          end
+          private
+          # Set the session metadata for this ApplicationCreate msg
+          #
+          # @param msg [Contrast::Api::Dtm::ApplicationCreate]
+          def session! msg
+            msg.session_id = Contrast::Utils::StringUtils.protobuf_format(
+                CONFIG.root.application.session_id,
+                truncate: false)
+            msg.session_metadata = Contrast::Utils::StringUtils.protobuf_format(
+                CONFIG.root.application.session_metadata,
+                truncate: false)
+          end
+        end
+      end
+    end
+  end
+end
+Contrast::Api::Dtm::ApplicationCreate.include(Contrast::Api::Decorators::ApplicationStartup)

data/lib/contrast/api/decorators/application_update.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'

data/lib/contrast/api/decorators/http_request.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/api/dtm.pb'

data/lib/contrast/api/decorators/input_analysis.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/instrumentation_mode.rb ADDED Viewed

@@ -0,0 +1,37 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/api/dtm.pb'
+require 'contrast/components/interface'
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the InstrumentationMode protobuf model to handle reporting Agent process start
+      module InstrumentationMode
+        include Contrast::Components::ComponentBase
+        include Contrast::Components::Interface
+        access_component :analysis
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          # Return a new DTM with the values from the configuration
+          #
+          # @return [Contrast::Api::Dtm::InstrumentationMode]
+          def build
+            msg = new
+            msg.assess =  ASSESS.enabled?
+            msg.protect = PROTECT.enabled?
+            msg
+          end
+        end
+      end
+    end
+  end
+end
+Contrast::Api::Dtm::InstrumentationMode.include(Contrast::Api::Decorators::InstrumentationMode)

data/lib/contrast/api/decorators/library.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -10,6 +10,8 @@ module Contrast
     module Decorators
       # Used to decorate the Library protobuf model to handle Gem::Specification translation
       module Library
+        StringUtils = Contrast::Utils::StringUtils
         def self.included klass
           klass.extend(ClassMethods)
         end
@@ -18,13 +20,13 @@ module Contrast
         module ClassMethods
           def build digest, gem_specification
             msg = new
-            msg.file_path = Contrast::Utils::StringUtils.force_utf8(gem_specification.name)
-            msg.hash_code   = Contrast::Utils::StringUtils.force_utf8(digest)
-            msg.version     = Contrast::Utils::StringUtils.force_utf8(gem_specification.version)
-            msg.manifest    = Contrast::Utils::StringUtils.force_utf8(build_manifest(gem_specification))
+            msg.file_path = StringUtils.force_utf8(gem_specification.name) # rubocop:disable Security/Module/Name
+            msg.hash_code   = StringUtils.force_utf8(digest)
+            msg.version     = StringUtils.force_utf8(gem_specification.version)
+            msg.manifest    = StringUtils.force_utf8(build_manifest(gem_specification))
             msg.external_ms = date_to_ms(gem_specification.date)
             msg.internal_ms = msg.external_ms
-            msg.url         = Contrast::Utils::StringUtils.force_utf8(gem_specification.homepage)
+            msg.url         = StringUtils.force_utf8(gem_specification.homepage)
             msg.class_count = file_count(gem_specification.full_gem_path.to_s)
             msg.used_class_count = 0
             msg
@@ -37,7 +39,7 @@ module Contrast
           end
           def build_manifest spec
-            Contrast::Utils::StringUtils.force_utf8(spec.to_yaml.to_s)
+            StringUtils.force_utf8(spec.to_yaml.to_s)
           rescue StandardError
             nil
           end

data/lib/contrast/api/decorators/library_usage_update.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/message.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/object_share'
@@ -38,7 +38,7 @@ module Contrast
           when Contrast::Api::Dtm::ObservedRoute
             self.observed_route = event
           else
-            logger.error('Unknown event type received. Unsure how to send.', event_type: event.cs__class.name)
+            logger.error('Unknown event type received. Unsure how to send.', event_type: event.cs__class.cs__name)
             return
           end
           logger.debug('Wrapping event in message',
@@ -46,7 +46,7 @@ module Contrast
                        p_id: pid,
                        msg_count: message_count,
                        event_id: event.__id__,
-                       event_type: event.cs__class.name)
+                       event_type: event.cs__class.cs__name)
         end
         # Used to add class methods to the ApplicationUpdate class on inclusion of the decorator
@@ -58,7 +58,7 @@ module Contrast
           def build event
             msg = new
-            msg.app_name      = APP_CONTEXT.name
+            msg.app_name      = APP_CONTEXT.app_name
             msg.app_path      = APP_CONTEXT.path
             msg.app_language  = Contrast::Utils::ObjectShare::RUBY
             msg.client_id     = APP_CONTEXT.client_id

data/lib/contrast/api/decorators/rasp_rule_sample.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/api/decorators/route_coverage.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -26,27 +26,37 @@ module Contrast
           end
           # Convert ActionDispatch::Journey::Route to Contrast::Api::Dtm::RouteCoverage
+          #
           # @param journey_obj [ActionDispatch::Journey::Route] a rails route
+          # @param url [String, nil] use url from string instead of journey object.
           # @return [Contrast::Api::Dtm::RouteCoverage]
-          def from_action_dispatch_journey journey_obj
+          def from_action_dispatch_journey journey_obj, url = nil
             msg = new
             msg.route = "#{ journey_obj.defaults[:controller] }##{ journey_obj.defaults[:action] }"
             verb = source_or_string(journey_obj.verb)
             msg.verb = Contrast::Utils::StringUtils.force_utf8(verb)
-            url = source_or_string(journey_obj.path.spec)
+            url ||= source_or_string(journey_obj.path.spec)
             msg.url = Contrast::Utils::StringUtils.force_utf8(url)
             msg
           end
-          def from_sinatra_route clazz, method, pattern
+          # Convert Sinatra route data to dtm message.
+          #
+          # @param controller [::Sinatra::Base] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param method [::Mustermann::Sinatra]  the pattern that was matched in routing.
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @return [Contrast::Api::Dtm::RouteCoverage]
+          def from_sinatra_route controller, method, pattern, url = nil
             safe_pattern = source_or_string(pattern)
+            safe_url = source_or_string(url || pattern)
             msg = new
-            msg.route = "#{ clazz }##{ method } #{ safe_pattern }"
+            msg.route = "#{ controller }##{ method } #{ safe_pattern }"
             msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
-            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_pattern)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
             msg
           end
         end

data/lib/contrast/api/decorators/server_features.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/trace_event.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -13,8 +13,38 @@ module Contrast
           klass.extend(ClassMethods)
         end
+        # The TeamServer uses the Event's type and action to render it in the Details page. These values control the
+        # left-hand "What happened" column and the data shown in the right-hand data
+        #
+        # @param contrast_event [Contrast::Agent::Assess::ContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
+        def build_display_params! contrast_event
+          self.type = contrast_event.policy_node.node_type
+          self.action = contrast_event.policy_node.build_action
+          self
+        end
+        # The TeamServer uses the Event's representation of the data to render the actual data used in the dataflow on
+        # the Details page.
+        #
+        # @param contrast_event [Contrast::Agent::Assess::ContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
+        def build_dataflow! contrast_event
+          # Figure out what the target of this event was. This can't be pulled into the decorator because SourceEvent
+          # has a custom impl :/
+          taint_target = contrast_event.determine_taint_target(self)
+          truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
+          self.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
+          truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
+          self.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
+          build_event_args!(contrast_event, taint_target)
+          build_taint_ranges!(contrast_event)
+          self
+        end
         # Wrapper around build_event_object for the args array. Handles
         # tainting the correct argument.
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_event_args! contrast_event, taint_target
           contrast_event.args.each_index do |idx|
             truncate_arg = taint_target != idx
@@ -29,6 +59,7 @@ module Contrast
         # their DTM form in order to report this.
         #
         # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_taint_ranges! contrast_event
           # If there's no taint_target, this isn't a dataflow trace, but a
           # trigger one
@@ -38,6 +69,10 @@ module Contrast
           self
         end
+        # For each Parent in the ContrastEvent, capture its id and report it to TeamServer.
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_parent_ids! contrast_event
           contrast_event&.parent_events&.each do |event|
             next unless event
@@ -49,6 +84,10 @@ module Contrast
           self
         end
+        # Convert the caller into the Stack DTM TeamServer consumes
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_stack! contrast_event
           # We delayed doing this as long as possible b/c it's expensive
           stack_dtms = Contrast::Utils::StackTraceUtils.build_assess_stack_array(contrast_event.stack_trace)
@@ -60,25 +99,16 @@ module Contrast
         module ClassMethods
           def build contrast_event
             event_dtm = new
-            # Figure out what the target of this event was. It's a little
-            # annoying for us since P can be named (thanks, Ruby) where
-            # as for everyone else it is idx based.
-            taint_target = contrast_event.determine_taint_target(event_dtm) # This can't be pulled into the decorator because SourceEvent has a custom impl :/
-            event_dtm.type = contrast_event.policy_node.node_type
-            event_dtm.action = contrast_event.policy_node.build_action
+            event_dtm.build_display_params!(contrast_event)
+            event_dtm.build_dataflow!(contrast_event)
+            event_dtm.build_stack!(contrast_event)
             event_dtm.timestamp_ms = contrast_event.time.to_i
             event_dtm.thread = Contrast::Utils::StringUtils.force_utf8(contrast_event.thread)
-            truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
-            event_dtm.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
-            truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
-            event_dtm.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
-            event_dtm.build_event_args!(contrast_event, taint_target)
             event_dtm.build_parent_ids!(contrast_event)
-            event_dtm.build_taint_ranges!(contrast_event)
-            event_dtm.build_stack!(contrast_event)
             event_dtm.object_id = contrast_event.event_id.to_i
-            event_dtm.signature = Contrast::Api::Dtm::TraceEventSignature.build(contrast_event.ret, contrast_event.policy_node, contrast_event.args)
+            event_dtm.signature = Contrast::Api::Dtm::TraceEventSignature.build(contrast_event.ret,
+                                                                                contrast_event.policy_node,
+                                                                                contrast_event.args)
             event_dtm
           end
         end

data/lib/contrast/api/decorators/trace_event_object.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -52,9 +52,7 @@ module Contrast
             tmp = []
             tmp << obj_string[0, UNTRUNCATED_PORTION_LENGTH]
             tmp << ELLIPSIS
-            tmp << obj_string[
-                obj_string.length - UNTRUNCATED_PORTION_LENGTH,
-                UNTRUNCATED_PORTION_LENGTH]
+            tmp << obj_string[obj_string.length - UNTRUNCATED_PORTION_LENGTH, UNTRUNCATED_PORTION_LENGTH]
             tmp.join
           end
         end

data/lib/contrast/api/decorators/trace_event_signature.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/trace_taint_range.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/object_share'

data/lib/contrast/api/decorators/trace_taint_range_tags.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -97,12 +97,7 @@ module Contrast
           DATABASE_WRITE
         ].cs__freeze
-        VALID_SOURCE_TAGS = %w[
-          NO_NEWLINES
-          UNTRUSTED
-          CROSS_SITE
-          LIMITED_CHARS
-        ].cs__freeze
+        VALID_SOURCE_TAGS = %w[NO_NEWLINES UNTRUSTED CROSS_SITE LIMITED_CHARS].cs__freeze
       end
     end
   end

data/lib/contrast/api/decorators/user_input.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/components/agent.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'rubygems/version'
@@ -31,10 +31,12 @@ module Contrast
         def disable!
           @_enabled = false
+          Contrast::Agent::TracePointHook.disable
+          Contrast::Agent.thread_watcher&.shutdown!
         end
         def ruleset
-          @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_ruleset&.values)
+          @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_protect_ruleset&.values)
         end
         def reset_ruleset
@@ -67,8 +69,10 @@ module Contrast
         def exception_control
           @_exception_control ||= {
               enable: true?(CONFIG.root.agent.ruby.exceptions.capture),
-              status: CONFIG.root.agent.ruby.exceptions.override_status || 403,
-              message: CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
+              status:
+                CONFIG.root.agent.ruby.exceptions.override_status || 403,
+              message:
+                CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
           }
         end
@@ -78,8 +82,9 @@ module Contrast
           loaded_module_name.start_with?(*CONFIG.root.agent.ruby.uninstrument_namespace)
         end
+        # Insert ourselves into the application, keeping our middleware at the outermost layer of the onion
         def insert_middleware app
-          app.middleware.insert_before 0, Contrast::Agent::Middleware # Keep our middleware at the outermost layer of the onion
+          app.middleware.insert_before 0, Contrast::Agent::Middleware
         end
         def enable_tracepoint
@@ -92,20 +97,16 @@ module Contrast
         # Ruby exposed the C method for interpolation in version 2.6.0, meaning
         # we can attempt to patch using Funchook for that version and later.
         def interpolation_patch_possible?
-          @_interpolation_patch_possible = Gem::Version.new(RUBY_VERSION) >= INTERPOLATION_HOOKABLE_VERSION if @_interpolation_patch_possible.nil?
+          if @_interpolation_patch_possible.nil?
+            @_interpolation_patch_possible = Gem::Version.new(RUBY_VERSION) >= INTERPOLATION_HOOKABLE_VERSION
+          end
           @_interpolation_patch_possible
         end
-        def retrieve_ruleset
-          return {} unless enabled?
+        def retrieve_protect_ruleset
+          return {} unless enabled? && PROTECT.enabled?
-          if ASSESS.enabled? && PROTECT.enabled?
-            ASSESS.rules.merge(PROTECT.rules)
-          elsif ASSESS.enabled?
-            ASSESS.rules
-          else
-            PROTECT.rules
-          end
+          PROTECT.rules
         end
       end