RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/api/decorators/application_settings.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/application_startup.rb ADDED Viewed

@@ -0,0 +1,57 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/api/dtm.pb'
+require 'contrast/api/decorators/instrumentation_mode'
+require 'contrast/components/interface'
+require 'contrast/utils/string_utils'
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the ApplicationCreate protobuf model to handle reporting Agent process start
+      module ApplicationStartup
+        include Contrast::Components::ComponentBase
+        include Contrast::Components::Interface
+        access_component :config
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          # Return a new DTM with the values from the configuration
+          #
+          # @return [Contrast::Api::Dtm::ApplicationCreate]
+          def build
+            msg = new
+            msg.app_version      = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.version.to_s
+            msg.code             = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.code
+            msg.group            = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.group
+            msg.metadata         = Contrast::Utils::StringUtils.protobuf_format CONFIG.root.application.metadata
+            msg.mode             = Contrast::Api::Dtm::InstrumentationMode.build
+            session!(msg)
+            msg
+          end
+          private
+          # Set the session metadata for this ApplicationCreate msg
+          #
+          # @param msg [Contrast::Api::Dtm::ApplicationCreate]
+          def session! msg
+            msg.session_id = Contrast::Utils::StringUtils.protobuf_format(
+                CONFIG.root.application.session_id,
+                truncate: false)
+            msg.session_metadata = Contrast::Utils::StringUtils.protobuf_format(
+                CONFIG.root.application.session_metadata,
+                truncate: false)
+          end
+        end
+      end
+    end
+  end
+end
+Contrast::Api::Dtm::ApplicationCreate.include(Contrast::Api::Decorators::ApplicationStartup)

data/lib/contrast/api/decorators/application_update.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'

data/lib/contrast/api/decorators/http_request.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/api/dtm.pb'

data/lib/contrast/api/decorators/input_analysis.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/instrumentation_mode.rb ADDED Viewed

@@ -0,0 +1,37 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/api/dtm.pb'
+require 'contrast/components/interface'
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the InstrumentationMode protobuf model to handle reporting Agent process start
+      module InstrumentationMode
+        include Contrast::Components::ComponentBase
+        include Contrast::Components::Interface
+        access_component :analysis
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          # Return a new DTM with the values from the configuration
+          #
+          # @return [Contrast::Api::Dtm::InstrumentationMode]
+          def build
+            msg = new
+            msg.assess =  ASSESS.enabled?
+            msg.protect = PROTECT.enabled?
+            msg
+          end
+        end
+      end
+    end
+  end
+end
+Contrast::Api::Dtm::InstrumentationMode.include(Contrast::Api::Decorators::InstrumentationMode)

data/lib/contrast/api/decorators/library.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -10,6 +10,8 @@ module Contrast
     module Decorators
       # Used to decorate the Library protobuf model to handle Gem::Specification translation
       module Library
+        StringUtils = Contrast::Utils::StringUtils
         def self.included klass
           klass.extend(ClassMethods)
         end
@@ -18,13 +20,13 @@ module Contrast
         module ClassMethods
           def build digest, gem_specification
             msg = new
-            msg.file_path = Contrast::Utils::StringUtils.force_utf8(gem_specification.name)
-            msg.hash_code   = Contrast::Utils::StringUtils.force_utf8(digest)
-            msg.version     = Contrast::Utils::StringUtils.force_utf8(gem_specification.version)
-            msg.manifest    = Contrast::Utils::StringUtils.force_utf8(build_manifest(gem_specification))
+            msg.file_path = StringUtils.force_utf8(gem_specification.name) # rubocop:disable Security/Module/Name
+            msg.hash_code   = StringUtils.force_utf8(digest)
+            msg.version     = StringUtils.force_utf8(gem_specification.version)
+            msg.manifest    = StringUtils.force_utf8(build_manifest(gem_specification))
             msg.external_ms = date_to_ms(gem_specification.date)
             msg.internal_ms = msg.external_ms
-            msg.url         = Contrast::Utils::StringUtils.force_utf8(gem_specification.homepage)
+            msg.url         = StringUtils.force_utf8(gem_specification.homepage)
             msg.class_count = file_count(gem_specification.full_gem_path.to_s)
             msg.used_class_count = 0
             msg
@@ -37,7 +39,7 @@ module Contrast
           end
           def build_manifest spec
-            Contrast::Utils::StringUtils.force_utf8(spec.to_yaml.to_s)
+            StringUtils.force_utf8(spec.to_yaml.to_s)
           rescue StandardError
             nil
           end

data/lib/contrast/api/decorators/library_usage_update.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/message.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/object_share'
@@ -38,7 +38,7 @@ module Contrast
           when Contrast::Api::Dtm::ObservedRoute
             self.observed_route = event
           else
-            logger.error('Unknown event type received. Unsure how to send.', event_type: event.cs__class.name)
+            logger.error('Unknown event type received. Unsure how to send.', event_type: event.cs__class.cs__name)
             return
           end
           logger.debug('Wrapping event in message',
@@ -46,7 +46,7 @@ module Contrast
                        p_id: pid,
                        msg_count: message_count,
                        event_id: event.__id__,
-                       event_type: event.cs__class.name)
+                       event_type: event.cs__class.cs__name)
         end
         # Used to add class methods to the ApplicationUpdate class on inclusion of the decorator
@@ -58,7 +58,7 @@ module Contrast
           def build event
             msg = new
-            msg.app_name      = APP_CONTEXT.name
+            msg.app_name      = APP_CONTEXT.app_name
             msg.app_path      = APP_CONTEXT.path
             msg.app_language  = Contrast::Utils::ObjectShare::RUBY
             msg.client_id     = APP_CONTEXT.client_id

data/lib/contrast/api/decorators/rasp_rule_sample.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/api/decorators/route_coverage.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -26,27 +26,37 @@ module Contrast
           end
           # Convert ActionDispatch::Journey::Route to Contrast::Api::Dtm::RouteCoverage
+          #
           # @param journey_obj [ActionDispatch::Journey::Route] a rails route
+          # @param url [String, nil] use url from string instead of journey object.
           # @return [Contrast::Api::Dtm::RouteCoverage]
-          def from_action_dispatch_journey journey_obj
+          def from_action_dispatch_journey journey_obj, url = nil
             msg = new
             msg.route = "#{ journey_obj.defaults[:controller] }##{ journey_obj.defaults[:action] }"
             verb = source_or_string(journey_obj.verb)
             msg.verb = Contrast::Utils::StringUtils.force_utf8(verb)
-            url = source_or_string(journey_obj.path.spec)
+            url ||= source_or_string(journey_obj.path.spec)
             msg.url = Contrast::Utils::StringUtils.force_utf8(url)
             msg
           end
-          def from_sinatra_route clazz, method, pattern
+          # Convert Sinatra route data to dtm message.
+          #
+          # @param controller [::Sinatra::Base] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param method [::Mustermann::Sinatra]  the pattern that was matched in routing.
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @return [Contrast::Api::Dtm::RouteCoverage]
+          def from_sinatra_route controller, method, pattern, url = nil
             safe_pattern = source_or_string(pattern)
+            safe_url = source_or_string(url || pattern)
             msg = new
-            msg.route = "#{ clazz }##{ method } #{ safe_pattern }"
+            msg.route = "#{ controller }##{ method } #{ safe_pattern }"
             msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
-            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_pattern)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
             msg
           end
         end

data/lib/contrast/api/decorators/server_features.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/trace_event.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -13,8 +13,38 @@ module Contrast
           klass.extend(ClassMethods)
         end
+        # The TeamServer uses the Event's type and action to render it in the Details page. These values control the
+        # left-hand "What happened" column and the data shown in the right-hand data
+        #
+        # @param contrast_event [Contrast::Agent::Assess::ContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
+        def build_display_params! contrast_event
+          self.type = contrast_event.policy_node.node_type
+          self.action = contrast_event.policy_node.build_action
+          self
+        end
+        # The TeamServer uses the Event's representation of the data to render the actual data used in the dataflow on
+        # the Details page.
+        #
+        # @param contrast_event [Contrast::Agent::Assess::ContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
+        def build_dataflow! contrast_event
+          # Figure out what the target of this event was. This can't be pulled into the decorator because SourceEvent
+          # has a custom impl :/
+          taint_target = contrast_event.determine_taint_target(self)
+          truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
+          self.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
+          truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
+          self.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
+          build_event_args!(contrast_event, taint_target)
+          build_taint_ranges!(contrast_event)
+          self
+        end
         # Wrapper around build_event_object for the args array. Handles
         # tainting the correct argument.
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_event_args! contrast_event, taint_target
           contrast_event.args.each_index do |idx|
             truncate_arg = taint_target != idx
@@ -29,6 +59,7 @@ module Contrast
         # their DTM form in order to report this.
         #
         # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_taint_ranges! contrast_event
           # If there's no taint_target, this isn't a dataflow trace, but a
           # trigger one
@@ -38,6 +69,10 @@ module Contrast
           self
         end
+        # For each Parent in the ContrastEvent, capture its id and report it to TeamServer.
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_parent_ids! contrast_event
           contrast_event&.parent_events&.each do |event|
             next unless event
@@ -49,6 +84,10 @@ module Contrast
           self
         end
+        # Convert the caller into the Stack DTM TeamServer consumes
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        # @return [Contrast::Api::Dtm::TraceEvent]
         def build_stack! contrast_event
           # We delayed doing this as long as possible b/c it's expensive
           stack_dtms = Contrast::Utils::StackTraceUtils.build_assess_stack_array(contrast_event.stack_trace)
@@ -60,25 +99,16 @@ module Contrast
         module ClassMethods
           def build contrast_event
             event_dtm = new
-            # Figure out what the target of this event was. It's a little
-            # annoying for us since P can be named (thanks, Ruby) where
-            # as for everyone else it is idx based.
-            taint_target = contrast_event.determine_taint_target(event_dtm) # This can't be pulled into the decorator because SourceEvent has a custom impl :/
-            event_dtm.type = contrast_event.policy_node.node_type
-            event_dtm.action = contrast_event.policy_node.build_action
+            event_dtm.build_display_params!(contrast_event)
+            event_dtm.build_dataflow!(contrast_event)
+            event_dtm.build_stack!(contrast_event)
             event_dtm.timestamp_ms = contrast_event.time.to_i
             event_dtm.thread = Contrast::Utils::StringUtils.force_utf8(contrast_event.thread)
-            truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
-            event_dtm.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
-            truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
-            event_dtm.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
-            event_dtm.build_event_args!(contrast_event, taint_target)
             event_dtm.build_parent_ids!(contrast_event)
-            event_dtm.build_taint_ranges!(contrast_event)
-            event_dtm.build_stack!(contrast_event)
             event_dtm.object_id = contrast_event.event_id.to_i
-            event_dtm.signature = Contrast::Api::Dtm::TraceEventSignature.build(contrast_event.ret, contrast_event.policy_node, contrast_event.args)
+            event_dtm.signature = Contrast::Api::Dtm::TraceEventSignature.build(contrast_event.ret,
+                                                                                contrast_event.policy_node,
+                                                                                contrast_event.args)
             event_dtm
           end
         end

data/lib/contrast/api/decorators/trace_event_object.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'
@@ -52,9 +52,7 @@ module Contrast
             tmp = []
             tmp << obj_string[0, UNTRUNCATED_PORTION_LENGTH]
             tmp << ELLIPSIS
-            tmp << obj_string[
-                obj_string.length - UNTRUNCATED_PORTION_LENGTH,
-                UNTRUNCATED_PORTION_LENGTH]
+            tmp << obj_string[obj_string.length - UNTRUNCATED_PORTION_LENGTH, UNTRUNCATED_PORTION_LENGTH]
             tmp.join
           end
         end

data/lib/contrast/api/decorators/trace_event_signature.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/api/decorators/trace_taint_range.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/object_share'

data/lib/contrast/api/decorators/trace_taint_range_tags.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -97,12 +97,7 @@ module Contrast
           DATABASE_WRITE
         ].cs__freeze
-        VALID_SOURCE_TAGS = %w[
-          NO_NEWLINES
-          UNTRUSTED
-          CROSS_SITE
-          LIMITED_CHARS
-        ].cs__freeze
+        VALID_SOURCE_TAGS = %w[NO_NEWLINES UNTRUSTED CROSS_SITE LIMITED_CHARS].cs__freeze
       end
     end
   end

data/lib/contrast/api/decorators/user_input.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/string_utils'

data/lib/contrast/components/agent.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'rubygems/version'
@@ -31,10 +31,12 @@ module Contrast
         def disable!
           @_enabled = false
+          Contrast::Agent::TracePointHook.disable
+          Contrast::Agent.thread_watcher&.shutdown!
         end
         def ruleset
-          @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_ruleset&.values)
+          @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_protect_ruleset&.values)
         end
         def reset_ruleset
@@ -67,8 +69,10 @@ module Contrast
         def exception_control
           @_exception_control ||= {
               enable: true?(CONFIG.root.agent.ruby.exceptions.capture),
-              status: CONFIG.root.agent.ruby.exceptions.override_status || 403,
-              message: CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
+              status:
+                CONFIG.root.agent.ruby.exceptions.override_status || 403,
+              message:
+                CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
           }
         end
@@ -78,8 +82,9 @@ module Contrast
           loaded_module_name.start_with?(*CONFIG.root.agent.ruby.uninstrument_namespace)
         end
+        # Insert ourselves into the application, keeping our middleware at the outermost layer of the onion
         def insert_middleware app
-          app.middleware.insert_before 0, Contrast::Agent::Middleware # Keep our middleware at the outermost layer of the onion
+          app.middleware.insert_before 0, Contrast::Agent::Middleware
         end
         def enable_tracepoint
@@ -92,20 +97,16 @@ module Contrast
         # Ruby exposed the C method for interpolation in version 2.6.0, meaning
         # we can attempt to patch using Funchook for that version and later.
         def interpolation_patch_possible?
-          @_interpolation_patch_possible = Gem::Version.new(RUBY_VERSION) >= INTERPOLATION_HOOKABLE_VERSION if @_interpolation_patch_possible.nil?
+          if @_interpolation_patch_possible.nil?
+            @_interpolation_patch_possible = Gem::Version.new(RUBY_VERSION) >= INTERPOLATION_HOOKABLE_VERSION
+          end
           @_interpolation_patch_possible
         end
-        def retrieve_ruleset
-          return {} unless enabled?
+        def retrieve_protect_ruleset
+          return {} unless enabled? && PROTECT.enabled?
-          if ASSESS.enabled? && PROTECT.enabled?
-            ASSESS.rules.merge(PROTECT.rules)
-          elsif ASSESS.enabled?
-            ASSESS.rules
-          else
-            PROTECT.rules
-          end
+          PROTECT.rules
         end
       end