contrast-agent 4.3.2 → 4.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitmodules +1 -1
- data/.simplecov +1 -1
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +2 -3
- data/exe/contrast_service +1 -1
- data/ext/build_funchook.rb +4 -4
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
- data/ext/cs__assess_active_record_named/extconf.rb +1 -1
- data/ext/cs__assess_array/cs__assess_array.c +1 -1
- data/ext/cs__assess_array/extconf.rb +1 -1
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
- data/ext/cs__assess_basic_object/extconf.rb +1 -1
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_fiber_track/extconf.rb +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
- data/ext/cs__assess_hash/extconf.rb +1 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
- data/ext/cs__assess_kernel/extconf.rb +1 -1
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
- data/ext/cs__assess_marshal_module/extconf.rb +1 -1
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_module/extconf.rb +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
- data/ext/cs__assess_regexp/extconf.rb +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +1 -1
- data/ext/cs__assess_string/extconf.rb +1 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
- data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +1 -1
- data/ext/cs__common/cs__common.c +5 -5
- data/ext/cs__common/cs__common.h +4 -4
- data/ext/cs__common/extconf.rb +1 -1
- data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
- data/ext/cs__contrast_patch/extconf.rb +1 -1
- data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
- data/ext/cs__protect_kernel/extconf.rb +1 -1
- data/ext/extconf_common.rb +2 -6
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +20 -1
- data/lib/contrast/agent.rb +6 -4
- data/lib/contrast/agent/assess.rb +2 -11
- data/lib/contrast/agent/assess/contrast_event.rb +54 -71
- data/lib/contrast/agent/assess/contrast_object.rb +7 -4
- data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
- data/lib/contrast/agent/assess/events/source_event.rb +7 -2
- data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
- data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
- data/lib/contrast/agent/assess/policy/policy.rb +1 -1
- data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
- data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
- data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
- data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
- data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
- data/lib/contrast/agent/assess/properties.rb +1 -3
- data/lib/contrast/agent/assess/property/evented.rb +9 -6
- data/lib/contrast/agent/assess/property/tagged.rb +38 -20
- data/lib/contrast/agent/assess/property/updated.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
- data/lib/contrast/agent/assess/tag.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +2 -2
- data/lib/contrast/agent/at_exit_hook.rb +1 -1
- data/lib/contrast/agent/class_reopener.rb +4 -2
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
- data/lib/contrast/agent/disable_reaction.rb +2 -4
- data/lib/contrast/agent/exclusion_matcher.rb +6 -12
- data/lib/contrast/agent/inventory.rb +1 -2
- data/lib/contrast/agent/inventory/dependencies.rb +3 -1
- data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
- data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
- data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/middleware.rb +111 -110
- data/lib/contrast/agent/module_data.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
- data/lib/contrast/agent/patching/policy/patch.rb +23 -29
- data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
- data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
- data/lib/contrast/agent/patching/policy/policy.rb +14 -21
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
- data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
- data/lib/contrast/agent/protect/policy/policy.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +19 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
- data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
- data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
- data/lib/contrast/agent/protect/rule/xss.rb +2 -2
- data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
- data/lib/contrast/agent/railtie.rb +1 -1
- data/lib/contrast/agent/reaction_processor.rb +12 -11
- data/lib/contrast/agent/request.rb +25 -24
- data/lib/contrast/agent/request_context.rb +25 -23
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/response.rb +1 -1
- data/lib/contrast/agent/rewriter.rb +6 -4
- data/lib/contrast/agent/rule_set.rb +3 -3
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +3 -4
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/thread.rb +2 -2
- data/lib/contrast/agent/thread_watcher.rb +21 -6
- data/lib/contrast/agent/tracepoint_hook.rb +2 -2
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent/worker_thread.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/communication.rb +1 -1
- data/lib/contrast/api/communication/connection_status.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +19 -22
- data/lib/contrast/api/communication/response_processor.rb +13 -8
- data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +30 -35
- data/lib/contrast/api/communication/speedracer.rb +6 -10
- data/lib/contrast/api/communication/tcp_socket.rb +1 -1
- data/lib/contrast/api/communication/unix_socket.rb +1 -1
- data/lib/contrast/api/decorators.rb +3 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +58 -0
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +57 -0
- data/lib/contrast/api/decorators/application_update.rb +1 -1
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/input_analysis.rb +1 -1
- data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
- data/lib/contrast/api/decorators/library.rb +9 -7
- data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
- data/lib/contrast/api/decorators/message.rb +4 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
- data/lib/contrast/api/decorators/route_coverage.rb +16 -6
- data/lib/contrast/api/decorators/server_features.rb +1 -1
- data/lib/contrast/api/decorators/trace_event.rb +46 -16
- data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
- data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
- data/lib/contrast/api/decorators/user_input.rb +1 -1
- data/lib/contrast/components/agent.rb +16 -15
- data/lib/contrast/components/app_context.rb +11 -29
- data/lib/contrast/components/assess.rb +6 -11
- data/lib/contrast/components/config.rb +3 -2
- data/lib/contrast/components/contrast_service.rb +8 -9
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/interface.rb +4 -3
- data/lib/contrast/components/inventory.rb +1 -1
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/protect.rb +11 -14
- data/lib/contrast/components/sampling.rb +55 -7
- data/lib/contrast/components/scope.rb +2 -1
- data/lib/contrast/components/settings.rb +29 -99
- data/lib/contrast/config.rb +1 -1
- data/lib/contrast/config/agent_configuration.rb +1 -1
- data/lib/contrast/config/application_configuration.rb +1 -1
- data/lib/contrast/config/assess_configuration.rb +1 -1
- data/lib/contrast/config/assess_rules_configuration.rb +2 -4
- data/lib/contrast/config/base_configuration.rb +5 -6
- data/lib/contrast/config/default_value.rb +1 -1
- data/lib/contrast/config/exception_configuration.rb +2 -6
- data/lib/contrast/config/heap_dump_configuration.rb +13 -7
- data/lib/contrast/config/inventory_configuration.rb +1 -1
- data/lib/contrast/config/logger_configuration.rb +2 -6
- data/lib/contrast/config/protect_configuration.rb +1 -1
- data/lib/contrast/config/protect_rule_configuration.rb +23 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/config/root_configuration.rb +1 -1
- data/lib/contrast/config/ruby_configuration.rb +1 -1
- data/lib/contrast/config/sampling_configuration.rb +1 -1
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +1 -1
- data/lib/contrast/configuration.rb +4 -15
- data/lib/contrast/delegators/input_analysis.rb +12 -0
- data/lib/contrast/extension/assess.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +2 -7
- data/lib/contrast/extension/assess/erb.rb +2 -8
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
- data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
- data/lib/contrast/extension/assess/fiber.rb +3 -13
- data/lib/contrast/extension/assess/hash.rb +1 -1
- data/lib/contrast/extension/assess/kernel.rb +3 -10
- data/lib/contrast/extension/assess/marshal.rb +3 -11
- data/lib/contrast/extension/assess/regexp.rb +2 -7
- data/lib/contrast/extension/assess/string.rb +4 -2
- data/lib/contrast/extension/delegator.rb +1 -1
- data/lib/contrast/extension/inventory.rb +1 -1
- data/lib/contrast/extension/kernel.rb +5 -3
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect.rb +1 -1
- data/lib/contrast/extension/protect/kernel.rb +1 -1
- data/lib/contrast/extension/protect/psych.rb +1 -1
- data/lib/contrast/extension/thread.rb +1 -1
- data/lib/contrast/framework/base_support.rb +1 -1
- data/lib/contrast/framework/manager.rb +14 -17
- data/lib/contrast/framework/platform_version.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
- data/lib/contrast/framework/rack/patch/support.rb +7 -5
- data/lib/contrast/framework/rack/support.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
- data/lib/contrast/framework/rails/patch/support.rb +5 -3
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
- data/lib/contrast/framework/rails/support.rb +45 -46
- data/lib/contrast/framework/sinatra/support.rb +103 -42
- data/lib/contrast/funchook/funchook.rb +2 -6
- data/lib/contrast/logger/application.rb +13 -10
- data/lib/contrast/logger/format.rb +3 -6
- data/lib/contrast/logger/log.rb +36 -19
- data/lib/contrast/logger/request.rb +2 -3
- data/lib/contrast/logger/time.rb +1 -1
- data/lib/contrast/security_exception.rb +2 -2
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +6 -2
- data/lib/contrast/utils/assess/sampling_util.rb +1 -1
- data/lib/contrast/utils/assess/tracking_util.rb +2 -3
- data/lib/contrast/utils/class_util.rb +18 -12
- data/lib/contrast/utils/duck_utils.rb +1 -1
- data/lib/contrast/utils/env_configuration_item.rb +1 -1
- data/lib/contrast/utils/hash_digest.rb +16 -24
- data/lib/contrast/utils/heap_dump_util.rb +104 -88
- data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
- data/lib/contrast/utils/inventory_util.rb +1 -1
- data/lib/contrast/utils/io_util.rb +2 -2
- data/lib/contrast/utils/job_servers_running.rb +10 -5
- data/lib/contrast/utils/object_share.rb +1 -1
- data/lib/contrast/utils/os.rb +3 -2
- data/lib/contrast/utils/preflight_util.rb +1 -1
- data/lib/contrast/utils/resource_loader.rb +1 -1
- data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
- data/lib/contrast/utils/sha256_builder.rb +1 -1
- data/lib/contrast/utils/stack_trace_utils.rb +1 -1
- data/lib/contrast/utils/string_utils.rb +1 -1
- data/lib/contrast/utils/tag_util.rb +1 -1
- data/lib/contrast/utils/thread_tracker.rb +1 -1
- data/lib/contrast/utils/timer.rb +1 -1
- data/resources/assess/policy.json +8 -11
- data/resources/deadzone/policy.json +7 -17
- data/ruby-agent.gemspec +66 -27
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- data/sonar-project.properties +9 -0
- metadata +154 -156
- data/lib/contrast/agent/assess/rule.rb +0 -18
- data/lib/contrast/agent/assess/rule/base.rb +0 -52
- data/lib/contrast/agent/assess/rule/redos.rb +0 -67
- data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
- data/lib/contrast/common_agent_configuration.rb +0 -87
- data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
- data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
- data/lib/contrast/utils/prevent_serialization.rb +0 -52
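--- a/data/lib/contrast/config.rb
+++ b/data/lib/contrast/config.rb
@@ -1,4 +1,4 @@
-# Copyright (c)
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast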
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'contrast/config/default_value'
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -6,9 +6,7 @@ module Contrast
|
|
|
6
6
|
# Common Configuration settings. Those in this section pertain to the
|
|
7
7
|
# disabled assess rule functionality of the Agent.
|
|
8
8
|
class AssessRulesConfiguration < BaseConfiguration
|
|
9
|
-
KEYS = {
|
|
10
|
-
disabled_rules: EMPTY_VALUE
|
|
11
|
-
}.cs__freeze
|
|
9
|
+
KEYS = { disabled_rules: EMPTY_VALUE }.cs__freeze
|
|
12
10
|
|
|
13
11
|
def initialize hsh
|
|
14
12
|
super(hsh, KEYS)
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'forwardable'
|
|
@@ -17,10 +17,7 @@ module Contrast
|
|
|
17
17
|
attr_reader :map
|
|
18
18
|
|
|
19
19
|
alias_method :to_hash, :map
|
|
20
|
-
def_delegators :@map, :empty?, :key?,
|
|
21
|
-
:delete,
|
|
22
|
-
:fetch, :[], :[]=,
|
|
23
|
-
:each, :each_pair, :each_key, :each_value
|
|
20
|
+
def_delegators :@map, :empty?, :key?, :delete, :fetch, :[], :[]=, :each, :each_pair, :each_key, :each_value
|
|
24
21
|
|
|
25
22
|
EMPTY_VALUE = :EMPTY_VALUE
|
|
26
23
|
|
|
@@ -35,7 +32,9 @@ module Contrast
|
|
|
35
32
|
current_level = current_level.send(segment) if current_level.cs__respond_to?(segment)
|
|
36
33
|
end
|
|
37
34
|
last_entry = dot_path_array[-1]
|
|
38
|
-
|
|
35
|
+
if current_level.nil? == false && current_level.cs__respond_to?(last_entry)
|
|
36
|
+
current_level.send("#{ last_entry }=", value)
|
|
37
|
+
end
|
|
39
38
|
nil
|
|
40
39
|
end
|
|
41
40
|
|
|
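Review bot: The new guard at new lines 35–36 checks `cs__respond_to?(last_entry)`, i.e. the reader name, but then invokes the writer `"#{ last_entry }="` through `send`, so a segment that has a reader but no public writer passes the check and still reaches a private or missing setter, and `send` bypasses visibility either way. Assuming `cs__respond_to?` mirrors `respond_to?`, checking the writer name and dispatching publicly keeps the guard and the call aligned: `if current_level && current_level.cs__respond_to?("#{ last_entry }=")` followed by `current_level.public_send("#{ last_entry }=", value)`. `current_level.nil? == false` is also an explicit boolean comparison; `current_level &&` says the same thing in the idiomatic form. The enclosing method starts before this hunk.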
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -7,11 +7,7 @@ module Contrast
|
|
|
7
7
|
# exception handling in Ruby, allowing for the override of Response Code
|
|
8
8
|
# and Message when Security Exceptions are raised.
|
|
9
9
|
class ExceptionConfiguration < BaseConfiguration
|
|
10
|
-
KEYS = {
|
|
11
|
-
capture: EMPTY_VALUE,
|
|
12
|
-
override_status: EMPTY_VALUE,
|
|
13
|
-
override_message: EMPTY_VALUE
|
|
14
|
-
}.cs__freeze
|
|
10
|
+
KEYS = { capture: EMPTY_VALUE, override_status: EMPTY_VALUE, override_message: EMPTY_VALUE }.cs__freeze
|
|
15
11
|
|
|
16
12
|
def initialize hsh
|
|
17
13
|
super(hsh, KEYS)
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -7,12 +7,18 @@ module Contrast
|
|
|
7
7
|
# Heap Dump collection functionality of the Agent.
|
|
8
8
|
class HeapDumpConfiguration < BaseConfiguration
|
|
9
9
|
KEYS = {
|
|
10
|
-
enable:
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
10
|
+
enable: # should dumps be taken
|
|
11
|
+
Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE),
|
|
12
|
+
path: # dir to which dumps should be
|
|
13
|
+
Contrast::Config::DefaultValue.new('contrast_heap_dumps'), # saved
|
|
14
|
+
delay_ms: # time, in ms, after initialization
|
|
15
|
+
Contrast::Config::DefaultValue.new(10_000), # to delay before taking dump
|
|
16
|
+
window_ms: # ms between each dump
|
|
17
|
+
Contrast::Config::DefaultValue.new(10_000), #
|
|
18
|
+
count: # number of dumps to take
|
|
19
|
+
Contrast::Config::DefaultValue.new(5), #
|
|
20
|
+
clean: # remove temporary objects or not
|
|
21
|
+
Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE) #
|
|
16
22
|
}.cs__freeze
|
|
17
23
|
|
|
18
24
|
def initialize hsh
|
|
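Review bot: The key comments on new lines 10–21 are split between the key line and the value line ("dir to which dumps should be" / "saved") and several values end in an empty trailing `#`, which leaves stray markers and makes the hash hard to scan. One full comment line above each key, e.g. `# path: directory to which dumps are saved` above `path:`, with the empty `#` markers dropped, documents the same defaults without changing them. Because a heap dump can contain request data and secrets, the `path` comment is also the place to say how the default `'contrast_heap_dumps'` is resolved (presumably relative to the process working directory, but that is not visible in this hunk). The class continues past the end of the hunk.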
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -6,11 +6,7 @@ module Contrast
|
|
|
6
6
|
# Common Configuration settings. Those in this section pertain to the
|
|
7
7
|
# logging in the Agent.
|
|
8
8
|
class LoggerConfiguration < BaseConfiguration
|
|
9
|
-
KEYS = {
|
|
10
|
-
path: EMPTY_VALUE,
|
|
11
|
-
level: EMPTY_VALUE,
|
|
12
|
-
progname: EMPTY_VALUE
|
|
13
|
-
}.cs__freeze
|
|
9
|
+
KEYS = { path: EMPTY_VALUE, level: EMPTY_VALUE, progname: EMPTY_VALUE }.cs__freeze
|
|
14
10
|
|
|
15
11
|
def initialize hsh
|
|
16
12
|
super(hsh, KEYS)
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'set'
|
|
@@ -18,6 +18,28 @@ module Contrast
|
|
|
18
18
|
def initialize hsh
|
|
19
19
|
super(hsh, KEYS)
|
|
20
20
|
end
|
|
21
|
+
|
|
22
|
+
# To convert the user input mode from config to a standard format used by TS & SR, we need to convert the given
|
|
23
|
+
# String to its Contrast::Api::Settings::ProtectionRule::Mode equivalent. If a nonsense value is provided, it'll
|
|
24
|
+
# be treated the same as disabling the rule.
|
|
25
|
+
#
|
|
26
|
+
# @return [Contrast::Api::Settings::ProtectionRule::Mode, nil]
|
|
27
|
+
def applicable_mode
|
|
28
|
+
return unless mode
|
|
29
|
+
|
|
30
|
+
case mode
|
|
31
|
+
when 'permit'
|
|
32
|
+
Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
|
|
33
|
+
when 'block_at_perimeter'
|
|
34
|
+
Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
|
|
35
|
+
when 'block'
|
|
36
|
+
Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
|
|
37
|
+
when 'monitor'
|
|
38
|
+
Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
|
|
39
|
+
else
|
|
40
|
+
Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
|
|
41
|
+
end
|
|
42
|
+
end
|
|
21
43
|
end
|
|
22
44
|
end
|
|
23
45
|
end
|
|
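Review bot: The `else` branch of `applicable_mode` (new line 40) silently maps any unrecognised string to `NO_ACTION`, so a misspelling or a differently cased value such as `'Block'` turns a protect rule off with nothing in the logs; the comment on lines 22–24 says that is intended, but an operator who expected blocking and got nothing would want a trace of why. Logging the offending value before returning `NO_ACTION`, and matching on `mode.to_s.downcase` if case-insensitive values are acceptable, would make the fail-open visible. The early `return unless mode` on line 28 also yields `nil` for an unset mode while a nonsense mode yields `NO_ACTION`; the `@return` tag admits both but the prose does not distinguish them, so a line such as `# Returns nil when no mode is configured at all.` would close that gap. The class opens before this hunk.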
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'contrast/config/default_value'
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'yaml'
|
|
@@ -25,16 +25,8 @@ module Contrast
|
|
|
25
25
|
|
|
26
26
|
DEFAULT_YAML_PATH = 'contrast_security.yaml'
|
|
27
27
|
MILLISECOND_MARKER = '_ms'
|
|
28
|
-
CONVERSION = {
|
|
29
|
-
|
|
30
|
-
}.cs__freeze
|
|
31
|
-
CONFIG_BASE_PATHS = [
|
|
32
|
-
'',
|
|
33
|
-
'config/',
|
|
34
|
-
'/etc/contrast/ruby/',
|
|
35
|
-
'/etc/contrast/',
|
|
36
|
-
'/etc/'
|
|
37
|
-
].cs__freeze
|
|
28
|
+
CONVERSION = { 'agent.service.enable' => 'agent.start_bundled_service' }.cs__freeze
|
|
29
|
+
CONFIG_BASE_PATHS = ['', 'config/', '/etc/contrast/ruby/', '/etc/contrast/', '/etc/'].cs__freeze
|
|
38
30
|
|
|
39
31
|
def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
|
|
40
32
|
@default_name = default_name
|
|
@@ -189,10 +181,7 @@ module Contrast
|
|
|
189
181
|
# When we fail to parse a configuration because it is misformatted, log an
|
|
190
182
|
# appropriate message based on the Agent Onboarding specification
|
|
191
183
|
def log_yaml_parse_error path, exception
|
|
192
|
-
hash = {
|
|
193
|
-
path: path,
|
|
194
|
-
pwd: Dir.pwd
|
|
195
|
-
}
|
|
184
|
+
hash = { path: path, pwd: Dir.pwd }
|
|
196
185
|
if exception.is_a?(Psych::SyntaxError)
|
|
197
186
|
hash[:context] = exception.context
|
|
198
187
|
hash[:column] = exception.column
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
module Contrast
|
|
5
|
+
module Delegators
|
|
6
|
+
# Used to decorate the InputAnalysis protobuf model so it can own the
|
|
7
|
+
# Contrast::Agent::Request from which it came.
|
|
8
|
+
class InputAnalysis < SimpleDelegator
|
|
9
|
+
attr_accessor :request
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
end
|
|
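Review bot: The new class inherits from `SimpleDelegator` but the file never requires the standard library module that defines it, so it only loads if some earlier file has already done so; adding `require 'delegate'` after the `frozen_string_literal` line makes the file self-contained. The class comment could also document the attribute it adds, e.g. `# @return [Contrast::Agent::Request] the request this analysis was produced for` above `attr_accessor :request`, since that is the whole purpose of the wrapper.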
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
module Contrast
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'contrast/agent/patching/policy/patch'
|
|
@@ -56,12 +56,7 @@ module Contrast
|
|
|
56
56
|
return ret unless Contrast::Agent::Assess::Tracker.tracked?(ret)
|
|
57
57
|
|
|
58
58
|
properties.cleanup_tags
|
|
59
|
-
properties.build_event(
|
|
60
|
-
ARRAY_JOIN_NODE,
|
|
61
|
-
ret,
|
|
62
|
-
ary,
|
|
63
|
-
ret,
|
|
64
|
-
[separator])
|
|
59
|
+
properties.build_event(ARRAY_JOIN_NODE, ret, ary, ret, [separator])
|
|
65
60
|
properties.event.instance_variable_set(:@_parent_events, parent_events)
|
|
66
61
|
ret
|
|
67
62
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
# This module is used to track propagation through ERB template rendering
|
|
@@ -25,13 +25,7 @@ module ERBPropagator
|
|
|
25
25
|
parent_event = Contrast::Agent::Assess::Tracker.properties(bound_variable_value)&.event
|
|
26
26
|
parent_events << parent_event if parent_event
|
|
27
27
|
end
|
|
28
|
-
properties.build_event(
|
|
29
|
-
patcher,
|
|
30
|
-
ret,
|
|
31
|
-
preshift.object,
|
|
32
|
-
ret,
|
|
33
|
-
preshift.args,
|
|
34
|
-
1)
|
|
28
|
+
properties.build_event(patcher, ret, preshift.object, ret, preshift.args, 1)
|
|
35
29
|
properties.event.instance_variable_set(:@_parent_events, parent_events)
|
|
36
30
|
|
|
37
31
|
ret
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'contrast/components/interface'
|
|
@@ -24,9 +24,6 @@ module Contrast
|
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
def apply_trigger obj, source, ret, clazz, method
|
|
27
|
-
current_context = Contrast::Agent::REQUEST_TRACKER.current
|
|
28
|
-
return unless current_context
|
|
29
|
-
|
|
30
27
|
# Since we know this is the source of the trigger, we can do some
|
|
31
28
|
# optimization here and return when it is not tracked
|
|
32
29
|
return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)
|
|
@@ -34,13 +31,8 @@ module Contrast
|
|
|
34
31
|
# source might not be all the args passed in, but it is the one we care
|
|
35
32
|
# about. we could pass in all the args in the last param here if it
|
|
36
33
|
# becomes an issue in rendering on TS
|
|
37
|
-
Contrast::Agent::Assess::Policy::TriggerMethod.apply_eval_trigger(
|
|
38
|
-
|
|
39
|
-
trigger_node(clazz, method),
|
|
40
|
-
source,
|
|
41
|
-
obj,
|
|
42
|
-
ret,
|
|
43
|
-
source)
|
|
34
|
+
Contrast::Agent::Assess::Policy::TriggerMethod.apply_eval_trigger(trigger_node(clazz, method), source, obj,
|
|
35
|
+
ret, source)
|
|
44
36
|
end
|
|
45
37
|
|
|
46
38
|
def instrument_basic_object_track
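Review bot: Removing `current_context = Contrast::Agent::REQUEST_TRACKER.current` / `return unless current_context` from the top of apply_trigger means the apply_eval_trigger call at the end of the second hunk is now reached for any tracked source, including calls made outside a request, and nothing in either hunk shows where that check moved; presumably TriggerMethod.apply_eval_trigger now resolves the request context itself, but that should be confirmed rather than assumed, since a missing context there would leave a finding with no request to attach to. The same guard is dropped from ExecTrigger#apply_trigger in the next file, where build_finding also loses its `current_context` argument, so the two should be verified together against the new TriggerMethod signatures. A one-line comment at the call, e.g. `# request context is resolved inside apply_eval_trigger; no per-request guard here — confirm`, would record the new contract for the next reader. apply_trigger starts in the first hunk and ends in the second; the lines between the two hunks are not shown.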
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'contrast/agent/at_exit_hook'
|
|
@@ -11,9 +11,6 @@ module Contrast
|
|
|
11
11
|
# the trigger at the start in order to account for the process hand off.
|
|
12
12
|
module ExecTrigger
|
|
13
13
|
def apply_trigger source
|
|
14
|
-
current_context = Contrast::Agent::REQUEST_TRACKER.current
|
|
15
|
-
return unless current_context
|
|
16
|
-
|
|
17
14
|
# Since we know this is the source of the trigger, we can do some
|
|
18
15
|
# optimization here and return when it is not tracked
|
|
19
16
|
return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)
|
|
@@ -21,21 +18,14 @@ module Contrast
|
|
|
21
18
|
# source might not be all the args passed in, but it is the one we care
|
|
22
19
|
# about. we could pass in all the args in the last param here if it
|
|
23
20
|
# becomes an issue in rendering on TS
|
|
24
|
-
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
|
|
25
|
-
current_context,
|
|
26
|
-
trigger_node,
|
|
27
|
-
source,
|
|
28
|
-
Kernel,
|
|
29
|
-
nil,
|
|
30
|
-
source)
|
|
21
|
+
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, source, Kernel, nil, source)
|
|
31
22
|
end
|
|
32
23
|
|
|
33
24
|
private
|
|
34
25
|
|
|
35
26
|
def trigger_node
|
|
36
|
-
@_trigger_node ||=
|
|
37
|
-
|
|
38
|
-
end
|
|
27
|
+
@_trigger_node ||= Contrast::Agent::Assess::Policy::Policy.instance.find_node('cmd-injection', 'Kernel',
|
|
28
|
+
:exec, false)
|
|
39
29
|
end
|
|
40
30
|
end
|
|
41
31
|
end
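Review bot: The rewritten trigger_node memoizes with `||=`, so if `Policy.instance.find_node('cmd-injection', 'Kernel', :exec, false)` returns nil (policy not yet loaded, or the node absent) the lookup runs again on every Kernel#exec call and the build_finding call in the previous hunk is handed a nil node; with the current_context guard also removed from apply_trigger, nothing short-circuits before that call. Because exec replaces the process and the module comment explains this trigger fires up front for exactly that reason, a cheap guard in apply_trigger keeps the finding path from running with a nil node: `node = trigger_node` / `return unless node` / `Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(node, source, Kernel, nil, source)`. Whether find_node can return nil is not visible here, so check Policy#find_node before adding it.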
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Copyright (c)
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require 'contrast/agent/assess/policy/propagation_node'
|
|
@@ -64,12 +64,7 @@ module Contrast
|
|
|
64
64
|
next unless (result_properties = Contrast::Agent::Assess::Tracker.properties!(result))
|
|
65
65
|
|
|
66
66
|
result_properties.splat_from(fiber, result)
|
|
67
|
-
result_properties.build_event(
|
|
68
|
-
FIBER_YIELD_NODE,
|
|
69
|
-
result,
|
|
70
|
-
fiber,
|
|
71
|
-
result,
|
|
72
|
-
[])
|
|
67
|
+
result_properties.build_event(FIBER_YIELD_NODE, result, fiber, result, [])
|
|
73
68
|
end
|
|
74
69
|
end
|
|
75
70
|
rescue Exception => e # rubocop:disable Lint/RescueException
|
|
@@ -85,12 +80,7 @@ module Contrast
|
|
|
85
80
|
return unless properties
|
|
86
81
|
|
|
87
82
|
properties.splat_from(underlying, fiber)
|
|
88
|
-
properties.build_event(
|
|
89
|
-
FIBER_NEW_NODE,
|
|
90
|
-
fiber,
|
|
91
|
-
underlying,
|
|
92
|
-
fiber,
|
|
93
|
-
[])
|
|
83
|
+
properties.build_event(FIBER_NEW_NODE, fiber, underlying, fiber, [])
|
|
94
84
|
end
|
|
95
85
|
rescue Exception => e # rubocop:disable Lint/RescueException
|
|
96
86
|
logger.error('Unable to propagate during Fiber.new', e)
|