contrast-agent 4.3.2 → 4.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitmodules +1 -1
- data/.simplecov +1 -1
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +2 -3
- data/exe/contrast_service +1 -1
- data/ext/build_funchook.rb +4 -4
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
- data/ext/cs__assess_active_record_named/extconf.rb +1 -1
- data/ext/cs__assess_array/cs__assess_array.c +1 -1
- data/ext/cs__assess_array/extconf.rb +1 -1
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
- data/ext/cs__assess_basic_object/extconf.rb +1 -1
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_fiber_track/extconf.rb +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
- data/ext/cs__assess_hash/extconf.rb +1 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
- data/ext/cs__assess_kernel/extconf.rb +1 -1
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
- data/ext/cs__assess_marshal_module/extconf.rb +1 -1
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_module/extconf.rb +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
- data/ext/cs__assess_regexp/extconf.rb +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +1 -1
- data/ext/cs__assess_string/extconf.rb +1 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
- data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +1 -1
- data/ext/cs__common/cs__common.c +5 -5
- data/ext/cs__common/cs__common.h +4 -4
- data/ext/cs__common/extconf.rb +1 -1
- data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
- data/ext/cs__contrast_patch/extconf.rb +1 -1
- data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
- data/ext/cs__protect_kernel/extconf.rb +1 -1
- data/ext/extconf_common.rb +2 -6
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +20 -1
- data/lib/contrast/agent.rb +6 -4
- data/lib/contrast/agent/assess.rb +2 -11
- data/lib/contrast/agent/assess/contrast_event.rb +54 -71
- data/lib/contrast/agent/assess/contrast_object.rb +7 -4
- data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
- data/lib/contrast/agent/assess/events/source_event.rb +7 -2
- data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
- data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
- data/lib/contrast/agent/assess/policy/policy.rb +1 -1
- data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
- data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
- data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
- data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
- data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
- data/lib/contrast/agent/assess/properties.rb +1 -3
- data/lib/contrast/agent/assess/property/evented.rb +9 -6
- data/lib/contrast/agent/assess/property/tagged.rb +38 -20
- data/lib/contrast/agent/assess/property/updated.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
- data/lib/contrast/agent/assess/tag.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +2 -2
- data/lib/contrast/agent/at_exit_hook.rb +1 -1
- data/lib/contrast/agent/class_reopener.rb +4 -2
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
- data/lib/contrast/agent/disable_reaction.rb +2 -4
- data/lib/contrast/agent/exclusion_matcher.rb +6 -12
- data/lib/contrast/agent/inventory.rb +1 -2
- data/lib/contrast/agent/inventory/dependencies.rb +3 -1
- data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
- data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
- data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/middleware.rb +111 -110
- data/lib/contrast/agent/module_data.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
- data/lib/contrast/agent/patching/policy/patch.rb +23 -29
- data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
- data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
- data/lib/contrast/agent/patching/policy/policy.rb +14 -21
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
- data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
- data/lib/contrast/agent/protect/policy/policy.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +19 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
- data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
- data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
- data/lib/contrast/agent/protect/rule/xss.rb +2 -2
- data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
- data/lib/contrast/agent/railtie.rb +1 -1
- data/lib/contrast/agent/reaction_processor.rb +12 -11
- data/lib/contrast/agent/request.rb +25 -24
- data/lib/contrast/agent/request_context.rb +25 -23
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/response.rb +1 -1
- data/lib/contrast/agent/rewriter.rb +6 -4
- data/lib/contrast/agent/rule_set.rb +3 -3
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +3 -4
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/thread.rb +2 -2
- data/lib/contrast/agent/thread_watcher.rb +21 -6
- data/lib/contrast/agent/tracepoint_hook.rb +2 -2
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent/worker_thread.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/communication.rb +1 -1
- data/lib/contrast/api/communication/connection_status.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +19 -22
- data/lib/contrast/api/communication/response_processor.rb +13 -8
- data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +30 -35
- data/lib/contrast/api/communication/speedracer.rb +6 -10
- data/lib/contrast/api/communication/tcp_socket.rb +1 -1
- data/lib/contrast/api/communication/unix_socket.rb +1 -1
- data/lib/contrast/api/decorators.rb +3 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +58 -0
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +57 -0
- data/lib/contrast/api/decorators/application_update.rb +1 -1
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/input_analysis.rb +1 -1
- data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
- data/lib/contrast/api/decorators/library.rb +9 -7
- data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
- data/lib/contrast/api/decorators/message.rb +4 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
- data/lib/contrast/api/decorators/route_coverage.rb +16 -6
- data/lib/contrast/api/decorators/server_features.rb +1 -1
- data/lib/contrast/api/decorators/trace_event.rb +46 -16
- data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
- data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
- data/lib/contrast/api/decorators/user_input.rb +1 -1
- data/lib/contrast/components/agent.rb +16 -15
- data/lib/contrast/components/app_context.rb +11 -29
- data/lib/contrast/components/assess.rb +6 -11
- data/lib/contrast/components/config.rb +3 -2
- data/lib/contrast/components/contrast_service.rb +8 -9
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/interface.rb +4 -3
- data/lib/contrast/components/inventory.rb +1 -1
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/protect.rb +11 -14
- data/lib/contrast/components/sampling.rb +55 -7
- data/lib/contrast/components/scope.rb +2 -1
- data/lib/contrast/components/settings.rb +29 -99
- data/lib/contrast/config.rb +1 -1
- data/lib/contrast/config/agent_configuration.rb +1 -1
- data/lib/contrast/config/application_configuration.rb +1 -1
- data/lib/contrast/config/assess_configuration.rb +1 -1
- data/lib/contrast/config/assess_rules_configuration.rb +2 -4
- data/lib/contrast/config/base_configuration.rb +5 -6
- data/lib/contrast/config/default_value.rb +1 -1
- data/lib/contrast/config/exception_configuration.rb +2 -6
- data/lib/contrast/config/heap_dump_configuration.rb +13 -7
- data/lib/contrast/config/inventory_configuration.rb +1 -1
- data/lib/contrast/config/logger_configuration.rb +2 -6
- data/lib/contrast/config/protect_configuration.rb +1 -1
- data/lib/contrast/config/protect_rule_configuration.rb +23 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/config/root_configuration.rb +1 -1
- data/lib/contrast/config/ruby_configuration.rb +1 -1
- data/lib/contrast/config/sampling_configuration.rb +1 -1
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +1 -1
- data/lib/contrast/configuration.rb +4 -15
- data/lib/contrast/delegators/input_analysis.rb +12 -0
- data/lib/contrast/extension/assess.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +2 -7
- data/lib/contrast/extension/assess/erb.rb +2 -8
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
- data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
- data/lib/contrast/extension/assess/fiber.rb +3 -13
- data/lib/contrast/extension/assess/hash.rb +1 -1
- data/lib/contrast/extension/assess/kernel.rb +3 -10
- data/lib/contrast/extension/assess/marshal.rb +3 -11
- data/lib/contrast/extension/assess/regexp.rb +2 -7
- data/lib/contrast/extension/assess/string.rb +4 -2
- data/lib/contrast/extension/delegator.rb +1 -1
- data/lib/contrast/extension/inventory.rb +1 -1
- data/lib/contrast/extension/kernel.rb +5 -3
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect.rb +1 -1
- data/lib/contrast/extension/protect/kernel.rb +1 -1
- data/lib/contrast/extension/protect/psych.rb +1 -1
- data/lib/contrast/extension/thread.rb +1 -1
- data/lib/contrast/framework/base_support.rb +1 -1
- data/lib/contrast/framework/manager.rb +14 -17
- data/lib/contrast/framework/platform_version.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
- data/lib/contrast/framework/rack/patch/support.rb +7 -5
- data/lib/contrast/framework/rack/support.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
- data/lib/contrast/framework/rails/patch/support.rb +5 -3
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
- data/lib/contrast/framework/rails/support.rb +45 -46
- data/lib/contrast/framework/sinatra/support.rb +103 -42
- data/lib/contrast/funchook/funchook.rb +2 -6
- data/lib/contrast/logger/application.rb +13 -10
- data/lib/contrast/logger/format.rb +3 -6
- data/lib/contrast/logger/log.rb +36 -19
- data/lib/contrast/logger/request.rb +2 -3
- data/lib/contrast/logger/time.rb +1 -1
- data/lib/contrast/security_exception.rb +2 -2
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +6 -2
- data/lib/contrast/utils/assess/sampling_util.rb +1 -1
- data/lib/contrast/utils/assess/tracking_util.rb +2 -3
- data/lib/contrast/utils/class_util.rb +18 -12
- data/lib/contrast/utils/duck_utils.rb +1 -1
- data/lib/contrast/utils/env_configuration_item.rb +1 -1
- data/lib/contrast/utils/hash_digest.rb +16 -24
- data/lib/contrast/utils/heap_dump_util.rb +104 -88
- data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
- data/lib/contrast/utils/inventory_util.rb +1 -1
- data/lib/contrast/utils/io_util.rb +2 -2
- data/lib/contrast/utils/job_servers_running.rb +10 -5
- data/lib/contrast/utils/object_share.rb +1 -1
- data/lib/contrast/utils/os.rb +3 -2
- data/lib/contrast/utils/preflight_util.rb +1 -1
- data/lib/contrast/utils/resource_loader.rb +1 -1
- data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
- data/lib/contrast/utils/sha256_builder.rb +1 -1
- data/lib/contrast/utils/stack_trace_utils.rb +1 -1
- data/lib/contrast/utils/string_utils.rb +1 -1
- data/lib/contrast/utils/tag_util.rb +1 -1
- data/lib/contrast/utils/thread_tracker.rb +1 -1
- data/lib/contrast/utils/timer.rb +1 -1
- data/resources/assess/policy.json +8 -11
- data/resources/deadzone/policy.json +7 -17
- data/ruby-agent.gemspec +66 -27
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- data/sonar-project.properties +9 -0
- metadata +154 -156
- data/lib/contrast/agent/assess/rule.rb +0 -18
- data/lib/contrast/agent/assess/rule/base.rb +0 -52
- data/lib/contrast/agent/assess/rule/redos.rb +0 -67
- data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
- data/lib/contrast/common_agent_configuration.rb +0 -87
- data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
- data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
- data/lib/contrast/utils/prevent_serialization.rb +0 -52
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -47,13 +47,7 @@ module Contrast
|
|
47
47
|
parent_events = []
|
48
48
|
track_sprintf(ret, format_string, args, parent_events)
|
49
49
|
|
50
|
-
properties.build_event(
|
51
|
-
patcher,
|
52
|
-
ret,
|
53
|
-
preshift.object,
|
54
|
-
ret,
|
55
|
-
preshift.args,
|
56
|
-
1)
|
50
|
+
properties.build_event(patcher, ret, preshift.object, ret, preshift.args, 1)
|
57
51
|
|
58
52
|
properties.event.instance_variable_set(:@_parent_events, parent_events)
|
59
53
|
ret
|
@@ -70,8 +64,7 @@ module Contrast
|
|
70
64
|
handle_sprintf_array(args, result, parent_events)
|
71
65
|
end
|
72
66
|
rescue StandardError => e
|
73
|
-
logger.error(
|
74
|
-
'Unable to track dataflow through sprintf', e)
|
67
|
+
logger.error('Unable to track dataflow through sprintf', e)
|
75
68
|
end
|
76
69
|
|
77
70
|
def instrument_kernel_track
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -27,20 +27,12 @@ module Contrast
|
|
27
27
|
|
28
28
|
def cs__load_assess source, ret
|
29
29
|
with_contrast_scope do
|
30
|
-
current_context = Contrast::Agent::REQUEST_TRACKER.current
|
31
|
-
return unless current_context
|
32
|
-
|
33
30
|
args = [source]
|
34
31
|
# source might not be all the args passed in, but it is the one we care
|
35
32
|
# about. we could pass in all the args in the last param here if it
|
36
33
|
# becomes an issue in rendering on TS
|
37
|
-
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
|
38
|
-
|
39
|
-
trigger_node('Marshal', :load),
|
40
|
-
source,
|
41
|
-
self,
|
42
|
-
ret,
|
43
|
-
*args)
|
34
|
+
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node('Marshal', :load), source,
|
35
|
+
self, ret, *args)
|
44
36
|
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
|
45
37
|
|
46
38
|
properties.copy_from(source, ret)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/assess/policy/propagation_node'
|
@@ -53,12 +53,7 @@ module Contrast
|
|
53
53
|
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
|
54
54
|
|
55
55
|
properties.splat_from(string, target)
|
56
|
-
properties.build_event(
|
57
|
-
REGEXP_EQUAL_SQUIGGLE_NODE,
|
58
|
-
target,
|
59
|
-
self,
|
60
|
-
result,
|
61
|
-
[string])
|
56
|
+
properties.build_event(REGEXP_EQUAL_SQUIGGLE_NODE, target, self, result, [string])
|
62
57
|
end
|
63
58
|
rescue Exception => e # rubocop:disable Lint/RescueException
|
64
59
|
logger.error('Unable to propagate during Regexp#=~', e)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/assess/policy/propagation_node'
|
@@ -66,7 +66,9 @@ module Contrast
|
|
66
66
|
def instrument_string_interpolation
|
67
67
|
if @_instrument_string_interpolation.nil?
|
68
68
|
@_instrument_string_interpolation = begin
|
69
|
-
|
69
|
+
if AGENT.patch_interpolation? && Funchook.available?
|
70
|
+
require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
|
71
|
+
end
|
70
72
|
true
|
71
73
|
rescue StandardError, LoadError => e
|
72
74
|
logger.error('Error loading interpolation patch', e)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
# Some developers override various methods on Delegator, which can often
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/scope'
|
@@ -41,13 +41,15 @@ module Kernel # :nodoc:
|
|
41
41
|
|
42
42
|
def catch *args, &block
|
43
43
|
# Save current scope level
|
44
|
-
scope_level =
|
44
|
+
scope_level =
|
45
|
+
Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
|
45
46
|
|
46
47
|
# Run original catch with block.
|
47
48
|
retval = cs__catch(*args, &block)
|
48
49
|
|
49
50
|
# Restore scope.
|
50
|
-
Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope,
|
51
|
+
Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope,
|
52
|
+
scope_level)
|
51
53
|
|
52
54
|
retval
|
53
55
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
if defined?(Psych)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
# ensure that we're being loaded with an agent
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/framework/platform_version'
|
@@ -19,8 +19,7 @@ module Contrast
|
|
19
19
|
# Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
|
20
20
|
# do not exist
|
21
21
|
SUPPORTED_FRAMEWORKS = [
|
22
|
-
Contrast::Framework::Rails::Support,
|
23
|
-
Contrast::Framework::Sinatra::Support,
|
22
|
+
Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
|
24
23
|
Contrast::Framework::Rack::Support
|
25
24
|
].cs__freeze
|
26
25
|
|
@@ -44,11 +43,9 @@ module Contrast
|
|
44
43
|
end
|
45
44
|
end
|
46
45
|
|
47
|
-
# Return all the After Load Patches for all the Frameworks we know, even
|
48
|
-
# if that Framework hasn't been detected.
|
46
|
+
# Return all the After Load Patches for all the Frameworks we know, even if that Framework hasn't been detected.
|
49
47
|
#
|
50
|
-
# @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the
|
51
|
-
# AfterLoadPatches of each framework
|
48
|
+
# @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the AfterLoadPatches of each framework
|
52
49
|
def find_after_load_patches
|
53
50
|
patches = Set.new
|
54
51
|
SUPPORTED_FRAMEWORKS.each do |framework|
|
@@ -82,8 +79,10 @@ module Contrast
|
|
82
79
|
end
|
83
80
|
|
84
81
|
# If we have 0 or n > 1 frameworks, we need to use the default rack request
|
85
|
-
#
|
86
|
-
#
|
82
|
+
#
|
83
|
+
# @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
|
84
|
+
# of this particular Request
|
85
|
+
# @return [::Rack::Request] either a rack request or subclass thereof.
|
87
86
|
def retrieve_request env
|
88
87
|
return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
|
89
88
|
|
@@ -102,15 +101,13 @@ module Contrast
|
|
102
101
|
result
|
103
102
|
end
|
104
103
|
|
104
|
+
# Iterate through current frameworks and return the current request's route. This will be the first
|
105
|
+
# non-nil result.
|
106
|
+
#
|
107
|
+
# @param request [Contrast::Agent::Request] the current request.
|
108
|
+
# @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
|
105
109
|
def get_route_dtm request
|
106
|
-
|
107
|
-
@_frameworks.find do |framework_klass|
|
108
|
-
# TODO: RUBY-763 Sinatra::Base#call patch adds the Route report
|
109
|
-
next if framework_klass == Contrast::Framework::Sinatra::Support
|
110
|
-
|
111
|
-
result = framework_klass.current_route(request)
|
112
|
-
end
|
113
|
-
result
|
110
|
+
@_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.reject(&:nil?).first
|
114
111
|
end
|
115
112
|
|
116
113
|
private
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -61,16 +61,9 @@ module Contrast
|
|
61
61
|
end
|
62
62
|
|
63
63
|
def apply_secure_session options
|
64
|
-
return unless vulnerable_setting?(
|
65
|
-
|
66
|
-
|
67
|
-
options,
|
68
|
-
safe_default: false)
|
69
|
-
|
70
|
-
cs__report_finding(
|
71
|
-
CS__SECURE_RULE_NAME,
|
72
|
-
options,
|
73
|
-
caller_locations(10, 9)[0])
|
64
|
+
return unless vulnerable_setting?(:secure, true, options, safe_default: false)
|
65
|
+
|
66
|
+
cs__report_finding(CS__SECURE_RULE_NAME, options, caller_locations(10, 9)[0])
|
74
67
|
rescue StandardError => e
|
75
68
|
begin
|
76
69
|
logger.error('Unable to track call to secure session', e)
|
@@ -86,10 +79,7 @@ module Contrast
|
|
86
79
|
safe_default: false,
|
87
80
|
comparison_type: :greater_than)
|
88
81
|
|
89
|
-
cs__report_finding(
|
90
|
-
CS__SESSION_TIMEOUT_NAME,
|
91
|
-
options,
|
92
|
-
caller_locations(10, 9)[0])
|
82
|
+
cs__report_finding(CS__SESSION_TIMEOUT_NAME, options, caller_locations(10, 9)[0])
|
93
83
|
rescue StandardError => e
|
94
84
|
begin
|
95
85
|
logger.error('Unable to track call to set session timeout', e)
|
@@ -101,10 +91,7 @@ module Contrast
|
|
101
91
|
def apply_httponly options
|
102
92
|
return unless vulnerable_setting?(:httponly, true, options)
|
103
93
|
|
104
|
-
cs__report_finding(
|
105
|
-
CS__HTTPONLY_NAME,
|
106
|
-
options,
|
107
|
-
caller_locations(10, 9)[0])
|
94
|
+
cs__report_finding(CS__HTTPONLY_NAME, options, caller_locations(10, 9)[0])
|
108
95
|
rescue StandardError => e
|
109
96
|
begin
|
110
97
|
logger.error('Unable to track call to httponly', e)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/patching/policy/after_load_patch'
|
@@ -12,10 +12,12 @@ module Contrast
|
|
12
12
|
module Support
|
13
13
|
# (See BaseSupport#after_load_patches)
|
14
14
|
def after_load_patches
|
15
|
-
Set.new([
|
16
|
-
|
17
|
-
|
18
|
-
|
15
|
+
Set.new([
|
16
|
+
Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
|
17
|
+
'Rack::Session::Cookie',
|
18
|
+
'contrast/framework/rack/patch/session_cookie',
|
19
|
+
instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')
|
20
|
+
])
|
19
21
|
end
|
20
22
|
end
|
21
23
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/framework/base_support'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -32,7 +32,11 @@ module Contrast
|
|
32
32
|
|
33
33
|
private
|
34
34
|
|
35
|
-
def vulnerable_setting?
|
35
|
+
def vulnerable_setting?(setting_key,
|
36
|
+
safe_settings_value,
|
37
|
+
original_args,
|
38
|
+
safe_default: true,
|
39
|
+
comparison_type: nil)
|
36
40
|
# In most cases, Rails is pretty nice and the default value is safe
|
37
41
|
return !safe_default unless original_args && original_args.length > 1
|
38
42
|
|
@@ -49,7 +53,8 @@ module Contrast
|
|
49
53
|
|
50
54
|
def apply_session_timeout *args
|
51
55
|
return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
|
52
|
-
return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args,
|
56
|
+
return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args,
|
57
|
+
comparison_type: :greater_than, safe_default: false)
|
53
58
|
|
54
59
|
rails_session_settings = args[1]
|
55
60
|
cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(3, 2)[0])
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/framework/rails/patch/assess_configuration'
|
@@ -15,9 +15,9 @@ module Contrast
|
|
15
15
|
@_instrument ||= begin
|
16
16
|
::Rails::Application::Configuration.class_eval do
|
17
17
|
alias_method :cs__patched_session_store, :session_store
|
18
|
-
def session_store *args
|
19
|
-
ret = cs__patched_session_store(*args)
|
20
|
-
Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args)
|
18
|
+
def session_store *args, **kwargs
|
19
|
+
ret = cs__patched_session_store(*args, **kwargs)
|
20
|
+
Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args, **kwargs)
|
21
21
|
ret
|
22
22
|
end
|
23
23
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/framework/rails/patch/rails_application_configuration'
|
@@ -44,11 +44,13 @@ module Contrast
|
|
44
44
|
'ActionController::Railties::Helper::ClassMethods',
|
45
45
|
'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
|
46
46
|
method_to_instrument: :inherited,
|
47
|
-
instrumenting_module:
|
47
|
+
instrumenting_module:
|
48
|
+
'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
|
48
49
|
Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
|
49
50
|
'ActiveRecord::AttributeMethods::Read::ClassMethods',
|
50
51
|
'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
|
51
|
-
instrumenting_module:
|
52
|
+
instrumenting_module:
|
53
|
+
'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
|
52
54
|
Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
|
53
55
|
'ActiveRecord::Scoping::Named::ClassMethods',
|
54
56
|
'contrast/framework/rails/rewrite/active_record_named',
|
@@ -1,6 +1,8 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
|
5
|
+
|
4
6
|
module Contrast
|
5
7
|
module Framework
|
6
8
|
module Rails
|
@@ -19,7 +21,8 @@ module Contrast
|
|
19
21
|
alias_method :cs__patched_helper_inherited, :inherited
|
20
22
|
def inherited klass # rubocop:disable Lint/MissingSuper
|
21
23
|
klass&.instance_variable_set(:@cs__defining_class, true)
|
22
|
-
|
24
|
+
# This calls the original inherited, which should handle super as needed.
|
25
|
+
cs__patched_helper_inherited(klass)
|
23
26
|
ensure
|
24
27
|
klass&.instance_variable_set(:@cs__defining_class, false)
|
25
28
|
end
|
@@ -1,6 +1,8 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
|
5
|
+
|
4
6
|
module Contrast
|
5
7
|
module Framework
|
6
8
|
module Rails
|