contrast-agent 4.3.2 → 4.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitmodules +1 -1
- data/.simplecov +1 -1
- data/Gemfile +1 -1
- data/LICENSE.txt +1 -1
- data/Rakefile +2 -3
- data/exe/contrast_service +1 -1
- data/ext/build_funchook.rb +4 -4
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
- data/ext/cs__assess_active_record_named/extconf.rb +1 -1
- data/ext/cs__assess_array/cs__assess_array.c +1 -1
- data/ext/cs__assess_array/extconf.rb +1 -1
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
- data/ext/cs__assess_basic_object/extconf.rb +1 -1
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_fiber_track/extconf.rb +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
- data/ext/cs__assess_hash/extconf.rb +1 -1
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
- data/ext/cs__assess_kernel/extconf.rb +1 -1
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
- data/ext/cs__assess_marshal_module/extconf.rb +1 -1
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_module/extconf.rb +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
- data/ext/cs__assess_regexp/extconf.rb +1 -1
- data/ext/cs__assess_string/cs__assess_string.c +1 -1
- data/ext/cs__assess_string/extconf.rb +1 -1
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
- data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
- data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +1 -1
- data/ext/cs__common/cs__common.c +5 -5
- data/ext/cs__common/cs__common.h +4 -4
- data/ext/cs__common/extconf.rb +1 -1
- data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
- data/ext/cs__contrast_patch/extconf.rb +1 -1
- data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
- data/ext/cs__protect_kernel/extconf.rb +1 -1
- data/ext/extconf_common.rb +2 -6
- data/lib/contrast-agent.rb +1 -1
- data/lib/contrast.rb +20 -1
- data/lib/contrast/agent.rb +6 -4
- data/lib/contrast/agent/assess.rb +2 -11
- data/lib/contrast/agent/assess/contrast_event.rb +54 -71
- data/lib/contrast/agent/assess/contrast_object.rb +7 -4
- data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
- data/lib/contrast/agent/assess/events/source_event.rb +7 -2
- data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
- data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
- data/lib/contrast/agent/assess/policy/policy.rb +1 -1
- data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
- data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
- data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
- data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
- data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
- data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
- data/lib/contrast/agent/assess/properties.rb +1 -3
- data/lib/contrast/agent/assess/property/evented.rb +9 -6
- data/lib/contrast/agent/assess/property/tagged.rb +38 -20
- data/lib/contrast/agent/assess/property/updated.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider.rb +1 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
- data/lib/contrast/agent/assess/tag.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +2 -2
- data/lib/contrast/agent/at_exit_hook.rb +1 -1
- data/lib/contrast/agent/class_reopener.rb +4 -2
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
- data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
- data/lib/contrast/agent/disable_reaction.rb +2 -4
- data/lib/contrast/agent/exclusion_matcher.rb +6 -12
- data/lib/contrast/agent/inventory.rb +1 -2
- data/lib/contrast/agent/inventory/dependencies.rb +3 -1
- data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
- data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
- data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
- data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
- data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/middleware.rb +111 -110
- data/lib/contrast/agent/module_data.rb +4 -4
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
- data/lib/contrast/agent/patching/policy/patch.rb +23 -29
- data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
- data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
- data/lib/contrast/agent/patching/policy/policy.rb +14 -21
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
- data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
- data/lib/contrast/agent/protect/policy/policy.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
- data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +19 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
- data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
- data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
- data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
- data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
- data/lib/contrast/agent/protect/rule/xss.rb +2 -2
- data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
- data/lib/contrast/agent/railtie.rb +1 -1
- data/lib/contrast/agent/reaction_processor.rb +12 -11
- data/lib/contrast/agent/request.rb +25 -24
- data/lib/contrast/agent/request_context.rb +25 -23
- data/lib/contrast/agent/request_handler.rb +1 -1
- data/lib/contrast/agent/response.rb +1 -1
- data/lib/contrast/agent/rewriter.rb +6 -4
- data/lib/contrast/agent/rule_set.rb +3 -3
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +3 -4
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/thread.rb +2 -2
- data/lib/contrast/agent/thread_watcher.rb +21 -6
- data/lib/contrast/agent/tracepoint_hook.rb +2 -2
- data/lib/contrast/agent/version.rb +2 -2
- data/lib/contrast/agent/worker_thread.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/communication.rb +1 -1
- data/lib/contrast/api/communication/connection_status.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +19 -22
- data/lib/contrast/api/communication/response_processor.rb +13 -8
- data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +30 -35
- data/lib/contrast/api/communication/speedracer.rb +6 -10
- data/lib/contrast/api/communication/tcp_socket.rb +1 -1
- data/lib/contrast/api/communication/unix_socket.rb +1 -1
- data/lib/contrast/api/decorators.rb +3 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +58 -0
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +57 -0
- data/lib/contrast/api/decorators/application_update.rb +1 -1
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/input_analysis.rb +1 -1
- data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
- data/lib/contrast/api/decorators/library.rb +9 -7
- data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
- data/lib/contrast/api/decorators/message.rb +4 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
- data/lib/contrast/api/decorators/route_coverage.rb +16 -6
- data/lib/contrast/api/decorators/server_features.rb +1 -1
- data/lib/contrast/api/decorators/trace_event.rb +46 -16
- data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
- data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
- data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
- data/lib/contrast/api/decorators/user_input.rb +1 -1
- data/lib/contrast/components/agent.rb +16 -15
- data/lib/contrast/components/app_context.rb +11 -29
- data/lib/contrast/components/assess.rb +6 -11
- data/lib/contrast/components/config.rb +3 -2
- data/lib/contrast/components/contrast_service.rb +8 -9
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/interface.rb +4 -3
- data/lib/contrast/components/inventory.rb +1 -1
- data/lib/contrast/components/logger.rb +1 -1
- data/lib/contrast/components/protect.rb +11 -14
- data/lib/contrast/components/sampling.rb +55 -7
- data/lib/contrast/components/scope.rb +2 -1
- data/lib/contrast/components/settings.rb +29 -99
- data/lib/contrast/config.rb +1 -1
- data/lib/contrast/config/agent_configuration.rb +1 -1
- data/lib/contrast/config/application_configuration.rb +1 -1
- data/lib/contrast/config/assess_configuration.rb +1 -1
- data/lib/contrast/config/assess_rules_configuration.rb +2 -4
- data/lib/contrast/config/base_configuration.rb +5 -6
- data/lib/contrast/config/default_value.rb +1 -1
- data/lib/contrast/config/exception_configuration.rb +2 -6
- data/lib/contrast/config/heap_dump_configuration.rb +13 -7
- data/lib/contrast/config/inventory_configuration.rb +1 -1
- data/lib/contrast/config/logger_configuration.rb +2 -6
- data/lib/contrast/config/protect_configuration.rb +1 -1
- data/lib/contrast/config/protect_rule_configuration.rb +23 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/config/root_configuration.rb +1 -1
- data/lib/contrast/config/ruby_configuration.rb +1 -1
- data/lib/contrast/config/sampling_configuration.rb +1 -1
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config/service_configuration.rb +1 -1
- data/lib/contrast/configuration.rb +4 -15
- data/lib/contrast/delegators/input_analysis.rb +12 -0
- data/lib/contrast/extension/assess.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +2 -7
- data/lib/contrast/extension/assess/erb.rb +2 -8
- data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
- data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
- data/lib/contrast/extension/assess/fiber.rb +3 -13
- data/lib/contrast/extension/assess/hash.rb +1 -1
- data/lib/contrast/extension/assess/kernel.rb +3 -10
- data/lib/contrast/extension/assess/marshal.rb +3 -11
- data/lib/contrast/extension/assess/regexp.rb +2 -7
- data/lib/contrast/extension/assess/string.rb +4 -2
- data/lib/contrast/extension/delegator.rb +1 -1
- data/lib/contrast/extension/inventory.rb +1 -1
- data/lib/contrast/extension/kernel.rb +5 -3
- data/lib/contrast/extension/module.rb +1 -1
- data/lib/contrast/extension/protect.rb +1 -1
- data/lib/contrast/extension/protect/kernel.rb +1 -1
- data/lib/contrast/extension/protect/psych.rb +1 -1
- data/lib/contrast/extension/thread.rb +1 -1
- data/lib/contrast/framework/base_support.rb +1 -1
- data/lib/contrast/framework/manager.rb +14 -17
- data/lib/contrast/framework/platform_version.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
- data/lib/contrast/framework/rack/patch/support.rb +7 -5
- data/lib/contrast/framework/rack/support.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
- data/lib/contrast/framework/rails/patch/support.rb +5 -3
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
- data/lib/contrast/framework/rails/support.rb +45 -46
- data/lib/contrast/framework/sinatra/support.rb +103 -42
- data/lib/contrast/funchook/funchook.rb +2 -6
- data/lib/contrast/logger/application.rb +13 -10
- data/lib/contrast/logger/format.rb +3 -6
- data/lib/contrast/logger/log.rb +36 -19
- data/lib/contrast/logger/request.rb +2 -3
- data/lib/contrast/logger/time.rb +1 -1
- data/lib/contrast/security_exception.rb +2 -2
- data/lib/contrast/tasks/config.rb +1 -1
- data/lib/contrast/tasks/service.rb +6 -2
- data/lib/contrast/utils/assess/sampling_util.rb +1 -1
- data/lib/contrast/utils/assess/tracking_util.rb +2 -3
- data/lib/contrast/utils/class_util.rb +18 -12
- data/lib/contrast/utils/duck_utils.rb +1 -1
- data/lib/contrast/utils/env_configuration_item.rb +1 -1
- data/lib/contrast/utils/hash_digest.rb +16 -24
- data/lib/contrast/utils/heap_dump_util.rb +104 -88
- data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
- data/lib/contrast/utils/inventory_util.rb +1 -1
- data/lib/contrast/utils/io_util.rb +2 -2
- data/lib/contrast/utils/job_servers_running.rb +10 -5
- data/lib/contrast/utils/object_share.rb +1 -1
- data/lib/contrast/utils/os.rb +3 -2
- data/lib/contrast/utils/preflight_util.rb +1 -1
- data/lib/contrast/utils/resource_loader.rb +1 -1
- data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
- data/lib/contrast/utils/sha256_builder.rb +1 -1
- data/lib/contrast/utils/stack_trace_utils.rb +1 -1
- data/lib/contrast/utils/string_utils.rb +1 -1
- data/lib/contrast/utils/tag_util.rb +1 -1
- data/lib/contrast/utils/thread_tracker.rb +1 -1
- data/lib/contrast/utils/timer.rb +1 -1
- data/resources/assess/policy.json +8 -11
- data/resources/deadzone/policy.json +7 -17
- data/ruby-agent.gemspec +66 -27
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- data/sonar-project.properties +9 -0
- metadata +154 -156
- data/lib/contrast/agent/assess/rule.rb +0 -18
- data/lib/contrast/agent/assess/rule/base.rb +0 -52
- data/lib/contrast/agent/assess/rule/redos.rb +0 -67
- data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
- data/lib/contrast/common_agent_configuration.rb +0 -87
- data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
- data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
- data/lib/contrast/utils/prevent_serialization.rb +0 -52
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/agent/assess/policy/trigger_method'
|
@@ -26,19 +26,9 @@ module Contrast
|
|
26
26
|
def cs__report_finding rule_id, user_provided_options, call_location
|
27
27
|
with_contrast_scope do
|
28
28
|
finding = Contrast::Api::Dtm::Finding.new
|
29
|
-
finding.rule_id = rule_id
|
30
|
-
path = call_location.path
|
31
|
-
# just get the file name, not the full path
|
32
|
-
path = path.split(Contrast::Utils::ObjectShare::SLASH).last
|
33
|
-
session_id = user_provided_options[:key].to_s if user_provided_options
|
34
|
-
|
35
29
|
finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
|
36
|
-
finding.
|
37
|
-
finding
|
38
|
-
file_path = call_location.absolute_path
|
39
|
-
snippet = file_snippet(file_path, call_location)
|
40
|
-
finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
|
41
|
-
|
30
|
+
finding.rule_id = rule_id
|
31
|
+
set_properties(finding, user_provided_options, call_location)
|
42
32
|
hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
|
43
33
|
finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
|
44
34
|
finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
|
@@ -50,6 +40,25 @@ module Contrast
|
|
50
40
|
|
51
41
|
private
|
52
42
|
|
43
|
+
# Set the properties needed to report and subsequently render this finding on the finding given.
|
44
|
+
#
|
45
|
+
# @param finding [Contrast::Api::Dtm::Finding] the configuration finding to populate
|
46
|
+
# @param user_provided_options [Hash] the configuration value(s) which
|
47
|
+
# violated the rule
|
48
|
+
# @param call_location [Thread::Backtrace::Location] the location where
|
49
|
+
# the bad configuration was set
|
50
|
+
def set_properties finding, user_provided_options, call_location
|
51
|
+
path = call_location.path
|
52
|
+
# just get the file name, not the full path
|
53
|
+
path = path.split(Contrast::Utils::ObjectShare::SLASH).last
|
54
|
+
session_id = user_provided_options[:key].to_s if user_provided_options
|
55
|
+
finding.properties[CS__SESSION_ID] = Contrast::Utils::StringUtils.force_utf8(session_id)
|
56
|
+
finding.properties[CS__PATH] = Contrast::Utils::StringUtils.force_utf8(path)
|
57
|
+
file_path = call_location.absolute_path
|
58
|
+
snippet = file_snippet(file_path, call_location)
|
59
|
+
finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
|
60
|
+
end
|
61
|
+
|
53
62
|
def file_snippet file_path, call_location
|
54
63
|
idx = call_location&.lineno
|
55
64
|
if file_path && idx && File.exist?(file_path)
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/timer'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -20,7 +20,7 @@ module Contrast
|
|
20
20
|
|
21
21
|
should_rewind_io?(potential_io)
|
22
22
|
rescue StandardError => e
|
23
|
-
logger.debug('Encountered an issue determining if rewindable', e, module: potential_io.cs__class.
|
23
|
+
logger.debug('Encountered an issue determining if rewindable', e, module: potential_io.cs__class.cs__name)
|
24
24
|
false
|
25
25
|
end
|
26
26
|
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -24,12 +24,17 @@ module Contrast
|
|
24
24
|
end
|
25
25
|
|
26
26
|
def rake_running?
|
27
|
-
|
28
|
-
|
29
|
-
|
27
|
+
unless defined?(Rake) &&
|
28
|
+
Rake.cs__respond_to?(:application) &&
|
29
|
+
Rake.application.cs__respond_to?(:top_level_tasks)
|
30
|
+
|
31
|
+
return
|
32
|
+
end
|
30
33
|
|
31
34
|
disabled_rake_tasks = APP_CONTEXT.disabled_agent_rake_tasks
|
32
|
-
has_disabled_task = Rake.application.top_level_tasks.any?
|
35
|
+
has_disabled_task = Rake.application.top_level_tasks.any? do |top_level_task|
|
36
|
+
disabled_rake_tasks.include?(top_level_task)
|
37
|
+
end
|
33
38
|
return false unless has_disabled_task
|
34
39
|
|
35
40
|
logger.trace('Detected startup within Rake task')
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
# rubocop:disable Security/Object/Freeze
|
data/lib/contrast/utils/os.rb
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -27,7 +27,8 @@ module Contrast
|
|
27
27
|
# returns an array of zombie process PIDs as strings; empty array if there are none
|
28
28
|
def zombie_pids
|
29
29
|
with_contrast_scope do
|
30
|
-
|
30
|
+
# retrieve pid of service processes
|
31
|
+
zombie_pid_list = `ps aux | grep contrast-servic[e] | grep Z | awk '{print $2}'`
|
31
32
|
zombie_pid_list.split("\n")
|
32
33
|
end
|
33
34
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,8 +1,9 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
|
4
|
+
return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
|
5
5
|
|
6
|
+
require 'parser/current'
|
6
7
|
module Contrast
|
7
8
|
module Utils
|
8
9
|
# This utility allows us to parse and rewrite the AST in Ruby 2.5,
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'singleton'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/components/interface'
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
data/lib/contrast/utils/timer.rb
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Contrast
|
@@ -1173,27 +1173,19 @@
|
|
1173
1173
|
"instance_method": true,
|
1174
1174
|
"method_visibility": "public",
|
1175
1175
|
"method_name":"match",
|
1176
|
-
"source":"P0"
|
1177
|
-
"trigger_class": "Contrast::Agent::Assess::Rule::Redos",
|
1178
|
-
"trigger_method": "regexp_complexity_check"
|
1179
|
-
|
1176
|
+
"source":"P0"
|
1180
1177
|
}, {
|
1181
1178
|
"class_name":"String",
|
1182
1179
|
"instance_method": true,
|
1183
1180
|
"method_visibility": "public",
|
1184
1181
|
"method_name":"=~",
|
1185
|
-
"source":"O"
|
1186
|
-
"trigger_class": "Contrast::Agent::Assess::Rule::Redos",
|
1187
|
-
"trigger_method": "regexp_complexity_check"
|
1182
|
+
"source":"O"
|
1188
1183
|
}, {
|
1189
1184
|
"class_name":"Regexp",
|
1190
1185
|
"instance_method": true,
|
1191
1186
|
"method_visibility": "public",
|
1192
1187
|
"method_name":"=~",
|
1193
|
-
"source":"P0"
|
1194
|
-
"trigger_class": "Contrast::Agent::Assess::Rule::Redos",
|
1195
|
-
"trigger_method": "regexp_complexity_check"
|
1196
|
-
|
1188
|
+
"source":"P0"
|
1197
1189
|
}
|
1198
1190
|
]
|
1199
1191
|
}, {
|
@@ -1429,6 +1421,11 @@
|
|
1429
1421
|
"instance_method": true,
|
1430
1422
|
"method_visibility": "public",
|
1431
1423
|
"method_name":"rand"
|
1424
|
+
}, {
|
1425
|
+
"class_name":"Random::Base",
|
1426
|
+
"instance_method": true,
|
1427
|
+
"method_visibility": "public",
|
1428
|
+
"method_name":"rand"
|
1432
1429
|
}
|
1433
1430
|
]
|
1434
1431
|
}, {
|
@@ -5,16 +5,6 @@
|
|
5
5
|
"instance_method":true,
|
6
6
|
"method_visibility": "public",
|
7
7
|
"method_name":"content_type"
|
8
|
-
}, {
|
9
|
-
"class_name":"Rack::Request::Helpers",
|
10
|
-
"instance_method":true,
|
11
|
-
"method_visibility": "public",
|
12
|
-
"method_name":"host_authority"
|
13
|
-
}, {
|
14
|
-
"class_name":"Rack::Request::Helpers",
|
15
|
-
"instance_method":true,
|
16
|
-
"method_visibility": "public",
|
17
|
-
"method_name":"host_with_port"
|
18
8
|
}, {
|
19
9
|
"class_name":"Rack::Request::Helpers",
|
20
10
|
"instance_method":true,
|
@@ -61,18 +51,18 @@
|
|
61
51
|
"method_visibility": "private",
|
62
52
|
"method_name":"session_exists?",
|
63
53
|
"code": "https://github.com/rack/rack/blob/master/lib/rack/session/abstract/id.rb#L334"
|
64
|
-
}, {
|
65
|
-
"class_name":"ActionDispatch::Http::MimeNegotiation",
|
66
|
-
"instance_method":true,
|
67
|
-
"method_visibility": "public",
|
68
|
-
"method_name":"formats",
|
69
|
-
"code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/mime_negotiation.rb#L63"
|
70
54
|
}, {
|
71
55
|
"class_name":"ActionDispatch::FileHandler",
|
72
56
|
"instance_method":true,
|
73
57
|
"method_visibility": "public",
|
74
58
|
"method_name":"match?",
|
75
59
|
"code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/static.rb#L30"
|
60
|
+
}, {
|
61
|
+
"class_name":"ActionDispatch::Http::MimeNegotiation",
|
62
|
+
"instance_method":true,
|
63
|
+
"method_visibility": "public",
|
64
|
+
"method_name":"formats",
|
65
|
+
"code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/mime_negotiation.rb#L63"
|
76
66
|
}, {
|
77
67
|
"class_name":"ActionDispatch::Journey::Router",
|
78
68
|
"instance_method":true,
|
@@ -83,7 +73,7 @@
|
|
83
73
|
"class_name":"ActionDispatch::Request",
|
84
74
|
"instance_method":true,
|
85
75
|
"method_visibility": "public",
|
86
|
-
"method_name":"
|
76
|
+
"method_name":"controller_class_for",
|
87
77
|
"code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/request.rb#L84"
|
88
78
|
}, {
|
89
79
|
"class_name":"ActionDispatch::Request",
|
data/ruby-agent.gemspec
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# Copyright (c)
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require_relative './lib/contrast/agent/version'
|
@@ -20,39 +20,79 @@ end
|
|
20
20
|
|
21
21
|
# Add those dependencies required to develop or test the Agent
|
22
22
|
def self.add_dev_dependencies spec
|
23
|
-
spec
|
24
|
-
spec
|
23
|
+
add_builders(spec)
|
24
|
+
add_debuggers(spec)
|
25
|
+
add_linters(spec) # if RUBY_VERSION >= '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
|
26
|
+
add_specs(spec)
|
27
|
+
end
|
28
|
+
|
29
|
+
# Dependencies used to build the agent during development.
|
30
|
+
def self.add_builders spec
|
25
31
|
spec.add_development_dependency 'bundler'
|
32
|
+
spec.add_development_dependency 'rake', '>= 12.3.3'
|
33
|
+
spec.add_development_dependency 'rake-compiler', '~> 0'
|
34
|
+
end
|
35
|
+
|
36
|
+
# Dependencies used for local debugging during development.
|
37
|
+
def self.add_debuggers spec
|
38
|
+
spec.add_development_dependency 'pry'
|
39
|
+
spec.add_development_dependency 'ruby-debug-ide'
|
40
|
+
end
|
41
|
+
|
42
|
+
# Dependencies used for framework testing.
|
43
|
+
def self.add_frameworks spec
|
44
|
+
spec.add_development_dependency 'rails', '6.0.3.5'
|
45
|
+
spec.add_development_dependency 'sinatra', '>= 2'
|
46
|
+
end
|
47
|
+
|
48
|
+
# Dependencies used for linting prior to commit.
|
49
|
+
def self.add_linters spec
|
50
|
+
spec.add_development_dependency 'debride', '1.8.2'
|
51
|
+
spec.add_development_dependency 'fasterer', '0.9.0'
|
52
|
+
spec.add_development_dependency 'flay', '2.12.1'
|
53
|
+
add_rubocop(spec)
|
54
|
+
end
|
55
|
+
|
56
|
+
# Dependencies used to run our current RSpec test suite.
|
57
|
+
def self.add_specs spec
|
58
|
+
add_coverage(spec)
|
59
|
+
add_frameworks(spec)
|
60
|
+
add_tested_gems(spec)
|
61
|
+
|
62
|
+
spec.add_development_dependency 'benchmark-ips'
|
26
63
|
spec.add_development_dependency 'climate_control' # mock ENV
|
27
|
-
spec.add_development_dependency 'debase'
|
28
|
-
spec.add_development_dependency 'debride'
|
29
|
-
spec.add_development_dependency 'execjs'
|
30
64
|
spec.add_development_dependency 'factory_bot'
|
31
65
|
spec.add_development_dependency 'fake_ftp'
|
32
|
-
spec.add_development_dependency 'fasterer'
|
33
|
-
spec.add_development_dependency 'flay'
|
34
66
|
spec.add_development_dependency 'openssl'
|
35
|
-
spec.add_development_dependency 'parser', '~> 2.6'
|
36
|
-
spec.add_development_dependency 'pry'
|
37
|
-
spec.add_development_dependency 'rails', '>= 3'
|
38
|
-
spec.add_development_dependency 'rake', '>= 12.3.3'
|
39
|
-
spec.add_development_dependency 'rake-compiler', '~> 0'
|
40
67
|
spec.add_development_dependency 'rspec', '~> 3.0'
|
41
68
|
spec.add_development_dependency 'rspec-benchmark'
|
42
69
|
spec.add_development_dependency 'rspec_junit_formatter', '0.3.0'
|
43
|
-
spec.add_development_dependency '
|
44
|
-
spec.add_development_dependency '
|
70
|
+
spec.add_development_dependency 'rspec-rails', '5.0'
|
71
|
+
spec.add_development_dependency 'tzinfo-data' # Alpine rspec-rails requirement.
|
72
|
+
end
|
73
|
+
|
74
|
+
def self.add_coverage spec
|
75
|
+
spec.add_development_dependency 'codecov', '0.5.2'
|
76
|
+
spec.add_development_dependency 'simplecov', '0.21.2'
|
77
|
+
end
|
78
|
+
|
79
|
+
# Dependencies used to run all of our Rubocop during the linting phase.
|
80
|
+
def self.add_rubocop spec
|
81
|
+
spec.add_development_dependency 'rubocop', '1.13.0'
|
82
|
+
spec.add_development_dependency 'rubocop-performance', '1.11.0'
|
45
83
|
spec.add_development_dependency 'rubocop-rails', '2.9.1'
|
46
84
|
spec.add_development_dependency 'rubocop-rake', '0.5.1'
|
47
|
-
spec.add_development_dependency 'rubocop-rspec', '2.
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
85
|
+
spec.add_development_dependency 'rubocop-rspec', '2.2.0'
|
86
|
+
end
|
87
|
+
|
88
|
+
# Dependencies not mocked out during RSpec that we test real code of, beyond just frameworks.
|
89
|
+
def self.add_tested_gems spec
|
90
|
+
spec.add_development_dependency 'async'
|
91
|
+
spec.add_development_dependency 'execjs'
|
92
|
+
spec.add_development_dependency 'sqlite3'
|
52
93
|
spec.add_development_dependency 'therubyracer'
|
53
94
|
spec.add_development_dependency 'tilt'
|
54
95
|
spec.add_development_dependency 'xpath'
|
55
|
-
spec.add_development_dependency 'yarjuf', '~> 2.0'
|
56
96
|
end
|
57
97
|
|
58
98
|
# Add those dependencies required to run the Agent in customer applications.
|
@@ -62,7 +102,7 @@ end
|
|
62
102
|
# corresponding update to the fake gem server data in TeamServer.
|
63
103
|
def self.add_dependencies spec
|
64
104
|
spec.add_dependency 'ougai', '~> 1.8'
|
65
|
-
spec.add_dependency 'parser', '
|
105
|
+
spec.add_dependency 'parser', '>= 2.6' # if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
|
66
106
|
spec.add_dependency 'protobuf', '~> 3.10'
|
67
107
|
spec.add_dependency 'rack', '~> 2.0'
|
68
108
|
end
|
@@ -114,9 +154,7 @@ Gem::Specification.new do |spec|
|
|
114
154
|
spec.name = 'contrast-agent'
|
115
155
|
spec.version = Contrast::Agent::VERSION
|
116
156
|
|
117
|
-
spec.email = %w[
|
118
|
-
ruby@contrastsecurity.com
|
119
|
-
]
|
157
|
+
spec.email = %w[ruby@contrastsecurity.com]
|
120
158
|
|
121
159
|
spec.summary = 'Contrast Security\'s agent for rack-based applications.'
|
122
160
|
spec.description = 'This gem instantiates a Rack middleware for rack-based ' \
|
@@ -124,7 +162,7 @@ Gem::Specification.new do |spec|
|
|
124
162
|
'Testing and Protection.'
|
125
163
|
spec.homepage = 'https://www.contrastsecurity.com'
|
126
164
|
spec.license = 'CONTRAST SECURITY (see license file)'
|
127
|
-
spec.required_ruby_version = ['>= 2.5.0', '<
|
165
|
+
spec.required_ruby_version = ['>= 2.5.0', '< 3.1.0']
|
128
166
|
|
129
167
|
spec.bindir = 'exe'
|
130
168
|
spec.executables = ['contrast_service']
|
@@ -133,7 +171,8 @@ Gem::Specification.new do |spec|
|
|
133
171
|
spec.require_paths = ['lib']
|
134
172
|
|
135
173
|
unless File.exist?(File.join(Dir.pwd, 'contrast_security.yaml'))
|
136
|
-
spec.post_install_message = 'To generate the required contrast_security.yaml file you can run:
|
174
|
+
spec.post_install_message = 'To generate the required contrast_security.yaml file you can run: '\
|
175
|
+
'bundle exec rake contrast:config:create'
|
137
176
|
end
|
138
177
|
|
139
178
|
add_authors(spec)
|
data/service_executables/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
2.
|
1
|
+
2.19.0
|
Binary file
|
Binary file
|
@@ -0,0 +1,9 @@
|
|
1
|
+
sonar.projectKey=Contrast-Security-Inc_ruby-agent
|
2
|
+
sonar.organization=contrast-security-inc
|
3
|
+
|
4
|
+
# Ignore C/CPP/ObjC files
|
5
|
+
sonar.c.file.suffixes=-
|
6
|
+
sonar.cpp.file.suffixes=-
|
7
|
+
sonar.objc.file.suffixes=-
|
8
|
+
|
9
|
+
sonar.ruby.coverage.reportPaths=coverage/coverage-formatted.json
|