RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/assess/policy/source_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/source_method'
@@ -8,11 +8,13 @@ module Contrast
     module Assess
       module Policy
         module SourceValidation
-          # Validator used to assert a CROSS_SITE tag is actually applicable to
-          # the given method before applying the tag to its target
+          # Validator used to assert a CROSS_SITE tag is actually applicable to the given method before applying the
+          # tag to its target
           module CrossSiteValidator
-            # prevent the application of a tag if it is from a source known to
-            # not apply a tag in a provided context.
+            # Prevent the application of a tag if it is from a source known to not apply a tag in a provided context.
+            # Note that for Rack, the Header will be HTTP_REFERER. Rails does some help in
+            # ActionDispatch::Http::Headers to convert keys like `referer` to `HTTP_REFERER` before they get to the
+            # Rack::Request#get_header method
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
             def self.valid? tag, source_type, source_name
               return true unless tag == 'CROSS_SITE'
@@ -20,7 +22,7 @@ module Contrast
               return true unless source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE
               return false unless source_name
-              source_name.casecmp?('referer')
+              source_name == 'HTTP_REFERER'
             end
           end
         end

data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/source_validation/cross_site_validator'
@@ -11,9 +11,7 @@ module Contrast
         # certain tags in a given context. This provides a single place from
         # which those validations can be called.
         module SourceValidation
-          VALIDATORS = [
-            Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator
-          ].cs__freeze
+          VALIDATORS = [Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator].cs__freeze
           # Determines if the conditions in which this source was called are
           # valid and should result in the application of a tag

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -24,7 +24,7 @@ module Contrast
               }.cs__freeze
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
-              def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
+              def xss_tilt_trigger trigger_node, _source, object, ret, *args
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
                 scope = args[0]
@@ -44,7 +44,11 @@ module Contrast
                 end
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
+                                                                               ret,
+                                                                               erb_template_prerender,
+                                                                               ret,
+                                                                               interpolated_inputs)
                 end
                 ret

data/lib/contrast/agent/assess/policy/trigger/xpath.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -19,31 +19,30 @@ module Contrast
             include Contrast::Components::Interface
             class << self
-              def xpath_expression_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_expression_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
-              def xpath_oga_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_oga_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
                 # convert the options arg in Oga::XML::CharacterNode#initialize into an
                 # array of its values so we can check if any are unsafe
                 args = args.first.values if args.first.cs__is_a?(Hash)
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
               private
-              def process context, trigger_node, object, ret, *args
+              def process trigger_node, object, ret, *args
                 args.each do |arg|
                   next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
                   next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, *args)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, arg, object, ret, *args)
                 end
                 ret

data/lib/contrast/agent/assess/policy/trigger_method.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/events/event_factory'
@@ -27,24 +27,6 @@ module Contrast
           CURRENT_FINDING_VERSION = 4
           class << self
-            # Append the given finding to the given context to be reported when
-            # the Context's activity is sent to the Service or, in the absence
-            # of that Context, generate an Activity and queue it manually
-            # @param finding [Contrast::Api::Dtm::Finding]
-            def report_finding finding
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              if context
-                context.activity.findings << finding
-              else
-                activity = Contrast::Api::Dtm::Activity.new
-                activity.findings << finding
-                Contrast::Agent.messaging_queue.send_event_eventually(activity)
-              end
-              logger.debug('Finding reported',
-                           rule: finding.rule_id)
-            end
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -57,38 +39,23 @@ module Contrast
             def apply_trigger_rule trigger_node, object, ret, args
               return if trigger_node.nil?
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return unless current_context&.analyze_request? && ASSESS.enabled?
               if trigger_node.sources&.any?
                 trigger_node.sources.each do |marker|
                   source = determine_source(marker, object, ret, args)
-                  apply_trigger(current_context,
-                                trigger_node,
-                                source,
-                                object,
-                                ret,
-                                *args)
+                  apply_trigger(trigger_node, source, object, ret, *args)
                 end
               else
-                apply_trigger(current_context,
-                              trigger_node,
-                              nil,
-                              object,
-                              ret,
-                              *args)
+                apply_trigger(trigger_node, nil, object, ret, *args)
               end
             end
-            def apply_eval_trigger context, trigger_node, source, object, ret, *args
-              apply_trigger(context, trigger_node, source, object, ret, *args)
+            def apply_eval_trigger trigger_node, source, object, ret, *args
+              apply_trigger(trigger_node, source, object, ret, *args)
             end
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -99,39 +66,94 @@ module Contrast
             # @return [Contrast::Api::Dtm::Finding, nil] the
             #   Contrast::Api::Dtm::Finding to send to TeamServer or nil if
             #   conditions were not met
-            def build_finding context, trigger_node, source, object, ret, *args
+            def build_finding trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
-              request = context.request
-              env = request.env
-              return if defined?(ActionController::Live) &&
-                  env &&
-                  env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live)
+              request = find_request(source)
+              return unless reportable?(request&.env)
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              build_from_source(finding, source)
-              trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
-              finding.events << trigger_event
-              build_hash(finding, source)
-              finding.routes << context.route if context.route
+              append_events(finding, trigger_node, source, object, ret, args)
+              append_route(finding, request)
+              append_hash(finding, source, request)
               finding.version = determine_compliance_version(finding)
-              logger.trace('Finding created',
-                           node_id: trigger_node.id,
-                           source_id: source.__id__,
-                           rule: trigger_node.rule_id)
-              report_finding(finding)
+              logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
+                                              rule: trigger_node.rule_id)
+              report_finding(finding, request)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
+            # Given a finding, append it to an activity message and send it to
+            # the Service for processing.
+            #
+            # @param finding [Contrast::Api::Dtm::Finding] the Finding to
+            #    report.
+            # @param request [Contrast::Agent::Request] our wrapper around the
+            #   Rack::Request.
+            def report_finding finding, request = nil
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+                return
+              end
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.findings << finding
+              if request
+                activity.http_request = request.dtm
+              else
+                logger.debug('Attempted to report finding without request', finding: finding)
+              end
+              # If we're out of request context, then we need to report this
+              # finding ourselves, so we'll send it in the one-off activity we
+              # created.
+              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+            end
             private
+            # A request is reportable if it is not from ActionController::Live
+            #
+            # @param env [Hash] the env of the Request
+            # @return [Boolean]
+            def reportable? env
+              !(defined?(ActionController::Live) &&
+                env &&
+                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+            end
+            # Find the request for this finding. This assumes, for now, that if
+            # there is an active request, then that is the request to report.
+            # Otherwise, we'll use the first request found in the events of the
+            # source_object.
+            #
+            # @param source [Object,nil] some Object used as the source of a
+            #   trigger event
+            # @return [Contrast::Agent::Request,nil] the request from which the
+            #   dataflow on the request originated.
+            def find_request source
+              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
+              properties.events.each do |event|
+                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+                return event.request if event.request
+              end
+              nil
+            end
+            def settings
+              Contrast::Agent::FeatureState.instance
+            end
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -139,19 +161,19 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_trigger context, trigger_node, source, object, ret, *args
-              return unless context && trigger_node
+            def apply_trigger trigger_node, source, object, ret, *args
+              return unless trigger_node
               return if trigger_node.rule_disabled?
               return if trigger_node.dataflow? && source.nil?
               if trigger_node.regexp_rule?
-                apply_regexp_rule(context, trigger_node, source, object, ret, *args)
+                apply_regexp_rule(trigger_node, source, object, ret, *args)
               elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(context, trigger_node, source, object, ret, *args)
+                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
               elsif trigger_node.dataflow?
-                apply_dataflow_rule(context, trigger_node, source, object, ret, *args)
+                apply_dataflow_rule(trigger_node, source, object, ret, *args)
               else # trigger rule - just calling the method is dangerous
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               end
             rescue StandardError => e
               logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
@@ -199,8 +221,6 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -208,19 +228,17 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_regexp_rule context, trigger_node, source, object, ret, *args
+            def apply_regexp_rule trigger_node, source, object, ret, *args
               return unless source.is_a?(String)
               return if trigger_node.good_value && source.match?(trigger_node.good_value)
               return if trigger_node.bad_value && source !~ trigger_node.bad_value
-              build_finding(context, trigger_node, source, object, ret, *args)
+              build_finding(trigger_node, source, object, ret, *args)
             end
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -228,22 +246,22 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_dataflow_rule context, trigger_node, source, object, ret, *args
+            def apply_dataflow_rule trigger_node, source, object, ret, *args
               return unless source
               if Contrast::Agent::Assess::Tracker.trackable?(source)
                 return unless Contrast::Agent::Assess::Tracker.tracked?(source)
                 return unless trigger_node.violated?(source)
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
                 source.each_pair do |key, value|
-                  apply_dataflow_rule(context, trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
                 source.each do |value|
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               else
                 logger.debug('Trigger source is untrackable. Unable to inspect.',
@@ -255,7 +273,13 @@ module Contrast
               end
             end
-            def build_from_source finding, source
+            def append_events finding, trigger_node, source, object, ret, args
+              append_from_source(finding, source)
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,
+                                                                                    args).to_dtm_event
+            end
+            def append_from_source finding, source
               return unless source
               return unless Contrast::Agent::Assess::Tracker.trackable?(source)
@@ -286,8 +310,17 @@ module Contrast
               finding.events << event.to_dtm_event
             end
-            def build_hash finding, source
-              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
+            def append_route finding, request
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                finding.routes << context.route if context.route
+              elsif request&.route
+                finding.routes << request.route
+              end
+            end
+            def append_hash finding, source, request
+              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end

data/lib/contrast/agent/assess/policy/trigger_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/trigger/reflected_xss'
@@ -47,8 +47,8 @@ module Contrast
             TRIGGER
           end
-          def apply_custom_trigger context, trigger_node, source, object, ret, *args
-            custom_trigger_class.send(@trigger_method, context, trigger_node, source, object, ret, *args)
+          def apply_custom_trigger trigger_node, source, object, ret, *args
+            custom_trigger_class.send(@trigger_method, trigger_node, source, object, ret, *args)
           end
           def custom_trigger_class
@@ -104,7 +104,8 @@ module Contrast
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
+                                                     required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
@@ -185,11 +186,7 @@ module Contrast
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
           def ranges_with_all_tags length, properties, required_tags
-            # if there are no tags, not required tags, or the tags don't have
-            # all the required tags, we can just return here.
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
             ranges = []
             chunking = false
@@ -229,8 +226,7 @@ module Contrast
           #   by the given conditions
           def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless search_tags?(properties, tags)
             ranges = []
             tags.each do |desired|
@@ -243,6 +239,32 @@ module Contrast
             end
             ranges
           end
+          # We should only try to match tags on properties if those properties have any tags (are tracked) and there
+          # are tags to try and match on. Some rules, like regexp rules, have no tags. Some rules, like trigger, have
+          # no properties.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def search_tags? properties, tags
+            return false unless properties.tracked?
+            return false unless tags&.any?
+            true
+          end
+          # Determine if the given properties have instances of all the given tags or not.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def matches_tags? properties, tags
+            return false unless search_tags?(properties, tags)
+            return false unless tags.all? { |tag| properties.tag_keys.include?(tag) }
+            true
+          end
         end
       end
     end