RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/assess/policy/source_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/source_method'
@@ -8,11 +8,13 @@ module Contrast
     module Assess
       module Policy
         module SourceValidation
-          # Validator used to assert a CROSS_SITE tag is actually applicable to
-          # the given method before applying the tag to its target
+          # Validator used to assert a CROSS_SITE tag is actually applicable to the given method before applying the
+          # tag to its target
           module CrossSiteValidator
-            # prevent the application of a tag if it is from a source known to
-            # not apply a tag in a provided context.
+            # Prevent the application of a tag if it is from a source known to not apply a tag in a provided context.
+            # Note that for Rack, the Header will be HTTP_REFERER. Rails does some help in
+            # ActionDispatch::Http::Headers to convert keys like `referer` to `HTTP_REFERER` before they get to the
+            # Rack::Request#get_header method
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
             def self.valid? tag, source_type, source_name
               return true unless tag == 'CROSS_SITE'
@@ -20,7 +22,7 @@ module Contrast
               return true unless source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE
               return false unless source_name
-              source_name.casecmp?('referer')
+              source_name == 'HTTP_REFERER'
             end
           end
         end

data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/source_validation/cross_site_validator'
@@ -11,9 +11,7 @@ module Contrast
         # certain tags in a given context. This provides a single place from
         # which those validations can be called.
         module SourceValidation
-          VALIDATORS = [
-            Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator
-          ].cs__freeze
+          VALIDATORS = [Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator].cs__freeze
           # Determines if the conditions in which this source was called are
           # valid and should result in the application of a tag

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -24,7 +24,7 @@ module Contrast
               }.cs__freeze
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
-              def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
+              def xss_tilt_trigger trigger_node, _source, object, ret, *args
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
                 scope = args[0]
@@ -44,7 +44,11 @@ module Contrast
                 end
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
+                                                                               ret,
+                                                                               erb_template_prerender,
+                                                                               ret,
+                                                                               interpolated_inputs)
                 end
                 ret

data/lib/contrast/agent/assess/policy/trigger/xpath.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -19,31 +19,30 @@ module Contrast
             include Contrast::Components::Interface
             class << self
-              def xpath_expression_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_expression_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
-              def xpath_oga_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_oga_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
                 # convert the options arg in Oga::XML::CharacterNode#initialize into an
                 # array of its values so we can check if any are unsafe
                 args = args.first.values if args.first.cs__is_a?(Hash)
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
               private
-              def process context, trigger_node, object, ret, *args
+              def process trigger_node, object, ret, *args
                 args.each do |arg|
                   next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
                   next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, *args)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, arg, object, ret, *args)
                 end
                 ret

data/lib/contrast/agent/assess/policy/trigger_method.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/events/event_factory'
@@ -27,24 +27,6 @@ module Contrast
           CURRENT_FINDING_VERSION = 4
           class << self
-            # Append the given finding to the given context to be reported when
-            # the Context's activity is sent to the Service or, in the absence
-            # of that Context, generate an Activity and queue it manually
-            # @param finding [Contrast::Api::Dtm::Finding]
-            def report_finding finding
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              if context
-                context.activity.findings << finding
-              else
-                activity = Contrast::Api::Dtm::Activity.new
-                activity.findings << finding
-                Contrast::Agent.messaging_queue.send_event_eventually(activity)
-              end
-              logger.debug('Finding reported',
-                           rule: finding.rule_id)
-            end
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -57,38 +39,23 @@ module Contrast
             def apply_trigger_rule trigger_node, object, ret, args
               return if trigger_node.nil?
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return unless current_context&.analyze_request? && ASSESS.enabled?
               if trigger_node.sources&.any?
                 trigger_node.sources.each do |marker|
                   source = determine_source(marker, object, ret, args)
-                  apply_trigger(current_context,
-                                trigger_node,
-                                source,
-                                object,
-                                ret,
-                                *args)
+                  apply_trigger(trigger_node, source, object, ret, *args)
                 end
               else
-                apply_trigger(current_context,
-                              trigger_node,
-                              nil,
-                              object,
-                              ret,
-                              *args)
+                apply_trigger(trigger_node, nil, object, ret, *args)
               end
             end
-            def apply_eval_trigger context, trigger_node, source, object, ret, *args
-              apply_trigger(context, trigger_node, source, object, ret, *args)
+            def apply_eval_trigger trigger_node, source, object, ret, *args
+              apply_trigger(trigger_node, source, object, ret, *args)
             end
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -99,39 +66,94 @@ module Contrast
             # @return [Contrast::Api::Dtm::Finding, nil] the
             #   Contrast::Api::Dtm::Finding to send to TeamServer or nil if
             #   conditions were not met
-            def build_finding context, trigger_node, source, object, ret, *args
+            def build_finding trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
-              request = context.request
-              env = request.env
-              return if defined?(ActionController::Live) &&
-                  env &&
-                  env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live)
+              request = find_request(source)
+              return unless reportable?(request&.env)
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              build_from_source(finding, source)
-              trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
-              finding.events << trigger_event
-              build_hash(finding, source)
-              finding.routes << context.route if context.route
+              append_events(finding, trigger_node, source, object, ret, args)
+              append_route(finding, request)
+              append_hash(finding, source, request)
               finding.version = determine_compliance_version(finding)
-              logger.trace('Finding created',
-                           node_id: trigger_node.id,
-                           source_id: source.__id__,
-                           rule: trigger_node.rule_id)
-              report_finding(finding)
+              logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
+                                              rule: trigger_node.rule_id)
+              report_finding(finding, request)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
+            # Given a finding, append it to an activity message and send it to
+            # the Service for processing.
+            #
+            # @param finding [Contrast::Api::Dtm::Finding] the Finding to
+            #    report.
+            # @param request [Contrast::Agent::Request] our wrapper around the
+            #   Rack::Request.
+            def report_finding finding, request = nil
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+                return
+              end
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.findings << finding
+              if request
+                activity.http_request = request.dtm
+              else
+                logger.debug('Attempted to report finding without request', finding: finding)
+              end
+              # If we're out of request context, then we need to report this
+              # finding ourselves, so we'll send it in the one-off activity we
+              # created.
+              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+            end
             private
+            # A request is reportable if it is not from ActionController::Live
+            #
+            # @param env [Hash] the env of the Request
+            # @return [Boolean]
+            def reportable? env
+              !(defined?(ActionController::Live) &&
+                env &&
+                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+            end
+            # Find the request for this finding. This assumes, for now, that if
+            # there is an active request, then that is the request to report.
+            # Otherwise, we'll use the first request found in the events of the
+            # source_object.
+            #
+            # @param source [Object,nil] some Object used as the source of a
+            #   trigger event
+            # @return [Contrast::Agent::Request,nil] the request from which the
+            #   dataflow on the request originated.
+            def find_request source
+              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
+              properties.events.each do |event|
+                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+                return event.request if event.request
+              end
+              nil
+            end
+            def settings
+              Contrast::Agent::FeatureState.instance
+            end
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -139,19 +161,19 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_trigger context, trigger_node, source, object, ret, *args
-              return unless context && trigger_node
+            def apply_trigger trigger_node, source, object, ret, *args
+              return unless trigger_node
               return if trigger_node.rule_disabled?
               return if trigger_node.dataflow? && source.nil?
               if trigger_node.regexp_rule?
-                apply_regexp_rule(context, trigger_node, source, object, ret, *args)
+                apply_regexp_rule(trigger_node, source, object, ret, *args)
               elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(context, trigger_node, source, object, ret, *args)
+                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
               elsif trigger_node.dataflow?
-                apply_dataflow_rule(context, trigger_node, source, object, ret, *args)
+                apply_dataflow_rule(trigger_node, source, object, ret, *args)
               else # trigger rule - just calling the method is dangerous
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               end
             rescue StandardError => e
               logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
@@ -199,8 +221,6 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -208,19 +228,17 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_regexp_rule context, trigger_node, source, object, ret, *args
+            def apply_regexp_rule trigger_node, source, object, ret, *args
               return unless source.is_a?(String)
               return if trigger_node.good_value && source.match?(trigger_node.good_value)
               return if trigger_node.bad_value && source !~ trigger_node.bad_value
-              build_finding(context, trigger_node, source, object, ret, *args)
+              build_finding(trigger_node, source, object, ret, *args)
             end
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -228,22 +246,22 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_dataflow_rule context, trigger_node, source, object, ret, *args
+            def apply_dataflow_rule trigger_node, source, object, ret, *args
               return unless source
               if Contrast::Agent::Assess::Tracker.trackable?(source)
                 return unless Contrast::Agent::Assess::Tracker.tracked?(source)
                 return unless trigger_node.violated?(source)
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
                 source.each_pair do |key, value|
-                  apply_dataflow_rule(context, trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
                 source.each do |value|
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               else
                 logger.debug('Trigger source is untrackable. Unable to inspect.',
@@ -255,7 +273,13 @@ module Contrast
               end
             end
-            def build_from_source finding, source
+            def append_events finding, trigger_node, source, object, ret, args
+              append_from_source(finding, source)
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,
+                                                                                    args).to_dtm_event
+            end
+            def append_from_source finding, source
               return unless source
               return unless Contrast::Agent::Assess::Tracker.trackable?(source)
@@ -286,8 +310,17 @@ module Contrast
               finding.events << event.to_dtm_event
             end
-            def build_hash finding, source
-              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
+            def append_route finding, request
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                finding.routes << context.route if context.route
+              elsif request&.route
+                finding.routes << request.route
+              end
+            end
+            def append_hash finding, source, request
+              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end

data/lib/contrast/agent/assess/policy/trigger_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/trigger/reflected_xss'
@@ -47,8 +47,8 @@ module Contrast
             TRIGGER
           end
-          def apply_custom_trigger context, trigger_node, source, object, ret, *args
-            custom_trigger_class.send(@trigger_method, context, trigger_node, source, object, ret, *args)
+          def apply_custom_trigger trigger_node, source, object, ret, *args
+            custom_trigger_class.send(@trigger_method, trigger_node, source, object, ret, *args)
           end
           def custom_trigger_class
@@ -104,7 +104,8 @@ module Contrast
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
+                                                     required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
@@ -185,11 +186,7 @@ module Contrast
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
           def ranges_with_all_tags length, properties, required_tags
-            # if there are no tags, not required tags, or the tags don't have
-            # all the required tags, we can just return here.
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
             ranges = []
             chunking = false
@@ -229,8 +226,7 @@ module Contrast
           #   by the given conditions
           def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless search_tags?(properties, tags)
             ranges = []
             tags.each do |desired|
@@ -243,6 +239,32 @@ module Contrast
             end
             ranges
           end
+          # We should only try to match tags on properties if those properties have any tags (are tracked) and there
+          # are tags to try and match on. Some rules, like regexp rules, have no tags. Some rules, like trigger, have
+          # no properties.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def search_tags? properties, tags
+            return false unless properties.tracked?
+            return false unless tags&.any?
+            true
+          end
+          # Determine if the given properties have instances of all the given tags or not.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def matches_tags? properties, tags
+            return false unless search_tags?(properties, tags)
+            return false unless tags.all? { |tag| properties.tag_keys.include?(tag) }
+            true
+          end
         end
       end
     end