RubyGems - contrast-agent - Versions diffs - 4.4.1 → 4.9.0 - Mend

contrast-agent 4.4.1 → 4.9.0

Files changed (314) hide show

checksums.yaml +4 -4
data/.gitignore +6 -1
data/.gitmodules +1 -1
data/.simplecov +2 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +44 -15
data/lib/contrast/agent.rb +1 -3
data/lib/contrast/agent/assess.rb +2 -2
data/lib/contrast/agent/assess/contrast_event.rb +54 -72
data/lib/contrast/agent/assess/contrast_object.rb +3 -3
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +28 -38
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +24 -20
data/lib/contrast/agent/assess/policy/patcher.rb +17 -22
data/lib/contrast/agent/assess/policy/policy.rb +2 -2
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +4 -6
data/lib/contrast/agent/assess/policy/preshift.rb +8 -6
data/lib/contrast/agent/assess/policy/propagation_method.rb +12 -25
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +4 -7
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/split.rb +13 -14
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +4 -11
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +14 -11
data/lib/contrast/agent/assess/policy/source_method.rb +97 -86
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -11
data/lib/contrast/agent/assess/policy/trigger_method.rb +104 -77
data/lib/contrast/agent/assess/policy/trigger_node.rb +6 -5
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +5 -4
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -3
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +1 -1
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +2 -9
data/lib/contrast/agent/assess/properties.rb +1 -1
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +1 -1
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +8 -10
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +1 -1
data/lib/contrast/agent/at_exit_hook.rb +4 -4
data/lib/contrast/agent/class_reopener.rb +10 -7
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +5 -8
data/lib/contrast/agent/exclusion_matcher.rb +8 -15
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +3 -7
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +38 -28
data/lib/contrast/agent/inventory/policy/datastores.rb +4 -5
data/lib/contrast/agent/inventory/policy/policy.rb +2 -2
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +52 -80
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +10 -10
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +32 -38
data/lib/contrast/agent/patching/policy/patch_status.rb +7 -8
data/lib/contrast/agent/patching/policy/patcher.rb +29 -28
data/lib/contrast/agent/patching/policy/policy.rb +16 -25
data/lib/contrast/agent/patching/policy/policy_node.rb +17 -8
data/lib/contrast/agent/patching/policy/trigger_node.rb +22 -9
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +2 -2
data/lib/contrast/agent/protect/policy/rule_applicator.rb +8 -10
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +26 -40
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +19 -24
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +7 -11
data/lib/contrast/agent/protect/rule/sqli.rb +3 -3
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/reaction_processor.rb +14 -14
data/lib/contrast/agent/request.rb +29 -27
data/lib/contrast/agent/request_context.rb +20 -30
data/lib/contrast/agent/request_handler.rb +6 -4
data/lib/contrast/agent/response.rb +3 -4
data/lib/contrast/agent/rewriter.rb +10 -7
data/lib/contrast/agent/rule_set.rb +6 -5
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +5 -7
data/lib/contrast/agent/static_analysis.rb +7 -6
data/lib/contrast/agent/thread.rb +3 -5
data/lib/contrast/agent/thread_watcher.rb +4 -5
data/lib/contrast/agent/tracepoint_hook.rb +6 -6
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +5 -6
data/lib/contrast/api/communication/response_processor.rb +13 -15
data/lib/contrast/api/communication/service_lifecycle.rb +10 -7
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +23 -32
data/lib/contrast/api/communication/speedracer.rb +10 -15
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +1 -1
data/lib/contrast/api/decorators/address.rb +3 -4
data/lib/contrast/api/decorators/agent_startup.rb +8 -10
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +14 -10
data/lib/contrast/api/decorators/application_update.rb +1 -5
data/lib/contrast/api/decorators/http_request.rb +4 -8
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +35 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +10 -10
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +1 -1
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +4 -2
data/lib/contrast/api/decorators/trace_event_object.rb +4 -7
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +20 -26
data/lib/contrast/components/app_context.rb +12 -16
data/lib/contrast/components/assess.rb +20 -25
data/lib/contrast/components/base.rb +40 -0
data/lib/contrast/components/config.rb +3 -4
data/lib/contrast/components/contrast_service.rb +13 -19
data/lib/contrast/components/heap_dump.rb +6 -5
data/lib/contrast/components/inventory.rb +3 -8
data/lib/contrast/components/logger.rb +2 -3
data/lib/contrast/components/protect.rb +14 -20
data/lib/contrast/components/sampling.rb +14 -8
data/lib/contrast/components/scope.rb +2 -5
data/lib/contrast/components/settings.rb +28 -103
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +7 -19
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +4 -11
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +5 -14
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +9 -18
data/lib/contrast/extension/assess/hash.rb +4 -4
data/lib/contrast/extension/assess/kernel.rb +5 -14
data/lib/contrast/extension/assess/marshal.rb +7 -15
data/lib/contrast/extension/assess/regexp.rb +7 -11
data/lib/contrast/extension/assess/string.rb +9 -7
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +3 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -6
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +7 -12
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +12 -25
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +13 -10
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +42 -36
data/lib/contrast/framework/rails/railtie.rb +34 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +6 -5
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +3 -3
data/lib/contrast/framework/sinatra/support.rb +4 -2
data/lib/contrast/funchook/funchook.rb +6 -9
data/lib/contrast/logger/application.rb +14 -16
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +27 -10
data/lib/contrast/logger/request.rb +2 -7
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +7 -8
data/lib/contrast/utils/assess/sampling_util.rb +3 -4
data/lib/contrast/utils/assess/tracking_util.rb +4 -7
data/lib/contrast/utils/class_util.rb +15 -11
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +6 -4
data/lib/contrast/utils/invalid_configuration_util.rb +5 -4
data/lib/contrast/utils/inventory_util.rb +3 -4
data/lib/contrast/utils/io_util.rb +4 -6
data/lib/contrast/utils/job_servers_running.rb +14 -8
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +5 -5
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +3 -4
data/lib/contrast/utils/tag_util.rb +26 -20
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +60 -2
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +25 -21
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +108 -51
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/agent/railtie.rb +0 -31
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/components/interface.rb +0 -195

data/lib/contrast/agent/assess/policy/trigger_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/trigger/reflected_xss'
@@ -47,8 +47,8 @@ module Contrast
             TRIGGER
           end
-          def apply_custom_trigger context, trigger_node, source, object, ret, *args
-            custom_trigger_class.send(@trigger_method, context, trigger_node, source, object, ret, *args)
+          def apply_custom_trigger trigger_node, source, object, ret, *args
+            custom_trigger_class.send(@trigger_method, trigger_node, source, object, ret, *args)
           end
           def custom_trigger_class
@@ -68,7 +68,7 @@ module Contrast
           end
           def rule_disabled?
-            ASSESS.rule_disabled?(rule_id)
+            ::Contrast::ASSESS.rule_disabled?(rule_id)
           end
           # Indicate if this is a dataflow based trigger, meaning it has a proper
@@ -104,7 +104,8 @@ module Contrast
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
+                                                     required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -35,9 +35,10 @@ module Contrast
               # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
               def regexp_vulnerable? regexp
                 # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
-                # A level is defined as any set of opening and closing control characters immediately followed by a multi match control character.
-                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS,
-                # or MULTI_MATCH_CHARS that is not immediately preceded by an escaping \ character.
+                # A level is defined as any set of opening and closing control characters immediately followed by a
+                #   multi match control character.
+                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS, or MULTI_MATCH_CHARS that
+                #   is not immediately preceded by an escaping \ character.
                 # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
                 # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -10,8 +10,7 @@ module Contrast
           # before serializing that finding as a DTM to report to the service.
           module SSRFValidator
             RULE_NAME = 'ssrf'
-            URL_PATTERN =
-              %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze
+            URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength
             # The Net::HTTP class validates host format on instantiation. Since
             # our triggers for that class are on the instance, they already
             # have this validation done for them. We do not need to apply the

data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -11,14 +11,7 @@ module Contrast
           # the service.
           module XSSValidator
             RULE_NAME = 'reflected-xss'
-            SAFE_CONTENT_TYPES = %w[
-              /csv
-              /javascript
-              /json
-              /pdf
-              /x-javascript
-              /x-json
-            ].cs__freeze
+            SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze
             # A finding is valid for XSS if the response type is not one of
             # those assumed to be safe

data/lib/contrast/agent/assess/properties.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'base64'

data/lib/contrast/agent/assess/property/evented.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/events/event_factory'
@@ -14,7 +14,7 @@ module Contrast
         # @attr_reader event [Contrast::Agent::Assess::ContrastEvent] the
         #   latest event to track
         module Evented
-          attr_accessor :event
+          attr_reader :event
           # Create a new event and add it to the event set.
           #
@@ -31,7 +31,8 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
-            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
+            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args,
+                                                                         source_type, source_name)
             report_sources(tagged, event)
           end
@@ -46,10 +47,12 @@ module Contrast
             return unless tagged && !tagged.to_s.empty?
             return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
             return unless event.source_type
+            return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
+            if current_request.observed_route.sources.any? do |source|
+                 source.type == event.forced_source_type && source.name == event.forced_source_name
+               end
-            current_request = Contrast::Agent::REQUEST_TRACKER.current
-            return unless current_request
-            if current_request.observed_route.sources.any? { |source| source.type == event.forced_source_type && source.name == event.forced_source_name }
               return
             end

data/lib/contrast/agent/assess/property/tagged.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/tag'

data/lib/contrast/agent/assess/property/updated.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/duck_utils'

data/lib/contrast/agent/assess/rule/provider.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -55,9 +55,12 @@ module Contrast
               value_node.children.each do |child|
                 next unless child
-                return false unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
-                    child.type == :LIT &&
-                    child.children[0]&.cs__is_a?(Integer)
+                unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                      child.type == :LIT &&
+                      child.children[0]&.cs__is_a?(Integer)
+                  return false
+                end
               end
               true
@@ -84,8 +87,11 @@ module Contrast
               return false unless children.length >= 2
               potential_string_node = children[0]
-              return false unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
-                  potential_string_node.type == :STR
+              unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                    potential_string_node.type == :STR
+                return false
+              end
               children[1] == :bytes
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -29,7 +29,10 @@ module Contrast
             # These are markers whose presence indicates that a field is more
             # likely to be a descriptor or requirement than an actual password.
             # We should ignore fields that contain them.
-            NON_PASSWORD_PARTIAL_NAMES = %w[DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE URI].cs__freeze
+            NON_PASSWORD_PARTIAL_NAMES = %w[
+              DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE
+              URI
+            ].cs__freeze
             # If the constant looks like a password and it doesn't look like a
             # password descriptor, it passes for this rule

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb CHANGED Viewed

@@ -1,8 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/trigger_method'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/extension/module'
 module Contrast
@@ -18,18 +18,15 @@ module Contrast
           #    given value set
           # 3) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
-            include Contrast::Components::Interface
-            access_component :analysis, :app_context, :logging
+            include Contrast::Components::Logger::InstanceMethods
             def disabled?
-              !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
+              !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
             end
             # TODO: RUBY-1014 - remove `#analyze`
-            COMMON_CONSTANTS = %i[
-              CONTRAST_ASSESS_POLICY_STATUS
-              VERSION
-            ].cs__freeze
+            COMMON_CONSTANTS = %i[CONTRAST_ASSESS_POLICY_STATUS VERSION].cs__freeze
             def analyze clazz
               return if disabled?
@@ -171,7 +168,8 @@ module Contrast
               finding.properties[SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(class_name)
               finding.properties[CONSTANT_NAME_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string)
-              finding.properties[CODE_SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
+              finding.properties[CODE_SOURCE_KEY] =
+                Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)

data/lib/contrast/agent/assess/tag.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/assess/tracker.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/finalizers/hash'

data/lib/contrast/agent/at_exit_hook.rb CHANGED Viewed

@@ -1,14 +1,14 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 module Contrast
   module Agent
     # This module adds an at_exit hook for us to send messages that may be lost at process exit
     module AtExitHook
-      include Contrast::Components::Interface
-      access_component :logging
+      extend Contrast::Components::Logger::InstanceMethods
       def self.exit_hook
         @_exit_hook ||= begin
           at_exit do

data/lib/contrast/agent/class_reopener.rb CHANGED Viewed

@@ -1,9 +1,12 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
 require 'ripper'
 require 'contrast/extension/module'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 require 'contrast/logger/log'
 # This method is left purposefully at the top level namespace. Moving it
@@ -18,7 +21,7 @@ require 'contrast/logger/log'
 def unbound_eval _class_name, content
   # Yuck, this is a top-level method that has to break encapsulation
   # in order to access scoping!
-  Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.enter_contrast_scope!
+  ::Contrast::SCOPE.scope_for_current_ec.enter_contrast_scope!
   eval(content) # rubocop:disable Security/Eval
 rescue Exception # rubocop:disable Lint/RescueException
   # We can't use components here, so we have to access the log directly. I hate
@@ -27,7 +30,7 @@ rescue Exception # rubocop:disable Lint/RescueException
   # And we need to return nil here, not the value from the logger.
   nil
 ensure
-  Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.exit_contrast_scope!
+  ::Contrast::SCOPE.scope_for_current_ec.exit_contrast_scope!
 end
 module Contrast
@@ -36,8 +39,8 @@ module Contrast
     # @deprecated Changes to this class are discouraged as this approach is
     #   being phased out with support for those language versions.
     class ClassReopener
-      include Contrast::Components::Interface
-      access_component :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
       END_NEW_LINE = "end\n"
       PROTECTED_WITH_NEW_LINE = "protected\n"
@@ -48,7 +51,7 @@ module Contrast
                   :public_instance_methods, :protected_instance_methods, :private_instance_methods, :locations
       def initialize module_data
-        @class_module_path = module_data.name
+        @class_module_path = module_data.mod_name
         clazz = module_data.mod
         @is_class = clazz.is_a?(Class)
         @public_instance_methods = []

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/policy_node'

data/lib/contrast/agent/deadzone/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/deadzone/policy/deadzone_node'
@@ -8,8 +8,8 @@ module Contrast
   module Agent
     module Deadzone
       module Policy
-        # This is just a holder for our policy. Takes the policy JSON and
-        # converts it into hashes that we can access nicely
+        # This is just a holder for our policy. Takes the policy JSON and converts it into hashes that we can access
+        # nicely.
         class Policy < Contrast::Agent::Patching::Policy::Policy
           def self.policy_folder
             'deadzone'
@@ -35,6 +35,10 @@ module Contrast
             end
           end
+          def module_names
+            @_module_names ||= Set.new(deadzones.map(&:class_name))
+          end
           def add_node node, _node_type = :deadzones
             unless node
               logger.error('Node was nil when adding node to policy')

data/lib/contrast/agent/disable_reaction.rb CHANGED Viewed

@@ -1,7 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -9,14 +9,11 @@ module Contrast
     # typically because some configuration setting did not satisfy requirements
     # set by the Organization's Administrator
     class DisableReaction
-      include Contrast::Components::Interface
-      access_component :agent, :logging
+      extend Contrast::Components::Logger::InstanceMethods
       def self.run _reaction, level
-        logger.with_level(
-            level,
-            'Contrast received instructions to disable itself - Disabling now')
-        AGENT.disable!
+        logger.with_level(level, 'Contrast received instructions to disable itself - Disabling now')
+        ::Contrast::AGENT.disable!
       end
     end
   end

data/lib/contrast/agent/exclusion_matcher.rb CHANGED Viewed

@@ -1,7 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -9,8 +9,7 @@ module Contrast
     # the Application. If a request or an event matches one of these, the
     # functions of the Agent are suppressed for that request or event.
     class ExclusionMatcher
-      include Contrast::Components::Interface
-      access_component :logging
+      include Contrast::Components::Logger::InstanceMethods
       # Create a matcher around an exclusion sent from TeamServer.
       #
@@ -47,7 +46,7 @@ module Contrast
         return if @wildcard_url
         return unless @exclusion.urls&.any?
-        @wildcard_url ||= @exclusion.urls.any? { |test| test == '/.*' }
+        @wildcard_url ||= @exclusion.urls.any?('/.*')
         return if @wildcard_url
         @urls = []
@@ -95,8 +94,8 @@ module Contrast
         @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
       end
-      def name
-        @exclusion.name
+      def exc_name
+        @exclusion.name # rubocop:disable Security/Module/Name -- part of the API.
       end
       def match_all?
@@ -109,10 +108,7 @@ module Contrast
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def protection_rule? rule
-        protect? &&
-            (@exclusion.protection_rules.empty? ||
-                @exclusion.protection_rules.include?(rule)
-            )
+        protect? && (@exclusion.protection_rules.empty? || @exclusion.protection_rules.include?(rule))
       end
       # Determine if the given rule is excluded by this exclusion.
@@ -121,10 +117,7 @@ module Contrast
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def assess_rule? rule
-        assess? &&
-            (@exclusion.assessment_rules.empty? ||
-                @exclusion.assessment_rules.include?(rule)
-            )
+        assess? && (@exclusion.assessment_rules.empty? || @exclusion.assessment_rules.include?(rule))
       end
       def match_code? stack_trace