RubyGems - contrast-agent - Versions diffs - 4.6.0 → 4.9.1 - Mend

contrast-agent 4.6.0 → 4.9.1

Files changed (190) hide show

checksums.yaml +4 -4
data/.gitignore +6 -1
data/.gitmodules +1 -1
data/.simplecov +1 -0
data/Rakefile +1 -2
data/ext/build_funchook.rb +3 -3
data/ext/extconf_common.rb +1 -5
data/lib/contrast.rb +24 -14
data/lib/contrast/agent/assess.rb +1 -1
data/lib/contrast/agent/assess/contrast_event.rb +1 -4
data/lib/contrast/agent/assess/contrast_object.rb +2 -2
data/lib/contrast/agent/assess/events/event_factory.rb +2 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +2 -4
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +6 -3
data/lib/contrast/agent/assess/policy/patcher.rb +16 -21
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +25 -33
data/lib/contrast/agent/assess/policy/policy_scanner.rb +3 -5
data/lib/contrast/agent/assess/policy/preshift.rb +7 -5
data/lib/contrast/agent/assess/policy/propagation_method.rb +10 -19
data/lib/contrast/agent/assess/policy/propagation_node.rb +19 -8
data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +3 -6
data/lib/contrast/agent/assess/policy/propagator/insert.rb +3 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +2 -12
data/lib/contrast/agent/assess/policy/propagator/split.rb +12 -13
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +3 -10
data/lib/contrast/agent/assess/policy/propagator/trim.rb +3 -15
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +13 -10
data/lib/contrast/agent/assess/policy/source_method.rb +12 -12
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +1 -3
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +5 -1
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +0 -3
data/lib/contrast/agent/assess/policy/trigger_method.rb +8 -18
data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -2
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +4 -3
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -2
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -8
data/lib/contrast/agent/assess/property/evented.rb +8 -5
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +11 -5
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +4 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +7 -9
data/lib/contrast/agent/at_exit_hook.rb +3 -3
data/lib/contrast/agent/class_reopener.rb +9 -6
data/lib/contrast/agent/disable_reaction.rb +4 -7
data/lib/contrast/agent/exclusion_matcher.rb +7 -14
data/lib/contrast/agent/inventory/dependencies.rb +2 -0
data/lib/contrast/agent/inventory/dependency_analysis.rb +2 -6
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +3 -5
data/lib/contrast/agent/inventory/policy/datastores.rb +3 -4
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/middleware.rb +17 -18
data/lib/contrast/agent/module_data.rb +3 -3
data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -3
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -9
data/lib/contrast/agent/patching/policy/method_policy.rb +6 -2
data/lib/contrast/agent/patching/policy/module_policy.rb +14 -7
data/lib/contrast/agent/patching/policy/patch.rb +20 -25
data/lib/contrast/agent/patching/policy/patch_status.rb +6 -7
data/lib/contrast/agent/patching/policy/patcher.rb +21 -18
data/lib/contrast/agent/patching/policy/policy.rb +2 -4
data/lib/contrast/agent/patching/policy/policy_node.rb +16 -7
data/lib/contrast/agent/patching/policy/trigger_node.rb +21 -8
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -3
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +5 -9
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +7 -9
data/lib/contrast/agent/protect/rule/base.rb +20 -23
data/lib/contrast/agent/protect/rule/base_service.rb +9 -5
data/lib/contrast/agent/protect/rule/cmd_injection.rb +18 -23
data/lib/contrast/agent/protect/rule/deserialization.rb +6 -13
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +3 -14
data/lib/contrast/agent/protect/rule/no_sqli.rb +6 -2
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +1 -3
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
data/lib/contrast/agent/protect/rule/sqli.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +1 -1
data/lib/contrast/agent/protect/rule/xss.rb +1 -1
data/lib/contrast/agent/protect/rule/xxe.rb +5 -12
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +1 -2
data/lib/contrast/agent/reaction_processor.rb +13 -13
data/lib/contrast/agent/request.rb +27 -26
data/lib/contrast/agent/request_context.rb +17 -22
data/lib/contrast/agent/request_handler.rb +5 -3
data/lib/contrast/agent/response.rb +2 -3
data/lib/contrast/agent/rewriter.rb +9 -6
data/lib/contrast/agent/rule_set.rb +5 -4
data/lib/contrast/agent/service_heartbeat.rb +4 -6
data/lib/contrast/agent/static_analysis.rb +6 -5
data/lib/contrast/agent/thread.rb +2 -4
data/lib/contrast/agent/thread_watcher.rb +3 -4
data/lib/contrast/agent/tracepoint_hook.rb +5 -5
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +4 -5
data/lib/contrast/api/communication/response_processor.rb +11 -13
data/lib/contrast/api/communication/service_lifecycle.rb +9 -6
data/lib/contrast/api/communication/socket_client.rb +22 -31
data/lib/contrast/api/communication/speedracer.rb +8 -13
data/lib/contrast/api/decorators/address.rb +2 -3
data/lib/contrast/api/decorators/agent_startup.rb +7 -9
data/lib/contrast/api/decorators/application_startup.rb +12 -10
data/lib/contrast/api/decorators/application_update.rb +0 -4
data/lib/contrast/api/decorators/http_request.rb +3 -7
data/lib/contrast/api/decorators/instrumentation_mode.rb +3 -5
data/lib/contrast/api/decorators/library.rb +8 -6
data/lib/contrast/api/decorators/message.rb +9 -9
data/lib/contrast/api/decorators/trace_event.rb +3 -1
data/lib/contrast/api/decorators/trace_event_object.rb +3 -6
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +1 -6
data/lib/contrast/components/agent.rb +17 -17
data/lib/contrast/components/app_context.rb +11 -15
data/lib/contrast/components/assess.rb +16 -16
data/lib/contrast/components/base.rb +40 -0
data/lib/contrast/components/config.rb +2 -3
data/lib/contrast/components/contrast_service.rb +12 -18
data/lib/contrast/components/heap_dump.rb +5 -4
data/lib/contrast/components/inventory.rb +2 -7
data/lib/contrast/components/logger.rb +1 -2
data/lib/contrast/components/protect.rb +10 -13
data/lib/contrast/components/sampling.rb +13 -7
data/lib/contrast/components/scope.rb +0 -4
data/lib/contrast/components/settings.rb +5 -7
data/lib/contrast/config/assess_rules_configuration.rb +1 -3
data/lib/contrast/config/base_configuration.rb +4 -5
data/lib/contrast/config/exception_configuration.rb +1 -5
data/lib/contrast/config/heap_dump_configuration.rb +12 -6
data/lib/contrast/config/logger_configuration.rb +1 -5
data/lib/contrast/configuration.rb +6 -18
data/lib/contrast/extension/assess/array.rb +3 -10
data/lib/contrast/extension/assess/erb.rb +1 -7
data/lib/contrast/extension/assess/eval_trigger.rb +4 -9
data/lib/contrast/extension/assess/exec_trigger.rb +3 -9
data/lib/contrast/extension/assess/fiber.rb +8 -17
data/lib/contrast/extension/assess/hash.rb +3 -3
data/lib/contrast/extension/assess/kernel.rb +4 -13
data/lib/contrast/extension/assess/marshal.rb +6 -10
data/lib/contrast/extension/assess/regexp.rb +6 -10
data/lib/contrast/extension/assess/string.rb +8 -6
data/lib/contrast/extension/kernel.rb +2 -2
data/lib/contrast/extension/protect/kernel.rb +0 -5
data/lib/contrast/framework/manager.rb +3 -5
data/lib/contrast/framework/rack/patch/session_cookie.rb +11 -24
data/lib/contrast/framework/rack/patch/support.rb +6 -4
data/lib/contrast/framework/rails/patch/assess_configuration.rb +12 -9
data/lib/contrast/framework/rails/patch/support.rb +41 -35
data/lib/contrast/framework/rails/railtie.rb +34 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +4 -1
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +2 -0
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +5 -4
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +2 -0
data/lib/contrast/framework/rails/support.rb +2 -2
data/lib/contrast/framework/sinatra/support.rb +3 -1
data/lib/contrast/funchook/funchook.rb +5 -8
data/lib/contrast/logger/application.rb +13 -15
data/lib/contrast/logger/format.rb +2 -5
data/lib/contrast/logger/log.rb +26 -9
data/lib/contrast/logger/request.rb +1 -6
data/lib/contrast/security_exception.rb +1 -1
data/lib/contrast/tasks/config.rb +0 -1
data/lib/contrast/tasks/service.rb +6 -7
data/lib/contrast/utils/assess/sampling_util.rb +2 -3
data/lib/contrast/utils/assess/tracking_util.rb +3 -6
data/lib/contrast/utils/class_util.rb +0 -8
data/lib/contrast/utils/hash_digest.rb +2 -5
data/lib/contrast/utils/heap_dump_util.rb +5 -3
data/lib/contrast/utils/invalid_configuration_util.rb +4 -3
data/lib/contrast/utils/inventory_util.rb +2 -3
data/lib/contrast/utils/io_util.rb +3 -5
data/lib/contrast/utils/job_servers_running.rb +13 -7
data/lib/contrast/utils/os.rb +4 -4
data/lib/contrast/utils/ruby_ast_rewriter.rb +2 -1
data/lib/contrast/utils/string_utils.rb +2 -3
data/lib/contrast/utils/tag_util.rb +25 -19
data/resources/assess/policy.json +55 -0
data/ruby-agent.gemspec +17 -16
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +61 -46
data/lib/contrast/agent/railtie.rb +0 -31
data/lib/contrast/components/interface.rb +0 -195
data/lib/contrast/delegators/input_analysis.rb +0 -12

data/lib/contrast/extension/assess/kernel.rb CHANGED Viewed

@@ -1,8 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
 require 'contrast/extension/assess/exec_trigger'
+require 'contrast/components/logger'
 module Contrast
   module Extension
@@ -13,11 +13,9 @@ module Contrast
       # Kernel Module or exposing our methods there.
       module KernelPropagator
         class << self
-          include Contrast::Components::Interface
+          extend Contrast::Components::Logger::InstanceMethods
           include Contrast::Extension::Assess::ExecTrigger
-          access_component :logging
           # We're 'tracking' sprintf now, meaning if anything is tracked on the way
           # in, the entire result will be tracked out. We're going to take this
           # approach for now b/c it's fast and easy. I don't super love it, and by
@@ -47,13 +45,7 @@ module Contrast
             parent_events = []
             track_sprintf(ret, format_string, args, parent_events)
-            properties.build_event(
-                patcher,
-                ret,
-                preshift.object,
-                ret,
-                preshift.args,
-                1)
+            properties.build_event(patcher, ret, preshift.object, ret, preshift.args, 1)
             properties.event.instance_variable_set(:@_parent_events, parent_events)
             ret
@@ -70,8 +62,7 @@ module Contrast
               handle_sprintf_array(args, result, parent_events)
             end
           rescue StandardError => e
-            logger.error(
-                'Unable to track dataflow through sprintf', e)
+            logger.error('Unable to track dataflow through sprintf', e)
           end
           def instrument_kernel_track

data/lib/contrast/extension/assess/marshal.rb CHANGED Viewed

@@ -1,7 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 module Contrast
   module Extension
@@ -11,9 +12,8 @@ module Contrast
       # Hopefully, we'll be in a 'get it right' state soon.
       # This module is used for our Marshal.load patches
       class MarshalPropagator
-        include Contrast::Components::Interface
-        access_component :logging, :scope
+        extend Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Scope::InstanceMethods
         class << self
           def cs__load_protect arg
@@ -31,12 +31,8 @@ module Contrast
               # source might not be all the args passed in, but it is the one we care
               # about. we could pass in all the args in the last param here if it
               # becomes an issue in rendering on TS
-              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                  trigger_node('Marshal', :load),
-                  source,
-                  self,
-                  ret,
-                  *args)
+              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node('Marshal', :load), source,
+                                                                           self, ret, *args)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
               properties.copy_from(source, ret)

data/lib/contrast/extension/assess/regexp.rb CHANGED Viewed

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/propagation_node'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 module Contrast
   module Extension
@@ -12,9 +13,9 @@ module Contrast
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # Regexp Class or exposing our methods there.
       class RegexpPropagator
-        include Contrast::Components::Interface
+        extend Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Scope::InstanceMethods
-        access_component :analysis, :logging, :scope
         REGEXP_EQUAL_SQUIGGLE_HASH = {
             'id' => 'regexp_100',
@@ -34,7 +35,7 @@ module Contrast
         class << self
           def track_equal_squiggle info_hash
-            return unless ASSESS.enabled?
+            return unless ::Contrast::ASSESS.enabled?
             # Because we have a special case for this propagation,
             # it falls out of regular scoping. As such, any patch to the `=~` method
@@ -53,12 +54,7 @@ module Contrast
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
               properties.splat_from(string, target)
-              properties.build_event(
-                  REGEXP_EQUAL_SQUIGGLE_NODE,
-                  target,
-                  self,
-                  result,
-                  [string])
+              properties.build_event(REGEXP_EQUAL_SQUIGGLE_NODE, target, self, result, [string])
             end
           rescue Exception => e # rubocop:disable Lint/RescueException
             logger.error('Unable to propagate during Regexp#=~', e)

data/lib/contrast/extension/assess/string.rb CHANGED Viewed

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/propagation_node'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 module Contrast
   module Extension
@@ -12,9 +13,8 @@ module Contrast
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # String Class or exposing our methods there.
       class StringPropagator
-        include Contrast::Components::Interface
-        access_component :agent, :analysis, :logging, :scope
+        extend Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Scope::InstanceMethods
         NODE_HASH = {
             'class_name' => 'String',
@@ -31,7 +31,7 @@ module Contrast
         class << self
           def track_interpolation inputs, result
-            return unless AGENT.interpolation_enabled?
+            return unless ::Contrast::AGENT.interpolation_enabled?
             return if in_contrast_scope?
             return unless inputs.any? { |input| Contrast::Agent::Assess::Tracker.tracked?(input) }
@@ -66,7 +66,9 @@ module Contrast
           def instrument_string_interpolation
             if @_instrument_string_interpolation.nil?
               @_instrument_string_interpolation = begin
-                require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26' if AGENT.patch_interpolation? && Funchook.available?
+                if ::Contrast::AGENT.patch_interpolation? && Funchook.available?
+                  require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
+                end
                 true
               rescue StandardError, LoadError => e
                 logger.error('Error loading interpolation patch', e)

data/lib/contrast/extension/kernel.rb CHANGED Viewed

@@ -41,13 +41,13 @@ module Kernel # :nodoc:
   def catch *args, &block
     # Save current scope level
-    scope_level = Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
+    scope_level = ::Contrast::SCOPE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
     # Run original catch with block.
     retval = cs__catch(*args, &block)
     # Restore scope.
-    Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
+    ::Contrast::SCOPE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
     retval
   end

data/lib/contrast/extension/protect/kernel.rb CHANGED Viewed

@@ -1,8 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
 module Contrast
   module Extension
     module Protect
@@ -10,9 +8,6 @@ module Contrast
       # allowing us to track activity as it crosses spawned processes.
       module Kernel
         class << self
-          include Contrast::Components::Interface
-          access_component :contrast_service
           def build_wrapper
             lambda {
               proc_start

data/lib/contrast/framework/manager.rb CHANGED Viewed

@@ -1,26 +1,24 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+require 'contrast/components/logger'
 require 'contrast/framework/platform_version'
 require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
 require 'contrast/framework/sinatra/support'
-require 'contrast/components/interface'
 require 'contrast/utils/class_util'
 module Contrast
   module Framework
     # Allows access to framework specific information
     class Manager
-      include Contrast::Components::Interface
-      access_component :analysis, :logging
+      include Contrast::Components::Logger::InstanceMethods
       # Order here does matter as the first framework listed will be the first one we pull information from
       # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
       # do not exist
       SUPPORTED_FRAMEWORKS = [
-        Contrast::Framework::Rails::Support,
-        Contrast::Framework::Sinatra::Support,
+        Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
         Contrast::Framework::Rack::Support
       ].cs__freeze

data/lib/contrast/framework/rack/patch/session_cookie.rb CHANGED Viewed

@@ -1,7 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 module Contrast
   module Framework
@@ -11,9 +12,8 @@ module Contrast
         # runtime detection of insecure configurations on individual cookies
         # within the application
         class SessionCookie
-          include Contrast::Components::Interface
-          access_component :agent, :analysis, :logging, :scope
+          extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Components::Scope::InstanceMethods
           CS__SECURE_RULE_NAME = 'secure-flag-missing'
           CS__HTTPONLY_NAME = 'rails-http-only-disabled'
@@ -36,8 +36,8 @@ module Contrast
             end
             def analyze options
-              return unless AGENT.enabled?
-              return if ASSESS.forcibly_disabled?
+              return unless ::Contrast::AGENT.enabled?
+              return if ::Contrast::ASSESS.forcibly_disabled?
               apply_session_timeout(options)
               apply_httponly(options)
@@ -61,16 +61,9 @@ module Contrast
             end
             def apply_secure_session options
-              return unless vulnerable_setting?(
-                  :secure,
-                  true,
-                  options,
-                  safe_default: false)
-              cs__report_finding(
-                  CS__SECURE_RULE_NAME,
-                  options,
-                  caller_locations(10, 9)[0])
+              return unless vulnerable_setting?(:secure, true, options, safe_default: false)
+              cs__report_finding(CS__SECURE_RULE_NAME, options, caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to secure session', e)
@@ -86,10 +79,7 @@ module Contrast
                                                 safe_default: false,
                                                 comparison_type: :greater_than)
-              cs__report_finding(
-                  CS__SESSION_TIMEOUT_NAME,
-                  options,
-                  caller_locations(10, 9)[0])
+              cs__report_finding(CS__SESSION_TIMEOUT_NAME, options, caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to set session timeout', e)
@@ -101,10 +91,7 @@ module Contrast
             def apply_httponly options
               return unless vulnerable_setting?(:httponly, true, options)
-              cs__report_finding(
-                  CS__HTTPONLY_NAME,
-                  options,
-                  caller_locations(10, 9)[0])
+              cs__report_finding(CS__HTTPONLY_NAME, options, caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to httponly', e)

data/lib/contrast/framework/rack/patch/support.rb CHANGED Viewed

@@ -12,10 +12,12 @@ module Contrast
         module Support
           # (See BaseSupport#after_load_patches)
           def after_load_patches
-            Set.new([Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                'Rack::Session::Cookie',
-                'contrast/framework/rack/patch/session_cookie',
-                instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')])
+            Set.new([
+                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                          'Rack::Session::Cookie',
+                          'contrast/framework/rack/patch/session_cookie',
+                          instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')
+                    ])
           end
         end
       end

data/lib/contrast/framework/rails/patch/assess_configuration.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
 require 'contrast/utils/invalid_configuration_util'
 module Contrast
@@ -10,9 +9,8 @@ module Contrast
       module Patch
         # This module is used to analyze rails session storage configuration for assess vulnerabilities
         module AssessConfiguration
-          include Contrast::Components::Interface
+          include Contrast::Components::Logger::InstanceMethods
-          access_component :agent, :analysis, :logging
           CS__SESSION_TIMEOUT_NAME = 'session-timeout'
           SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
@@ -23,7 +21,7 @@ module Contrast
             include Contrast::Utils::InvalidConfigurationUtil
             def analyze_session_store *args
-              return if ASSESS.forcibly_disabled?
+              return if ::Contrast::ASSESS.forcibly_disabled?
               apply_httponly_disabled(*args)
               apply_secure_cookie_disabled(*args)
@@ -32,7 +30,11 @@ module Contrast
             private
-            def vulnerable_setting? setting_key, safe_settings_value, original_args, safe_default: true, comparison_type: nil
+            def vulnerable_setting?(setting_key,
+                                    safe_settings_value,
+                                    original_args,
+                                    safe_default: true,
+                                    comparison_type: nil)
               # In most cases, Rails is pretty nice and the default value is safe
               return !safe_default unless original_args && original_args.length > 1
@@ -48,8 +50,9 @@ module Contrast
             end
             def apply_session_timeout *args
-              return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
-              return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
+              return if ::Contrast::ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
+              return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args,
+                                                comparison_type: :greater_than, safe_default: false)
               rails_session_settings = args[1]
               cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(3, 2)[0])
@@ -62,7 +65,7 @@ module Contrast
             end
             def apply_secure_cookie_disabled *args
-              return if ASSESS.rule_disabled? CS__SECURE_RULE_NAME
+              return if ::Contrast::ASSESS.rule_disabled? CS__SECURE_RULE_NAME
               return unless vulnerable_setting?(:secure, true, args)
               rails_session_settings = args[1]
@@ -76,7 +79,7 @@ module Contrast
             end
             def apply_httponly_disabled *args
-              return if ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
+              return if ::Contrast::ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
               return unless vulnerable_setting?(:httponly, true, args)
               rails_session_settings = args[1]

data/lib/contrast/framework/rails/patch/support.rb CHANGED Viewed

@@ -20,45 +20,51 @@ module Contrast
             # (i.e., where we normally patch) we will miss the configuration
             # and will never be able to report session misconfiguration rules.
             Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
-            require 'contrast/agent/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
+            require 'contrast/framework/rails/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
           end
           # (See BaseSupport#after_load_patches)
           def after_load_patches
-            Set.new([
-                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                          'ActionController::Live::Buffer',
-                          'contrast/framework/rails/patch/action_controller_live_buffer',
-                          instrumenting_module: 'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
-                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                          'Rails::Application::Configuration',
-                          'contrast/framework/rails/patch/rails_application_configuration',
-                          method_to_instrument: :session_store,
-                          instrumenting_module: 'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration'),
-                      # TODO: RUBY-714 remove w/ EOL of 2.5
-                      #
-                      # @deprecated  Everything past here is used for Rewriting and can
-                      #   be removed once we no longer support 2.5.
-                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                          'ActionController::Railties::Helper::ClassMethods',
-                          'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
-                          method_to_instrument: :inherited,
-                          instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
-                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                          'ActiveRecord::AttributeMethods::Read::ClassMethods',
-                          'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
-                          instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
-                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                          'ActiveRecord::Scoping::Named::ClassMethods',
-                          'contrast/framework/rails/rewrite/active_record_named',
-                          instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
-                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                          'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
-                          'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
-                          method_to_instrument: :inherited,
-                          instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
-                    ])
+            patches = Set.new([
+                                Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                                    'ActionController::Live::Buffer',
+                                    'contrast/framework/rails/patch/action_controller_live_buffer',
+                                    instrumenting_module: 'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
+                                Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                                    'Rails::Application::Configuration',
+                                    'contrast/framework/rails/patch/rails_application_configuration',
+                                    method_to_instrument: :session_store,
+                                    instrumenting_module: 'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
+                              ])
+            if RUBY_VERSION < '2.6.0'
+              patches.merge([
+                              # TODO: RUBY-714 remove w/ EOL of 2.5
+                              #
+                              # @deprecated  Everything past here is used for Rewriting and can
+                              #   be removed once we no longer support 2.5.
+                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                                  'ActionController::Railties::Helper::ClassMethods',
+                                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
+                                  method_to_instrument: :inherited,
+                                  instrumenting_module:
+                                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
+                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
+                                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
+                                  instrumenting_module:
+                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
+                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                                  'ActiveRecord::Scoping::Named::ClassMethods',
+                                  'contrast/framework/rails/rewrite/active_record_named',
+                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
+                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
+                                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
+                                  method_to_instrument: :inherited,
+                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
+                            ])
+            end
+            patches
           end
         end
       end