RubyGems - contrast-agent - Versions diffs - 4.6.0 → 4.9.1 - Mend

contrast-agent 4.6.0 → 4.9.1

Files changed (190) hide show

checksums.yaml +4 -4
data/.gitignore +6 -1
data/.gitmodules +1 -1
data/.simplecov +1 -0
data/Rakefile +1 -2
data/ext/build_funchook.rb +3 -3
data/ext/extconf_common.rb +1 -5
data/lib/contrast.rb +24 -14
data/lib/contrast/agent/assess.rb +1 -1
data/lib/contrast/agent/assess/contrast_event.rb +1 -4
data/lib/contrast/agent/assess/contrast_object.rb +2 -2
data/lib/contrast/agent/assess/events/event_factory.rb +2 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +2 -4
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +6 -3
data/lib/contrast/agent/assess/policy/patcher.rb +16 -21
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +25 -33
data/lib/contrast/agent/assess/policy/policy_scanner.rb +3 -5
data/lib/contrast/agent/assess/policy/preshift.rb +7 -5
data/lib/contrast/agent/assess/policy/propagation_method.rb +10 -19
data/lib/contrast/agent/assess/policy/propagation_node.rb +19 -8
data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +3 -6
data/lib/contrast/agent/assess/policy/propagator/insert.rb +3 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +2 -12
data/lib/contrast/agent/assess/policy/propagator/split.rb +12 -13
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +3 -10
data/lib/contrast/agent/assess/policy/propagator/trim.rb +3 -15
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +13 -10
data/lib/contrast/agent/assess/policy/source_method.rb +12 -12
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +1 -3
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +5 -1
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +0 -3
data/lib/contrast/agent/assess/policy/trigger_method.rb +8 -18
data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -2
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +4 -3
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -2
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -8
data/lib/contrast/agent/assess/property/evented.rb +8 -5
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +11 -5
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +4 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +7 -9
data/lib/contrast/agent/at_exit_hook.rb +3 -3
data/lib/contrast/agent/class_reopener.rb +9 -6
data/lib/contrast/agent/disable_reaction.rb +4 -7
data/lib/contrast/agent/exclusion_matcher.rb +7 -14
data/lib/contrast/agent/inventory/dependencies.rb +2 -0
data/lib/contrast/agent/inventory/dependency_analysis.rb +2 -6
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +3 -5
data/lib/contrast/agent/inventory/policy/datastores.rb +3 -4
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/middleware.rb +17 -18
data/lib/contrast/agent/module_data.rb +3 -3
data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -3
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -9
data/lib/contrast/agent/patching/policy/method_policy.rb +6 -2
data/lib/contrast/agent/patching/policy/module_policy.rb +14 -7
data/lib/contrast/agent/patching/policy/patch.rb +20 -25
data/lib/contrast/agent/patching/policy/patch_status.rb +6 -7
data/lib/contrast/agent/patching/policy/patcher.rb +21 -18
data/lib/contrast/agent/patching/policy/policy.rb +2 -4
data/lib/contrast/agent/patching/policy/policy_node.rb +16 -7
data/lib/contrast/agent/patching/policy/trigger_node.rb +21 -8
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -3
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -1
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +5 -9
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +7 -9
data/lib/contrast/agent/protect/rule/base.rb +20 -23
data/lib/contrast/agent/protect/rule/base_service.rb +9 -5
data/lib/contrast/agent/protect/rule/cmd_injection.rb +18 -23
data/lib/contrast/agent/protect/rule/deserialization.rb +6 -13
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +3 -14
data/lib/contrast/agent/protect/rule/no_sqli.rb +6 -2
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +1 -3
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
data/lib/contrast/agent/protect/rule/sqli.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +1 -1
data/lib/contrast/agent/protect/rule/xss.rb +1 -1
data/lib/contrast/agent/protect/rule/xxe.rb +5 -12
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +1 -2
data/lib/contrast/agent/reaction_processor.rb +13 -13
data/lib/contrast/agent/request.rb +27 -26
data/lib/contrast/agent/request_context.rb +17 -22
data/lib/contrast/agent/request_handler.rb +5 -3
data/lib/contrast/agent/response.rb +2 -3
data/lib/contrast/agent/rewriter.rb +9 -6
data/lib/contrast/agent/rule_set.rb +5 -4
data/lib/contrast/agent/service_heartbeat.rb +4 -6
data/lib/contrast/agent/static_analysis.rb +6 -5
data/lib/contrast/agent/thread.rb +2 -4
data/lib/contrast/agent/thread_watcher.rb +3 -4
data/lib/contrast/agent/tracepoint_hook.rb +5 -5
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +4 -5
data/lib/contrast/api/communication/response_processor.rb +11 -13
data/lib/contrast/api/communication/service_lifecycle.rb +9 -6
data/lib/contrast/api/communication/socket_client.rb +22 -31
data/lib/contrast/api/communication/speedracer.rb +8 -13
data/lib/contrast/api/decorators/address.rb +2 -3
data/lib/contrast/api/decorators/agent_startup.rb +7 -9
data/lib/contrast/api/decorators/application_startup.rb +12 -10
data/lib/contrast/api/decorators/application_update.rb +0 -4
data/lib/contrast/api/decorators/http_request.rb +3 -7
data/lib/contrast/api/decorators/instrumentation_mode.rb +3 -5
data/lib/contrast/api/decorators/library.rb +8 -6
data/lib/contrast/api/decorators/message.rb +9 -9
data/lib/contrast/api/decorators/trace_event.rb +3 -1
data/lib/contrast/api/decorators/trace_event_object.rb +3 -6
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +1 -6
data/lib/contrast/components/agent.rb +17 -17
data/lib/contrast/components/app_context.rb +11 -15
data/lib/contrast/components/assess.rb +16 -16
data/lib/contrast/components/base.rb +40 -0
data/lib/contrast/components/config.rb +2 -3
data/lib/contrast/components/contrast_service.rb +12 -18
data/lib/contrast/components/heap_dump.rb +5 -4
data/lib/contrast/components/inventory.rb +2 -7
data/lib/contrast/components/logger.rb +1 -2
data/lib/contrast/components/protect.rb +10 -13
data/lib/contrast/components/sampling.rb +13 -7
data/lib/contrast/components/scope.rb +0 -4
data/lib/contrast/components/settings.rb +5 -7
data/lib/contrast/config/assess_rules_configuration.rb +1 -3
data/lib/contrast/config/base_configuration.rb +4 -5
data/lib/contrast/config/exception_configuration.rb +1 -5
data/lib/contrast/config/heap_dump_configuration.rb +12 -6
data/lib/contrast/config/logger_configuration.rb +1 -5
data/lib/contrast/configuration.rb +6 -18
data/lib/contrast/extension/assess/array.rb +3 -10
data/lib/contrast/extension/assess/erb.rb +1 -7
data/lib/contrast/extension/assess/eval_trigger.rb +4 -9
data/lib/contrast/extension/assess/exec_trigger.rb +3 -9
data/lib/contrast/extension/assess/fiber.rb +8 -17
data/lib/contrast/extension/assess/hash.rb +3 -3
data/lib/contrast/extension/assess/kernel.rb +4 -13
data/lib/contrast/extension/assess/marshal.rb +6 -10
data/lib/contrast/extension/assess/regexp.rb +6 -10
data/lib/contrast/extension/assess/string.rb +8 -6
data/lib/contrast/extension/kernel.rb +2 -2
data/lib/contrast/extension/protect/kernel.rb +0 -5
data/lib/contrast/framework/manager.rb +3 -5
data/lib/contrast/framework/rack/patch/session_cookie.rb +11 -24
data/lib/contrast/framework/rack/patch/support.rb +6 -4
data/lib/contrast/framework/rails/patch/assess_configuration.rb +12 -9
data/lib/contrast/framework/rails/patch/support.rb +41 -35
data/lib/contrast/framework/rails/railtie.rb +34 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +4 -1
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +2 -0
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +5 -4
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +2 -0
data/lib/contrast/framework/rails/support.rb +2 -2
data/lib/contrast/framework/sinatra/support.rb +3 -1
data/lib/contrast/funchook/funchook.rb +5 -8
data/lib/contrast/logger/application.rb +13 -15
data/lib/contrast/logger/format.rb +2 -5
data/lib/contrast/logger/log.rb +26 -9
data/lib/contrast/logger/request.rb +1 -6
data/lib/contrast/security_exception.rb +1 -1
data/lib/contrast/tasks/config.rb +0 -1
data/lib/contrast/tasks/service.rb +6 -7
data/lib/contrast/utils/assess/sampling_util.rb +2 -3
data/lib/contrast/utils/assess/tracking_util.rb +3 -6
data/lib/contrast/utils/class_util.rb +0 -8
data/lib/contrast/utils/hash_digest.rb +2 -5
data/lib/contrast/utils/heap_dump_util.rb +5 -3
data/lib/contrast/utils/invalid_configuration_util.rb +4 -3
data/lib/contrast/utils/inventory_util.rb +2 -3
data/lib/contrast/utils/io_util.rb +3 -5
data/lib/contrast/utils/job_servers_running.rb +13 -7
data/lib/contrast/utils/os.rb +4 -4
data/lib/contrast/utils/ruby_ast_rewriter.rb +2 -1
data/lib/contrast/utils/string_utils.rb +2 -3
data/lib/contrast/utils/tag_util.rb +25 -19
data/resources/assess/policy.json +55 -0
data/ruby-agent.gemspec +17 -16
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +61 -46
data/lib/contrast/agent/railtie.rb +0 -31
data/lib/contrast/components/interface.rb +0 -195
data/lib/contrast/delegators/input_analysis.rb +0 -12

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb CHANGED Viewed

@@ -34,7 +34,7 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Sqli::NAME
             end

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb CHANGED Viewed

@@ -49,16 +49,15 @@ module Contrast
             protected
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Xxe::NAME
             end
             private
-            DATA_KEY = '@data'.to_sym
+            DATA_KEY = :@data
             def valid_data_input? object
-              object.instance_variable_defined?(DATA_KEY) &&
-                  object.instance_variable_get(DATA_KEY)
+              object.instance_variable_defined?(DATA_KEY) && object.instance_variable_get(DATA_KEY)
             end
             NOKOGIRI_MARKER = 'Nokogiri::'
@@ -115,11 +114,8 @@ module Contrast
               raise e
             rescue StandardError => e
               parser ||= Contrast::Utils::ObjectShare::UNKNOWN
-              logger.error(
-                  'Error applying xxe',
-                  e,
-                  module: potential_parser.cs__class.cs__name,
-                  method: method, parser: parser)
+              logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,
+                                                    parser: parser)
             end
           end
         end

data/lib/contrast/agent/protect/policy/policy.rb CHANGED Viewed

@@ -24,7 +24,7 @@ module Contrast
           end
           def disabled_globally?
-            PROTECT.forcibly_disabled?
+            ::Contrast::PROTECT.forcibly_disabled?
           end
           def node_type

data/lib/contrast/agent/protect/policy/rule_applicator.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -11,9 +11,7 @@ module Contrast
         # form of the Applicator, which will override specific implementations
         # in order to properly invoke its Rule.
         module RuleApplicator
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
+          include Contrast::Components::Logger::InstanceMethods
           # Calls the actual invocation for this applicator, if required. Will
           # attempt to transform the data as required prior to invocation and
@@ -42,7 +40,8 @@ module Contrast
           rescue Contrast::SecurityException => e
             raise e
           rescue StandardError => e
-            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method, rule: name)
+            logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
+                                                           rule: rule_name)
           end
           protected
@@ -68,11 +67,10 @@ module Contrast
             raise NoMethodError, 'This is abstract, override it.'
           end
-          # The name of the rule, as expected by the Contrast Service and
-          # Contrast UI.
+          # The name of the rule, as expected by the Contrast Service and Contrast UI.
           #
           # @return [String]
-          def name
+          def rule_name
             raise NoMethodError, 'This is abstract, override it.'
           end
@@ -82,7 +80,7 @@ module Contrast
           #
           # @return [Contrast::Agent::Protect::Rule::Base]
           def rule
-            PROTECT.rule name
+            ::Contrast::PROTECT.rule rule_name
           end
           # Should we skip analysis for this rule for this method invocation?

data/lib/contrast/agent/protect/rule/base.rb CHANGED Viewed

@@ -1,7 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 module Contrast
   module Agent
@@ -12,9 +13,8 @@ module Contrast
         #
         # @abstract Subclass and override {#prefilter}, {#infilter}, {#find_attacker}, {#postfilter} to implement
         class Base
-          include Contrast::Components::Interface
-          access_component :agent, :analysis, :logging, :scope, :settings
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Scope::InstanceMethods
           UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
             user_input.input_type = :UNKNOWN
@@ -37,22 +37,22 @@ module Contrast
           attr_reader :mode
           def initialize
-            PROTECT.rules[name] = self
+            ::Contrast::PROTECT.rules[rule_name] = self
             @mode = mode_from_settings
           end
           # Should return the name as it is known to Teamserver; defaults to class
-          def name
-            cs__class.name
+          def rule_name
+            cs__class.cs__name
           end
           def enabled?
             # 1. it is not enabled because protect is not enabled
-            return false unless AGENT.enabled?
-            return false unless PROTECT.enabled?
+            return false unless ::Contrast::AGENT.enabled?
+            return false unless ::Contrast::PROTECT.enabled?
             # 2. it is not enabled because it is in the list of disabled protect rules
-            return false if PROTECT.rule_config&.disabled_rules&.include?(name)
+            return false if ::Contrast::PROTECT.rule_config&.disabled_rules&.include?(rule_name)
             # 3. it is enabled so long as its mode is not NO_ACTION
             @mode != Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
@@ -60,7 +60,7 @@ module Contrast
           def excluded? exclusions
             Array(exclusions).any? do |ex|
-              ex.protection_rule?(name)
+              ex.protection_rule?(rule_name)
             end
           end
@@ -176,8 +176,8 @@ module Contrast
           protected
           def mode_from_settings
-            PROTECT.rule_mode(name).tap do |mode|
-              logger.trace('Retrieving rule mode', rule: name, mode: mode)
+            ::Contrast::PROTECT.rule_mode(rule_name).tap do |mode|
+              logger.trace('Retrieving rule mode', rule: rule_name, mode: mode)
             end
           end
@@ -191,10 +191,10 @@ module Contrast
           # @return [Boolean] if an exclusion was applicable to this request
           #   for this rule
           def protect_excluded_by_code?
-            exclusions = SETTINGS.code_exclusions
+            exclusions = ::Contrast::SETTINGS.code_exclusions
             return false unless exclusions
-            for_rule = exclusions.select { |ex| ex.protection_rule?(name) }
+            for_rule = exclusions.select { |ex| ex.protection_rule?(rule_name) }
             return false if for_rule.empty?
             stack = caller_locations
@@ -213,7 +213,7 @@ module Contrast
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
           def find_attacker _context, _potential_attack_string, **_kwargs
-            raise NoMethodError, "Rule #{ name } did not implement find_attack"
+            raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
           end
           def update_successful_attack_response context, ia_result, result, attack_string = nil
@@ -249,7 +249,7 @@ module Contrast
           # @return [Contrast::Api::Dtm::AttackResult]
           def build_attack_result _context
             result = Contrast::Api::Dtm::AttackResult.new
-            result.rule_id = name
+            result.rule_id = rule_name
             result
           end
@@ -286,7 +286,7 @@ module Contrast
           def log_rule_matched _context, ia_result, response, _matched_string = nil
             logger.debug('A successful attack was detected',
-                         rule: name,
+                         rule: rule_name,
                          type: ia_result&.input_type,
                          name: ia_result&.key,
                          input: ia_result&.value,
@@ -296,11 +296,8 @@ module Contrast
           private
           def log_rule_probed _context, ia_result
-            logger.debug('An unsuccessful attack was detected',
-                         rule: name,
-                         type: ia_result&.input_type,
-                         name: ia_result&.key,
-                         input: ia_result&.value)
+            logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
+                                                                name: ia_result&.key, input: ia_result&.value)
           end
         end
       end

data/lib/contrast/agent/protect/rule/base_service.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
-          def name
+          def rule_name
             'base-service'
           end
@@ -32,7 +32,11 @@ module Contrast
           # streamed responses will break
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION || mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return
+            end
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
@@ -40,14 +44,14 @@ module Contrast
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
-            raise Contrast::SecurityException.new(self, "#{ name } triggered in postfilter. Response blocked.")
+            raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
           end
           protected
           def gather_ia_results context
             context.speedracer_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == name
+              ia_result.rule_id == rule_name
             end
           end
@@ -58,7 +62,7 @@ module Contrast
           # Allows for the InputAnalysis from service to be extracted early
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = nil
             ia_results.each do |ia_result|

data/lib/contrast/agent/protect/rule/cmd_injection.rb CHANGED Viewed

@@ -4,7 +4,7 @@
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -12,13 +12,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect Command Injection rule.
         class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
-          include Contrast::Components::Interface
-          access_component :app_context, :logging
+          include Contrast::Components::Logger::InstanceMethods
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -28,26 +27,31 @@ module Contrast
             ia_results = gather_ia_results(context)
             return if ia_results.empty?
-            if APP_CONTEXT.in_new_process?
+            if ::Contrast::APP_CONTEXT.in_new_process?
               logger.trace('Running cmd-injection infilter within new process - creating new context')
               context = Contrast::Agent::RequestContext.new(context.request.rack_request)
               Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
             end
-            result = find_attacker_with_results(context, command, ia_results, **{ classname: classname, method: method })
+            result = find_attacker_with_results(context, command, ia_results,
+                                                **{ classname: classname, method: method })
             result ||= report_command_execution(context, command, **{ classname: classname, method: method })
             return unless result
             append_to_activity(context, result)
             return unless blocked?
-            raise Contrast::SecurityException.new(
-                self,
-                "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  'Command Injection rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked.")
           end
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
-            return result if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION || mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+              return result
+            end
             result ||= build_attack_result(context)
             update_successful_attack_response(context, input_analysis_result, result, candidate_string)
@@ -60,14 +64,10 @@ module Contrast
           # Because results are not necessarily on the context across
           # processes; extract early and pass into the method
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
             result = super(context, potential_attack_string, ia_results, **kwargs)
             if result.nil? && potential_attack_string
-              result = find_probable_attacker(
-                  context,
-                  potential_attack_string,
-                  ia_results,
-                  **kwargs)
+              result = find_probable_attacker(context, potential_attack_string, ia_results, **kwargs)
             end
             result
           end
@@ -109,12 +109,7 @@ module Contrast
             likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
             return unless likely_attacker
-            build_attack_with_match(
-                context,
-                likely_attacker,
-                nil,
-                potential_attack_string,
-                **kwargs)
+            build_attack_with_match(context, likely_attacker, nil, potential_attack_string, **kwargs)
           end
           def chained_command? command
@@ -128,7 +123,7 @@ module Contrast
           # @return [Boolean] if the agent should report all command
           #   executions.
           def report_any_command_execution?
-            PROTECT.report_any_command_execution?
+            ::Contrast::PROTECT.report_any_command_execution?
           end
         end
       end

data/lib/contrast/agent/protect/rule/deserialization.rb CHANGED Viewed

@@ -17,10 +17,7 @@ module Contrast
           BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
           # Gadgets that map to ERB modules
-          ERB_GADGETS = %W[
-            object:ERB
-            o:\bERB
-          ].cs__freeze
+          ERB_GADGETS = %W[object:ERB o:\bERB].cs__freeze
           # Gadgets that map to ActionDispatch modules
           ACTION_DISPATCH_GADGETS = %w[
@@ -29,11 +26,7 @@ module Contrast
           ].cs__freeze
           # Gadgets that map to Arel Modules
-          AREL_GADGETS = %w[
-            string:Arel::Nodes::SqlLiteral
-            object:Arel::Nodes
-            o:\bArel::Nodes
-          ].cs__freeze
+          AREL_GADGETS = %w[string:Arel::Nodes::SqlLiteral object:Arel::Nodes o:\bArel::Nodes].cs__freeze
           # Used to indicate to TeamServer the gadget is an ERB module
           ERB = 'ERB'
@@ -45,7 +38,7 @@ module Contrast
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
-          def name
+          def rule_name
             NAME
           end
@@ -124,8 +117,8 @@ module Contrast
             sample = build_base_sample(context, input_analysis_result)
             sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
-            deserializer = kwargs[:GADGET_TYPE]
-            sample.untrusted_deserialization.deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(deserializer)
+            deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:GADGET_TYPE])
+            sample.untrusted_deserialization.deserializer = deserializer
             command = !!kwargs[:COMMAND_SCOPE]
             sample.untrusted_deserialization.command = command
@@ -148,7 +141,7 @@ module Contrast
           #   of the analysis done by this rule.
           def build_evaluation gadget_string
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.key = INPUT_NAME
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(gadget_string)

data/lib/contrast/agent/protect/rule/http_method_tampering.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'method-tampering'
           STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
-          def name
+          def rule_name
             NAME
           end
@@ -30,20 +30,9 @@ module Contrast
             method = ia_results.first.value
             result = if response_code.to_s.start_with?('4', '5')
-                       build_attack_without_match(
-                           context,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
                      else
-                       build_attack_with_match(
-                           context,
-                           nil,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
+                       build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
                      end
             append_to_activity(context, result) if result
           end