contrast-agent 4.6.0 → 4.9.1

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -32,7 +32,11 @@ module Contrast
           end
 
           def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            return result if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION || mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return result
+            end
 
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb

@@ -14,9 +14,7 @@ module Contrast
             # Is the current & next character '//' or are the current and
             # subsequent characters '<--' ?
             def start_line_comment? char, index, query
-              if char == Contrast::Utils::ObjectShare::SLASH &&
-                    query[index + 1] == Contrast::Utils::ObjectShare::SLASH
-
+              if char == Contrast::Utils::ObjectShare::SLASH && query[index + 1] == Contrast::Utils::ObjectShare::SLASH
                 return true
               end
 

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
-require 'contrast/components/interface'
 require 'contrast/utils/stack_trace_utils'
 
 module Contrast
@@ -12,9 +11,6 @@ module Contrast
         # This class handles our implementation of the Path Traversal
         # Protect rule.
         class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
-          include Contrast::Components::Interface
-          access_component :agent, :analysis
-
           NAME = 'path-traversal'
           SYSTEM_PATHS = %w[
             /proc/self
@@ -29,7 +25,7 @@ module Contrast
             /windows/repair/
           ].cs__freeze
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -42,9 +38,8 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
-            raise Contrast::SecurityException.new(
-                self,
-                "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+            raise Contrast::SecurityException.new(self,
+                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked.")
           end
 
           protected
@@ -97,7 +92,7 @@ module Contrast
           end
 
           def custom_code_access_sysfile_enabled?
-            PROTECT.report_custom_code_sysfile_access?
+            ::Contrast::PROTECT.report_custom_code_sysfile_access?
           end
 
           def custom_code_accessing_system_file? input
@@ -128,7 +123,8 @@ module Contrast
             #     return 'NUL' in str(e) or 'null byte' in str(e) or (PY34 and 'embedded NUL character' == str(e))
             #   except Exception as e:
             #     return 'null byte' in str(e).lower()
-            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
+            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in
+            #   PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
             false
           end
         end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -13,7 +13,7 @@ module Contrast
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
-          def name
+          def rule_name
             NAME
           end
 

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'unsafe-file-upload'
           BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
 
-          def name
+          def rule_name
             NAME
           end
         end

data/lib/contrast/agent/protect/rule/xss.rb

@@ -12,7 +12,7 @@ module Contrast
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'
 
-          def name
+          def rule_name
             NAME
           end
 

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -15,7 +15,7 @@ module Contrast
           BLOCK_MESSAGE = 'XXE rule triggered. Response blocked.'
           EXTERNAL_ENTITY_PATTERN = /<!ENTITY\s+[a-zA-Z0-f]+\s+(?:SYSTEM|PUBLIC)\s+(.*?)>/.cs__freeze
 
-          def name
+          def rule_name
             NAME
           end
 
@@ -59,12 +59,7 @@ module Contrast
             return unless xxe_details
 
             ia_result = build_evaluation(xxe_details.xml)
-            build_attack_with_match(
-                context,
-                ia_result,
-                nil,
-                nil,
-                details: xxe_details)
+            build_attack_with_match(context, ia_result, nil, nil, details: xxe_details)
           end
 
           # Given an XML determined to be unsafe, build out the details of the
@@ -118,7 +113,7 @@ module Contrast
           # supplied by the attacker.
           def build_evaluation xml
             ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(xml)
             ia_result
@@ -133,10 +128,8 @@ module Contrast
 
           def build_wrapper entity_wrapper
             wrapper = Contrast::Api::Dtm::XxeWrapper.new
-            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.system_id)
-            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(
-                entity_wrapper.public_id)
+            wrapper.system_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.system_id)
+            wrapper.public_id = Contrast::Utils::StringUtils.protobuf_safe_string(entity_wrapper.public_id)
             wrapper
           end
         end

data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb

@@ -65,8 +65,7 @@ module Contrast
               return true if http && !tmp_id.end_with?(DTD_MARKER)
 
               # external if using external protocol
-              return true if tmp_id.start_with?(FTP_START, FILE_START,
-                                                JAR_START, GOPHER_START)
+              return true if tmp_id.start_with?(FTP_START, FILE_START, JAR_START, GOPHER_START)
 
               # external if start with path marker (/ or .)
               return true if tmp_id.start_with?(Contrast::Utils::ObjectShare::SLASH,

data/lib/contrast/agent/reaction_processor.rb

@@ -2,18 +2,15 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/disable_reaction'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
-    # Because communication between the Agent/Service and TeamServer can only
-    # be initiated by outbound connections from the Agent/Service, we must
-    # provide a mechanism for the TeamServer to direct the Agent to take a
-    # specific action. This action is referred to as a Reaction. This class is
-    # how we handle those Reaction messages.
+    # Because communication between the Agent/Service and TeamServer can only be initiated by outbound connections
+    # from the Agent/Service, we must provide a mechanism for the TeamServer to direct the Agent to take a specific
+    # action. This action is referred to as a Reaction. This class is how we handle those Reaction messages.
     class ReactionProcessor
-      include Contrast::Components::Interface
-      access_component :logging
+      extend Contrast::Components::Logger::InstanceMethods
 
       # Process the given Reactions from the application settings based on what
       # TeamServer has indicated. Each Reaction will result in a log message
@@ -25,8 +22,12 @@ module Contrast
         return unless application_settings&.reactions&.any?
 
         application_settings.reactions.each do |reaction|
-          # the enums are all uppercase, we need to downcase them before attempting to log
-          level = reaction.log_level.nil? ? :error : reaction.log_level.name.downcase
+          # The enums are all uppercase, we need to downcase them before attempting to log.
+          level = if reaction.log_level.nil?
+                    :error
+                  else
+                    reaction.log_level.name.downcase # rubocop:disable Security/Module/Name -- ruby logger builtin.
+                  end
 
           logger.with_level(level, reaction.message) if reaction.message
 
@@ -36,9 +37,8 @@ module Contrast
           when Contrast::Api::Settings::Reaction::Operation::NOOP
             # NOOP
           else
-            logger.warn(
-                'ReactionProcessor received a reaction with an unknown operation',
-                operation: reaction.operation)
+            logger.warn('ReactionProcessor received a reaction with an unknown operation',
+                        operation: reaction.operation)
           end
         end
       end

data/lib/contrast/agent/request.rb

@@ -7,7 +7,8 @@ require 'timeout'
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -16,8 +17,8 @@ module Contrast
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Request
-      include Contrast::Components::Interface
-      access_component :agent, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
 
       extend Forwardable
 
@@ -30,7 +31,8 @@ module Contrast
       attr_accessor :route, :observed_route
 
       # Delegate calls to the following methods to the attribute @rack_request
-      def_delegators :@rack_request, :base_url, :content_type, :cookies, :env, :ip, :path, :port, :query_string, :request_method, :scheme, :url, :user_agent
+      def_delegators :@rack_request, :base_url, :content_type, :cookies, :env, :ip, :path, :port, :query_string,
+                     :request_method, :scheme, :url, :user_agent
 
       def initialize rack_request
         @rack_request = rack_request
@@ -56,32 +58,28 @@ module Contrast
       end
 
       def document_type
-        @_document_type ||= begin
-          if /xml/i.match?(content_type) || body&.start_with?('<?xml')
-            :XML
-          elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
-            :JSON
-          else
-            :NORMAL
-          end
-        end
+        @_document_type ||= if /xml/i.match?(content_type) || body&.start_with?('<?xml')
+                              :XML
+                            elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
+                              :JSON
+                            else
+                              :NORMAL
+                            end
       end
 
       # Header keys upcased and any underscores replaced with dashes
       def headers
-        @_headers ||= begin
-          with_contrast_scope do
-            hash = {}
-            env.each do |key, value|
-              next unless key
-
-              name = key.to_s
-              next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
-
-              hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
-            end
-            hash
+        @_headers ||= with_contrast_scope do
+          hash = {}
+          env.each do |key, value|
+            next unless key
+
+            name = key.to_s
+            next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
+
+            hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
           end
+          hash
         end
       end
 
@@ -90,7 +88,10 @@ module Contrast
         # (can't use body because it might be nil)
         @_body_read ||= begin
           body = rack_request.body
-          if defined?(Rack::Multipart) && defined?(Rack::Multipart::UploadedFile) && body.is_a?(Rack::Multipart::UploadedFile)
+          if defined?(Rack::Multipart) &&
+                defined?(Rack::Multipart::UploadedFile) &&
+                body.is_a?(Rack::Multipart::UploadedFile)
+
             logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
             @_body = nil
           else

data/lib/contrast/agent/request_context.rb

@@ -5,8 +5,8 @@ require 'contrast/utils/timer'
 require 'contrast/agent/request'
 require 'contrast/agent/response'
 require 'contrast/utils/inventory_util'
-require 'contrast/components/interface'
-require 'contrast/delegators/input_analysis'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -26,20 +26,19 @@ module Contrast
     # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
     # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
     class RequestContext
-      include Contrast::Components::Interface
-      access_component :agent, :analysis, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
 
-      attr_reader :activity, :logging_hash, :observed_route, :request, :response, :route, :speedracer_input_analysis, :server_activity, :timer
+      attr_reader :activity, :logging_hash, :observed_route, :request, :response, :route, :speedracer_input_analysis,
+                  :server_activity, :timer
 
       def initialize rack_request, app_loaded = true
         with_contrast_scope do
           # all requests get a timer and hash
           @timer = Contrast::Utils::Timer.new
-          @logging_hash = {
-              request_id: __id__
-          }
+          @logging_hash = { request_id: __id__ }
 
           # instantiate helper for request and response
           @request = Contrast::Agent::Request.new(rack_request)
@@ -64,9 +63,11 @@ module Contrast
 
           @sample = true
 
-          @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request) if ASSESS.enabled?
+          if ::Contrast::ASSESS.enabled?
+            @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
+          end
 
-          @sample_response &&= ASSESS.scan_response?
+          @sample_response &&= ::Contrast::ASSESS.scan_response?
 
           append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
         end
@@ -119,8 +120,8 @@ module Contrast
       end
 
       def service_extract_request
-        return false unless AGENT.enabled?
-        return false unless PROTECT.enabled?
+        return false unless ::Contrast::AGENT.enabled?
+        return false unless ::Contrast::PROTECT.enabled?
         return false if @do_not_track
 
         service_response = Contrast::Agent.messaging_queue.send_event_immediately(@activity.http_request)
@@ -200,7 +201,7 @@ module Contrast
         attack_results_by_rule = {}
         agent_settings.input_analysis.results.each do |ia_result|
           rule_id = ia_result.rule_id
-          rule = PROTECT.rule(rule_id)
+          rule = ::Contrast::PROTECT.rule(rule_id)
           next unless rule
 
           logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
@@ -209,16 +210,10 @@ module Contrast
                             # special case for rules (like reflected xss)
                             # that used to have an infilter / block
                             # mode but now are just block at perimeter
-                            rule.build_attack_with_match(
-                                self,
-                                ia_result,
-                                attack_results_by_rule[rule_id],
-                                ia_result.value)
+                            rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
+                                                         ia_result.value)
                           else
-                            rule.build_attack_without_match(
-                                self,
-                                ia_result,
-                                attack_results_by_rule[rule_id])
+                            rule.build_attack_without_match(self, ia_result, attack_results_by_rule[rule_id])
                           end
           attack_results_by_rule[rule_id] = attack_result
         end

data/lib/contrast/agent/request_handler.rb

@@ -1,20 +1,22 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+require 'contrast/components/scope'
+
 module Contrast
   module Agent
     # This class is instantiated when we receive a request and the agent is enabled to process
     # that request. It holds the ruleset that we perform filtering operations on (currently
     # prefilter and postfilter).
     class RequestHandler
-      include Contrast::Components::Interface
-      access_component :agent, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
 
       attr_reader :ruleset, :context
 
       def initialize context
         @context = context
-        @ruleset = AGENT.ruleset
+        @ruleset = ::Contrast::AGENT.ruleset
       end
 
       def send_activity_messages

data/lib/contrast/agent/response.rb

@@ -7,7 +7,7 @@ require 'timeout'
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -16,8 +16,7 @@ module Contrast
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Response
-      include Contrast::Components::Interface
-      access_component :logging
+      include Contrast::Components::Logger::InstanceMethods
 
       extend Forwardable