contrast-agent 4.7.0 → 4.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +1 -1
- data/lib/contrast/framework/rails/railtie.rb +32 -0
- data/resources/assess/policy.json +55 -0
- data/ruby-agent.gemspec +2 -1
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +27 -12
- data/lib/contrast/agent/railtie.rb +0 -31
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e9b59d691aacb946697f5e70adca3118f87953a30209d9fb5aebb232df42ec3f
|
|
4
|
+
data.tar.gz: b4f831bbb3bf826aa0e28ee7f8040aca3f1efd9b50af63f0196124766afcdaa6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c37bdcf57f387aa4c8353db52eb5dff04c7c1781c31b5af7dd12e87f79c31b7fdb942031e97f5e0f5ea9d5d29407725ac2a63916080fe4041def3627426a4428
|
|
7
|
+
data.tar.gz: 2a05dab78c39243740d7357f43484c26f6ede46d05f7f28ad212fe8914fbd19887021d2fe6d217aa1e9312ea33b9a4880dcaa7a4bf4cb75a43a6ce9db56d95e2
|
|
@@ -21,6 +21,7 @@ module Contrast
|
|
|
21
21
|
require 'contrast/agent/assess/policy/propagator/match_data'
|
|
22
22
|
require 'contrast/agent/assess/policy/propagator/next'
|
|
23
23
|
require 'contrast/agent/assess/policy/propagator/prepend'
|
|
24
|
+
require 'contrast/agent/assess/policy/propagator/rack_protection'
|
|
24
25
|
require 'contrast/agent/assess/policy/propagator/remove'
|
|
25
26
|
require 'contrast/agent/assess/policy/propagator/replace'
|
|
26
27
|
require 'contrast/agent/assess/policy/propagator/reverse'
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
module Contrast
|
|
5
|
+
module Agent
|
|
6
|
+
module Assess
|
|
7
|
+
module Policy
|
|
8
|
+
module Propagator
|
|
9
|
+
# Rack::Protection offers several protections against vulnerabilities. Of these, some apply to dataflow and
|
|
10
|
+
# need to be accounted for in order to properly tag data. Others apply to configurations and may be used to
|
|
11
|
+
# suppress configuration vulnerabilities in the future.
|
|
12
|
+
class RackProtection < Contrast::Agent::Assess::Policy::Propagator::Base
|
|
13
|
+
class << self
|
|
14
|
+
# Our custom instrumentation for the Rack::Protection::EscapedParams#escape_string method
|
|
15
|
+
# @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
|
|
16
|
+
# propagation event.
|
|
17
|
+
# @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
|
|
18
|
+
# the invocation of the patched method.
|
|
19
|
+
# @param ret [nil, String] the target to which to propagate.
|
|
20
|
+
# @return [nil, String] ret
|
|
21
|
+
def escaped_params propagation_node, preshift, ret, _block
|
|
22
|
+
Contrast::Agent::Assess::Policy::Propagator::Splat.propagate(propagation_node, preshift, ret)
|
|
23
|
+
apply_escaper_tags(preshift.object, ret)
|
|
24
|
+
ret
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
|
|
29
|
+
# Rack::Protection::EscapedParams can be configured such that it only applies certain escape. We need
|
|
30
|
+
# to account for the configuration of the individual escapes when applying tags.
|
|
31
|
+
#
|
|
32
|
+
# @param escaper [Rack::Protection::EscapedParams] the instance of Rack::Protection::EscapedParams
|
|
33
|
+
# applying the escape_string
|
|
34
|
+
# @param ret [String] the result of the escape
|
|
35
|
+
def apply_escaper_tags escaper, ret
|
|
36
|
+
# I don't know how this could not be an instance of Rack::Protection::EscapedParams, but I don't want
|
|
37
|
+
# to chance it.
|
|
38
|
+
return unless escaper.cs__is_a?(Rack::Protection::EscapedParams)
|
|
39
|
+
return unless (properties = Contrast::Agent::Assess::Tracker.properties(ret))
|
|
40
|
+
|
|
41
|
+
tags = []
|
|
42
|
+
untags = []
|
|
43
|
+
if escaper.instance_variable_get(:@html)
|
|
44
|
+
tags << 'HTML_ENCODED'
|
|
45
|
+
untags << 'HTML_DECODED'
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
if escaper.instance_variable_get(:@javascript)
|
|
49
|
+
tags << 'JAVASCRIPT_ENCODED'
|
|
50
|
+
untags << 'JAVASCRIPT_DECODED'
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
if escaper.instance_variable_get(:@url)
|
|
54
|
+
tags << 'URL_ENCODED'
|
|
55
|
+
untags << 'URL_DECODED'
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
length = Contrast::Utils::StringUtils.ret_length(ret)
|
|
59
|
+
tags.each do |tag|
|
|
60
|
+
properties.add_tag(tag, 0...length)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
untags.each do |tag|
|
|
64
|
+
properties.delete_tags(tag)
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
@@ -20,7 +20,7 @@ module Contrast
|
|
|
20
20
|
# (i.e., where we normally patch) we will miss the configuration
|
|
21
21
|
# and will never be able to report session misconfiguration rules.
|
|
22
22
|
Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
|
|
23
|
-
require 'contrast/
|
|
23
|
+
require 'contrast/framework/rails/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
# (See BaseSupport#after_load_patches)
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require 'contrast/utils/job_servers_running'
|
|
5
|
+
|
|
6
|
+
module Contrast
|
|
7
|
+
module Framework
|
|
8
|
+
module Rails
|
|
9
|
+
# A Railtie to allow for the automatic hooking of the Agent into a Rails application.
|
|
10
|
+
class Railtie < ::Rails::Railtie
|
|
11
|
+
include Contrast::Components::Interface
|
|
12
|
+
access_component :agent, :app_context, :logging
|
|
13
|
+
|
|
14
|
+
initializer 'Contrast Ruby Agent Initializer' do |app|
|
|
15
|
+
Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
|
|
16
|
+
|
|
17
|
+
if APP_CONTEXT.instrument_middleware_stack?
|
|
18
|
+
AGENT.insert_middleware(app)
|
|
19
|
+
else
|
|
20
|
+
Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
|
|
21
|
+
logger.debug('Disabling Contrast for process', p_id: Process.pid)
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
rake_tasks do
|
|
26
|
+
load 'contrast/tasks/service.rb'
|
|
27
|
+
load 'contrast/tasks/config.rb'
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -1026,6 +1026,61 @@
|
|
|
1026
1026
|
"action": "CUSTOM",
|
|
1027
1027
|
"patch_class": "ERBPropagator",
|
|
1028
1028
|
"patch_method": "result_tagger"
|
|
1029
|
+
},
|
|
1030
|
+
{
|
|
1031
|
+
"class_name": "ActionView::Helpers::SanitizeHelper",
|
|
1032
|
+
"method_name": "sanitize",
|
|
1033
|
+
"method_visibility": "public",
|
|
1034
|
+
"instance_method": true,
|
|
1035
|
+
"source": "P0",
|
|
1036
|
+
"target": "R",
|
|
1037
|
+
"action": "REMOVE",
|
|
1038
|
+
"tags":["HTML_ENCODED"],
|
|
1039
|
+
"untags":["HTML_DECODED"]
|
|
1040
|
+
},
|
|
1041
|
+
{
|
|
1042
|
+
"class_name": "ActionView::Helpers::SanitizeHelper",
|
|
1043
|
+
"method_name": "strip_tags",
|
|
1044
|
+
"method_visibility": "public",
|
|
1045
|
+
"instance_method": true,
|
|
1046
|
+
"source": "P0",
|
|
1047
|
+
"target": "R",
|
|
1048
|
+
"action": "REMOVE",
|
|
1049
|
+
"tags":["HTML_ENCODED"],
|
|
1050
|
+
"untags":["HTML_DECODED"]
|
|
1051
|
+
},
|
|
1052
|
+
{
|
|
1053
|
+
"class_name": "Rack::Protection::EscapedParams",
|
|
1054
|
+
"method_name": "escape_string",
|
|
1055
|
+
"method_visibility": "public",
|
|
1056
|
+
"instance_method": true,
|
|
1057
|
+
"source": "P0",
|
|
1058
|
+
"target": "R",
|
|
1059
|
+
"action": "CUSTOM",
|
|
1060
|
+
"patch_class": "Contrast::Agent::Assess::Policy::Propagator::RackProtection",
|
|
1061
|
+
"patch_method": "escaped_params"
|
|
1062
|
+
},
|
|
1063
|
+
{
|
|
1064
|
+
"class_name": "Rails::Html::FullSanitizer",
|
|
1065
|
+
"method_name": "sanitize",
|
|
1066
|
+
"method_visibility": "public",
|
|
1067
|
+
"instance_method": true,
|
|
1068
|
+
"source": "P0",
|
|
1069
|
+
"target": "R",
|
|
1070
|
+
"action": "REMOVE",
|
|
1071
|
+
"tags":["HTML_ENCODED"],
|
|
1072
|
+
"untags":["HTML_DECODED"]
|
|
1073
|
+
},
|
|
1074
|
+
{
|
|
1075
|
+
"class_name": "Rails::Html::SafeListSanitizer",
|
|
1076
|
+
"method_name": "sanitize",
|
|
1077
|
+
"method_visibility": "public",
|
|
1078
|
+
"instance_method": true,
|
|
1079
|
+
"source": "P0",
|
|
1080
|
+
"target": "R",
|
|
1081
|
+
"action": "REMOVE",
|
|
1082
|
+
"tags":["HTML_ENCODED"],
|
|
1083
|
+
"untags":["HTML_DECODED"]
|
|
1029
1084
|
}
|
|
1030
1085
|
],
|
|
1031
1086
|
"rules":[
|
data/ruby-agent.gemspec
CHANGED
|
@@ -41,6 +41,7 @@ end
|
|
|
41
41
|
|
|
42
42
|
# Dependencies used for framework testing.
|
|
43
43
|
def self.add_frameworks spec
|
|
44
|
+
spec.add_development_dependency 'rack-protection', '>= 2'
|
|
44
45
|
spec.add_development_dependency 'rails', '6.0.3.5'
|
|
45
46
|
spec.add_development_dependency 'sinatra', '>= 2'
|
|
46
47
|
end
|
|
@@ -90,7 +91,7 @@ def self.add_tested_gems spec
|
|
|
90
91
|
spec.add_development_dependency 'async'
|
|
91
92
|
spec.add_development_dependency 'execjs'
|
|
92
93
|
spec.add_development_dependency 'sqlite3'
|
|
93
|
-
spec.add_development_dependency '
|
|
94
|
+
spec.add_development_dependency 'rhino'
|
|
94
95
|
spec.add_development_dependency 'tilt'
|
|
95
96
|
spec.add_development_dependency 'xpath'
|
|
96
97
|
end
|
data/service_executables/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.
|
|
1
|
+
2.20.2
|
|
Binary file
|
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: contrast-agent
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- galen.palmer@contrastsecurity.com
|
|
@@ -13,7 +13,7 @@ authors:
|
|
|
13
13
|
autorequire:
|
|
14
14
|
bindir: exe
|
|
15
15
|
cert_chain: []
|
|
16
|
-
date: 2021-05-
|
|
16
|
+
date: 2021-05-20 00:00:00.000000000 Z
|
|
17
17
|
dependencies:
|
|
18
18
|
- !ruby/object:Gem::Dependency
|
|
19
19
|
name: bundler
|
|
@@ -225,6 +225,20 @@ dependencies:
|
|
|
225
225
|
- - '='
|
|
226
226
|
- !ruby/object:Gem::Version
|
|
227
227
|
version: 0.21.2
|
|
228
|
+
- !ruby/object:Gem::Dependency
|
|
229
|
+
name: rack-protection
|
|
230
|
+
requirement: !ruby/object:Gem::Requirement
|
|
231
|
+
requirements:
|
|
232
|
+
- - ">="
|
|
233
|
+
- !ruby/object:Gem::Version
|
|
234
|
+
version: '2'
|
|
235
|
+
type: :development
|
|
236
|
+
prerelease: false
|
|
237
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
238
|
+
requirements:
|
|
239
|
+
- - ">="
|
|
240
|
+
- !ruby/object:Gem::Version
|
|
241
|
+
version: '2'
|
|
228
242
|
- !ruby/object:Gem::Dependency
|
|
229
243
|
name: rails
|
|
230
244
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -296,7 +310,7 @@ dependencies:
|
|
|
296
310
|
- !ruby/object:Gem::Version
|
|
297
311
|
version: '0'
|
|
298
312
|
- !ruby/object:Gem::Dependency
|
|
299
|
-
name:
|
|
313
|
+
name: rhino
|
|
300
314
|
requirement: !ruby/object:Gem::Requirement
|
|
301
315
|
requirements:
|
|
302
316
|
- - ">="
|
|
@@ -542,19 +556,19 @@ executables:
|
|
|
542
556
|
extensions:
|
|
543
557
|
- ext/cs__common/extconf.rb
|
|
544
558
|
- ext/cs__assess_string/extconf.rb
|
|
559
|
+
- ext/cs__assess_kernel/extconf.rb
|
|
545
560
|
- ext/cs__protect_kernel/extconf.rb
|
|
546
|
-
- ext/
|
|
547
|
-
- ext/
|
|
548
|
-
- ext/cs__assess_array/extconf.rb
|
|
549
|
-
- ext/cs__assess_yield_track/extconf.rb
|
|
561
|
+
- ext/cs__assess_module/extconf.rb
|
|
562
|
+
- ext/cs__assess_active_record_named/extconf.rb
|
|
550
563
|
- ext/cs__assess_fiber_track/extconf.rb
|
|
564
|
+
- ext/cs__assess_array/extconf.rb
|
|
565
|
+
- ext/cs__contrast_patch/extconf.rb
|
|
566
|
+
- ext/cs__assess_string_interpolation26/extconf.rb
|
|
567
|
+
- ext/cs__assess_regexp/extconf.rb
|
|
551
568
|
- ext/cs__assess_marshal_module/extconf.rb
|
|
552
569
|
- ext/cs__assess_basic_object/extconf.rb
|
|
553
|
-
- ext/cs__assess_module/extconf.rb
|
|
554
|
-
- ext/cs__assess_kernel/extconf.rb
|
|
555
570
|
- ext/cs__assess_hash/extconf.rb
|
|
556
|
-
- ext/
|
|
557
|
-
- ext/cs__assess_string_interpolation26/extconf.rb
|
|
571
|
+
- ext/cs__assess_yield_track/extconf.rb
|
|
558
572
|
extra_rdoc_files: []
|
|
559
573
|
files:
|
|
560
574
|
- ".clang-format"
|
|
@@ -775,6 +789,7 @@ files:
|
|
|
775
789
|
- lib/contrast/agent/assess/policy/propagator/match_data.rb
|
|
776
790
|
- lib/contrast/agent/assess/policy/propagator/next.rb
|
|
777
791
|
- lib/contrast/agent/assess/policy/propagator/prepend.rb
|
|
792
|
+
- lib/contrast/agent/assess/policy/propagator/rack_protection.rb
|
|
778
793
|
- lib/contrast/agent/assess/policy/propagator/remove.rb
|
|
779
794
|
- lib/contrast/agent/assess/policy/propagator/replace.rb
|
|
780
795
|
- lib/contrast/agent/assess/policy/propagator/reverse.rb
|
|
@@ -859,7 +874,6 @@ files:
|
|
|
859
874
|
- lib/contrast/agent/protect/rule/xss.rb
|
|
860
875
|
- lib/contrast/agent/protect/rule/xxe.rb
|
|
861
876
|
- lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
|
|
862
|
-
- lib/contrast/agent/railtie.rb
|
|
863
877
|
- lib/contrast/agent/reaction_processor.rb
|
|
864
878
|
- lib/contrast/agent/request.rb
|
|
865
879
|
- lib/contrast/agent/request_context.rb
|
|
@@ -973,6 +987,7 @@ files:
|
|
|
973
987
|
- lib/contrast/framework/rails/patch/assess_configuration.rb
|
|
974
988
|
- lib/contrast/framework/rails/patch/rails_application_configuration.rb
|
|
975
989
|
- lib/contrast/framework/rails/patch/support.rb
|
|
990
|
+
- lib/contrast/framework/rails/railtie.rb
|
|
976
991
|
- lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb
|
|
977
992
|
- lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb
|
|
978
993
|
- lib/contrast/framework/rails/rewrite/active_record_named.rb
|
|
@@ -1,31 +0,0 @@
|
|
|
1
|
-
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
-
# frozen_string_literal: true
|
|
3
|
-
|
|
4
|
-
require 'contrast/utils/job_servers_running'
|
|
5
|
-
|
|
6
|
-
module Contrast
|
|
7
|
-
module Agent
|
|
8
|
-
# A Railtie to allow for the automatic hooking of the Agent into a Rails
|
|
9
|
-
# application.
|
|
10
|
-
class Railtie < Rails::Railtie
|
|
11
|
-
include Contrast::Components::Interface
|
|
12
|
-
access_component :agent, :app_context, :logging
|
|
13
|
-
|
|
14
|
-
initializer 'Contrast Ruby Agent Initializer' do |app|
|
|
15
|
-
Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
|
|
16
|
-
|
|
17
|
-
if APP_CONTEXT.instrument_middleware_stack?
|
|
18
|
-
AGENT.insert_middleware(app)
|
|
19
|
-
else
|
|
20
|
-
Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
|
|
21
|
-
logger.debug('Disabling Contrast for process', p_id: Process.pid)
|
|
22
|
-
end
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
rake_tasks do
|
|
26
|
-
load 'contrast/tasks/service.rb'
|
|
27
|
-
load 'contrast/tasks/config.rb'
|
|
28
|
-
end
|
|
29
|
-
end
|
|
30
|
-
end
|
|
31
|
-
end
|