contrast-agent 4.7.0 → 4.8.0

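--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 8b3d1ce6b9794d3923d2054d9a20bd31989fd0c6b4df2883f81ad3e740c04de5
-data.tar.gz: 894505c04e850858f83e2207c52cc944f738ce19183051d9530cfdaf09f72ab7
+metadata.gz: e9b59d691aacb946697f5e70adca3118f87953a30209d9fb5aebb232df42ec3f
+data.tar.gz: b4f831bbb3bf826aa0e28ee7f8040aca3f1efd9b50af63f0196124766afcdaa6
 SHA512:
-metadata.gz: 4df81e8b3d03efcdc952e9fce5330b34c6af6a965701ec7bbe02cf3dbd5b8a3c98d8d0745da91d7b0a43be6b03ac763ffb6e9eafb9f2b857bd2a76d325d10ad2
-data.tar.gz: 0015e74007146cf741e6b7f6274460a948a147df54109de959856f0ff883262260685f74eff8767e6ae845847eaf3d8a17dfbd54061d5b9f561952a8c6b90fef
+metadata.gz: c37bdcf57f387aa4c8353db52eb5dff04c7c1781c31b5af7dd12e87f79c31b7fdb942031e97f5e0f5ea9d5d29407725ac2a63916080fe4041def3627426a4428
+data.tar.gz: 2a05dab78c39243740d7357f43484c26f6ede46d05f7f28ad212fe8914fbd19887021d2fe6d217aa1e9312ea33b9a4880dcaa7a4bf4cb75a43a6ce9db56d95e2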
@@ -21,6 +21,7 @@ module Contrast
21
21
  require 'contrast/agent/assess/policy/propagator/match_data'
22
22
  require 'contrast/agent/assess/policy/propagator/next'
23
23
  require 'contrast/agent/assess/policy/propagator/prepend'
24
+ require 'contrast/agent/assess/policy/propagator/rack_protection'
24
25
  require 'contrast/agent/assess/policy/propagator/remove'
25
26
  require 'contrast/agent/assess/policy/propagator/replace'
26
27
  require 'contrast/agent/assess/policy/propagator/reverse'
@@ -0,0 +1,73 @@
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ module Contrast
5
+ module Agent
6
+ module Assess
7
+ module Policy
8
+ module Propagator
9
+ # Rack::Protection offers several protections against vulnerabilities. Of these, some apply to dataflow and
10
+ # need to be accounted for in order to properly tag data. Others apply to configurations and may be used to
11
+ # suppress configuration vulnerabilities in the future.
12
+ class RackProtection < Contrast::Agent::Assess::Policy::Propagator::Base
13
+ class << self
14
+ # Our custom instrumentation for the Rack::Protection::EscapedParams#escape_string method
15
+ # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
16
+ # propagation event.
17
+ # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
18
+ # the invocation of the patched method.
19
+ # @param ret [nil, String] the target to which to propagate.
20
+ # @return [nil, String] ret
21
+ def escaped_params propagation_node, preshift, ret, _block
22
+ Contrast::Agent::Assess::Policy::Propagator::Splat.propagate(propagation_node, preshift, ret)
23
+ apply_escaper_tags(preshift.object, ret)
24
+ ret
25
+ end
26
+
27
+ private
28
+
29
+ # Rack::Protection::EscapedParams can be configured such that it only applies certain escape. We need
30
+ # to account for the configuration of the individual escapes when applying tags.
31
+ #
32
+ # @param escaper [Rack::Protection::EscapedParams] the instance of Rack::Protection::EscapedParams
33
+ # applying the escape_string
34
+ # @param ret [String] the result of the escape
35
+ def apply_escaper_tags escaper, ret
36
+ # I don't know how this could not be an instance of Rack::Protection::EscapedParams, but I don't want
37
+ # to chance it.
38
+ return unless escaper.cs__is_a?(Rack::Protection::EscapedParams)
39
+ return unless (properties = Contrast::Agent::Assess::Tracker.properties(ret))
40
+
41
+ tags = []
42
+ untags = []
43
+ if escaper.instance_variable_get(:@html)
44
+ tags << 'HTML_ENCODED'
45
+ untags << 'HTML_DECODED'
46
+ end
47
+
48
+ if escaper.instance_variable_get(:@javascript)
49
+ tags << 'JAVASCRIPT_ENCODED'
50
+ untags << 'JAVASCRIPT_DECODED'
51
+ end
52
+
53
+ if escaper.instance_variable_get(:@url)
54
+ tags << 'URL_ENCODED'
55
+ untags << 'URL_DECODED'
56
+ end
57
+
58
+ length = Contrast::Utils::StringUtils.ret_length(ret)
59
+ tags.each do |tag|
60
+ properties.add_tag(tag, 0...length)
61
+ end
62
+
63
+ untags.each do |tag|
64
+ properties.delete_tags(tag)
65
+ end
66
+ end
67
+ end
68
+ end
69
+ end
70
+ end
71
+ end
72
+ end
73
+ end
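Review bot: apply_escaper_tags decides which tags to apply by reading rack-protection's private `@html`, `@javascript` and `@url` instance variables through `instance_variable_get`, an undocumented coupling to Rack::Protection::EscapedParams internals that would silently stop tagging (no error, just untagged output) if those names change, while the gemspec only constrains the gem to `>= 2`. I would state that in the method comment, e.g. `# Reads EscapedParams' private mode flags (@html/@javascript/@url); re-check these names whenever rack-protection is bumped`, and add `@param _block` to the YARD for escaped_params, which documents the other three parameters but not this one. The three parallel if-blocks plus the tags/untags arrays can also be folded into one frozen mode-to-tag table on the class, which keeps the ivar names in a single place; the rewrite below preserves behavior because each added tag name is distinct from each removed one, so interleaving add and delete per mode changes nothing.
```ruby
      class RackProtection < Contrast::Agent::Assess::Policy::Propagator::Base
        # EscapedParams mode flag (a private ivar of rack-protection) => [tag to add, tag to remove].
        # Re-check these ivar names whenever the rack-protection dependency is bumped.
        MODE_TAGS = {
          :@html => %w[HTML_ENCODED HTML_DECODED],
          :@javascript => %w[JAVASCRIPT_ENCODED JAVASCRIPT_DECODED],
          :@url => %w[URL_ENCODED URL_DECODED]
        }.freeze

        class << self
          # … unchanged: escaped_params, private …

          def apply_escaper_tags escaper, ret
            return unless escaper.cs__is_a?(Rack::Protection::EscapedParams)
            return unless (properties = Contrast::Agent::Assess::Tracker.properties(ret))

            length = Contrast::Utils::StringUtils.ret_length(ret)
            MODE_TAGS.each do |ivar, (tag, untag)|
              next unless escaper.instance_variable_get(ivar)

              properties.add_tag(tag, 0...length)
              properties.delete_tags(untag)
            end
          end
```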
@@ -3,6 +3,6 @@
3
3
 
4
4
  module Contrast
5
5
  module Agent
6
- VERSION = '4.7.0'
6
+ VERSION = '4.8.0'
7
7
  end
8
8
  end
@@ -20,7 +20,7 @@ module Contrast
20
20
  # (i.e., where we normally patch) we will miss the configuration
21
21
  # and will never be able to report session misconfiguration rules.
22
22
  Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
23
- require 'contrast/agent/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
23
+ require 'contrast/framework/rails/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
24
24
  end
25
25
 
26
26
  # (See BaseSupport#after_load_patches)
@@ -0,0 +1,32 @@
1
+ # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ require 'contrast/utils/job_servers_running'
5
+
6
+ module Contrast
7
+ module Framework
8
+ module Rails
9
+ # A Railtie to allow for the automatic hooking of the Agent into a Rails application.
10
+ class Railtie < ::Rails::Railtie
11
+ include Contrast::Components::Interface
12
+ access_component :agent, :app_context, :logging
13
+
14
+ initializer 'Contrast Ruby Agent Initializer' do |app|
15
+ Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
16
+
17
+ if APP_CONTEXT.instrument_middleware_stack?
18
+ AGENT.insert_middleware(app)
19
+ else
20
+ Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
21
+ logger.debug('Disabling Contrast for process', p_id: Process.pid)
22
+ end
23
+ end
24
+
25
+ rake_tasks do
26
+ load 'contrast/tasks/service.rb'
27
+ load 'contrast/tasks/config.rb'
28
+ end
29
+ end
30
+ end
31
+ end
32
+ end
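Review bot: With the Railtie now defined inside `module Contrast::Framework::Rails`, the unqualified `Rails.logger` references in the initializer block resolve lexically to Contrast::Framework::Rails rather than ::Rails, which is presumably why the superclass became `::Rails::Railtie` in this same hunk while the two logger calls were left as they were. Unless Contrast::Framework::Rails defines a `logger` (not visible here), `defined?(Rails.logger)` is now always nil so the first debug line never fires, and the else branch raises NoMethodError instead of logging when a job server is detected. Qualify both and guard against a nil logger, which `defined?` does not do: `::Rails.logger&.debug("In railtie ::#{ app.middleware.inspect }")` and `::Rails.logger&.debug('Detected a running job server, skipping Contrast middleware insertion.')`.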
@@ -1026,6 +1026,61 @@
1026
1026
  "action": "CUSTOM",
1027
1027
  "patch_class": "ERBPropagator",
1028
1028
  "patch_method": "result_tagger"
1029
+ },
1030
+ {
1031
+ "class_name": "ActionView::Helpers::SanitizeHelper",
1032
+ "method_name": "sanitize",
1033
+ "method_visibility": "public",
1034
+ "instance_method": true,
1035
+ "source": "P0",
1036
+ "target": "R",
1037
+ "action": "REMOVE",
1038
+ "tags":["HTML_ENCODED"],
1039
+ "untags":["HTML_DECODED"]
1040
+ },
1041
+ {
1042
+ "class_name": "ActionView::Helpers::SanitizeHelper",
1043
+ "method_name": "strip_tags",
1044
+ "method_visibility": "public",
1045
+ "instance_method": true,
1046
+ "source": "P0",
1047
+ "target": "R",
1048
+ "action": "REMOVE",
1049
+ "tags":["HTML_ENCODED"],
1050
+ "untags":["HTML_DECODED"]
1051
+ },
1052
+ {
1053
+ "class_name": "Rack::Protection::EscapedParams",
1054
+ "method_name": "escape_string",
1055
+ "method_visibility": "public",
1056
+ "instance_method": true,
1057
+ "source": "P0",
1058
+ "target": "R",
1059
+ "action": "CUSTOM",
1060
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::RackProtection",
1061
+ "patch_method": "escaped_params"
1062
+ },
1063
+ {
1064
+ "class_name": "Rails::Html::FullSanitizer",
1065
+ "method_name": "sanitize",
1066
+ "method_visibility": "public",
1067
+ "instance_method": true,
1068
+ "source": "P0",
1069
+ "target": "R",
1070
+ "action": "REMOVE",
1071
+ "tags":["HTML_ENCODED"],
1072
+ "untags":["HTML_DECODED"]
1073
+ },
1074
+ {
1075
+ "class_name": "Rails::Html::SafeListSanitizer",
1076
+ "method_name": "sanitize",
1077
+ "method_visibility": "public",
1078
+ "instance_method": true,
1079
+ "source": "P0",
1080
+ "target": "R",
1081
+ "action": "REMOVE",
1082
+ "tags":["HTML_ENCODED"],
1083
+ "untags":["HTML_DECODED"]
1029
1084
  }
1030
1085
  ],
1031
1086
  "rules":[
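Review bot: The four new REMOVE entries tag the return of `sanitize`/`strip_tags` as HTML_ENCODED unconditionally, but the guarantee those methods give depends on the allow-list in force: `ActionView::Helpers::SanitizeHelper#sanitize` accepts caller-supplied `tags:` and `attributes:` options and `Rails::Html::SafeListSanitizer` is built around a configurable allowed set, so an application that widens either still gets output the policy treats as safe for an HTML context. The policy format has no way to express that condition, so I would at least document it alongside the sanitizer entries (in the propagator or policy docs, since JSON takes no comments), noting that only the FullSanitizer path — which strip_tags uses, as far as I recall — is allow-list free. Minor formatting: `"tags":["HTML_ENCODED"],` and `"untags":["HTML_DECODED"]` omit the space after the colon that every neighbouring key uses (`"source": "P0"`); write `"tags": ["HTML_ENCODED"],`. The enclosing array begins, and the JSON object continues, outside the hunk.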
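--- a/data/ruby-agent.gemspec
+++ b/data/ruby-agent.gemspec
@@ -41,6 +41,7 @@ end
 
 # Dependencies used for framework testing.
 def self.add_frameworks spec
+spec.add_development_dependency 'rack-protection', '>= 2'
 spec.add_development_dependency 'rails', '6.0.3.5'
 spec.add_development_dependency 'sinatra', '>= 2'
 end
@@ -90,7 +91,7 @@ def self.add_tested_gems spec
 spec.add_development_dependency 'async'
 spec.add_development_dependency 'execjs'
 spec.add_development_dependency 'sqlite3'
-spec.add_development_dependency 'therubyracer'
+spec.add_development_dependency 'rhino'
 spec.add_development_dependency 'tilt'
 spec.add_development_dependency 'xpath'
 end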
@@ -1 +1 @@
1
- 2.19.0
1
+ 2.20.2
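--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-version: 4.7.0
+version: 4.8.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-10 00:00:00.000000000 Z
+date: 2021-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -225,6 +225,20 @@ dependencies:
 - - '='
 - !ruby/object:Gem::Version
 version: 0.21.2
+- !ruby/object:Gem::Dependency
+name: rack-protection
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '2'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '2'
 - !ruby/object:Gem::Dependency
 name: rails
 requirement: !ruby/object:Gem::Requirement
@@ -296,7 +310,7 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
-name: therubyracer
+name: rhino
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -542,19 +556,19 @@ executables:
 extensions:
 - ext/cs__common/extconf.rb
 - ext/cs__assess_string/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
 - ext/cs__protect_kernel/extconf.rb
-- ext/cs__assess_regexp/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
-- ext/cs__assess_array/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_module/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
+- ext/cs__assess_array/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_regexp/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
 - ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_module/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
 - ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -775,6 +789,7 @@ files:
 - lib/contrast/agent/assess/policy/propagator/match_data.rb
 - lib/contrast/agent/assess/policy/propagator/next.rb
 - lib/contrast/agent/assess/policy/propagator/prepend.rb
+- lib/contrast/agent/assess/policy/propagator/rack_protection.rb
 - lib/contrast/agent/assess/policy/propagator/remove.rb
 - lib/contrast/agent/assess/policy/propagator/replace.rb
 - lib/contrast/agent/assess/policy/propagator/reverse.rb
@@ -859,7 +874,6 @@ files:
 - lib/contrast/agent/protect/rule/xss.rb
 - lib/contrast/agent/protect/rule/xxe.rb
 - lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
-- lib/contrast/agent/railtie.rb
 - lib/contrast/agent/reaction_processor.rb
 - lib/contrast/agent/request.rb
 - lib/contrast/agent/request_context.rb
@@ -973,6 +987,7 @@ files:
 - lib/contrast/framework/rails/patch/assess_configuration.rb
 - lib/contrast/framework/rails/patch/rails_application_configuration.rb
 - lib/contrast/framework/rails/patch/support.rb
+- lib/contrast/framework/rails/railtie.rb
 - lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb
 - lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb
 - lib/contrast/framework/rails/rewrite/active_record_named.rb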
@@ -1,31 +0,0 @@
1
- # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- require 'contrast/utils/job_servers_running'
5
-
6
- module Contrast
7
- module Agent
8
- # A Railtie to allow for the automatic hooking of the Agent into a Rails
9
- # application.
10
- class Railtie < Rails::Railtie
11
- include Contrast::Components::Interface
12
- access_component :agent, :app_context, :logging
13
-
14
- initializer 'Contrast Ruby Agent Initializer' do |app|
15
- Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
16
-
17
- if APP_CONTEXT.instrument_middleware_stack?
18
- AGENT.insert_middleware(app)
19
- else
20
- Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
21
- logger.debug('Disabling Contrast for process', p_id: Process.pid)
22
- end
23
- end
24
-
25
- rake_tasks do
26
- load 'contrast/tasks/service.rb'
27
- load 'contrast/tasks/config.rb'
28
- end
29
- end
30
- end
31
- end