contrast-agent 4.7.0 → 4.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +73 -0
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +1 -1
- data/lib/contrast/framework/rails/railtie.rb +32 -0
- data/resources/assess/policy.json +55 -0
- data/ruby-agent.gemspec +2 -1
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +27 -12
- data/lib/contrast/agent/railtie.rb +0 -31
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e9b59d691aacb946697f5e70adca3118f87953a30209d9fb5aebb232df42ec3f
|
|
4
|
+
data.tar.gz: b4f831bbb3bf826aa0e28ee7f8040aca3f1efd9b50af63f0196124766afcdaa6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c37bdcf57f387aa4c8353db52eb5dff04c7c1781c31b5af7dd12e87f79c31b7fdb942031e97f5e0f5ea9d5d29407725ac2a63916080fe4041def3627426a4428
|
|
7
|
+
data.tar.gz: 2a05dab78c39243740d7357f43484c26f6ede46d05f7f28ad212fe8914fbd19887021d2fe6d217aa1e9312ea33b9a4880dcaa7a4bf4cb75a43a6ce9db56d95e2
|
|
@@ -21,6 +21,7 @@ module Contrast
|
|
|
21
21
|
require 'contrast/agent/assess/policy/propagator/match_data'
|
|
22
22
|
require 'contrast/agent/assess/policy/propagator/next'
|
|
23
23
|
require 'contrast/agent/assess/policy/propagator/prepend'
|
|
24
|
+
require 'contrast/agent/assess/policy/propagator/rack_protection'
|
|
24
25
|
require 'contrast/agent/assess/policy/propagator/remove'
|
|
25
26
|
require 'contrast/agent/assess/policy/propagator/replace'
|
|
26
27
|
require 'contrast/agent/assess/policy/propagator/reverse'
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
module Contrast
|
|
5
|
+
module Agent
|
|
6
|
+
module Assess
|
|
7
|
+
module Policy
|
|
8
|
+
module Propagator
|
|
9
|
+
# Rack::Protection offers several protections against vulnerabilities. Of these, some apply to dataflow and
|
|
10
|
+
# need to be accounted for in order to properly tag data. Others apply to configurations and may be used to
|
|
11
|
+
# suppress configuration vulnerabilities in the future.
|
|
12
|
+
class RackProtection < Contrast::Agent::Assess::Policy::Propagator::Base
|
|
13
|
+
class << self
|
|
14
|
+
# Our custom instrumentation for the Rack::Protection::EscapedParams#escape_string method
|
|
15
|
+
# @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
|
|
16
|
+
# propagation event.
|
|
17
|
+
# @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
|
|
18
|
+
# the invocation of the patched method.
|
|
19
|
+
# @param ret [nil, String] the target to which to propagate.
|
|
20
|
+
# @return [nil, String] ret
|
|
21
|
+
def escaped_params propagation_node, preshift, ret, _block
|
|
22
|
+
Contrast::Agent::Assess::Policy::Propagator::Splat.propagate(propagation_node, preshift, ret)
|
|
23
|
+
apply_escaper_tags(preshift.object, ret)
|
|
24
|
+
ret
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
|
|
29
|
+
# Rack::Protection::EscapedParams can be configured such that it only applies certain escape. We need
|
|
30
|
+
# to account for the configuration of the individual escapes when applying tags.
|
|
31
|
+
#
|
|
32
|
+
# @param escaper [Rack::Protection::EscapedParams] the instance of Rack::Protection::EscapedParams
|
|
33
|
+
# applying the escape_string
|
|
34
|
+
# @param ret [String] the result of the escape
|
|
35
|
+
def apply_escaper_tags escaper, ret
|
|
36
|
+
# I don't know how this could not be an instance of Rack::Protection::EscapedParams, but I don't want
|
|
37
|
+
# to chance it.
|
|
38
|
+
return unless escaper.cs__is_a?(Rack::Protection::EscapedParams)
|
|
39
|
+
return unless (properties = Contrast::Agent::Assess::Tracker.properties(ret))
|
|
40
|
+
|
|
41
|
+
tags = []
|
|
42
|
+
untags = []
|
|
43
|
+
if escaper.instance_variable_get(:@html)
|
|
44
|
+
tags << 'HTML_ENCODED'
|
|
45
|
+
untags << 'HTML_DECODED'
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
if escaper.instance_variable_get(:@javascript)
|
|
49
|
+
tags << 'JAVASCRIPT_ENCODED'
|
|
50
|
+
untags << 'JAVASCRIPT_DECODED'
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
if escaper.instance_variable_get(:@url)
|
|
54
|
+
tags << 'URL_ENCODED'
|
|
55
|
+
untags << 'URL_DECODED'
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
length = Contrast::Utils::StringUtils.ret_length(ret)
|
|
59
|
+
tags.each do |tag|
|
|
60
|
+
properties.add_tag(tag, 0...length)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
untags.each do |tag|
|
|
64
|
+
properties.delete_tags(tag)
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
@@ -20,7 +20,7 @@ module Contrast
|
|
|
20
20
|
# (i.e., where we normally patch) we will miss the configuration
|
|
21
21
|
# and will never be able to report session misconfiguration rules.
|
|
22
22
|
Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
|
|
23
|
-
require 'contrast/
|
|
23
|
+
require 'contrast/framework/rails/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
# (See BaseSupport#after_load_patches)
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require 'contrast/utils/job_servers_running'
|
|
5
|
+
|
|
6
|
+
module Contrast
|
|
7
|
+
module Framework
|
|
8
|
+
module Rails
|
|
9
|
+
# A Railtie to allow for the automatic hooking of the Agent into a Rails application.
|
|
10
|
+
class Railtie < ::Rails::Railtie
|
|
11
|
+
include Contrast::Components::Interface
|
|
12
|
+
access_component :agent, :app_context, :logging
|
|
13
|
+
|
|
14
|
+
initializer 'Contrast Ruby Agent Initializer' do |app|
|
|
15
|
+
Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
|
|
16
|
+
|
|
17
|
+
if APP_CONTEXT.instrument_middleware_stack?
|
|
18
|
+
AGENT.insert_middleware(app)
|
|
19
|
+
else
|
|
20
|
+
Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
|
|
21
|
+
logger.debug('Disabling Contrast for process', p_id: Process.pid)
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
rake_tasks do
|
|
26
|
+
load 'contrast/tasks/service.rb'
|
|
27
|
+
load 'contrast/tasks/config.rb'
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -1026,6 +1026,61 @@
|
|
|
1026
1026
|
"action": "CUSTOM",
|
|
1027
1027
|
"patch_class": "ERBPropagator",
|
|
1028
1028
|
"patch_method": "result_tagger"
|
|
1029
|
+
},
|
|
1030
|
+
{
|
|
1031
|
+
"class_name": "ActionView::Helpers::SanitizeHelper",
|
|
1032
|
+
"method_name": "sanitize",
|
|
1033
|
+
"method_visibility": "public",
|
|
1034
|
+
"instance_method": true,
|
|
1035
|
+
"source": "P0",
|
|
1036
|
+
"target": "R",
|
|
1037
|
+
"action": "REMOVE",
|
|
1038
|
+
"tags":["HTML_ENCODED"],
|
|
1039
|
+
"untags":["HTML_DECODED"]
|
|
1040
|
+
},
|
|
1041
|
+
{
|
|
1042
|
+
"class_name": "ActionView::Helpers::SanitizeHelper",
|
|
1043
|
+
"method_name": "strip_tags",
|
|
1044
|
+
"method_visibility": "public",
|
|
1045
|
+
"instance_method": true,
|
|
1046
|
+
"source": "P0",
|
|
1047
|
+
"target": "R",
|
|
1048
|
+
"action": "REMOVE",
|
|
1049
|
+
"tags":["HTML_ENCODED"],
|
|
1050
|
+
"untags":["HTML_DECODED"]
|
|
1051
|
+
},
|
|
1052
|
+
{
|
|
1053
|
+
"class_name": "Rack::Protection::EscapedParams",
|
|
1054
|
+
"method_name": "escape_string",
|
|
1055
|
+
"method_visibility": "public",
|
|
1056
|
+
"instance_method": true,
|
|
1057
|
+
"source": "P0",
|
|
1058
|
+
"target": "R",
|
|
1059
|
+
"action": "CUSTOM",
|
|
1060
|
+
"patch_class": "Contrast::Agent::Assess::Policy::Propagator::RackProtection",
|
|
1061
|
+
"patch_method": "escaped_params"
|
|
1062
|
+
},
|
|
1063
|
+
{
|
|
1064
|
+
"class_name": "Rails::Html::FullSanitizer",
|
|
1065
|
+
"method_name": "sanitize",
|
|
1066
|
+
"method_visibility": "public",
|
|
1067
|
+
"instance_method": true,
|
|
1068
|
+
"source": "P0",
|
|
1069
|
+
"target": "R",
|
|
1070
|
+
"action": "REMOVE",
|
|
1071
|
+
"tags":["HTML_ENCODED"],
|
|
1072
|
+
"untags":["HTML_DECODED"]
|
|
1073
|
+
},
|
|
1074
|
+
{
|
|
1075
|
+
"class_name": "Rails::Html::SafeListSanitizer",
|
|
1076
|
+
"method_name": "sanitize",
|
|
1077
|
+
"method_visibility": "public",
|
|
1078
|
+
"instance_method": true,
|
|
1079
|
+
"source": "P0",
|
|
1080
|
+
"target": "R",
|
|
1081
|
+
"action": "REMOVE",
|
|
1082
|
+
"tags":["HTML_ENCODED"],
|
|
1083
|
+
"untags":["HTML_DECODED"]
|
|
1029
1084
|
}
|
|
1030
1085
|
],
|
|
1031
1086
|
"rules":[
|
data/ruby-agent.gemspec
CHANGED
|
@@ -41,6 +41,7 @@ end
|
|
|
41
41
|
|
|
42
42
|
# Dependencies used for framework testing.
|
|
43
43
|
def self.add_frameworks spec
|
|
44
|
+
spec.add_development_dependency 'rack-protection', '>= 2'
|
|
44
45
|
spec.add_development_dependency 'rails', '6.0.3.5'
|
|
45
46
|
spec.add_development_dependency 'sinatra', '>= 2'
|
|
46
47
|
end
|
|
@@ -90,7 +91,7 @@ def self.add_tested_gems spec
|
|
|
90
91
|
spec.add_development_dependency 'async'
|
|
91
92
|
spec.add_development_dependency 'execjs'
|
|
92
93
|
spec.add_development_dependency 'sqlite3'
|
|
93
|
-
spec.add_development_dependency '
|
|
94
|
+
spec.add_development_dependency 'rhino'
|
|
94
95
|
spec.add_development_dependency 'tilt'
|
|
95
96
|
spec.add_development_dependency 'xpath'
|
|
96
97
|
end
|
data/service_executables/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.
|
|
1
|
+
2.20.2
|
|
Binary file
|
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: contrast-agent
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- galen.palmer@contrastsecurity.com
|
|
@@ -13,7 +13,7 @@ authors:
|
|
|
13
13
|
autorequire:
|
|
14
14
|
bindir: exe
|
|
15
15
|
cert_chain: []
|
|
16
|
-
date: 2021-05-
|
|
16
|
+
date: 2021-05-20 00:00:00.000000000 Z
|
|
17
17
|
dependencies:
|
|
18
18
|
- !ruby/object:Gem::Dependency
|
|
19
19
|
name: bundler
|
|
@@ -225,6 +225,20 @@ dependencies:
|
|
|
225
225
|
- - '='
|
|
226
226
|
- !ruby/object:Gem::Version
|
|
227
227
|
version: 0.21.2
|
|
228
|
+
- !ruby/object:Gem::Dependency
|
|
229
|
+
name: rack-protection
|
|
230
|
+
requirement: !ruby/object:Gem::Requirement
|
|
231
|
+
requirements:
|
|
232
|
+
- - ">="
|
|
233
|
+
- !ruby/object:Gem::Version
|
|
234
|
+
version: '2'
|
|
235
|
+
type: :development
|
|
236
|
+
prerelease: false
|
|
237
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
238
|
+
requirements:
|
|
239
|
+
- - ">="
|
|
240
|
+
- !ruby/object:Gem::Version
|
|
241
|
+
version: '2'
|
|
228
242
|
- !ruby/object:Gem::Dependency
|
|
229
243
|
name: rails
|
|
230
244
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -296,7 +310,7 @@ dependencies:
|
|
|
296
310
|
- !ruby/object:Gem::Version
|
|
297
311
|
version: '0'
|
|
298
312
|
- !ruby/object:Gem::Dependency
|
|
299
|
-
name:
|
|
313
|
+
name: rhino
|
|
300
314
|
requirement: !ruby/object:Gem::Requirement
|
|
301
315
|
requirements:
|
|
302
316
|
- - ">="
|
|
@@ -542,19 +556,19 @@ executables:
|
|
|
542
556
|
extensions:
|
|
543
557
|
- ext/cs__common/extconf.rb
|
|
544
558
|
- ext/cs__assess_string/extconf.rb
|
|
559
|
+
- ext/cs__assess_kernel/extconf.rb
|
|
545
560
|
- ext/cs__protect_kernel/extconf.rb
|
|
546
|
-
- ext/
|
|
547
|
-
- ext/
|
|
548
|
-
- ext/cs__assess_array/extconf.rb
|
|
549
|
-
- ext/cs__assess_yield_track/extconf.rb
|
|
561
|
+
- ext/cs__assess_module/extconf.rb
|
|
562
|
+
- ext/cs__assess_active_record_named/extconf.rb
|
|
550
563
|
- ext/cs__assess_fiber_track/extconf.rb
|
|
564
|
+
- ext/cs__assess_array/extconf.rb
|
|
565
|
+
- ext/cs__contrast_patch/extconf.rb
|
|
566
|
+
- ext/cs__assess_string_interpolation26/extconf.rb
|
|
567
|
+
- ext/cs__assess_regexp/extconf.rb
|
|
551
568
|
- ext/cs__assess_marshal_module/extconf.rb
|
|
552
569
|
- ext/cs__assess_basic_object/extconf.rb
|
|
553
|
-
- ext/cs__assess_module/extconf.rb
|
|
554
|
-
- ext/cs__assess_kernel/extconf.rb
|
|
555
570
|
- ext/cs__assess_hash/extconf.rb
|
|
556
|
-
- ext/
|
|
557
|
-
- ext/cs__assess_string_interpolation26/extconf.rb
|
|
571
|
+
- ext/cs__assess_yield_track/extconf.rb
|
|
558
572
|
extra_rdoc_files: []
|
|
559
573
|
files:
|
|
560
574
|
- ".clang-format"
|
|
@@ -775,6 +789,7 @@ files:
|
|
|
775
789
|
- lib/contrast/agent/assess/policy/propagator/match_data.rb
|
|
776
790
|
- lib/contrast/agent/assess/policy/propagator/next.rb
|
|
777
791
|
- lib/contrast/agent/assess/policy/propagator/prepend.rb
|
|
792
|
+
- lib/contrast/agent/assess/policy/propagator/rack_protection.rb
|
|
778
793
|
- lib/contrast/agent/assess/policy/propagator/remove.rb
|
|
779
794
|
- lib/contrast/agent/assess/policy/propagator/replace.rb
|
|
780
795
|
- lib/contrast/agent/assess/policy/propagator/reverse.rb
|
|
@@ -859,7 +874,6 @@ files:
|
|
|
859
874
|
- lib/contrast/agent/protect/rule/xss.rb
|
|
860
875
|
- lib/contrast/agent/protect/rule/xxe.rb
|
|
861
876
|
- lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
|
|
862
|
-
- lib/contrast/agent/railtie.rb
|
|
863
877
|
- lib/contrast/agent/reaction_processor.rb
|
|
864
878
|
- lib/contrast/agent/request.rb
|
|
865
879
|
- lib/contrast/agent/request_context.rb
|
|
@@ -973,6 +987,7 @@ files:
|
|
|
973
987
|
- lib/contrast/framework/rails/patch/assess_configuration.rb
|
|
974
988
|
- lib/contrast/framework/rails/patch/rails_application_configuration.rb
|
|
975
989
|
- lib/contrast/framework/rails/patch/support.rb
|
|
990
|
+
- lib/contrast/framework/rails/railtie.rb
|
|
976
991
|
- lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb
|
|
977
992
|
- lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb
|
|
978
993
|
- lib/contrast/framework/rails/rewrite/active_record_named.rb
|
|
@@ -1,31 +0,0 @@
|
|
|
1
|
-
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
-
# frozen_string_literal: true
|
|
3
|
-
|
|
4
|
-
require 'contrast/utils/job_servers_running'
|
|
5
|
-
|
|
6
|
-
module Contrast
|
|
7
|
-
module Agent
|
|
8
|
-
# A Railtie to allow for the automatic hooking of the Agent into a Rails
|
|
9
|
-
# application.
|
|
10
|
-
class Railtie < Rails::Railtie
|
|
11
|
-
include Contrast::Components::Interface
|
|
12
|
-
access_component :agent, :app_context, :logging
|
|
13
|
-
|
|
14
|
-
initializer 'Contrast Ruby Agent Initializer' do |app|
|
|
15
|
-
Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
|
|
16
|
-
|
|
17
|
-
if APP_CONTEXT.instrument_middleware_stack?
|
|
18
|
-
AGENT.insert_middleware(app)
|
|
19
|
-
else
|
|
20
|
-
Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
|
|
21
|
-
logger.debug('Disabling Contrast for process', p_id: Process.pid)
|
|
22
|
-
end
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
rake_tasks do
|
|
26
|
-
load 'contrast/tasks/service.rb'
|
|
27
|
-
load 'contrast/tasks/config.rb'
|
|
28
|
-
end
|
|
29
|
-
end
|
|
30
|
-
end
|
|
31
|
-
end
|