contrast-agent 4.7.0 → 4.8.0

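--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8b3d1ce6b9794d3923d2054d9a20bd31989fd0c6b4df2883f81ad3e740c04de5
-  data.tar.gz: 894505c04e850858f83e2207c52cc944f738ce19183051d9530cfdaf09f72ab7
+  metadata.gz: e9b59d691aacb946697f5e70adca3118f87953a30209d9fb5aebb232df42ec3f
+  data.tar.gz: b4f831bbb3bf826aa0e28ee7f8040aca3f1efd9b50af63f0196124766afcdaa6
 SHA512:
-  metadata.gz: 4df81e8b3d03efcdc952e9fce5330b34c6af6a965701ec7bbe02cf3dbd5b8a3c98d8d0745da91d7b0a43be6b03ac763ffb6e9eafb9f2b857bd2a76d325d10ad2
-  data.tar.gz: 0015e74007146cf741e6b7f6274460a948a147df54109de959856f0ff883262260685f74eff8767e6ae845847eaf3d8a17dfbd54061d5b9f561952a8c6b90fef
+  metadata.gz: c37bdcf57f387aa4c8353db52eb5dff04c7c1781c31b5af7dd12e87f79c31b7fdb942031e97f5e0f5ea9d5d29407725ac2a63916080fe4041def3627426a4428
+  data.tar.gz: 2a05dab78c39243740d7357f43484c26f6ede46d05f7f28ad212fe8914fbd19887021d2fe6d217aa1e9312ea33b9a4880dcaa7a4bf4cb75a43a6ce9db56d95e2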
@@ -21,6 +21,7 @@ module Contrast
21
21
  require 'contrast/agent/assess/policy/propagator/match_data'
22
22
  require 'contrast/agent/assess/policy/propagator/next'
23
23
  require 'contrast/agent/assess/policy/propagator/prepend'
24
+ require 'contrast/agent/assess/policy/propagator/rack_protection'
24
25
  require 'contrast/agent/assess/policy/propagator/remove'
25
26
  require 'contrast/agent/assess/policy/propagator/replace'
26
27
  require 'contrast/agent/assess/policy/propagator/reverse'
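--- /dev/null
+++ b/lib/contrast/agent/assess/policy/propagator/rack_protection.rb
@@ -0,0 +1,73 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Rack::Protection offers several protections against vulnerabilities. Of these, some apply to dataflow and
+          # need to be accounted for in order to properly tag data. Others apply to configurations and may be used to
+          # suppress configuration vulnerabilities in the future.
+          class RackProtection < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # Our custom instrumentation for the Rack::Protection::EscapedParams#escape_string method
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              # propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              # the invocation of the patched method.
+              # @param ret [nil, String] the target to which to propagate.
+              # @return [nil, String] ret
+              def escaped_params propagation_node, preshift, ret, _block
+                Contrast::Agent::Assess::Policy::Propagator::Splat.propagate(propagation_node, preshift, ret)
+                apply_escaper_tags(preshift.object, ret)
+                ret
+              end
+
+              private
+
+              # Rack::Protection::EscapedParams can be configured such that it only applies certain escape. We need
+              # to account for the configuration of the individual escapes when applying tags.
+              #
+              # @param escaper [Rack::Protection::EscapedParams] the instance of Rack::Protection::EscapedParams
+              # applying the escape_string
+              # @param ret [String] the result of the escape
+              def apply_escaper_tags escaper, ret
+                # I don't know how this could not be an instance of Rack::Protection::EscapedParams, but I don't want
+                # to chance it.
+                return unless escaper.cs__is_a?(Rack::Protection::EscapedParams)
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties(ret))
+
+                tags = []
+                untags = []
+                if escaper.instance_variable_get(:@html)
+                  tags << 'HTML_ENCODED'
+                  untags << 'HTML_DECODED'
+                end
+
+                if escaper.instance_variable_get(:@javascript)
+                  tags << 'JAVASCRIPT_ENCODED'
+                  untags << 'JAVASCRIPT_DECODED'
+                end
+
+                if escaper.instance_variable_get(:@url)
+                  tags << 'URL_ENCODED'
+                  untags << 'URL_DECODED'
+                end
+
+                length = Contrast::Utils::StringUtils.ret_length(ret)
+                tags.each do |tag|
+                  properties.add_tag(tag, 0...length)
+                end
+
+                untags.each do |tag|
+                  properties.delete_tags(tag)
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end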
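Review bot: `apply_escaper_tags` decides which encoding tags to apply by reading `@html`, `@javascript` and `@url` off the Rack::Protection::EscapedParams instance with `instance_variable_get`, which is private state of a third-party gem with no compatibility promise. If a rack-protection release renames or restructures those flags, every branch is silently skipped and the escaped string keeps only its untrusted tags, so the agent reports XSS the middleware already neutralised; if they come to mean something else, the string is wrongly marked encoded and a real finding is suppressed. Since the gemspec only requires `rack-protection >= 2`, I would record the coupling where it lives, e.g. above the first `if`: `# NOTE: mirrors the private @html/@javascript/@url flags EscapedParams sets on itself; re-verify on each rack-protection upgrade.` A spec that fails when none of the three ivars is defined on a real EscapedParams instance would catch that drift in CI rather than in production findings.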
@@ -3,6 +3,6 @@
3
3
 
4
4
  module Contrast
5
5
  module Agent
6
- VERSION = '4.7.0'
6
+ VERSION = '4.8.0'
7
7
  end
8
8
  end
@@ -20,7 +20,7 @@ module Contrast
20
20
  # (i.e., where we normally patch) we will miss the configuration
21
21
  # and will never be able to report session misconfiguration rules.
22
22
  Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
23
- require 'contrast/agent/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
23
+ require 'contrast/framework/rails/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
24
24
  end
25
25
 
26
26
  # (See BaseSupport#after_load_patches)
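--- /dev/null
+++ b/lib/contrast/framework/rails/railtie.rb
@@ -0,0 +1,32 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/job_servers_running'
+
+module Contrast
+  module Framework
+    module Rails
+      # A Railtie to allow for the automatic hooking of the Agent into a Rails application.
+      class Railtie < ::Rails::Railtie
+        include Contrast::Components::Interface
+        access_component :agent, :app_context, :logging
+
+        initializer 'Contrast Ruby Agent Initializer' do |app|
+          Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
+
+          if APP_CONTEXT.instrument_middleware_stack?
+            AGENT.insert_middleware(app)
+          else
+            Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
+            logger.debug('Disabling Contrast for process', p_id: Process.pid)
+          end
+        end
+
+        rake_tasks do
+          load 'contrast/tasks/service.rb'
+          load 'contrast/tasks/config.rb'
+        end
+      end
+    end
+  end
+end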
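Review bot: Inside `module Contrast::Framework::Rails`, the bare constant `Rails` on the two `Rails.logger.debug(...)` lines resolves lexically to `Contrast::Framework::Rails` (via the `Rails` constant of the enclosing `Contrast::Framework`), not to the framework, so the commit's own change of the superclass to `::Rails::Railtie` needs to be mirrored there. The first call is shielded because `defined?(Rails.logger)` returns nil for the Contrast module (unless it defines a `logger` method, which nothing on the page shows), but the one in the `else` branch is unguarded and would raise NoMethodError precisely on the job-server path where the agent is trying to stand down. Changing both to `::Rails.logger.debug(...)` and the guard to `defined?(::Rails) && defined?(::Rails.logger)` restores what the removed Contrast::Agent::Railtie presumably did, where `Rails` had no Contrast-side constant to shadow it.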
@@ -1026,6 +1026,61 @@
1026
1026
  "action": "CUSTOM",
1027
1027
  "patch_class": "ERBPropagator",
1028
1028
  "patch_method": "result_tagger"
1029
+ },
1030
+ {
1031
+ "class_name": "ActionView::Helpers::SanitizeHelper",
1032
+ "method_name": "sanitize",
1033
+ "method_visibility": "public",
1034
+ "instance_method": true,
1035
+ "source": "P0",
1036
+ "target": "R",
1037
+ "action": "REMOVE",
1038
+ "tags":["HTML_ENCODED"],
1039
+ "untags":["HTML_DECODED"]
1040
+ },
1041
+ {
1042
+ "class_name": "ActionView::Helpers::SanitizeHelper",
1043
+ "method_name": "strip_tags",
1044
+ "method_visibility": "public",
1045
+ "instance_method": true,
1046
+ "source": "P0",
1047
+ "target": "R",
1048
+ "action": "REMOVE",
1049
+ "tags":["HTML_ENCODED"],
1050
+ "untags":["HTML_DECODED"]
1051
+ },
1052
+ {
1053
+ "class_name": "Rack::Protection::EscapedParams",
1054
+ "method_name": "escape_string",
1055
+ "method_visibility": "public",
1056
+ "instance_method": true,
1057
+ "source": "P0",
1058
+ "target": "R",
1059
+ "action": "CUSTOM",
1060
+ "patch_class": "Contrast::Agent::Assess::Policy::Propagator::RackProtection",
1061
+ "patch_method": "escaped_params"
1062
+ },
1063
+ {
1064
+ "class_name": "Rails::Html::FullSanitizer",
1065
+ "method_name": "sanitize",
1066
+ "method_visibility": "public",
1067
+ "instance_method": true,
1068
+ "source": "P0",
1069
+ "target": "R",
1070
+ "action": "REMOVE",
1071
+ "tags":["HTML_ENCODED"],
1072
+ "untags":["HTML_DECODED"]
1073
+ },
1074
+ {
1075
+ "class_name": "Rails::Html::SafeListSanitizer",
1076
+ "method_name": "sanitize",
1077
+ "method_visibility": "public",
1078
+ "instance_method": true,
1079
+ "source": "P0",
1080
+ "target": "R",
1081
+ "action": "REMOVE",
1082
+ "tags":["HTML_ENCODED"],
1083
+ "untags":["HTML_DECODED"]
1029
1084
  }
1030
1085
  ],
1031
1086
  "rules":[
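Review bot: The new `ActionView::Helpers::SanitizeHelper#sanitize` and `Rails::Html::SafeListSanitizer#sanitize` entries apply `HTML_ENCODED` to the result, but safelist sanitization by design leaves permitted tags and attributes in the string, so the tag overstates the guarantee compared with the `FullSanitizer` and `strip_tags` entries, which do remove all markup. Treating sanitized output as encoded suppresses findings where that output is later placed in an attribute, URL or script context that a safelist does not protect, which is a false-negative risk for the XSS rule. If the tag vocabulary has a sanitization-specific tag, I would use it for those two entries; otherwise the trade-off should be stated in the change description, since policy.json cannot carry a comment. The propagators array these objects belong to opens before this hunk.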
data/ruby-agent.gemspec CHANGED
@@ -41,6 +41,7 @@ end
41
41
 
42
42
  # Dependencies used for framework testing.
43
43
  def self.add_frameworks spec
44
+ spec.add_development_dependency 'rack-protection', '>= 2'
44
45
  spec.add_development_dependency 'rails', '6.0.3.5'
45
46
  spec.add_development_dependency 'sinatra', '>= 2'
46
47
  end
@@ -90,7 +91,7 @@ def self.add_tested_gems spec
90
91
  spec.add_development_dependency 'async'
91
92
  spec.add_development_dependency 'execjs'
92
93
  spec.add_development_dependency 'sqlite3'
93
- spec.add_development_dependency 'therubyracer'
94
+ spec.add_development_dependency 'rhino'
94
95
  spec.add_development_dependency 'tilt'
95
96
  spec.add_development_dependency 'xpath'
96
97
  end
@@ -1 +1 @@
1
- 2.19.0
1
+ 2.20.2
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: contrast-agent
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.7.0
4
+ version: 4.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
13
13
  autorequire:
14
14
  bindir: exe
15
15
  cert_chain: []
16
- date: 2021-05-10 00:00:00.000000000 Z
16
+ date: 2021-05-20 00:00:00.000000000 Z
17
17
  dependencies:
18
18
  - !ruby/object:Gem::Dependency
19
19
  name: bundler
@@ -225,6 +225,20 @@ dependencies:
225
225
  - - '='
226
226
  - !ruby/object:Gem::Version
227
227
  version: 0.21.2
228
+ - !ruby/object:Gem::Dependency
229
+ name: rack-protection
230
+ requirement: !ruby/object:Gem::Requirement
231
+ requirements:
232
+ - - ">="
233
+ - !ruby/object:Gem::Version
234
+ version: '2'
235
+ type: :development
236
+ prerelease: false
237
+ version_requirements: !ruby/object:Gem::Requirement
238
+ requirements:
239
+ - - ">="
240
+ - !ruby/object:Gem::Version
241
+ version: '2'
228
242
  - !ruby/object:Gem::Dependency
229
243
  name: rails
230
244
  requirement: !ruby/object:Gem::Requirement
@@ -296,7 +310,7 @@ dependencies:
296
310
  - !ruby/object:Gem::Version
297
311
  version: '0'
298
312
  - !ruby/object:Gem::Dependency
299
- name: therubyracer
313
+ name: rhino
300
314
  requirement: !ruby/object:Gem::Requirement
301
315
  requirements:
302
316
  - - ">="
@@ -542,19 +556,19 @@ executables:
542
556
  extensions:
543
557
  - ext/cs__common/extconf.rb
544
558
  - ext/cs__assess_string/extconf.rb
559
+ - ext/cs__assess_kernel/extconf.rb
545
560
  - ext/cs__protect_kernel/extconf.rb
546
- - ext/cs__assess_regexp/extconf.rb
547
- - ext/cs__contrast_patch/extconf.rb
548
- - ext/cs__assess_array/extconf.rb
549
- - ext/cs__assess_yield_track/extconf.rb
561
+ - ext/cs__assess_module/extconf.rb
562
+ - ext/cs__assess_active_record_named/extconf.rb
550
563
  - ext/cs__assess_fiber_track/extconf.rb
564
+ - ext/cs__assess_array/extconf.rb
565
+ - ext/cs__contrast_patch/extconf.rb
566
+ - ext/cs__assess_string_interpolation26/extconf.rb
567
+ - ext/cs__assess_regexp/extconf.rb
551
568
  - ext/cs__assess_marshal_module/extconf.rb
552
569
  - ext/cs__assess_basic_object/extconf.rb
553
- - ext/cs__assess_module/extconf.rb
554
- - ext/cs__assess_kernel/extconf.rb
555
570
  - ext/cs__assess_hash/extconf.rb
556
- - ext/cs__assess_active_record_named/extconf.rb
557
- - ext/cs__assess_string_interpolation26/extconf.rb
571
+ - ext/cs__assess_yield_track/extconf.rb
558
572
  extra_rdoc_files: []
559
573
  files:
560
574
  - ".clang-format"
@@ -775,6 +789,7 @@ files:
775
789
  - lib/contrast/agent/assess/policy/propagator/match_data.rb
776
790
  - lib/contrast/agent/assess/policy/propagator/next.rb
777
791
  - lib/contrast/agent/assess/policy/propagator/prepend.rb
792
+ - lib/contrast/agent/assess/policy/propagator/rack_protection.rb
778
793
  - lib/contrast/agent/assess/policy/propagator/remove.rb
779
794
  - lib/contrast/agent/assess/policy/propagator/replace.rb
780
795
  - lib/contrast/agent/assess/policy/propagator/reverse.rb
@@ -859,7 +874,6 @@ files:
859
874
  - lib/contrast/agent/protect/rule/xss.rb
860
875
  - lib/contrast/agent/protect/rule/xxe.rb
861
876
  - lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
862
- - lib/contrast/agent/railtie.rb
863
877
  - lib/contrast/agent/reaction_processor.rb
864
878
  - lib/contrast/agent/request.rb
865
879
  - lib/contrast/agent/request_context.rb
@@ -973,6 +987,7 @@ files:
973
987
  - lib/contrast/framework/rails/patch/assess_configuration.rb
974
988
  - lib/contrast/framework/rails/patch/rails_application_configuration.rb
975
989
  - lib/contrast/framework/rails/patch/support.rb
990
+ - lib/contrast/framework/rails/railtie.rb
976
991
  - lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb
977
992
  - lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb
978
993
  - lib/contrast/framework/rails/rewrite/active_record_named.rb
@@ -1,31 +0,0 @@
1
- # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- require 'contrast/utils/job_servers_running'
5
-
6
- module Contrast
7
- module Agent
8
- # A Railtie to allow for the automatic hooking of the Agent into a Rails
9
- # application.
10
- class Railtie < Rails::Railtie
11
- include Contrast::Components::Interface
12
- access_component :agent, :app_context, :logging
13
-
14
- initializer 'Contrast Ruby Agent Initializer' do |app|
15
- Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if defined?(Rails) && defined?(Rails.logger)
16
-
17
- if APP_CONTEXT.instrument_middleware_stack?
18
- AGENT.insert_middleware(app)
19
- else
20
- Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
21
- logger.debug('Disabling Contrast for process', p_id: Process.pid)
22
- end
23
- end
24
-
25
- rake_tasks do
26
- load 'contrast/tasks/service.rb'
27
- load 'contrast/tasks/config.rb'
28
- end
29
- end
30
- end
31
- end