contrast-agent 4.9.1 → 4.10.0

data/lib/contrast/agent/reaction_processor.rb

@@ -9,7 +9,7 @@ module Contrast
     # Because communication between the Agent/Service and TeamServer can only be initiated by outbound connections
     # from the Agent/Service, we must provide a mechanism for the TeamServer to direct the Agent to take a specific
     # action. This action is referred to as a Reaction. This class is how we handle those Reaction messages.
-    class ReactionProcessor
+    module ReactionProcessor
       extend Contrast::Components::Logger::InstanceMethods
 
       # Process the given Reactions from the application settings based on what

data/lib/contrast/agent/request.rb

@@ -183,8 +183,11 @@ module Contrast
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res
         when Enumerable
-          res = val.each_with_index.each_with_object({}) do |(v, i), hash|
-            hash.merge! normalize_params(v, prefix: "#{ prefix }[#{ i }]")
+          idx = 0
+          res = {}
+          while idx < val.size
+            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
+            idx += 1
           end
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res

data/lib/contrast/agent/request_context.rb

@@ -4,15 +4,14 @@
 require 'contrast/utils/timer'
 require 'contrast/agent/request'
 require 'contrast/agent/response'
-require 'contrast/utils/inventory_util'
+require 'contrast/agent/inventory/database_config'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 
 module Contrast
   module Agent
-    # This class acts to encapsulate information about the currently executed
-    # request, making it available to the Agent for the duration of the request
-    # in a standardized and normalized format which the Agent understands.
+    # This class acts to encapsulate information about the currently executed request, making it available to the Agent
+    # for the duration of the request in a standardized and normalized format which the Agent understands.
     #
     # @attr_reader timer [Contrast::Utils::Timer] when the context was created
     # @attr_reader logging_hash [Hash] context used to log the request
@@ -85,9 +84,11 @@ module Contrast
         @sample_response
       end
 
-      # Convert the discovered route for this request to appropriate forms and
-      # disseminate it to those locations where it is necessary for our route
-      # coverage and finding vulnerability discovery features to function.
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
+      #   framework
       def append_route_coverage route
         return unless route
 
@@ -108,8 +109,8 @@ module Contrast
       # Collect the results for the given rule with the given action
       #
       # @param rule [String] the id of the rule to which the results apply
-      # @param response_type [Symbol] the result of the response, matching a
-      #   value of Contrast::Api::Dtm::AttackResult::ResponseType
+      # @param response_type [Symbol] the result of the response, matching a value of
+      #   Contrast::Api::Dtm::AttackResult::ResponseType
       # @return [Array<Contrast::Api::Dtm::AttackResult>]
       def results_for rule, response_type = nil
         if response_type.nil?
@@ -145,10 +146,9 @@ module Contrast
         false
       end
 
-      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations
-      # when the protect state indicates a security exception should be thrown. This method
-      # ensures that the attack reports are generated. Normally these should be generated on
-      # Speedracer for any attacks detected during prefilter.
+      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
+      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
+      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def handle_protect_state agent_settings
@@ -165,9 +165,8 @@ module Contrast
         raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
       end
 
-      # append anything we've learned to the request seen message
-      # this is the sum-total of all inventory information that has
-      # been accumulated since the last request
+      # append anything we've learned to the request seen message this is the sum-total of all inventory information
+      # that has been accumulated since the last request
       def extract_after rack_response
         @response = Contrast::Agent::Response.new(rack_response)
         activity.http_response = @response.dtm if @sample_response
@@ -185,14 +184,13 @@ module Contrast
 
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
-        @server_activity = Contrast::Api::Dtm::ServerActivity.new # it doesn't look like this is ever actually used?
+        @server_activity = Contrast::Api::Dtm::ServerActivity.new
         @observed_route = Contrast::Api::Dtm::ObservedRoute.new
       end
 
       private
 
-      # Generate attack results directly from any evaluations on the
-      # agent settings object.
+      # Generate attack results directly from any evaluations on the agent settings object.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def build_attack_results agent_settings
@@ -207,9 +205,8 @@ module Contrast
           logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
 
           attack_result = if rule.mode == :BLOCK
-                            # special case for rules (like reflected xss)
-                            # that used to have an infilter / block
-                            # mode but now are just block at perimeter
+                            # special case for rules (like reflected xss) that used to have an infilter / block mode
+                            # but now are just block at perimeter
                             rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
                                                          ia_result.value)
                           else

data/lib/contrast/agent/static_analysis.rb

@@ -28,7 +28,7 @@ module Contrast
 
           app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
 
-          Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
+          Contrast::Agent::Inventory::DatabaseConfig.append_db_config(app_update_msg)
           Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
         end
 

data/lib/contrast/agent/tracepoint_hook.rb

@@ -35,10 +35,15 @@ module Contrast
             path = tracepoint_event.path
             return if path&.include?('contrast')
 
+            Contrast::Agent.framework_manager.register_late_framework(loaded_module)
             Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
             Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
-            Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module) if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+            if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module)
+            end
             Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)
+          rescue StandardError => e
+            logger.error('Unable to complete TracePoint analysis', e, module: loaded_module)
           end
         end
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.9.1'
+    VERSION = '4.10.0'
   end
 end

data/lib/contrast/api/communication/messaging_queue.rb

@@ -11,10 +11,9 @@ module Contrast
       class MessagingQueue < Contrast::Agent::WorkerThread
         include Contrast::Components::Logger::InstanceMethods
 
-        attr_reader :queue, :speedracer
+        attr_reader :speedracer
 
         def initialize
-          @queue = Queue.new
           @speedracer = Contrast::Api::Communication::Speedracer.new
           super
         end
@@ -28,6 +27,10 @@ module Contrast
           speedracer.return_response(event)
         end
 
+        def queue
+          @_queue ||= Queue.new
+        end
+
         # Use this to add a message to the queue and process the response internally
         def send_event_eventually event
           if ::Contrast::AGENT.disabled?
@@ -42,7 +45,6 @@ module Contrast
           speedracer.ensure_startup!
           return if running?
 
-          @queue ||= Queue.new
           @_thread = Contrast::Agent::Thread.new do
             loop do
               event = queue.pop
@@ -58,13 +60,17 @@ module Contrast
           logger.debug('Started background sending thread.')
         end
 
+        def delete_queue!
+          @_queue&.clear
+          @_queue&.close
+          @_queue = nil
+        end
+
         def stop!
           return unless running?
 
           super
-          @queue&.clear
-          @queue&.close
-          @queue = nil
+          delete_queue!
         end
       end
     end

data/lib/contrast/api/communication/service_lifecycle.rb

@@ -6,10 +6,13 @@ require 'contrast/components/logger'
 module Contrast
   module Api
     module Communication
-      # Handles local service startup
+      # Handles local service startup. As this should only ever be invoked by the Speedracer class, which includes
+      # this, all methods here are private.
       module ServiceLifecycle
         include Contrast::Components::Logger::InstanceMethods
 
+        private
+
         def attempt_local_service_startup
           zombie_check
           service_starter_thread.join(5)

data/lib/contrast/api/communication/socket_client.rb

@@ -37,8 +37,7 @@ module Contrast
           log_connection
           if ::Contrast::CONTRAST_SERVICE.use_tcp?
             Contrast::Api::Communication::TcpSocket.new(
-              ::Contrast::CONTRAST_SERVICE.host, ::Contrast::CONTRAST_SERVICE.port
-            )
+                ::Contrast::CONTRAST_SERVICE.host, ::Contrast::CONTRAST_SERVICE.port)
           else
             Contrast::Api::Communication::UnixSocket.new(::Contrast::CONTRAST_SERVICE.socket_path)
           end
@@ -61,8 +60,9 @@ module Contrast
 
           # Or something is not set.
           logger.warn(
-            log_connection_error_msg, host: ::Contrast::CONTRAST_SERVICE.host, port: ::Contrast::CONTRAST_SERVICE.port
-          )
+              log_connection_error_msg,
+              host: ::Contrast::CONTRAST_SERVICE.host,
+              port: ::Contrast::CONTRAST_SERVICE.port)
         end
 
         # If our connection isn't built properly, we need to warn the user. This builds out the context specific

data/lib/contrast/api/decorators/agent_startup.rb

@@ -41,11 +41,11 @@ module Contrast
           #
           # @param msg [Contrast::Api::Dtm::AgentStartup]
           def config! msg
-            msg.version          = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.version
-            msg.environment      = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.environment
-            msg.server_tags      = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.tags
+            msg.version      = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.version
+            msg.server_tags  = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.tags
+            msg.library_tags = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.inventory.tags
+            msg.environment  = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.environment
             msg.application_tags = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.tags
-            msg.library_tags     = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.inventory.tags
           end
         end
       end

data/lib/contrast/api/decorators/application_startup.rb

@@ -24,11 +24,12 @@ module Contrast
           # @return [Contrast::Api::Dtm::ApplicationCreate]
           def build
             msg = new
-            msg.app_version = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.version.to_s
-            msg.code        = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.code
-            msg.group       = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.group
-            msg.metadata    = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.metadata
-            msg.mode        = Contrast::Api::Dtm::InstrumentationMode.build
+            msg.code     = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.code
+            msg.group    = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.group
+            msg.metadata = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.metadata
+            msg.mode     = Contrast::Api::Dtm::InstrumentationMode.build
+            msg.app_version =
+                Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.version.to_s # rubocop:disable Layout/AssignmentIndentation Layout/FirstArgumentIndentation:
             session!(msg)
             msg
           end

data/lib/contrast/api/decorators/route_coverage.rb

@@ -46,7 +46,7 @@ module Contrast
           #
           # @param controller [::Sinatra::Base] the route's final controller.
           # @param method [String] GET, PUT, POST, etc...
-          # @param method [::Mustermann::Sinatra]  the pattern that was matched in routing.
+          # @param pattern [::Mustermann::Sinatra]  the pattern that was matched in routing.
           # @param url [String, nil] use url from string instead matched pattern.
           # @return [Contrast::Api::Dtm::RouteCoverage]
           def from_sinatra_route controller, method, pattern, url = nil
@@ -59,6 +59,29 @@ module Contrast
             msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
             msg
           end
+
+          # Convert Grape route data to dtm message.
+          #
+          # @param controller [::Grape::API] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @param pattern [String, Grape::Router::Route] the pattern that was matched in routing.
+          # @return [Contrast::Api::Dtm::RouteCoverage]
+          def from_grape_controller controller, method, pattern, url = nil
+            if pattern.cs__is_a?(Grape::Router::Route)
+              safe_pattern = pattern.pattern&.path&.to_s
+              safe_url = source_or_string(url || safe_pattern)
+            else
+              safe_pattern = source_or_string(pattern)
+              safe_url = source_or_string(url || pattern)
+            end
+
+            msg = new
+            msg.route = "#{ controller }##{ method } #{ safe_pattern }"
+            msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
+            msg
+          end
         end
       end
     end

data/lib/contrast/components/agent.rb

@@ -54,7 +54,9 @@ module Contrast
         end
 
         def interpolation_enabled?
-          @_interpolation_enabled = !false?(::Contrast::CONFIG.root.agent.ruby.interpolate) if @_interpolation_enabled.nil?
+          if @_interpolation_enabled.nil?
+            @_interpolation_enabled = !false?(::Contrast::CONFIG.root.agent.ruby.interpolate)
+          end
           @_interpolation_enabled
         end
 
@@ -69,7 +71,8 @@ module Contrast
               status:
                 ::Contrast::CONFIG.root.agent.ruby.exceptions.override_status || 403,
               message:
-                ::Contrast::CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
+                ::Contrast::CONFIG.root.agent.ruby.exceptions.override_message ||
+                    Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
           }
         end
 

data/lib/contrast/components/assess.rb

@@ -5,7 +5,6 @@ require 'contrast/components/base'
 require 'contrast/components/config'
 require 'contrast/components/settings'
 
-
 module Contrast
   module Components
     module Assess
@@ -78,7 +77,9 @@ module Contrast
         end
 
         def track_frozen_sources?
-          @_track_frozen_sources = !false?(::Contrast::CONFIG.root.agent.ruby.track_frozen_sources) if @_track_frozen_sources.nil?
+          if @_track_frozen_sources.nil?
+            @_track_frozen_sources = !false?(::Contrast::CONFIG.root.agent.ruby.track_frozen_sources)
+          end
           @_track_frozen_sources
         end
 
@@ -93,7 +94,9 @@ module Contrast
 
         def disabled_rules
           # TODO: RUBY-903
-          ::Contrast::CONFIG.root.assess&.rules&.disabled_rules || ::Contrast::SETTINGS.assess_state.disabled_assess_rules || []
+          ::Contrast::CONFIG.root.assess&.rules&.disabled_rules ||
+              ::Contrast::SETTINGS.assess_state.disabled_assess_rules ||
+              []
         end
 
         private

data/lib/contrast/components/base.rb

@@ -18,7 +18,7 @@ module Contrast
         return true if config_param == false
         return false unless config_param.cs__is_a?(String)
 
-        Contrast::Utils::ObjectShare::FALSE.casecmp?(config_param)
+        config_param.downcase == Contrast::Utils::ObjectShare::FALSE
       end
 
       # use this to determine if the configuration value is literally boolean
@@ -33,7 +33,7 @@ module Contrast
         return true if config_param == true
         return false unless config_param.cs__is_a?(String)
 
-        Contrast::Utils::ObjectShare::TRUE.casecmp?(config_param)
+        config_param.downcase == Contrast::Utils::ObjectShare::TRUE
       end
     end
   end

data/lib/contrast/components/config.rb

@@ -44,6 +44,7 @@ module Contrast
 
         def valid?
           @_valid = validate(log: false) if @_valid.nil?
+          @_valid
         end
 
         def invalid?

data/lib/contrast/components/contrast_service.rb

@@ -32,11 +32,13 @@ module Contrast
         end
 
         def host
-          @_host ||= (::Contrast::CONFIG.root.agent.service.host || Contrast::Config::ServiceConfiguration::DEFAULT_HOST).to_s
+          @_host ||=
+            (::Contrast::CONFIG.root.agent.service.host || Contrast::Config::ServiceConfiguration::DEFAULT_HOST).to_s
         end
 
         def port
-          @_port ||= (::Contrast::CONFIG.root.agent.service.port || Contrast::Config::ServiceConfiguration::DEFAULT_PORT).to_i
+          @_port ||=
+            (::Contrast::CONFIG.root.agent.service.port || Contrast::Config::ServiceConfiguration::DEFAULT_PORT).to_i
         end
 
         def socket_path

data/lib/contrast/components/logger.rb

@@ -6,20 +6,25 @@ require 'contrast/components/base'
 
 module Contrast
   module Components
-    module Logger
-      module InstanceMethods #:nodoc:
+    module Logger # :nodoc:
+      module InstanceMethods # :nodoc:
         def logger
           Contrast::Logger::Log.instance.logger
         end
+
+        def add_trace_perf_logging_for sym, custom_message = nil
+          logger.add_trace_perf_logging(self, sym, custom_message)
+        end
+      end
+
+      class << self
+        def add_trace_log_timing_for clazz, method_name, custom_message = nil
+          Contrast::Logger::Log.instance.add_method_to_trace_timing(clazz, method_name, custom_message)
+        end
       end
-      ClassMethods = InstanceMethods
 
-      # A wrapper build around the Common Agent Configuration project to allow
-      # for access of the values contained in its
-      # parent_configuration_spec.yaml.
-      # Specifically, this allows for querying the state of the Agent Logger.
       class Interface
-        include Contrast::Components::ComponentBase
+        include InstanceMethods
       end
     end
   end