contrast-agent 4.9.1 → 4.10.0

data/resources/deadzone/policy.json

@@ -1,6 +1,16 @@
 {
   "deadzones":[
     {
+      "class_name":"Rspec::Core::BacktraceFormatter",
+      "instance_method":true,
+      "method_visibility": "private",
+      "method_name":"matches?"
+    },{
+      "class_name":"Rspec::Core::Example",
+      "instance_method":true,
+      "method_visibility": "private",
+      "method_name":"finish"
+    },{
       "class_name":"Rack::Request::Helpers",
       "instance_method":true,
       "method_visibility": "public",

data/ruby-agent.gemspec

@@ -24,6 +24,7 @@ def self.add_dev_dependencies spec
   add_debuggers(spec)
   add_linters(spec) # if RUBY_VERSION >= '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
   add_specs(spec)
+  add_custom_dependencies(spec)
 end
 
 # Dependencies used to build the agent during development.
@@ -33,14 +34,21 @@ def self.add_builders spec
   spec.add_development_dependency 'rake-compiler', '~> 0'
 end
 
+# Dependencies that are required during testing in actual application
+def self.add_custom_dependencies spec
+  spec.add_development_dependency 'zlib'
+end
+
 # Dependencies used for local debugging during development.
 def self.add_debuggers spec
   spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'pry-byebug', '>= 3.9'
   spec.add_development_dependency 'ruby-debug-ide'
 end
 
 # Dependencies used for framework testing.
 def self.add_frameworks spec
+  spec.add_development_dependency 'grape', '~> 1.5', '>= 1.5.2'
   spec.add_development_dependency 'rack-protection', '>= 2'
   spec.add_development_dependency 'rails', '6.0.3.5'
   spec.add_development_dependency 'sinatra', '>= 2'
@@ -66,12 +74,13 @@ def self.add_specs spec
   spec.add_development_dependency 'factory_bot'
   spec.add_development_dependency 'fake_ftp'
   spec.add_development_dependency 'openssl'
+  spec.add_development_dependency 'parallel_tests'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rspec-benchmark'
   spec.add_development_dependency 'rspec_junit_formatter', '0.3.0'
   spec.add_development_dependency 'rspec-rails', '5.0'
-  spec.add_development_dependency 'warning'
   spec.add_development_dependency 'tzinfo-data' # Alpine rspec-rails requirement.
+  spec.add_development_dependency 'warning'
 end
 
 def self.add_coverage spec

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 4.9.1
+  version: 4.10.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-15 00:00:00.000000000 Z
+date: 2021-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -71,6 +71,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: ruby-debug-ide
   requirement: !ruby/object:Gem::Requirement
@@ -211,6 +225,26 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.21.2
+- !ruby/object:Gem::Dependency
+  name: grape
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.2
 - !ruby/object:Gem::Dependency
   name: rack-protection
   requirement: !ruby/object:Gem::Requirement
@@ -407,6 +441,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: parallel_tests
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -463,6 +511,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: tzinfo-data
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: warning
   requirement: !ruby/object:Gem::Requirement
@@ -478,7 +540,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: tzinfo-data
+  name: zlib
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -555,20 +617,20 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__assess_string/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__protect_kernel/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
 - ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_array/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__assess_string/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__assess_hash/extconf.rb
+- ext/cs__protect_kernel/extconf.rb
 - ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
 - ext/cs__assess_module/extconf.rb
+- ext/cs__assess_hash/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_array/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -577,6 +639,7 @@ files:
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
+- ".rspec_parallel"
 - ".simplecov"
 - Gemfile
 - LICENSE.txt
@@ -828,6 +891,7 @@ files:
 - lib/contrast/agent/disable_reaction.rb
 - lib/contrast/agent/exclusion_matcher.rb
 - lib/contrast/agent/inventory.rb
+- lib/contrast/agent/inventory/database_config.rb
 - lib/contrast/agent/inventory/dependencies.rb
 - lib/contrast/agent/inventory/dependency_analysis.rb
 - lib/contrast/agent/inventory/dependency_usage_analysis.rb
@@ -865,6 +929,7 @@ files:
 - lib/contrast/agent/protect/rule/no_sqli.rb
 - lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb
 - lib/contrast/agent/protect/rule/path_traversal.rb
+- lib/contrast/agent/protect/rule/sql_sample_builder.rb
 - lib/contrast/agent/protect/rule/sqli.rb
 - lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb
 - lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb
@@ -969,6 +1034,7 @@ files:
 - lib/contrast/extension/assess/regexp.rb
 - lib/contrast/extension/assess/string.rb
 - lib/contrast/extension/delegator.rb
+- lib/contrast/extension/extension.rb
 - lib/contrast/extension/inventory.rb
 - lib/contrast/extension/kernel.rb
 - lib/contrast/extension/module.rb
@@ -977,6 +1043,7 @@ files:
 - lib/contrast/extension/protect/psych.rb
 - lib/contrast/extension/thread.rb
 - lib/contrast/framework/base_support.rb
+- lib/contrast/framework/grape/support.rb
 - lib/contrast/framework/manager.rb
 - lib/contrast/framework/platform_version.rb
 - lib/contrast/framework/rack/patch/session_cookie.rb
@@ -1010,7 +1077,6 @@ files:
 - lib/contrast/utils/hash_digest.rb
 - lib/contrast/utils/heap_dump_util.rb
 - lib/contrast/utils/invalid_configuration_util.rb
-- lib/contrast/utils/inventory_util.rb
 - lib/contrast/utils/io_util.rb
 - lib/contrast/utils/job_servers_running.rb
 - lib/contrast/utils/object_share.rb

data/lib/contrast/utils/inventory_util.rb

@@ -1,113 +0,0 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/timer'
-require 'contrast/utils/object_share'
-require 'contrast/components/logger'
-
-module Contrast
-  module Utils
-    # Utilities for getting inventory information from the application
-    class InventoryUtil
-      extend Contrast::Components::Logger::InstanceMethods
-
-      # TeamServer only accepts certain values for ArchitectureComponents.
-      # DO NOT CHANGE THIS!
-      AC_TYPE_DB = 'db'
-      # TeamServer only accepts certain values for FlowMap Services.
-      # DO NOT CHANGE THIS
-      ADAPTER = 'adapter'
-      HOST = 'host'
-      PORT = 'port'
-      DATABASE = 'database'
-      DEFAULT = 'default'
-      LOCALHOST = 'localhost'
-
-      def self.active_record_config
-        return @_active_record_config if instance_variable_defined?(:@_active_record_config)
-
-        @_active_record_config = ActiveRecord::Base.connection_config rescue nil # rubocop:disable Style/RescueModifier
-      end
-
-      def self.append_db_config activity_or_update, hash_or_str = Contrast::Utils::InventoryUtil.active_record_config
-        arr = build_from_db_config(hash_or_str)
-        return unless arr&.any?
-
-        arr.each do |a|
-          next unless a
-
-          if activity_or_update.is_a?(Contrast::Api::Dtm::Activity)
-            activity_or_update.architectures << a
-          else
-            activity_or_update.components << a
-          end
-        end
-      rescue StandardError => e
-        logger.error('Unable to append db config', e)
-        nil
-      end
-
-      def self.build_from_db_config hash_or_str
-        return unless hash_or_str
-
-        if hash_or_str.is_a?(Hash)
-          build_from_db_hash(hash_or_str)
-        else
-          build_from_db_string(hash_or_str.to_s)
-        end
-      end
-
-      def self.build_from_db_hash hash
-        ac = Contrast::Api::Dtm::ArchitectureComponent.new
-        ac.vendor = hash[:adapter] || hash[ADAPTER] || Contrast::Utils::ObjectShare::EMPTY_STRING
-        ac.remote_host = host_from_hash(hash)
-        ac.remote_port = port_from_hash(hash)
-        ac.type = AC_TYPE_DB
-        ac.url = hash[:database] || hash[DATABASE] || DEFAULT
-        [ac]
-      end
-
-      def self.host_from_hash hash
-        hash[:host] || hash[HOST] || Contrast::Utils::ObjectShare::EMPTY_STRING
-      end
-
-      def self.port_from_hash hash
-        p = hash[:port] || hash[PORT] || Contrast::Utils::ObjectShare::EMPTY_STRING
-        p.to_i
-      end
-
-      # Examples:
-      # mongodb://[user:pass@]host1[:port1][,host2[:port2],[,hostN[:portN]]][/[database][?options]]
-      # postgresql://scott:tiger@localhost/mydatabase
-      # mysql+mysqlconnector://scott:tiger@localhost/foo
-      def self.build_from_db_string str
-        adapter, hosts, database = split_connection_str(str)
-        acs = []
-        hosts.split(Contrast::Utils::ObjectShare::COMMA).map do |s|
-          host, port = s.split(Contrast::Utils::ObjectShare::COLON)
-
-          ac = Contrast::Api::Dtm::ArchitectureComponent.new
-          ac.vendor = Contrast::Utils::StringUtils.force_utf8(adapter)
-          ac.remote_host = Contrast::Utils::StringUtils.force_utf8(host)
-          ac.remote_port = port.to_i
-          ac.type = AC_TYPE_DB
-          ac.url = Contrast::Utils::StringUtils.force_utf8(database)
-          acs << ac
-        end
-        acs
-      end
-
-      def self.split_connection_str str
-        adapter, str = str.split(Contrast::Utils::ObjectShare::COLON_SLASH_SLASH)
-        _auth, str = str.split(Contrast::Utils::ObjectShare::AT)
-        # Not currently used
-        # user, pass = auth.split(Contrast::Utils::ObjectShare::COLON)
-        hosts, db_and_options = str.split(Contrast::Utils::ObjectShare::SLASH)
-        hosts << LOCALHOST if hosts.empty?
-        database, _options = db_and_options.split(Contrast::Utils::ObjectShare::QUESTION_MARK)
-
-        [adapter, hosts, database]
-      end
-    end
-  end
-end