contrast-agent 4.9.1 → 4.13.0

data/lib/contrast/utils/telemetry_identifier.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry'
+require 'contrast/utils/os'
+require 'socket'
+
+module Contrast
+  module Utils
+    # Tools for supporting the Telemetry feature
+    module Telemetry
+      # Gets info about the instrumented application required to build unique identifiers,
+      # used in the agent's Telemetry.
+      module Identifier
+        MAC_REGEX = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
+        LINUX_OS_REG = /hwaddr=.*?(([A-F0-9]{2}:){5}[A-F0-9]{2})/im.cs__freeze
+        MAC_OS_PRIMARY = 'en0'.cs__freeze
+        LINUX_PRIMARY = 'enp'.cs__freeze
+
+        # Sinatra and Grape both use similar approach to identify the app_name.
+        # Rails has a different way of doing it, but to unify this we'll use this one.
+        # If app_name is changed/renamed during production it would still get the
+        # new folder's name.
+        #
+        # @ return [String] name of the application from the current working directory
+        def self.app_name
+          @_app_name ||= File.basename(Dir.pwd)
+        end
+
+        # Returns the MAC address of the primary network interface, depending on the used OS.
+        # If the primary is unknown it finds the first available network interface and gets it's
+        # MAC address instead.
+        #
+        # @return [String, nil] MAC address of the primary network interface or
+        # the first available one, or nil if nothing found
+        def self.mac
+          @_mac = find_mac MAC_OS_PRIMARY if Contrast::Utils::OS.mac? && @_mac.nil?
+          @_mac = find_mac LINUX_PRIMARY if Contrast::Utils::OS.linux? && @_mac.nil?
+          # or find any available
+          @_mac = find_mac if @_mac.nil?
+          @_mac
+        end
+
+        class << self
+          private
+
+          # Finds the primary MAC address of all listed network adapters.
+          # If primary is not set or unknown, use the first MAC address found
+          # from the listed adapters.
+          #
+          # @param primary [nil, String] optional param if set look only for primary
+          # network adapter's name
+          # @return [String, nil] MAC address of the first listed network adapter or
+          # nil if not found
+          def find_mac primary = nil
+            result = nil
+            idx = 0
+            return if interfaces.empty?
+
+            while idx < interfaces.length
+              addr = interfaces[idx].addr
+              name = interfaces[idx].name # rubocop:disable Security/Module/Name
+              # retrieving MAC address from primary network interface or first available
+              mac = retrieve_mac name, addr, primary
+              idx += 1
+              next unless mac
+
+              result = mac if mac && (mac.match? MAC_REGEX)
+              break if result && !primary
+            end
+            result
+          end
+
+          # Retrieves MAC address for primary or any network interface.
+          # This is OS dependent search.
+          #
+          # @param name [Sting] interface name of ifaddr
+          # @param addr [String] address info
+          # example: #<Addrinfo: LINK[en0 aa:bb:cc:00:11:22]>
+          # @param primary [nil, String] optional param if set look only for primary
+          # network adapter's name
+          # @return mac [nil, String] MAC address of primary network interface,
+          # any network interface, or nil if no interface is found.
+          def retrieve_mac name, addr, primary
+            mac = nil
+            # Mac OS allow us to use getnameinfo(sockaddr [, flags]) => [hostname, servicename]
+            #
+            # returned address:
+            # <Socket::Ifaddr en0 UP,BROADCAST,RUNNING,NOTRAILERS,SIMPLEX,MULTICAST LINK[en0 aa:bb:cc:00:11:22]>
+            if Contrast::Utils::OS.mac?
+              mac = addr.getnameinfo[0] unless primary
+              mac = addr.getnameinfo[0] if primary && name.include?(primary)
+            end
+            # In Linux using Socket::addr#getnameinfo results in ai_family not supported exception.
+            # In this case we are relying on match filtering of addresses.
+            #
+            # returned address:
+            # #<Socket::Ifaddr eth0 UP,BROADCAST,RUNNING,MULTICAST,0x10000
+            # PACKET[protocol=0 eth0 hatype=1 HOST hwaddr=aa:bb:cc:00:11:22]>
+            if primary && Contrast::Utils::OS.linux?
+              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG && name.include?(primary)
+            elsif primary.nil? && Contrast::Utils::OS.linux?
+              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG
+            end
+            mac
+          end
+
+          # Returns array of network interfaces.
+          # This is OS dependent search.
+          #
+          # @return interfaces [Array] Returns an array of interface addresses.
+          # Socket::Ifaddr - represents a result of getifaddrs().
+          def interfaces
+            @_interfaces = []
+            arr = Socket.getifaddrs
+            idx = 0
+            check_family = 0
+            while idx < arr.length
+              # We need only network adapters MACs. Checking for pfamily of every socket address:
+              # 18 for Mac OS and 17 for Linux.
+              # family should be an address family such as: :INET, :INET6, :UNIX, etc.
+              check_family = 18 if Contrast::Utils::OS.mac?
+              check_family = 17 if Contrast::Utils::OS.linux?
+              if arr[idx].addr.pfamily != check_family
+                idx += 1
+                next
+              end
+              @_interfaces << arr[idx]
+              idx += 1
+            end
+            @_interfaces
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast.rb

@@ -23,7 +23,7 @@ end
 
 if RUBY_VERSION >= '3.0.0'
   # This fixes Ruby 3.0 issues with Module#(some instance method) patching by preventing the prepending of
-  # a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticable.
+  # a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticeable.
   # TODO: RUBY-1132 Remove this once Ruby 3 is fixed.
   # See bug here: https://bugs.ruby-lang.org/issues/17725
   class Class
@@ -35,6 +35,7 @@ if RUBY_VERSION >= '3.0.0'
 end
 
 require 'contrast/components/agent'
+require 'contrast/components/api'
 require 'contrast/components/app_context'
 require 'contrast/components/assess'
 require 'contrast/components/config'
@@ -47,6 +48,7 @@ require 'contrast/components/scope'
 require 'contrast/components/settings'
 
 module Contrast
+  API = Contrast::Components::Api::Interface.new
   SCOPE = Contrast::Components::Scope::Interface.new
   CONFIG = Contrast::Components::Config::Interface.new
   SETTINGS = Contrast::Components::Settings::Interface.new
@@ -76,3 +78,19 @@ if RUBY_VERSION >= '3.0.0'
   Class.alias_method(:prepend, :cs__orig_prepend)
   Class.remove_method(:cs__orig_prepend)
 end
+
+if RUBY_VERSION < '3.0.0'
+  # Better handles ancestors for older ruby versions.
+  # This is called from C, tread lightly.
+  class Module
+    @_included_in = []
+    # Returns array with modules including this instance
+    def included_in
+      @_included_in ||= [] unless cs__frozen?
+    end
+
+    def self.included_in
+      @_included_in ||= [] unless cs__frozen?
+    end
+  end
+end

data/resources/assess/policy.json

@@ -33,6 +33,23 @@
       "target": "R",
       "type": "BODY",
       "tags":["NO_NEWLINES", "CROSS_SITE"]
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "body",
+      "source": "P0",
+      "target": "R",
+      "type": "BODY",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    },  {
+      "class_name":"ActionDispatch::Cookies::CookieJar",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "[]",
+      "target": "R",
+      "type": "COOKIE",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
     }, {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
@@ -129,10 +146,45 @@
       "target":"R",
       "type":"PARAMETER",
       "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Env",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"[]",
+      "source": "P0",
+      "target":"R",
+      "type":"HEADER",
+      "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"headers",
+      "source": "P0",
+      "target":"R",
+      "type":"HEADER",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Validations::Base",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"validate!",
+      "source": "P0",
+      "target":"R",
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }
   ],
   "propagators":[
-    {
+     {
       "class_name":"String",
       "instance_method": true,
       "method_visibility": "public",
@@ -140,7 +192,7 @@
       "source":"O",
       "target":"R",
       "action":"KEEP"
-    },     {
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -148,8 +200,15 @@
       "source": "O",
       "target": "R",
       "action": "KEEP"
-    },
-    {
+    }, {
+      "class_name": "String",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "force_encoding",
+      "source": "O",
+      "target": "R",
+      "action": "SPLAT"
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -157,8 +216,7 @@
       "source": "O",
       "target": "R",
       "action": "KEEP"
-    },
-    {
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -166,7 +224,7 @@
       "source": "O,P0",
       "target": "R",
       "action": "SPLIT"
-    },{
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -722,6 +780,24 @@
       "patch_method": "select_tagger",
       "source": "O",
       "target": "R"
+    },{
+      "class_name":"CGI::Util",
+      "method_name":"unescape",
+      "instance_method": true,
+      "method_visibility": "public",
+      "source":"P0",
+      "target":"R",
+      "action":"SPLAT",
+      "tags":[],
+      "untags":[]
+    }, {
+      "class_name":"StringIO",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "read",
+      "source": "O",
+      "target": "R",
+      "action": "SPLAT"
     }, {
       "class_name":"CGI::Util",
       "method_name":"escapeHTML",
@@ -742,6 +818,16 @@
       "action":"SPLAT",
       "tags":["HTML_ENCODED"],
       "untags":["HTML_DECODED"]
+    }, {
+      "class_name":"Rack::Utils",
+      "method_name":"escape_html",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source":"P0",
+      "target":"R",
+      "action":"SPLAT",
+      "tags":["HTML_ENCODED"],
+      "untags":["HTML_DECODED"]
     }, {
       "class_name":"CGI::Util",
       "method_name":"h",
@@ -1287,6 +1373,18 @@
           "instance_method": true,
           "method_visibility": "public",
           "source":"P0"
+        }, {
+          "class_name":"Rack::Response",
+          "method_name":"body=",
+          "instance_method": true,
+          "method_visibility": "public",
+          "source":"P0"
+        }, {
+          "class_name":"Rack::Response",
+          "method_name":"write",
+          "instance_method": true,
+          "method_visibility": "public",
+          "source":"P0"
         }, {
           "class_name":"Sinatra::Helpers",
           "method_name":"body",
@@ -1347,12 +1445,108 @@
           "method_visibility": "public",
           "method_name":"async_exec",
           "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation::Calculations",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"calculate",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::FinderMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"exists?",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::FinderMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"find_by",
+          "source":"P0"
         }, {
           "class_name":"ActiveRecord::Querying",
           "instance_method": false,
           "method_visibility": "public",
           "method_name":"select",
           "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"from",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"group",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"having",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"joins",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"lock",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"select",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"reselect",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"where",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"rewhere",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods::WhereChain",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"not",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"delete_by",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"destroy_by",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"update_all",
+          "source":"P0"
         }
       ]
     }, {
@@ -1685,6 +1879,13 @@
           "method_visibility": "public",
           "method_name": "redirect_to",
           "source": "P0"
+        },
+        {
+          "class_name": "Grape::DSL::InsideRoute",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "redirect",
+          "source": "P0"
         }
       ]
     }, {

data/resources/deadzone/policy.json

@@ -1,6 +1,11 @@
 {
   "deadzones":[
     {
+      "class_name":"Rspec::Core::Example",
+      "instance_method":true,
+      "method_visibility": "private",
+      "method_name":"finish"
+    },{
       "class_name":"Rack::Request::Helpers",
       "instance_method":true,
       "method_visibility": "public",
@@ -195,6 +200,92 @@
       "method_visibility": "public",
       "method_name":"exists?",
       "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/request/session.rb#L201"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BaseMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeAKindOf"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeAnInstanceOf"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeBetween"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Be"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeComparedTo"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeFalsey"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeHelpers"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeNil"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BePredicate"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeTruthy"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::BeWithin"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Change"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::ChangeRelatively"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::SpecificValuesChange"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Compound"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Compound::And"
+    }, {
+      "class_name": "RSpec::Matchers::BuiltIn::Compound::Or"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::ContainExactly"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Cover"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::EndWith"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Eq"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Eql"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Equal"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Exist"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Has"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::HaveAttributes"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::All"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Match"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::NegativeOperatorMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::OperatorMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Output"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::PositiveOperatorMatcher"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::RaiseError"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::RespondTo"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::Satisfy"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::StartWith"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::ThrowSymbol"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldControl"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldSuccessiveArgs"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldWithArgs"
+    },{
+      "class_name": "RSpec::Matchers::BuiltIn::YieldWithNoArgs"
+    },{
+      "class_name": "SimpleCov"
     }
   ]
 }

data/ruby-agent.gemspec

@@ -24,6 +24,7 @@ def self.add_dev_dependencies spec
   add_debuggers(spec)
   add_linters(spec) # if RUBY_VERSION >= '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
   add_specs(spec)
+  add_custom_dependencies(spec)
 end
 
 # Dependencies used to build the agent during development.
@@ -33,14 +34,21 @@ def self.add_builders spec
   spec.add_development_dependency 'rake-compiler', '~> 0'
 end
 
+# Dependencies that are required during testing in actual application
+def self.add_custom_dependencies spec
+  spec.add_development_dependency 'zlib'
+end
+
 # Dependencies used for local debugging during development.
 def self.add_debuggers spec
   spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'pry-byebug', '>= 3.9'
   spec.add_development_dependency 'ruby-debug-ide'
 end
 
 # Dependencies used for framework testing.
 def self.add_frameworks spec
+  spec.add_development_dependency 'grape', '~> 1.5', '>= 1.5.2'
   spec.add_development_dependency 'rack-protection', '>= 2'
   spec.add_development_dependency 'rails', '6.0.3.5'
   spec.add_development_dependency 'sinatra', '>= 2'
@@ -66,12 +74,13 @@ def self.add_specs spec
   spec.add_development_dependency 'factory_bot'
   spec.add_development_dependency 'fake_ftp'
   spec.add_development_dependency 'openssl'
+  spec.add_development_dependency 'parallel_tests'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rspec-benchmark'
   spec.add_development_dependency 'rspec_junit_formatter', '0.3.0'
   spec.add_development_dependency 'rspec-rails', '5.0'
-  spec.add_development_dependency 'warning'
   spec.add_development_dependency 'tzinfo-data' # Alpine rspec-rails requirement.
+  spec.add_development_dependency 'warning'
 end
 
 def self.add_coverage spec
@@ -141,7 +150,8 @@ def self.add_files spec
                    'shared_libraries/libfunchook.so',
                    'shared_libraries/funchook.h',
                    'funchook/src/libfunchook.dylib',
-                   'funchook/src/libfunchook.so')
+                   'funchook/src/libfunchook.so',
+                   '.secrets.baseline')
   end
 end
 

data/service_executables/VERSION

@@ -1 +1 @@
-2.21.2
+2.27.3