contrast-agent 5.1.0 → 5.2.0

data/lib/contrast/agent/request_context.rb

@@ -10,6 +10,7 @@ require 'contrast/components/scope'
 require 'contrast/utils/request_utils'
 require 'contrast/agent/request_context_extend'
 require 'contrast/agent/reporting/reporting_events/observed_route'
+require 'contrast/agent/reporting/input_analysis/input_analysis'
 
 module Contrast
   module Agent
@@ -36,9 +37,10 @@ module Contrast
       include Contrast::Agent::RequestContextExtend
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
+      INPUT_ANALYSIS = Contrast::Agent::Reporting::InputAnalysis.new
 
       attr_reader :activity, :logging_hash, :observed_route, :new_observed_route, :request, :response, :route,
-                  :speedracer_input_analysis, :server_activity, :timer
+                  :speedracer_input_analysis, :agent_input_analysis, :server_activity, :timer
 
       def initialize rack_request, app_loaded = true
         with_contrast_scope do
@@ -59,6 +61,9 @@ module Contrast
           @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
           speedracer_input_analysis.request = request
 
+          @agent_input_analysis = INPUT_ANALYSIS
+          agent_input_analysis.request = request
+
           # flag to indicate whether the app is fully loaded
           @app_loaded = !!app_loaded
 

data/lib/contrast/agent/request_context_extend.rb

@@ -1,19 +1,27 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/rule/response/autocomplete_rule'
+require 'contrast/agent/assess/rule/response/auto_complete_rule'
+require 'contrast/agent/assess/rule/response/cache_control_header_rule'
+require 'contrast/agent/assess/rule/response/click_jacking_header_rule'
+require 'contrast/agent/assess/rule/response/csp_header_insecure_rule'
+require 'contrast/agent/assess/rule/response/csp_header_missing_rule'
 require 'contrast/agent/assess/rule/response/hsts_header_rule'
-require 'contrast/agent/assess/rule/response/cachecontrol_rule'
-require 'contrast/agent/assess/rule/response/clickjacking_rule'
-require 'contrast/agent/assess/rule/response/x_content_type_rule'
 require 'contrast/agent/assess/rule/response/parameters_pollution_rule'
+require 'contrast/agent/assess/rule/response/x_content_type_header_rule'
+require 'contrast/agent/assess/rule/response/x_xss_protection_header_rule'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/components/logger'
+require 'contrast/utils/log_utils'
 
 module Contrast
   module Agent
     # This class extends RequestContexts: this class acts to encapsulate information about the currently
     # executed request, making it available to the Agent for the duration of the request in a standardized
     # and normalized format which the Agent understands.
-    module RequestContextExtend
+    module RequestContextExtend # rubocop:disable Metrics/ModuleLength
+      include Contrast::Utils::CEFLogUtils
+      include Contrast::Components::Logger::InstanceMethods
       BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
       # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
       # where it is necessary for our route coverage and finding vulnerability discovery features to function.
@@ -74,10 +82,10 @@ module Contrast
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          if logger.trace?
-            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
-            logger.trace('Results', input_analysis: ia.inspect)
-          end
+          service_extract_logging ia
+          # using Agent analysis
+          initialize_agent_input_analysis request
+
           @speedracer_input_analysis = ia
           speedracer_input_analysis.request = request
         else
@@ -113,23 +121,41 @@ module Contrast
       # append anything we've learned to the request seen message this is the sum-total of all inventory information
       # that has been accumulated since the last request
       def extract_after rack_response
+        # We must ALWAYS save the response, even if we don't need it here for response sampling. It is used for other
+        # vulnerability detection, most notably XSS, and not capturing it may suppress valid findings.
         @response = Contrast::Agent::Response.new(rack_response)
-        activity.http_response = @response.dtm if @sample_res
-        return unless Contrast::Agent::Reporter.enabled?
-
-        Contrast::Agent::Assess::Rule::Response::Autocomplete.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::HSTSHeader.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::Cachecontrol.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::XXssProtection.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::CspHeaderMissing.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::CspHeaderInsecure.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::Clickjacking.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::XContentType.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::ParametersPollution.new.analyze(@response)
+        return unless @sample_res
+
+        # TODO: RUBY-1376 once all rules translated, move this to if/else w/ the enabled
+        if Contrast::Agent::Reporter.enabled?
+          Contrast::Agent::Assess::Rule::Response::AutoComplete.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::CacheControl.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::ClickJacking.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::CspHeaderMissing.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::CspHeaderInsecure.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::HSTSHeader.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::ParametersPollution.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::XContentType.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::XXssProtection.new.analyze(@response)
+        else
+          activity.http_response = @response.dtm
+        end
       rescue StandardError => e
         logger.error('Unable to extract information after request', e)
       end
 
+      # This here is for things we don't have implemented
+      def log_to_cef
+        activity.results.each { |attack_result| logging_logic attack_result, attack_result.rule_id.downcase }
+      end
+
+      # @param input_analysis [Contrast::Api::Settings::InputAnalysis]
+      def service_extract_logging input_analysis
+        log_to_cef
+        logger.trace('Analysis from Contrast Service', evaluations: input_analysis.results.length) if logger.trace?
+        logger.trace('Results', input_analysis: input_analysis.inspect) if logger.trace?
+      end
+
       private
 
       # Generate attack results directly from any evaluations on the agent settings object.
@@ -171,6 +197,44 @@ module Contrast
                             rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
                           end
       end
+
+      # Sets request to be used with agent and service input analysis.
+      #
+      # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request
+      # for this context
+      def initialize_agent_input_analysis request
+        # using Agent analysis
+        ia = Contrast::Agent::Protect::InputAnalyzer.analyse request
+        if ia
+          @agent_input_analysis = ia
+        else
+          logger.trace('Analysis from Agent was empty.')
+
+        end
+      end
+
+      def logging_logic result, rule_id
+        rules = %w[bot_blocker virtual_patch ip_denylist]
+        return unless rules.include?(rule_id)
+
+        rule_details = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0]).fetch(rule_id.to_sym)
+        outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+        case rule_id
+        when /bot_blocker/i
+          blocker_to_json = Contrast::Api::Dtm::BotBlockerDetails.to_controlled_hash rule_details
+          cef_logger.bot_blocking_message(blocker_to_json, outcome)
+        when /virtual_patch/i
+          virtual_patch_to_json = Contrast::Api::Dtm::VirtualPatchDetails.to_controlled_hash rule_details
+          cef_logger.virtual_patch_message(virtual_patch_to_json, outcome)
+        when /ip_denylist/i
+          sender_ip = extract_sender_ip
+          ip_denylist_to_json = Contrast::Api::Dtm::IpDenylistDetails.to_controlled_hash rule_details
+          return unless sender_ip
+          return unless sender_ip.include?(ip_denylist_to_json[:ip])
+
+          cef_logger.ip_denylisted_message(sender_ip, ip_denylist_to_json, outcome)
+        end
+      end
     end
   end
 end

data/lib/contrast/agent/scope.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'cs__scope/cs__scope'
+
 module Contrast
   module Agent
     # Scope lets us disable Contrast for certain code calls. We need to do this so
@@ -14,75 +16,100 @@ module Contrast
     #
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
+    #
+    # Scope Exits...
+    # by design, can go below zero.
+    # every exit/enter pair (regardless of series)
+    # should cancel each other out.
+    #
+    # so we prefer this sequence:
+    #   scope =  0
+    #   exit  = -1
+    #   enter =  0
+    #   enter =  1
+    #   exit  =  0
+    #   scope =  0
+    #
+    # over this sequence:
+    #   scope =  0
+    #   exit  =  0
+    #   enter =  1
+    #   enter =  2
+    #   exit  =  1
+    #   scope =  1
+    #
+    # This class have been moved to C and it's called from there. Here remains
+    # the validation and wrapper methods.
+    #
+    # Methods defined in C:
+    #
+    # sets scope instance variables.
+    # def initialize end;
+    #
+    # Check if we are in contrast scope.
+    # def in_contrast_scope? end;
+    # @return [Boolean] check if we are in contrast scope
+    #                   if the scope is above 0 return true.
+    #
+    # check if we are in deserialization scope.
+    # def in_deserialization_scope? end;
+    # @return [Boolean] check if we are in contrast scope
+    #                   if the scope is above 0 return true.
+    #
+    # check if we are in split scope.
+    # def in_split_scope? end;
+    # @return [Boolean] check if we are in contrast scope
+    #                   if the scope is above 0 return true.
+    #
+    # enter contrast scope.
+    # def enter_contrast_scope! end;
+    # @return @contrast_scope [Integer] contrast scope increased.
+    #
+    # enter deserialization scope.
+    # def enter_deserialization_scope! end;
+    # @return @deserialization_scope [Integer] deserialization scope increased.
+    #
+    # enter split scope.
+    # def enter_split_scope! end;
+    # @return @split_scope [Integer] split scope increased.
+    #
+    # check split scope depth.
+    # def split_scope_depth end;
+    # @return @split_scope [Integer] split scope depth.
+    #
+    # exit contrast scope.
+    # def exit_contrast_scope! end;
+    # @return @contrast_scope [Integer] contrast scope decreased.
+    #
+    # exit deserialization scope.
+    # def exit_deserialization_scope! end;
+    # @return @deserialization_scope [Integer] deserialization scope decreased.
+    #
+    # exit split scope.
+    # def exit_split_scope! end;
+    # @return @split_scope [Integer] split scope decreased.
+    #
+    # Static methods to be used, the cases are defined by the usage from the above methods
+    #
+    # check if we are in specific scope.
+    # def in_scope? name end;
+    # @param name [Symbol] scope symbol representing scope to check.
+    # @return [Boolean] check if we are in passed scope.
+    #
+    # enter specific scope.
+    # def enter_scope! name end;
+    # @param name [Symbol] scope symbol representing scope to enter.
+    # @return scope [Integer] entered scope value increased.
+    #
+    # exit specific scope.
+    # def exit_cope! name end;
+    # @param name [Symbol] scope symbol representing scope to exit.
+    # @return scope [Integer] entered scope value decreased.
     class Scope
       SCOPE_LIST = %i[contrast deserialization split].cs__freeze
 
-      def initialize
-        @contrast_scope = 0
-        @deserialization_scope = 0
-        @split_scope = 0
-      end
-
-      def in_contrast_scope?
-        @contrast_scope.positive?
-      end
-
-      def in_deserialization_scope?
-        @deserialization_scope.positive?
-      end
-
-      def in_split_scope?
-        @split_scope.positive?
-      end
-
-      def enter_contrast_scope!
-        @contrast_scope += 1
-      end
-
-      def enter_deserialization_scope!
-        @deserialization_scope += 1
-      end
-
-      def enter_split_scope!
-        @split_scope += 1
-      end
-
-      def split_scope_depth
-        @split_scope
-      end
-
-      # Scope Exits...
-      # by design, can go below zero.
-      # every exit/enter pair (regardless of series)
-      # should cancel each other out.
-      #
-      # so we prefer this sequence:
-      #   scope =  0
-      #   exit  = -1
-      #   enter =  0
-      #   enter =  1
-      #   exit  =  0
-      #   scope =  0
-      #
-      # over this sequence:
-      #   scope =  0
-      #   exit  =  0
-      #   enter =  1
-      #   enter =  2
-      #   exit  =  1
-      #   scope =  1
-      def exit_contrast_scope!
-        @contrast_scope -= 1
-      end
-
-      def exit_deserialization_scope!
-        @deserialization_scope -= 1
-      end
-
-      def exit_split_scope!
-        @split_scope -= 1
-      end
-
+      # Wraps block to be executed in contrast scope.
+      # On completion exits scope.
       def with_contrast_scope
         enter_contrast_scope!
         yield
@@ -90,6 +117,8 @@ module Contrast
         exit_contrast_scope!
       end
 
+      # Wraps block to be executed in deserialization scope.
+      # On completion exits scope.
       def with_deserialization_scope
         enter_deserialization_scope!
         yield
@@ -97,6 +126,8 @@ module Contrast
         exit_deserialization_scope!
       end
 
+      # Wraps block to be executed in split scope.
+      # On completion exits scope.
       def with_split_scope
         enter_split_scope!
         yield
@@ -104,48 +135,12 @@ module Contrast
         exit_split_scope!
       end
 
-      # Static methods to be used, the cases are defined by the usage from the above methods
-      # if more methods are added - please extend the case statements as they are no longed dynamic
-      def in_scope? name
-        case name
-        when :contrast
-          in_contrast_scope?
-        when :deserialization
-          in_deserialization_scope?
-        when :split
-          in_split_scope?
-        else
-          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
-        end
-      end
-
-      def enter_scope! name
-        case name
-        when :contrast
-          enter_contrast_scope!
-        when :deserialization
-          enter_deserialization_scope!
-        when :split
-          enter_split_scope!
-        else
-          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
-        end
-      end
-
-      def exit_scope! name
-        case name
-        when :contrast
-          exit_contrast_scope!
-        when :deserialization
-          exit_deserialization_scope!
-        when :split
-          exit_split_scope!
-        else
-          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
-        end
-      end
-
       class << self
+        # Validates scope. To be valid the scope must be one of:
+        # :contrast, :split, :deserialization
+        #
+        # @param scope_sym [Symbol] scope to check.
+        # @return [Boolean] true | false
         def valid_scope? scope_sym
           Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
         end

data/lib/contrast/agent/service_heartbeat.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
 
 module Contrast
   module Agent
@@ -14,13 +15,35 @@ module Contrast
       # Spec recommends 30 seconds, we're going with 15.
       REFRESH_INTERVAL_SEC = 15
 
+      # check if we can report to TS
+      #
+      # @return[Boolean] true if bypass is enabled, or false if bypass disabled
+      def enabled?
+        @_enabled = Contrast::CONTRAST_SERVICE.use_agent_communication? if @_enabled.nil?
+        @_enabled
+      end
+
+      def client
+        @_client ||= Contrast::Agent::Reporting::ReporterClient.new
+      end
+
+      def connection
+        @_connection ||= client.initialize_connection
+      end
+
       def start_thread!
         return if running?
 
+        report_from_reporter = check_report_provider
+
         @_thread = Contrast::Agent::Thread.new do
           logger.info('Starting heartbeat thread.')
           loop do
-            Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
+            if report_from_reporter
+              client.send_event(poll_message, connection)
+            else
+              Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
+            end
 
             sleep REFRESH_INTERVAL_SEC
           end
@@ -28,7 +51,27 @@ module Contrast
       end
 
       def poll_message
-        @_poll_message ||= Contrast::Api::Dtm::Poll.new
+        @_poll_message ||= if enabled? && client
+                             Contrast::Agent::Reporting::Poll.new
+                           else
+                             Contrast::Api::Dtm::Poll.new
+                           end
+      end
+
+      def check_report_provider
+        return false unless enabled?
+        return false unless client && connection
+
+        client.startup!(connection)
+        true
+      end
+
+      def send_event provider
+        if provider
+          client.send_event(poll_message, connection)
+          return
+        end
+        Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
       end
     end
   end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '5.1.0'
+    VERSION = '5.2.0'
   end
 end

data/lib/contrast/api/decorators/bot_blocker.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::BotBlockerDetails} protobuf
+      # model so it can own the request which its data is for.
+      module BotBlockerDetails
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          # @param result [Contrast::Api::Dtm::BotBlockerDetails]
+          def to_controlled_hash result
+            {
+                bot: result.bot,
+                user_agent: result.user_agent
+            }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::BotBlockerDetails.include(Contrast::Api::Decorators::BotBlockerDetails)

data/lib/contrast/api/decorators/ip_denylist.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::IpDenylistDetails} protobuf
+      # model so it can own the request which its data is for.
+      module IpDenylistDetails
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          # @param result [Contrast::Api::Dtm::IpDenylistDetails]
+          def to_controlled_hash result
+            {
+                ip: result.ip,
+                uuid: result.uuid
+            }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::IpDenylistDetails.include(Contrast::Api::Decorators::IpDenylistDetails)

data/lib/contrast/api/decorators/rasp_rule_sample.rb

@@ -20,6 +20,35 @@ module Contrast
             sample.user_input.document_type = Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
             sample
           end
+
+          # @param result [Contrast::Api::Dtm::RaspRuleSample]
+          def to_controlled_hash result
+            {
+                timestamp: Time.at(result.timestamp_ms).iso8601,
+                user_input: result.user_input,
+                brute_force: result.brute_force,
+                bot_blocker: result.bot_blocker,
+                cmdi: result.cmdi,
+                csrf: result.csrf,
+                cve: result.cve,
+                untrusted_deserialization: result.untrusted_deserialization,
+                el_injection: result.el_injection,
+                mark_of_the_beast: result.mark_of_the_beast,
+                padding_oracle: result.padding_oracle,
+                path_traversal: result.path_traversal,
+                re_dos: result.re_dos,
+                sqli: result.sqli,
+                ssrf: result.ssrf,
+                virtual_patch: result.virtual_patch,
+                xss: result.xss,
+                xxe: result.xxe,
+                no_sqli: result.no_sqli,
+                method_tampering: result.method_tampering,
+                path_traversal_semantic: result.path_traversal_semantic,
+                ssjs: result.ssjs,
+                ip_denylist: result.ip_denylist
+            }
+          end
         end
       end
     end

data/lib/contrast/api/decorators/user_input.rb

@@ -25,11 +25,21 @@ module Contrast
             return UNKNOWN_USER_INPUT.dup unless ia_result
 
             user_input = new
-            user_input.input_type = ia_result.input_type.to_i
             user_input.matcher_ids = ia_result.ids
             user_input.path = ia_result.path.to_s
             user_input.key = ia_result.key.to_s
             user_input.value = ia_result.value.to_s
+            if ia_result.input_type
+              #
+              # InputAnalysis have local Agent implementation, so we need ot take care of difference
+              # if we pass data from wrong place - we need to handle the TypeError in throws
+              begin
+                user_input.input_type = ia_result.input_type.to_i
+              rescue TypeError, NoMethodError => _e
+                user_input.input_type = ia_result.input_type
+              end
+            end
+
             user_input
           end
         end

data/lib/contrast/api/decorators/virtual_patch.rb

@@ -0,0 +1,34 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::VirtualPatchDetails} protobuf
+      # model so it can own the request which its data is for.
+      module VirtualPatchDetails
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          # @param result [Contrast::Api::Dtm::VirtualPatchDetails]
+          def to_controlled_hash result
+            { uuid: result.uuid }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::VirtualPatchDetails.include(Contrast::Api::Decorators::VirtualPatchDetails)