contrast-agent 5.1.0 → 6.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -5
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +7 -7
- data/ext/cs__assess_string/cs__assess_string.c +13 -1
- data/ext/cs__common/cs__common.c +16 -11
- data/ext/cs__common/cs__common.h +1 -0
- data/ext/cs__contrast_patch/cs__contrast_patch.c +100 -64
- data/ext/cs__contrast_patch/cs__contrast_patch.h +2 -0
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +796 -0
- data/ext/cs__scope/cs__scope.h +88 -0
- data/ext/cs__scope/extconf.rb +5 -0
- data/lib/contrast/agent/assess/contrast_event.rb +20 -13
- data/lib/contrast/agent/assess/contrast_object.rb +4 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -5
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_method.rb +6 -1
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/{autocomplete_rule.rb → auto_complete_rule.rb} +4 -3
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +12 -79
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +109 -0
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +157 -0
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +14 -15
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +5 -25
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +29 -0
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +12 -36
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +2 -1
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +35 -0
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/middleware.rb +4 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -3
- data/lib/contrast/agent/patching/policy/patch.rb +2 -6
- data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +147 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +61 -2
- data/lib/contrast/agent/protect/rule/base_service.rb +12 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +6 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +13 -1
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +88 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +118 -0
- data/lib/contrast/agent/protect/rule/sqli.rb +33 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +115 -0
- data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
- data/lib/contrast/agent/reporting/report.rb +3 -0
- data/lib/contrast/agent/reporting/reporter.rb +31 -12
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +69 -36
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +88 -59
- data/lib/contrast/agent/reporting/reporting_events/{finding_object.rb → finding_event_object.rb} +24 -20
- data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +39 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/{finding_signature.rb → finding_event_signature.rb} +29 -24
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +12 -8
- data/lib/contrast/agent/reporting/reporting_events/{finding_stack.rb → finding_event_stack.rb} +23 -19
- data/lib/contrast/agent/reporting/reporting_events/{finding_taint_range.rb → finding_event_taint_range.rb} +17 -15
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +26 -53
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +29 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +6 -4
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +1 -0
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +10 -3
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +17 -5
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -45
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +69 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +123 -85
- data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/request_context.rb +7 -2
- data/lib/contrast/agent/request_context_extend.rb +85 -21
- data/lib/contrast/agent/request_handler.rb +4 -0
- data/lib/contrast/agent/scope.rb +102 -107
- data/lib/contrast/agent/service_heartbeat.rb +45 -2
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
- data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
- data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +3 -0
- data/lib/contrast/api/communication/speedracer.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/bot_blocker.rb +37 -0
- data/lib/contrast/api/decorators/ip_denylist.rb +37 -0
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
- data/lib/contrast/api/decorators/response_type.rb +30 -0
- data/lib/contrast/api/decorators/user_input.rb +11 -1
- data/lib/contrast/api/decorators/virtual_patch.rb +34 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/logger.rb +5 -0
- data/lib/contrast/components/protect.rb +6 -4
- data/lib/contrast/components/sampling.rb +7 -11
- data/lib/contrast/components/scope.rb +98 -91
- data/lib/contrast/components/settings.rb +106 -8
- data/lib/contrast/config/agent_configuration.rb +41 -12
- data/lib/contrast/config/api_configuration.rb +37 -12
- data/lib/contrast/config/api_proxy_configuration.rb +12 -3
- data/lib/contrast/config/application_configuration.rb +38 -14
- data/lib/contrast/config/assess_configuration.rb +47 -12
- data/lib/contrast/config/assess_rules_configuration.rb +15 -3
- data/lib/contrast/config/base_configuration.rb +18 -50
- data/lib/contrast/config/certification_configuration.rb +17 -3
- data/lib/contrast/config/exception_configuration.rb +14 -3
- data/lib/contrast/config/heap_dump_configuration.rb +43 -17
- data/lib/contrast/config/inventory_configuration.rb +17 -3
- data/lib/contrast/config/logger_configuration.rb +10 -3
- data/lib/contrast/config/protect_configuration.rb +17 -7
- data/lib/contrast/config/protect_rule_configuration.rb +17 -8
- data/lib/contrast/config/protect_rules_configuration.rb +115 -17
- data/lib/contrast/config/request_audit_configuration.rb +26 -3
- data/lib/contrast/config/root_configuration.rb +52 -12
- data/lib/contrast/config/ruby_configuration.rb +60 -22
- data/lib/contrast/config/sampling_configuration.rb +19 -9
- data/lib/contrast/config/server_configuration.rb +19 -10
- data/lib/contrast/config/service_configuration.rb +27 -11
- data/lib/contrast/configuration.rb +5 -3
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/manager.rb +2 -2
- data/lib/contrast/logger/application.rb +1 -1
- data/lib/contrast/logger/cef_log.rb +151 -0
- data/lib/contrast/tasks/config.rb +90 -3
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/class_util.rb +3 -12
- data/lib/contrast/utils/hash_digest.rb +14 -6
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/log_utils.rb +114 -0
- data/lib/contrast/utils/middleware_utils.rb +9 -9
- data/lib/contrast/utils/net_http_base.rb +13 -10
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +0 -5
- data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -9
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/telemetry.rb +1 -1
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/lib/contrast/utils/telemetry_identifier.rb +1 -1
- data/lib/contrast.rb +4 -3
- data/resources/assess/policy.json +98 -0
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +9 -8
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +103 -38
- data/lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb +0 -184
- data/lib/contrast/agent/assess/rule/response/clickjacking_rule.rb +0 -66
- data/lib/contrast/agent/assess/rule/response/x_content_type_rule.rb +0 -52
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb +0 -53
- data/lib/contrast/extension/kernel.rb +0 -54
@@ -1,19 +1,27 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
-
require 'contrast/agent/assess/rule/response/
|
4
|
+
require 'contrast/agent/assess/rule/response/auto_complete_rule'
|
5
|
+
require 'contrast/agent/assess/rule/response/cache_control_header_rule'
|
6
|
+
require 'contrast/agent/assess/rule/response/click_jacking_header_rule'
|
7
|
+
require 'contrast/agent/assess/rule/response/csp_header_insecure_rule'
|
8
|
+
require 'contrast/agent/assess/rule/response/csp_header_missing_rule'
|
5
9
|
require 'contrast/agent/assess/rule/response/hsts_header_rule'
|
6
|
-
require 'contrast/agent/assess/rule/response/cachecontrol_rule'
|
7
|
-
require 'contrast/agent/assess/rule/response/clickjacking_rule'
|
8
|
-
require 'contrast/agent/assess/rule/response/x_content_type_rule'
|
9
10
|
require 'contrast/agent/assess/rule/response/parameters_pollution_rule'
|
11
|
+
require 'contrast/agent/assess/rule/response/x_content_type_header_rule'
|
12
|
+
require 'contrast/agent/assess/rule/response/x_xss_protection_header_rule'
|
13
|
+
require 'contrast/agent/protect/input_analyzer/input_analyzer'
|
14
|
+
require 'contrast/components/logger'
|
15
|
+
require 'contrast/utils/log_utils'
|
10
16
|
|
11
17
|
module Contrast
|
12
18
|
module Agent
|
13
19
|
# This class extends RequestContexts: this class acts to encapsulate information about the currently
|
14
20
|
# executed request, making it available to the Agent for the duration of the request in a standardized
|
15
21
|
# and normalized format which the Agent understands.
|
16
|
-
module RequestContextExtend
|
22
|
+
module RequestContextExtend # rubocop:disable Metrics/ModuleLength
|
23
|
+
include Contrast::Utils::CEFLogUtils
|
24
|
+
include Contrast::Components::Logger::InstanceMethods
|
17
25
|
BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
|
18
26
|
# Convert the discovered route for this request to appropriate forms and disseminate it to those locations
|
19
27
|
# where it is necessary for our route coverage and finding vulnerability discovery features to function.
|
@@ -74,10 +82,10 @@ module Contrast
|
|
74
82
|
handle_protect_state(service_response)
|
75
83
|
ia = service_response.input_analysis
|
76
84
|
if ia
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
85
|
+
service_extract_logging ia
|
86
|
+
# using Agent analysis
|
87
|
+
initialize_agent_input_analysis request
|
88
|
+
|
81
89
|
@speedracer_input_analysis = ia
|
82
90
|
speedracer_input_analysis.request = request
|
83
91
|
else
|
@@ -113,23 +121,42 @@ module Contrast
|
|
113
121
|
# append anything we've learned to the request seen message this is the sum-total of all inventory information
|
114
122
|
# that has been accumulated since the last request
|
115
123
|
def extract_after rack_response
|
124
|
+
# We must ALWAYS save the response, even if we don't need it here for response sampling. It is used for other
|
125
|
+
# vulnerability detection, most notably XSS, and not capturing it may suppress valid findings.
|
116
126
|
@response = Contrast::Agent::Response.new(rack_response)
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
Contrast::Agent::
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
127
|
+
return unless @sample_res
|
128
|
+
|
129
|
+
#
|
130
|
+
# TODO: RUBY-1376 once all rules translated, move this to if/else w/ the enabled
|
131
|
+
if Contrast::Agent::Reporter.enabled?
|
132
|
+
Contrast::Agent::Assess::Rule::Response::AutoComplete.new.analyze(@response)
|
133
|
+
Contrast::Agent::Assess::Rule::Response::CacheControl.new.analyze(@response)
|
134
|
+
Contrast::Agent::Assess::Rule::Response::ClickJacking.new.analyze(@response)
|
135
|
+
Contrast::Agent::Assess::Rule::Response::CspHeaderMissing.new.analyze(@response)
|
136
|
+
Contrast::Agent::Assess::Rule::Response::CspHeaderInsecure.new.analyze(@response)
|
137
|
+
Contrast::Agent::Assess::Rule::Response::HSTSHeader.new.analyze(@response)
|
138
|
+
Contrast::Agent::Assess::Rule::Response::ParametersPollution.new.analyze(@response)
|
139
|
+
Contrast::Agent::Assess::Rule::Response::XContentType.new.analyze(@response)
|
140
|
+
Contrast::Agent::Assess::Rule::Response::XXssProtection.new.analyze(@response)
|
141
|
+
else
|
142
|
+
activity.http_response = @response.dtm
|
143
|
+
end
|
129
144
|
rescue StandardError => e
|
130
145
|
logger.error('Unable to extract information after request', e)
|
131
146
|
end
|
132
147
|
|
148
|
+
# This here is for things we don't have implemented
|
149
|
+
def log_to_cef
|
150
|
+
activity.results.each { |attack_result| logging_logic attack_result, attack_result.rule_id.downcase }
|
151
|
+
end
|
152
|
+
|
153
|
+
# @param input_analysis [Contrast::Api::Settings::InputAnalysis]
|
154
|
+
def service_extract_logging input_analysis
|
155
|
+
log_to_cef
|
156
|
+
logger.trace('Analysis from Contrast Service', evaluations: input_analysis.results.length) if logger.trace?
|
157
|
+
logger.trace('Results', input_analysis: input_analysis.inspect) if logger.trace?
|
158
|
+
end
|
159
|
+
|
133
160
|
private
|
134
161
|
|
135
162
|
# Generate attack results directly from any evaluations on the agent settings object.
|
@@ -171,6 +198,43 @@ module Contrast
|
|
171
198
|
rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
|
172
199
|
end
|
173
200
|
end
|
201
|
+
|
202
|
+
# Sets request to be used with agent and service input analysis.
|
203
|
+
#
|
204
|
+
# @param request [Contrast::Agent::Request] our wrapper around the Rack::Request
|
205
|
+
# for this context
|
206
|
+
def initialize_agent_input_analysis request
|
207
|
+
# using Agent analysis
|
208
|
+
ia = Contrast::Agent::Protect::InputAnalyzer.analyse request
|
209
|
+
if ia
|
210
|
+
@agent_input_analysis = ia
|
211
|
+
else
|
212
|
+
logger.trace('Analysis from Agent was empty.')
|
213
|
+
end
|
214
|
+
end
|
215
|
+
|
216
|
+
def logging_logic result, rule_id
|
217
|
+
rules = %w[bot_blocker virtual_patch ip_denylist]
|
218
|
+
return unless rules.include?(rule_id)
|
219
|
+
|
220
|
+
rule_details = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0]).fetch(rule_id.to_sym)
|
221
|
+
outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
|
222
|
+
case rule_id
|
223
|
+
when /bot_blocker/i
|
224
|
+
blocker_to_json = Contrast::Api::Dtm::BotBlockerDetails.to_controlled_hash rule_details
|
225
|
+
cef_logger.bot_blocking_message(blocker_to_json, outcome)
|
226
|
+
when /virtual_patch/i
|
227
|
+
virtual_patch_to_json = Contrast::Api::Dtm::VirtualPatchDetails.to_controlled_hash rule_details
|
228
|
+
cef_logger.virtual_patch_message(virtual_patch_to_json, outcome)
|
229
|
+
when /ip_denylist/i
|
230
|
+
sender_ip = extract_sender_ip
|
231
|
+
ip_denylist_to_json = Contrast::Api::Dtm::IpDenylistDetails.to_controlled_hash rule_details
|
232
|
+
return unless sender_ip
|
233
|
+
return unless sender_ip.include?(ip_denylist_to_json[:ip])
|
234
|
+
|
235
|
+
cef_logger.ip_denylisted_message(sender_ip, ip_denylist_to_json, outcome)
|
236
|
+
end
|
237
|
+
end
|
174
238
|
end
|
175
239
|
end
|
176
240
|
end
|
@@ -5,6 +5,7 @@ require 'contrast/components/logger'
|
|
5
5
|
require 'contrast/components/scope'
|
6
6
|
require 'contrast/agent/reporting/reporter'
|
7
7
|
require 'contrast/agent/reporting/reporting_utilities/dtm_message'
|
8
|
+
require 'contrast/agent/reporting/masker/masker'
|
8
9
|
|
9
10
|
module Contrast
|
10
11
|
module Agent
|
@@ -53,6 +54,9 @@ module Contrast
|
|
53
54
|
reporter = Contrast::Agent.reporter
|
54
55
|
return unless reporter
|
55
56
|
|
57
|
+
# Mask Sensitive Data
|
58
|
+
Contrast::Agent::Reporting::Masker.mask context.activity
|
59
|
+
|
56
60
|
Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
|
57
61
|
[
|
58
62
|
context.new_observed_route,
|
data/lib/contrast/agent/scope.rb
CHANGED
@@ -1,6 +1,8 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require 'cs__scope/cs__scope'
|
5
|
+
|
4
6
|
module Contrast
|
5
7
|
module Agent
|
6
8
|
# Scope lets us disable Contrast for certain code calls. We need to do this so
|
@@ -14,75 +16,100 @@ module Contrast
|
|
14
16
|
#
|
15
17
|
# Instead, we should say "If I'm already doing Contrast things, don't track
|
16
18
|
# this"
|
19
|
+
#
|
20
|
+
# Scope Exits...
|
21
|
+
# by design, can go below zero.
|
22
|
+
# every exit/enter pair (regardless of series)
|
23
|
+
# should cancel each other out.
|
24
|
+
#
|
25
|
+
# so we prefer this sequence:
|
26
|
+
# scope = 0
|
27
|
+
# exit = -1
|
28
|
+
# enter = 0
|
29
|
+
# enter = 1
|
30
|
+
# exit = 0
|
31
|
+
# scope = 0
|
32
|
+
#
|
33
|
+
# over this sequence:
|
34
|
+
# scope = 0
|
35
|
+
# exit = 0
|
36
|
+
# enter = 1
|
37
|
+
# enter = 2
|
38
|
+
# exit = 1
|
39
|
+
# scope = 1
|
40
|
+
#
|
41
|
+
# This class have been moved to C and it's called from there. Here remains
|
42
|
+
# the validation and wrapper methods.
|
43
|
+
#
|
44
|
+
# Methods defined in C:
|
45
|
+
#
|
46
|
+
# sets scope instance variables.
|
47
|
+
# def initialize end;
|
48
|
+
#
|
49
|
+
# Check if we are in contrast scope.
|
50
|
+
# def in_contrast_scope? end;
|
51
|
+
# @return [Boolean] check if we are in contrast scope
|
52
|
+
# if the scope is above 0 return true.
|
53
|
+
#
|
54
|
+
# check if we are in deserialization scope.
|
55
|
+
# def in_deserialization_scope? end;
|
56
|
+
# @return [Boolean] check if we are in contrast scope
|
57
|
+
# if the scope is above 0 return true.
|
58
|
+
#
|
59
|
+
# check if we are in split scope.
|
60
|
+
# def in_split_scope? end;
|
61
|
+
# @return [Boolean] check if we are in contrast scope
|
62
|
+
# if the scope is above 0 return true.
|
63
|
+
#
|
64
|
+
# enter contrast scope.
|
65
|
+
# def enter_contrast_scope! end;
|
66
|
+
# @return @contrast_scope [Integer] contrast scope increased.
|
67
|
+
#
|
68
|
+
# enter deserialization scope.
|
69
|
+
# def enter_deserialization_scope! end;
|
70
|
+
# @return @deserialization_scope [Integer] deserialization scope increased.
|
71
|
+
#
|
72
|
+
# enter split scope.
|
73
|
+
# def enter_split_scope! end;
|
74
|
+
# @return @split_scope [Integer] split scope increased.
|
75
|
+
#
|
76
|
+
# check split scope depth.
|
77
|
+
# def split_scope_depth end;
|
78
|
+
# @return @split_scope [Integer] split scope depth.
|
79
|
+
#
|
80
|
+
# exit contrast scope.
|
81
|
+
# def exit_contrast_scope! end;
|
82
|
+
# @return @contrast_scope [Integer] contrast scope decreased.
|
83
|
+
#
|
84
|
+
# exit deserialization scope.
|
85
|
+
# def exit_deserialization_scope! end;
|
86
|
+
# @return @deserialization_scope [Integer] deserialization scope decreased.
|
87
|
+
#
|
88
|
+
# exit split scope.
|
89
|
+
# def exit_split_scope! end;
|
90
|
+
# @return @split_scope [Integer] split scope decreased.
|
91
|
+
#
|
92
|
+
# Static methods to be used, the cases are defined by the usage from the above methods
|
93
|
+
#
|
94
|
+
# check if we are in specific scope.
|
95
|
+
# def in_scope? name end;
|
96
|
+
# @param name [Symbol] scope symbol representing scope to check.
|
97
|
+
# @return [Boolean] check if we are in passed scope.
|
98
|
+
#
|
99
|
+
# enter specific scope.
|
100
|
+
# def enter_scope! name end;
|
101
|
+
# @param name [Symbol] scope symbol representing scope to enter.
|
102
|
+
# @return scope [Integer] entered scope value increased.
|
103
|
+
#
|
104
|
+
# exit specific scope.
|
105
|
+
# def exit_cope! name end;
|
106
|
+
# @param name [Symbol] scope symbol representing scope to exit.
|
107
|
+
# @return scope [Integer] entered scope value decreased.
|
17
108
|
class Scope
|
18
109
|
SCOPE_LIST = %i[contrast deserialization split].cs__freeze
|
19
110
|
|
20
|
-
|
21
|
-
|
22
|
-
@deserialization_scope = 0
|
23
|
-
@split_scope = 0
|
24
|
-
end
|
25
|
-
|
26
|
-
def in_contrast_scope?
|
27
|
-
@contrast_scope.positive?
|
28
|
-
end
|
29
|
-
|
30
|
-
def in_deserialization_scope?
|
31
|
-
@deserialization_scope.positive?
|
32
|
-
end
|
33
|
-
|
34
|
-
def in_split_scope?
|
35
|
-
@split_scope.positive?
|
36
|
-
end
|
37
|
-
|
38
|
-
def enter_contrast_scope!
|
39
|
-
@contrast_scope += 1
|
40
|
-
end
|
41
|
-
|
42
|
-
def enter_deserialization_scope!
|
43
|
-
@deserialization_scope += 1
|
44
|
-
end
|
45
|
-
|
46
|
-
def enter_split_scope!
|
47
|
-
@split_scope += 1
|
48
|
-
end
|
49
|
-
|
50
|
-
def split_scope_depth
|
51
|
-
@split_scope
|
52
|
-
end
|
53
|
-
|
54
|
-
# Scope Exits...
|
55
|
-
# by design, can go below zero.
|
56
|
-
# every exit/enter pair (regardless of series)
|
57
|
-
# should cancel each other out.
|
58
|
-
#
|
59
|
-
# so we prefer this sequence:
|
60
|
-
# scope = 0
|
61
|
-
# exit = -1
|
62
|
-
# enter = 0
|
63
|
-
# enter = 1
|
64
|
-
# exit = 0
|
65
|
-
# scope = 0
|
66
|
-
#
|
67
|
-
# over this sequence:
|
68
|
-
# scope = 0
|
69
|
-
# exit = 0
|
70
|
-
# enter = 1
|
71
|
-
# enter = 2
|
72
|
-
# exit = 1
|
73
|
-
# scope = 1
|
74
|
-
def exit_contrast_scope!
|
75
|
-
@contrast_scope -= 1
|
76
|
-
end
|
77
|
-
|
78
|
-
def exit_deserialization_scope!
|
79
|
-
@deserialization_scope -= 1
|
80
|
-
end
|
81
|
-
|
82
|
-
def exit_split_scope!
|
83
|
-
@split_scope -= 1
|
84
|
-
end
|
85
|
-
|
111
|
+
# Wraps block to be executed in contrast scope.
|
112
|
+
# On completion exits scope.
|
86
113
|
def with_contrast_scope
|
87
114
|
enter_contrast_scope!
|
88
115
|
yield
|
@@ -90,6 +117,8 @@ module Contrast
|
|
90
117
|
exit_contrast_scope!
|
91
118
|
end
|
92
119
|
|
120
|
+
# Wraps block to be executed in deserialization scope.
|
121
|
+
# On completion exits scope.
|
93
122
|
def with_deserialization_scope
|
94
123
|
enter_deserialization_scope!
|
95
124
|
yield
|
@@ -97,6 +126,8 @@ module Contrast
|
|
97
126
|
exit_deserialization_scope!
|
98
127
|
end
|
99
128
|
|
129
|
+
# Wraps block to be executed in split scope.
|
130
|
+
# On completion exits scope.
|
100
131
|
def with_split_scope
|
101
132
|
enter_split_scope!
|
102
133
|
yield
|
@@ -104,48 +135,12 @@ module Contrast
|
|
104
135
|
exit_split_scope!
|
105
136
|
end
|
106
137
|
|
107
|
-
# Static methods to be used, the cases are defined by the usage from the above methods
|
108
|
-
# if more methods are added - please extend the case statements as they are no longed dynamic
|
109
|
-
def in_scope? name
|
110
|
-
case name
|
111
|
-
when :contrast
|
112
|
-
in_contrast_scope?
|
113
|
-
when :deserialization
|
114
|
-
in_deserialization_scope?
|
115
|
-
when :split
|
116
|
-
in_split_scope?
|
117
|
-
else
|
118
|
-
raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
|
119
|
-
end
|
120
|
-
end
|
121
|
-
|
122
|
-
def enter_scope! name
|
123
|
-
case name
|
124
|
-
when :contrast
|
125
|
-
enter_contrast_scope!
|
126
|
-
when :deserialization
|
127
|
-
enter_deserialization_scope!
|
128
|
-
when :split
|
129
|
-
enter_split_scope!
|
130
|
-
else
|
131
|
-
raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
|
132
|
-
end
|
133
|
-
end
|
134
|
-
|
135
|
-
def exit_scope! name
|
136
|
-
case name
|
137
|
-
when :contrast
|
138
|
-
exit_contrast_scope!
|
139
|
-
when :deserialization
|
140
|
-
exit_deserialization_scope!
|
141
|
-
when :split
|
142
|
-
exit_split_scope!
|
143
|
-
else
|
144
|
-
raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
|
145
|
-
end
|
146
|
-
end
|
147
|
-
|
148
138
|
class << self
|
139
|
+
# Validates scope. To be valid the scope must be one of:
|
140
|
+
# :contrast, :split, :deserialization
|
141
|
+
#
|
142
|
+
# @param scope_sym [Symbol] scope to check.
|
143
|
+
# @return [Boolean] true | false
|
149
144
|
def valid_scope? scope_sym
|
150
145
|
Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
|
151
146
|
end
|
@@ -3,6 +3,7 @@
|
|
3
3
|
|
4
4
|
require 'contrast/components/logger'
|
5
5
|
require 'contrast/agent/worker_thread'
|
6
|
+
require 'contrast/agent/reporting/report'
|
6
7
|
|
7
8
|
module Contrast
|
8
9
|
module Agent
|
@@ -14,13 +15,35 @@ module Contrast
|
|
14
15
|
# Spec recommends 30 seconds, we're going with 15.
|
15
16
|
REFRESH_INTERVAL_SEC = 15
|
16
17
|
|
18
|
+
# check if we can report to TS
|
19
|
+
#
|
20
|
+
# @return[Boolean] true if bypass is enabled, or false if bypass disabled
|
21
|
+
def enabled?
|
22
|
+
@_enabled = Contrast::CONTRAST_SERVICE.use_agent_communication? if @_enabled.nil?
|
23
|
+
@_enabled
|
24
|
+
end
|
25
|
+
|
26
|
+
def client
|
27
|
+
@_client ||= Contrast::Agent::Reporting::ReporterClient.new
|
28
|
+
end
|
29
|
+
|
30
|
+
def connection
|
31
|
+
@_connection ||= client.initialize_connection
|
32
|
+
end
|
33
|
+
|
17
34
|
def start_thread!
|
18
35
|
return if running?
|
19
36
|
|
37
|
+
report_from_reporter = check_report_provider
|
38
|
+
|
20
39
|
@_thread = Contrast::Agent::Thread.new do
|
21
40
|
logger.info('Starting heartbeat thread.')
|
22
41
|
loop do
|
23
|
-
|
42
|
+
if report_from_reporter
|
43
|
+
client.send_event(poll_message, connection)
|
44
|
+
else
|
45
|
+
Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
|
46
|
+
end
|
24
47
|
|
25
48
|
sleep REFRESH_INTERVAL_SEC
|
26
49
|
end
|
@@ -28,7 +51,27 @@ module Contrast
|
|
28
51
|
end
|
29
52
|
|
30
53
|
def poll_message
|
31
|
-
@_poll_message ||=
|
54
|
+
@_poll_message ||= if enabled? && client
|
55
|
+
Contrast::Agent::Reporting::Poll.new
|
56
|
+
else
|
57
|
+
Contrast::Api::Dtm::Poll.new
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
def check_report_provider
|
62
|
+
return false unless enabled?
|
63
|
+
return false unless client && connection
|
64
|
+
|
65
|
+
client.startup!(connection)
|
66
|
+
true
|
67
|
+
end
|
68
|
+
|
69
|
+
def send_event provider
|
70
|
+
if provider
|
71
|
+
client.send_event(poll_message, connection)
|
72
|
+
return
|
73
|
+
end
|
74
|
+
Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
|
32
75
|
end
|
33
76
|
end
|
34
77
|
end
|
@@ -0,0 +1,51 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Contrast
|
5
|
+
module Agent
|
6
|
+
# This class will hold the all the mutual information for the Telemetry Exception
|
7
|
+
class TelemetryExceptionBase
|
8
|
+
def to_controlled_hash; end
|
9
|
+
|
10
|
+
protected
|
11
|
+
|
12
|
+
# Validate required and option fields
|
13
|
+
#
|
14
|
+
# @param validations [Hash] Validation hash to use
|
15
|
+
# @return [nil]
|
16
|
+
def validate validations
|
17
|
+
validations.each do |k, v|
|
18
|
+
next if v[:required] == false
|
19
|
+
|
20
|
+
validate_field validations[k], k
|
21
|
+
end
|
22
|
+
nil
|
23
|
+
end
|
24
|
+
|
25
|
+
# This method will validate every single field passed from validate
|
26
|
+
#
|
27
|
+
# @param validation_pair [Hash] Validation hash to use
|
28
|
+
# @param key[String] The key to check in VALIDATIONS
|
29
|
+
def validate_field validation_pair, key
|
30
|
+
value_to_validate = send(key.to_sym)
|
31
|
+
validate_class value_to_validate, validation_pair[:class], key if validation_pair.key?(:class)
|
32
|
+
value_length = value_to_validate.cs__is_a?(String) ? value_to_validate.length : value_to_validate.entries.length
|
33
|
+
unless validation_pair[:range].include?(value_length)
|
34
|
+
raise ArgumentError, "The provided value for #{ key } is invalid"
|
35
|
+
end
|
36
|
+
|
37
|
+
nil
|
38
|
+
end
|
39
|
+
|
40
|
+
# With the all nested classes, we still need to double check if everything passed along the way
|
41
|
+
# is right
|
42
|
+
# @param message [Object] The message we want to check the class of
|
43
|
+
# @param klass [Class] The klass we want to check the message with
|
44
|
+
# @param field [Object] The field with the error
|
45
|
+
def validate_class message, klass, field
|
46
|
+
message = message[0] if message.cs__is_a?(Array)
|
47
|
+
raise ArgumentError, "The provided value for #{ field } is invalid" unless message.cs__is_a? klass
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require_relative 'telemetry_exception_base'
|
5
|
+
require_relative 'telemetry_exception_message'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
# This class will hold the basic information for a Parent Telemetry Exception Event
|
10
|
+
class TelemetryExceptionEvent < Contrast::Agent::TelemetryExceptionBase
|
11
|
+
# Array of Telemetry Exclusions
|
12
|
+
# @return [Array<Contrast::Agent::TelemetryExceptionMessage>]
|
13
|
+
attr_reader :exclusions
|
14
|
+
|
15
|
+
# Initialization of the Parent Event requires us to require the exception
|
16
|
+
# to be created
|
17
|
+
#
|
18
|
+
# @param message [Contrast::Agent::TelemetryExceptionMessage]
|
19
|
+
def initialize message
|
20
|
+
super()
|
21
|
+
validate_class message, Contrast::Agent::TelemetryExceptionMessage, 'exception_message'
|
22
|
+
@exclusions = Array.new(1, message)
|
23
|
+
end
|
24
|
+
|
25
|
+
# @param message [Contrast::Agent::TelemetryExceptionMessage]
|
26
|
+
def push message
|
27
|
+
validate_class message, Contrast::Agent::TelemetryExceptionMessage, 'exception_message'
|
28
|
+
@exclusions << message
|
29
|
+
end
|
30
|
+
|
31
|
+
def to_controlled_hash
|
32
|
+
exclusions.map(&:to_controlled_hash)
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
@@ -0,0 +1,97 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require_relative 'telemetry_exception_base'
|
5
|
+
require_relative 'telemetry_exception_message_exception'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
# This class will hold the all the information for the specific exceptions
|
10
|
+
# and will be passed in the the event to be sent to TS
|
11
|
+
class TelemetryExceptionMessage < Contrast::Agent::TelemetryExceptionBase
|
12
|
+
VALIDATIONS = {
|
13
|
+
instance: { required: true, range: 12..64 },
|
14
|
+
tags: { required: true, range: 1..512 },
|
15
|
+
logger: { required: false, range: 1..128 },
|
16
|
+
message: { required: false, range: 1..512 },
|
17
|
+
exceptions: { required: true, range: 1..512, class: Contrast::Agent::TelemetryExceptionMessageException }
|
18
|
+
}.cs__freeze
|
19
|
+
|
20
|
+
# Timestamp of creation in ISO8601 format
|
21
|
+
# @return [Integer]
|
22
|
+
attr_reader :timestamp
|
23
|
+
|
24
|
+
# An Instance ID as defined in Unique Identification // Application ID
|
25
|
+
# @return [String]
|
26
|
+
attr_reader :instance
|
27
|
+
|
28
|
+
# Tags are key-value string pairs that annotate either metrics
|
29
|
+
# or errors to help provide context, filtering, grouping, and deduplication.
|
30
|
+
# @return [Hash{String => String}]
|
31
|
+
attr_reader :tags
|
32
|
+
|
33
|
+
# @return [Integer] A number of the occurrences of the exception
|
34
|
+
attr_accessor :occurrences
|
35
|
+
|
36
|
+
# Array of exceptions, but in our case the Array will only include one exception
|
37
|
+
# @return [Array<Contrast::Agent::TelemetryExceptionMessageException>]
|
38
|
+
attr_reader :exceptions
|
39
|
+
|
40
|
+
# @return [String,nil] A string denoting the origin of this error.
|
41
|
+
attr_reader :logger
|
42
|
+
|
43
|
+
# @return [String | nil] A string message to provide additional context to the errors.
|
44
|
+
attr_reader :message
|
45
|
+
|
46
|
+
def initialize instance, tags, exceptions
|
47
|
+
super()
|
48
|
+
@tags = tags
|
49
|
+
@timestamp = Time.now.iso8601
|
50
|
+
@instance = instance
|
51
|
+
@occurrences = 1
|
52
|
+
@exceptions = exceptions
|
53
|
+
validate VALIDATIONS
|
54
|
+
end
|
55
|
+
|
56
|
+
# Optional parameters will be set separately from the required
|
57
|
+
#
|
58
|
+
# @param logger[String]
|
59
|
+
def logger= logger
|
60
|
+
validate_field VALIDATIONS[:logger], 'logger'
|
61
|
+
@logger = logger
|
62
|
+
end
|
63
|
+
|
64
|
+
# Optional parameters will be set separately from the required
|
65
|
+
#
|
66
|
+
# @param message[String]
|
67
|
+
def message= message
|
68
|
+
validate_field VALIDATIONS[:message], 'message'
|
69
|
+
@message = message
|
70
|
+
end
|
71
|
+
|
72
|
+
# Optional parameters will be set separately from the required
|
73
|
+
# This method is different and is regarding the way we proceed
|
74
|
+
# with incrementing occurrences
|
75
|
+
# If we keep track of them in different places and we store that value
|
76
|
+
# in separated variable - we may directly re-assign occurrences=
|
77
|
+
# But if we are not doing that - we may on same message generated
|
78
|
+
# to increment occurrences from here
|
79
|
+
def increment_occurrences
|
80
|
+
@occurrences += 1
|
81
|
+
end
|
82
|
+
|
83
|
+
def to_controlled_hash
|
84
|
+
super()
|
85
|
+
{
|
86
|
+
timestamp: timestamp,
|
87
|
+
instance: instance,
|
88
|
+
occurrences: occurrences,
|
89
|
+
tags: tags,
|
90
|
+
exceptions: exceptions.map(&:to_controlled_hash),
|
91
|
+
logger: logger,
|
92
|
+
message: message
|
93
|
+
}.compact
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|