contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/agent/request_context_extend.rb

@@ -1,19 +1,27 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/assess/rule/response/autocomplete_rule'
+require 'contrast/agent/assess/rule/response/auto_complete_rule'
+require 'contrast/agent/assess/rule/response/cache_control_header_rule'
+require 'contrast/agent/assess/rule/response/click_jacking_header_rule'
+require 'contrast/agent/assess/rule/response/csp_header_insecure_rule'
+require 'contrast/agent/assess/rule/response/csp_header_missing_rule'
 require 'contrast/agent/assess/rule/response/hsts_header_rule'
-require 'contrast/agent/assess/rule/response/cachecontrol_rule'
-require 'contrast/agent/assess/rule/response/clickjacking_rule'
-require 'contrast/agent/assess/rule/response/x_content_type_rule'
 require 'contrast/agent/assess/rule/response/parameters_pollution_rule'
+require 'contrast/agent/assess/rule/response/x_content_type_header_rule'
+require 'contrast/agent/assess/rule/response/x_xss_protection_header_rule'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/components/logger'
+require 'contrast/utils/log_utils'
 
 module Contrast
   module Agent
     # This class extends RequestContexts: this class acts to encapsulate information about the currently
     # executed request, making it available to the Agent for the duration of the request in a standardized
     # and normalized format which the Agent understands.
-    module RequestContextExtend
+    module RequestContextExtend # rubocop:disable Metrics/ModuleLength
+      include Contrast::Utils::CEFLogUtils
+      include Contrast::Components::Logger::InstanceMethods
       BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
       # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
       # where it is necessary for our route coverage and finding vulnerability discovery features to function.
@@ -74,10 +82,10 @@ module Contrast
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          if logger.trace?
-            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
-            logger.trace('Results', input_analysis: ia.inspect)
-          end
+          service_extract_logging ia
+          # using Agent analysis
+          initialize_agent_input_analysis request
+
           @speedracer_input_analysis = ia
           speedracer_input_analysis.request = request
         else
@@ -113,23 +121,42 @@ module Contrast
       # append anything we've learned to the request seen message this is the sum-total of all inventory information
       # that has been accumulated since the last request
       def extract_after rack_response
+        # We must ALWAYS save the response, even if we don't need it here for response sampling. It is used for other
+        # vulnerability detection, most notably XSS, and not capturing it may suppress valid findings.
         @response = Contrast::Agent::Response.new(rack_response)
-        activity.http_response = @response.dtm if @sample_res
-        return unless Contrast::Agent::Reporter.enabled?
-
-        Contrast::Agent::Assess::Rule::Response::Autocomplete.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::HSTSHeader.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::Cachecontrol.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::XXssProtection.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::CspHeaderMissing.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::CspHeaderInsecure.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::Clickjacking.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::XContentType.new.analyze(@response)
-        Contrast::Agent::Assess::Rule::Response::ParametersPollution.new.analyze(@response)
+        return unless @sample_res
+
+        #
+        # TODO: RUBY-1376 once all rules translated, move this to if/else w/ the enabled
+        if Contrast::Agent::Reporter.enabled?
+          Contrast::Agent::Assess::Rule::Response::AutoComplete.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::CacheControl.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::ClickJacking.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::CspHeaderMissing.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::CspHeaderInsecure.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::HSTSHeader.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::ParametersPollution.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::XContentType.new.analyze(@response)
+          Contrast::Agent::Assess::Rule::Response::XXssProtection.new.analyze(@response)
+        else
+          activity.http_response = @response.dtm
+        end
       rescue StandardError => e
         logger.error('Unable to extract information after request', e)
       end
 
+      # This here is for things we don't have implemented
+      def log_to_cef
+        activity.results.each { |attack_result| logging_logic attack_result, attack_result.rule_id.downcase }
+      end
+
+      # @param input_analysis [Contrast::Api::Settings::InputAnalysis]
+      def service_extract_logging input_analysis
+        log_to_cef
+        logger.trace('Analysis from Contrast Service', evaluations: input_analysis.results.length) if logger.trace?
+        logger.trace('Results', input_analysis: input_analysis.inspect) if logger.trace?
+      end
+
       private
 
       # Generate attack results directly from any evaluations on the agent settings object.
@@ -171,6 +198,43 @@ module Contrast
                             rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
                           end
       end
+
+      # Sets request to be used with agent and service input analysis.
+      #
+      # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request
+      # for this context
+      def initialize_agent_input_analysis request
+        # using Agent analysis
+        ia = Contrast::Agent::Protect::InputAnalyzer.analyse request
+        if ia
+          @agent_input_analysis = ia
+        else
+          logger.trace('Analysis from Agent was empty.')
+        end
+      end
+
+      def logging_logic result, rule_id
+        rules = %w[bot_blocker virtual_patch ip_denylist]
+        return unless rules.include?(rule_id)
+
+        rule_details = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0]).fetch(rule_id.to_sym)
+        outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+        case rule_id
+        when /bot_blocker/i
+          blocker_to_json = Contrast::Api::Dtm::BotBlockerDetails.to_controlled_hash rule_details
+          cef_logger.bot_blocking_message(blocker_to_json, outcome)
+        when /virtual_patch/i
+          virtual_patch_to_json = Contrast::Api::Dtm::VirtualPatchDetails.to_controlled_hash rule_details
+          cef_logger.virtual_patch_message(virtual_patch_to_json, outcome)
+        when /ip_denylist/i
+          sender_ip = extract_sender_ip
+          ip_denylist_to_json = Contrast::Api::Dtm::IpDenylistDetails.to_controlled_hash rule_details
+          return unless sender_ip
+          return unless sender_ip.include?(ip_denylist_to_json[:ip])
+
+          cef_logger.ip_denylisted_message(sender_ip, ip_denylist_to_json, outcome)
+        end
+      end
     end
   end
 end

data/lib/contrast/agent/request_handler.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/agent/reporting/reporter'
 require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/agent/reporting/masker/masker'
 
 module Contrast
   module Agent
@@ -53,6 +54,9 @@ module Contrast
         reporter = Contrast::Agent.reporter
         return unless reporter
 
+        # Mask Sensitive Data
+        Contrast::Agent::Reporting::Masker.mask context.activity
+
         Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
         [
           context.new_observed_route,

data/lib/contrast/agent/scope.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'cs__scope/cs__scope'
+
 module Contrast
   module Agent
     # Scope lets us disable Contrast for certain code calls. We need to do this so
@@ -14,75 +16,100 @@ module Contrast
     #
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
+    #
+    # Scope Exits...
+    # by design, can go below zero.
+    # every exit/enter pair (regardless of series)
+    # should cancel each other out.
+    #
+    # so we prefer this sequence:
+    #   scope =  0
+    #   exit  = -1
+    #   enter =  0
+    #   enter =  1
+    #   exit  =  0
+    #   scope =  0
+    #
+    # over this sequence:
+    #   scope =  0
+    #   exit  =  0
+    #   enter =  1
+    #   enter =  2
+    #   exit  =  1
+    #   scope =  1
+    #
+    # This class have been moved to C and it's called from there. Here remains
+    # the validation and wrapper methods.
+    #
+    # Methods defined in C:
+    #
+    # sets scope instance variables.
+    # def initialize end;
+    #
+    # Check if we are in contrast scope.
+    # def in_contrast_scope? end;
+    # @return [Boolean] check if we are in contrast scope
+    #                   if the scope is above 0 return true.
+    #
+    # check if we are in deserialization scope.
+    # def in_deserialization_scope? end;
+    # @return [Boolean] check if we are in contrast scope
+    #                   if the scope is above 0 return true.
+    #
+    # check if we are in split scope.
+    # def in_split_scope? end;
+    # @return [Boolean] check if we are in contrast scope
+    #                   if the scope is above 0 return true.
+    #
+    # enter contrast scope.
+    # def enter_contrast_scope! end;
+    # @return @contrast_scope [Integer] contrast scope increased.
+    #
+    # enter deserialization scope.
+    # def enter_deserialization_scope! end;
+    # @return @deserialization_scope [Integer] deserialization scope increased.
+    #
+    # enter split scope.
+    # def enter_split_scope! end;
+    # @return @split_scope [Integer] split scope increased.
+    #
+    # check split scope depth.
+    # def split_scope_depth end;
+    # @return @split_scope [Integer] split scope depth.
+    #
+    # exit contrast scope.
+    # def exit_contrast_scope! end;
+    # @return @contrast_scope [Integer] contrast scope decreased.
+    #
+    # exit deserialization scope.
+    # def exit_deserialization_scope! end;
+    # @return @deserialization_scope [Integer] deserialization scope decreased.
+    #
+    # exit split scope.
+    # def exit_split_scope! end;
+    # @return @split_scope [Integer] split scope decreased.
+    #
+    # Static methods to be used, the cases are defined by the usage from the above methods
+    #
+    # check if we are in specific scope.
+    # def in_scope? name end;
+    # @param name [Symbol] scope symbol representing scope to check.
+    # @return [Boolean] check if we are in passed scope.
+    #
+    # enter specific scope.
+    # def enter_scope! name end;
+    # @param name [Symbol] scope symbol representing scope to enter.
+    # @return scope [Integer] entered scope value increased.
+    #
+    # exit specific scope.
+    # def exit_cope! name end;
+    # @param name [Symbol] scope symbol representing scope to exit.
+    # @return scope [Integer] entered scope value decreased.
     class Scope
       SCOPE_LIST = %i[contrast deserialization split].cs__freeze
 
-      def initialize
-        @contrast_scope = 0
-        @deserialization_scope = 0
-        @split_scope = 0
-      end
-
-      def in_contrast_scope?
-        @contrast_scope.positive?
-      end
-
-      def in_deserialization_scope?
-        @deserialization_scope.positive?
-      end
-
-      def in_split_scope?
-        @split_scope.positive?
-      end
-
-      def enter_contrast_scope!
-        @contrast_scope += 1
-      end
-
-      def enter_deserialization_scope!
-        @deserialization_scope += 1
-      end
-
-      def enter_split_scope!
-        @split_scope += 1
-      end
-
-      def split_scope_depth
-        @split_scope
-      end
-
-      # Scope Exits...
-      # by design, can go below zero.
-      # every exit/enter pair (regardless of series)
-      # should cancel each other out.
-      #
-      # so we prefer this sequence:
-      #   scope =  0
-      #   exit  = -1
-      #   enter =  0
-      #   enter =  1
-      #   exit  =  0
-      #   scope =  0
-      #
-      # over this sequence:
-      #   scope =  0
-      #   exit  =  0
-      #   enter =  1
-      #   enter =  2
-      #   exit  =  1
-      #   scope =  1
-      def exit_contrast_scope!
-        @contrast_scope -= 1
-      end
-
-      def exit_deserialization_scope!
-        @deserialization_scope -= 1
-      end
-
-      def exit_split_scope!
-        @split_scope -= 1
-      end
-
+      # Wraps block to be executed in contrast scope.
+      # On completion exits scope.
       def with_contrast_scope
         enter_contrast_scope!
         yield
@@ -90,6 +117,8 @@ module Contrast
         exit_contrast_scope!
       end
 
+      # Wraps block to be executed in deserialization scope.
+      # On completion exits scope.
       def with_deserialization_scope
         enter_deserialization_scope!
         yield
@@ -97,6 +126,8 @@ module Contrast
         exit_deserialization_scope!
       end
 
+      # Wraps block to be executed in split scope.
+      # On completion exits scope.
       def with_split_scope
         enter_split_scope!
         yield
@@ -104,48 +135,12 @@ module Contrast
         exit_split_scope!
       end
 
-      # Static methods to be used, the cases are defined by the usage from the above methods
-      # if more methods are added - please extend the case statements as they are no longed dynamic
-      def in_scope? name
-        case name
-        when :contrast
-          in_contrast_scope?
-        when :deserialization
-          in_deserialization_scope?
-        when :split
-          in_split_scope?
-        else
-          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
-        end
-      end
-
-      def enter_scope! name
-        case name
-        when :contrast
-          enter_contrast_scope!
-        when :deserialization
-          enter_deserialization_scope!
-        when :split
-          enter_split_scope!
-        else
-          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
-        end
-      end
-
-      def exit_scope! name
-        case name
-        when :contrast
-          exit_contrast_scope!
-        when :deserialization
-          exit_deserialization_scope!
-        when :split
-          exit_split_scope!
-        else
-          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
-        end
-      end
-
       class << self
+        # Validates scope. To be valid the scope must be one of:
+        # :contrast, :split, :deserialization
+        #
+        # @param scope_sym [Symbol] scope to check.
+        # @return [Boolean] true | false
         def valid_scope? scope_sym
           Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
         end

data/lib/contrast/agent/service_heartbeat.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
 
 module Contrast
   module Agent
@@ -14,13 +15,35 @@ module Contrast
       # Spec recommends 30 seconds, we're going with 15.
       REFRESH_INTERVAL_SEC = 15
 
+      # check if we can report to TS
+      #
+      # @return[Boolean] true if bypass is enabled, or false if bypass disabled
+      def enabled?
+        @_enabled = Contrast::CONTRAST_SERVICE.use_agent_communication? if @_enabled.nil?
+        @_enabled
+      end
+
+      def client
+        @_client ||= Contrast::Agent::Reporting::ReporterClient.new
+      end
+
+      def connection
+        @_connection ||= client.initialize_connection
+      end
+
       def start_thread!
         return if running?
 
+        report_from_reporter = check_report_provider
+
         @_thread = Contrast::Agent::Thread.new do
           logger.info('Starting heartbeat thread.')
           loop do
-            Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
+            if report_from_reporter
+              client.send_event(poll_message, connection)
+            else
+              Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
+            end
 
             sleep REFRESH_INTERVAL_SEC
           end
@@ -28,7 +51,27 @@ module Contrast
       end
 
       def poll_message
-        @_poll_message ||= Contrast::Api::Dtm::Poll.new
+        @_poll_message ||= if enabled? && client
+                             Contrast::Agent::Reporting::Poll.new
+                           else
+                             Contrast::Api::Dtm::Poll.new
+                           end
+      end
+
+      def check_report_provider
+        return false unless enabled?
+        return false unless client && connection
+
+        client.startup!(connection)
+        true
+      end
+
+      def send_event provider
+        if provider
+          client.send_event(poll_message, connection)
+          return
+        end
+        Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
       end
     end
   end

data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    # This class will hold the all the mutual information for the Telemetry Exception
+    class TelemetryExceptionBase
+      def to_controlled_hash; end
+
+      protected
+
+      # Validate required and option fields
+      #
+      # @param validations [Hash] Validation hash to use
+      # @return [nil]
+      def validate validations
+        validations.each do |k, v|
+          next if v[:required] == false
+
+          validate_field validations[k], k
+        end
+        nil
+      end
+
+      # This method will validate every single field passed from validate
+      #
+      # @param validation_pair [Hash] Validation hash to use
+      # @param key[String] The key to check in VALIDATIONS
+      def validate_field validation_pair, key
+        value_to_validate = send(key.to_sym)
+        validate_class value_to_validate, validation_pair[:class], key if validation_pair.key?(:class)
+        value_length = value_to_validate.cs__is_a?(String) ? value_to_validate.length : value_to_validate.entries.length
+        unless validation_pair[:range].include?(value_length)
+          raise ArgumentError, "The provided value for #{ key } is invalid"
+        end
+
+        nil
+      end
+
+      # With the all nested classes, we still need to double check if everything passed along the way
+      # is right
+      # @param message [Object] The message we want to check the class of
+      # @param klass [Class] The klass we want to check the message with
+      # @param field [Object] The field with the error
+      def validate_class message, klass, field
+        message = message[0] if message.cs__is_a?(Array)
+        raise ArgumentError, "The provided value for #{ field } is invalid" unless message.cs__is_a? klass
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require_relative 'telemetry_exception_base'
+require_relative 'telemetry_exception_message'
+
+module Contrast
+  module Agent
+    # This class will hold the basic information for a Parent Telemetry Exception Event
+    class TelemetryExceptionEvent < Contrast::Agent::TelemetryExceptionBase
+      # Array of Telemetry Exclusions
+      # @return [Array<Contrast::Agent::TelemetryExceptionMessage>]
+      attr_reader :exclusions
+
+      # Initialization of the Parent Event requires us to require the exception
+      # to be created
+      #
+      # @param message [Contrast::Agent::TelemetryExceptionMessage]
+      def initialize message
+        super()
+        validate_class message, Contrast::Agent::TelemetryExceptionMessage, 'exception_message'
+        @exclusions = Array.new(1, message)
+      end
+
+      # @param message [Contrast::Agent::TelemetryExceptionMessage]
+      def push message
+        validate_class message, Contrast::Agent::TelemetryExceptionMessage, 'exception_message'
+        @exclusions << message
+      end
+
+      def to_controlled_hash
+        exclusions.map(&:to_controlled_hash)
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb

@@ -0,0 +1,97 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require_relative 'telemetry_exception_base'
+require_relative 'telemetry_exception_message_exception'
+
+module Contrast
+  module Agent
+    # This class will hold the all the information for the specific exceptions
+    # and will be passed in the the event to be sent to TS
+    class TelemetryExceptionMessage < Contrast::Agent::TelemetryExceptionBase
+      VALIDATIONS = {
+          instance: { required: true, range: 12..64 },
+          tags: { required: true, range: 1..512 },
+          logger: { required: false, range: 1..128 },
+          message: { required: false, range: 1..512 },
+          exceptions: { required: true, range: 1..512, class: Contrast::Agent::TelemetryExceptionMessageException }
+      }.cs__freeze
+
+      # Timestamp of creation in ISO8601 format
+      # @return [Integer]
+      attr_reader :timestamp
+
+      # An Instance ID as defined in Unique Identification // Application ID
+      # @return [String]
+      attr_reader :instance
+
+      # Tags are key-value string pairs that annotate either metrics
+      # or errors to help provide context, filtering, grouping, and deduplication.
+      # @return [Hash{String => String}]
+      attr_reader :tags
+
+      # @return [Integer] A number of the occurrences of the exception
+      attr_accessor :occurrences
+
+      # Array of exceptions, but in our case the Array will only include one exception
+      # @return [Array<Contrast::Agent::TelemetryExceptionMessageException>]
+      attr_reader :exceptions
+
+      # @return [String,nil] A string denoting the origin of this error.
+      attr_reader :logger
+
+      # @return [String | nil] A string message to provide additional context to the errors.
+      attr_reader :message
+
+      def initialize instance, tags, exceptions
+        super()
+        @tags = tags
+        @timestamp = Time.now.iso8601
+        @instance = instance
+        @occurrences = 1
+        @exceptions = exceptions
+        validate VALIDATIONS
+      end
+
+      # Optional parameters will be set separately from the required
+      #
+      # @param logger[String]
+      def logger= logger
+        validate_field VALIDATIONS[:logger], 'logger'
+        @logger = logger
+      end
+
+      # Optional parameters will be set separately from the required
+      #
+      # @param message[String]
+      def message= message
+        validate_field VALIDATIONS[:message], 'message'
+        @message = message
+      end
+
+      # Optional parameters will be set separately from the required
+      # This method is different and is regarding the way we proceed
+      # with incrementing occurrences
+      # If we keep track of them in different places and we store that value
+      # in separated variable - we may directly re-assign occurrences=
+      # But if we are not doing that - we may on same message generated
+      # to increment occurrences from here
+      def increment_occurrences
+        @occurrences += 1
+      end
+
+      def to_controlled_hash
+        super()
+        {
+            timestamp: timestamp,
+            instance: instance,
+            occurrences: occurrences,
+            tags: tags,
+            exceptions: exceptions.map(&:to_controlled_hash),
+            logger: logger,
+            message: message
+        }.compact
+      end
+    end
+  end
+end