contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb

@@ -0,0 +1,65 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require_relative 'telemetry_exception_base'
+require_relative 'telemetry_exception_stack_frame'
+
+module Contrast
+  module Agent
+    # This class will hold the all the information for the specific exception
+    # and will be passed in the Exception message itself
+    class TelemetryExceptionMessageException < Contrast::Agent::TelemetryExceptionBase
+      VALIDATIONS = {
+          type: { required: true, range: 1..256 },
+          module_name: { required: false, range: 1..256 },
+          value: { required: false, range: 1..256 },
+          stack_frames: { required: true, range: 1..128, class: Contrast::Agent::TelemetryExceptionStackFrame }
+      }.cs__freeze
+
+      # @return [String] The type of the exception itself
+      attr_reader :type
+
+      # @return [Array<Contrast::Agent::TelemetryExceptionStackFrame>] stack frames for the message exception
+      attr_reader :stack_frames
+
+      # @return [String]
+      attr_reader :module_name
+
+      # @return [String]
+      attr_reader :value
+
+      def initialize type, stack_frame
+        super()
+        @type = type
+        @stack_frames = Array.new(1, stack_frame)
+        validate VALIDATIONS
+      end
+
+      # @param stack_frame [Contrast::Agent::TelemetryExceptionStackFrame]
+      def push stack_frame
+        validate_class stack_frame, Contrast::Agent::TelemetryExceptionStackFrame, 'stack_frame'
+        @stack_frames << stack_frame
+      end
+
+      def module_name= module_name
+        validate_field VALIDATIONS[:module_name], 'module_name'
+        @module_name = module_name
+      end
+
+      def value= value
+        validate_field VALIDATIONS[:value], 'value'
+        @value = value
+      end
+
+      def to_controlled_hash
+        super
+        {
+            type: type,
+            stack_frames: stack_frames.map(&:to_controlled_hash),
+            module_name: module_name,
+            value: value
+        }.compact
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb

@@ -0,0 +1,47 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require_relative 'telemetry_exception_base'
+
+module Contrast
+  module Agent
+    # This class will hold the all the information for the specific exception
+    # and will be passed in the Exception message itself
+    class TelemetryExceptionStackFrame < Contrast::Agent::TelemetryExceptionBase
+      VALIDATIONS = {
+          function: { required: true, range: 1..256 },
+          type: { required: true, range: 1..256 },
+          module_name: { required: false, range: 1..256 }
+      }.cs__freeze
+
+      # @return [String] The type of the exception itself
+      attr_reader :type
+
+      # @return [String] the function of the stack trace
+      attr_reader :function
+
+      # @return [Boolean] Is it in contrast
+      attr_accessor :in_contrast
+
+      def initialize function, type
+        super()
+        @function = function
+        @type = type
+        @in_contrast = false
+        validate VALIDATIONS
+      end
+
+      attr_reader :module_name
+
+      def module_name= module_name
+        validate_field VALIDATIONS[:module_name], 'module_name'
+        @module_name = module_name
+      end
+
+      def to_controlled_hash
+        super
+        { function: function, type: type, inContrast: in_contrast, module_name: module_name }.compact
+      end
+    end
+  end
+end

data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb}

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/metrics_hash'
-require 'contrast/agent/telemetry_event'
+require 'contrast/agent/telemetry/events/telemetry_event'
 
 module Contrast
   module Agent

data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb}

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/metrics_hash'
-require 'contrast/agent/metric_telemetry_event'
+require 'contrast/agent/telemetry/events/metric_telemetry_event'
 require 'contrast/agent/version'
 require 'contrast/utils/os'
 
@@ -69,9 +69,9 @@ module Contrast
       end
 
       def add_config_keys config, nested_key
-        config.configuration_map.reject! { |_k, v| REJECTED_VALUES.include?(v) }
+        config.to_hash.reject! { |_k, v| REJECTED_VALUES.include?(v) }
 
-        config.configuration_map.each do |k, v|
+        config.to_hash.each do |k, v|
           unless v.cs__class <= Contrast::Config::BaseConfiguration
             @settings << "#{ nested_key }.#{ k }"
             next

data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb}

@@ -9,7 +9,7 @@ module Contrast
     class TelemetryEvent
       include Contrast::Utils
 
-      attr_reader :timestamp, :tags
+      attr_reader :tags
 
       def initialize
         @tags = MetricsHash.new(String)

data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb}

@@ -27,13 +27,13 @@ module Contrast
             mac = Contrast::Utils::Telemetry::Identifier.mac
             app_name = Contrast::Utils::Telemetry::Identifier.app_name
             id = mac + app_name if mac && app_name
-            Digest::SHA2.new(256).hexdigest(id || ('_' + SecureRandom.uuid))
+            Digest::SHA2.new(256).hexdigest(id || "_#{ SecureRandom.uuid }")
           end
         end
 
         def instance_id
           @_instance_id ||= Digest::SHA2.new(256).hexdigest(Contrast::Utils::Telemetry::Identifier.mac ||
-                                                                  ('_' + SecureRandom.uuid))
+                                                                  "_#{ SecureRandom.uuid }")
         end
 
         def enabled?
@@ -44,17 +44,15 @@ module Contrast
         private
 
         def telemetry_enabled?
-          opt_out_telemetry = return_value(:telemetry_opt_outs)
-          return false if opt_out_telemetry.to_s.casecmp('true').zero?
-          return false if opt_out_telemetry.to_s.casecmp('1').zero?
+          opt_out_telemetry = return_value(:telemetry_opt_outs).to_s
+          return false if opt_out_telemetry.casecmp?('true') || opt_out_telemetry == '1'
 
           # In case of connection error, do not create the background thread or queue,
           # as if the opt-out env var was set
           @_client = Contrast::Utils::TelemetryClient.new
           ip_opt_out_telemetry = @_client.initialize_connection(URL)
           if ip_opt_out_telemetry.nil?
-            logger.warn('Connection was not established properly!!!')
-            logger.warn('THE SERVICE IS GOING TO BE TERMINATED!!')
+            logger.warn("Connection was not established properly!!! \n Telemetry reporting will be disabled!")
             return false
           end
 
@@ -87,17 +85,27 @@ module Contrast
         # general metrics every 3 hours, starting from implementation startup.
         @_thread = Contrast::Agent::Thread.new do
           logger.debug('Starting background telemetry thread.')
-          event = queue.pop
-
-          begin
-            logger.debug('This is the current processed event', event)
-            res = client.send_request event, connection
-            sleep_time = client.handle_response res
-            sleep(sleep_time) unless sleep_time.nil?
-          rescue StandardError => e
-            logger.error('Could not send message to service from telemetry queue.', e)
+          loop do
+            next unless client && connection
+
+            until queue.empty?
+              event = queue.pop
+              begin
+                logger.debug('This is the current processed event', event)
+                sleep_time = request_with_response event
+                if sleep_time
+                  sleep(sleep_time)
+                  logger.debug('Retrying to process event', event)
+                  retry_sleep_time = request_with_response event
+                  sleep(retry_sleep_time) unless retry_sleep_time.nil?
+                end
+              rescue StandardError => e
+                logger.error('Could not send message to service from telemetry queue.', e)
+                stop!
+              end
+            end
+            sleep(SUGGESTED_TIMEOUT)
           end
-          sleep(SUGGESTED_TIMEOUT)
         end
       end
 
@@ -110,7 +118,6 @@ module Contrast
         return unless cs__class.enabled?
 
         logger.debug('Enqueued event for sending', event_type: event.cs__class)
-
         queue << event if event
       end
 
@@ -123,8 +130,14 @@ module Contrast
       def stop!
         return unless running?
 
-        super
+        @_enabled = false
         delete_queue!
+        super
+      end
+
+      def request_with_response event
+        res = client.send_request event, connection
+        client.handle_response res
       end
 
       private

data/lib/contrast/agent/thread_watcher.rb

@@ -5,7 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/agent/service_heartbeat'
 require 'contrast/api/communication/messaging_queue'
 require 'contrast/agent/reporting/report'
-require 'contrast/agent/telemetry'
+require 'contrast/agent/telemetry/telemetry'
 
 module Contrast
   module Agent

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '5.1.0'
+    VERSION = '6.0.0'
   end
 end

data/lib/contrast/agent.rb

@@ -32,6 +32,8 @@ require 'contrast/utils/invalid_configuration_util'
 # Collect findings
 require 'contrast/utils/findings'
 
+# Collect Exploites and Attacks
+require 'contrast/agent/protect/exploitable_collection'
 # scoping
 require 'contrast/agent/scope'
 
@@ -52,6 +54,7 @@ module Contrast
     # build a map for tracking the context of the current request
     REQUEST_TRACKER = Contrast::Utils::ThreadTracker.new
     FINDINGS = Contrast::Utils::Findings.new
+    EXPLOITS = Contrast::Agent::Protect::ExploitableCollection.new
 
     # @return [Contrast::Framework::Manager]
     def self.framework_manager

data/lib/contrast/api/communication/speedracer.rb

@@ -42,7 +42,7 @@ module Contrast
                 return
               end
             end
-            unless status.startup_messages_sent?
+            unless status.startup_messages_sent? || Contrast::Agent::Reporter.enabled?
               startup_responses = send_initialization_messages
               return false unless startup_responses
 

data/lib/contrast/api/decorators/address.rb

@@ -28,7 +28,7 @@ module Contrast
             @_build_receiver ||= begin
               address = new
               address.host = 'localhost'
-              address.ip = '127.0.0.1'
+              address.ip = '127.0.0.1' # rubocop:disable Style/IpAddresses
               begin
                 Timeout.timeout(1) do
                   address.host = Contrast::Utils::StringUtils.force_utf8(Socket.gethostname)

data/lib/contrast/api/decorators/bot_blocker.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::BotBlockerDetails} protobuf
+      # model so it can own the request which its data is for.
+      module BotBlockerDetails
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          # @param result [Contrast::Api::Dtm::BotBlockerDetails]
+          def to_controlled_hash result
+            {
+                bot: result.bot,
+                user_agent: result.user_agent
+            }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::BotBlockerDetails.include(Contrast::Api::Decorators::BotBlockerDetails)

data/lib/contrast/api/decorators/ip_denylist.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::IpDenylistDetails} protobuf
+      # model so it can own the request which its data is for.
+      module IpDenylistDetails
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          # @param result [Contrast::Api::Dtm::IpDenylistDetails]
+          def to_controlled_hash result
+            {
+                ip: result.ip,
+                uuid: result.uuid
+            }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::IpDenylistDetails.include(Contrast::Api::Decorators::IpDenylistDetails)

data/lib/contrast/api/decorators/rasp_rule_sample.rb

@@ -20,6 +20,35 @@ module Contrast
             sample.user_input.document_type = Contrast::Utils::StringUtils.force_utf8(context.request.document_type)
             sample
           end
+
+          # @param result [Contrast::Api::Dtm::RaspRuleSample]
+          def to_controlled_hash result
+            {
+                timestamp: Time.at(result.timestamp_ms).iso8601,
+                user_input: result.user_input,
+                brute_force: result.brute_force,
+                bot_blocker: result.bot_blocker,
+                cmdi: result.cmdi,
+                csrf: result.csrf,
+                cve: result.cve,
+                untrusted_deserialization: result.untrusted_deserialization,
+                el_injection: result.el_injection,
+                mark_of_the_beast: result.mark_of_the_beast,
+                padding_oracle: result.padding_oracle,
+                path_traversal: result.path_traversal,
+                re_dos: result.re_dos,
+                sqli: result.sqli,
+                ssrf: result.ssrf,
+                virtual_patch: result.virtual_patch,
+                xss: result.xss,
+                xxe: result.xxe,
+                no_sqli: result.no_sqli,
+                method_tampering: result.method_tampering,
+                path_traversal_semantic: result.path_traversal_semantic,
+                ssjs: result.ssjs,
+                ip_denylist: result.ip_denylist
+            }
+          end
         end
       end
     end

data/lib/contrast/api/decorators/response_type.rb

@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'protobuf/message'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::AttackResult::ResponseType} protobuf
+      # model so it can add SUSPICIOUS.
+      module ResponseType
+        ::Protobuf::Enum.define(:SUSPICIOUS, 6)
+
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the  class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::AttackResult::ResponseType.include(Contrast::Api::Decorators::ResponseType)

data/lib/contrast/api/decorators/user_input.rb

@@ -25,11 +25,21 @@ module Contrast
             return UNKNOWN_USER_INPUT.dup unless ia_result
 
             user_input = new
-            user_input.input_type = ia_result.input_type.to_i
             user_input.matcher_ids = ia_result.ids
             user_input.path = ia_result.path.to_s
             user_input.key = ia_result.key.to_s
             user_input.value = ia_result.value.to_s
+            if ia_result.input_type
+              #
+              # InputAnalysis have local Agent implementation, so we need ot take care of difference
+              # if we pass data from wrong place - we need to handle the TypeError in throws
+              begin
+                user_input.input_type = ia_result.input_type.to_i
+              rescue TypeError, NoMethodError => _e
+                user_input.input_type = ia_result.input_type
+              end
+            end
+
             user_input
           end
         end

data/lib/contrast/api/decorators/virtual_patch.rb

@@ -0,0 +1,34 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/base'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the {Contrast::Api::Dtm::VirtualPatchDetails} protobuf
+      # model so it can own the request which its data is for.
+      module VirtualPatchDetails
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+
+        # Used to add class methods to the AgentStartup class on inclusion of the decorator
+        module ClassMethods
+          def build
+            new
+          end
+
+          # @param result [Contrast::Api::Dtm::VirtualPatchDetails]
+          def to_controlled_hash result
+            { uuid: result.uuid }
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::VirtualPatchDetails.include(Contrast::Api::Decorators::VirtualPatchDetails)

data/lib/contrast/api/decorators.rb

@@ -28,3 +28,4 @@ require 'contrast/api/decorators/rasp_rule_sample'
 require 'contrast/api/decorators/user_input'
 require 'contrast/api/decorators/address'
 require 'contrast/api/decorators/http_request'
+require 'contrast/api/decorators/response_type'

data/lib/contrast/components/app_context.rb

@@ -48,10 +48,6 @@ module Contrast
           end
         end
 
-        def session_id
-          @_session_id ||= build_app_startup_message.session_id
-        end
-
         def app_version
           @_app_version ||= Contrast::CONFIG.root.application.version
         end

data/lib/contrast/components/assess.rb

@@ -110,6 +110,20 @@ module Contrast
               []
         end
 
+        def track_original_object?
+          if @_track_original_object.nil?
+            @_track_original_object = !false?(::Contrast::CONFIG.root.assess.enable_original_object)
+          end
+
+          @_track_original_object
+        end
+
+        # The id for this process, based on the session metadata or id provided by the user, as indicated in
+        # application startup.
+        def session_id
+          ::Contrast::SETTINGS.assess_state.session_id
+        end
+
         private
 
         def forcibly_enabled?

data/lib/contrast/components/logger.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/logger/log'
+require 'contrast/logger/cef_log'
 require 'contrast/components/base'
 
 module Contrast
@@ -12,6 +13,10 @@ module Contrast
           Contrast::Logger::Log.instance.logger
         end
 
+        def cef_logger
+          @_cef_logger ||= Contrast::Logger::CEFLog.instance.tap(&:build_logger)
+        end
+
         def add_trace_perf_logging_for sym, custom_message = nil
           logger.add_trace_perf_logging(self, sym, custom_message)
         end

data/lib/contrast/components/protect.rb

@@ -28,7 +28,8 @@ module Contrast
         end
 
         def rule_mode rule_id
-          ::Contrast::CONFIG.root.protect.rules[rule_id]&.applicable_mode ||
+          str = rule_id.tr('-', '_')
+          ::Contrast::CONFIG.root.protect.rules[str]&.applicable_mode ||
               ::Contrast::SETTINGS.application_state.modes_by_id[rule_id] ||
               Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
         end
@@ -40,15 +41,16 @@ module Contrast
         def report_any_command_execution?
           if @_report_any_command_execution.nil?
             ctrl = rule_config[Contrast::Agent::Protect::Rule::CmdInjection::NAME]
-            @_report_any_command_execution = true?(ctrl.disable_system_commands)
+            @_report_any_command_execution = ctrl && true?(ctrl.disable_system_commands)
           end
           @_report_any_command_execution
         end
 
         def report_custom_code_sysfile_access?
           if @_report_custom_code_sysfile_access.nil?
-            ctrl = rule_config[Contrast::Agent::Protect::Rule::PathTraversal::NAME]
-            @_report_custom_code_sysfile_access = true?(ctrl.detect_custom_code_accessing_system_files)
+            name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.tr('-', '_')
+            ctrl = rule_config[name_changed]
+            @_report_custom_code_sysfile_access = ctrl && true?(ctrl.detect_custom_code_accessing_system_files)
           end
           @_report_custom_code_sysfile_access
         end

data/lib/contrast/components/sampling.rb

@@ -48,7 +48,7 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Boolean] the resolution of the config_settings, settings, and default value
         def enabled? config_settings, settings
-          true?([config_settings&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].reject(&:nil?)[0])
+          true?([config_settings&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].compact[0])
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -56,7 +56,7 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def baseline config_settings, settings
-          [config_settings&.baseline, settings&.baseline, DEFAULT_SAMPLING_BASELINE].map(&:to_i).find(&:positive?)
+          [config_settings&.baseline, settings&.baseline].map(&:to_i).find(&:positive?) || DEFAULT_SAMPLING_BASELINE
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -64,10 +64,8 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def request_frequency config_settings, settings
-          [
-            config_settings&.request_frequency, settings&.request_frequency,
-            DEFAULT_SAMPLING_REQUEST_FREQUENCY
-          ].map(&:to_i).find(&:positive?)
+          [config_settings&.request_frequency, settings&.request_frequency].map(&:to_i).find(&:positive?) ||
+              DEFAULT_SAMPLING_REQUEST_FREQUENCY
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -75,10 +73,8 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def response_frequency config_settings, settings
-          [
-            config_settings&.response_frequency, settings&.response_frequency,
-            DEFAULT_SAMPLING_RESPONSE_FREQUENCY
-          ].map(&:to_i).find(&:positive?)
+          [config_settings&.response_frequency, settings&.response_frequency].map(&:to_i).find(&:positive?) ||
+              DEFAULT_SAMPLING_RESPONSE_FREQUENCY
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -86,7 +82,7 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def window config_settings, settings
-          [config_settings&.window_ms, settings&.window_ms, DEFAULT_SAMPLING_WINDOW_MS].map(&:to_i).find(&:positive?)
+          [config_settings&.window_ms, settings&.window_ms].map(&:to_i).find(&:positive?) || DEFAULT_SAMPLING_WINDOW_MS
         end
       end