contrast-agent 5.1.0 → 6.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +7 -5
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +7 -7
- data/ext/cs__assess_string/cs__assess_string.c +13 -1
- data/ext/cs__common/cs__common.c +16 -11
- data/ext/cs__common/cs__common.h +1 -0
- data/ext/cs__contrast_patch/cs__contrast_patch.c +100 -64
- data/ext/cs__contrast_patch/cs__contrast_patch.h +2 -0
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +796 -0
- data/ext/cs__scope/cs__scope.h +88 -0
- data/ext/cs__scope/extconf.rb +5 -0
- data/lib/contrast/agent/assess/contrast_event.rb +20 -13
- data/lib/contrast/agent/assess/contrast_object.rb +4 -1
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -5
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +2 -0
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/trigger_method.rb +6 -1
- data/lib/contrast/agent/assess/property/tagged.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/{autocomplete_rule.rb → auto_complete_rule.rb} +4 -3
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +12 -79
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +109 -0
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +157 -0
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +14 -15
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +5 -25
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +29 -0
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +70 -0
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +12 -36
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +2 -1
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +26 -0
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +35 -0
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/middleware.rb +4 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -3
- data/lib/contrast/agent/patching/policy/patch.rb +2 -6
- data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
- data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +147 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
- data/lib/contrast/agent/protect/rule/base.rb +61 -2
- data/lib/contrast/agent/protect/rule/base_service.rb +12 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +6 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +13 -1
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -0
- data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +88 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +118 -0
- data/lib/contrast/agent/protect/rule/sqli.rb +33 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +4 -0
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +115 -0
- data/lib/contrast/agent/reporting/input_analysis/input_type.rb +44 -0
- data/lib/contrast/agent/reporting/input_analysis/score_level.rb +21 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
- data/lib/contrast/agent/reporting/report.rb +3 -0
- data/lib/contrast/agent/reporting/reporter.rb +31 -12
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +69 -36
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +88 -59
- data/lib/contrast/agent/reporting/reporting_events/{finding_object.rb → finding_event_object.rb} +24 -20
- data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +39 -0
- data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/{finding_signature.rb → finding_event_signature.rb} +29 -24
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +12 -8
- data/lib/contrast/agent/reporting/reporting_events/{finding_stack.rb → finding_event_stack.rb} +23 -19
- data/lib/contrast/agent/reporting/reporting_events/{finding_taint_range.rb → finding_event_taint_range.rb} +17 -15
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +26 -53
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +29 -0
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +6 -4
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +1 -0
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +10 -3
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +17 -5
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -45
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +69 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +123 -85
- data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/request_context.rb +7 -2
- data/lib/contrast/agent/request_context_extend.rb +85 -21
- data/lib/contrast/agent/request_handler.rb +4 -0
- data/lib/contrast/agent/scope.rb +102 -107
- data/lib/contrast/agent/service_heartbeat.rb +45 -2
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
- data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
- data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
- data/lib/contrast/agent/thread_watcher.rb +1 -1
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +3 -0
- data/lib/contrast/api/communication/speedracer.rb +1 -1
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/bot_blocker.rb +37 -0
- data/lib/contrast/api/decorators/ip_denylist.rb +37 -0
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +29 -0
- data/lib/contrast/api/decorators/response_type.rb +30 -0
- data/lib/contrast/api/decorators/user_input.rb +11 -1
- data/lib/contrast/api/decorators/virtual_patch.rb +34 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/logger.rb +5 -0
- data/lib/contrast/components/protect.rb +6 -4
- data/lib/contrast/components/sampling.rb +7 -11
- data/lib/contrast/components/scope.rb +98 -91
- data/lib/contrast/components/settings.rb +106 -8
- data/lib/contrast/config/agent_configuration.rb +41 -12
- data/lib/contrast/config/api_configuration.rb +37 -12
- data/lib/contrast/config/api_proxy_configuration.rb +12 -3
- data/lib/contrast/config/application_configuration.rb +38 -14
- data/lib/contrast/config/assess_configuration.rb +47 -12
- data/lib/contrast/config/assess_rules_configuration.rb +15 -3
- data/lib/contrast/config/base_configuration.rb +18 -50
- data/lib/contrast/config/certification_configuration.rb +17 -3
- data/lib/contrast/config/exception_configuration.rb +14 -3
- data/lib/contrast/config/heap_dump_configuration.rb +43 -17
- data/lib/contrast/config/inventory_configuration.rb +17 -3
- data/lib/contrast/config/logger_configuration.rb +10 -3
- data/lib/contrast/config/protect_configuration.rb +17 -7
- data/lib/contrast/config/protect_rule_configuration.rb +17 -8
- data/lib/contrast/config/protect_rules_configuration.rb +115 -17
- data/lib/contrast/config/request_audit_configuration.rb +26 -3
- data/lib/contrast/config/root_configuration.rb +52 -12
- data/lib/contrast/config/ruby_configuration.rb +60 -22
- data/lib/contrast/config/sampling_configuration.rb +19 -9
- data/lib/contrast/config/server_configuration.rb +19 -10
- data/lib/contrast/config/service_configuration.rb +27 -11
- data/lib/contrast/configuration.rb +5 -3
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/manager.rb +2 -2
- data/lib/contrast/logger/application.rb +1 -1
- data/lib/contrast/logger/cef_log.rb +151 -0
- data/lib/contrast/tasks/config.rb +90 -3
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/class_util.rb +3 -12
- data/lib/contrast/utils/hash_digest.rb +14 -6
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/log_utils.rb +114 -0
- data/lib/contrast/utils/middleware_utils.rb +9 -9
- data/lib/contrast/utils/net_http_base.rb +13 -10
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +0 -5
- data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -9
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/telemetry.rb +1 -1
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/lib/contrast/utils/telemetry_identifier.rb +1 -1
- data/lib/contrast.rb +4 -3
- data/resources/assess/policy.json +98 -0
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +9 -8
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +103 -38
- data/lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb +0 -184
- data/lib/contrast/agent/assess/rule/response/clickjacking_rule.rb +0 -66
- data/lib/contrast/agent/assess/rule/response/x_content_type_rule.rb +0 -52
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb +0 -53
- data/lib/contrast/extension/kernel.rb +0 -54
@@ -6,9 +6,6 @@ module Contrast
|
|
6
6
|
# Common Configuration settings. Those in this section pertain to the
|
7
7
|
# specific settings that apply to Ruby
|
8
8
|
class RubyConfiguration < BaseConfiguration
|
9
|
-
# These commands being detected will result the agent disabling instrumentation, generally any command
|
10
|
-
# that doesn't result in the application listening on a port can be added here, this normally includes tasks
|
11
|
-
# that are ran pre-startup(like migrations) or to show information about the application(such as routes)
|
12
9
|
DISABLED_RAKE_TASK_LIST = %w[
|
13
10
|
about assets:clean assets:clobber assets:environment
|
14
11
|
assets:precompile assets:precompile:all db:create db:drop db:fixtures:load db:migrate
|
@@ -22,25 +19,66 @@ module Contrast
|
|
22
19
|
|
23
20
|
DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze
|
24
21
|
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
22
|
+
attr_writer :disabled_agent_rake_tasks, :exceptions, :interpolate, :propagate_yield, :require_scan,
|
23
|
+
:track_frozen_sources, :non_request_tracking, :uninstrument_namespace
|
24
|
+
|
25
|
+
def initialize hsh = {}
|
26
|
+
@disabled_agent_rake_tasks = traverse_config(hsh, :disabled_agent_rake_tasks)
|
27
|
+
@exceptions = Contrast::Config::ExceptionConfiguration.new(traverse_config(hsh, :exceptions))
|
28
|
+
@interpolate = traverse_config(hsh, :interpolate)
|
29
|
+
@propagate_yield = traverse_config(hsh, :propagate_yield)
|
30
|
+
@require_scan = traverse_config(hsh, :require_scan)
|
31
|
+
@track_frozen_sources = traverse_config(hsh, :track_frozen_sources)
|
32
|
+
@non_request_tracking = traverse_config(hsh, :non_request_tracking)
|
33
|
+
@uninstrument_namespace = traverse_config(hsh, :uninstrument_namespace)
|
34
|
+
end
|
35
|
+
|
36
|
+
# These commands being detected will result the agent disabling instrumentation, generally any command
|
37
|
+
# that doesn't result in the application listening on a port can be added here, this normally includes tasks
|
38
|
+
# that are ran pre-startup(like migrations) or to show information about the application(such as routes)
|
39
|
+
# @return [Array, DISABLED_RAKE_TASK_LIST]
|
40
|
+
def disabled_agent_rake_tasks
|
41
|
+
@disabled_agent_rake_tasks.nil? ? DISABLED_RAKE_TASK_LIST : @disabled_agent_rake_tasks
|
42
|
+
end
|
43
|
+
|
44
|
+
# @return [Contrast::Config::ExceptionConfiguration]
|
45
|
+
def exceptions
|
46
|
+
@exceptions ||= Contrast::Config::ExceptionConfiguration.new
|
47
|
+
end
|
48
|
+
|
49
|
+
# controls whether or not we patch interpolation, either by rewrite or by funchook
|
50
|
+
# @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
|
51
|
+
def interpolate
|
52
|
+
@interpolate.nil? ? Contrast::Utils::ObjectShare::TRUE : @interpolate
|
53
|
+
end
|
54
|
+
|
55
|
+
# controls whether or not we patch the rb_yield block to track split propagation
|
56
|
+
# @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
|
57
|
+
def propagate_yield
|
58
|
+
@propagate_yield.nil? ? Contrast::Utils::ObjectShare::TRUE : @propagate_yield
|
59
|
+
end
|
60
|
+
|
61
|
+
# control whether or not we run file scanning rules on require
|
62
|
+
# @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
|
63
|
+
def require_scan
|
64
|
+
@require_scan.nil? ? Contrast::Utils::ObjectShare::TRUE : @require_scan
|
65
|
+
end
|
66
|
+
|
67
|
+
# controls whether or not we track frozen Strings by replacing them
|
68
|
+
# @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
|
69
|
+
def track_frozen_sources
|
70
|
+
@track_frozen_sources.nil? ? Contrast::Utils::ObjectShare::TRUE : @track_frozen_sources
|
71
|
+
end
|
72
|
+
|
73
|
+
# controls tracking outside of request
|
74
|
+
# @return [Boolean, Contrast::Utils::ObjectShare::FALSE]
|
75
|
+
def non_request_tracking
|
76
|
+
@non_request_tracking.nil? ? Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
|
77
|
+
end
|
78
|
+
|
79
|
+
# @return [Array, DEFAULT_UNINSTRUMENTED_NAMESPACES]
|
80
|
+
def uninstrument_namespace
|
81
|
+
@uninstrument_namespace.nil? ? DEFAULT_UNINSTRUMENTED_NAMESPACES : @uninstrument_namespace
|
44
82
|
end
|
45
83
|
end
|
46
84
|
end
|
@@ -6,16 +6,26 @@ module Contrast
|
|
6
6
|
# Common Configuration settings. Those in this section pertain to the
|
7
7
|
# sampling functionality of the Agent.
|
8
8
|
class SamplingConfiguration < BaseConfiguration
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
9
|
+
# @return [Integer, nil]
|
10
|
+
attr_reader :baseline
|
11
|
+
# @return [Integer, nil]
|
12
|
+
attr_reader :request_frequency
|
13
|
+
# @return [Integer, nil]
|
14
|
+
attr_reader :response_frequency
|
15
|
+
# @return [Integer, nil]
|
16
|
+
attr_reader :window_ms
|
16
17
|
|
17
|
-
def initialize hsh
|
18
|
-
|
18
|
+
def initialize hsh = {}
|
19
|
+
@enable = traverse_config(hsh, :enable)
|
20
|
+
@baseline = traverse_config(hsh, :baseline)
|
21
|
+
@request_frequency = traverse_config(hsh, :request_frequency)
|
22
|
+
@response_frequency = traverse_config(hsh, :response_frequency)
|
23
|
+
@window_ms = traverse_config(hsh, :window_ms)
|
24
|
+
end
|
25
|
+
|
26
|
+
# @return [Boolean, false]
|
27
|
+
def enable
|
28
|
+
!!@enable
|
19
29
|
end
|
20
30
|
end
|
21
31
|
end
|
@@ -6,17 +6,26 @@ module Contrast
|
|
6
6
|
# Common Configuration settings. Those in this section pertain to the
|
7
7
|
# server identification functionality of the Agent.
|
8
8
|
class ServerConfiguration < BaseConfiguration
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
9
|
+
# @return [String, nil]
|
10
|
+
attr_accessor :name
|
11
|
+
# @return [String, nil]
|
12
|
+
attr_accessor :path
|
13
|
+
# @return [String, nil]
|
14
|
+
attr_accessor :type
|
15
|
+
# @return [Array, nil]
|
16
|
+
attr_accessor :tags
|
17
|
+
# @return [String, nil]
|
18
|
+
attr_accessor :environment
|
19
|
+
# @return [String, nil]
|
20
|
+
attr_accessor :version
|
17
21
|
|
18
|
-
def initialize hsh
|
19
|
-
|
22
|
+
def initialize hsh = {}
|
23
|
+
@path = traverse_config(hsh, :path)
|
24
|
+
@name = traverse_config(hsh, :name)
|
25
|
+
@type = traverse_config(hsh, :type)
|
26
|
+
@tags = traverse_config(hsh, :tags)
|
27
|
+
@environment = traverse_config(hsh, :environment)
|
28
|
+
@version = traverse_config(hsh, :version)
|
20
29
|
end
|
21
30
|
end
|
22
31
|
end
|
@@ -10,20 +10,36 @@ module Contrast
|
|
10
10
|
class ServiceConfiguration < BaseConfiguration
|
11
11
|
# We don't set these b/c we've been asked to handle the default values of
|
12
12
|
# these settings differently, logging when we have to use them.
|
13
|
-
DEFAULT_HOST = '127.0.0.1'
|
13
|
+
DEFAULT_HOST = '127.0.0.1' # rubocop:disable Style/IpAddresses
|
14
14
|
DEFAULT_PORT = '30555'
|
15
15
|
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
16
|
+
attr_writer :logger, :bypass
|
17
|
+
# @return [String, nil]
|
18
|
+
attr_accessor :socket
|
19
|
+
# @return [String, nil]
|
20
|
+
attr_accessor :port
|
21
|
+
# @return [String, nil]
|
22
|
+
attr_accessor :host
|
23
|
+
# @return [Boolean, nil]
|
24
|
+
attr_accessor :enable
|
24
25
|
|
25
|
-
def initialize hsh
|
26
|
-
|
26
|
+
def initialize hsh = {}
|
27
|
+
@enable = traverse_config(hsh, :enable)
|
28
|
+
@host = traverse_config(hsh, :host)
|
29
|
+
@port = traverse_config(hsh, :port)
|
30
|
+
@socket = traverse_config(hsh, :socket)
|
31
|
+
@logger = Contrast::Config::LoggerConfiguration.new(traverse_config(hsh, :logger))
|
32
|
+
@bypass = traverse_config(hsh, :bypass)
|
33
|
+
end
|
34
|
+
|
35
|
+
# @return [Contrast::Config::LoggerConfiguration]
|
36
|
+
def logger
|
37
|
+
@logger ||= Contrast::Config::LoggerConfiguration.new
|
38
|
+
end
|
39
|
+
|
40
|
+
# @return [Boolean, false]
|
41
|
+
def bypass
|
42
|
+
@bypass.nil? ? false : @bypass
|
27
43
|
end
|
28
44
|
end
|
29
45
|
end
|
@@ -217,10 +217,12 @@ module Contrast
|
|
217
217
|
def convert_to_hash convert = root, hash = {}
|
218
218
|
case convert
|
219
219
|
when Contrast::Config::BaseConfiguration
|
220
|
-
|
221
|
-
|
220
|
+
# to_hash returns @configuration_map
|
221
|
+
convert.to_hash.each_key do |key|
|
222
|
+
next if Contrast::Utils::ExcludeKey.excludable?(key.to_s)
|
222
223
|
|
223
|
-
|
224
|
+
# change '-' to '_' for ProtectRulesConfiguration
|
225
|
+
hash[key] = convert_to_hash(convert.send(key.tr('-', '_').to_sym), {})
|
224
226
|
end
|
225
227
|
hash
|
226
228
|
else
|
@@ -13,7 +13,7 @@ module Contrast
|
|
13
13
|
# methods which are too complex to fit into one of the standard
|
14
14
|
# Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
|
15
15
|
# String Class or exposing our methods there.
|
16
|
-
class StringPropagator
|
16
|
+
class StringPropagator
|
17
17
|
extend Contrast::Components::Logger::InstanceMethods
|
18
18
|
extend Contrast::Components::Scope::InstanceMethods
|
19
19
|
|
@@ -43,6 +43,7 @@ module Contrast
|
|
43
43
|
offset = 0
|
44
44
|
inputs.each do |input|
|
45
45
|
properties.copy_from(input, result, offset)
|
46
|
+
add_dynamic_sources_info input, result
|
46
47
|
offset += input.length
|
47
48
|
parent_event = Contrast::Agent::Assess::Tracker.properties(input)&.event
|
48
49
|
parent_events << parent_event if parent_event
|
@@ -58,6 +59,24 @@ module Contrast
|
|
58
59
|
rescue StandardError => e
|
59
60
|
logger.error('Unable to track interpolation', e)
|
60
61
|
end
|
62
|
+
|
63
|
+
private
|
64
|
+
|
65
|
+
# When there is a string interpolation on input coming from tainted database,
|
66
|
+
# the Contrast::Agent::Assess::Properties::Updated.copy_from method won't copy
|
67
|
+
# the dynamic source properties needed in the build findings from TS to display
|
68
|
+
# the column and Table information as database source information.
|
69
|
+
#
|
70
|
+
# @param source [Object] the source object with the required properties.
|
71
|
+
# @param target [Object] the result form the interpolation and the object
|
72
|
+
# that needs to keep the source properties, in order to be reporter on
|
73
|
+
# trigger event.
|
74
|
+
# @return updated_properties [Hash<DynamicSourceInfo>, nil]
|
75
|
+
def add_dynamic_sources_info source, target
|
76
|
+
return unless (dynamic_props = Contrast::Agent::Assess::Tracker.properties(source)&.properties)
|
77
|
+
|
78
|
+
Contrast::Agent::Assess::Tracker.properties(target)&.add_properties(dynamic_props)
|
79
|
+
end
|
61
80
|
end
|
62
81
|
end
|
63
82
|
end
|
@@ -125,7 +125,7 @@ module Contrast
|
|
125
125
|
# @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
|
126
126
|
def get_route_dtm request
|
127
127
|
@_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.
|
128
|
-
reject(&:nil?).first
|
128
|
+
reject(&:nil?).first # rubocop:disable Style/CollectionCompact
|
129
129
|
end
|
130
130
|
|
131
131
|
# Iterate through current frameworks and return the current request's route. This will be the first non-nil
|
@@ -135,7 +135,7 @@ module Contrast
|
|
135
135
|
# @return [Contrast::Agent::Reporting::RouteCoverage] the current route as a Dtm.
|
136
136
|
def get_route_information request
|
137
137
|
@_frameworks.lazy.map { |framework_support| framework_support.current_route_coverage(request) }.
|
138
|
-
reject(&:nil?).first
|
138
|
+
reject(&:nil?).first # rubocop:disable Style/CollectionCompact
|
139
139
|
end
|
140
140
|
|
141
141
|
# Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect
|
@@ -19,7 +19,7 @@ module Contrast
|
|
19
19
|
env_key = env_key.to_s
|
20
20
|
next unless ENV_KEYS.include?(env_key) ||
|
21
21
|
(env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) &&
|
22
|
-
!env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER
|
22
|
+
!env_key.start_with?("#{ Contrast::Components::Config::CONTRAST_ENV_MARKER }API"))
|
23
23
|
|
24
24
|
info('Environment settings', key: env_key, value: env_value)
|
25
25
|
end
|
@@ -0,0 +1,151 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'logger'
|
5
|
+
require 'singleton'
|
6
|
+
|
7
|
+
require 'contrast/extension/module'
|
8
|
+
require 'contrast/logger/application'
|
9
|
+
require 'contrast/logger/format'
|
10
|
+
require 'contrast/logger/request'
|
11
|
+
require 'contrast/logger/time'
|
12
|
+
require 'contrast/logger/log'
|
13
|
+
require 'contrast/components/config'
|
14
|
+
require 'contrast/utils/log_utils'
|
15
|
+
|
16
|
+
module Contrast
|
17
|
+
# Used as a wrapper around our logging. The module option specifically adds in a new method for error that raises the
|
18
|
+
# logged exception, used in testing so that we can see if anything unexpected happens without it being swallowed
|
19
|
+
# while still providing safe options for customers.
|
20
|
+
module Logger
|
21
|
+
# For development set following env var to raise logged exceptions instead of just logging.
|
22
|
+
if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
|
23
|
+
::Logger.class_eval do
|
24
|
+
alias_method :cs__error, :error
|
25
|
+
alias_method :cs__warn, :warn
|
26
|
+
|
27
|
+
def error *args, **kwargs
|
28
|
+
if kwargs.empty?
|
29
|
+
cs__error(*args)
|
30
|
+
else
|
31
|
+
cs__error(*args, **kwargs)
|
32
|
+
end
|
33
|
+
args.each { |arg| raise arg if arg && arg.cs__class < Exception }
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
# This is the CEF Logger implementation. It uses the default ::Logger.
|
39
|
+
class CEFLog
|
40
|
+
include Singleton
|
41
|
+
include ::Contrast::Utils::LogUtils
|
42
|
+
include ::Contrast::Utils::CEFLogUtils
|
43
|
+
|
44
|
+
attr_reader :previous_path, :previous_level
|
45
|
+
|
46
|
+
def initialize
|
47
|
+
build_logger
|
48
|
+
end
|
49
|
+
|
50
|
+
# Given new settings from TeamServer, update our logging to use the new file and level, assuming they weren't
|
51
|
+
# set by local configuration.
|
52
|
+
#
|
53
|
+
# @param log_level [String] the level at which to log, as provided by TeamServer settings
|
54
|
+
def build_logger log_level = nil
|
55
|
+
current_level_const = find_valid_level(log_level)
|
56
|
+
level_change = current_level_const != previous_level
|
57
|
+
|
58
|
+
# don't needlessly recreate logger
|
59
|
+
return if @cef_logger && !level_change
|
60
|
+
|
61
|
+
@previous_level = current_level_const
|
62
|
+
|
63
|
+
@_cef_logger = build(path: DEFAULT_CEF_NAME, level_const: current_level_const)
|
64
|
+
# If we're logging to a new path, then let's start it w/ our helpful
|
65
|
+
# data gathering messages
|
66
|
+
# log_update if path_change
|
67
|
+
rescue StandardError => e
|
68
|
+
# rubocop:disable Rails/Output
|
69
|
+
if @_cef_logger
|
70
|
+
@_cef_logger.error('Unable to process update to LoggerManager.', e)
|
71
|
+
else
|
72
|
+
puts 'Unable to process update to LoggerManager.'
|
73
|
+
raise e if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
|
74
|
+
|
75
|
+
puts e.message
|
76
|
+
puts e.backtrace.join("\n")
|
77
|
+
end
|
78
|
+
# rubocop:enable Rails/Output
|
79
|
+
end
|
80
|
+
|
81
|
+
def cef_logger
|
82
|
+
@_cef_logger
|
83
|
+
end
|
84
|
+
|
85
|
+
def log msg, level = @_cef_logger.level
|
86
|
+
case level
|
87
|
+
when ::Logger::Severity::INFO
|
88
|
+
@_cef_logger.info(msg)
|
89
|
+
when ::Logger::Severity::ERROR
|
90
|
+
@_cef_logger.error(msg)
|
91
|
+
when ::Logger::Severity::WARN
|
92
|
+
@_cef_logger.warn(msg)
|
93
|
+
when ::Logger::Severity::FATAL
|
94
|
+
@_cef_logger.fatal(msg)
|
95
|
+
else
|
96
|
+
@_cef_logger.debug(msg)
|
97
|
+
end
|
98
|
+
end
|
99
|
+
|
100
|
+
def virtual_patch_message patch, outcome
|
101
|
+
message = "Virtual Patch #{ patch.fetch(:name, '') } - #{ patch[:uuid] } was triggered by this request."
|
102
|
+
log [message, patch, outcome], ::Logger::Severity::DEBUG
|
103
|
+
end
|
104
|
+
|
105
|
+
def bot_blocking_message matching_bot, outcome
|
106
|
+
message = "User agent #{ matching_bot[:user_agent] } matched the disallowed value #{ matching_bot[:bot] }"
|
107
|
+
log [message, matching_bot, outcome], ::Logger::Severity::DEBUG
|
108
|
+
end
|
109
|
+
|
110
|
+
def ip_denylisted_message remote_ip, block_entry, outcome
|
111
|
+
message = "IP Address #{ remote_ip } matched the disallowed value" \
|
112
|
+
"#{ block_entry[:ip] } in the IP Blacklist #{ block_entry[:uuid] }"
|
113
|
+
log [message, block_entry, outcome], ::Logger::Severity::DEBUG
|
114
|
+
end
|
115
|
+
|
116
|
+
def successful_attack rule_id, outcome, input_type = nil, input_value = nil
|
117
|
+
if input_type.present? && input_value.present?
|
118
|
+
successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
|
119
|
+
"#{ rule_id } - #{ input_value }"
|
120
|
+
log [successful_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
|
121
|
+
else
|
122
|
+
successful_attack_wo_input = "An effective attack was detected against #{ rule_id }"
|
123
|
+
log [successful_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
|
124
|
+
end
|
125
|
+
end
|
126
|
+
|
127
|
+
def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil
|
128
|
+
if input_type.present? && input_value.present?
|
129
|
+
ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
|
130
|
+
"but did not successfully exploit #{ rule_id } - #{ input_value }"
|
131
|
+
log [ineffective_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
|
132
|
+
else
|
133
|
+
ineffective_attack_wo_input = "An unsuccessful attack was detected against #{ rule_id }"
|
134
|
+
log [ineffective_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
|
135
|
+
end
|
136
|
+
end
|
137
|
+
|
138
|
+
# newer - currently not in the agent, currently is a probe for us
|
139
|
+
def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil
|
140
|
+
if input_type.present? && input_value.present?
|
141
|
+
suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
|
142
|
+
"as suspicious using #{ rule_id } - #{ input_value }"
|
143
|
+
log [suspicious_attack_with, rule_id, outcome], ::Logger::WARN
|
144
|
+
elsif input_value.present?
|
145
|
+
suspicious_attack_without = "Suspicious activity indicates a potential attack using #{ rule_id }"
|
146
|
+
log [suspicious_attack_without, rule_id, outcome], ::Logger::WARN
|
147
|
+
end
|
148
|
+
end
|
149
|
+
end
|
150
|
+
end
|
151
|
+
end
|
@@ -2,6 +2,8 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'yaml'
|
5
|
+
require 'contrast/configuration'
|
6
|
+
require 'contrast/agent/reporting/reporter'
|
5
7
|
|
6
8
|
module Contrast
|
7
9
|
# A Rake task to generate a contrast_security.yaml file with some basic settings
|
@@ -29,6 +31,8 @@ module Contrast
|
|
29
31
|
}
|
30
32
|
}.cs__freeze
|
31
33
|
|
34
|
+
SKIP_LOG = %w[service_key api_key].cs__freeze
|
35
|
+
|
32
36
|
namespace :contrast do
|
33
37
|
namespace :config do
|
34
38
|
desc 'Create a contrast_security.yaml in the applications root directory'
|
@@ -38,9 +42,7 @@ module Contrast
|
|
38
42
|
if File.exist?(target_path)
|
39
43
|
puts 'WARNING: contrast_security.yaml already exists'
|
40
44
|
else
|
41
|
-
File.
|
42
|
-
f.write(YAML.dump(DEFAULT_CONFIG))
|
43
|
-
end
|
45
|
+
File.write(target_path, YAML.dump(DEFAULT_CONFIG))
|
44
46
|
|
45
47
|
puts "Created contrast_security.yaml at #{ target_path }"
|
46
48
|
puts 'Open the file and enter your Contrast Security api keys or set them via environment variables'
|
@@ -49,5 +51,90 @@ module Contrast
|
|
49
51
|
end
|
50
52
|
end
|
51
53
|
end
|
54
|
+
|
55
|
+
namespace :contrast do
|
56
|
+
namespace :config do
|
57
|
+
desc 'Validate the provided Contrast configuration and confirm connectivity'
|
58
|
+
task validate: :environment do
|
59
|
+
puts 'Validating Agent Configuration...'
|
60
|
+
Contrast::Config.validate_config
|
61
|
+
puts '...done!'
|
62
|
+
puts 'Validating Contrast Reporter Headers...'
|
63
|
+
reporter = Contrast::Config.validate_headers
|
64
|
+
puts '...done!'
|
65
|
+
puts 'Testing Client Connection...'
|
66
|
+
Contrast::Config.test_connection(reporter) if reporter
|
67
|
+
puts '...done!'
|
68
|
+
end
|
69
|
+
end
|
70
|
+
def self.validate_config # rubocop:disable Metrics/PerceivedComplexity
|
71
|
+
config = Contrast::Configuration.new
|
72
|
+
abort('Unable to Build Config') unless config
|
73
|
+
|
74
|
+
required = %i[url api_key service_key user_name]
|
75
|
+
|
76
|
+
missing = []
|
77
|
+
config.root.api.each do |key, value|
|
78
|
+
puts "#{ key }::#{ value }" unless value.is_a?(Contrast::Config::BaseConfiguration) || SKIP_LOG.includes?(key)
|
79
|
+
if value.is_a?(Contrast::Config::ApiProxyConfiguration)
|
80
|
+
Contrast::Config.validate_proxy(value)
|
81
|
+
elsif value.is_a?(Contrast::Config::CertificationConfiguration)
|
82
|
+
Contrast::Config.validate_cert(value)
|
83
|
+
next
|
84
|
+
elsif value.is_a?(Contrast::Config::RequestAuditConfiguration)
|
85
|
+
Contrast::Config.validate_audit(value)
|
86
|
+
next
|
87
|
+
elsif value == Contrast::Config::BaseConfiguration::EMPTY_VALUE && required.includes?(key.to_sym)
|
88
|
+
missing << key
|
89
|
+
end
|
90
|
+
end
|
91
|
+
abort("Missing required API configuration values: #{ missing.join(', ') }") unless missing.empty?
|
92
|
+
end
|
93
|
+
|
94
|
+
def self.validate_proxy config
|
95
|
+
puts "Proxy Enabled: #{ config.enable }"
|
96
|
+
return unless config.enable
|
97
|
+
|
98
|
+
puts "Proxy URL: #{ config.url }"
|
99
|
+
abort('Proxy Enabled but no Proxy URL given') unless config.url
|
100
|
+
end
|
101
|
+
|
102
|
+
def self.validate_cert config
|
103
|
+
puts "Certification Enabled: #{ config.enable }"
|
104
|
+
return unless config.enable
|
105
|
+
|
106
|
+
puts "CA File: #{ config.ca_file }"
|
107
|
+
abort('CA file path not provided') unless config.ca_file
|
108
|
+
puts "Cert File: #{ config.cert_file }"
|
109
|
+
abort('Cert file path not provided') unless config.cert_file
|
110
|
+
puts "Key File: #{ config.key_file }"
|
111
|
+
abort('Key file path not provided') unless config.key_file
|
112
|
+
end
|
113
|
+
|
114
|
+
def self.validate_audit config
|
115
|
+
puts "Request Audit Enabled: #{ config.enable }"
|
116
|
+
return unless config.enable
|
117
|
+
|
118
|
+
config.each do |k, v|
|
119
|
+
puts "#{ k }::#{ v }"
|
120
|
+
end
|
121
|
+
end
|
122
|
+
|
123
|
+
def self.validate_headers
|
124
|
+
missing = []
|
125
|
+
reporter = Contrast::Agent::Reporter.new
|
126
|
+
reporter.client.headers.to_hash.each_pair do |key, value|
|
127
|
+
puts "#{ key }::#{ value }"
|
128
|
+
missing << key if value.nil?
|
129
|
+
end
|
130
|
+
abort("Missing required header values: #{ missing.join(', ') }") unless missing.empty?
|
131
|
+
reporter
|
132
|
+
end
|
133
|
+
|
134
|
+
def self.test_connection reporter
|
135
|
+
abort('Failed to Initialize Connection please check error logs for details') unless reporter.connection
|
136
|
+
abort('Failed to Start Client please check error logs for details') unless reporter.client.startup!
|
137
|
+
end
|
138
|
+
end
|
52
139
|
end
|
53
140
|
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Contrast
|
5
|
+
module Utils
|
6
|
+
module Assess
|
7
|
+
# keep track of object properties and events data
|
8
|
+
class ObjectStore
|
9
|
+
def initialize capacity = 500
|
10
|
+
@capacity = capacity
|
11
|
+
@cache = {}
|
12
|
+
end
|
13
|
+
|
14
|
+
def get
|
15
|
+
@cache
|
16
|
+
end
|
17
|
+
|
18
|
+
def [] key
|
19
|
+
@cache[key]
|
20
|
+
end
|
21
|
+
|
22
|
+
def delete key
|
23
|
+
@cache.delete(key)
|
24
|
+
end
|
25
|
+
|
26
|
+
# We would keep object ids with capacity.
|
27
|
+
# If a reference is kept to an object only by it's id,
|
28
|
+
# It would be CG-ted safely.
|
29
|
+
def []= key, value
|
30
|
+
@cache[key] = value
|
31
|
+
@cache.shift if @cache.length > @capacity
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
@@ -10,6 +10,7 @@ module Contrast
|
|
10
10
|
APPEND_ACTION = 'APPEND'
|
11
11
|
CENTER_ACTION = 'CENTER'
|
12
12
|
INSERT_ACTION = 'INSERT'
|
13
|
+
BUFFER_ACTION = 'BUFFER'
|
13
14
|
KEEP_ACTION = 'KEEP'
|
14
15
|
NEXT_ACTION = 'NEXT'
|
15
16
|
NOOP_ACTION = 'NOOP'
|
@@ -30,6 +31,7 @@ module Contrast
|
|
30
31
|
INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
|
31
32
|
KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
|
32
33
|
NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
|
34
|
+
BUFFER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Buffer,
|
33
35
|
NOOP_ACTION => nil,
|
34
36
|
PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
|
35
37
|
REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
|
@@ -94,6 +96,10 @@ module Contrast
|
|
94
96
|
def can_propagate? propagation_node, preshift, target
|
95
97
|
return false unless appropriate_target?(propagation_node, target)
|
96
98
|
return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
|
99
|
+
if propagation_node.use_original_object?
|
100
|
+
# return true since we don't have preshift while using the original object.
|
101
|
+
return true
|
102
|
+
end
|
97
103
|
return false unless preshift
|
98
104
|
|
99
105
|
propagation_node.sources.each do |source|
|