contrast-agent 5.3.0 → 6.0.0

data/lib/contrast/components/settings.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/api/settings.pb'
+require 'contrast/agent/reporting/settings/sensitive_data_masking'
 
 module Contrast
   module Components
@@ -13,12 +14,14 @@ module Contrast
       APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).
           new(Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION), [])
       PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
-      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules).new(false, nil, []) do
+      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
+                                                                                                            [], nil) do
         def sampling_settings= new_val
           @sampling_settings = new_val
           Contrast::Utils::Assess::SamplingUtil.instance.update
         end
       end
+      SENSITIVE_DATA_MASKING_BASE = Contrast::Agent::Reporting::Settings::SensitiveDataMasking.new
 
       # This is a class.
       class Interface
@@ -26,7 +29,63 @@ module Contrast
 
         # tainted_columns are database columns that receive unsanitized input.
         attr_reader :tainted_columns # This can probably go into assess_state?
-        attr_reader :assess_state, :protect_state, :application_state
+        # Current state for Assess.
+        # enabled [Boolean] Indicate if the assess feature set is enabled for this server or not.
+        #
+        # sampling [Hash<AssessSampling>] Hash of AssessSampling Used to control the sampling feature in the agent: {
+        #  baseline          [Integer] The number of baseline requests to take before switching to sampling
+        #                               for the window.
+        #  enabled           [Boolean] If the sampling feature should be used or not.
+        #  frequency         [Integer] The number of requests to skip before observing during the sampling
+        #                               window after the baseline.
+        #  responseFrequency [Integer]
+        #  window            [Integer]
+        # }
+        #
+        # disabled_assess_rules [array<AssessRuleID(String)>] Assess rules to disable for this application.
+        attr_reader :assess_state
+        # Current State for Protect.
+        # enabled [Boolean] Indicate if the protect feature set is enabled for this server or not.
+        #
+        # Protection rules are returned as:
+        # rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
+        attr_reader :protect_state
+        # Current Application State.
+        #
+        # modes_by_id [Hash<Rule_id => Mode] Returns Hash with rules and their current mode.
+        # exclusion_matchers [Array] Array of all the exclusions.
+        # code_exclusions [Array<CodeExclusion>] Array of CodeExclusion: {
+        #   name         [String] The name of the exclusion as defined by the user in TS.
+        #   modes        [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   denylist     [String] The call, if in the stack, should result in the agent not taking action.
+        # input_exclusions [Array<InputExclusions>] Array of InputExclusions: {
+        #   name           [String] The name of the input.
+        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
+        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
+        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
+        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
+        # }
+        # url_exclusions [Array<UrlExclusions>] Array of UrlExclusions: {
+        #   name           [String] The name of the input.
+        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
+        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
+        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
+        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
+        # }
+        attr_reader :application_state
+        # This the structure that will hold the masking rules send from TS.
+        #
+        # @return [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]:
+        #           mask_http_body [Boolean] Policy flag to enable the use of masking on request body.
+        #           rules          [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>]
+        #                          Rules to follow when using the masking. Each rules contains Id [String]
+        #                          and Keywords [Array<String>].
+        attr_reader :sensitive_data_masking
 
         def initialize
           reset_state
@@ -38,10 +97,14 @@ module Contrast
 
         # @param features [Contrast::Api::Settings::ServerFeatures, Contrast::Agent::Reporting::Response]
         def update_from_server_features features
-          if features&.class == Contrast::Agent::Reporting::Response
-            @protect_state.enabled = features.server_features.protect.enabled?
-            @assess_state.enabled = features.server_features.assess.enabled?
-            @assess_state.sampling_settings = features.server_features.assess.sampling
+          if features.cs__is_a?(Contrast::Agent::Reporting::Response)
+            server_features = features.server_features
+            log_file = server_features.log_file
+            log_level = server_features.log_level
+            Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
+            @protect_state.enabled = server_features.protect.enabled?
+            @assess_state.enabled = server_features.assess.enabled?
+            @assess_state.sampling_settings = server_features.assess.sampling
           else
             @protect_state.enabled = features.protect_enabled?
             @assess_state.enabled = features.assess_enabled?
@@ -52,10 +115,13 @@ module Contrast
         # @param features [Contrast::Api::Settings::ApplicationSettings, Contrast::Agent::Reporting::Response]
         def update_from_application_settings features
           if features&.class == Contrast::Agent::Reporting::Response
-            @application_state.modes_by_id = features.application_settings.protect.protection_rules_to_settings_hash
+            settings = features.application_settings
+            @application_state.modes_by_id = settings.protect.protection_rules_to_settings_hash
             # TODO: RUBY-1438 this needs to be translated
             # @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
-            @assess_state.disabled_assess_rules = features.application_settings.assess.disabled_rules
+            update_sensitive_data_policy(settings.sensitive_data_masking)
+            @assess_state.disabled_assess_rules = settings.assess.disabled_rules
+            @assess_state.session_id = settings.assess.session_id if settings.assess.session_id
           else
             new_vals = features.application_state_translation
             @application_state.modes_by_id = new_vals[:modes_by_id]
@@ -70,6 +136,7 @@ module Contrast
           @assess_state = ASSESS_STATE_BASE.dup
           @application_state = APPLICATION_STATE_BASE.dup
           @tainted_columns = {}
+          @sensitive_data_masking = SENSITIVE_DATA_MASKING_BASE.dup
         end
 
         def build_protect_rules
@@ -86,6 +153,37 @@ module Contrast
           Contrast::Agent::Protect::Rule::Xss.new
           Contrast::Agent::Protect::Rule::Xxe.new
         end
+
+        # Update the sensitive data masking policy from settings,
+        # received from TS. In case the settings are empty,
+        # keep current ones.
+        #
+        # @param sensitive_data_masking [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]
+        # Ts Response settings for sensitive data masking policy
+        def update_sensitive_data_policy sensitive_data_masking
+          @sensitive_data_masking.mask_http_body = sensitive_data_masking.mask_http_body? unless
+            settings_empty?(sensitive_data_masking.mask_http_body?)
+          @sensitive_data_masking.mask_attack_vector = sensitive_data_masking.mask_attack_vector? unless
+            settings_empty?(sensitive_data_masking.mask_attack_vector?)
+          return if settings_empty?(sensitive_data_masking.rules)
+
+          @sensitive_data_masking.rules = sensitive_data_masking.rules
+          # update with the newly received rules.
+          Contrast::Agent::Reporting::Masker.send(:update_dictionary)
+        end
+
+        private
+
+        # check if settings are empty and return true if so.
+        #
+        # @param settings [String, Boolean, Array, Hash]
+        # @return true | false
+        def settings_empty? settings
+          return false if !!settings == settings
+          return true if settings.nil? || settings.empty?
+
+          false
+        end
       end
     end
   end

data/lib/contrast/config/agent_configuration.rb

@@ -12,7 +12,10 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # core functionality of the Agent.
     class AgentConfiguration < BaseConfiguration
-      attr_accessor :enable, :omit_body, :start_bundled_service, :api
+      # @return [Boolean, nil]
+      attr_accessor :enable
+      # @return [Boolean, nil]
+      attr_accessor :omit_body
       attr_writer :ruby, :service, :logger, :heap_dump
 
       def initialize hsh = {}
@@ -23,47 +26,27 @@ module Contrast
         @logger = Contrast::Config::LoggerConfiguration.new(traverse_config(hsh, :logger))
         @ruby = Contrast::Config::RubyConfiguration.new(traverse_config(hsh, :ruby))
         @heap_dump = Contrast::Config::HeapDumpConfiguration.new(traverse_config(hsh, :heap_dump))
-        @configuration_map = {}
-        build_configuration_map
+      end
+
+      # @return [Boolean, true]
+      def start_bundled_service
+        @start_bundled_service.nil? ? true : @start_bundled_service
       end
 
       def service
-        @service ||= Contrast::Config::ServiceConfiguration.new({})
+        @service ||= Contrast::Config::ServiceConfiguration.new
       end
 
       def logger
-        @logger ||= Contrast::Config::LoggerConfiguration.new({})
+        @logger ||= Contrast::Config::LoggerConfiguration.new
       end
 
       def ruby
-        @ruby ||= Contrast::Config::RubyConfiguration.new({})
+        @ruby ||= Contrast::Config::RubyConfiguration.new
       end
 
       def heap_dump
-        @heap_dump ||= Contrast::Config::HeapDumpConfiguration.new({})
-      end
-
-      # Traverse the given entity to build out the configuration graph.
-      #
-      # The values will be either a hash, indicating internal nodes to
-      # traverse, or a value to set or the EMPTY_VALUE symbol, indicating a
-      # leaf node.
-      #
-      # The spec_key are the Contrast defined keys based on the instance variables of
-      # a given configuration.
-      def traverse_config values, spec_key
-        internal_nodes = values.cs__respond_to?(:has_key?)
-        val = internal_nodes ? value_from_key_config(spec_key, values) : nil
-        val == EMPTY_VALUE ? nil : val
-      end
-
-      def build_configuration_map
-        instance_variables.each do |key|
-          str_key = key.to_s.tr('@', '')
-          next if str_key == 'configuration_map'
-
-          @configuration_map[str_key] = send(str_key.to_sym)
-        end
+        @heap_dump ||= Contrast::Config::HeapDumpConfiguration.new
       end
     end
   end

data/lib/contrast/config/api_configuration.rb

@@ -10,11 +10,12 @@ module Contrast
     # Api keys configuration
     class ApiConfiguration < BaseConfiguration
       # @return [String]
-      attr_reader :api_key
+      attr_accessor :api_key
       # @return [String]
-      attr_reader :user_name
+      attr_accessor :user_name
       # @return [String]
-      attr_reader :service_key
+      attr_accessor :service_key
+      attr_writer :url, :proxy, :request_audit, :certificate
 
       DEFAULT_URL = 'https://app.contrastsecurity.com/Contrast'
 
@@ -26,8 +27,6 @@ module Contrast
         @proxy = Contrast::Config::ApiProxyConfiguration.new(traverse_config(hsh, :proxy))
         @request_audit = Contrast::Config::RequestAuditConfiguration.new(traverse_config(hsh, :request_audit))
         @certificate = Contrast::Config::CertificationConfiguration.new(traverse_config(hsh, :certificate))
-        @configuration_map = {}
-        build_configuration_map
       end
 
       def url
@@ -48,68 +47,6 @@ module Contrast
       def certificate
         @certificate ||= Contrast::Config::CertificationConfiguration.new
       end
-
-      def api_key= value
-        self['api_key'] = value
-      end
-
-      def url= value
-        self['url'] = value
-      end
-
-      def user_name= value
-        self['user_name'] = value
-      end
-
-      def service_key= value
-        self['service_key'] = value
-      end
-
-      def proxy= value
-        self['proxy'] = value
-      end
-
-      def request_audit= value
-        self['request_audit'] = value
-      end
-
-      def certificate= value
-        self['certificate'] = value
-      end
-
-      # TODO: RUBY-1493 MOVE TO BASE CONFIG
-
-      def []= key, value
-        instance_variable_set("@#{ key }".to_sym, value)
-        @configuration_map[key] = value
-      end
-
-      def [] key
-        send(key.to_sym)
-      end
-
-      # Traverse the given entity to build out the configuration graph.
-      #
-      # The values will be either a hash, indicating internal nodes to
-      # traverse, or a value to set or the EMPTY_VALUE symbol, indicating a
-      # leaf node.
-      #
-      # The spec_key are the Contrast defined keys based on the instance variables of
-      # a given configuration.
-      def traverse_config values, spec_key
-        internal_nodes = values.cs__respond_to?(:has_key?)
-        val = internal_nodes ? value_from_key_config(spec_key, values) : nil
-        val == EMPTY_VALUE ? nil : val
-      end
-
-      def build_configuration_map
-        instance_variables.each do |key|
-          str_key = key.to_s.tr('@', '')
-          next if str_key == 'configuration_map'
-
-          @configuration_map[str_key] = send(str_key.to_sym)
-        end
-      end
     end
   end
 end

data/lib/contrast/config/api_proxy_configuration.rb

@@ -6,61 +6,18 @@ module Contrast
     # Api Proxy keys configuration
     class ApiProxyConfiguration < BaseConfiguration
       # @return [String] proxy url
-      attr_reader :url
+      attr_accessor :url
+      attr_writer :enable
 
       def initialize hsh = {}
         @enable = traverse_config(hsh, :enable)
         @url = traverse_config(hsh, :url)
-        @configuration_map = {}
-        build_configuration_map
       end
 
       # @return [Boolean, false]
       def enable
         @enable.nil? ? false : @enable
       end
-
-      def enable= value
-        self['enable'] = value
-      end
-
-      def url= value
-        self['url'] = value
-      end
-
-      # TODO: RUBY-1493 MOVE TO BASE CONFIG
-
-      def []= key, value
-        instance_variable_set("@#{ key }".to_sym, value)
-        @configuration_map[key] = value
-      end
-
-      def [] key
-        send(key.to_sym)
-      end
-
-      # Traverse the given entity to build out the configuration graph.
-      #
-      # The values will be either a hash, indicating internal nodes to
-      # traverse, or a value to set or the EMPTY_VALUE symbol, indicating a
-      # leaf node.
-      #
-      # The spec_key are the Contrast defined keys based on the instance variables of
-      # a given configuration.
-      def traverse_config values, spec_key
-        internal_nodes = values.cs__respond_to?(:has_key?)
-        val = internal_nodes ? value_from_key_config(spec_key, values) : nil
-        val == EMPTY_VALUE ? nil : val
-      end
-
-      def build_configuration_map
-        instance_variables.each do |key|
-          str_key = key.to_s.tr('@', '')
-          next if str_key == 'configuration_map'
-
-          @configuration_map[str_key] = send(str_key.to_sym)
-        end
-      end
     end
   end
 end

data/lib/contrast/config/application_configuration.rb

@@ -9,21 +9,22 @@ module Contrast
     # application identification functionality of the Agent.
     class ApplicationConfiguration < BaseConfiguration
       # @return [String]
-      attr_reader :name
+      attr_accessor :name
       # @return [String]
-      attr_reader :version
+      attr_accessor :version
       # @return [String]
-      attr_reader :language
+      attr_accessor :language
       # @return [String]
-      attr_reader :path
+      attr_accessor :path
       # @return [String]
-      attr_reader :group
+      attr_accessor :group
       # @return [String]
-      attr_reader :tags
+      attr_accessor :tags
       # @return [String]
-      attr_reader :code
+      attr_accessor :code
       # @return [String]
-      attr_reader :metadata
+      attr_accessor :metadata
+      attr_writer :session_id, :session_metadata
 
       def initialize hsh = {}
         @name = traverse_config(hsh, :name)
@@ -36,8 +37,6 @@ module Contrast
         @metadata = traverse_config(hsh, :metadata)
         @session_id = traverse_config(hsh, :session_id)
         @session_metadata = traverse_config(hsh, :session_metadata)
-        @configuration_map = {}
-        build_configuration_map
       end
 
       # @return [String, Contrast::Utils::ObjectShare::EMPTY_STRING]
@@ -49,80 +48,6 @@ module Contrast
       def session_metadata
         @session_metadata ||= Contrast::Utils::ObjectShare::EMPTY_STRING
       end
-
-      def name= value
-        self['name'] = value
-      end
-
-      def version= value
-        self['version'] = value
-      end
-
-      def language= value
-        self['language'] = value
-      end
-
-      def path= value
-        self['path'] = value
-      end
-
-      def group= value
-        self['group'] = value
-      end
-
-      def tags= value
-        self['tags'] = value
-      end
-
-      def code= value
-        self['code'] = value
-      end
-
-      def metadata= value
-        self['metadata'] = value
-      end
-
-      def session_id= value
-        self['session_id'] = value
-      end
-
-      def session_metadata= value
-        self['session_metadata'] = value
-      end
-
-      # TODO: RUBY-1493 MOVE TO BASE CONFIG
-
-      def []= key, value
-        instance_variable_set("@#{ key }".to_sym, value)
-        @configuration_map[key] = value
-      end
-
-      def [] key
-        send(key.to_sym)
-      end
-
-      # Traverse the given entity to build out the configuration graph.
-      #
-      # The values will be either a hash, indicating internal nodes to
-      # traverse, or a value to set or the EMPTY_VALUE symbol, indicating a
-      # leaf node.
-      #
-      # The spec_key are the Contrast defined keys based on the instance variables of
-      # a given configuration.
-      def traverse_config values, spec_key
-        internal_nodes = values.cs__respond_to?(:has_key?)
-        val = internal_nodes ? value_from_key_config(spec_key, values) : nil
-        val == EMPTY_VALUE ? nil : val
-      end
-
-      def build_configuration_map
-        instance_variables.each do |key|
-          str_key = key.to_s.tr('@', '')
-          next if str_key == 'configuration_map'
-
-          @configuration_map[str_key] = send(str_key.to_sym)
-        end
-      end
     end
   end
 end

data/lib/contrast/config/assess_configuration.rb

@@ -7,7 +7,10 @@ module Contrast
     # assess functionality of the Agent.
     class AssessConfiguration < BaseConfiguration
       # @return [String, nil]
-      attr_reader :tags
+      attr_accessor :tags
+      # @return [Boolean, nil]
+      attr_accessor :enable
+      attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces
 
       DEFAULT_STACKTRACES = 'ALL'
 
@@ -16,16 +19,10 @@ module Contrast
         @tags = traverse_config(hsh, :tags)
         @enable_scan_response = traverse_config(hsh, :enable_scan_response)
         @enable_dynamic_sources = traverse_config(hsh, :enable_dynamic_sources)
+        @enable_original_object = traverse_config(hsh, :enable_original_object)
         @sampling = Contrast::Config::SamplingConfiguration.new(traverse_config(hsh, :sampling))
         @rules = Contrast::Config::AssessRulesConfiguration.new(traverse_config(hsh, :rules))
         @stacktraces = traverse_config(hsh, :stacktraces)
-        @configuration_map = {}
-        build_configuration_map
-      end
-
-      # @return [Boolean, true]
-      def enable
-        @enable.nil? ? true : @enable
       end
 
       # @return [Boolean, true]
@@ -38,6 +35,11 @@ module Contrast
         @enable_dynamic_sources.nil? ? true : @enable_dynamic_sources
       end
 
+      # @return [Boolean, true]
+      def enable_original_object
+        @enable_original_object.nil? ? true : @enable_original_object
+      end
+
       # @return [Contrast::Config::SamplingConfiguration]
       def sampling
         @sampling ||= Contrast::Config::SamplingConfiguration.new
@@ -52,67 +54,6 @@ module Contrast
       def stacktraces
         @stacktraces ||= DEFAULT_STACKTRACES
       end
-
-      def enable= value
-        self['enable'] = value
-      end
-
-      def tags= value
-        self['tags'] = value
-      end
-
-      def enable_scan_response= value
-        self['enable_scan_response'] = value
-      end
-
-      def enable_dynamic_sources= value
-        self['enable_dynamic_sources'] = value
-      end
-
-      def sampling= value
-        self['sampling'] = value
-      end
-
-      def rules= value
-        self['rules'] = value
-      end
-
-      def stacktraces= value
-        self['stacktraces'] = value
-      end
-      # TODO: RUBY-1493 MOVE TO BASE CONFIG
-
-      def []= key, value
-        instance_variable_set("@#{ key }".to_sym, value)
-        @configuration_map[key] = value
-      end
-
-      def [] key
-        send(key.to_sym)
-      end
-
-      # Traverse the given entity to build out the configuration graph.
-      #
-      # The values will be either a hash, indicating internal nodes to
-      # traverse, or a value to set or the EMPTY_VALUE symbol, indicating a
-      # leaf node.
-      #
-      # The spec_key are the Contrast defined keys based on the instance variables of
-      # a given configuration.
-      def traverse_config values, spec_key
-        internal_nodes = values.cs__respond_to?(:has_key?)
-        val = internal_nodes ? value_from_key_config(spec_key, values) : nil
-        val == EMPTY_VALUE ? nil : val
-      end
-
-      def build_configuration_map
-        instance_variables.each do |key|
-          str_key = key.to_s.tr('@', '')
-          next if str_key == 'configuration_map'
-
-          @configuration_map[str_key] = send(str_key.to_sym)
-        end
-      end
     end
   end
 end

data/lib/contrast/config/assess_rules_configuration.rb

@@ -6,51 +6,22 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # disabled assess rule functionality of the Agent.
     class AssessRulesConfiguration < BaseConfiguration
+      SPEC_KEY = :disabled_rules.cs__freeze
       # @return [Array, nil] list of disabled assess rules
-      attr_reader :disabled_rules
+      attr_accessor :disabled_rules
 
       def initialize hsh = {}
-        @disabled_rules = traverse_config(hsh, :disabled_rules)
-        @configuration_map = {}
-        build_configuration_map
+        @disabled_rules = cast_disabled_rules hsh
       end
 
-      def disabled_rules= value
-        self['disabled_rules'] = value
-      end
-
-      # TODO: RUBY-1493 MOVE TO BASE CONFIG
-
-      def []= key, value
-        instance_variable_set("@#{ key }".to_sym, value)
-        @configuration_map[key] = value
-      end
-
-      def [] key
-        send(key.to_sym)
-      end
-
-      # Traverse the given entity to build out the configuration graph.
-      #
-      # The values will be either a hash, indicating internal nodes to
-      # traverse, or a value to set or the EMPTY_VALUE symbol, indicating a
-      # leaf node.
-      #
-      # The spec_key are the Contrast defined keys based on the instance variables of
-      # a given configuration.
-      def traverse_config values, spec_key
-        internal_nodes = values.cs__respond_to?(:has_key?)
-        val = internal_nodes ? value_from_key_config(spec_key, values) : nil
-        val == EMPTY_VALUE ? nil : val
-      end
+      private
 
-      def build_configuration_map
-        instance_variables.each do |key|
-          str_key = key.to_s.tr('@', '')
-          next if str_key == 'configuration_map'
+      def cast_disabled_rules hsh
+        return unless hsh
+        return unless hsh.key?(SPEC_KEY)
+        return hsh[SPEC_KEY] if hsh[SPEC_KEY].cs__is_a?(Array)
 
-          @configuration_map[str_key] = send(str_key.to_sym)
-        end
+        hsh[SPEC_KEY].split(',').map(&:strip) if hsh[SPEC_KEY].cs__is_a?(String)
       end
     end
   end