contrast-agent 5.3.0 → 6.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (161) hide show
  1. checksums.yaml +4 -4
  2. data/ext/cs__assess_array/cs__assess_array.c +7 -0
  3. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +19 -5
  4. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  5. data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
  6. data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
  7. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
  8. data/ext/cs__assess_module/cs__assess_module.c +1 -1
  9. data/ext/cs__assess_string/cs__assess_string.c +13 -1
  10. data/ext/cs__common/cs__common.c +12 -11
  11. data/ext/cs__contrast_patch/cs__contrast_patch.c +54 -43
  12. data/ext/cs__os_information/cs__os_information.c +13 -10
  13. data/ext/cs__scope/cs__scope.c +146 -97
  14. data/lib/contrast/agent/assess/finalizers/hash.rb +2 -0
  15. data/lib/contrast/agent/assess/policy/policy_node.rb +50 -27
  16. data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
  17. data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
  18. data/lib/contrast/agent/assess/policy/propagation_method.rb +47 -13
  19. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +118 -0
  20. data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
  21. data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
  22. data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
  23. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
  24. data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
  25. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  26. data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
  27. data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
  28. data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -1
  29. data/lib/contrast/agent/assess/property/tagged.rb +1 -1
  30. data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
  31. data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
  32. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +1 -1
  33. data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
  34. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
  35. data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
  36. data/lib/contrast/agent/exclusion_matcher.rb +3 -3
  37. data/lib/contrast/agent/middleware.rb +3 -1
  38. data/lib/contrast/agent/patching/policy/patcher.rb +3 -3
  39. data/lib/contrast/agent/patching/policy/policy_node.rb +15 -2
  40. data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
  41. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +61 -8
  42. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -1
  43. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +2 -2
  44. data/lib/contrast/agent/protect/rule/base.rb +37 -5
  45. data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
  46. data/lib/contrast/agent/protect/rule/cmd_injection.rb +13 -0
  47. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
  48. data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
  49. data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
  50. data/lib/contrast/agent/protect/rule/http_method_tampering.rb +8 -0
  51. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
  52. data/lib/contrast/agent/protect/rule/no_sqli.rb +27 -0
  53. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
  54. data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -4
  55. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
  56. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
  57. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
  58. data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
  59. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
  60. data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
  61. data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
  62. data/lib/contrast/agent/reporting/masker/masker.rb +246 -0
  63. data/lib/contrast/agent/reporting/masker/masker_utils.rb +58 -0
  64. data/lib/contrast/agent/reporting/report.rb +2 -0
  65. data/lib/contrast/agent/reporting/reporter.rb +23 -11
  66. data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +30 -0
  67. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +7 -3
  68. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +40 -0
  69. data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
  70. data/lib/contrast/agent/reporting/reporting_events/finding.rb +1 -1
  71. data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
  72. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +9 -9
  73. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +2 -1
  74. data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
  75. data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
  76. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +16 -5
  77. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +27 -26
  78. data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
  79. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +97 -0
  80. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +68 -6
  81. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
  82. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +122 -96
  83. data/lib/contrast/agent/reporting/settings/application_settings.rb +9 -0
  84. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +5 -33
  85. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
  86. data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
  87. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
  88. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
  89. data/lib/contrast/agent/request_context.rb +1 -1
  90. data/lib/contrast/agent/request_context_extend.rb +1 -1
  91. data/lib/contrast/agent/request_handler.rb +4 -0
  92. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +51 -0
  93. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +36 -0
  94. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +97 -0
  95. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +65 -0
  96. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +47 -0
  97. data/lib/contrast/agent/{metric_telemetry_event.rb → telemetry/events/metric_telemetry_event.rb} +1 -1
  98. data/lib/contrast/agent/{startup_metrics_telemetry_event.rb → telemetry/events/startup_metrics_telemetry_event.rb} +3 -3
  99. data/lib/contrast/agent/{telemetry_event.rb → telemetry/events/telemetry_event.rb} +1 -1
  100. data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +32 -19
  101. data/lib/contrast/agent/thread_watcher.rb +1 -1
  102. data/lib/contrast/agent/version.rb +1 -1
  103. data/lib/contrast/agent.rb +3 -0
  104. data/lib/contrast/api/communication/speedracer.rb +1 -1
  105. data/lib/contrast/api/decorators/address.rb +1 -1
  106. data/lib/contrast/api/decorators/response_type.rb +30 -0
  107. data/lib/contrast/api/decorators.rb +1 -0
  108. data/lib/contrast/components/app_context.rb +0 -4
  109. data/lib/contrast/components/assess.rb +14 -0
  110. data/lib/contrast/components/protect.rb +2 -2
  111. data/lib/contrast/components/sampling.rb +7 -11
  112. data/lib/contrast/components/settings.rb +106 -8
  113. data/lib/contrast/config/agent_configuration.rb +13 -30
  114. data/lib/contrast/config/api_configuration.rb +4 -67
  115. data/lib/contrast/config/api_proxy_configuration.rb +2 -45
  116. data/lib/contrast/config/application_configuration.rb +9 -84
  117. data/lib/contrast/config/assess_configuration.rb +10 -69
  118. data/lib/contrast/config/assess_rules_configuration.rb +9 -38
  119. data/lib/contrast/config/base_configuration.rb +17 -50
  120. data/lib/contrast/config/certification_configuration.rb +6 -63
  121. data/lib/contrast/config/exception_configuration.rb +5 -52
  122. data/lib/contrast/config/heap_dump_configuration.rb +6 -64
  123. data/lib/contrast/config/inventory_configuration.rb +2 -49
  124. data/lib/contrast/config/logger_configuration.rb +0 -36
  125. data/lib/contrast/config/protect_configuration.rb +17 -7
  126. data/lib/contrast/config/protect_rule_configuration.rb +12 -30
  127. data/lib/contrast/config/protect_rules_configuration.rb +21 -26
  128. data/lib/contrast/config/request_audit_configuration.rb +6 -48
  129. data/lib/contrast/config/root_configuration.rb +52 -12
  130. data/lib/contrast/config/ruby_configuration.rb +0 -36
  131. data/lib/contrast/config/sampling_configuration.rb +1 -57
  132. data/lib/contrast/config/server_configuration.rb +0 -36
  133. data/lib/contrast/config/service_configuration.rb +5 -44
  134. data/lib/contrast/configuration.rb +2 -3
  135. data/lib/contrast/extension/assess/string.rb +20 -1
  136. data/lib/contrast/extension/module.rb +0 -1
  137. data/lib/contrast/framework/manager.rb +2 -2
  138. data/lib/contrast/logger/application.rb +1 -1
  139. data/lib/contrast/logger/cef_log.rb +1 -1
  140. data/lib/contrast/tasks/config.rb +90 -3
  141. data/lib/contrast/utils/assess/object_store.rb +36 -0
  142. data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
  143. data/lib/contrast/utils/class_util.rb +3 -12
  144. data/lib/contrast/utils/input_classification.rb +73 -0
  145. data/lib/contrast/utils/log_utils.rb +1 -1
  146. data/lib/contrast/utils/middleware_utils.rb +9 -8
  147. data/lib/contrast/utils/net_http_base.rb +1 -1
  148. data/lib/contrast/utils/object_share.rb +2 -1
  149. data/lib/contrast/utils/os.rb +0 -5
  150. data/lib/contrast/utils/patching/policy/patch_utils.rb +4 -5
  151. data/lib/contrast/utils/response_utils.rb +18 -33
  152. data/lib/contrast/utils/telemetry.rb +1 -1
  153. data/lib/contrast/utils/telemetry_client.rb +1 -1
  154. data/lib/contrast/utils/telemetry_identifier.rb +1 -1
  155. data/resources/assess/policy.json +98 -0
  156. data/resources/deadzone/policy.json +0 -86
  157. data/ruby-agent.gemspec +9 -8
  158. data/service_executables/VERSION +1 -1
  159. data/service_executables/linux/contrast-service +0 -0
  160. data/service_executables/mac/contrast-service +0 -0
  161. metadata +73 -28
@@ -4,12 +4,12 @@
4
4
  module Contrast
5
5
  module Agent
6
6
  module Reporting
7
- #
8
- # @attr_accessor id - [String] - Hash of library as identified by the agent
9
- # @attr_accessor names Array[String] - List of file paths that have been loaded out of or executed by the library
10
- #
7
+ # The usage, meaning loaded files, of a library seen during this request
11
8
  class LibraryUsageObservation
12
- attr_accessor :id, :names
9
+ # @param [String] Sha256Sum of library as identified by the agent
10
+ attr_accessor :id
11
+ # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
12
+ attr_reader :names
13
13
 
14
14
  class << self
15
15
  # Convert a DTM for SpeedRacer to an Event for TeamServer.
@@ -15,16 +15,16 @@ module Contrast
15
15
  # externally accessible endpoints within the application, as registered to the application framework. This also
16
16
  # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
17
17
  # recorded.
18
- #
19
- # @attr_accessor signature [String] the method signature used to uniquely identify the coverage report.
20
- # @attr_accessor url [String] the normalized URL used to access the method in the route.
21
- # @attr_accessor verb [String] the HTTP Verb used to access the method in the route.
22
- # @attr_accessor agent_session_id_value [Integer] the session of this process, as determined from TeamServer on
23
- # application create.
24
- # @attr_accessor sources [Array<Contrast::Agent::Reporting::TraceEventSource>] the sources of user input accessed
25
- # during this request. Used for remediation determinations in TeamServer.
26
18
  class ObservedRoute < Contrast::Agent::Reporting::ReportingEvent
27
- attr_accessor :sources, :agent_session_id_value, :signature, :verb, :url
19
+ # @param [String] the method signature used to uniquely identify the coverage report.
20
+ attr_accessor :signature
21
+ # @param [String] the normalized URL used to access the method in the route.
22
+ attr_accessor :url
23
+ # @param [String] the HTTP Verb used to access the method in the route.
24
+ attr_accessor :verb
25
+ # @param [Array<Contrast::Agent::Reporting::TraceEventSource>] the sources of user input accessed during this
26
+ # request. Used for remediation determinations in TeamServer.
27
+ attr_reader :sources
28
28
 
29
29
  def initialize
30
30
  @event_endpoint = Contrast::Agent::Reporting::Endpoints.observed_route
@@ -1,6 +1,7 @@
1
1
  # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
+ require 'contrast/components/assess'
4
5
  require 'contrast/components/logger'
5
6
  require 'contrast/agent/reporting/reporting_events/reporting_event'
6
7
 
@@ -29,7 +30,7 @@ module Contrast
29
30
  @app_name = ::Contrast::APP_CONTEXT.app_name
30
31
  @app_version = ::Contrast::APP_CONTEXT.app_version
31
32
  @routes = []
32
- @agent_session_id_value = Contrast::APP_CONTEXT.session_id
33
+ @agent_session_id_value = ::Contrast::ASSESS.session_id
33
34
  end
34
35
 
35
36
  # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -4,6 +4,7 @@
4
4
  require 'contrast/components/logger'
5
5
  require 'contrast/utils/assess/trigger_method_utils'
6
6
  require 'contrast/agent/reporting/reporting_utilities/endpoints'
7
+ require 'contrast/components/assess'
7
8
 
8
9
  module Contrast
9
10
  module Agent
@@ -19,7 +20,7 @@ module Contrast
19
20
  attr_reader :event_method
20
21
 
21
22
  def initialize
22
- @agent_session_id_value = '0' # TODO: RUBY-1514 Contrast::APP_CONTEXT.session_id once we have app start
23
+ @agent_session_id_value = ::Contrast::ASSESS.session_id
23
24
  @event_endpoint ||= nil
24
25
  @event_method ||= :POST
25
26
  end
@@ -15,13 +15,15 @@ module Contrast
15
15
  # externally accessible endpoints within the application, as registered to the application framework. This also
16
16
  # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
17
17
  # recorded.
18
- #
19
- # @attr_accessor route [String] the method signature used to uniquely identify the coverage report.
20
- # @attr_accessor url [String] the normalized URL used to access the method in the route.
21
- # @attr_accessor verb [String] the HTTP Verb used to access the method in the route.
22
- # @attr_accessor count [Integer] the number of times this was hit; no longer needed as it can be derived.
23
18
  class RouteCoverage
24
- attr_accessor :route, :url, :verb, :count
19
+ # @param [String] the method signature used to uniquely identify the coverage report.
20
+ attr_accessor :route
21
+ # @param [String] the normalized URL used to access the method in the route.
22
+ attr_accessor :url
23
+ # @param [String] the HTTP Verb used to access the method in the route.
24
+ attr_accessor :verb
25
+ # @param [Integer] the number of times this was hit; no longer needed as it can be derived.
26
+ attr_reader :count
25
27
 
26
28
  def initialize
27
29
  @route = Contrast::Utils::ObjectShare::EMPTY_STRING
@@ -30,7 +30,7 @@ module Contrast
30
30
  # @return [Net::HTTP, nil] Return open connection or nil
31
31
  def initialize_connection
32
32
  # for this client we would use proxy and custom certificate file if available
33
- super(SERVICE_NAME, Contrast::API.api_url, true, true)
33
+ super(SERVICE_NAME, Contrast::API.api_url, use_proxy: true, use_custom_cert: true)
34
34
  end
35
35
 
36
36
  def initialize
@@ -55,13 +55,12 @@ module Contrast
55
55
  # @param connection [Net::HTTP] open connection
56
56
  # @param send_immediately [Boolean] flag for the logger
57
57
  # @return response [Net::HTTP::Response, nil] response from TS if no response
58
- def send_event event, connection, send_immediately = false
58
+ def send_event event, connection, send_immediately: false
59
59
  return unless Contrast::Agent::Reporter.enabled?
60
60
  return unless connection
61
61
 
62
- response = send_events(event, connection)
63
- log_send_event event if send_immediately
64
- response
62
+ log_send_event(event) if send_immediately
63
+ send_events(event, connection)
65
64
  rescue StandardError => e
66
65
  handle_error event, e
67
66
  end
@@ -78,6 +77,18 @@ module Contrast
78
77
  response_handler.sleep?
79
78
  end
80
79
 
80
+ def timeout
81
+ response_handler.timeout
82
+ end
83
+
84
+ def mode
85
+ response_handler.mode
86
+ end
87
+
88
+ def reset_mode
89
+ response_handler.reset_mode
90
+ end
91
+
81
92
  def wake_up
82
93
  response_handler.wake_up
83
94
  end
@@ -3,6 +3,7 @@
3
3
 
4
4
  require 'contrast/components/logger'
5
5
  require 'contrast/components/scope'
6
+ require 'contrast/agent/reporting/reporting_events/application_startup'
6
7
  require 'contrast/agent/reporting/reporting_utilities/reporter_client'
7
8
  require 'contrast/agent/reporting/reporting_utilities/endpoints'
8
9
 
@@ -15,6 +16,12 @@ module Contrast
15
16
  include Contrast::Components::Scope::InstanceMethods
16
17
  include Contrast::Agent::Reporting::Endpoints
17
18
 
19
+ # List the events that need to be sent when agent starts up
20
+ STARTUP_EVENTS = [
21
+ Contrast::Agent::Reporting::ApplicationStartup,
22
+ Contrast::Agent::Reporting::AgentStartup
23
+ ].cs__freeze
24
+
18
25
  # @param event [Contrast::Agent::Reporting::Preflight] the preflight we handle here
19
26
  # @param response [Net::HTTP::Response,nil] The response we handle and read from
20
27
  # @param connection [Net::HTTP] open connection
@@ -31,7 +38,7 @@ module Contrast
31
38
  return unless corresponding_finding
32
39
 
33
40
  audit&.audit_event(corresponding_finding, response) if ::Contrast::API.request_audit_enable?
34
- send_event(corresponding_finding, connection, true)
41
+ send_event(corresponding_finding, connection, send_immediately: true)
35
42
  nil
36
43
  rescue StandardError => e
37
44
  logger.error('Unable to handle response', e)
@@ -92,38 +99,28 @@ module Contrast
92
99
  # Handles response processing and sets status
93
100
  #
94
101
  # @param response [Net::HTTP::Response]
95
- # @return response [Net::HTTP::Response]
96
102
  def process_response response
97
103
  response_handler.process(response)
98
104
  logger.debug('Successfully sent startup messages to service.')
99
105
  status.success!
100
- response
101
106
  end
102
107
 
103
108
  # build the request headers and assign endpoint
104
109
  #
105
- # @param event event [Contrast::Api::Dtm::AgentStartup, Contrast::Agent::Reporting::ReportingEvent]
110
+ # @param event event [Contrast::Agent::Reporting::ReportingEvent]
106
111
  # One of the DTMs valid for the event field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
107
112
  # @return [Net::HTTP::Post,Net::HTTP::Put]
108
113
  def build_request event
109
114
  with_contrast_scope do
110
- request = if event.cs__is_a?(Contrast::Agent::Reporting::ReportingEvent)
111
- case event.event_method
112
- when :PUT
113
- Net::HTTP::Put.new(event.event_endpoint)
114
- when :POST
115
- Net::HTTP::Post.new(event.event_endpoint)
116
- end
117
- else # TODO: RUBY-1438 -- remove
118
- Net::HTTP::Put.new(Contrast::Agent::Reporting::Endpoints::NG_ENDPOINTS[:agent_startup])
115
+ request = case event.event_method
116
+ when :PUT
117
+ Net::HTTP::Put.new(event.event_endpoint)
118
+ else # :POST
119
+ Net::HTTP::Post.new(event.event_endpoint)
119
120
  end
120
121
  build_headers(request)
121
- if event.cs__is_a?(Contrast::Agent::Reporting::ReportingEvent)
122
- event.attach_headers(request)
123
- request.body = event.to_controlled_hash.to_json
124
- else
125
- request.body = event.to_json
126
- end
122
+ event.attach_headers(request)
123
+ request.body = event.to_controlled_hash.to_json
127
124
  request
128
125
  end
129
126
  end
@@ -131,15 +128,17 @@ module Contrast
131
128
  # Send Agent Startup event
132
129
  #
133
130
  # @param connection [Net::HTTP] open connection
134
- # @return response [Net::HTTP::Response] response from TS
135
131
  def send_agent_startup connection
136
132
  logger.debug('Preparing to send startup messages')
137
- startup = Contrast::APP_CONTEXT.build_agent_startup_message
138
- request = build_request(startup)
139
- response = connection.request(request)
140
- process_response(response)
141
- rescue StandardError => e
142
- handle_error(startup, e)
133
+
134
+ STARTUP_EVENTS.each do |event|
135
+ startup_event = event.new
136
+ request = build_request(startup_event)
137
+ response = connection.request(request)
138
+ process_response(response)
139
+ rescue StandardError => e
140
+ handle_error(startup_event, e)
141
+ end
143
142
  end
144
143
 
145
144
  # Sent different events to different endpoints
@@ -147,10 +146,12 @@ module Contrast
147
146
  # @param event [Contrast::Api::Dtm,Contrast::Agent::Reporting::ReportingEvent] Main reporting event, all events
148
147
  # inherit it
149
148
  # @param connection [Net::HTTP] open connection
149
+ # @return [Net::HTTP::Response]
150
150
  def send_events event, connection
151
151
  request = build_request(event)
152
152
  response = connection.request(request)
153
153
  process_response(response)
154
+ response
154
155
  rescue StandardError => e
155
156
  handle_error(event, e)
156
157
  end
@@ -53,7 +53,7 @@ module Contrast
53
53
  end
54
54
 
55
55
  # @param rule_id [String] the rule_id
56
- # @return [Hash, nil] return array with key and value of the pair
56
+ # @return [Array, nil] return array with key and value of the pair
57
57
  def find_by_rule_id rule_id
58
58
  return unless rule_id
59
59
 
@@ -0,0 +1,97 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ module Contrast
5
+ module Agent
6
+ module Reporting
7
+ # This module will hold the methods for TS response conversion to settings objects.
8
+ module ResponseExtractor
9
+ private
10
+
11
+ # @param response_data [Hash]
12
+ # @param res [Contrast::Agent::Reporting::Response]
13
+ def extract_assess response_data, res
14
+ assessments = response_data[:settings][:assessment]
15
+ return unless assessments
16
+
17
+ res.application_settings.assess.disabled_rules = assessments[:disabledRules]
18
+ res.application_settings.assess.session_id = assessments[:sessionId]
19
+ end
20
+
21
+ # @param response_data [Hash]
22
+ # @param res [Contrast::Agent::Reporting::Response]
23
+ def extract_protect response_data, res
24
+ protect = response_data[:settings][:defend]
25
+ return unless protect
26
+
27
+ res.application_settings.protect.protection_rules = protect[:protectionRules]
28
+ res.application_settings.protect.virtual_patches = protect[:virtualPatches]
29
+ end
30
+
31
+ # @param response_data [Hash]
32
+ # @param res [Contrast::Agent::Reporting::Response]
33
+ def extract_exclusions response_data, res
34
+ exclusions = response_data[:settings][:exceptions]
35
+ return unless exclusions
36
+
37
+ res.application_settings.exclusions.code_exclusions = exclusions[:codeExceptions]
38
+ res.application_settings.exclusions.input_exclusions = exclusions[:inputExceptions]
39
+ res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
40
+ end
41
+
42
+ # @param response_data [Hash]
43
+ # @param res [Contrast::Agent::Reporting::Response]
44
+ def extract_reactions response_data, res
45
+ res.application_settings.reactions = response_data[:settings][:reactions]
46
+ end
47
+
48
+ # @param response_data [Hash]
49
+ # @param res [Contrast::Agent::Reporting::Response]
50
+ def extract_assess_server_features response_data, res
51
+ assess = response_data[:assessment]
52
+ return unless assess
53
+
54
+ res.server_features.assess.enabled = assess[:enabled]
55
+ res.server_features.assess.sampling = assess[:sampling]
56
+ res.server_features.assess.sanitizers = assess[:sanitizers]
57
+ res.server_features.assess.validators = assess[:validators]
58
+ end
59
+
60
+ # @param response_data [Hash]
61
+ # @param res [Contrast::Agent::Reporting::Response]
62
+ def extract_protect_server_features response_data, res
63
+ protect = response_data[:defend]
64
+ return unless protect
65
+
66
+ res.server_features.protect.enabled = protect[:enabled]
67
+ res.server_features.protect.bot_blocker = protect[:bot_blocker]
68
+ res.server_features.protect.syslog = protect[:syslog]
69
+ end
70
+
71
+ # @param response_data [Hash]
72
+ # @param res [Contrast::Agent::Reporting::Response]
73
+ def extract_protect_lists response_data, res
74
+ protect = response_data[:defend]
75
+ return unless protect
76
+
77
+ res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
78
+ res.server_features.protect.ip_denylist = protect[:ipDenyList]
79
+ res.server_features.protect.log_enchancers = protect[:logEnhancers]
80
+ res.server_features.protect.rule_definition_list = protect[:ruleDefinitionList]
81
+ end
82
+
83
+ # Here we extract the rules and state for the sensitive data masking policy
84
+ # Received from TS.
85
+ #
86
+ # @param response_data [Hash]
87
+ # @param res [Contrast::Agent::Reporting::Response]
88
+ def extract_sensitive_data_policy response_data, res
89
+ sensitive_data = response_data[:settings][:sensitive_data_masking_policy]
90
+ res.application_settings.sensitive_data_masking.mask_http_body = sensitive_data[:mask_http_body]
91
+ res.application_settings.sensitive_data_masking.mask_attack_vector = sensitive_data[:mask_attack_vector]
92
+ res.application_settings.sensitive_data_masking.build_rules_form_settings sensitive_data[:rules]
93
+ end
94
+ end
95
+ end
96
+ end
97
+ end
@@ -5,6 +5,7 @@ require 'contrast/api/communication/response_processor'
5
5
  require 'contrast/api/decorators/application_settings'
6
6
  require 'contrast/agent/reporting/reporting_utilities/response'
7
7
  require 'contrast/agent/reporting/reporting_utilities/response_handler_utils'
8
+ require 'contrast/agent/reporting/reporting_utilities/response_handler_mode'
8
9
  require 'contrast/api/decorators/server_features'
9
10
  require 'contrast/components/logger'
10
11
  require 'json'
@@ -16,23 +17,26 @@ module Contrast
16
17
  class ResponseHandler < Contrast::Api::Communication::ResponseProcessor
17
18
  include Contrast::Components::Logger::InstanceMethods
18
19
  include Contrast::Agent::Reporting::ResponseHandlerUtils
20
+ # 15 min
21
+ TIMEOUT = 900.cs__freeze
22
+
19
23
  # Process the response from TS
20
24
  #
21
25
  # @param response [Net::HTTP::Response, nil]
22
26
  # @return response [Net::HTTP::Response, nil]
23
27
  def process response
24
28
  logger.debug('Reporter Received a response')
25
- return unless analyze_response_code? response&.code
29
+ return unless analyze_response? response
26
30
 
27
- # handle the response body and obtain server_features or app_settings
31
+ # Handle the response body and obtain server_features or app_settings
28
32
  report_response = convert_response response
29
33
 
30
34
  return unless report_response
31
35
 
32
36
  update_agent_settings report_response
33
37
  update_reaction report_response
34
- # this one is called from super needs to be placed here after protobuf
35
- update_features report_response.server_features, report_response.application_settings
38
+ # This one is called from super needs to be placed here after protobuf end of life.
39
+ update_features(report_response.server_features, report_response.application_settings)
36
40
  logger.trace('Agent settings updated in response to Service', protect_on: ::Contrast::PROTECT.enabled?,
37
41
  assess_on: ::Contrast::ASSESS.enabled?)
38
42
  response
@@ -41,16 +45,74 @@ module Contrast
41
45
  nil
42
46
  end
43
47
 
44
- # if sleep is true puts reporting service to sleep
48
+ # If sleep is true puts reporting service to sleep.
45
49
  def sleep?
46
50
  @_sleep = wake_up if @_sleep.nil?
47
51
  @_sleep
48
52
  end
49
53
 
50
- # wakes the reporting service
54
+ # For how long the agent should wait until retry
55
+ # to send message
56
+ #
57
+ # @return timeout [Integer] the time for reporter
58
+ # to be suspended.
59
+ def timeout
60
+ @_timeout ||= TIMEOUT
61
+ end
62
+
63
+ def mode
64
+ @_mode ||= Contrast::Agent::Reporting::ResponseHandlerMode.new
65
+ end
66
+
67
+ # Wakes the reporting service
51
68
  def wake_up
52
69
  @_sleep = false
53
70
  end
71
+
72
+ private
73
+
74
+ # Handles the errors code received from TS and takes appropriate action.
75
+ # If we are here the response.code is an error that needs handling [4XX]
76
+ #
77
+ # @param response [Net::HTTP::Response]
78
+ def handle_error response
79
+ case response&.code
80
+ when ERROR_CODES[:message_not_sent]
81
+ handle_response_errors response, UNSUCCESSFULLY_RECEIVED_MSG, mode.running
82
+ when ERROR_CODES[:access_forbidden]
83
+ handle_response_errors response, FORBIDDEN_MSG, mode.running
84
+ when ERROR_CODES[:access_forbidden_no_action]
85
+ handle_response_errors response, FORBIDDEN_NO_ACTION_MSG, mode.running
86
+ when ERROR_CODES[:application_do_not_exist]
87
+ handle_response_errors response, APP_NON_EXISTENT_MSG, mode.disabled
88
+ when ERROR_CODES[:unprocessable_entity]
89
+ handle_response_errors response, UNPROCESSABLE_ENTITY_MSG, mode.disabled
90
+ when ERROR_CODES[:too_many_requests]
91
+ handle_response_errors response, RETRY_AFTER_MSG, mode.resending
92
+ else
93
+ logger.debug('Response Error code could not be processed')
94
+ end
95
+ end
96
+
97
+ # Suspend the reporter and try again in time. If not set
98
+ # the timeout is set to 15 min As default:
99
+ #
100
+ # @param message [String] Message to log.
101
+ # @param timeout [Integer,nil] The timeout to wait and retry after.
102
+ # @param error_message [String, nil] Error message if any received.
103
+ def suspend_reporting message, timeout, error_message
104
+ @_timeout = timeout || Contrast::Agent::Reporting::ResponseHandler::TIMEOUT
105
+ log_debug_msg message, timeout: @_timeout, error_message: error_message || 'none'
106
+ @_sleep = true
107
+ end
108
+
109
+ # Log what we've received.
110
+ #
111
+ # @param message [String] Message to log
112
+ # @param info_hash [Hash] information about the context to log.
113
+ def log_debug_msg message, info_hash
114
+ logger.debug(message, info_hash)
115
+ end
54
116
  end
55
117
  end
56
118
  end
@@ -0,0 +1,63 @@
1
+ # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
+ # frozen_string_literal: true
3
+
4
+ module Contrast
5
+ module Agent
6
+ module Reporting
7
+ # This class will hold the mode state in which the reporter will send
8
+ # event ot TS.
9
+ class ResponseHandlerMode
10
+ # Reader for the running mode type.
11
+ #
12
+ # @return [Symbol] Reporter's client and Response Handler are running
13
+ # and responses are being processed.
14
+ attr_reader :running
15
+ # Reader for the disabled mode type.
16
+ #
17
+ # @return [Symbol] Reporter's client and Response Handler are disabled
18
+ # due to received Error. The Reporting is disabled for this application.
19
+ attr_reader :disabled
20
+ # Reader for the resending/retry mode type.
21
+ #
22
+ # @return [Symbol] Reporter's client and Response Handler are suspended
23
+ # for a TS received amount of time and will try to resend the previous
24
+ # request after that.
25
+ attr_reader :resending
26
+ # Reader for all supported modes.
27
+ #
28
+ # @return [Array<Symbol>] Reporter's client and Response Handler all
29
+ # available modes of operation.
30
+ attr_reader :modes
31
+
32
+ def initialize
33
+ @running = :running
34
+ @disabled = :disabled
35
+ @resending = :resending
36
+ @modes = [@running, @disabled, @resending].cs__freeze
37
+ end
38
+
39
+ # Current mode.
40
+ #
41
+ # @return [Symbol] Reporter's client and Response Handler
42
+ # current mode of operation.
43
+ def status
44
+ @_status ||= running
45
+ end
46
+
47
+ # Set current mode.
48
+ #
49
+ # @return [Symbol] Reporter's client and Response Handler
50
+ # current mode of operation.
51
+ def status= mode
52
+ @_status = mode if mode.cs__is_a?(Symbol) && modes.include?(mode)
53
+ end
54
+
55
+ # Reset mode
56
+ #
57
+ def reset_mode
58
+ @_status = running
59
+ end
60
+ end
61
+ end
62
+ end
63
+ end