contrast-agent 5.3.0 → 6.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +1 -1
- data/Rakefile +1 -1
- data/ext/build_funchook.rb +3 -3
- data/ext/cs__assess_array/cs__assess_array.c +7 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +24 -6
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
- data/ext/cs__assess_hash/cs__assess_hash.c +3 -4
- data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -2
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +26 -12
- data/ext/cs__assess_module/cs__assess_module.c +1 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +15 -2
- data/ext/cs__assess_regexp/cs__assess_regexp.h +2 -0
- data/ext/cs__assess_string/cs__assess_string.c +21 -1
- data/ext/cs__assess_test/cs__assess_test.h +9 -0
- data/ext/cs__assess_test/cs__assess_tests.c +22 -0
- data/ext/cs__assess_test/extconf.rb +5 -0
- data/ext/cs__common/cs__common.c +113 -11
- data/ext/cs__common/cs__common.h +29 -5
- data/ext/cs__contrast_patch/cs__contrast_patch.c +55 -44
- data/ext/cs__os_information/cs__os_information.c +13 -10
- data/ext/cs__scope/cs__scope.c +146 -97
- data/ext/cs__tests/cs__tests.c +12 -0
- data/ext/cs__tests/cs__tests.h +3 -0
- data/ext/cs__tests/extconf.rb +5 -0
- data/ext/extconf_common.rb +1 -1
- data/lib/contrast/agent/assess/contrast_object.rb +16 -16
- data/lib/contrast/agent/assess/events/source_event.rb +17 -19
- data/lib/contrast/agent/assess/finalizers/hash.rb +4 -2
- data/lib/contrast/agent/assess/policy/policy.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_node.rb +58 -36
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +51 -0
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -16
- data/lib/contrast/agent/assess/policy/preshift.rb +8 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +48 -14
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +119 -0
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +19 -4
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +18 -2
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +17 -3
- data/lib/contrast/agent/assess/policy/propagator/split.rb +17 -21
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/source_method.rb +7 -7
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +11 -17
- data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +2 -2
- data/lib/contrast/agent/assess/property/tagged.rb +3 -3
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +12 -7
- data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +13 -6
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +3 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +66 -43
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
- data/lib/contrast/agent/assess/tag.rb +13 -14
- data/lib/contrast/agent/at_exit_hook.rb +12 -1
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +0 -7
- data/lib/contrast/agent/deadzone/policy/policy.rb +0 -6
- data/lib/contrast/agent/exclusion_matcher.rb +3 -3
- data/lib/contrast/agent/inventory/database_config.rb +10 -3
- data/lib/contrast/agent/middleware.rb +10 -5
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -5
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
- data/lib/contrast/agent/patching/policy/patch.rb +20 -19
- data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
- data/lib/contrast/agent/patching/policy/patcher.rb +4 -4
- data/lib/contrast/agent/patching/policy/policy.rb +13 -15
- data/lib/contrast/agent/patching/policy/policy_node.rb +32 -21
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/exploitable_collection.rb +38 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +132 -75
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +4 -3
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -3
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
- data/lib/contrast/agent/protect/rule/base.rb +53 -9
- data/lib/contrast/agent/protect/rule/base_service.rb +31 -12
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +23 -3
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +83 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +64 -0
- data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +96 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +72 -46
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +231 -0
- data/lib/contrast/agent/protect/rule/no_sqli.rb +28 -2
- data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +18 -54
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +2 -5
- data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +82 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +45 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +42 -0
- data/lib/contrast/agent/protect/rule/xss.rb +17 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
- data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/reporting/attack_result/attack_result.rb +63 -0
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +52 -0
- data/lib/contrast/agent/reporting/attack_result/response_type.rb +29 -0
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +87 -0
- data/lib/contrast/agent/reporting/masker/masker.rb +243 -0
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +62 -0
- data/lib/contrast/agent/reporting/report.rb +2 -0
- data/lib/contrast/agent/reporting/reporter.rb +29 -22
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +34 -0
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +96 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +182 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +56 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +13 -5
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +60 -0
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +44 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +7 -12
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +10 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +2 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +5 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +16 -12
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +10 -8
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +8 -11
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +8 -6
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +12 -20
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +17 -27
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +29 -13
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +64 -76
- data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +17 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +100 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +75 -13
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +63 -0
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +163 -122
- data/lib/contrast/agent/reporting/settings/application_settings.rb +10 -1
- data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +7 -35
- data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +21 -6
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +6 -6
- data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
- data/lib/contrast/agent/reporting/settings/sampling.rb +36 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +110 -0
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +58 -0
- data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
- data/lib/contrast/agent/request.rb +5 -5
- data/lib/contrast/agent/request_context.rb +25 -21
- data/lib/contrast/agent/request_context_extend.rb +12 -25
- data/lib/contrast/agent/request_handler.rb +7 -3
- data/lib/contrast/agent/response.rb +2 -0
- data/lib/contrast/agent/rule_set.rb +2 -2
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +6 -48
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/telemetry/base.rb +155 -0
- data/lib/contrast/agent/telemetry/events/event.rb +35 -0
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +59 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +44 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +115 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +83 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +64 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +20 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +30 -0
- data/lib/contrast/agent/telemetry/events/metric_event.rb +28 -0
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +123 -0
- data/lib/contrast/agent/thread_watcher.rb +52 -68
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent/worker_thread.rb +8 -0
- data/lib/contrast/agent.rb +4 -3
- data/lib/contrast/api/communication/messaging_queue.rb +29 -12
- data/lib/contrast/api/communication/response_processor.rb +7 -10
- data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +1 -1
- data/lib/contrast/api/communication/speedracer.rb +3 -3
- data/lib/contrast/api/decorators/activity.rb +33 -0
- data/lib/contrast/api/decorators/address.rb +1 -1
- data/lib/contrast/api/decorators/agent_startup.rb +10 -9
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +4 -4
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/response_type.rb +17 -0
- data/lib/contrast/api/decorators.rb +1 -0
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/app_context.rb +0 -4
- data/lib/contrast/components/assess.rb +14 -0
- data/lib/contrast/components/base.rb +1 -1
- data/lib/contrast/components/config.rb +19 -28
- data/lib/contrast/components/contrast_service.rb +13 -1
- data/lib/contrast/components/protect.rb +2 -2
- data/lib/contrast/components/sampling.rb +8 -12
- data/lib/contrast/components/settings.rb +151 -19
- data/lib/contrast/config/agent_configuration.rb +34 -41
- data/lib/contrast/config/api_configuration.rb +16 -75
- data/lib/contrast/config/api_proxy_configuration.rb +9 -48
- data/lib/contrast/config/application_configuration.rb +24 -95
- data/lib/contrast/config/assess_configuration.rb +21 -76
- data/lib/contrast/config/assess_rules_configuration.rb +13 -38
- data/lib/contrast/config/base_configuration.rb +11 -76
- data/lib/contrast/config/certification_configuration.rb +15 -68
- data/lib/contrast/config/exception_configuration.rb +15 -59
- data/lib/contrast/config/heap_dump_configuration.rb +19 -73
- data/lib/contrast/config/inventory_configuration.rb +11 -55
- data/lib/contrast/config/logger_configuration.rb +8 -41
- data/lib/contrast/config/protect_configuration.rb +23 -10
- data/lib/contrast/config/protect_rule_configuration.rb +23 -37
- data/lib/contrast/config/protect_rules_configuration.rb +39 -43
- data/lib/contrast/config/request_audit_configuration.rb +16 -55
- data/lib/contrast/config/root_configuration.rb +71 -14
- data/lib/contrast/config/ruby_configuration.rb +14 -47
- data/lib/contrast/config/sampling_configuration.rb +12 -65
- data/lib/contrast/config/server_configuration.rb +13 -45
- data/lib/contrast/config/service_configuration.rb +18 -54
- data/lib/contrast/configuration.rb +25 -17
- data/lib/contrast/extension/assess/array.rb +1 -1
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/assess/marshal.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +20 -1
- data/lib/contrast/extension/extension.rb +2 -2
- data/lib/contrast/extension/module.rb +0 -1
- data/lib/contrast/framework/base_support.rb +8 -8
- data/lib/contrast/framework/grape/support.rb +3 -3
- data/lib/contrast/framework/manager.rb +7 -7
- data/lib/contrast/framework/manager_extend.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +14 -46
- data/lib/contrast/framework/rails/support.rb +2 -2
- data/lib/contrast/framework/sinatra/support.rb +1 -1
- data/lib/contrast/logger/aliased_logging.rb +94 -0
- data/lib/contrast/logger/application.rb +1 -5
- data/lib/contrast/logger/cef_log.rb +15 -15
- data/lib/contrast/logger/format.rb +1 -1
- data/lib/contrast/logger/log.rb +8 -8
- data/lib/contrast/tasks/config.rb +100 -4
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/object_store.rb +36 -0
- data/lib/contrast/utils/assess/propagation_method_utils.rb +6 -0
- data/lib/contrast/utils/assess/tracking_util.rb +4 -4
- data/lib/contrast/utils/class_util.rb +9 -22
- data/lib/contrast/utils/findings.rb +3 -3
- data/lib/contrast/utils/hash_digest.rb +6 -7
- data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
- data/lib/contrast/utils/input_classification.rb +73 -0
- data/lib/contrast/utils/invalid_configuration_util.rb +2 -2
- data/lib/contrast/utils/log_utils.rb +7 -5
- data/lib/contrast/utils/lru_cache.rb +1 -1
- data/lib/contrast/utils/metrics_hash.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +15 -14
- data/lib/contrast/utils/net_http_base.rb +5 -5
- data/lib/contrast/utils/object_share.rb +2 -1
- data/lib/contrast/utils/os.rb +1 -6
- data/lib/contrast/utils/patching/policy/patch_utils.rb +6 -7
- data/lib/contrast/utils/request_utils.rb +2 -2
- data/lib/contrast/utils/response_utils.rb +18 -33
- data/lib/contrast/utils/sha256_builder.rb +4 -4
- data/lib/contrast/utils/stack_trace_utils.rb +31 -13
- data/lib/contrast/utils/telemetry.rb +22 -7
- data/lib/contrast/utils/telemetry_client.rb +28 -16
- data/lib/contrast/utils/telemetry_hash.rb +41 -0
- data/lib/contrast/utils/telemetry_identifier.rb +18 -3
- data/lib/contrast/utils/timer.rb +1 -1
- data/lib/contrast.rb +9 -0
- data/resources/assess/policy.json +99 -1
- data/resources/deadzone/policy.json +0 -86
- data/ruby-agent.gemspec +10 -9
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +99 -29
- data/lib/contrast/agent/metric_telemetry_event.rb +0 -26
- data/lib/contrast/agent/startup_metrics_telemetry_event.rb +0 -121
- data/lib/contrast/agent/telemetry.rb +0 -137
- data/lib/contrast/agent/telemetry_event.rb +0 -33
- data/lib/contrast/utils/exclude_key.rb +0 -20
@@ -28,7 +28,7 @@ module Contrast
|
|
28
28
|
@_build_receiver ||= begin
|
29
29
|
address = new
|
30
30
|
address.host = 'localhost'
|
31
|
-
address.ip = '127.0.0.1'
|
31
|
+
address.ip = '127.0.0.1' # rubocop:disable Style/IpAddresses
|
32
32
|
begin
|
33
33
|
Timeout.timeout(1) do
|
34
34
|
address.host = Contrast::Utils::StringUtils.force_utf8(Socket.gethostname)
|
@@ -27,11 +27,11 @@ module Contrast
|
|
27
27
|
def build name, path, type
|
28
28
|
msg = new
|
29
29
|
msg.server_version = Contrast::Agent::VERSION
|
30
|
-
msg.server_name = Contrast::Utils::StringUtils.protobuf_format
|
31
|
-
msg.server_path = Contrast::Utils::StringUtils.protobuf_format
|
32
|
-
msg.server_type = Contrast::Utils::StringUtils.protobuf_format
|
30
|
+
msg.server_name = Contrast::Utils::StringUtils.protobuf_format(name)
|
31
|
+
msg.server_path = Contrast::Utils::StringUtils.protobuf_format(path)
|
32
|
+
msg.server_type = Contrast::Utils::StringUtils.protobuf_format(type)
|
33
33
|
config!(msg)
|
34
|
-
msg.finding_tags = Contrast::Utils::StringUtils.protobuf_format
|
34
|
+
msg.finding_tags = Contrast::Utils::StringUtils.protobuf_format(::Contrast::ASSESS.tags)
|
35
35
|
msg
|
36
36
|
end
|
37
37
|
|
@@ -41,11 +41,12 @@ module Contrast
|
|
41
41
|
#
|
42
42
|
# @param msg [Contrast::Api::Dtm::AgentStartup]
|
43
43
|
def config! msg
|
44
|
-
msg.version = Contrast::Utils::StringUtils.protobuf_format
|
45
|
-
msg.server_tags = Contrast::Utils::StringUtils.protobuf_format
|
46
|
-
msg.library_tags = Contrast::Utils::StringUtils.protobuf_format
|
47
|
-
msg.environment = Contrast::Utils::StringUtils.protobuf_format
|
48
|
-
msg.application_tags =
|
44
|
+
msg.version = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.server.version)
|
45
|
+
msg.server_tags = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.server.tags)
|
46
|
+
msg.library_tags = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.inventory.tags)
|
47
|
+
msg.environment = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.server.environment)
|
48
|
+
msg.application_tags =
|
49
|
+
Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.tags)
|
49
50
|
end
|
50
51
|
end
|
51
52
|
end
|
@@ -23,7 +23,7 @@ module Contrast
|
|
23
23
|
# Convert protobuf protect rule settings into a hash that settings state understands
|
24
24
|
def translated_protection_mode_by_id
|
25
25
|
protection_rules = self.protection_rules.map { |pr, _hash| [pr.id, pr.mode] } # [[RULE_ID, MODE]]
|
26
|
-
protection_rules.select! { |(_id, mode)| MODE_ALLOWLIST.include?
|
26
|
+
protection_rules.select! { |(_id, mode)| MODE_ALLOWLIST.include?(mode) } # [REMOVE IF MODE INVALID]
|
27
27
|
protection_rules.to_h # {RULE_ID => MODE}
|
28
28
|
end
|
29
29
|
|
@@ -24,12 +24,12 @@ module Contrast
|
|
24
24
|
# @return [Contrast::Api::Dtm::ApplicationCreate]
|
25
25
|
def build
|
26
26
|
msg = new
|
27
|
-
msg.code = Contrast::Utils::StringUtils.protobuf_format
|
28
|
-
msg.group = Contrast::Utils::StringUtils.protobuf_format
|
29
|
-
msg.metadata = Contrast::Utils::StringUtils.protobuf_format
|
27
|
+
msg.code = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.code)
|
28
|
+
msg.group = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.group)
|
29
|
+
msg.metadata = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.metadata)
|
30
30
|
msg.mode = Contrast::Api::Dtm::InstrumentationMode.build
|
31
31
|
msg.app_version =
|
32
|
-
Contrast::Utils::StringUtils.protobuf_format
|
32
|
+
Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.version.to_s) # rubocop:disable Layout/AssignmentIndentation Layout/FirstArgumentIndentation:
|
33
33
|
session!(msg)
|
34
34
|
msg
|
35
35
|
end
|
@@ -94,7 +94,7 @@ module Contrast
|
|
94
94
|
return true if ::Contrast::AGENT.omit_body?
|
95
95
|
return false if request.document_type != :NORMAL
|
96
96
|
|
97
|
-
request.
|
97
|
+
request.media_type&.include?('multipart/form-data')
|
98
98
|
end
|
99
99
|
|
100
100
|
def append_pair map, key, value
|
@@ -0,0 +1,17 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/api/dtm.pb'
|
5
|
+
require 'protobuf/message'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Api
|
9
|
+
module Dtm
|
10
|
+
class AttackResult < ::Protobuf::Message
|
11
|
+
class ResponseType < ::Protobuf::Enum
|
12
|
+
define :SUSPICIOUS, 6
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
@@ -75,7 +75,7 @@ module Contrast
|
|
75
75
|
|
76
76
|
# Insert ourselves into the application, keeping our middleware at the outermost layer of the onion
|
77
77
|
def insert_middleware app
|
78
|
-
app.middleware.insert_before
|
78
|
+
app.middleware.insert_before(0, Contrast::Agent::Middleware)
|
79
79
|
end
|
80
80
|
|
81
81
|
def enable_tracepoint
|
@@ -110,6 +110,20 @@ module Contrast
|
|
110
110
|
[]
|
111
111
|
end
|
112
112
|
|
113
|
+
def track_original_object?
|
114
|
+
if @_track_original_object.nil?
|
115
|
+
@_track_original_object = !false?(::Contrast::CONFIG.root.assess.enable_original_object)
|
116
|
+
end
|
117
|
+
|
118
|
+
@_track_original_object
|
119
|
+
end
|
120
|
+
|
121
|
+
# The id for this process, based on the session metadata or id provided by the user, as indicated in
|
122
|
+
# application startup.
|
123
|
+
def session_id
|
124
|
+
::Contrast::SETTINGS.assess_state.session_id
|
125
|
+
end
|
126
|
+
|
113
127
|
private
|
114
128
|
|
115
129
|
def forcibly_enabled?
|
@@ -28,6 +28,12 @@ module Contrast
|
|
28
28
|
CONTRAST_NAME = 'Contrast Agent'
|
29
29
|
|
30
30
|
class Interface # :nodoc:
|
31
|
+
SESSION_VARIABLES = 'Invalid configuration. '\
|
32
|
+
"Setting both application.session_id and application.session_metadata is not allowed.\n"
|
33
|
+
API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
|
34
|
+
API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
|
35
|
+
API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
|
36
|
+
API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
|
31
37
|
def initialize
|
32
38
|
build
|
33
39
|
end
|
@@ -72,14 +78,21 @@ module Contrast
|
|
72
78
|
@config.loggable
|
73
79
|
end
|
74
80
|
|
81
|
+
# Typically, this would be accessed through Contrast::SETTINGS, but we're specifically checking for the user
|
82
|
+
# provided value here rather than that echoed back by TeamServer.
|
83
|
+
#
|
84
|
+
# @return [String,nil] the value of the session id set in the configuration, or nil if unset
|
85
|
+
def session_id
|
86
|
+
root.application.session_id
|
87
|
+
end
|
88
|
+
|
89
|
+
# @return [String,nil] the value of the session metadata set in the configuration, or nil if unset
|
90
|
+
def session_metadata
|
91
|
+
root.application.session_metadata
|
92
|
+
end
|
93
|
+
|
75
94
|
private
|
76
95
|
|
77
|
-
SESSION_VARIABLES = 'Invalid configuration. '\
|
78
|
-
"Setting both application.session_id and application.session_metadata is not allowed.\n"
|
79
|
-
API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
|
80
|
-
API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
|
81
|
-
API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
|
82
|
-
API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
|
83
96
|
# The config has information about how to construct the logger. If the config is invalid, and you want to know
|
84
97
|
# about it, then you have a circular dependency if you try to log it, so we use basic proto_logger to do this
|
85
98
|
# job.
|
@@ -127,28 +140,6 @@ module Contrast
|
|
127
140
|
end
|
128
141
|
end
|
129
142
|
|
130
|
-
# Typically, this would be accessed through
|
131
|
-
# Contrast::Components::AppContext, but we're too early in the
|
132
|
-
# initialization of the Agent to use that mechanism, so we look it up
|
133
|
-
# directly for ourselves
|
134
|
-
#
|
135
|
-
# @return [String,nil] the value of the session id set in the
|
136
|
-
# configuration, or nil if unset
|
137
|
-
def session_id
|
138
|
-
root.application.session_id
|
139
|
-
end
|
140
|
-
|
141
|
-
# Typically, this would be accessed through
|
142
|
-
# Contrast::Components::AppContext, but we're too early in the
|
143
|
-
# initialization of the Agent to use that mechanism, so we look it up
|
144
|
-
# directly for ourselves
|
145
|
-
#
|
146
|
-
# @return [String,nil] the value of the session metadata set in the
|
147
|
-
# configuration, or nil if unset
|
148
|
-
def session_metadata
|
149
|
-
root.application.session_metadata
|
150
|
-
end
|
151
|
-
|
152
143
|
# Typically, the following values would be accessed through Contrast::Components::AppContext
|
153
144
|
# and Contrast::Components::API, but we're too early in the initialization of the Agent to use
|
154
145
|
# that mechanism, so we look it up directly for ourselves.
|
@@ -18,7 +18,10 @@ module Contrast
|
|
18
18
|
DEFAULT_SERVICE_LEVEL = :TRACE
|
19
19
|
# The Rails ActionDispatch regexp for localhost IP + literal localhost
|
20
20
|
# https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/request.rb#L32
|
21
|
-
LOCALHOST = Regexp.union
|
21
|
+
LOCALHOST = Regexp.union([
|
22
|
+
/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/,
|
23
|
+
/^localhost$/
|
24
|
+
])
|
22
25
|
|
23
26
|
def use_bundled_service?
|
24
27
|
# Validates the config to decide if it's suitable for starting
|
@@ -38,6 +41,15 @@ module Contrast
|
|
38
41
|
@_use_agent_communication = true?(::Contrast::CONFIG.root.agent.service.bypass)
|
39
42
|
end
|
40
43
|
|
44
|
+
# If we're using the agent directly and not using protect, then there is no need to start the service. Because
|
45
|
+
# we only know this at startup when hardcoded as such (b/c TS could turn protect on otherwise), we can only do
|
46
|
+
# so when bypass is on and protect is off in local config
|
47
|
+
#
|
48
|
+
# @return [Boolean]
|
49
|
+
def unnecessary?
|
50
|
+
::Contrast::CONTRAST_SERVICE.use_agent_communication? && ::Contrast::PROTECT.forcibly_disabled?
|
51
|
+
end
|
52
|
+
|
41
53
|
def host
|
42
54
|
@_host ||=
|
43
55
|
(::Contrast::CONFIG.root.agent.service.host || Contrast::Config::ServiceConfiguration::DEFAULT_HOST).to_s
|
@@ -41,7 +41,7 @@ module Contrast
|
|
41
41
|
def report_any_command_execution?
|
42
42
|
if @_report_any_command_execution.nil?
|
43
43
|
ctrl = rule_config[Contrast::Agent::Protect::Rule::CmdInjection::NAME]
|
44
|
-
@_report_any_command_execution = true?(ctrl.disable_system_commands)
|
44
|
+
@_report_any_command_execution = ctrl && true?(ctrl.disable_system_commands)
|
45
45
|
end
|
46
46
|
@_report_any_command_execution
|
47
47
|
end
|
@@ -50,7 +50,7 @@ module Contrast
|
|
50
50
|
if @_report_custom_code_sysfile_access.nil?
|
51
51
|
name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.tr('-', '_')
|
52
52
|
ctrl = rule_config[name_changed]
|
53
|
-
@_report_custom_code_sysfile_access = true?(ctrl.detect_custom_code_accessing_system_files)
|
53
|
+
@_report_custom_code_sysfile_access = ctrl && true?(ctrl.detect_custom_code_accessing_system_files)
|
54
54
|
end
|
55
55
|
@_report_custom_code_sysfile_access
|
56
56
|
end
|
@@ -25,7 +25,7 @@ module Contrast
|
|
25
25
|
def sampling_control
|
26
26
|
@_sampling_control ||= begin
|
27
27
|
config_settings = ::Contrast::CONFIG.root.assess&.sampling
|
28
|
-
settings = ::Contrast::SETTINGS&.assess_state&.
|
28
|
+
settings = ::Contrast::SETTINGS&.assess_state&.sampling_settings
|
29
29
|
{
|
30
30
|
enabled: enabled?(config_settings, settings),
|
31
31
|
baseline: baseline(config_settings, settings),
|
@@ -48,7 +48,7 @@ module Contrast
|
|
48
48
|
# @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
|
49
49
|
# @return [Boolean] the resolution of the config_settings, settings, and default value
|
50
50
|
def enabled? config_settings, settings
|
51
|
-
true?([config_settings&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].
|
51
|
+
true?([config_settings&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].compact[0])
|
52
52
|
end
|
53
53
|
|
54
54
|
# @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
|
@@ -56,7 +56,7 @@ module Contrast
|
|
56
56
|
# @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
|
57
57
|
# @return [Integer] the resolution of the config_settings, settings, and default value
|
58
58
|
def baseline config_settings, settings
|
59
|
-
[config_settings&.baseline, settings&.baseline
|
59
|
+
[config_settings&.baseline, settings&.baseline].map(&:to_i).find(&:positive?) || DEFAULT_SAMPLING_BASELINE
|
60
60
|
end
|
61
61
|
|
62
62
|
# @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
|
@@ -64,10 +64,8 @@ module Contrast
|
|
64
64
|
# @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
|
65
65
|
# @return [Integer] the resolution of the config_settings, settings, and default value
|
66
66
|
def request_frequency config_settings, settings
|
67
|
-
[
|
68
|
-
|
69
|
-
DEFAULT_SAMPLING_REQUEST_FREQUENCY
|
70
|
-
].map(&:to_i).find(&:positive?)
|
67
|
+
[config_settings&.request_frequency, settings&.request_frequency].map(&:to_i).find(&:positive?) ||
|
68
|
+
DEFAULT_SAMPLING_REQUEST_FREQUENCY
|
71
69
|
end
|
72
70
|
|
73
71
|
# @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
|
@@ -75,10 +73,8 @@ module Contrast
|
|
75
73
|
# @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
|
76
74
|
# @return [Integer] the resolution of the config_settings, settings, and default value
|
77
75
|
def response_frequency config_settings, settings
|
78
|
-
[
|
79
|
-
|
80
|
-
DEFAULT_SAMPLING_RESPONSE_FREQUENCY
|
81
|
-
].map(&:to_i).find(&:positive?)
|
76
|
+
[config_settings&.response_frequency, settings&.response_frequency].map(&:to_i).find(&:positive?) ||
|
77
|
+
DEFAULT_SAMPLING_RESPONSE_FREQUENCY
|
82
78
|
end
|
83
79
|
|
84
80
|
# @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
|
@@ -86,7 +82,7 @@ module Contrast
|
|
86
82
|
# @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
|
87
83
|
# @return [Integer] the resolution of the config_settings, settings, and default value
|
88
84
|
def window config_settings, settings
|
89
|
-
[config_settings&.window_ms, settings&.window_ms
|
85
|
+
[config_settings&.window_ms, settings&.window_ms].map(&:to_i).find(&:positive?) || DEFAULT_SAMPLING_WINDOW_MS
|
90
86
|
end
|
91
87
|
end
|
92
88
|
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/api/settings.pb'
|
5
|
+
require 'contrast/agent/reporting/settings/sensitive_data_masking'
|
5
6
|
|
6
7
|
module Contrast
|
7
8
|
module Components
|
@@ -13,12 +14,14 @@ module Contrast
|
|
13
14
|
APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).
|
14
15
|
new(Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION), [])
|
15
16
|
PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
|
16
|
-
ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules).new(false, nil,
|
17
|
+
ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
|
18
|
+
[], nil) do
|
17
19
|
def sampling_settings= new_val
|
18
20
|
@sampling_settings = new_val
|
19
21
|
Contrast::Utils::Assess::SamplingUtil.instance.update
|
20
22
|
end
|
21
23
|
end
|
24
|
+
SENSITIVE_DATA_MASKING_BASE = Contrast::Agent::Reporting::Settings::SensitiveDataMasking.new
|
22
25
|
|
23
26
|
# This is a class.
|
24
27
|
class Interface
|
@@ -26,7 +29,67 @@ module Contrast
|
|
26
29
|
|
27
30
|
# tainted_columns are database columns that receive unsanitized input.
|
28
31
|
attr_reader :tainted_columns # This can probably go into assess_state?
|
29
|
-
|
32
|
+
# Current state for Assess.
|
33
|
+
# enabled [Boolean] Indicate if the assess feature set is enabled for this server or not.
|
34
|
+
#
|
35
|
+
# sampling [Hash<AssessSampling>] Hash of AssessSampling Used to control the sampling feature in the agent: {
|
36
|
+
# baseline [Integer] The number of baseline requests to take before switching to sampling
|
37
|
+
# for the window.
|
38
|
+
# enabled [Boolean] If the sampling feature should be used or not.
|
39
|
+
# frequency [Integer] The number of requests to skip before observing during the sampling
|
40
|
+
# window after the baseline.
|
41
|
+
# responseFrequency [Integer]
|
42
|
+
# window [Integer]
|
43
|
+
# }
|
44
|
+
#
|
45
|
+
# disabled_assess_rules [array<AssessRuleID(String)>] Assess rules to disable for this application.
|
46
|
+
attr_reader :assess_state
|
47
|
+
# Current State for Protect.
|
48
|
+
# enabled [Boolean] Indicate if the protect feature set is enabled for this server or not.
|
49
|
+
#
|
50
|
+
# Protection rules are returned as:
|
51
|
+
# rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
|
52
|
+
attr_reader :protect_state
|
53
|
+
# Current Application State.
|
54
|
+
#
|
55
|
+
# modes_by_id [Hash<Rule_id => Mode] Returns Hash with rules and their current mode.
|
56
|
+
# exclusion_matchers [Array] Array of all the exclusions.
|
57
|
+
# code_exclusions [Array<CodeExclusion>] Array of CodeExclusion: {
|
58
|
+
# name [String] The name of the exclusion as defined by the user in TS.
|
59
|
+
# modes [String] If this exclusion applies to assess or protect. [assess, defend]
|
60
|
+
# assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
|
61
|
+
# denylist [String] The call, if in the stack, should result in the agent not taking action.
|
62
|
+
# input_exclusions [Array<InputExclusions>] Array of InputExclusions: {
|
63
|
+
# name [String] The name of the input.
|
64
|
+
# modes [String] If this exclusion applies to assess or protect. [assess, defend]
|
65
|
+
# assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
|
66
|
+
# protect_rules [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
|
67
|
+
# urls [Array] Array of URLs to which the exclusions apply. URL [String]
|
68
|
+
# match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
|
69
|
+
# type [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
|
70
|
+
# }
|
71
|
+
# url_exclusions [Array<UrlExclusions>] Array of UrlExclusions: {
|
72
|
+
# name [String] The name of the input.
|
73
|
+
# modes [String] If this exclusion applies to assess or protect. [assess, defend]
|
74
|
+
# assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
|
75
|
+
# protect_rules [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
|
76
|
+
# urls [Array] Array of URLs to which the exclusions apply. URL [String]
|
77
|
+
# match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
|
78
|
+
# type [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
|
79
|
+
# }
|
80
|
+
attr_reader :application_state
|
81
|
+
# This the structure that will hold the masking rules send from TS.
|
82
|
+
#
|
83
|
+
# @return [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]:
|
84
|
+
# mask_http_body [Boolean] Policy flag to enable the use of masking on request body.
|
85
|
+
# rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>]
|
86
|
+
# Rules to follow when using the masking. Each rules contains Id [String]
|
87
|
+
# and Keywords [Array<String>].
|
88
|
+
attr_reader :sensitive_data_masking
|
89
|
+
# @return [Integer] the time, in ms, that application settings last changed
|
90
|
+
attr_reader :last_app_update_ms
|
91
|
+
# @return [Integer] the time, in ms, that server settings last changed
|
92
|
+
attr_reader :last_server_update_ms
|
30
93
|
|
31
94
|
def initialize
|
32
95
|
reset_state
|
@@ -36,32 +99,31 @@ module Contrast
|
|
36
99
|
@application_state.exclusion_matchers.select(&:code?)
|
37
100
|
end
|
38
101
|
|
39
|
-
# @param
|
40
|
-
def update_from_server_features
|
41
|
-
if
|
42
|
-
|
43
|
-
@assess_state.enabled = features.server_features.assess.enabled?
|
44
|
-
@assess_state.sampling_settings = features.server_features.assess.sampling
|
102
|
+
# @param features_response [Contrast::Api::Settings::ServerFeatures, Contrast::Agent::Reporting::Response]
|
103
|
+
def update_from_server_features features_response
|
104
|
+
if features_response.cs__is_a?(Contrast::Agent::Reporting::Response)
|
105
|
+
update_from_response(features_response)
|
45
106
|
else
|
46
|
-
@protect_state.enabled =
|
47
|
-
@assess_state.enabled =
|
48
|
-
@assess_state.sampling_settings =
|
107
|
+
@protect_state.enabled = features_response.protect_enabled?
|
108
|
+
@assess_state.enabled = features_response.assess_enabled?
|
109
|
+
@assess_state.sampling_settings = features_response.assess.sampling
|
110
|
+
@last_server_update_ms = Contrast::Utils::Timer.now_ms
|
49
111
|
end
|
112
|
+
@last_server_update_ms = Contrast::Utils::Timer.now_ms
|
50
113
|
end
|
51
114
|
|
52
|
-
# @param
|
53
|
-
def update_from_application_settings
|
54
|
-
if
|
55
|
-
|
56
|
-
# TODO: RUBY-1438 this needs to be translated
|
57
|
-
# @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
|
58
|
-
@assess_state.disabled_assess_rules = features.application_settings.assess.disabled_rules
|
115
|
+
# @param settings_response [Contrast::Api::Settings::ApplicationSettings, Contrast::Agent::Reporting::Response]
|
116
|
+
def update_from_application_settings settings_response
|
117
|
+
if settings_response&.cs__class == Contrast::Agent::Reporting::Response
|
118
|
+
update_from_response(settings_response)
|
59
119
|
else
|
60
|
-
new_vals =
|
120
|
+
new_vals = settings_response.application_state_translation
|
61
121
|
@application_state.modes_by_id = new_vals[:modes_by_id]
|
62
122
|
@application_state.exclusion_matchers = new_vals[:exclusion_matchers]
|
63
123
|
@assess_state.disabled_assess_rules = new_vals[:disabled_assess_rules]
|
124
|
+
@last_app_update_ms = Contrast::Utils::Timer.now_ms
|
64
125
|
end
|
126
|
+
@last_app_update_ms = Contrast::Utils::Timer.now_ms
|
65
127
|
end
|
66
128
|
|
67
129
|
# Wipe state to zero.
|
@@ -70,6 +132,7 @@ module Contrast
|
|
70
132
|
@assess_state = ASSESS_STATE_BASE.dup
|
71
133
|
@application_state = APPLICATION_STATE_BASE.dup
|
72
134
|
@tainted_columns = {}
|
135
|
+
@sensitive_data_masking = SENSITIVE_DATA_MASKING_BASE.dup
|
73
136
|
end
|
74
137
|
|
75
138
|
def build_protect_rules
|
@@ -86,6 +149,75 @@ module Contrast
|
|
86
149
|
Contrast::Agent::Protect::Rule::Xss.new
|
87
150
|
Contrast::Agent::Protect::Rule::Xxe.new
|
88
151
|
end
|
152
|
+
|
153
|
+
# Update the sensitive data masking policy from settings,
|
154
|
+
# received from TS. In case the settings are empty,
|
155
|
+
# keep current ones.
|
156
|
+
#
|
157
|
+
# @param sensitive_data_masking [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]
|
158
|
+
# Ts Response settings for sensitive data masking policy
|
159
|
+
def update_sensitive_data_policy sensitive_data_masking
|
160
|
+
@sensitive_data_masking.mask_http_body = sensitive_data_masking.mask_http_body? unless
|
161
|
+
settings_empty?(sensitive_data_masking.mask_http_body?)
|
162
|
+
@sensitive_data_masking.mask_attack_vector = sensitive_data_masking.mask_attack_vector? unless
|
163
|
+
settings_empty?(sensitive_data_masking.mask_attack_vector?)
|
164
|
+
return if settings_empty?(sensitive_data_masking.rules)
|
165
|
+
|
166
|
+
@sensitive_data_masking.rules = sensitive_data_masking.rules
|
167
|
+
# update with the newly received rules.
|
168
|
+
Contrast::Agent::Reporting::Masker.send(:update_dictionary)
|
169
|
+
end
|
170
|
+
|
171
|
+
private
|
172
|
+
|
173
|
+
# @param response [Contrast::Agent::Reporting::Response]
|
174
|
+
def update_from_response response
|
175
|
+
if (server_features = response.server_features)
|
176
|
+
update_server_features(server_features)
|
177
|
+
end
|
178
|
+
return unless (app_settings = response.application_settings)
|
179
|
+
|
180
|
+
update_application_settings(app_settings)
|
181
|
+
end
|
182
|
+
|
183
|
+
# @param server_features [Contrast::Agent::Reporting::Settings::FeatureSettings]
|
184
|
+
def update_server_features server_features
|
185
|
+
return unless server_features
|
186
|
+
|
187
|
+
log_file = server_features.log_file
|
188
|
+
log_level = server_features.log_level
|
189
|
+
Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
|
190
|
+
@protect_state.enabled = server_features.protect.enabled?
|
191
|
+
@assess_state.enabled = server_features.assess.enabled?
|
192
|
+
@assess_state.sampling_settings = server_features.assess.sampling
|
193
|
+
@last_server_update_ms = Contrast::Utils::Timer.now_ms
|
194
|
+
end
|
195
|
+
|
196
|
+
# @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
|
197
|
+
def update_application_settings app_settings
|
198
|
+
return unless app_settings
|
199
|
+
|
200
|
+
@application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
|
201
|
+
# TODO: RUBY-1438 this needs to be translated
|
202
|
+
# @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
|
203
|
+
update_sensitive_data_policy(app_settings.sensitive_data_masking)
|
204
|
+
@assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
|
205
|
+
if app_settings.assess.session_id && !app_settings.assess.session_id.blank?
|
206
|
+
@assess_state.session_id = app_settings.assess.session_id
|
207
|
+
end
|
208
|
+
@last_app_update_ms = Contrast::Utils::Timer.now_ms
|
209
|
+
end
|
210
|
+
|
211
|
+
# check if settings are empty and return true if so.
|
212
|
+
#
|
213
|
+
# @param settings [String, Boolean, Array, Hash]
|
214
|
+
# @return true | false
|
215
|
+
def settings_empty? settings
|
216
|
+
return false if !!settings == settings
|
217
|
+
return true if settings.nil? || settings.empty?
|
218
|
+
|
219
|
+
false
|
220
|
+
end
|
89
221
|
end
|
90
222
|
end
|
91
223
|
end
|