RubyGems - contrast-agent - Versions diffs - 5.3.0 → 6.1.1 - Mend

contrast-agent 5.3.0 → 6.1.1

Files changed (306) hide show

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb CHANGED Viewed

@@ -17,13 +17,6 @@ module Contrast
           class CacheControl < HeaderRule
             include BodyRule
             include Framework::RailsSupport
-            def rule_id
-              'cache-controls-missing'
-            end
-            protected
             HEADER_KEYS = %w[Cache-Control].cs__freeze
             ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
             DEFAULT_SAFE = false
@@ -31,55 +24,75 @@ module Contrast
             HEAD_TAG = /<head>/i.cs__freeze
             NAME = 'cache-control'
+            def rule_id
+              'cache-controls-missing'
+            end
+            protected
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
-              has_header, evidence = process_header(response)
-              return evidence unless evidence.nil?
+              return unless header?(response) && meta_tag?(response)
+              header_evidence = header_evidence(response)
+              return if header_evidence.nil?
-              has_tag, evidence = process_body(response)
-              return evidence unless evidence.nil?
-              return {} if !has_header && !has_tag
+              tag_evidence = tag_evidence(response)
+              return if tag_evidence.nil?
-              nil
+              { DATA => [header_evidence, tag_evidence] }
             end
-            # Process Header value to determine if it violates rule
+            # Is a cache-control header available?
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Array[Boolean, Hash]] whether the header exists and the evidence hash or nil
-            def process_header response
-              # Rails 7 adds support for the cache_control header directly in the
-              # rack response, we should use that value
-              if framework_supported?
-                cache_control = response.rack_response.cache_control
-                has_header = !cache_control.empty?
-                not_valid = has_header && !((cache_control[:no_cache]) || (cache_control[:no_store]))
-                # evidence requires header value string, pull directly instead of rebuilding from hash
-                return has_header, evidence(HEADER_TYPE, NAME, cache_control_to_s(cache_control)) if not_valid
-              else
-                # This rule is violated if the header is not there is there,
-                # but the value is not 'no-store' or 'no-cache'
-                cache_control = get_header_value(response)
-                has_header = !!cache_control
-                not_valid = has_header && !valid_header?(cache_control)
-                return has_header, evidence(HEADER_TYPE, NAME, cache_control) if not_valid
+            # @return [Boolean]
+            def header? response
+              cache_control = cache_control_from(response)
+              framework_supported? ? !cache_control.blank? : !!cache_control
+            end
+            # Is a cache-control meta tag available?
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def meta_tag? response
+              return false if meta_tags(response).empty?
+              meta_tags(response).each do |tag|
+                return true if meta_cache_tag?(tag[HTML_PROP])
               end
-              [has_header, nil]
+              false
+            end
+            def meta_tags response
+              return @_meta_tags if defined? @meta_tags
+              @_meta_tags = html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR)
+            end
+            # Process Header value to determine if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence hash or nil
+            def header_evidence response
+              cache_control = cache_control_from(response)
+              value = framework_supported? ? cache_control : cache_control_to_s(cache_control)
+              # If header is valid, then this portion of the rule isn't violated.
+              return if valid_header?(value)
+              # evidence requires header value string, pull directly instead of rebuilding from hash
+              evidence(HEADER_TYPE, NAME, value)
             end
-            # Process Body to determine cache control exists as meta tag and if it violates rule
+            # Process Body to determine if cache control meta tag violates rule
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Array[Boolean, Hash]] whether the meta tags exists and the evidence hash or nil
-            def process_body response
-              body = response.body
-              # check if the meta tag is include it
-              meta_tags = html_elements(body&.split(HEAD_TAG)&.last, META_START_STR)
-              meta_tags.each do |tag|
-                return true, evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+            # @return [Hash, nil] the evidence hash or nil
+            def tag_evidence response
+              meta_tags(response).each do |tag|
+                return evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag?(tag[HTML_PROP])
               end
-              [!meta_tags.empty?, nil]
             end
             def potential_elements section, element_start
@@ -121,13 +134,23 @@ module Contrast
             end
             # This method accepts the violation and transforms it to the proper hash
-            # before return in as violation
+            # before returning a violation
             #
             # @param type [String] String of Header or META of the type
             # @param name [String] String of either cache-control or pragma
             # @param value [String] String of the violated value
             def evidence type, name, value
-              { DATA => { type: type, name: name, value: value }.to_s }
+              { type: type, name: name, value: value }.to_json
+            end
+            def cache_control_from response
+              # Rails 7 adds support for the cache_control header directly in the
+              # rack response, we should use that value
+              if framework_supported? && response.rack_response.cs__is_a?(Rack::Response)
+                response.rack_response.cache_control
+              else
+                get_header_value(response)
+              end
             end
             # Rebuilds the String value of the Cache-Control Header

data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb CHANGED Viewed

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check the content of the HTTP Response to determine if the headers contains the required header
           class ClickJacking < HeaderRule
-            def rule_id
-              'clickjacking-control-missing'
-            end
             HEADER_KEYS = %w[X-Frame-Options].cs__freeze
             ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
             DEFAULT_SAFE = false
+            def rule_id
+              'clickjacking-control-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb CHANGED Viewed

@@ -12,12 +12,6 @@ module Contrast
         module Response
           # These rules check that the HTTP Headers include CSP header types
           class CspHeaderInsecure < HeaderRule
-            def rule_id
-              'csp-header-insecure'
-            end
-            protected
             HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
             DEFAULT_SAFE = false
             SETTINGS = %w[
@@ -28,6 +22,12 @@ module Contrast
             ASTERISK_REGEXP = /[*]/.cs__freeze
             SAFE_REFLECTED_XSS = /1/.cs__freeze
+            def rule_id
+              'csp-header-insecure'
+            end
+            protected
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb CHANGED Viewed

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check that the HTTP Headers include CSP header types
           class CspHeaderMissing < HeaderRule
-            def rule_id
-              'csp-header-missing'
-            end
             HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
             ACCEPTED_VALUES = [/(.)/].cs__freeze
             DEFAULT_SAFE = false
+            def rule_id
+              'csp-header-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb CHANGED Viewed

@@ -12,16 +12,16 @@ module Contrast
           # This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
           # is set to a value greater than 0.
           class HSTSHeader < HeaderRule
+            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
+            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
+            DEFAULT_SAFE = true
             def rule_id
               'hsts-header-missing'
             end
             protected
-            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
-            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
-            DEFAULT_SAFE = true
             def evidence data
               # get only the value of the max-age property
               val = data&.split('=')&.last

data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb CHANGED Viewed

@@ -32,7 +32,7 @@ module Contrast
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
               body = response.body
-              forms = html_elements(body, FORM_START_REGEXP, true)
+              forms = html_elements(body, FORM_START_REGEXP, capture_overflow: true)
               forms.each do |form|
                 # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
                 # skip out on the first violation.

data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb CHANGED Viewed

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check the content of the HTTP Response to determine if the response contains the needed header
           class XContentType < HeaderRule
-            def rule_id
-              'xcontenttype-header-missing'
-            end
             HEADER_KEYS = %w[X-Content-Type-Options].cs__freeze
             ACCEPTED_VALUES = [/^nosniff/i].cs__freeze
             DEFAULT_SAFE = false
+            def rule_id
+              'xcontenttype-header-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb CHANGED Viewed

@@ -13,15 +13,14 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if the response contains the needed header
           class XXssProtection < HeaderRule
             include Framework::RailsSupport
+            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
+            ACCEPTED_VALUES = [/^1/].cs__freeze
+            DEFAULT_SAFE = true
             def rule_id
               'xxssprotection-header-disabled'
             end
-            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
-            ACCEPTED_VALUES = [/^1/].cs__freeze
-            DEFAULT_SAFE = true
             protected
             def analyze_response? response

data/lib/contrast/agent/assess/tag.rb CHANGED Viewed

@@ -12,6 +12,19 @@ module Contrast
                     :start_idx, # start of range
                     :end_idx    # end of range (calculated from start + length), exclusive
+        # Update range should be how start and end index of tags are changed,
+        # as it includes validation
+        #
+        # Note that we allow start_idx == end_idx b/c this is how we determine
+        # if a tag range is 'covered' in trigger detection
+        ERROR_NEGATIVE_START = 'Unable to set start idx negative'
+        BELOW = 'BELOW'
+        ERROR_END_BEFORE_START = 'Unable to set start idx after end idx'
+        LOW_SPAN = 'LOW_SPAN'
+        WITHIN = 'WITHIN'
+        WITHOUT = 'WITHOUT'
+        HIGH_SPAN = 'HIGH_SPAN'
+        ABOVE = 'ABOVE'
         # Initialize a new tag
         #
         # @param label [String] the label of the tag
@@ -109,13 +122,6 @@ module Contrast
         end
         alias_method :to_s, :str_val
-        BELOW = 'BELOW'
-        LOW_SPAN = 'LOW_SPAN'
-        WITHIN = 'WITHIN'
-        WITHOUT = 'WITHOUT'
-        HIGH_SPAN = 'HIGH_SPAN'
-        ABOVE = 'ABOVE'
         # The tag is ______ the range
         # rrrrrrr == self.range, the range of the tag
         def compare_range start, stop
@@ -154,13 +160,6 @@ module Contrast
         private
-        # Update range should be how start and end index of tags are changed,
-        # as it includes validation
-        #
-        # Note that we allow start_idx == end_idx b/c this is how we determine
-        # if a tag range is 'covered' in trigger detection
-        ERROR_NEGATIVE_START = 'Unable to set start idx negative'
-        ERROR_END_BEFORE_START = 'Unable to set start idx after end idx'
         def update_range start_idx, end_idx
           raise(ArgumentError, ERROR_NEGATIVE_START) if start_idx.negative?
           raise(ArgumentError, ERROR_END_BEFORE_START) if end_idx < start_idx

data/lib/contrast/agent/at_exit_hook.rb CHANGED Viewed

@@ -31,7 +31,18 @@ module Contrast
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context
-        Contrast::Agent.messaging_queue.send_event_immediately(context.activity)
+        if Contrast::Agent::Reporter.enabled?
+          [
+            context.new_observed_route,
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.server_activity),
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity.library_usages),
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
+          ].each do |event|
+            Contrast::Agent.reporter&.send_event_immediately(event)
+          end
+        else
+          Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
+        end
       end
     end
   end

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb CHANGED Viewed

@@ -24,13 +24,6 @@ module Contrast
           def method_scope
             :contrast
           end
-          # TODO: RUBY-99999 remove, used to clean up logs while debugging
-          # def validate
-          #   return if class_name
-          #
-          #   raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
-          # end
         end
       end
     end

data/lib/contrast/agent/deadzone/policy/policy.rb CHANGED Viewed

@@ -35,12 +35,6 @@ module Contrast
             end
           end
-          def validate
-            return if class_name
-            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
-          end
           def module_names
             @_module_names ||= Set.new(deadzones.map(&:class_name))
           end

data/lib/contrast/agent/exclusion_matcher.rb CHANGED Viewed

@@ -51,7 +51,7 @@ module Contrast
         @urls = []
         @exclusion.urls.each do |url|
-          url_pattern = build_regexp(url, true, true)
+          url_pattern = build_regexp(url, start_anchor: true, end_anchor: true)
           @urls << url_pattern if url_pattern
         end
       end
@@ -66,7 +66,7 @@ module Contrast
         @wildcard_exclusions = []
         @exclusion.denylist.each do |code|
           class_name, method_name = code.split(Contrast::Utils::ObjectShare::COLON)
-          class_pattern = build_regexp(class_name, false, true)
+          class_pattern = build_regexp(class_name, start_anchor: false, end_anchor: true)
           method_pattern = build_regexp(method_name)
           next unless class_pattern && method_pattern
@@ -74,7 +74,7 @@ module Contrast
         end
       end
-      def build_regexp pattern, start_anchor = false, end_anchor = false
+      def build_regexp pattern, start_anchor: false, end_anchor: false
         pattern = Contrast::Utils::ObjectShare::CARROT + pattern if start_anchor
         pattern += Contrast::Utils::ObjectShare::DOLLAR_SIGN if end_anchor
         Regexp.compile(pattern)

data/lib/contrast/agent/inventory/database_config.rb CHANGED Viewed

@@ -44,20 +44,27 @@ module Contrast
               end
             end
           rescue StandardError => e
-            logger.error('Unable to append db config', e)
+            logger.warn('Unable to append db config', e)
             nil
           end
           private
           # We capture the active record configuration used by this application, as reported by
-          # ActiveRecord::Base.connection_config, so that we can record it once and report it as needed.
+          # ActiveRecord::Base.connection_db_config, so that we can record it once and report it as needed.
           #
           # @return [Hash]
           def active_record_config
             return @_active_record_config if instance_variable_defined?(:@_active_record_config)
-            @_active_record_config = ActiveRecord::Base.connection_config rescue nil # rubocop:disable Style/RescueModifier
+            @_active_record_config = if ActiveRecord::Base.cs__respond_to?(:connection_db_config)
+                                       ActiveRecord::Base.connection_db_config
+                                     else
+                                       # TODO: RUBY-99999 - Remove when Rails 6.0 is not supported
+                                       ActiveRecord::Base.connection_config
+                                     end
+          rescue StandardError
+            nil
           end
           # The classes we instrument in order to determine which, if any, database(s) an application connects to take

data/lib/contrast/agent/middleware.rb CHANGED Viewed

@@ -13,7 +13,7 @@ require 'contrast/utils/heap_dump_util'
 require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
-require 'contrast/agent/startup_metrics_telemetry_event'
+require 'contrast/agent/telemetry/events/startup_metrics_event'
 require 'contrast/utils/middleware_utils'
 require 'contrast/utils/timer'
@@ -48,6 +48,9 @@ module Contrast
           return
         end
         agent_startup_routine
+      rescue StandardError => e
+        logger.error('Unable to initialize the agent. Disabling permanently.', e)
+        ::Contrast::AGENT.disable! # ensure the agent is disabled (probably redundant)
       end
       # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready to do some
@@ -78,9 +81,9 @@ module Contrast
           Contrast::Agent.thread_watcher.ensure_running?
         end
-        if Contrast::Agent::Telemetry.enabled?
+        if Contrast::Agent::Telemetry::Base.enabled?
           logger.debug_with_time('middleware: sending startup metrics telemetry event') do
-            event = Contrast::Agent::StartupMetricsTelemetryEvent.new
+            event = Contrast::Agent::Telemetry::StartupMetricsEvent.new
             Contrast::Agent.thread_watcher.telemetry_queue.send_event(event)
           end
         end
@@ -145,7 +148,7 @@ module Contrast
           request_handler.ruleset.prefilter
         end
       rescue StandardError => e
-        raise e if security_exception?(e)
+        raise(e) if security_exception?(e)
         logger.error('Unable to execute agent pre_call', e)
       end
@@ -163,6 +166,8 @@ module Contrast
           # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
+          # All protect rules, which are trigger but require response to be reported
+          Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity
@@ -175,7 +180,7 @@ module Contrast
         end
       # unsuccessful attack
       rescue StandardError => e
-        raise e if security_exception?(e)
+        raise(e) if security_exception?(e)
         logger.error('Unable to execute agent post_call', e)
       end

data/lib/contrast/agent/patching/policy/after_load_patch.rb CHANGED Viewed

@@ -47,7 +47,7 @@ module Contrast
             return true  unless target_defined? # bc no methods are loaded
             return false unless method_to_instrument
-            !module_lookup.instance_methods.include? method_to_instrument
+            !module_lookup.instance_methods.include?(method_to_instrument)
           end
           def applies? loaded_module_name
@@ -59,9 +59,7 @@ module Contrast
           end
           def instrument!
-            return if instrumenting_module == :'Contrast::Framework::Rails::Rewrite' && RAILS_VER >= '2.6.0'
-            require instrumentation_file_path
+            require(instrumentation_file_path)
             if instrumenting_module
               mod = Module.cs__const_get(instrumenting_module)
@@ -74,7 +72,7 @@ module Contrast
           def module_lookup
             @_module_lookup ||= begin
-              Module.cs__const_get module_name
+              Module.cs__const_get(module_name)
             rescue StandardError => _e
               nil
             end

data/lib/contrast/agent/patching/policy/after_load_patcher.rb CHANGED Viewed

@@ -43,7 +43,7 @@ module Contrast
               ].cs__freeze
               paths.each do |p|
                 path_part = "cs__assess_#{ p }"
-                Contrast::Extension::Assess::InstrumentHelper.instrument "#{ path_part }/#{ path_part }"
+                Contrast::Extension::Assess::InstrumentHelper.instrument("#{ path_part }/#{ path_part }")
               end
               true
             end
@@ -73,7 +73,7 @@ module Contrast
           # handling
           def apply_require_patches!
             @_apply_require_patches ||= begin
-              require 'contrast/extension/thread'
+              require('contrast/extension/thread')
               true
             rescue LoadError, StandardError => e
               logger.error('failed instrumenting apply_require_patches!', e)

data/lib/contrast/agent/patching/policy/method_policy_extend.rb CHANGED Viewed

@@ -38,8 +38,8 @@ module Contrast
                                                  deadzone_node: deadzone_node
                                              })
-            return method_policy unless check_method_policy_nodes_empty? source_node, propagation_node, trigger_node,
-                                                                         protect_node, inventory_node, deadzone_node
+            return method_policy unless check_method_policy_nodes_empty?(source_node, propagation_node, trigger_node,
+                                                                         protect_node, inventory_node, deadzone_node)
             create_new_node(module_policy, method_policy) if module_policy.deadzone_nodes&.any?
             method_policy
@@ -74,9 +74,9 @@ module Contrast
               next unless node.method_name.nil?
               klass = Module.cs__const_get(node.class_name)
-              next unless it_defined? klass, method_policy.method_name
+              next unless it_defined?(klass, method_policy.method_name)
-              new_node = set_new_node method_policy, klass, node
+              new_node = set_new_node(method_policy, klass, node)
               method_policy.instance_variable_set(:@method_visibility, new_node.method_visibility)
               method_policy.instance_variable_set(:@deadzone_node, node)
               module_policy.deadzone_nodes << new_node