contrast-agent 6.0.0 → 6.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +1 -1
- data/Rakefile +1 -1
- data/ext/build_funchook.rb +3 -3
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +5 -1
- data/ext/cs__assess_regexp/cs__assess_regexp.c +15 -2
- data/ext/cs__assess_regexp/cs__assess_regexp.h +2 -0
- data/ext/cs__assess_string/cs__assess_string.c +8 -0
- data/ext/cs__assess_test/cs__assess_test.h +9 -0
- data/ext/cs__assess_test/cs__assess_tests.c +22 -0
- data/ext/cs__assess_test/extconf.rb +5 -0
- data/ext/cs__common/cs__common.c +101 -0
- data/ext/cs__common/cs__common.h +29 -5
- data/ext/cs__contrast_patch/cs__contrast_patch.c +1 -1
- data/ext/cs__tests/cs__tests.c +12 -0
- data/ext/cs__tests/cs__tests.h +3 -0
- data/ext/cs__tests/extconf.rb +5 -0
- data/ext/extconf_common.rb +1 -1
- data/lib/contrast/agent/assess/contrast_object.rb +16 -16
- data/lib/contrast/agent/assess/events/source_event.rb +17 -19
- data/lib/contrast/agent/assess/finalizers/hash.rb +2 -2
- data/lib/contrast/agent/assess/policy/policy.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_node.rb +9 -10
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -16
- data/lib/contrast/agent/assess/policy/propagation_method.rb +3 -3
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -3
- data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/buffer.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +17 -21
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
- data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +10 -18
- data/lib/contrast/agent/assess/policy/trigger_node.rb +16 -16
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
- data/lib/contrast/agent/assess/property/evented.rb +2 -2
- data/lib/contrast/agent/assess/property/tagged.rb +2 -2
- data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +6 -8
- data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +6 -7
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +12 -7
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +13 -6
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +66 -43
- data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +6 -6
- data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +4 -4
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +3 -4
- data/lib/contrast/agent/assess/tag.rb +13 -14
- data/lib/contrast/agent/at_exit_hook.rb +12 -1
- data/lib/contrast/agent/inventory/database_config.rb +22 -7
- data/lib/contrast/agent/middleware.rb +9 -6
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +3 -5
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +2 -2
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +4 -4
- data/lib/contrast/agent/patching/policy/patch.rb +20 -19
- data/lib/contrast/agent/patching/policy/patch_status.rb +10 -3
- data/lib/contrast/agent/patching/policy/patcher.rb +1 -1
- data/lib/contrast/agent/patching/policy/policy.rb +13 -15
- data/lib/contrast/agent/patching/policy/policy_node.rb +19 -21
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +126 -122
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +4 -4
- data/lib/contrast/agent/protect/rule/base.rb +30 -18
- data/lib/contrast/agent/protect/rule/base_service.rb +31 -14
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +16 -9
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +3 -3
- data/lib/contrast/agent/protect/rule/default_scanner.rb +2 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +18 -7
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +74 -74
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +71 -53
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +3 -3
- data/lib/contrast/agent/protect/rule/no_sqli.rb +15 -16
- data/lib/contrast/agent/protect/rule/path_traversal.rb +13 -3
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +1 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +16 -23
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +61 -61
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +29 -29
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +32 -32
- data/lib/contrast/agent/protect/rule/xss.rb +17 -0
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +14 -13
- data/lib/contrast/agent/protect/rule/xxe.rb +25 -3
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +36 -36
- data/lib/contrast/agent/reporting/masker/masker.rb +18 -21
- data/lib/contrast/agent/reporting/masker/masker_utils.rb +10 -6
- data/lib/contrast/agent/reporting/reporter.rb +11 -16
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +49 -0
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +96 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +182 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +56 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +22 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +70 -0
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +60 -0
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +15 -11
- data/lib/contrast/agent/reporting/reporting_events/application_update.rb +7 -12
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +9 -3
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +2 -4
- data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +7 -3
- data/lib/contrast/agent/reporting/reporting_events/poll.rb +6 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight.rb +10 -8
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +6 -10
- data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +12 -20
- data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +27 -0
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +17 -27
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +38 -0
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +8 -0
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +15 -10
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +54 -67
- data/lib/contrast/agent/reporting/reporting_utilities/response.rb +17 -7
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +9 -6
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +17 -17
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +47 -32
- data/lib/contrast/agent/reporting/settings/application_settings.rb +1 -1
- data/lib/contrast/agent/reporting/settings/assess.rb +5 -5
- data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +3 -3
- data/lib/contrast/agent/reporting/settings/exclusions.rb +3 -3
- data/lib/contrast/agent/reporting/settings/protect.rb +21 -6
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +6 -6
- data/lib/contrast/agent/reporting/settings/reaction.rb +3 -3
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +2 -2
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +2 -2
- data/lib/contrast/agent/reporting/settings/server_features.rb +2 -2
- data/lib/contrast/agent/request.rb +5 -5
- data/lib/contrast/agent/request_context.rb +23 -19
- data/lib/contrast/agent/request_context_extend.rb +11 -24
- data/lib/contrast/agent/request_handler.rb +4 -4
- data/lib/contrast/agent/response.rb +2 -0
- data/lib/contrast/agent/rule_set.rb +2 -2
- data/lib/contrast/agent/scope.rb +1 -1
- data/lib/contrast/agent/service_heartbeat.rb +6 -48
- data/lib/contrast/agent/static_analysis.rb +1 -1
- data/lib/contrast/agent/telemetry/base.rb +155 -0
- data/lib/contrast/agent/telemetry/events/event.rb +35 -0
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +119 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_base.rb +44 -36
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +29 -21
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message.rb +91 -73
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb +62 -44
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb +50 -33
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +20 -0
- data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb +30 -0
- data/lib/contrast/agent/telemetry/events/metric_event.rb +28 -0
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +123 -0
- data/lib/contrast/agent/thread_watcher.rb +52 -68
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent/worker_thread.rb +8 -0
- data/lib/contrast/agent.rb +1 -3
- data/lib/contrast/api/communication/messaging_queue.rb +29 -12
- data/lib/contrast/api/communication/response_processor.rb +7 -10
- data/lib/contrast/api/communication/service_lifecycle.rb +1 -1
- data/lib/contrast/api/communication/socket.rb +1 -1
- data/lib/contrast/api/communication/socket_client.rb +1 -1
- data/lib/contrast/api/communication/speedracer.rb +3 -3
- data/lib/contrast/api/decorators/activity.rb +33 -0
- data/lib/contrast/api/decorators/agent_startup.rb +10 -9
- data/lib/contrast/api/decorators/application_settings.rb +1 -1
- data/lib/contrast/api/decorators/application_startup.rb +4 -4
- data/lib/contrast/api/decorators/http_request.rb +1 -1
- data/lib/contrast/api/decorators/response_type.rb +4 -17
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/base.rb +1 -1
- data/lib/contrast/components/config.rb +19 -28
- data/lib/contrast/components/contrast_service.rb +13 -1
- data/lib/contrast/components/sampling.rb +1 -1
- data/lib/contrast/components/settings.rb +58 -24
- data/lib/contrast/config/agent_configuration.rb +21 -11
- data/lib/contrast/config/api_configuration.rb +12 -8
- data/lib/contrast/config/api_proxy_configuration.rb +7 -3
- data/lib/contrast/config/application_configuration.rb +15 -11
- data/lib/contrast/config/assess_configuration.rb +13 -9
- data/lib/contrast/config/assess_rules_configuration.rb +6 -2
- data/lib/contrast/config/base_configuration.rb +3 -35
- data/lib/contrast/config/certification_configuration.rb +9 -5
- data/lib/contrast/config/exception_configuration.rb +10 -7
- data/lib/contrast/config/heap_dump_configuration.rb +13 -9
- data/lib/contrast/config/inventory_configuration.rb +9 -6
- data/lib/contrast/config/logger_configuration.rb +9 -6
- data/lib/contrast/config/protect_configuration.rb +9 -6
- data/lib/contrast/config/protect_rule_configuration.rb +12 -8
- data/lib/contrast/config/protect_rules_configuration.rb +19 -18
- data/lib/contrast/config/request_audit_configuration.rb +10 -7
- data/lib/contrast/config/root_configuration.rb +29 -12
- data/lib/contrast/config/ruby_configuration.rb +14 -11
- data/lib/contrast/config/sampling_configuration.rb +11 -8
- data/lib/contrast/config/server_configuration.rb +13 -9
- data/lib/contrast/config/service_configuration.rb +14 -11
- data/lib/contrast/configuration.rb +23 -14
- data/lib/contrast/extension/assess/array.rb +1 -1
- data/lib/contrast/extension/assess/erb.rb +1 -1
- data/lib/contrast/extension/assess/marshal.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +1 -1
- data/lib/contrast/extension/extension.rb +2 -2
- data/lib/contrast/framework/base_support.rb +8 -8
- data/lib/contrast/framework/grape/support.rb +3 -3
- data/lib/contrast/framework/manager.rb +5 -5
- data/lib/contrast/framework/manager_extend.rb +1 -1
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +14 -3
- data/lib/contrast/framework/rails/patch/assess_configuration.rb +3 -3
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/patch/support.rb +14 -46
- data/lib/contrast/framework/rails/support.rb +2 -2
- data/lib/contrast/framework/sinatra/support.rb +1 -1
- data/lib/contrast/logger/aliased_logging.rb +94 -0
- data/lib/contrast/logger/application.rb +0 -4
- data/lib/contrast/logger/cef_log.rb +14 -14
- data/lib/contrast/logger/format.rb +1 -1
- data/lib/contrast/logger/log.rb +8 -8
- data/lib/contrast/tasks/config.rb +30 -21
- data/lib/contrast/tasks/service.rb +2 -2
- data/lib/contrast/utils/assess/tracking_util.rb +4 -4
- data/lib/contrast/utils/class_util.rb +6 -10
- data/lib/contrast/utils/findings.rb +3 -3
- data/lib/contrast/utils/hash_digest.rb +6 -7
- data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
- data/lib/contrast/utils/invalid_configuration_util.rb +2 -2
- data/lib/contrast/utils/log_utils.rb +6 -4
- data/lib/contrast/utils/lru_cache.rb +1 -1
- data/lib/contrast/utils/metrics_hash.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +6 -6
- data/lib/contrast/utils/net_http_base.rb +4 -4
- data/lib/contrast/utils/object_share.rb +1 -1
- data/lib/contrast/utils/os.rb +1 -1
- data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
- data/lib/contrast/utils/request_utils.rb +2 -2
- data/lib/contrast/utils/sha256_builder.rb +4 -4
- data/lib/contrast/utils/stack_trace_utils.rb +31 -13
- data/lib/contrast/utils/telemetry.rb +22 -7
- data/lib/contrast/utils/telemetry_client.rb +27 -15
- data/lib/contrast/utils/telemetry_hash.rb +41 -0
- data/lib/contrast/utils/telemetry_identifier.rb +18 -3
- data/lib/contrast/utils/timer.rb +1 -1
- data/lib/contrast.rb +9 -0
- data/resources/assess/policy.json +1 -1
- data/ruby-agent.gemspec +1 -1
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +41 -16
- data/lib/contrast/agent/telemetry/events/metric_telemetry_event.rb +0 -26
- data/lib/contrast/agent/telemetry/events/startup_metrics_telemetry_event.rb +0 -121
- data/lib/contrast/agent/telemetry/events/telemetry_event.rb +0 -33
- data/lib/contrast/agent/telemetry/telemetry.rb +0 -150
- data/lib/contrast/utils/exclude_key.rb +0 -20
@@ -32,22 +32,8 @@ module Contrast
|
|
32
32
|
mod = trace_point.self
|
33
33
|
return if mod.cs__frozen? || mod.singleton_class?
|
34
34
|
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
def different_ruby_version trace_point, provider_values, mod
|
39
|
-
# TODO: RUBY-1014 - remove non-AST approach
|
40
|
-
if RUBY_VERSION >= '2.6.0'
|
41
|
-
# TODO: RUBY-714 EOL 2.5. That check will be removed and the code will be brought back in here.
|
42
|
-
ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
|
43
|
-
provider_values.each do |provider|
|
44
|
-
provider.parse(trace_point, ast)
|
45
|
-
end
|
46
|
-
else
|
47
|
-
provider_values.each do |provider|
|
48
|
-
provider.analyze(mod)
|
49
|
-
end
|
50
|
-
end
|
35
|
+
ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
|
36
|
+
provider_values.each { |provider| provider.parse(trace_point, ast) }
|
51
37
|
end
|
52
38
|
|
53
39
|
def policy
|
@@ -216,8 +216,8 @@ module Contrast
|
|
216
216
|
# If we are using the original object tracking, the preshift object is not created.
|
217
217
|
# Instead identify the source as the original object itself and propagate with it.
|
218
218
|
source = propagation_node.use_original_object? ? propagation_data.object : preshift
|
219
|
-
handle_propagation
|
220
|
-
update_properties
|
219
|
+
handle_propagation(propagation_class, propagation_node, source, target)
|
220
|
+
update_properties(restore_frozen_state, propagation_node, target, propagation_data, ret)
|
221
221
|
end
|
222
222
|
|
223
223
|
def handle_propagation propagation_class, propagation_node, source, target
|
@@ -230,7 +230,7 @@ module Contrast
|
|
230
230
|
|
231
231
|
def update_properties restore_frozen_state, propagation_node, target, propagation_data, ret
|
232
232
|
if propagation_node.use_original_on_bang_method?
|
233
|
-
properties = use_original_object_properties
|
233
|
+
properties = use_original_object_properties(propagation_data)
|
234
234
|
|
235
235
|
return unless properties
|
236
236
|
else
|
@@ -22,6 +22,8 @@ module Contrast
|
|
22
22
|
attr_reader :untags, :patch_method
|
23
23
|
attr_accessor :action, :patch_class
|
24
24
|
|
25
|
+
TAGGER = 'Tagger'
|
26
|
+
PROPAGATOR = 'Propagator'
|
25
27
|
# Most things here carry over from PolicyNode.
|
26
28
|
# A couple things are new / have new rules
|
27
29
|
#
|
@@ -41,9 +43,6 @@ module Contrast
|
|
41
43
|
validate
|
42
44
|
end
|
43
45
|
|
44
|
-
TAGGER = 'Tagger'
|
45
|
-
PROPAGATOR = 'Propagator'
|
46
|
-
|
47
46
|
def node_class
|
48
47
|
@_node_class ||= tagger? ? TAGGER : PROPAGATOR
|
49
48
|
end
|
@@ -26,7 +26,7 @@ module Contrast
|
|
26
26
|
end
|
27
27
|
|
28
28
|
def propagate _propagation_node, _preshift, _target
|
29
|
-
raise
|
29
|
+
raise(NoMethodError("Expected Base propagator subclass: #{ cs__class } to implement #propagate"))
|
30
30
|
end
|
31
31
|
end
|
32
32
|
end
|
@@ -106,7 +106,8 @@ module Contrast
|
|
106
106
|
ret
|
107
107
|
else
|
108
108
|
# SELECT
|
109
|
-
Contrast::Agent::Assess::Policy::Propagator::Select.select_tagger
|
109
|
+
Contrast::Agent::Assess::Policy::Propagator::Select.select_tagger(propagation_node, preshift, ret,
|
110
|
+
nil)
|
110
111
|
end
|
111
112
|
end
|
112
113
|
end
|
@@ -31,7 +31,7 @@ module Contrast
|
|
31
31
|
::Contrast::ASSESS.tainted_columns[class_name] = tainted_columns.keys
|
32
32
|
end
|
33
33
|
|
34
|
-
Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources
|
34
|
+
Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources(class_type, tainted_columns)
|
35
35
|
end
|
36
36
|
|
37
37
|
private
|
@@ -41,7 +41,7 @@ module Contrast
|
|
41
41
|
source = find_source(propagation_node.sources[0], preshift)
|
42
42
|
return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
|
43
43
|
|
44
|
-
update_element_properties
|
44
|
+
update_element_properties(propagation_node, target, preshift, source_properties)
|
45
45
|
nil
|
46
46
|
end
|
47
47
|
|
@@ -97,7 +97,7 @@ module Contrast
|
|
97
97
|
def instrument_string_split
|
98
98
|
@_instrument_string_split ||= begin
|
99
99
|
if ::Contrast::AGENT.patch_yield? && Funchook.available?
|
100
|
-
require
|
100
|
+
require('cs__assess_yield_track/cs__assess_yield_track')
|
101
101
|
end
|
102
102
|
true
|
103
103
|
rescue StandardError => e
|
@@ -178,27 +178,23 @@ module Contrast
|
|
178
178
|
end
|
179
179
|
end
|
180
180
|
|
181
|
-
|
182
|
-
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
def split *args, &block
|
193
|
-
if block
|
194
|
-
Contrast::Agent::Assess::Policy::Propagator::Split.wrap_split(self, args) do
|
195
|
-
cs__patched_string_split_special(*args, &block)
|
196
|
-
end
|
197
|
-
else
|
181
|
+
# Special class to handle String#split in which, when given a block, propagates each split piece directly.
|
182
|
+
class String
|
183
|
+
alias_method :cs__patched_string_split_special, :split
|
184
|
+
|
185
|
+
# Override of the the standard split method to handle the direct yield case.
|
186
|
+
#
|
187
|
+
# Note: because this patch is applied before our standard propagation, this call is wrapped in it. As such, any call
|
188
|
+
# here happens in scope, so there is no need to manage it on our own.
|
189
|
+
def split *args, &block
|
190
|
+
if block
|
191
|
+
Contrast::Agent::Assess::Policy::Propagator::Split.wrap_split(self, args) do
|
198
192
|
cs__patched_string_split_special(*args, &block)
|
199
193
|
end
|
194
|
+
else
|
195
|
+
cs__patched_string_split_special(*args, &block)
|
200
196
|
end
|
201
197
|
end
|
202
|
-
|
203
|
-
Contrast::Agent::Assess::Policy::Propagator::Split.instrument_string_split
|
204
198
|
end
|
199
|
+
|
200
|
+
Contrast::Agent::Assess::Policy::Propagator::Split.instrument_string_split
|
@@ -40,7 +40,7 @@ module Contrast
|
|
40
40
|
source = preshift.object
|
41
41
|
args = preshift.args
|
42
42
|
properties.splat_from(source, ret)
|
43
|
-
event_data = Contrast::Agent::Assess::Events::EventData.new
|
43
|
+
event_data = Contrast::Agent::Assess::Events::EventData.new(patcher, ret, source, ret, args)
|
44
44
|
properties.build_event(event_data)
|
45
45
|
ret
|
46
46
|
end
|
@@ -15,13 +15,13 @@ module Contrast
|
|
15
15
|
|
16
16
|
JSON_TYPE = 'type'
|
17
17
|
SOURCE_TAG = 'UNTRUSTED'
|
18
|
+
SOURCE = 'Source'
|
18
19
|
def initialize source_hash = {}
|
19
20
|
super(source_hash)
|
20
21
|
@type = source_hash[JSON_TYPE]
|
21
22
|
@tags << SOURCE_TAG
|
22
23
|
end
|
23
24
|
|
24
|
-
SOURCE = 'Source'
|
25
25
|
def node_class
|
26
26
|
SOURCE
|
27
27
|
end
|
@@ -12,6 +12,7 @@ require 'contrast/agent/reporting/reporting_events/preflight'
|
|
12
12
|
require 'contrast/agent/reporting/reporting_events/preflight_message'
|
13
13
|
require 'contrast/agent/reporting/reporting_events/route_discovery'
|
14
14
|
require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
|
15
|
+
require 'contrast/agent/reporting/reporting_utilities/build_preflight'
|
15
16
|
|
16
17
|
module Contrast
|
17
18
|
module Agent
|
@@ -92,7 +93,7 @@ module Contrast
|
|
92
93
|
content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
|
93
94
|
|
94
95
|
if content_type.nil? && trigger_node.collectable?
|
95
|
-
Contrast::Agent::FINDINGS.collect_finding
|
96
|
+
Contrast::Agent::FINDINGS.collect_finding(trigger_node, source, object, ret, *args)
|
96
97
|
return
|
97
98
|
end
|
98
99
|
|
@@ -105,8 +106,8 @@ module Contrast
|
|
105
106
|
handle_new_finding(trigger_node, source, object, ret, request, *args)
|
106
107
|
else # TODO: RUBY-1438 -- remove
|
107
108
|
finding = Contrast::Api::Dtm::Finding.new
|
108
|
-
event_data = Contrast::Agent::Assess::Events::EventData.new
|
109
|
-
append_to_finding
|
109
|
+
event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
|
110
|
+
append_to_finding(finding, event_data, request)
|
110
111
|
logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
|
111
112
|
rule: trigger_node.rule_id)
|
112
113
|
report_finding(finding, request)
|
@@ -142,28 +143,19 @@ module Contrast
|
|
142
143
|
|
143
144
|
# If we're out of request context, then we need to report this finding ourselves,
|
144
145
|
# so we'll send it in the one-off activity we created.
|
145
|
-
Contrast::Agent.messaging_queue
|
146
|
+
Contrast::Agent.messaging_queue&.send_event_eventually(activity)
|
146
147
|
end
|
147
148
|
|
148
149
|
def handle_new_finding trigger_node, source, object, ret, request, *args
|
149
150
|
# sent to reporter
|
150
151
|
# here we will generate new type of finding
|
151
|
-
ruby_finding = Contrast::Agent::Reporting::Finding.new
|
152
|
-
ruby_finding.attach_data
|
152
|
+
ruby_finding = Contrast::Agent::Reporting::Finding.new(trigger_node.rule_id)
|
153
|
+
ruby_finding.attach_data(trigger_node, source, object, ret, request, *args)
|
153
154
|
hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
|
154
155
|
ruby_finding.hash_code = hash_code
|
155
|
-
# save the current finding
|
156
|
-
Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
|
157
156
|
|
158
|
-
new_preflight = Contrast::Agent::Reporting::
|
159
|
-
|
160
|
-
if request.route
|
161
|
-
new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
|
162
|
-
end
|
163
|
-
new_preflight_message.hash_code = hash_code
|
164
|
-
new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
|
165
|
-
new_preflight.messages << new_preflight_message
|
166
|
-
Contrast::Agent.reporter&.send_event_immediately(new_preflight)
|
157
|
+
new_preflight = Contrast::Agent::Reporting::BuildPreflight.build(ruby_finding, request)
|
158
|
+
Contrast::Agent.reporter&.send_event(new_preflight)
|
167
159
|
end
|
168
160
|
|
169
161
|
private
|
@@ -217,7 +209,7 @@ module Contrast
|
|
217
209
|
properties = Contrast::Agent::Assess::Tracker.properties(source)
|
218
210
|
return unless properties
|
219
211
|
|
220
|
-
build_events
|
212
|
+
build_events(finding, properties.event) if properties.event
|
221
213
|
|
222
214
|
# Google::Protobuf::Map doesn't support merge!, so we have to do this long form
|
223
215
|
source_props = properties.properties
|
@@ -28,6 +28,21 @@ module Contrast
|
|
28
28
|
|
29
29
|
attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
|
30
30
|
|
31
|
+
ENCODER_START = 'CUSTOM_ENCODED_'
|
32
|
+
# By default, any rule will be triggered if the source
|
33
|
+
# of the rule event has an untrusted tag range that is
|
34
|
+
# not covered by one of its disallowed tags.
|
35
|
+
UNTRUSTED = 'UNTRUSTED'
|
36
|
+
TRIGGER = 'Trigger'
|
37
|
+
VALIDATOR_START = 'CUSTOM_VALIDATED_'
|
38
|
+
# If a level 1 rule comes from TeamServer, it will have the
|
39
|
+
# tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
|
40
|
+
# All rules should take this into account.
|
41
|
+
# Additionally, if something is marked 'limited-chars' it means
|
42
|
+
# it has been properly vetted to not contain dangerous input.
|
43
|
+
LIMITED_CHARS = 'LIMITED_CHARS'
|
44
|
+
CUSTOM_ENCODED = 'CUSTOM_ENCODED'
|
45
|
+
CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
|
31
46
|
def initialize trigger_hash = {}, rule_hash = {}
|
32
47
|
super(trigger_hash)
|
33
48
|
good_value = trigger_hash[JSON_GOOD_VALUE]
|
@@ -46,7 +61,6 @@ module Contrast
|
|
46
61
|
validate
|
47
62
|
end
|
48
63
|
|
49
|
-
TRIGGER = 'Trigger'
|
50
64
|
def node_class
|
51
65
|
TRIGGER
|
52
66
|
end
|
@@ -138,10 +152,6 @@ module Contrast
|
|
138
152
|
|
139
153
|
private
|
140
154
|
|
141
|
-
# By default, any rule will be triggered if the source
|
142
|
-
# of the rule event has an untrusted tag range that is
|
143
|
-
# not covered by one of its disallowed tags.
|
144
|
-
UNTRUSTED = 'UNTRUSTED'
|
145
155
|
def populate_tags required_tags
|
146
156
|
return unless dataflow?
|
147
157
|
|
@@ -150,16 +160,6 @@ module Contrast
|
|
150
160
|
@required_tags << UNTRUSTED
|
151
161
|
end
|
152
162
|
|
153
|
-
ENCODER_START = 'CUSTOM_ENCODED_'
|
154
|
-
VALIDATOR_START = 'CUSTOM_VALIDATED_'
|
155
|
-
# If a level 1 rule comes from TeamServer, it will have the
|
156
|
-
# tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
|
157
|
-
# All rules should take this into account.
|
158
|
-
# Additionally, if something is marked 'limited-chars' it means
|
159
|
-
# it has been properly vetted to not contain dangerous input.
|
160
|
-
LIMITED_CHARS = 'LIMITED_CHARS'
|
161
|
-
CUSTOM_ENCODED = 'CUSTOM_ENCODED'
|
162
|
-
CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
|
163
163
|
def populate_disallowed disallowed_tags
|
164
164
|
return unless dataflow?
|
165
165
|
|
@@ -195,7 +195,7 @@ module Contrast
|
|
195
195
|
chunking = false
|
196
196
|
ranges = []
|
197
197
|
# find the start and end range of required tags:
|
198
|
-
search_ranges = find_required_ranges
|
198
|
+
search_ranges = find_required_ranges(properties, required_tags)
|
199
199
|
start_range = search_ranges.first
|
200
200
|
end_range = search_ranges.last + 1
|
201
201
|
|
@@ -42,8 +42,8 @@ module Contrast
|
|
42
42
|
return unless event.source_type
|
43
43
|
return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
|
44
44
|
|
45
|
-
append_to_dtm
|
46
|
-
append_to_ruby_object
|
45
|
+
append_to_dtm(current_request, event)
|
46
|
+
append_to_ruby_object(current_request, event)
|
47
47
|
end
|
48
48
|
|
49
49
|
def append_to_dtm current_request, event
|
@@ -91,7 +91,7 @@ module Contrast
|
|
91
91
|
value.each do |tag|
|
92
92
|
comparison = tag.compare_range(range.begin, range.end)
|
93
93
|
# ABOVE and BELOW are not affected by this check
|
94
|
-
tags_remove_comparison
|
94
|
+
tags_remove_comparison(comparison, tag, remove, add, range)
|
95
95
|
end
|
96
96
|
value.delete_if { |tag| remove.include?(tag) }
|
97
97
|
Contrast::Utils::TagUtil.ordered_merge(value, add)
|
@@ -166,7 +166,7 @@ module Contrast
|
|
166
166
|
comparison = tag.compare_range(range.begin, range.end)
|
167
167
|
length = range.end - range.begin
|
168
168
|
# BELOW is not affected by this check
|
169
|
-
shift_tags_comparison
|
169
|
+
shift_tags_comparison(comparison, add, tag, length, range)
|
170
170
|
end
|
171
171
|
Contrast::Utils::TagUtil.ordered_merge(value, add)
|
172
172
|
end
|
@@ -12,28 +12,27 @@ module Contrast
|
|
12
12
|
# 2) the value is a non-empty array of only Fixnums
|
13
13
|
class HardcodedKey
|
14
14
|
include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
|
15
|
-
|
15
|
+
REDACTED_MARKER = ' = [**REDACTED**]'
|
16
16
|
NAME = 'hardcoded-key'
|
17
|
-
def rule_id
|
18
|
-
NAME
|
19
|
-
end
|
20
|
-
|
21
17
|
# These are names, determined by the security team (Matt & Ar), that
|
22
18
|
# indicate a field is likely to be a password or secret token of some
|
23
19
|
# sort.
|
24
20
|
KEY_FIELD_NAMES = %w[KEY AES DES IV SECRET].cs__freeze
|
25
|
-
|
26
21
|
# These are markers whose presence indicates that a field is more
|
27
22
|
# likely to be a descriptor or requirement than an actual key.
|
28
23
|
# We should ignore fields that contain them.
|
29
24
|
NON_KEY_PARTIAL_NAMES = %w[CONTENT_CODES RESPONSE_CODES ERROR_CODES].cs__freeze
|
25
|
+
BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
|
26
|
+
|
27
|
+
def rule_id
|
28
|
+
NAME
|
29
|
+
end
|
30
30
|
|
31
31
|
def name_passes? constant_string
|
32
32
|
KEY_FIELD_NAMES.any? { |name| constant_string.index(name) } &&
|
33
33
|
NON_KEY_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
|
34
34
|
end
|
35
35
|
|
36
|
-
BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
|
37
36
|
# Determine if the given value node violates the hardcode key rule
|
38
37
|
# @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
|
39
38
|
# evaluate
|
@@ -66,7 +65,6 @@ module Contrast
|
|
66
65
|
true
|
67
66
|
end
|
68
67
|
|
69
|
-
REDACTED_MARKER = ' = [**REDACTED**]'
|
70
68
|
def redacted_marker
|
71
69
|
REDACTED_MARKER
|
72
70
|
end
|
@@ -15,12 +15,9 @@ module Contrast
|
|
15
15
|
# mixing the characters counts as a violation of this rule
|
16
16
|
class HardcodedPassword
|
17
17
|
include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
|
18
|
-
|
19
18
|
NAME = 'hardcoded-password'
|
20
|
-
|
21
|
-
|
22
|
-
end
|
23
|
-
|
19
|
+
REDACTED_MARKER = ' = "**REDACTED**"'
|
20
|
+
PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
|
24
21
|
# These are names, determined by the security team (Matt & Ar), that
|
25
22
|
# indicate a field is likely to be a password or secret token of some
|
26
23
|
# sort.
|
@@ -34,6 +31,10 @@ module Contrast
|
|
34
31
|
URI
|
35
32
|
].cs__freeze
|
36
33
|
|
34
|
+
def rule_id
|
35
|
+
NAME
|
36
|
+
end
|
37
|
+
|
37
38
|
# If the constant looks like a password and it doesn't look like a
|
38
39
|
# password descriptor, it passes for this rule
|
39
40
|
def name_passes? constant_string
|
@@ -62,12 +63,10 @@ module Contrast
|
|
62
63
|
# characters are probably more likely to appear together in a
|
63
64
|
# default placeholder than in a password. Note this is opposite of
|
64
65
|
# the behavior in Java
|
65
|
-
PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
|
66
66
|
def probably_property_name? value
|
67
67
|
value.match?(PROPERTY_NAME_PATTERN)
|
68
68
|
end
|
69
69
|
|
70
|
-
REDACTED_MARKER = ' = "**REDACTED**"'
|
71
70
|
def redacted_marker
|
72
71
|
REDACTED_MARKER
|
73
72
|
end
|
@@ -86,9 +86,9 @@ module Contrast
|
|
86
86
|
return unless value_node_passes?(value)
|
87
87
|
|
88
88
|
if Contrast::Agent::Reporter.enabled?
|
89
|
-
new_finding_and_reporting
|
89
|
+
new_finding_and_reporting(mod, name)
|
90
90
|
else # TODO: RUBY-1438 -- remove
|
91
|
-
build_finding
|
91
|
+
build_finding(mod, name)
|
92
92
|
end
|
93
93
|
end
|
94
94
|
|
@@ -112,13 +112,18 @@ module Contrast
|
|
112
112
|
def build_finding clazz, constant_string
|
113
113
|
class_name = clazz.cs__name
|
114
114
|
|
115
|
-
finding = assign_finding
|
116
|
-
Contrast::
|
115
|
+
finding = assign_finding(class_name, constant_string)
|
116
|
+
activity = Contrast::Api::Dtm::Activity.new
|
117
|
+
activity.findings << finding
|
118
|
+
Contrast::Agent.messaging_queue.send_event_eventually(activity, force: true)
|
117
119
|
rescue StandardError => e
|
118
120
|
logger.error('Unable to build a finding for Hardcoded Rule', e)
|
119
121
|
nil
|
120
122
|
end
|
121
123
|
|
124
|
+
# @param class_name [String] the name of the class in which the hardcoded value is present
|
125
|
+
# @param constant_string [String] the name of the constant
|
126
|
+
# @return [Contrast::Api::Dtm::Finding]
|
122
127
|
def assign_finding class_name, constant_string
|
123
128
|
finding = Contrast::Api::Dtm::Finding.new
|
124
129
|
finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
|
@@ -148,17 +153,17 @@ module Contrast
|
|
148
153
|
|
149
154
|
# extract to new method
|
150
155
|
# here we will generate new type of finding
|
151
|
-
ruby_finding = Contrast::Agent::Reporting::Finding.new
|
156
|
+
ruby_finding = Contrast::Agent::Reporting::Finding.new(rule_id)
|
152
157
|
ruby_finding.hash_code = hash
|
153
158
|
ruby_finding.properties[SOURCE_KEY] = clazz.cs__name
|
154
159
|
ruby_finding.properties[CONSTANT_NAME_KEY] = constant_string
|
155
160
|
ruby_finding.properties[CODE_SOURCE_KEY] = constant_string + redacted_marker
|
156
|
-
save_and_report_finding
|
161
|
+
save_and_report_finding(ruby_finding, new_preflight)
|
157
162
|
end
|
158
163
|
|
159
164
|
def save_and_report_finding ruby_finding, new_preflight
|
160
165
|
Contrast::Agent::Reporting::ReportingStorage[hash] = ruby_finding
|
161
|
-
Contrast::Agent.reporter&.
|
166
|
+
Contrast::Agent.reporter&.send_event(new_preflight)
|
162
167
|
end
|
163
168
|
end
|
164
169
|
end
|
@@ -4,6 +4,7 @@
|
|
4
4
|
require 'rack'
|
5
5
|
require 'json'
|
6
6
|
require 'contrast/agent/reporting/reporting_utilities/dtm_message'
|
7
|
+
require 'contrast/agent/reporting/reporting_utilities/build_preflight'
|
7
8
|
require 'contrast/utils/hash_digest'
|
8
9
|
require 'contrast/utils/preflight_util'
|
9
10
|
require 'contrast/utils/string_utils'
|
@@ -16,6 +17,7 @@ module Contrast
|
|
16
17
|
# These rules check the content of the HTTP Response to determine if something was set incorrectly or
|
17
18
|
# insecurely in it.
|
18
19
|
class BaseRule
|
20
|
+
DATA = 'data'.cs__freeze
|
19
21
|
# Analyze a given application response to determine if it violates the rule
|
20
22
|
#
|
21
23
|
# TODO: RUBY-999999 either extract the response's body or memoize it to some degree so that it's not
|
@@ -32,8 +34,13 @@ module Contrast
|
|
32
34
|
|
33
35
|
if Contrast::Agent::Reporter.enabled?
|
34
36
|
report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(finding)
|
35
|
-
|
36
|
-
|
37
|
+
if report.is_a?(Contrast::Agent::Reporting::Finding)
|
38
|
+
request = Contrast::Agent::REQUEST_TRACKER.current&.request
|
39
|
+
preflight = Contrast::Agent::Reporting::BuildPreflight.build(report, request)
|
40
|
+
Contrast::Agent.reporter&.send_event(preflight)
|
41
|
+
else
|
42
|
+
Contrast::Agent.reporter&.send_event(report)
|
43
|
+
end
|
37
44
|
else
|
38
45
|
Contrast::Agent::REQUEST_TRACKER.current.activity.findings << finding
|
39
46
|
end
|
@@ -41,8 +48,6 @@ module Contrast
|
|
41
48
|
|
42
49
|
protected
|
43
50
|
|
44
|
-
DATA = 'data'.cs__freeze
|
45
|
-
|
46
51
|
# Rules discern which responses they can/should analyze.
|
47
52
|
#
|
48
53
|
# @param response [Contrast::Agent::Response] the response of the application
|
@@ -58,7 +63,7 @@ module Contrast
|
|
58
63
|
|
59
64
|
# Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
|
60
65
|
#
|
61
|
-
# @param
|
66
|
+
# @param _response [Contrast::Agent::Response] the response of the application
|
62
67
|
# @return [Hash, nil] the evidence required to prove the violation of the rule
|
63
68
|
def violated? _response; end
|
64
69
|
|
@@ -76,7 +81,7 @@ module Contrast
|
|
76
81
|
finding.rule_id = rule_id
|
77
82
|
context = Contrast::Agent::REQUEST_TRACKER.current
|
78
83
|
finding.routes << context.route if context&.route
|
79
|
-
build_evidence
|
84
|
+
build_evidence(evidence, finding)
|
80
85
|
hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
|
81
86
|
finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
|
82
87
|
finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
|
@@ -92,6 +97,8 @@ module Contrast
|
|
92
97
|
evidence.each_pair do |key, value|
|
93
98
|
finding.properties[key] = if value.cs__is_a?(Hash)
|
94
99
|
Contrast::Utils::StringUtils.protobuf_format(value.to_json)
|
100
|
+
elsif value.cs__is_a?(Array)
|
101
|
+
value.map { Contrast::Utils::StringUtils.protobuf_format(_1) }.to_s
|
95
102
|
else
|
96
103
|
Contrast::Utils::StringUtils.protobuf_format(value)
|
97
104
|
end
|