contrast-agent 6.0.0 → 6.1.2

data/lib/contrast/agent/reporting/masker/masker.rb

@@ -33,21 +33,18 @@ module Contrast
           # @param [Contrast::Api::Dtm::Activity]
           def mask activity
             return unless Contrast::Agent::Reporter.enabled?
-            return unless activity || activity.http_request || activity.results
+            return unless activity
 
             logger.debug('Searching for sensitive data',
                          activity: activity.__id__,
                          request: activity.http_request&.uuid)
-            mask_body activity
-            mask_query_string activity
-            mask_request_params activity
-            mask_request_cookies activity
-            mask_request_headers activity
-          rescue StandardError => e
-            logger.debug('Could not mask activity!',
-                         activity: activity.__id__,
-                         request: activity.http_request&.uuid,
-                         error_msg: e.message)
+            mask_body(activity)
+            mask_query_string(activity)
+            mask_request_params(activity)
+            mask_request_cookies(activity)
+            mask_request_headers(activity)
+          rescue StandardError => _e
+            logger.debug('Could not mask activity!', activity: activity.__id__, request: activity.http_request&.uuid)
           end
 
           private
@@ -87,16 +84,16 @@ module Contrast
             params = activity.http_request.normalized_request_params
             return unless params
 
-            mask_with_dictionary activity.results, params
+            mask_with_dictionary(activity.results, params)
           end
 
           def mask_request_headers activity
             if activity.http_request.parsed_request_headers
               # Used normalized request_headers
-              mask_with_dictionary activity.results, activity.http_request.normalized_request_headers
+              mask_with_dictionary(activity.results, activity.http_request.normalized_request_headers)
             else
               headers = activity.http_request.request_headers
-              mask_field_hash headers, activity.results
+              mask_field_hash(headers, activity.results)
             end
           end
 
@@ -108,7 +105,7 @@ module Contrast
             cookies = activity.http_request.normalized_cookies
             return unless cookies
 
-            mask_with_dictionary activity.results, cookies
+            mask_with_dictionary(activity.results, cookies)
           end
 
           # Mask request query string:
@@ -120,8 +117,8 @@ module Contrast
             qs = activity.http_request.query_string
             return if qs.nil? || qs.empty?
 
-            mask_field_hash qs, activity.results unless qs.cs__is_a?(String)
-            mask_raw_query qs, activity.results
+            mask_field_hash(qs, activity.results) unless qs.cs__is_a?(String)
+            mask_raw_query(qs, activity.results)
           end
 
           # Mask if the value in the passed hash are matched against dictionary
@@ -137,17 +134,17 @@ module Contrast
             return if hash.nil? || hash.empty?
 
             hash.each do |key, val|
-              match = dictionary_matcher key
+              match = dictionary_matcher(key)
               next unless match
 
               # The normalized values are paired.
               # key => Contrast::Api::Dtm::Pair (key, val<Values>).
               # try one level down
-              if val.cs__respond_to? :values
-                mask_values key, val, results
+              if val.cs__respond_to?(:values)
+                mask_values(key, val, results)
               else
                 # Just assign keys.
-                mask_hash key, val, hash, results
+                mask_hash(key, val, hash, results)
               end
             end
             hash

data/lib/contrast/agent/reporting/masker/masker_utils.rb

@@ -14,10 +14,14 @@ module Contrast
         # @param field_hash [Protobuf::Field::FieldHash] hash to be masked
         # @param results [Array<Contrast::Api::Dtm::AttackResults>]
         # results to match against.
+        # @return [Hash]
         def mask_field_hash field_hash, results
+          return {} unless field_hash&.any?
+
           hash = {}
-          masked = EMPTY_STRING
-          field_hash.any? do |entry|
+          # Because this is the start of a built string, we have to be sure that it is not frozen.
+          masked = +''
+          field_hash.each do |entry|
             # Protobuf::Field::FieldHash produces array, with the key as first param and value as second.
             new_value = entry[1].delete(SEMICOLON).split(SPACE)
             new_value.each do |value|
@@ -26,10 +30,10 @@ module Contrast
               hash[arr[0]] = arr[1]
             end
             # Mask the newly created hash.
-            mask_with_dictionary results, hash
+            mask_with_dictionary(results, hash)
 
             # Restore to original form.
-            hash.each { |k, v| masked += "#{ k + EQUALS }#{ v + SEMICOLON + SPACE }" }
+            hash.each { |k, v| masked += "#{ k }=#{ v }; " }
             masked.rstrip!
             field_hash[entry[0]] = masked
           end
@@ -46,9 +50,9 @@ module Contrast
         def mask_raw_query query, results
           masked = EMPTY_STRING
           hash = URI.decode_www_form(query).to_h
-          mask_with_dictionary results, hash
+          mask_with_dictionary(results, hash)
           # Restore to string form.
-          hash.each { |k, v| masked += "#{ k + EQUALS }#{ v }#{ AMPERSAND }" }
+          hash.each { |k, v| masked += "#{ k }=#{ v }&" }
           query = masked
           query.chomp!(masked[-1])
         end

data/lib/contrast/agent/reporting/reporter.rb

@@ -31,10 +31,6 @@ module Contrast
         @_connection ||= client.initialize_connection
       end
 
-      def audit
-        @_audit ||= Contrast::Agent::Reporting::Audit.new
-      end
-
       def attempt_to_start?
         unless cs__class.enabled?
           logger.warn('Reporter service is disabled!')
@@ -65,7 +61,7 @@ module Contrast
       # Suspend the Reporter and try sending the event after the timeout.
       # The timeout is either default 15 min or received via TS response.
       #
-      # @param event [Contrast::Agent::Reporting::FindingEvent] Freshly pop-ed event.
+      # @param event [Contrast::Agent::Reporting::ReportingEvent] Freshly pop-ed event.
       def handle_resend event
         sleep(client.timeout) if client.sleep?
         # Retry once than discard the event. This is trigger on too many events of
@@ -75,6 +71,7 @@ module Contrast
         client.wake_up
       end
 
+      # @param event [Contrast::Agent::Reporting::ReportingEvent]
       def send_event event
         if ::Contrast::AGENT.disabled?
           logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
@@ -84,23 +81,21 @@ module Contrast
         return unless cs__class.enabled?
 
         logger.debug('Enqueued event for sending', event_type: event.cs__class)
-        audit&.audit_event(event) if ::Contrast::API.request_audit_enable?
         queue << event
       end
 
       # Use this to bypass the messaging queue and leave response processing to the caller
+      #
+      # @param event [Contrast::Agent::Reporting::ReportingEvent]
+      # @return [Net::HTTPResponse, nil]
       def send_event_immediately event
         if ::Contrast::AGENT.disabled?
           logger.warn('Reporter attempted to send event immediately with Agent disabled', caller: caller, event: event)
           return
         end
-        response = client.send_event(event, connection, true)
-        return unless response
-
-        client.handle_response(event, response, connection)
-        audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable?
+        client.send_event(event, connection, send_immediately: true)
       rescue StandardError => e
-        logger.error('Could not send message to service from Reporter queue.', e)
+        logger.error('Could not send message to TeamServer from Reporter queue.', e)
       end
 
       def delete_queue!
@@ -122,12 +117,12 @@ module Contrast
         @_queue ||= Queue.new
       end
 
+      # @param event [Contrast::Agent::Reporting::ReportingEvent]
       def process_event event
-        response = client.send_event(event, connection)
-        audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable?
-        handle_resend event
+        client.send_event(event, connection)
+        handle_resend(event) if client.mode.status == client.mode.resending
       rescue StandardError => e
-        logger.error('Could not send message to service from Reporter queue.', e)
+        logger.error('Could not send message to TeamServer from Reporter queue.', e)
       end
     end
   end

data/lib/contrast/agent/reporting/reporter_heartbeat.rb

@@ -0,0 +1,49 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/agent_startup'
+
+module Contrast
+  module Agent
+    # The ReporterHeartbeat will make sure that the process remains marked alive by TeamServer and that we periodically
+    # reach out to get the latest settings for this application.
+    class ReporterHeartbeat < WorkerThread
+      include Contrast::Components::Logger::InstanceMethods
+
+      # TeamServer will mark an application offline after 5 minutes. Sending this every one should be more than enough
+      # to satisfy our goals.
+      REFRESH_INTERVAL_SEC = 60
+
+      # check if we can report to TS
+      #
+      # @return[Boolean] true if bypass is enabled, or false if bypass disabled
+      def enabled?
+        @_enabled = Contrast::CONTRAST_SERVICE.use_agent_communication? if @_enabled.nil?
+        @_enabled
+      end
+
+      def connection
+        @_connection ||= client.initialize_connection
+      end
+
+      def start_thread!
+        return if running?
+
+        @_thread = Contrast::Agent::Thread.new do
+          logger.info('Starting heartbeat thread.')
+          loop do
+            Contrast::Agent.reporter&.send_event(poll_message)
+            sleep(REFRESH_INTERVAL_SEC)
+          end
+        end
+      end
+
+      def poll_message
+        @_poll_message ||= Contrast::Agent::Reporting::Poll.new
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/reporting/reporting_events/reporting_event'
+require 'contrast/agent/reporting/reporting_events/server_reporting_event'
 require 'contrast/config'
 
 module Contrast
@@ -9,7 +9,7 @@ module Contrast
     module Reporting
       #	AgentStartup Event which sends the agent data to TeamServer on the startup of a server or process,
       # used to create a new Server entity there.
-      class AgentStartup < Contrast::Agent::Reporting::ReportingEvent
+      class AgentStartup < Contrast::Agent::Reporting::ServerReportingEvent
         def initialize
           @event_method = :PUT
           @event_endpoint = Contrast::Agent::Reporting::Endpoints::NG_ENDPOINTS[:agent_startup]
@@ -17,6 +17,10 @@ module Contrast
           super
         end
 
+        def file_name
+          'agent-startup'
+        end
+
         def to_controlled_hash
           {
               environment: ::Contrast::CONFIG.root.server.environment,

data/lib/contrast/agent/reporting/reporting_events/application_activity.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/application_reporting_event'
+require 'contrast/agent/reporting/reporting_events/application_defend_activity'
+require 'contrast/agent/reporting/reporting_events/application_inventory_activity'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new ApplicationActivity class which will include all the needed information for the new reporting
+      # system to report
+      class ApplicationActivity < Contrast::Agent::Reporting::ApplicationReportingEvent
+        class << self
+          # @param app_activity_dtm [Contrast::Api::Dtm::Activity]
+          # @return [Contrast::Agent::Reporting::ApplicationActivity]
+          def convert app_activity_dtm
+            app_activity = new
+            app_activity.attach_data(app_activity_dtm)
+            app_activity
+          end
+        end
+
+        def initialize
+          @event_method = :PUT
+          @event_type = :application_activity
+          @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_activity
+          super
+        end
+
+        def file_name
+          'activity-application'
+        end
+
+        def to_controlled_hash
+          hsh = { lastUpdate: since_last_update }
+          hsh[:defend] = @defend&.to_controlled_hash if @defend
+          hsh[:inventory] = @inventory&.to_controlled_hash if @inventory
+          hsh
+        end
+
+        # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
+        def attach_data activity_dtm
+          @defend = Contrast::Agent::Reporting::ApplicationDefendActivity.convert(activity_dtm)
+          @inventory = Contrast::Agent::Reporting::ApplicationInventoryActivity.convert(activity_dtm)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -0,0 +1,96 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/application_defend_attacker_activity'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new ApplicationDefendActivity class which includes information about the defense of the application
+      # which was discovered during exercise of the application during this activity period.
+      class ApplicationDefendActivity
+        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackerActivity>]
+        attr_reader :attackers
+
+        class << self
+          # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
+          # @return [Contrast::Agent::Reporting::ApplicationDefendActivity]
+          def convert activity_dtm
+            activity = new
+            activity.attach_data(activity_dtm.results)
+            activity
+          end
+        end
+
+        def initialize
+          @attackers = []
+          @event_type = :application_defend_activity
+          super
+        end
+
+        def to_controlled_hash
+          {
+              attackers: attackers.map(&:to_controlled_hash)
+          }
+        end
+
+        # @param attack_dtms [Array<Contrast::Api::Dtm::AttackResult>]
+        def attach_data attack_dtms
+          attack_dtms.each do |attack_result|
+            attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.convert(attack_result)
+            existing_attacker_activity = attackers.find do |existing|
+              existing.source_forwarded_for == attacker_activity.source_forwarded_for &&
+                  existing.source_ip == attacker_activity.source_ip
+            end
+            rule = attack_result.rule_id
+            if existing_attacker_activity
+              attach_existing(existing_attacker_activity, attacker_activity, rule)
+            else
+              attackers << attacker_activity
+            end
+          end
+        end
+
+        # @param existing_attacker_activity [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
+        # @param attacker_activity [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
+        # @param rule [String]
+        def attach_existing existing_attacker_activity, attacker_activity, rule
+          # TODO: RUBY-1663 figure out attack time mapping
+          new_violation = attacker_activity.protection_rules[rule]
+          if (previously_violated = existing_attacker_activity.protection_rules[rule])
+            if (new_blocked = new_violation.blocked&.samples)
+              unless previously_violated.blocked
+                previously_violated.blocked = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
+              end
+              previously_violated.blocked.samples.concat(new_blocked)
+            end
+
+            if (new_exploited = new_violation.exploited&.samples)
+              unless previously_violated.exploited
+                previously_violated.exploited = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
+              end
+              previously_violated.exploited.samples.concat(new_exploited)
+            end
+
+            if (new_ineffective = new_violation.ineffective&.samples)
+              unless previously_violated.ineffective
+                previously_violated.ineffective = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
+              end
+              previously_violated.ineffective.samples.concat(new_ineffective)
+            end
+
+            if (new_suspicious = new_violation.suspicious&.samples)
+              unless previously_violated.suspicious
+                previously_violated.suspicious = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
+              end
+              previously_violated.suspicious.samples.concat(new_suspicious)
+            end
+          else
+            existing_attacker_activity.protection_rules[rule] = new_violation
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb

@@ -0,0 +1,70 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'contrast/api/decorators/response_type'
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new ApplicationDefendAttackActivity class which will include the attacks sent by the source.
+      class ApplicationDefendAttackActivity
+        # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
+        attr_accessor :blocked
+        # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
+        attr_accessor :exploited
+        # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
+        attr_accessor :ineffective
+        # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
+        attr_accessor :suspicious
+
+        class << self
+          # @param attack_result [Contrast::Api::Dtm::AttackResult]
+          def convert attack_result
+            activity = new
+            activity.attach_data(attack_result)
+            activity
+          end
+        end
+
+        def initialize
+          @start_time = start_time
+          super
+        end
+
+        def to_controlled_hash
+          {
+              startTime: @start_time,
+              blocked: blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              exploited: exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              ineffective: ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              suspicious: suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+          }
+        end
+
+        # @param attack_result [Contrast::Api::Dtm::AttackResult]
+        # @return [Contrast::Agent::Reporting::Defend::AttackSampleActivity]
+        def attach_data attack_result
+          attack_sample_activity =
+            Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.convert(attack_result)
+          case attack_result.response
+          when ::Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+            @blocked = attack_sample_activity
+          when ::Contrast::Api::Dtm::AttackResult::ResponseType::MONITORED
+            @exploited = attack_sample_activity
+          when ::Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+            @ineffective = attack_sample_activity
+          when ::Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
+            @suspicious = attack_sample_activity
+          end
+        end
+
+        def start_time
+          Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms
+        end
+      end
+    end
+  end
+end