RubyGems - contrast-agent - Versions diffs - 6.1.0 → 6.1.1 - Mend

contrast-agent 6.1.0 → 6.1.1

Files changed (179) hide show

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb CHANGED Viewed

@@ -17,13 +17,6 @@ module Contrast
           class CacheControl < HeaderRule
             include BodyRule
             include Framework::RailsSupport
-            def rule_id
-              'cache-controls-missing'
-            end
-            protected
             HEADER_KEYS = %w[Cache-Control].cs__freeze
             ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
             DEFAULT_SAFE = false
@@ -31,6 +24,12 @@ module Contrast
             HEAD_TAG = /<head>/i.cs__freeze
             NAME = 'cache-control'
+            def rule_id
+              'cache-controls-missing'
+            end
+            protected
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application
@@ -62,7 +61,7 @@ module Contrast
               return false if meta_tags(response).empty?
               meta_tags(response).each do |tag|
-                return true if meta_cache_tag? tag[HTML_PROP]
+                return true if meta_cache_tag?(tag[HTML_PROP])
               end
               false
@@ -92,7 +91,7 @@ module Contrast
             # @return [Hash, nil] the evidence hash or nil
             def tag_evidence response
               meta_tags(response).each do |tag|
-                return evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+                return evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag?(tag[HTML_PROP])
               end
             end

data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb CHANGED Viewed

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check the content of the HTTP Response to determine if the headers contains the required header
           class ClickJacking < HeaderRule
-            def rule_id
-              'clickjacking-control-missing'
-            end
             HEADER_KEYS = %w[X-Frame-Options].cs__freeze
             ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
             DEFAULT_SAFE = false
+            def rule_id
+              'clickjacking-control-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb CHANGED Viewed

@@ -12,12 +12,6 @@ module Contrast
         module Response
           # These rules check that the HTTP Headers include CSP header types
           class CspHeaderInsecure < HeaderRule
-            def rule_id
-              'csp-header-insecure'
-            end
-            protected
             HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
             DEFAULT_SAFE = false
             SETTINGS = %w[
@@ -28,6 +22,12 @@ module Contrast
             ASTERISK_REGEXP = /[*]/.cs__freeze
             SAFE_REFLECTED_XSS = /1/.cs__freeze
+            def rule_id
+              'csp-header-insecure'
+            end
+            protected
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb CHANGED Viewed

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check that the HTTP Headers include CSP header types
           class CspHeaderMissing < HeaderRule
-            def rule_id
-              'csp-header-missing'
-            end
             HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
             ACCEPTED_VALUES = [/(.)/].cs__freeze
             DEFAULT_SAFE = false
+            def rule_id
+              'csp-header-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb CHANGED Viewed

@@ -12,16 +12,16 @@ module Contrast
           # This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
           # is set to a value greater than 0.
           class HSTSHeader < HeaderRule
+            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
+            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
+            DEFAULT_SAFE = true
             def rule_id
               'hsts-header-missing'
             end
             protected
-            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
-            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
-            DEFAULT_SAFE = true
             def evidence data
               # get only the value of the max-age property
               val = data&.split('=')&.last

data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb CHANGED Viewed

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check the content of the HTTP Response to determine if the response contains the needed header
           class XContentType < HeaderRule
-            def rule_id
-              'xcontenttype-header-missing'
-            end
             HEADER_KEYS = %w[X-Content-Type-Options].cs__freeze
             ACCEPTED_VALUES = [/^nosniff/i].cs__freeze
             DEFAULT_SAFE = false
+            def rule_id
+              'xcontenttype-header-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb CHANGED Viewed

@@ -13,15 +13,14 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if the response contains the needed header
           class XXssProtection < HeaderRule
             include Framework::RailsSupport
+            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
+            ACCEPTED_VALUES = [/^1/].cs__freeze
+            DEFAULT_SAFE = true
             def rule_id
               'xxssprotection-header-disabled'
             end
-            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
-            ACCEPTED_VALUES = [/^1/].cs__freeze
-            DEFAULT_SAFE = true
             protected
             def analyze_response? response

data/lib/contrast/agent/assess/tag.rb CHANGED Viewed

@@ -12,6 +12,19 @@ module Contrast
                     :start_idx, # start of range
                     :end_idx    # end of range (calculated from start + length), exclusive
+        # Update range should be how start and end index of tags are changed,
+        # as it includes validation
+        #
+        # Note that we allow start_idx == end_idx b/c this is how we determine
+        # if a tag range is 'covered' in trigger detection
+        ERROR_NEGATIVE_START = 'Unable to set start idx negative'
+        BELOW = 'BELOW'
+        ERROR_END_BEFORE_START = 'Unable to set start idx after end idx'
+        LOW_SPAN = 'LOW_SPAN'
+        WITHIN = 'WITHIN'
+        WITHOUT = 'WITHOUT'
+        HIGH_SPAN = 'HIGH_SPAN'
+        ABOVE = 'ABOVE'
         # Initialize a new tag
         #
         # @param label [String] the label of the tag
@@ -109,13 +122,6 @@ module Contrast
         end
         alias_method :to_s, :str_val
-        BELOW = 'BELOW'
-        LOW_SPAN = 'LOW_SPAN'
-        WITHIN = 'WITHIN'
-        WITHOUT = 'WITHOUT'
-        HIGH_SPAN = 'HIGH_SPAN'
-        ABOVE = 'ABOVE'
         # The tag is ______ the range
         # rrrrrrr == self.range, the range of the tag
         def compare_range start, stop
@@ -154,13 +160,6 @@ module Contrast
         private
-        # Update range should be how start and end index of tags are changed,
-        # as it includes validation
-        #
-        # Note that we allow start_idx == end_idx b/c this is how we determine
-        # if a tag range is 'covered' in trigger detection
-        ERROR_NEGATIVE_START = 'Unable to set start idx negative'
-        ERROR_END_BEFORE_START = 'Unable to set start idx after end idx'
         def update_range start_idx, end_idx
           raise(ArgumentError, ERROR_NEGATIVE_START) if start_idx.negative?
           raise(ArgumentError, ERROR_END_BEFORE_START) if end_idx < start_idx

data/lib/contrast/agent/at_exit_hook.rb CHANGED Viewed

@@ -31,7 +31,18 @@ module Contrast
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context
-        Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
+        if Contrast::Agent::Reporter.enabled?
+          [
+            context.new_observed_route,
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.server_activity),
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity.library_usages),
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
+          ].each do |event|
+            Contrast::Agent.reporter&.send_event_immediately(event)
+          end
+        else
+          Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
+        end
       end
     end
   end

data/lib/contrast/agent/middleware.rb CHANGED Viewed

@@ -48,6 +48,9 @@ module Contrast
           return
         end
         agent_startup_routine
+      rescue StandardError => e
+        logger.error('Unable to initialize the agent. Disabling permanently.', e)
+        ::Contrast::AGENT.disable! # ensure the agent is disabled (probably redundant)
       end
       # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready to do some
@@ -145,7 +148,7 @@ module Contrast
           request_handler.ruleset.prefilter
         end
       rescue StandardError => e
-        raise e if security_exception?(e)
+        raise(e) if security_exception?(e)
         logger.error('Unable to execute agent pre_call', e)
       end
@@ -164,7 +167,7 @@ module Contrast
           # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
-          Contrast::Agent::EXPLOITS.report_recorded_exploits context unless Contrast::Agent::EXPLOITS.collection.empty?
+          Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity
@@ -177,7 +180,7 @@ module Contrast
         end
       # unsuccessful attack
       rescue StandardError => e
-        raise e if security_exception?(e)
+        raise(e) if security_exception?(e)
         logger.error('Unable to execute agent post_call', e)
       end

data/lib/contrast/agent/patching/policy/after_load_patch.rb CHANGED Viewed

@@ -47,7 +47,7 @@ module Contrast
             return true  unless target_defined? # bc no methods are loaded
             return false unless method_to_instrument
-            !module_lookup.instance_methods.include? method_to_instrument
+            !module_lookup.instance_methods.include?(method_to_instrument)
           end
           def applies? loaded_module_name
@@ -59,7 +59,7 @@ module Contrast
           end
           def instrument!
-            require instrumentation_file_path
+            require(instrumentation_file_path)
             if instrumenting_module
               mod = Module.cs__const_get(instrumenting_module)
@@ -72,7 +72,7 @@ module Contrast
           def module_lookup
             @_module_lookup ||= begin
-              Module.cs__const_get module_name
+              Module.cs__const_get(module_name)
             rescue StandardError => _e
               nil
             end

data/lib/contrast/agent/patching/policy/after_load_patcher.rb CHANGED Viewed

@@ -43,7 +43,7 @@ module Contrast
               ].cs__freeze
               paths.each do |p|
                 path_part = "cs__assess_#{ p }"
-                Contrast::Extension::Assess::InstrumentHelper.instrument "#{ path_part }/#{ path_part }"
+                Contrast::Extension::Assess::InstrumentHelper.instrument("#{ path_part }/#{ path_part }")
               end
               true
             end
@@ -73,7 +73,7 @@ module Contrast
           # handling
           def apply_require_patches!
             @_apply_require_patches ||= begin
-              require 'contrast/extension/thread'
+              require('contrast/extension/thread')
               true
             rescue LoadError, StandardError => e
               logger.error('failed instrumenting apply_require_patches!', e)

data/lib/contrast/agent/patching/policy/method_policy_extend.rb CHANGED Viewed

@@ -38,8 +38,8 @@ module Contrast
                                                  deadzone_node: deadzone_node
                                              })
-            return method_policy unless check_method_policy_nodes_empty? source_node, propagation_node, trigger_node,
-                                                                         protect_node, inventory_node, deadzone_node
+            return method_policy unless check_method_policy_nodes_empty?(source_node, propagation_node, trigger_node,
+                                                                         protect_node, inventory_node, deadzone_node)
             create_new_node(module_policy, method_policy) if module_policy.deadzone_nodes&.any?
             method_policy
@@ -74,9 +74,9 @@ module Contrast
               next unless node.method_name.nil?
               klass = Module.cs__const_get(node.class_name)
-              next unless it_defined? klass, method_policy.method_name
+              next unless it_defined?(klass, method_policy.method_name)
-              new_node = set_new_node method_policy, klass, node
+              new_node = set_new_node(method_policy, klass, node)
               method_policy.instance_variable_set(:@method_visibility, new_node.method_visibility)
               method_policy.instance_variable_set(:@deadzone_node, node)
               module_policy.deadzone_nodes << new_node

data/lib/contrast/agent/patching/policy/patch.rb CHANGED Viewed

@@ -49,11 +49,11 @@ module Contrast
             ].cs__freeze
             def enter_method_scope! method_policy
-              contrast_enter_method_scopes! method_policy.scopes_to_enter
+              contrast_enter_method_scopes!(method_policy.scopes_to_enter)
             end
             def exit_method_scope! method_policy
-              contrast_exit_method_scopes! method_policy.scopes_to_exit
+              contrast_exit_method_scopes!(method_policy.scopes_to_exit)
             end
             # @param mod [Module] the module in which the patch should be
@@ -122,7 +122,7 @@ module Contrast
               underlying_method_name = underlying_method_name(method_name, impl)
               target_module = Module.cs__const_get(target_module_name)
-              target_module = target_module.cs__singleton_class if %i[prepend_singleton alias_singleton].include? impl
+              target_module = target_module.cs__singleton_class if %i[prepend_singleton alias_singleton].include?(impl)
               visibility = if target_module.private_instance_methods(false).include?(method_name)
                              :private
@@ -131,14 +131,14 @@ module Contrast
                            elsif target_module.public_instance_methods(false).include?(method_name)
                              :public
                            else
-                             raise NoMethodError,
-                                   <<~ERR
+                             raise(NoMethodError,
+                                   <<~ERR)
                                      Tried to register a C-defined #{ impl } patch for \
                                      #{ target_module_name }##{ method_name }, but can't find :#{ method_name }.
                                    ERR
                            end
-              reflect_implementation impl, target_module, unbound_method, visibility
+              reflect_implementation(impl, target_module, unbound_method, visibility)
               # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
               # can't invoke this logging method or we'll seg fault as we'd
               # change the method definition mid-call
@@ -166,7 +166,7 @@ module Contrast
               when :alias_instance, :alias_singleton
                 # Core to patching. Ignore define method usage cop.
                 # rubocop:disable Performance/Kernel/DefineMethod
-                unless target_module.instance_methods(false).include? underlying_method_name
+                unless target_module.instance_methods(false).include?(underlying_method_name)
                   # alias_method may be private
                   target_module.send(:alias_method, underlying_method_name, method_name)
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
@@ -178,7 +178,7 @@ module Contrast
                 prepending_module.send(visibility, method_name)
                 # This prepends to the singleton class (it patches a class method)
-                target_module.prepend prepending_module
+                target_module.prepend(prepending_module)
                 # rubocop:enable Performance/Kernel/DefineMethod
               end
             end
@@ -204,7 +204,7 @@ module Contrast
             end
             def underlying_method_name method_name, impl
-              return method_name.to_sym if %i[prepend_instance prepend_singleton].include? impl
+              return method_name.to_sym if %i[prepend_instance prepend_singleton].include?(impl)
               build_unbound_method_name(method_name).to_sym
             end

data/lib/contrast/agent/patching/policy/patch_status.rb CHANGED Viewed

@@ -99,10 +99,17 @@ module Contrast
               :CONTRAST_PATCH_POLICY_STATUS
             end
+            # @param mod [Module or Class] the entity on which the patch has been placed
+            # @param method [Symbol] the method being patched
+            # @param ret [Contrast::Agent::Patching::Policy::MethodPolicy] the policy of the patched method
             def update_holder mod, method, ret
-              mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
-              holder = mod.instance_variable_get(method_info_key)
-              holder[method] = ret
+              unless mod.instance_variable_defined?(method_info_key) &&
+                    (holder = mod.instance_variable_get(method_info_key))
+                holder = {}
+                mod.instance_variable_set(method_info_key, holder)
+              end
+              holder[method] = ret # rubocop:disable Lint/UselessSetterCall
             end
             def find_info_for candidates, method

data/lib/contrast/agent/patching/policy/policy.rb CHANGED Viewed

@@ -20,6 +20,19 @@ module Contrast
         class Policy
           include Singleton
           include Contrast::Components::Logger::InstanceMethods
+          SOURCES_KEY = 'sources'
+          PROPAGATION_KEY = 'propagators'
+          RULES_KEY = 'rules'
+          TRIGGERS_KEY = 'triggers'
+          def initialize
+            @sources = []
+            @propagators = []
+            @triggers = []
+            @providers = {}
+            json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
+            from_hash_string(json)
+          end
           # Indicates the folder in `resources` where this policy lives.
           def self.policy_folder
@@ -38,25 +51,10 @@ module Contrast
           attr_reader :sources, :propagators, :triggers, :providers
-          SOURCES_KEY =          'sources'
-          PROPAGATION_KEY =      'propagators'
-          RULES_KEY = 'rules'
-          TRIGGERS_KEY = 'triggers'
           def self.policy_json
             File.join(policy_folder, 'policy.json').cs__freeze
           end
-          def initialize
-            @sources = []
-            @propagators = []
-            @triggers = []
-            @providers = {}
-            json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
-            from_hash_string(json)
-          end
           # Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
           # monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
           # be flexible and extensible.

data/lib/contrast/agent/patching/policy/policy_node.rb CHANGED Viewed

@@ -14,6 +14,23 @@ module Contrast
         # @abstract
         class PolicyNode
           include Contrast::Components::Scope::InstanceMethods
+          JSON_METHOD_VISIBILITY = 'method_visibility'
+          JSON_PROPERTIES = 'properties'
+          JSON_METHOD_NAME = 'method_name'
+          JSON_METHOD_SCOPE = 'scope'
+          # The keys used to read from policy.json to create the individual
+          # policy nodes. These are common across node types
+          JSON_CLASS_NAME = 'class_name'
+          JSON_INSTANCE_METHOD = 'instance_method'
+          def initialize policy_hash = {}
+            @class_name = policy_hash[JSON_CLASS_NAME]
+            @instance_method = policy_hash[JSON_INSTANCE_METHOD]
+            @method_name = policy_hash[JSON_METHOD_NAME]
+            @method_scope = policy_hash[JSON_METHOD_SCOPE]
+            @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
+            @properties = policy_hash[JSON_PROPERTIES]
+            symbolize
+          end
           # Name of the class in which the method is being invoked.
           attr_accessor :class_name
@@ -31,21 +48,11 @@ module Contrast
           attr_reader :method_scope
           def node_class
-            raise NoMethodError, 'specify the type of the feature for which this node patches'
+            raise(NoMethodError, 'specify the type of the feature for which this node patches')
           end
           def feature
-            raise NoMethodError, 'specify the name of the feature for which this node patches'
-          end
-          def initialize policy_hash = {}
-            @class_name = policy_hash[JSON_CLASS_NAME]
-            @instance_method = policy_hash[JSON_INSTANCE_METHOD]
-            @method_name = policy_hash[JSON_METHOD_NAME]
-            @method_scope = policy_hash[JSON_METHOD_SCOPE]
-            @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
-            @properties = policy_hash[JSON_PROPERTIES]
-            symbolize
+            raise(NoMethodError, 'specify the name of the feature for which this node patches')
           end
           def id
@@ -91,15 +98,6 @@ module Contrast
             @method_visibility = @method_visibility.to_sym if @method_visibility
             @method_scope = @method_scope.to_sym if @method_scope
           end
-          # The keys used to read from policy.json to create the individual
-          # policy nodes. These are common across node types
-          JSON_CLASS_NAME = 'class_name'
-          JSON_INSTANCE_METHOD = 'instance_method'
-          JSON_METHOD_NAME = 'method_name'
-          JSON_METHOD_SCOPE = 'scope'
-          JSON_METHOD_VISIBILITY = 'method_visibility'
-          JSON_PROPERTIES = 'properties'
         end
       end
     end

data/lib/contrast/agent/patching/policy/trigger_node.rb CHANGED Viewed

@@ -24,6 +24,7 @@ module Contrast
           attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
                       :rule_id
+          NODE = 'Trigger'
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
             @rule_id = rule_hash[JSON_NAME]
@@ -36,7 +37,6 @@ module Contrast
             @applicator_method = (trigger_hash[JSON_APPLICATOR_METHOD] || rule_hash[JSON_APPLICATOR_METHOD]).to_sym
           end
-          NODE = 'Trigger'
           def node_class
             NODE
           end