contrast-agent 6.1.1 → 6.3.0

data/lib/contrast/agent/reporting/settings/sanitizer.rb

@@ -0,0 +1,38 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The sanitizers defined by the user for use by the agent on this server for this organization.
+        class Sanitizer
+          ATTRIBUTES = %i[uuid api tags rules].cs__freeze
+
+          # @return uuid [String]
+          attr_accessor :uuid
+          # @return api [String]
+          attr_accessor :api
+          # @return uuid [Array<String>]
+          attr_accessor :tags
+          # @return uuid [Array<String>]
+          attr_accessor :rules
+
+          def initialize
+            @tags = []
+            @rules = []
+          end
+
+          def to_controlled_hash
+            {
+                api: api,
+                rules: rules,
+                tags: tags,
+                uuid: uuid
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb

@@ -66,7 +66,7 @@ module Contrast
           # @param settings_rules [Hash] Response settings under Settings/sensitive_data_masking_policy/rules
           # @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, nil
           def build_rules_form_settings settings_rules
-            return unless settings_rules || settings_rules.empty?
+            return if settings_rules.nil? || settings_rules.empty?
 
             settings_rules.each do |rule|
               instance = Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule.new
@@ -77,6 +77,14 @@ module Contrast
             rules
           end
 
+          def to_controlled_hash
+            {
+                rules: rules.map(&:to_controlled_hash),
+                mask_attack_vector: mask_attack_vector?,
+                mask_http_body: mask_http_body?
+            }
+          end
+
           private
 
           # Determine if parameter is array of Rules.

data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb

@@ -40,6 +40,13 @@ module Contrast
             @_keywords = words_array if string_array?(words_array)
           end
 
+          def to_controlled_hash
+            {
+                id: rule_id,
+                keywords: keywords
+            }
+          end
+
           private
 
           # Determine if a array is array of strings.

data/lib/contrast/agent/reporting/settings/server_features.rb

@@ -71,6 +71,14 @@ module Contrast
           def protect
             @_protect ||= Contrast::Agent::Reporting::Settings::ProtectServerFeature.new
           end
+
+          def to_controlled_hash
+            {
+                assessment: @_assess ? assess.to_controlled_hash : {},
+                defend: @_protect ? protect.to_controlled_hash : {},
+                telemetry: telemetry
+            }.compact
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/settings/syslog.rb

@@ -0,0 +1,176 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Controls for the syslogging feature in the agent
+        class Syslog
+          CONNECTION_TYPE = %w[UNENCRYPTED ENCRYPTED].cs__freeze
+          # Used for:
+          # severity_blocked, severity_blocked_perimeter, severity_exploited, severity_probed,
+          # severity_probed_perimeter
+          SEVERITIES = %w[ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG].cs__freeze
+          SYSLOG_METHODS = %i[
+            enable= ip= port= facility= protocol= connection_type= severity_exploited= severity_blocked=
+            severity_probed= severity_probed_suspicious= severity_blocked_perimeter= severity_probed_perimeter=
+          ].cs__freeze
+          SYSLOG_RESPONSE_KEYS = %i[
+            syslogEnabled syslogIpAddress syslogPortNumber syslogFacilityCode syslogProtocol
+            syslogConnectionType syslogSeverityExploited syslogSeverityBlocked syslogSeverityProbed
+            syslogSeveritySuspicious syslogSeverityBlockedPerimeter syslogSeverityProbedPerimeter
+          ].cs__freeze
+
+          # @return enable [Boolean]
+          attr_accessor :enable
+          # @return ip [Integer]
+          attr_accessor :ip
+          # @return port [Integer]
+          attr_accessor :port
+          # @return facility [Integer]
+          attr_accessor :facility
+          # @return protocol [String]
+          attr_accessor :protocol
+
+          def initialize
+            @enable = false
+            @ip = Contrast::Utils::ObjectShare::EMPTY_STRING
+            @port = 0
+            @facility = 0
+          end
+
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def connection_type
+            @_connection_type ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the connection type
+          #
+          # @param type [String, Symbol] one of UNENCRYPTED, ENCRYPTED
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def connection_type= type
+            @_connection_type = type if valid_entry?(type, CONNECTION_TYPE)
+          end
+
+          # @return severity_blocked [String]
+          def severity_blocked
+            @_severity_blocked ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the severity type
+          #
+          # @param severity [String, Symbol] one of UNENCRYPTED, ENCRYPTED
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def severity_blocked= severity
+            @_severity_blocked = severity if valid_entry?(severity, SEVERITIES)
+          end
+
+          # @return severity_blocked [String]
+          def severity_blocked_perimeter
+            @_severity_blocked_perimeter ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the severity type
+          #
+          # @param severity [String, Symbol] one of UNENCRYPTED, ENCRYPTED
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def severity_blocked_perimeter= severity
+            @_severity_blocked_perimeter = severity if valid_entry?(severity, SEVERITIES)
+          end
+
+          # @return severity_blocked [String]
+          def severity_exploited
+            @_severity_exploited ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the severity type
+          #
+          # @param severity [String, Symbol] one of UNENCRYPTED, ENCRYPTED
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def severity_exploited= severity
+            @_severity_exploited = severity if valid_entry?(severity, SEVERITIES)
+          end
+
+          # @return severity_blocked [String]
+          def severity_probed
+            @_severity_probed ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the severity type
+          #
+          # @param severity [String, Symbol] one of UNENCRYPTED, ENCRYPTED
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def severity_probed= severity
+            @_severity_probed = severity if valid_entry?(severity, SEVERITIES)
+          end
+
+          # @return severity_blocked [String]
+          def severity_probed_perimeter
+            @_severity_probed_perimeter ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the severity type
+          #
+          # @param severity [String, Symbol] one of UNENCRYPTED, ENCRYPTED
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def severity_probed_perimeter= severity
+            @_severity_probed_perimeter = severity if valid_entry?(severity, SEVERITIES)
+          end
+
+          # @return severity_blocked [String]
+          def severity_probed_suspicious
+            @_severity_probed_suspicious ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the severity type
+          #
+          # @param severity [String, Symbol] one of UNENCRYPTED, ENCRYPTED
+          # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
+          def severity_probed_suspicious= severity
+            @_severity_probed_suspicious = severity if valid_entry?(severity, SEVERITIES)
+          end
+
+          # @param settings_array [Array] Settings retrieved from response
+          def assign_array settings_array
+            Contrast::Agent::Reporting::Settings::Syslog::SYSLOG_METHODS.each_with_index do |method, index|
+              send(method, settings_array[SYSLOG_RESPONSE_KEYS[index]])
+            end
+          end
+
+          def to_controlled_hash
+            {
+                syslogEnabled: enable,
+                syslogIpAddress: ip,
+                syslogPortNumber: port,
+                syslogFacilityCode: facility,
+                syslogConnectionType: connection_type,
+                syslogProtocol: protocol,
+                syslogSeverityExploited: severity_exploited,
+                syslogSeverityBlocked: severity_blocked,
+                syslogSeverityProbed: severity_probed,
+                syslogSeveritySuspicious: severity_probed_suspicious,
+                syslogSeverityBlockedPerimeter: severity_blocked_perimeter,
+                syslogSeverityProbedPerimeter: severity_probed_perimeter
+            }
+          end
+
+          private
+
+          # Gets String or Symbol value and assigns it to iv after
+          # validation with allowed types.
+          #
+          # @param value [String, Symbol] value to write
+          # @param validation_hash [Hash] to validate against
+          def valid_entry? value, validation_hash
+            return false unless value && validation_hash
+
+            validation_hash.include?(value)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/url_exclusion.rb

@@ -0,0 +1,42 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/settings/exclusion_base'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # UrlExclusions class
+        class UrlExclusion < ExclusionBase
+          ATTRIBUTES = BASE_ATTRIBUTES.dup << :urls
+          ATTRIBUTES << :match_strategy
+          ATTRIBUTES.cs__freeze
+          STRATEGIES = %w[ALL ONLY].cs__freeze
+
+          # @return urls [Array<String>]
+          attr_accessor :urls
+
+          # @return match_strategy [String] The type of the input
+          def match_strategy
+            @_match_strategy ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # @param new_strategy [String] Set new input type.
+          # @return type [String] The type of the input.
+          def match_strategy= new_strategy
+            @_match_strategy = new_strategy if STRATEGIES.include?(new_strategy)
+          end
+
+          def to_controlled_hash
+            hash = super
+            hash[:urls] = urls
+            hash[:matchStrategy] = match_strategy
+            hash
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/validator.rb

@@ -0,0 +1,17 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/settings/sanitizer'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The validators defined by the user for use by the agent on this server for this organization.
+        class Validator < Sanitizer
+          # This uses the same fields as Sanitizer.
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/request.rb

@@ -17,12 +17,6 @@ module Contrast
     # provides access to the original Rack::Request object as well as extracts
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
-    #
-    # @attr_reader rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
-    # @attr_accessor route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
-    # @attr_accessor observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage of this request
-    # @attr_accessor new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of
-    # this request
     class Request
       include Contrast::Utils::RequestUtils
       include Contrast::Components::Logger::InstanceMethods
@@ -37,8 +31,12 @@ module Contrast
       STATIC_SUFFIXES = /\.(?:js|css|jpeg|jpg|gif|png|ico|woff|svg|pdf|eot|ttf|jar)$/i.cs__freeze
       MEDIA_TYPE_MARKERS = %w[image/ text/css text/javascript].cs__freeze
 
+      # @return [Rack::Request] The passed to the Agent RackRequest to be wrapped.
       attr_reader :rack_request
-      attr_accessor :route, :observed_route, :new_observed_route
+      # @return [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
+      attr_accessor :route
+      # @return [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of this request
+      attr_accessor :observed_route
 
       # Delegate calls to the following methods to the attribute @rack_request
       def_delegators :@rack_request, :base_url, :cookies, :env, :ip, :media_type, :path, :port, :query_string,

data/lib/contrast/agent/request_context.rb

@@ -30,8 +30,6 @@ module Contrast
       # @return [Hash] context used to log the request
       attr_reader :logging_hash
       # @return [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of this request
-      attr_reader :new_observed_route
-      # @return [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
       attr_reader :observed_route
       # @return [Contrast::Agent::Request] our wrapper around the Rack::Request for this context
       attr_reader :request
@@ -40,8 +38,6 @@ module Contrast
       attr_reader :response
       # @return [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
       attr_reader :route
-      # @return [Contrast::Api::Dtm::ServerActivity] the server activity found in this request
-      attr_reader :server_activity
       # @return [Contrast::Api::Settings::InputAnalysis] the protect input analysis of sources on this request
       attr_reader :speedracer_input_analysis
       # @return [Contrast::Utils::Timer] when the context was created
@@ -59,8 +55,6 @@ module Contrast
           @activity = Contrast::Api::Dtm::Activity.new
           @activity.http_request = request.dtm
 
-          @server_activity = Contrast::Api::Dtm::ServerActivity.new
-
           # build analyzer
           @do_not_track = false
           @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
@@ -124,20 +118,21 @@ module Contrast
 
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
-        @server_activity = Contrast::Api::Dtm::ServerActivity.new
-        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
-        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
+        @observed_route = Contrast::Agent::Reporting::ObservedRoute.new
       end
 
       private
 
       def handle_routes
-        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
-        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
+        @observed_route = Contrast::Agent::Reporting::ObservedRoute.new
+        # TODO: RUBY-1705 when we no longer need the DTM style, delete this method and use the get_route_information
+        #   instead.
         route_dtm = Contrast::Agent.framework_manager.get_route_dtm(@request)
-        new_route_coverage_dtm = Contrast::Agent.framework_manager.get_route_information(@request)
+        # new_route_coverage_dtm = Contrast::Agent.framework_manager.get_route_information(@request)
+        # TODO: RUBY-1705 -- delete append_route_coverage
         append_route_coverage(route_dtm)
-        append_to_new_observed_route(new_route_coverage_dtm)
+        # TODO: RUBY-1705 -- change to take [Contrast::Agent::Reporting::ObservedRoute]
+        append_to_observed_route(route_dtm)
       end
     end
   end

data/lib/contrast/agent/request_context_extend.rb

@@ -38,23 +38,20 @@ module Contrast
         @activity.routes << route
 
         # For TS routes
-        @observed_route.signature  = route.route
-        @observed_route.verb       = route.verb
-        @observed_route.url        = route.url if route.url
         @request.route = route
-        @request.observed_route = @observed_route
       end
 
       # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
       # where it is necessary for our route coverage and finding vulnerability discovery features to function.
       #
-      def append_to_new_observed_route route
+      # @param route [Contrast::Api::Dtm::RouteCoverage]
+      def append_to_observed_route route
         return unless route
 
-        @new_observed_route.signature  = route.route
-        @new_observed_route.verb       = route.verb
-        @new_observed_route.url        = route.url if route.url
-        @request.new_observed_route = @new_observed_route
+        @observed_route.signature  = route.route
+        @observed_route.verb       = route.verb
+        @observed_route.url        = route.url if route.url
+        @request.observed_route    = @observed_route
       end
 
       # Collect the results for the given rule with the given action
@@ -71,6 +68,7 @@ module Contrast
         end
       end
 
+      # @raise [Contrast::SecurityException]
       def service_extract_request
         return false unless ::Contrast::AGENT.enabled?
         return false unless ::Contrast::PROTECT.enabled?
@@ -105,6 +103,7 @@ module Contrast
       # Normally these should be generated on Speedracer for any attacks detected during prefilter.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
+      # @raise[Contrast::SecurityException]
       def handle_protect_state agent_settings
         return unless agent_settings&.protect_state
 

data/lib/contrast/agent/request_handler.rb

@@ -22,52 +22,27 @@ module Contrast
         @ruleset = ::Contrast::AGENT.ruleset
       end
 
-      # Send Activities messages to TS [Contrast::Agent::Reporting::ServerActivity,
-      #                                 Contrast::Api::Dtm::ServerActivity,
-      #                                 Contrast::Api::Dtm::Activity,
-      #                                 Contrast::Api::Dtm::ObservedRoute]
-      # If bypass is enabled use the reporting service if not than the messages are
-      # send with speedracer
-      # TODO: RUBY-1355
-      # TODO: RUBY-1358
-      # TODO: RUBY-1438 -- remove
+      # Send Activities messages to TS [Contrast::Api::Dtm::Activity]
+      # TODO: RUBY-1704
+      # TODO: RUBY-1438
       def send_activity_messages
-        events = [context.activity]
-        unless Contrast::Agent::Reporter.enabled?
-          Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
-          events << context.server_activity
-          events << context.observed_route
-        end
-        events.each do |message|
-          Contrast::Agent.messaging_queue&.send_event_eventually(message)
-        end
+        Contrast::Agent.messaging_queue&.send_event_eventually(context.activity)
       end
 
       # reports events[Contrast::Agent::Reporting::ReporterEvent] to TS
       # This method is used to send our JSON messages directly to TeamServer at the end of each request. As we move
       # more endpoints over, this method will take the messages originally sent by #send_actiivty_messages. At the end,
       # that method should be removed.
-      def report_activity # rubocop:disable Metrics/AbcSize
-        return unless Contrast::Agent::Reporter.enabled?
+      def report_activity
+        return unless (reporter = Contrast::Agent.reporter)
 
-        reporter = Contrast::Agent.reporter
-        return unless reporter
+        reporter.send_event(context.observed_route)
+        return unless Contrast::Agent::Reporter.enabled?
 
         # Mask Sensitive Data
         Contrast::Agent::Reporting::Masker.mask(context.activity)
-
-        Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
-        [
-          context.new_observed_route,
-          Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.server_activity),
-          Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity.library_usages),
-          Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
-        ].each do |event|
-          reporter.send_event(event)
-        rescue StandardError => e
-          logger.warn('Unable to send Event Activity', e)
-        end
-        context.activity.library_usages.clear # TODO: RUBY-1355 remove when no longer using activity
+        event = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
+        reporter.send_event(event)
       end
 
       # If the response is streaming, we should only perform filtering on our stream safe rules

data/lib/contrast/agent/rule_set.rb

@@ -14,6 +14,8 @@ module Contrast
       # The main action here is snapshotting the request as provided to the application from the
       # user before any application code has acted upon it. Additionally, this is where Protect will
       # terminate requests on attack detection if set to block at perimeter
+      #
+      # @raise [Contrast::SecurityException] raises error if security exception is thrown in prefilter
       def prefilter
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context&.analyze_request?
@@ -30,6 +32,8 @@ module Contrast
 
       # The filtering that needs occur after the application has acted on the request and the response
       # has been created. The main actions here are analyzing the response for unsafe state or actions.
+      #
+      # @raise [Contrast::SecurityException] raises error if security exception is thrown in postfilter
       def postfilter
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context&.analyze_response?

data/lib/contrast/agent/service_heartbeat.rb

@@ -22,7 +22,7 @@ module Contrast
         @_thread = Contrast::Agent::Thread.new do
           logger.info('Starting heartbeat thread.')
           loop do
-            Contrast::Agent.messaging_queue.send_event_eventually(poll_message)
+            Contrast::Agent.messaging_queue&.send_event_eventually(poll_message)
             sleep(REFRESH_INTERVAL_SEC)
           end
         end

data/lib/contrast/agent/static_analysis.rb

@@ -4,7 +4,6 @@
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/agent/reporting/reporting_events/application_update'
-require 'contrast/api/decorators/application_update'
 
 module Contrast
   module Agent
@@ -24,23 +23,15 @@ module Contrast
           end
         end
 
-        # TODO: RUBY-1356
         def send_inventory_message
           return unless ::Contrast::INVENTORY.enabled?
 
-          app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
-
-          Contrast::Agent::Inventory::DatabaseConfig.append_db_config(app_update_msg)
-          # TODO: RUBY-1438 -- remove and build ReportingEvent directly
-          if Contrast::Agent.reporter
-            report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(app_update_msg)
-            Contrast::Agent.reporter.send_event(report)
-
-            # This is being reported separately because we extract the data from the same message
-            inventory_report = Contrast::Agent::Reporting::ApplicationInventory.convert(app_update_msg)
-            Contrast::Agent.reporter.send_event(inventory_report)
-          else
-            Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg, force: true)
+          report = Contrast::Agent::Reporting::ApplicationUpdate.new
+          # This convert here is left as it'll be easier to be replaced when the Library is being changed
+          report.libraries = Contrast::Agent::Inventory::DependencyAnalysis.instance.library_pb_list
+          Contrast::Agent::Inventory::DatabaseConfig.append_db_config(report)
+          [report, Contrast::Agent::Reporting::ApplicationInventory.new].each do |e|
+            Contrast::Agent.reporter.send_event(e)
           end
         end