contrast-agent 6.1.2 → 6.4.0

data/proto/rpc.proto

@@ -0,0 +1,71 @@
+// Copyright (c) 2009 Shardul Deo
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+// Authors: Shardul Deo, BJ Neilsen
+//
+// Protobufs needed for socket rpcs.
+
+syntax = "proto2";
+
+package protobuf.socketrpc;
+
+message Request
+{
+  required string service_name = 1;             // Fully- qualified Service class name
+  required string method_name = 2;              // Service method to invoke
+  optional bytes request_proto = 3;             // Serialized request bytes
+  optional string caller = 4;                   // Calling hostname or address
+  repeated Header headers = 5;                  // General purpose request headers
+}
+
+message Response
+{
+  optional bytes response_proto = 1;            // Serialized response
+  optional string error = 2;                    // Error message, if any
+  optional bool callback = 3 [default = false]; // Was callback invoked (not sure what this is for)
+  optional ErrorReason error_reason = 4;        // Error Reason
+  optional string server = 5;                   // Server hostname or address
+}
+
+message Header {
+  required string key = 1;
+  optional string value = 2;
+}
+
+// Possible error reasons
+// The server-side errors are returned in the response from the server.
+// The client-side errors are returned by the client-side code when it doesn't
+// have a response from the server.
+enum ErrorReason
+{
+  // Server-side errors
+  BAD_REQUEST_DATA = 0;                         // Server received bad request data
+  BAD_REQUEST_PROTO = 1;                        // Server received bad request proto
+  SERVICE_NOT_FOUND = 2;                        // Service not found on server
+  METHOD_NOT_FOUND = 3;                         // Method not found on server
+  RPC_ERROR = 4;                                // Rpc threw exception on server
+  RPC_FAILED = 5;                               // Rpc failed on server
+
+  // Client-side errors (these are returned by the client-side code)
+  INVALID_REQUEST_PROTO = 6;                    // Rpc was called with invalid request proto
+  BAD_RESPONSE_PROTO = 7;                       // Server returned a bad response proto
+  UNKNOWN_HOST = 8;                             // Could not find supplied host
+  IO_ERROR = 9;                                 // I/O error while communicating with server
+}

data/resources/assess/policy.json

@@ -1092,17 +1092,8 @@
       "patch_method": "sprintf_tagger",
       "source": "O,P1",
       "target": "R"
-    }, {
-      "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
-      "instance_method": true,
-      "method_visibility": "public",
-      "method_name":"quote",
-      "source": "P0",
-      "target": "R",
-      "action": "SPLAT",
-      "tags":["SQL_ENCODED"],
-      "untags":["SQL_DECODED"]
-    }, {
+    },
+    {
       "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
       "instance_method": true,
       "method_visibility": "public",

data/ruby-agent.gemspec

@@ -113,9 +113,9 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
-  spec.add_dependency 'ougai', '~> 1.8'
-  spec.add_dependency 'protobuf', '~> 3.10'
+  spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
   spec.add_dependency 'rack', '~> 2.0'
+  spec.add_dependency 'activesupport', '>= 3.2' # TODO: RUBY-1438 remove w/ protobuf code
 end
 
 # Enumerate the files required to build the Agent.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 6.1.2
+  version: 6.4.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-05-12 00:00:00.000000000 Z
+date: 2022-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -585,44 +585,50 @@ dependencies:
   name: ougai
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
-  name: protobuf
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.10'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.2'
 description: This gem instantiates a Rack middleware for rack-based web applications
   in order to provide Interactive Application Security Testing and Protection.
 email:
@@ -631,22 +637,22 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_string/extconf.rb
-- ext/cs__assess_test/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_array/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
 - ext/cs__assess_hash/extconf.rb
-- ext/cs__scope/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__assess_module/extconf.rb
+- ext/cs__assess_string_interpolation/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
 - ext/cs__os_information/extconf.rb
+- ext/cs__assess_array/extconf.rb
 - ext/cs__tests/extconf.rb
+- ext/cs__assess_module/extconf.rb
 - ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_string/extconf.rb
+- ext/cs__scope/extconf.rb
+- ext/cs__assess_test/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -689,9 +695,9 @@ files:
 - ext/cs__assess_string/cs__assess_string.c
 - ext/cs__assess_string/cs__assess_string.h
 - ext/cs__assess_string/extconf.rb
-- ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c
-- ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h
-- ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_string_interpolation/cs__assess_string_interpolation.c
+- ext/cs__assess_string_interpolation/cs__assess_string_interpolation.h
+- ext/cs__assess_string_interpolation/extconf.rb
 - ext/cs__assess_test/cs__assess_test.h
 - ext/cs__assess_test/cs__assess_tests.c
 - ext/cs__assess_test/extconf.rb
@@ -1057,14 +1063,27 @@ files:
 - lib/contrast/agent/reporting/settings/application_settings.rb
 - lib/contrast/agent/reporting/settings/assess.rb
 - lib/contrast/agent/reporting/settings/assess_server_feature.rb
+- lib/contrast/agent/reporting/settings/bot_blocker.rb
+- lib/contrast/agent/reporting/settings/code_exclusion.rb
+- lib/contrast/agent/reporting/settings/exclusion_base.rb
 - lib/contrast/agent/reporting/settings/exclusions.rb
+- lib/contrast/agent/reporting/settings/helpers.rb
+- lib/contrast/agent/reporting/settings/input_exclusion.rb
+- lib/contrast/agent/reporting/settings/ip_filter.rb
+- lib/contrast/agent/reporting/settings/keyword.rb
+- lib/contrast/agent/reporting/settings/log_enhancer.rb
 - lib/contrast/agent/reporting/settings/protect.rb
 - lib/contrast/agent/reporting/settings/protect_server_feature.rb
 - lib/contrast/agent/reporting/settings/reaction.rb
+- lib/contrast/agent/reporting/settings/rule_definition.rb
 - lib/contrast/agent/reporting/settings/sampling.rb
+- lib/contrast/agent/reporting/settings/sanitizer.rb
 - lib/contrast/agent/reporting/settings/sensitive_data_masking.rb
 - lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb
 - lib/contrast/agent/reporting/settings/server_features.rb
+- lib/contrast/agent/reporting/settings/syslog.rb
+- lib/contrast/agent/reporting/settings/url_exclusion.rb
+- lib/contrast/agent/reporting/settings/validator.rb
 - lib/contrast/agent/request.rb
 - lib/contrast/agent/request_context.rb
 - lib/contrast/agent/request_context_extend.rb
@@ -1083,7 +1102,6 @@ files:
 - lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_message_exception.rb
 - lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_stack_frame.rb
 - lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb
-- lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb
 - lib/contrast/agent/telemetry/events/metric_event.rb
 - lib/contrast/agent/telemetry/events/startup_metrics_event.rb
 - lib/contrast/agent/thread.rb
@@ -1109,7 +1127,6 @@ files:
 - lib/contrast/api/decorators/agent_startup.rb
 - lib/contrast/api/decorators/application_settings.rb
 - lib/contrast/api/decorators/application_startup.rb
-- lib/contrast/api/decorators/application_update.rb
 - lib/contrast/api/decorators/architecture_component.rb
 - lib/contrast/api/decorators/bot_blocker.rb
 - lib/contrast/api/decorators/finding.rb
@@ -1117,8 +1134,6 @@ files:
 - lib/contrast/api/decorators/input_analysis.rb
 - lib/contrast/api/decorators/instrumentation_mode.rb
 - lib/contrast/api/decorators/ip_denylist.rb
-- lib/contrast/api/decorators/library.rb
-- lib/contrast/api/decorators/library_usage_update.rb
 - lib/contrast/api/decorators/message.rb
 - lib/contrast/api/decorators/rasp_rule_sample.rb
 - lib/contrast/api/decorators/response_type.rb
@@ -1194,7 +1209,6 @@ files:
 - lib/contrast/framework/grape/support.rb
 - lib/contrast/framework/manager.rb
 - lib/contrast/framework/manager_extend.rb
-- lib/contrast/framework/platform_version.rb
 - lib/contrast/framework/rack/patch/session_cookie.rb
 - lib/contrast/framework/rack/patch/support.rb
 - lib/contrast/framework/rack/support.rb
@@ -1259,6 +1273,67 @@ files:
 - lib/contrast/utils/telemetry_identifier.rb
 - lib/contrast/utils/thread_tracker.rb
 - lib/contrast/utils/timer.rb
+- lib/protobuf.rb
+- lib/protobuf/code_generator.rb
+- lib/protobuf/decoder.rb
+- lib/protobuf/deprecation.rb
+- lib/protobuf/descriptors.rb
+- lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb
+- lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb
+- lib/protobuf/encoder.rb
+- lib/protobuf/enum.rb
+- lib/protobuf/exceptions.rb
+- lib/protobuf/field.rb
+- lib/protobuf/field/base_field.rb
+- lib/protobuf/field/base_field_object_definitions.rb
+- lib/protobuf/field/bool_field.rb
+- lib/protobuf/field/bytes_field.rb
+- lib/protobuf/field/double_field.rb
+- lib/protobuf/field/enum_field.rb
+- lib/protobuf/field/field_array.rb
+- lib/protobuf/field/field_hash.rb
+- lib/protobuf/field/fixed32_field.rb
+- lib/protobuf/field/fixed64_field.rb
+- lib/protobuf/field/float_field.rb
+- lib/protobuf/field/int32_field.rb
+- lib/protobuf/field/int64_field.rb
+- lib/protobuf/field/integer_field.rb
+- lib/protobuf/field/message_field.rb
+- lib/protobuf/field/sfixed32_field.rb
+- lib/protobuf/field/sfixed64_field.rb
+- lib/protobuf/field/signed_integer_field.rb
+- lib/protobuf/field/sint32_field.rb
+- lib/protobuf/field/sint64_field.rb
+- lib/protobuf/field/string_field.rb
+- lib/protobuf/field/uint32_field.rb
+- lib/protobuf/field/uint64_field.rb
+- lib/protobuf/field/varint_field.rb
+- lib/protobuf/generators/base.rb
+- lib/protobuf/generators/enum_generator.rb
+- lib/protobuf/generators/extension_generator.rb
+- lib/protobuf/generators/field_generator.rb
+- lib/protobuf/generators/file_generator.rb
+- lib/protobuf/generators/group_generator.rb
+- lib/protobuf/generators/message_generator.rb
+- lib/protobuf/generators/option_generator.rb
+- lib/protobuf/generators/printable.rb
+- lib/protobuf/generators/service_generator.rb
+- lib/protobuf/lifecycle.rb
+- lib/protobuf/logging.rb
+- lib/protobuf/message.rb
+- lib/protobuf/message/fields.rb
+- lib/protobuf/message/serialization.rb
+- lib/protobuf/optionable.rb
+- lib/protobuf/tasks.rb
+- lib/protobuf/tasks/compile.rake
+- lib/protobuf/varint.rb
+- lib/protobuf/varint_pure.rb
+- lib/protobuf/version.rb
+- lib/protobuf/wire_type.rb
+- proto/dynamic_discovery.proto
+- proto/google/protobuf/compiler/plugin.proto
+- proto/google/protobuf/descriptor.proto
+- proto/rpc.proto
 - resources/assess/policy.json
 - resources/deadzone/policy.json
 - resources/inventory/policy.json

data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions_report.rb

@@ -1,30 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Telemetry
-      # This module will handle the reporting of the TelemetryExceptionHash
-      module TelemetryExceptionReport
-        # Here we will send any exceptions gathered. The telemetry_hash is split into batches of 256
-        # and then added to the telemetry queue. Since this method is called before entering the
-        # until queue loop any updates after clearing the Contrast::TELEMETRY_EXCEPTIONS would have
-        # to wait for the sending process to be completed, so accumulating new batches.
-        # This methods expects queue and error_messages methods from Contrast::Agent::Telemetry::Base
-        def push_exceptions
-          return unless Contrast::TELEMETRY_EXCEPTIONS&.any?
-
-          Contrast::TELEMETRY_EXCEPTIONS.values.each_slice(256) { |tuple| error_messages.push(tuple) }
-          # Clear the hash. All exceptions now live in @_error_messages instance variable. and we will
-          # add them to the queue. Clearing would make the hash available to be populated again while the
-          # sending is proceeding.
-          Contrast::TELEMETRY_EXCEPTIONS.clear
-          # Add batch to queue. We need to shift here, because we want to report from the oldest batch to
-          # the newest. And even if somehow the array is filled during sending the new messages would stay
-          # and wait their turn.
-          queue << error_messages.shift until error_messages.empty?
-        end
-      end
-    end
-  end
-end

data/lib/contrast/api/decorators/application_update.rb

@@ -1,52 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/string_utils'
-
-module Contrast
-  module Api
-    module Decorators
-      # Used to decorate the {Contrast::Api::Dtm::ApplicationUpdate} protobuf
-      # model so it can own some of the data massaging required for AppUpdate
-      # dtm.
-      module ApplicationUpdate
-        def self.included klass
-          klass.extend(ClassMethods)
-        end
-
-        def append_library_update library_dtm_list
-          library_dtm_list.each do |library_dtm|
-            libraries[library_dtm.hash_code] = library_dtm
-          end
-        end
-
-        # TS only allows you to report 500 routes per application
-        def append_route_coverage_data route_coverage_dtms
-          route_coverage_dtms.take(500).each do |route_coverage_dtm|
-            routes << route_coverage_dtm
-          end
-        end
-
-        def append_platform_version platform_version
-          self.platform = Contrast::Api::Dtm::Platform.new if platform.nil?
-          platform.major = platform_version.major
-          platform.minor = platform_version.minor
-          platform.build = platform_version.patch
-        end
-
-        # Used to add class methods to the ApplicationUpdate class on inclusion of the decorator
-        module ClassMethods
-          def build
-            msg = new
-            msg.append_route_coverage_data(Contrast::Agent.framework_manager.find_route_discovery_data)
-            msg.append_platform_version(Contrast::Agent.framework_manager.platform_version)
-            msg.append_library_update(Contrast::Agent::Inventory::DependencyAnalysis.instance.library_pb_list)
-            msg
-          end
-        end
-      end
-    end
-  end
-end
-
-Contrast::Api::Dtm::ApplicationUpdate.include(Contrast::Api::Decorators::ApplicationUpdate)

data/lib/contrast/api/decorators/library.rb

@@ -1,56 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/string_utils'
-require 'contrast/utils/sha256_builder'
-require 'yaml'
-
-module Contrast
-  module Api
-    module Decorators
-      # Used to decorate the Library protobuf model to handle Gem::Specification translation
-      module Library
-        StringUtils = Contrast::Utils::StringUtils
-
-        def self.included klass
-          klass.extend(ClassMethods)
-        end
-
-        # Used to add class methods to the Library class on inclusion of the decorator
-        module ClassMethods
-          def build digest, gem_specification
-            msg = new
-            msg.file_path = StringUtils.force_utf8(gem_specification.name) # rubocop:disable Security/Module/Name
-            msg.hash_code   = StringUtils.force_utf8(digest)
-            msg.version     = StringUtils.force_utf8(gem_specification.version)
-            msg.manifest    = StringUtils.force_utf8(build_manifest(gem_specification))
-            msg.external_ms = date_to_ms(gem_specification.date)
-            msg.internal_ms = msg.external_ms
-            msg.url         = StringUtils.force_utf8(gem_specification.homepage)
-            msg.class_count = file_count(gem_specification.full_gem_path.to_s)
-            msg.used_class_count = 0
-            msg
-          end
-
-          # These are all the code files that are located in the Gem directory loaded
-          # by the current environment; this includes more than Ruby files
-          def file_count path
-            Contrast::Utils::Sha256Builder.instance.files(path).length
-          end
-
-          def build_manifest spec
-            StringUtils.force_utf8(spec.to_yaml.to_s)
-          rescue StandardError
-            nil
-          end
-
-          def date_to_ms date
-            (date.to_f * 1000.0).to_i
-          end
-        end
-      end
-    end
-  end
-end
-
-Contrast::Api::Dtm::Library.include(Contrast::Api::Decorators::Library)

data/lib/contrast/api/decorators/library_usage_update.rb

@@ -1,31 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/string_utils'
-
-module Contrast
-  module Api
-    module Decorators
-      # Used to decorate the LibraryUsageUpdate protobuf
-      module LibraryUsageUpdate
-        def self.included klass
-          klass.extend(ClassMethods)
-        end
-
-        # Used to add class methods to the LibraryUsageUpdate class on inclusion of the decorator
-        module ClassMethods
-          def build digest, files
-            msg = new
-            msg.hash_code = Contrast::Utils::StringUtils.force_utf8(digest)
-            files.each do |required_file|
-              msg.class_names[required_file] = true
-            end
-            msg
-          end
-        end
-      end
-    end
-  end
-end
-
-Contrast::Api::Dtm::LibraryUsageUpdate.include(Contrast::Api::Decorators::LibraryUsageUpdate)

data/lib/contrast/framework/platform_version.rb

@@ -1,22 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Framework
-    # Used to map version strings from frameworks to ApplicationUpdate dtm
-    class PlatformVersion
-      attr_reader :major, :minor, :patch
-
-      def initialize major, minor, patch
-        @major = major || ''
-        @minor = minor || ''
-        @patch = patch || ''
-      end
-
-      def self.from_string platform_version_string
-        version_array = platform_version_string.split(Contrast::Utils::ObjectShare::PERIOD)
-        new(version_array[0], version_array[1], version_array[2])
-      end
-    end
-  end
-end