contrast-agent 6.11.0 → 6.13.0

Files changed (471) hide show
  1. checksums.yaml +4 -4
  2. data/.simplecov +1 -1
  3. data/Gemfile +1 -1
  4. data/Rakefile +1 -1
  5. data/ext/build_funchook.rb +1 -1
  6. data/ext/cs__assess_array/cs__assess_array.c +24 -18
  7. data/ext/cs__assess_array/extconf.rb +1 -1
  8. data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
  9. data/ext/cs__assess_basic_object/extconf.rb +1 -1
  10. data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
  11. data/ext/cs__assess_fiber_track/extconf.rb +1 -1
  12. data/ext/cs__assess_hash/cs__assess_hash.c +1 -1
  13. data/ext/cs__assess_hash/extconf.rb +1 -1
  14. data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
  15. data/ext/cs__assess_kernel/extconf.rb +1 -1
  16. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +7 -5
  17. data/ext/cs__assess_marshal_module/extconf.rb +1 -1
  18. data/ext/cs__assess_module/cs__assess_module.c +1 -1
  19. data/ext/cs__assess_module/extconf.rb +1 -1
  20. data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
  21. data/ext/cs__assess_regexp/extconf.rb +1 -1
  22. data/ext/cs__assess_string/cs__assess_string.c +1 -1
  23. data/ext/cs__assess_string/extconf.rb +1 -1
  24. data/ext/cs__assess_string_interpolation/cs__assess_string_interpolation.c +1 -1
  25. data/ext/cs__assess_string_interpolation/extconf.rb +1 -1
  26. data/ext/cs__assess_test/extconf.rb +1 -1
  27. data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
  28. data/ext/cs__assess_yield_track/extconf.rb +1 -1
  29. data/ext/cs__common/cs__common.c +1 -1
  30. data/ext/cs__common/extconf.rb +1 -1
  31. data/ext/cs__contrast_patch/cs__contrast_patch.c +12 -10
  32. data/ext/cs__contrast_patch/extconf.rb +1 -1
  33. data/ext/cs__os_information/cs__os_information.c +1 -1
  34. data/ext/cs__os_information/extconf.rb +1 -1
  35. data/ext/cs__scope/cs__scope.c +390 -207
  36. data/ext/cs__scope/cs__scope.h +3 -1
  37. data/ext/cs__scope/extconf.rb +1 -1
  38. data/ext/cs__tests/cs__tests.c +1 -1
  39. data/ext/cs__tests/extconf.rb +1 -1
  40. data/ext/extconf_common.rb +1 -1
  41. data/lib/contrast/agent/assess/contrast_object.rb +1 -1
  42. data/lib/contrast/agent/assess/events/event_data.rb +1 -1
  43. data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
  44. data/lib/contrast/agent/assess/finalizers/hash.rb +1 -1
  45. data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +1 -1
  46. data/lib/contrast/agent/assess/policy/patcher.rb +1 -1
  47. data/lib/contrast/agent/assess/policy/policy.rb +1 -1
  48. data/lib/contrast/agent/assess/policy/policy_node.rb +1 -1
  49. data/lib/contrast/agent/assess/policy/policy_node_utils.rb +1 -1
  50. data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
  51. data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
  52. data/lib/contrast/agent/assess/policy/propagation_method.rb +1 -1
  53. data/lib/contrast/agent/assess/policy/propagation_node.rb +1 -1
  54. data/lib/contrast/agent/assess/policy/propagator/append.rb +1 -1
  55. data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
  56. data/lib/contrast/agent/assess/policy/propagator/buffer.rb +1 -1
  57. data/lib/contrast/agent/assess/policy/propagator/center.rb +1 -1
  58. data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
  59. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -1
  60. data/lib/contrast/agent/assess/policy/propagator/insert.rb +1 -1
  61. data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
  62. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +1 -1
  63. data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
  64. data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
  65. data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb +1 -1
  66. data/lib/contrast/agent/assess/policy/propagator/remove.rb +1 -1
  67. data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
  68. data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
  69. data/lib/contrast/agent/assess/policy/propagator/select.rb +1 -1
  70. data/lib/contrast/agent/assess/policy/propagator/splat.rb +1 -1
  71. data/lib/contrast/agent/assess/policy/propagator/split.rb +1 -1
  72. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +1 -1
  73. data/lib/contrast/agent/assess/policy/propagator/substitution_utils.rb +1 -1
  74. data/lib/contrast/agent/assess/policy/propagator/trim.rb +1 -1
  75. data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
  76. data/lib/contrast/agent/assess/policy/source_method.rb +1 -3
  77. data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
  78. data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +1 -1
  79. data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +1 -1
  80. data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +2 -1
  81. data/lib/contrast/agent/assess/policy/trigger/xpath.rb +1 -1
  82. data/lib/contrast/agent/assess/policy/trigger_method.rb +1 -1
  83. data/lib/contrast/agent/assess/policy/trigger_node.rb +1 -1
  84. data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +39 -1
  85. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
  86. data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +1 -1
  87. data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
  88. data/lib/contrast/agent/assess/properties.rb +1 -1
  89. data/lib/contrast/agent/assess/property/evented.rb +1 -1
  90. data/lib/contrast/agent/assess/property/tagged.rb +1 -1
  91. data/lib/contrast/agent/assess/property/updated.rb +1 -1
  92. data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +1 -1
  93. data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +1 -1
  94. data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +1 -1
  95. data/lib/contrast/agent/assess/rule/provider.rb +1 -1
  96. data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb +1 -1
  97. data/lib/contrast/agent/assess/rule/response/base_rule.rb +1 -1
  98. data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -1
  99. data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +1 -1
  100. data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb +1 -1
  101. data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +1 -1
  102. data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb +1 -1
  103. data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +1 -1
  104. data/lib/contrast/agent/assess/rule/response/header_rule.rb +1 -1
  105. data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +1 -1
  106. data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb +1 -1
  107. data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb +1 -1
  108. data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +1 -1
  109. data/lib/contrast/agent/assess/tag.rb +1 -1
  110. data/lib/contrast/agent/assess/tracker.rb +1 -1
  111. data/lib/contrast/agent/assess.rb +1 -1
  112. data/lib/contrast/agent/at_exit_hook.rb +1 -1
  113. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
  114. data/lib/contrast/agent/deadzone/policy/policy.rb +1 -1
  115. data/lib/contrast/agent/disable_reaction.rb +1 -1
  116. data/lib/contrast/agent/excluder.rb +125 -43
  117. data/lib/contrast/agent/exclusion_matcher.rb +11 -55
  118. data/lib/contrast/agent/inventory/database_config.rb +1 -1
  119. data/lib/contrast/agent/inventory/dependencies.rb +1 -1
  120. data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
  121. data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +1 -1
  122. data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
  123. data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
  124. data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
  125. data/lib/contrast/agent/inventory.rb +1 -1
  126. data/lib/contrast/agent/middleware.rb +21 -8
  127. data/lib/contrast/agent/module_data.rb +1 -1
  128. data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
  129. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +1 -1
  130. data/lib/contrast/agent/patching/policy/method_policy.rb +1 -1
  131. data/lib/contrast/agent/patching/policy/method_policy_extend.rb +1 -1
  132. data/lib/contrast/agent/patching/policy/module_policy.rb +1 -1
  133. data/lib/contrast/agent/patching/policy/patch.rb +1 -1
  134. data/lib/contrast/agent/patching/policy/patch_status.rb +1 -1
  135. data/lib/contrast/agent/patching/policy/patcher.rb +1 -1
  136. data/lib/contrast/agent/patching/policy/policy.rb +1 -1
  137. data/lib/contrast/agent/patching/policy/policy_node.rb +1 -1
  138. data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
  139. data/lib/contrast/agent/protect/exploitable_collection.rb +1 -1
  140. data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +4 -2
  141. data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +12 -11
  142. data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +1 -1
  143. data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +1 -1
  144. data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +1 -1
  145. data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
  146. data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -1
  147. data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
  148. data/lib/contrast/agent/protect/policy/policy.rb +1 -1
  149. data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -1
  150. data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
  151. data/lib/contrast/agent/protect/rule/base.rb +9 -19
  152. data/lib/contrast/agent/protect/rule/base_service.rb +33 -10
  153. data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +1 -1
  154. data/lib/contrast/agent/protect/rule/bot_blocker.rb +1 -1
  155. data/lib/contrast/agent/protect/rule/cmd_injection.rb +1 -1
  156. data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -50
  157. data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +11 -18
  158. data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +10 -11
  159. data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +10 -11
  160. data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +1 -1
  161. data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
  162. data/lib/contrast/agent/protect/rule/deserialization.rb +2 -3
  163. data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +1 -1
  164. data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +1 -1
  165. data/lib/contrast/agent/protect/rule/no_sqli.rb +1 -13
  166. data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +1 -1
  167. data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +34 -9
  168. data/lib/contrast/agent/protect/rule/path_traversal.rb +1 -47
  169. data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +1 -1
  170. data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
  171. data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
  172. data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
  173. data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +1 -1
  174. data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +1 -1
  175. data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb +5 -5
  176. data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
  177. data/lib/contrast/agent/protect/rule/sqli.rb +1 -13
  178. data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +1 -1
  179. data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +1 -2
  180. data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +1 -1
  181. data/lib/contrast/agent/protect/rule/xss.rb +1 -1
  182. data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +1 -1
  183. data/lib/contrast/agent/protect/rule/xxe.rb +2 -3
  184. data/lib/contrast/agent/protect/rule.rb +1 -1
  185. data/lib/contrast/agent/reporting/attack_result/attack_result.rb +1 -1
  186. data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +1 -1
  187. data/lib/contrast/agent/reporting/attack_result/response_type.rb +1 -1
  188. data/lib/contrast/agent/reporting/attack_result/user_input.rb +1 -1
  189. data/lib/contrast/{api/communication → agent/reporting}/connection_status.rb +3 -17
  190. data/lib/contrast/agent/reporting/details/bot_blocker_details.rb +1 -1
  191. data/lib/contrast/agent/reporting/details/cmd_injection_details.rb +1 -1
  192. data/lib/contrast/agent/reporting/details/details.rb +1 -1
  193. data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +1 -1
  194. data/lib/contrast/agent/reporting/details/no_sqli_details.rb +1 -1
  195. data/lib/contrast/agent/reporting/details/path_traversal_details.rb +1 -1
  196. data/lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb +1 -1
  197. data/lib/contrast/agent/reporting/details/protect_rule_details.rb +1 -1
  198. data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb +1 -1
  199. data/lib/contrast/agent/reporting/details/sqli_details.rb +1 -1
  200. data/lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb +1 -1
  201. data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +1 -1
  202. data/lib/contrast/agent/reporting/details/xss_details.rb +1 -1
  203. data/lib/contrast/agent/reporting/details/xss_match.rb +1 -1
  204. data/lib/contrast/agent/reporting/details/xxe_details.rb +1 -1
  205. data/lib/contrast/agent/reporting/details/xxe_match.rb +1 -1
  206. data/lib/contrast/agent/reporting/details/xxe_wrapper.rb +1 -1
  207. data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +1 -1
  208. data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +1 -1
  209. data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -1
  210. data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +1 -1
  211. data/lib/contrast/agent/reporting/input_analysis/input_type.rb +1 -1
  212. data/lib/contrast/agent/reporting/input_analysis/score_level.rb +1 -1
  213. data/lib/contrast/agent/reporting/masker/masker.rb +1 -1
  214. data/lib/contrast/agent/reporting/masker/masker_utils.rb +1 -1
  215. data/lib/contrast/agent/reporting/report.rb +1 -1
  216. data/lib/contrast/agent/reporting/reporter.rb +10 -9
  217. data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +2 -2
  218. data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +5 -4
  219. data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +13 -9
  220. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +5 -6
  221. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -1
  222. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +4 -3
  223. data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack.rb +1 -1
  224. data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +19 -12
  225. data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +2 -2
  226. data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +2 -2
  227. data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +1 -1
  228. data/lib/contrast/agent/reporting/reporting_events/application_settings.rb +2 -2
  229. data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +2 -2
  230. data/lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb +1 -1
  231. data/lib/contrast/agent/reporting/reporting_events/application_update.rb +2 -3
  232. data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +4 -10
  233. data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +3 -11
  234. data/lib/contrast/agent/reporting/reporting_events/finding.rb +2 -11
  235. data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +5 -12
  236. data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb +4 -12
  237. data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb +9 -13
  238. data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb +9 -13
  239. data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +5 -12
  240. data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +10 -21
  241. data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb +9 -12
  242. data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb +10 -14
  243. data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range_tags.rb +1 -1
  244. data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +4 -12
  245. data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +14 -14
  246. data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +14 -14
  247. data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb +3 -11
  248. data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +2 -11
  249. data/lib/contrast/agent/reporting/reporting_events/poll.rb +2 -2
  250. data/lib/contrast/agent/reporting/reporting_events/preflight.rb +13 -2
  251. data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +5 -13
  252. data/lib/contrast/agent/reporting/reporting_events/reportable_hash.rb +47 -0
  253. data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +4 -35
  254. data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +1 -3
  255. data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +9 -13
  256. data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +9 -13
  257. data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +1 -1
  258. data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +2 -2
  259. data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +5 -2
  260. data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +5 -2
  261. data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +1 -1
  262. data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +6 -3
  263. data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb +4 -4
  264. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +6 -19
  265. data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +20 -3
  266. data/lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb +1 -1
  267. data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
  268. data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +2 -22
  269. data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +1 -1
  270. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb +1 -1
  271. data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +22 -5
  272. data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +1 -1
  273. data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +1 -1
  274. data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb +1 -1
  275. data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +1 -1
  276. data/lib/contrast/agent/reporting/settings/application_settings.rb +1 -1
  277. data/lib/contrast/agent/reporting/settings/assess.rb +1 -1
  278. data/lib/contrast/agent/reporting/settings/assess_rule.rb +1 -1
  279. data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +1 -1
  280. data/lib/contrast/agent/reporting/settings/bot_blocker.rb +1 -1
  281. data/lib/contrast/agent/reporting/settings/exclusion_base.rb +90 -12
  282. data/lib/contrast/agent/reporting/settings/exclusions.rb +11 -31
  283. data/lib/contrast/agent/reporting/settings/helpers.rb +41 -5
  284. data/lib/contrast/agent/reporting/settings/input_exclusion.rb +54 -10
  285. data/lib/contrast/agent/reporting/settings/ip_filter.rb +1 -1
  286. data/lib/contrast/agent/reporting/settings/keyword.rb +1 -1
  287. data/lib/contrast/agent/reporting/settings/log_enhancer.rb +1 -1
  288. data/lib/contrast/agent/reporting/settings/protect.rb +1 -1
  289. data/lib/contrast/agent/reporting/settings/protect_rule.rb +1 -1
  290. data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
  291. data/lib/contrast/agent/reporting/settings/reaction.rb +1 -1
  292. data/lib/contrast/agent/reporting/settings/rule_definition.rb +1 -1
  293. data/lib/contrast/agent/reporting/settings/sampling.rb +1 -1
  294. data/lib/contrast/agent/reporting/settings/sanitizer.rb +1 -1
  295. data/lib/contrast/agent/reporting/settings/security_logger.rb +1 -1
  296. data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +1 -1
  297. data/lib/contrast/agent/reporting/settings/sensitive_data_masking_rule.rb +1 -1
  298. data/lib/contrast/agent/reporting/settings/server_features.rb +1 -1
  299. data/lib/contrast/agent/reporting/settings/syslog.rb +1 -1
  300. data/lib/contrast/agent/reporting/settings/url_exclusion.rb +2 -26
  301. data/lib/contrast/agent/reporting/settings/validator.rb +1 -1
  302. data/lib/contrast/agent/reporting/settings/virtual_patch.rb +1 -1
  303. data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb +1 -1
  304. data/lib/contrast/agent/request.rb +1 -1
  305. data/lib/contrast/agent/request_context.rb +1 -1
  306. data/lib/contrast/agent/request_context_extend.rb +1 -1
  307. data/lib/contrast/agent/request_handler.rb +1 -1
  308. data/lib/contrast/agent/response.rb +1 -1
  309. data/lib/contrast/agent/rule_set.rb +1 -1
  310. data/lib/contrast/agent/scope.rb +9 -1
  311. data/lib/contrast/agent/static_analysis.rb +1 -1
  312. data/lib/contrast/agent/telemetry/base.rb +21 -12
  313. data/lib/contrast/agent/telemetry/client.rb +109 -0
  314. data/lib/contrast/agent/telemetry/{events/event.rb → event.rb} +1 -1
  315. data/lib/contrast/agent/telemetry/{events/exceptions/telemetry_exception_base.rb → exception/base.rb} +2 -2
  316. data/lib/contrast/agent/telemetry/{events/exceptions/telemetry_exception_event.rb → exception/event.rb} +10 -10
  317. data/lib/contrast/agent/telemetry/{events/exceptions/telemetry_exception_message.rb → exception/message.rb} +9 -9
  318. data/lib/contrast/agent/telemetry/{events/exceptions/telemetry_exception_message_exception.rb → exception/message_exception.rb} +9 -9
  319. data/lib/contrast/agent/telemetry/{events/exceptions/telemetry_exception_stack_frame.rb → exception/stack_frame.rb} +4 -4
  320. data/lib/contrast/agent/telemetry/exception.rb +19 -0
  321. data/lib/contrast/agent/telemetry/hash.rb +71 -0
  322. data/lib/contrast/{utils/telemetry_identifier.rb → agent/telemetry/identifier.rb} +5 -5
  323. data/lib/contrast/agent/telemetry/{events/metric_event.rb → metric_event.rb} +2 -2
  324. data/lib/contrast/agent/telemetry/{events/startup_metrics_event.rb → startup_metrics_event.rb} +2 -2
  325. data/lib/contrast/{utils → agent}/telemetry.rb +3 -3
  326. data/lib/contrast/agent/thread.rb +1 -1
  327. data/lib/contrast/agent/thread_watcher.rb +28 -31
  328. data/lib/contrast/agent/tracepoint_hook.rb +1 -1
  329. data/lib/contrast/agent/version.rb +2 -2
  330. data/lib/contrast/agent/worker_thread.rb +1 -1
  331. data/lib/contrast/agent.rb +6 -2
  332. data/lib/contrast/agent_lib/api/command_injection.rb +1 -1
  333. data/lib/contrast/agent_lib/api/init.rb +1 -1
  334. data/lib/contrast/agent_lib/api/input_tracing.rb +1 -1
  335. data/lib/contrast/agent_lib/api/panic.rb +1 -1
  336. data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +1 -1
  337. data/lib/contrast/agent_lib/interface.rb +1 -1
  338. data/lib/contrast/agent_lib/interface_base.rb +2 -2
  339. data/lib/contrast/agent_lib/return_types/eval_result.rb +1 -1
  340. data/lib/contrast/agent_lib/test.rb +1 -1
  341. data/lib/contrast/components/agent.rb +1 -1
  342. data/lib/contrast/components/api.rb +1 -1
  343. data/lib/contrast/components/app_context.rb +1 -1
  344. data/lib/contrast/components/app_context_extend.rb +1 -1
  345. data/lib/contrast/components/assess.rb +1 -1
  346. data/lib/contrast/components/assess_rules.rb +1 -1
  347. data/lib/contrast/components/base.rb +1 -1
  348. data/lib/contrast/components/config/sources.rb +1 -1
  349. data/lib/contrast/components/config.rb +1 -1
  350. data/lib/contrast/components/heap_dump.rb +1 -1
  351. data/lib/contrast/components/inventory.rb +1 -1
  352. data/lib/contrast/components/logger.rb +1 -1
  353. data/lib/contrast/components/polling.rb +4 -4
  354. data/lib/contrast/components/protect.rb +1 -1
  355. data/lib/contrast/components/ruby_component.rb +45 -6
  356. data/lib/contrast/components/sampling.rb +6 -6
  357. data/lib/contrast/components/scope.rb +9 -1
  358. data/lib/contrast/components/security_logger.rb +1 -1
  359. data/lib/contrast/components/settings.rb +13 -12
  360. data/lib/contrast/config/api_proxy_configuration.rb +1 -1
  361. data/lib/contrast/config/base_configuration.rb +1 -1
  362. data/lib/contrast/config/certification_configuration.rb +1 -1
  363. data/lib/contrast/config/config.rb +14 -12
  364. data/lib/contrast/config/diagnostics.rb +12 -3
  365. data/lib/contrast/config/diagnostics_tools.rb +2 -1
  366. data/lib/contrast/config/effective_config.rb +81 -15
  367. data/lib/contrast/config/effective_config_value.rb +4 -4
  368. data/lib/contrast/config/env_variables.rb +1 -1
  369. data/lib/contrast/config/exception_configuration.rb +1 -1
  370. data/lib/contrast/config/protect_rule_configuration.rb +1 -1
  371. data/lib/contrast/config/protect_rules_configuration.rb +1 -1
  372. data/lib/contrast/config/request_audit_configuration.rb +1 -1
  373. data/lib/contrast/config/server_configuration.rb +2 -2
  374. data/lib/contrast/config.rb +1 -1
  375. data/lib/contrast/configuration.rb +1 -1
  376. data/lib/contrast/extension/assess/array.rb +1 -1
  377. data/lib/contrast/extension/assess/erb.rb +1 -1
  378. data/lib/contrast/extension/assess/eval_trigger.rb +1 -1
  379. data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
  380. data/lib/contrast/extension/assess/fiber.rb +1 -1
  381. data/lib/contrast/extension/assess/hash.rb +1 -1
  382. data/lib/contrast/extension/assess/kernel.rb +1 -1
  383. data/lib/contrast/extension/assess/marshal.rb +1 -1
  384. data/lib/contrast/extension/assess/regexp.rb +1 -1
  385. data/lib/contrast/extension/assess/string.rb +1 -1
  386. data/lib/contrast/extension/assess.rb +1 -1
  387. data/lib/contrast/extension/delegator.rb +1 -1
  388. data/lib/contrast/extension/extension.rb +1 -1
  389. data/lib/contrast/extension/inventory.rb +1 -1
  390. data/lib/contrast/extension/module.rb +1 -1
  391. data/lib/contrast/extension/object.rb +1 -1
  392. data/lib/contrast/extension/protect/psych.rb +1 -1
  393. data/lib/contrast/extension/protect.rb +1 -1
  394. data/lib/contrast/extension/thread.rb +1 -1
  395. data/lib/contrast/framework/base_support.rb +1 -1
  396. data/lib/contrast/framework/grape/support.rb +1 -1
  397. data/lib/contrast/framework/manager.rb +1 -1
  398. data/lib/contrast/framework/manager_extend.rb +1 -1
  399. data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
  400. data/lib/contrast/framework/rack/patch/support.rb +1 -1
  401. data/lib/contrast/framework/rack/support.rb +1 -1
  402. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
  403. data/lib/contrast/framework/rails/patch/assess_configuration.rb +1 -1
  404. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
  405. data/lib/contrast/framework/rails/patch/support.rb +1 -1
  406. data/lib/contrast/framework/rails/railtie.rb +1 -1
  407. data/lib/contrast/framework/rails/support.rb +1 -1
  408. data/lib/contrast/framework/sinatra/patch/encrypted_session_cookie.rb +39 -0
  409. data/lib/contrast/framework/sinatra/support.rb +14 -1
  410. data/lib/contrast/funchook/funchook.rb +1 -1
  411. data/lib/contrast/logger/aliased_logging.rb +12 -14
  412. data/lib/contrast/logger/application.rb +1 -1
  413. data/lib/contrast/logger/cef_log.rb +1 -1
  414. data/lib/contrast/logger/format.rb +1 -1
  415. data/lib/contrast/logger/log.rb +1 -1
  416. data/lib/contrast/logger/request.rb +1 -1
  417. data/lib/contrast/logger/time.rb +1 -1
  418. data/lib/contrast/security_exception.rb +1 -1
  419. data/lib/contrast/tasks/config.rb +1 -1
  420. data/lib/contrast/utils/assess/event_limit_utils.rb +1 -1
  421. data/lib/contrast/utils/assess/object_store.rb +1 -1
  422. data/lib/contrast/utils/assess/propagation_method_utils.rb +1 -1
  423. data/lib/contrast/utils/assess/property/tagged_utils.rb +1 -1
  424. data/lib/contrast/utils/assess/sampling_util.rb +1 -1
  425. data/lib/contrast/utils/assess/source_method_utils.rb +1 -1
  426. data/lib/contrast/utils/assess/split_utils.rb +1 -1
  427. data/lib/contrast/utils/assess/tracking_util.rb +1 -1
  428. data/lib/contrast/utils/assess/trigger_method_utils.rb +1 -1
  429. data/lib/contrast/utils/class_util.rb +1 -1
  430. data/lib/contrast/utils/duck_utils.rb +1 -1
  431. data/lib/contrast/utils/env_configuration_item.rb +1 -1
  432. data/lib/contrast/utils/findings.rb +1 -1
  433. data/lib/contrast/utils/hash_digest.rb +1 -1
  434. data/lib/contrast/utils/hash_digest_extend.rb +1 -1
  435. data/lib/contrast/utils/head_dump_utils_extend.rb +1 -1
  436. data/lib/contrast/utils/heap_dump_util.rb +1 -1
  437. data/lib/contrast/utils/input_classification_base.rb +2 -5
  438. data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
  439. data/lib/contrast/utils/io_util.rb +1 -1
  440. data/lib/contrast/utils/job_servers_running.rb +1 -1
  441. data/lib/contrast/utils/log_utils.rb +2 -2
  442. data/lib/contrast/utils/lru_cache.rb +1 -1
  443. data/lib/contrast/utils/metrics_hash.rb +1 -1
  444. data/lib/contrast/utils/middleware_utils.rb +4 -4
  445. data/lib/contrast/utils/net_http_base.rb +3 -3
  446. data/lib/contrast/utils/object_share.rb +2 -1
  447. data/lib/contrast/utils/os.rb +1 -1
  448. data/lib/contrast/utils/patching/policy/patch_utils.rb +1 -1
  449. data/lib/contrast/utils/patching/policy/patcher_utils.rb +1 -1
  450. data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +12 -4
  451. data/lib/contrast/utils/request_utils.rb +1 -1
  452. data/lib/contrast/utils/resource_loader.rb +1 -1
  453. data/lib/contrast/utils/response_utils.rb +1 -1
  454. data/lib/contrast/utils/routes_sent.rb +1 -2
  455. data/lib/contrast/utils/sha256_builder.rb +1 -1
  456. data/lib/contrast/utils/silence_maker.rb +16 -0
  457. data/lib/contrast/utils/stack_trace_utils.rb +1 -1
  458. data/lib/contrast/utils/string_utils.rb +1 -1
  459. data/lib/contrast/utils/tag_util.rb +1 -1
  460. data/lib/contrast/utils/thread_tracker.rb +1 -1
  461. data/lib/contrast/utils/timer.rb +1 -1
  462. data/lib/contrast-agent.rb +1 -1
  463. data/lib/contrast.rb +7 -6
  464. data/resources/assess/policy.json +26 -0
  465. data/ruby-agent.gemspec +2 -2
  466. metadata +31 -30
  467. data/lib/contrast/agent/reporting/settings/code_exclusion.rb +0 -32
  468. data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +0 -124
  469. data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exceptions.rb +0 -19
  470. data/lib/contrast/utils/telemetry_client.rb +0 -107
  471. data/lib/contrast/utils/telemetry_hash.rb +0 -65
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/assess/rule/response/base_rule'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/assess/rule/response/header_rule'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/assess/rule/response/framework/rails_support'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/logger'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/assess/finalizers/hash'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/logger'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/patching/policy/policy_node'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/deadzone/policy/deadzone_node'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/logger'
@@ -1,13 +1,16 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/reporting/settings/url_exclusion'
5
+ require 'contrast/agent/reporting/input_analysis/input_type'
5
6
 
6
7
  module Contrast
7
8
  module Agent
8
9
  # Given an array of exclusion matcher instances provides methods to
9
10
  # determine if the exclusions apply to particular urls.
10
11
  class Excluder # rubocop:disable Metrics/ClassLength
12
+ include Contrast::Agent::Reporting::InputType
13
+
11
14
  # @return [Array<Contrast::Agent::ExclusionMatcher>]
12
15
  attr_reader :exclusions
13
16
 
@@ -16,16 +19,40 @@ module Contrast
16
19
  @exclusions = exclusions
17
20
  end
18
21
 
22
+ # Determine if an input is excluded for protect rule.
23
+ #
24
+ # @param results [Array<Contrast::Agent::Reporting::InputAnalysisResult>]
25
+ # @param request_path [String] Current request path
26
+ def protect_excluded_by_input? results, request_path
27
+ return false unless results.any?
28
+
29
+ exclusion_matched = 0
30
+ protect_input_exclusions.any? do |exclusion_match|
31
+ # each exclusion against each input result
32
+ results.each do |rule_result|
33
+ # check and see the rule_id match first or if this applicable for all protect rules.
34
+ next unless exclusion_match.protection_rule?(rule_result.rule_id)
35
+
36
+ # Based on strategy:
37
+ match = input_match_strategy(exclusion_match,
38
+ input_match?(exclusion_match, rule_result.input_type, rule_result.key),
39
+ request_path)
40
+ exclusion_matched += 1 if match
41
+ end
42
+ end
43
+ return false if exclusion_matched.zero?
44
+
45
+ true
46
+ end
47
+
19
48
  # If an assess URL exclusion rule applies to the current url, *and* is defined as "All Rules"
20
49
  # then we can avoid any tracking for the request.
21
50
  #
22
51
  # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
23
52
  # @return [Boolean]
24
53
  def assess_excluded_by_url? request
25
- request_path = request.path
26
-
27
54
  assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
28
- path_match?(exclusion_matcher, request_path)
55
+ path_match?(exclusion_matcher, request.path)
29
56
  end
30
57
  end
31
58
 
@@ -74,7 +101,7 @@ module Contrast
74
101
  # any INPUT exclusions that apply to the current url and the supplied rule.
75
102
  path = request.path
76
103
  rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
77
- (exclusion_matcher.protection_rules.empty? || exclusion_matcher.protection_rules.include?(rule)) &&
104
+ (exclusion_matcher.protect_rules.empty? || exclusion_matcher.protect_rules.include?(rule)) &&
78
105
  path_match?(exclusion_matcher, path)
79
106
  end
80
107
  return false if rule_input_exclusions.empty?
@@ -94,18 +121,35 @@ module Contrast
94
121
  # If a protect URL exclusion rule applies to the current url, *and* is defined as "All Rules"
95
122
  # then we can avoid using the rule for the request.
96
123
  #
97
- # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
124
+ # @param rule_id [String]
125
+ # @param path [String]
98
126
  # return [Boolean]
99
- def protect_excluded_by_url? request
100
- request_path = request.path
127
+ def protect_excluded_by_url? rule_id, path
128
+ protect_url_exclusions.any? do |exclusion_matcher|
129
+ next unless exclusion_matcher.protection_rule?(rule_id)
101
130
 
102
- protect_url_exclusions_for_all_rules.any? do |exclusion_matcher|
103
- path_match?(exclusion_matcher, request_path)
131
+ return true if path_match?(exclusion_matcher, path)
104
132
  end
105
133
  end
106
134
 
107
135
  private
108
136
 
137
+ # Here we check to see the matching strategy. If ALL is set we need to exclude any input matching
138
+ # the exclusion. If ONLY is set, that means that we have a set if urls to match and apply the
139
+ # input exclusion only to those matching urls.
140
+ #
141
+ # @param exclusion_match [Contrast::Agent::ExclusionMatcher]
142
+ # @param input_match [Boolean] does the input match the exclusion
143
+ # @param request_path [String] Current request path
144
+ # @return [Boolean]
145
+ def input_match_strategy exclusion_match, input_match, request_path
146
+ # for ALL urls
147
+ return input_match if exclusion_match.match_all?
148
+
149
+ # for ONLY match we need to check if there is an input and url match.
150
+ input_match && path_match?(exclusion_match, request_path)
151
+ end
152
+
109
153
  # @return [Array<Contrast::Agent::ExclusionMatcher>]
110
154
  def assess_url_exclusions_for_all_rules
111
155
  @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion_matcher|
@@ -116,7 +160,7 @@ module Contrast
116
160
  # @return [Array<Contrast::Agent::ExclusionMatcher>]
117
161
  def assess_url_exclusions
118
162
  @_assess_url_exclusions ||= assess_exclusions.select do |exclusion_matcher|
119
- exclusion_matcher.type == :URL
163
+ exclusion_matcher.exclusion_type == :URL
120
164
  end
121
165
  end
122
166
 
@@ -130,7 +174,7 @@ module Contrast
130
174
  # @return [Array<Contrast::Agent::ExclusionMatcher>]
131
175
  def assess_input_exclusions
132
176
  @_assess_input_exclusions ||= assess_exclusions.select do |exclusion_matcher|
133
- exclusion_matcher.type == :INPUT
177
+ exclusion_matcher.exclusion_type == :INPUT
134
178
  end
135
179
  end
136
180
 
@@ -139,17 +183,10 @@ module Contrast
139
183
  @_assess_exclusions ||= @exclusions.select(&:assess)
140
184
  end
141
185
 
142
- # @return [Array<Contrast::Agent::ExclusionMatcher>]
143
- def protect_url_exclusions_for_all_rules
144
- @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion_matcher|
145
- exclusion_matcher.protect_rules.empty?
146
- end
147
- end
148
-
149
186
  # @return [Array<Contrast::Agent::ExclusionMatcher>]
150
187
  def protect_url_exclusions
151
188
  @_protect_url_exclusions ||= protect_exclusions.select do |exclusion_matcher|
152
- exclusion_matcher.type == :URL
189
+ exclusion_matcher.exclusion_type == :URL
153
190
  end
154
191
  end
155
192
 
@@ -158,9 +195,19 @@ module Contrast
158
195
  @_protect_exclusions ||= @exclusions.select(&:protect)
159
196
  end
160
197
 
198
+ # @return [Array<Contrast::Agent::ExclusionMatcher>]
199
+ def protect_input_exclusions
200
+ @_protect_input_exclusions ||= protect_exclusions.select do |exclusion_matcher|
201
+ exclusion_matcher.exclusion_type == :INPUT
202
+ end
203
+ end
204
+
161
205
  # @return [Boolean]
162
206
  def path_match? exclusion_matcher, path
163
- exclusion_matcher.wildcard_url || exclusion_matcher.urls.any? { |url| url.match?(path) }
207
+ return false unless path
208
+
209
+ exclusion_matcher.wildcard_url ||
210
+ exclusion_matcher.urls.any? { |url| url.match?(path) || regexp_match?(url, path) }
164
211
  end
165
212
 
166
213
  # @param exclusion [Contrast::Agent::ExclusionMatcher]
@@ -168,7 +215,7 @@ module Contrast
168
215
  # @param source_name [String]
169
216
  # @return [Boolean]
170
217
  def input_match? exclusion, source_type, source_name
171
- case exclusion.input_type
218
+ case exclusion.type
172
219
  when 'PARAMETER'
173
220
  input_match_parameter?(exclusion, source_type, source_name)
174
221
  when 'COOKIE'
@@ -176,49 +223,84 @@ module Contrast
176
223
  when 'HEADER'
177
224
  input_match_header?(exclusion, source_type, source_name)
178
225
  when 'BODY'
179
- Contrast::Agent::Assess::Policy::SourceMethod::BODY_TYPE == source_type
226
+ BODY == source_type
180
227
  when 'QUERYSTRING'
181
- Contrast::Agent::Assess::Policy::SourceMethod::QUERYSTRING_TYPE == source_type
228
+ QUERYSTRING == source_type
182
229
  else
183
230
  false
184
231
  end
185
232
  end
186
233
 
234
+ # Returns true if parameter exclusion is found.
235
+ #
236
+ # @param exclusion [Contrast::Agent::ExclusionMatcher]
237
+ # @param source_type [Contrast::Agent::Reporting::InputType<Symbol>]
238
+ # @param source_name [String] value to match
239
+ # @return [Boolean]
187
240
  def input_match_parameter? exclusion, source_type, source_name
188
- return false unless [
189
- Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_TYPE,
190
- Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_KEY_TYPE
191
- ].include?(source_type)
241
+ return false unless params_types.include?(source_type)
192
242
 
193
- exclusion.wildcard_input || (exclusion.input_name == source_name) || regexp_match?(exclusion.input_name,
194
- source_name)
243
+ input_value_match?(exclusion, source_name)
195
244
  end
196
245
 
246
+ # Returns true if cookie exclusion is found.
247
+ #
248
+ # @param exclusion [Contrast::Agent::ExclusionMatcher]
249
+ # @param source_type [Contrast::Agent::Reporting::InputType<Symbol>]
250
+ # @param source_name [String] value to match
251
+ # @return [Boolean]
197
252
  def input_match_cookie? exclusion, source_type, source_name
198
- return false unless [
199
- Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_TYPE,
200
- Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_KEY_TYPE
201
- ].include?(source_type)
253
+ return false unless cookie_types.include?(source_type)
202
254
 
203
- exclusion.wildcard_input || exclusion.input_name == source_name || regexp_match?(exclusion.input_name,
204
- source_name)
255
+ input_value_match?(exclusion, source_name)
205
256
  end
206
257
 
258
+ # Returns true if header exclusion is found.
259
+ #
260
+ # @param exclusion [Contrast::Agent::ExclusionMatcher]
261
+ # @param source_type [Contrast::Agent::Reporting::InputType<Symbol>]
262
+ # @param source_name [String] value to match
263
+ # @return [Boolean]
207
264
  def input_match_header? exclusion, source_type, source_name
208
- return false unless [
209
- Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE,
210
- Contrast::Agent::Assess::Policy::SourceMethod::HEADER_KEY_TYPE
211
- ].include?(source_type)
265
+ return false unless source_type == HEADER
212
266
 
213
- exclusion.wildcard_input || exclusion.input_name.casecmp(source_name).zero? || regexp_match?(
214
- exclusion.input_name, source_name)
267
+ input_value_match?(exclusion, source_name, header: true)
215
268
  end
216
269
 
270
+ # regexp check for input name match
271
+ #
272
+ # @return [Boolean]
217
273
  def regexp_match? possible_pattern, source_name
218
- Regexp.new("^#{ possible_pattern }$").match?(source_name)
274
+ Regexp.new("^#{ possible_pattern }$").match?(source_name) || Regexp.new(possible_pattern).match?(source_name)
219
275
  rescue RegexpError
220
276
  false
221
277
  end
278
+
279
+ # Returns true if ia input matches exclusion input name, or it's a all input type - wildcard [*, .*]
280
+ #
281
+ # @param exclusion [Contrast::Agent::ExclusionMatcher]
282
+ # @param source_name [String] value to match
283
+ # @param header [Boolean]
284
+ # @return [Boolean]
285
+ def input_value_match? exclusion, source_name, header: nil
286
+ exclusion.wildcard_input ||
287
+ (header.nil? ? (exclusion.name == source_name) : exclusion.name.casecmp(source_name).zero?) || # rubocop:disable Security/Module/Name
288
+ regexp_match?(exclusion.name, source_name) || exclusion.input_name == source_name # rubocop:disable Security/Module/Name
289
+ end
290
+
291
+ # Input types to match against exclusions parameter type.
292
+ #
293
+ # @return [Array<Symbol>]
294
+ def params_types
295
+ @_params_types ||= [PARAMETER_VALUE, PARAMETER_NAME].cs__freeze
296
+ end
297
+
298
+ # Input types to match against exclusions cookie type.
299
+ #
300
+ # @return [Array<Symbol>]
301
+ def cookie_types
302
+ @_cookie_types ||= [COOKIE_NAME, COOKIE_VALUE].cs__freeze
303
+ end
222
304
  end
223
305
  end
224
306
  end
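Review bot: The new fallback `|| Regexp.new(possible_pattern).match?(source_name)` in regexp_match? makes every exclusion name and URL an unanchored substring pattern — it is reached from input_value_match? and from the new `regexp_match?(url, path)` in path_match? — so a parameter exclusion `id` also covers `user_id` and a URL exclusion `/admin` also covers `/api/admin/x`; since a matching exclusion skips Assess tracking or a Protect rule for that request, this quietly widens what goes unanalysed beyond what the operator configured. The anchored branch is also looser than intended because `^`/`$` match at line boundaries in Ruby; I would make it `Regexp.new("\\A#{ possible_pattern }\\z").match?(source_name)` and drop the unanchored branch unless TeamServer documents exclusion names as partial patterns. If `urls` holds Strings, which the interpolation in regexp_match? implies, `url.match?(path)` in path_match? compiles the request path as the Regexp and matches it against the exclusion, so a crafted path such as `/.*` satisfies any URL exclusion containing a slash and a malformed one raises RegexpError outside the rescue; the comparison should be `path == url || regexp_match?(url, path)`. Separately, in protect_excluded_by_input? the inner `results.each` returns the non-empty results array, so the outer `any?` is satisfied by the first protect INPUT exclusion whether or not anything matched and later exclusions are never consulted — use `results.any? do |rule_result|` with `next false unless exclusion_match.protection_rule?(rule_result.rule_id)` and the input_match_strategy result as the block value, and drop the exclusion_matched counter.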
@@ -1,9 +1,8 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/logger'
5
5
  require 'contrast/agent/reporting/settings/exclusion_base'
6
- require 'contrast/agent/reporting/settings/code_exclusion'
7
6
  require 'contrast/agent/reporting/settings/input_exclusion'
8
7
  require 'contrast/agent/reporting/settings/url_exclusion'
9
8
 
@@ -14,12 +13,13 @@ module Contrast
14
13
  # functions of the Agent are suppressed for that request or event.
15
14
  class ExclusionMatcher
16
15
  include Contrast::Components::Logger::InstanceMethods
17
-
18
16
  extend Forwardable
19
17
 
20
- attr_reader :protect, :assess, :type, :urls, :wildcard_url, :wildcard_input
18
+ attr_reader :protect, :assess, :exclusion_type, :wildcard_url, :wildcard_input
19
+
20
+ def_delegators :@exclusion, :protect_rules, :assess_rules, :type, :name, :input_name, :urls, :match_strategy
21
21
 
22
- def_delegators :@exclusion, :protect_rules, :assess_rules, :input_type, :input_name
22
+ MATCH_ALL = 'ALL'.cs__freeze
23
23
 
24
24
  # Create a matcher around an exclusion sent from TeamServer.
25
25
  #
@@ -31,15 +31,12 @@ module Contrast
31
31
  @assess = @exclusion.assess
32
32
 
33
33
  case excl
34
- when Contrast::Agent::Reporting::Settings::CodeExclusion
35
- handle_wildcard_code
36
- @type = :CODE
37
34
  when Contrast::Agent::Reporting::Settings::InputExclusion
38
35
  handle_wildcard_input
39
- @type = :INPUT
36
+ @exclusion_type = :INPUT
40
37
  when Contrast::Agent::Reporting::Settings::UrlExclusion
41
38
  handle_wildcard_url
42
- @type = :URL
39
+ @exclusion_type = :URL
43
40
  end
44
41
  end
45
42
 
@@ -48,10 +45,9 @@ module Contrast
48
45
  # regexp beyond this.
49
46
  # https://docs.contrastsecurity.com/admin-policymgmt.html#exclude
50
47
  def handle_wildcard_input
51
- return unless @exclusion.input_name
48
+ return unless @exclusion.name # rubocop:disable Security/Module/Name
52
49
 
53
- @wildcard_input = @exclusion.input_name == '.*' ||
54
- @exclusion.input_name == Contrast::Utils::ObjectShare::ASTERISK
50
+ @wildcard_input = @exclusion.name == '.*' || @exclusion.name == Contrast::Utils::ObjectShare::ASTERISK # rubocop:disable Security/Module/Name
55
51
  end
56
52
 
57
53
  # According to the docs for exclusions, urls apply to all urls if the url
@@ -74,24 +70,6 @@ module Contrast
74
70
  end
75
71
  end
76
72
 
77
- # According to the docs for exclusions, code applies to the entire stacktrace
78
- # of the caller, and can act as a regexp. Per our user instructions in the
79
- # Contrast UI, these comparisons must be done at the end of the input.
80
- # https://docs.contrastsecurity.com/admin-policymgmt.html#exclude
81
- def handle_wildcard_code
82
- return unless @exclusion.denylist&.any?
83
-
84
- @wildcard_exclusions = []
85
- @exclusion.denylist.each do |code|
86
- class_name, method_name = code.split(Contrast::Utils::ObjectShare::COLON)
87
- class_pattern = build_regexp(class_name, start_anchor: false, end_anchor: true)
88
- method_pattern = build_regexp(method_name)
89
- next unless class_pattern && method_pattern
90
-
91
- @wildcard_exclusions << [class_pattern, method_pattern]
92
- end
93
- end
94
-
95
73
  def build_regexp pattern, start_anchor: false, end_anchor: false
96
74
  pattern = Contrast::Utils::ObjectShare::CARROT + pattern if start_anchor
97
75
  pattern += Contrast::Utils::ObjectShare::DOLLAR_SIGN if end_anchor
@@ -108,12 +86,8 @@ module Contrast
108
86
  @assess
109
87
  end
110
88
 
111
- def code?
112
- @type == :CODE
113
- end
114
-
115
89
  def match_all?
116
- @exclusion.urls.nil? || @exclusion.urls.empty?
90
+ (@exclusion.urls.nil? || @exclusion.urls.empty?) && @exclusion.match_strategy == MATCH_ALL
117
91
  end
118
92
 
119
93
  # Determine if the given rule is excluded by this exclusion.
@@ -131,25 +105,7 @@ module Contrast
131
105
  #
132
106
  # @param rule - the id of the rule which we're checking for exclusion
133
107
  def assess_rule? rule
134
- assess? && (@exclusion.assessment_rules.empty? || @exclusion.assessment_rules.include?(rule))
135
- end
136
-
137
- def match_code? stack_trace
138
- return false unless code?
139
- return false if @wildcard_exclusions&.empty?
140
-
141
- @wildcard_exclusions.each do |code|
142
- class_name = code[0]
143
- method_name = code[1]
144
- stack_trace.each do |location|
145
- next unless location.base_label.match?(method_name)
146
- next unless location.path.match?(class_name)
147
-
148
- return true
149
- end
150
- end
151
-
152
- false
108
+ assess? && (@exclusion.assess_rules.empty? || @exclusion.assess_rules.include?(rule))
153
109
  end
154
110
  end
155
111
  end
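Review bot: `match_all?` now also requires `@exclusion.match_strategy == MATCH_ALL`, so an exclusion with no urls whose settings object carries a nil or lower-case strategy stops matching: Excluder#input_match_strategy then falls through to path_match?, which with empty urls and no wildcard_url is always false, and with nil urls raises NoMethodError on `urls.any?`. Whether InputExclusion defaults match_strategy to 'ALL' is not visible in this diff; if older TeamServer payloads can omit it, treat absence as ALL — `strategy = @exclusion.match_strategy` then `(@exclusion.urls.nil? || @exclusion.urls.empty?) && (strategy.nil? || strategy == MATCH_ALL)` — or log that the exclusion is being ignored, since a silently inert exclusion is hard to diagnose. A comment on match_all? stating the contract, e.g. `# Applies to every URL only when no urls are listed AND TeamServer sent match_strategy ALL; otherwise the exclusion is scoped by path_match?`, would also help the next reader.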
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/reporting/reporting_events/architecture_component'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/reporting/reporting_events/library_discovery'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/reporting/reporting_events/library_usage_observation'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/logger'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/inventory/policy/trigger_node'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/patching/policy/trigger_node'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'ipaddr'
@@ -10,10 +10,10 @@ require 'contrast/utils/object_share'
10
10
  require 'contrast/components/logger'
11
11
  require 'contrast/components/scope'
12
12
  require 'contrast/utils/heap_dump_util'
13
- require 'contrast/utils/telemetry'
13
+ require 'contrast/agent/telemetry'
14
14
  require 'contrast/agent/request_handler'
15
15
  require 'contrast/agent/static_analysis'
16
- require 'contrast/agent/telemetry/events/startup_metrics_event'
16
+ require 'contrast/agent/telemetry/startup_metrics_event'
17
17
  require 'contrast/agent/protect/input_analyzer/input_analyzer'
18
18
  require 'contrast/utils/middleware_utils'
19
19
  require 'contrast/utils/reporting/application_activity_batch_utils'
@@ -57,14 +57,29 @@ module Contrast
57
57
 
58
58
  # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready to do some
59
59
  # processing on a per request basis. If not, we just pass the request along to the next middleware in the stack.
60
+ # If Application Scope feature is enabled we execute the env call with that scope, enabling only analysis for
61
+ # the current application, and nothing outside that.
60
62
  #
61
63
  # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
62
64
  # this Request
63
65
  # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user up
64
66
  # the Rack framework.
65
67
  def call env
68
+ return with_app_scope { call_routine(env) } if Contrast::RUBY_INTERFACE.start_with_application_scope?
69
+
70
+ call_routine(env)
71
+ end
72
+
73
+ private
74
+
75
+ # This is the call routine we do when we are hooked to the middleware stack.
76
+ #
77
+ # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
78
+ # this Request
79
+ # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user up
80
+ # the Rack framework.
81
+ def call_routine env
66
82
  logger.trace_with_time('Elapsed time for Contrast::Agent::Middleware#call') do
67
- ::Contrast::Agent::ThreadWatcher.check_before_start
68
83
  return app.call(env) unless ::Contrast::AGENT.enabled?
69
84
 
70
85
  Contrast::Agent.heapdump_util.start_thread!
@@ -73,8 +88,6 @@ module Contrast
73
88
  end
74
89
  end
75
90
 
76
- private
77
-
78
91
  # Startup the Agent as part of the initialization process:
79
92
  # - start the TeamServer sending thread, responsible for sending and processing messages
80
93
  # - start the heartbeat thread, which handles periodic messages to TeamServer
@@ -175,10 +188,10 @@ module Contrast
175
188
  Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
176
189
  # All protect rules, which are trigger but require response to be reported
177
190
  Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
178
- # Process Worth Watching Inputs for v2 rules
179
- Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
180
191
  # Now we can build the ia_results only for postfilter rules.
181
192
  context.protect_postfilter_ia
193
+ # Process Worth Watching Inputs for v2 rules
194
+ Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
182
195
 
183
196
  if Contrast::Agent.framework_manager.streaming?(env)
184
197
  context.reset_activity
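Review bot: The per-request `::Contrast::Agent::ThreadWatcher.check_before_start` call is removed from call_routine with nothing replacing it in this hunk; if that call was the agent's forked-worker recovery (re-starting reporting threads in a Puma/Unicorn child), the new code should say where that now happens, otherwise early requests in a forked worker could run with the background threads dead. Please add a comment above `return app.call(env) unless ::Contrast::AGENT.enabled?` such as `# Background-thread (re)start after fork is handled by …` naming the new location, or restore the call. Also, `return with_app_scope { call_routine(env) }` depends on with_app_scope returning the block's value and leaving the scope when call_routine raises; its implementation is not in this diff, so a one-line comment or a spec pinning both would make the Rack contract explicit.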
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/components/scope'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/patching/policy/after_load_patch'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/patching/policy/method_policy_extend'
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Contrast
@@ -1,4 +1,4 @@
1
- # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
1
+ # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require 'contrast/agent/patching/policy/method_policy'