contrast-agent 6.14.0 → 6.15.0
- checksums.yaml +4 -4
- data/lib/contrast/agent/{assess.rb → assess/assess.rb} +1 -1
- data/lib/contrast/agent/{module_data.rb → assess/module_data.rb} +0 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +3 -0
- data/lib/contrast/agent/assess/policy/policy_node.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagation_method.rb +2 -2
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +0 -1
- data/lib/contrast/agent/assess/policy/source_method.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +36 -1
- data/lib/contrast/agent/{excluder.rb → excluder/excluder.rb} +0 -0
- data/lib/contrast/agent/{exclusion_matcher.rb → excluder/exclusion_matcher.rb} +0 -0
- data/lib/contrast/agent/{at_exit_hook.rb → hooks/at_exit_hook.rb} +0 -0
- data/lib/contrast/agent/{tracepoint_hook.rb → hooks/tracepoint_hook.rb} +0 -0
- data/lib/contrast/agent/inventory/database_config.rb +1 -0
- data/lib/contrast/agent/{inventory.rb → inventory/inventory.rb} +0 -0
- data/lib/contrast/agent/{middleware.rb → middleware/middleware.rb} +3 -3
- data/lib/contrast/agent/{static_analysis.rb → middleware/static_analysis.rb} +0 -0
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +5 -5
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -1
- data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/base.rb +121 -134
- data/lib/contrast/agent/protect/rule/{bot_blocker.rb → bot_blocker/bot_blocker.rb} +2 -2
- data/lib/contrast/agent/protect/rule/{cmd_injection.rb → cmdi/cmd_injection.rb} +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +3 -3
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +2 -2
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +2 -2
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/{deserialization.rb → deserialization/deserialization.rb} +2 -2
- data/lib/contrast/agent/protect/rule/{no_sqli.rb → no_sqli/no_sqli.rb} +3 -3
- data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/{path_traversal.rb → path_traversal/path_traversal.rb} +2 -2
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +3 -3
- data/lib/contrast/agent/protect/rule/{sql_sample_builder.rb → sqli/sql_sample_builder.rb} +0 -1
- data/lib/contrast/agent/protect/rule/{sqli.rb → sqli/sqli.rb} +2 -2
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +1 -1
- data/lib/contrast/agent/protect/rule/{unsafe_file_upload.rb → unsafe_file_upload/unsafe_file_upload.rb} +2 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/utils/builders.rb +111 -0
- data/lib/contrast/agent/protect/rule/utils/filters.rb +110 -0
- data/lib/contrast/agent/protect/rule/{xss.rb → xss/xss.rb} +2 -2
- data/lib/contrast/agent/protect/rule/{xxe.rb → xxe/xxe.rb} +2 -2
- data/lib/contrast/agent/protect/rule.rb +8 -9
- data/lib/contrast/agent/{disable_reaction.rb → reactions/disable_reaction.rb} +0 -0
- data/lib/contrast/agent/reporting/reporter.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +3 -3
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +1 -1
- data/lib/contrast/agent/{request.rb → request/request.rb} +0 -0
- data/lib/contrast/agent/{request_context.rb → request/request_context.rb} +3 -3
- data/lib/contrast/agent/{request_context_extend.rb → request/request_context_extend.rb} +0 -0
- data/lib/contrast/agent/{request_handler.rb → request/request_handler.rb} +0 -0
- data/lib/contrast/agent/{response.rb → response/response.rb} +0 -0
- data/lib/contrast/agent/{scope.rb → scope/scope.rb} +0 -0
- data/lib/contrast/agent/telemetry/base.rb +2 -2
- data/lib/contrast/agent/{telemetry.rb → telemetry/telemetry.rb} +0 -0
- data/lib/contrast/agent/{thread.rb → thread/thread.rb} +0 -0
- data/lib/contrast/agent/{thread_watcher.rb → thread/thread_watcher.rb} +0 -0
- data/lib/contrast/agent/{worker_thread.rb → thread/worker_thread.rb} +0 -0
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +11 -11
- data/lib/contrast/components/agent.rb +1 -1
- data/lib/contrast/components/assess.rb +1 -0
- data/lib/contrast/{agent → components}/rule_set.rb +0 -0
- data/lib/contrast/components/scope.rb +1 -1
- data/lib/contrast/components/settings.rb +1 -1
- data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
- data/lib/contrast/extension/assess/string.rb +4 -3
- data/lib/contrast.rb +1 -1
- data/ruby-agent.gemspec +4 -2
- metadata +53 -58
- data/lib/contrast/agent/protect/rule/base_service.rb +0 -175
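--- a/data/lib/contrast/agent/protect/rule/utils/builders.rb
+++ b/data/lib/contrast/agent/protect/rule/utils/builders.rb
@@ -0,0 +1,111 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+module Agent
+module Protect
+module Rule
+# Module to hold base builder methods used by Contrast::Agent::Protect::Rule::Base class.
+module Builders
+# A given input, candidate_string, was determined to violate a
+# protect rule and did exploit the application, or at least made it
+# to exploitable code in the case where we blocked the attack. As
+# such, we need to build a result to report this violation to
+# TeamServer.
+#
+# @param context [Contrast::Agent::RequestContext] the context of the
+# request in which this input is evaluated.
+# @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
+# analysis of the input that was determined to be an attack
+# @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
+# attack result for this rule, if one exists, in the case of
+# multiple inputs being found to violate the protection criteria
+# @param candidate_string [String] the value of the input which may
+# be an attack
+# @param kwargs [Hash] key - value pairs of context individual rules
+# need to build out details to send to the TeamServer to tell the
+# story of the attack
+# @return [Contrast::Agent::Reporting::AttackResult] the attack result from
+# this input
+def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
+result ||= build_attack_result(context)
+update_successful_attack_response(context, ia_result, result, candidate_string)
+append_sample(context, ia_result, result, candidate_string, **kwargs)
+
+result
+end
+
+# A given input, candidate_string, was determined to violate a
+# protect rule but did not exploit the application. As such, we need
+# to build a result to report this violation to TeamServer.
+#
+# @param context [Contrast::Agent::RequestContext, nil] the context of the
+# request in which this input is evaluated.
+# @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
+# analysis of the input that was determined to be an attack
+# @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
+# attack result for this rule, if one exists, in the case of
+# multiple inputs being found to violate the protection criteria
+# @param kwargs [Hash, nil] key - value pairs of context individual rules
+# need to build out details to send to TeamServer to tell the
+# story of the attack
+# @return [Contrast::Agent::Reporting::AttackResult] the attack result from
+# this input
+def build_attack_without_match context, ia_result, result, **kwargs
+result ||= build_attack_result(context)
+update_perimeter_attack_response(context, ia_result, result)
+append_sample(context, ia_result, result, nil, **kwargs)
+
+result
+end
+
+# Set up an attack result for the current rule
+#
+# @param _context [Contrast::Agent::RequestContext] the context of
+# the current request
+# @return [Contrast::Agent::Reporting::AttackResult]
+def build_attack_result _context
+result = Contrast::Agent::Reporting::AttackResult.new
+result.rule_id = rule_name
+result
+end
+
+# Override if rule can make use of the candidate string or kwargs to
+# build rasp rule sample.
+#
+# @param context [Contrast::Agent::RequestContext]
+# @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+# was determined to be an attack
+# @param _candidate_string [String] potential attack value/ input containing attack value
+# @param _kwargs [Hash]
+# @return [Contrast::Agent::Reporting::RaspRuleSample]
+def build_sample context, ia_result, _candidate_string, **_kwargs
+build_base_sample(context, ia_result)
+end
+
+# @param context [Contrast::Agent::RequestContext]
+# @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+# was determined to be an attack
+# @return [Contrast::Agent::Reporting::RaspRuleSample]
+def build_base_sample context, ia_result
+Contrast::Agent::Reporting::RaspRuleSample.build(context, ia_result)
+end
+
+# Used to build and report semantic rules.
+#
+# @param context [Contrast::Agent::RequestContext] current request contest
+# @param potential_attack_string [String]
+def build_violation context, potential_attack_string
+result = build_attack_result(context)
+update_successful_attack_response(context, nil, result, potential_attack_string)
+return unless result
+
+append_sample(context, nil, result, potential_attack_string)
+cef_logging(result, :successful_attack)
+result
+end
+end
+end
+end
+end
+end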
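Review bot: `return unless result` in build_violation (new file line 101) can never trigger: build_attack_result (lines 67–71) always returns a freshly constructed AttackResult, and the guard sits after `result` has already been passed to update_successful_attack_response, so it protects nothing; drop the line, or if update_successful_attack_response can leave the result unusable, test that condition explicitly. The YARD type of `ia_result` is `Contrast::Agent::Reporting::InputAnalysis` on build_attack_with_match and build_attack_without_match but `Contrast::Agent::Reporting::Settings::InputAnalysisResult` on build_sample and build_base_sample; one of the two is presumably wrong and the mismatch will mislead rule authors overriding build_sample. build_violation also has no `@return`; suggest `# @return [Contrast::Agent::Reporting::AttackResult]`. Since the module calls `rule_name`, `update_successful_attack_response`, `update_perimeter_attack_response`, `append_sample` and `cef_logging` without defining them, the module comment at line 8 should list that required interface of the including class.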
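--- a/data/lib/contrast/agent/protect/rule/utils/filters.rb
+++ b/data/lib/contrast/agent/protect/rule/utils/filters.rb
@@ -0,0 +1,110 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+module Agent
+module Protect
+module Rule
+# Module to hold required generic filters (prefilter, infilter, postfilter)
+module Filters
+POSTFILTER_MODES = Set.new(%i[BLOCK MONITOR]).cs__freeze
+
+# Actions required for the rules that have to happen before the
+# application has completed its processing of the request.
+#
+# For most rules, these actions are performed within the analysis
+# engine and communicated as an input analysis result. Those that
+# require specific action need to provide that action.
+#
+# @param context [Contrast::Agent::RequestContext] the context for
+# the current request
+def prefilter context
+return unless prefilter?(context)
+
+ia_results = gather_ia_results(context)
+
+ia_results.each do |ia_result|
+result = build_attack_result(context)
+build_attack_without_match(context, ia_result, result)
+append_to_activity(context, result)
+
+cef_logging(result, :successful_attack)
+raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+end
+end
+
+# Prefilter check always called before infilter to check if the rule is infilter
+# capable, not disabled or in other way excluded by url or input exclusions.
+#
+# @param context [Contrast::Agent::RequestContext]
+# @return [Boolean]
+def prefilter? context
+return false unless context
+return false unless enabled?
+return false unless (results = gather_ia_results(context)) && results.any?
+return false if protect_excluded_by_url?(rule_name, context.request.path)
+return false if protect_excluded_by_input?(results, context.request.path)
+
+true
+end
+
+# This should only ever be called directly from patched code and will
+# have a different implementation based on the rule. As such, there
+# is not parent implementation.
+#
+# @param _context [Contrast::Agent::RequestContext] the context for
+# the current request
+# @param _match_string [String] the input that violated the rule and
+# matched the attack detection logic
+# @param _kwargs [Hash] key-value pairs used by the rule to build a
+# report.
+def infilter _context, _match_string, **_kwargs; end
+
+# Infilter check always called before infilter to check if the rule is infilter
+# capable, not disabled or in other way excluded by url or input exclusions.
+#
+# @param context [Contrast::Agent::RequestContext]
+# @return [Boolean]
+def infilter? context
+return false unless enabled?
+return false unless (results = gather_ia_results(context)) && results.any?
+return false if protect_excluded_by_url?(rule_name, context.request.path)
+return false if protect_excluded_by_input?(results, context.request.path)
+
+true
+end
+
+# Actions required for the rules that have to happen after the
+# application has completed its processing of the request.
+#
+# Any implementation here needs to account for the fact that
+# responses may be streaming and, as such, transformations of the
+# response itself may not be permissible.
+#
+# Override for rules that need the response
+# Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify
+# the response streamed responses will break
+#
+# @param context [Contrast::Agent::RequestContext]
+# @raise [Contrast::SecurityException]
+def postfilter context
+return unless enabled? && POSTFILTER_MODES.include?(mode)
+return false if protect_excluded_by_url?(rule_name, context.request.path)
+return if protect_excluded_by_input?(gather_ia_results(context), context.request.path)
+
+return if mode == :NO_ACTION || mode == :PERMIT
+
+result = find_postfilter_attacker(context, nil)
+return unless result&.samples&.any?
+
+cef_logging(result)
+append_to_activity(context, result)
+return unless result.response == :BLOCKED
+
+raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
+end
+end
+end
+end
+end
+end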
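Review bot: `return if mode == :NO_ACTION || mode == :PERMIT` in postfilter (new file line 95) is dead code, because the guard at line 91 already returns unless `mode` is in POSTFILTER_MODES, which holds only :BLOCK and :MONITOR; drop the line or fold the intent into the constant. In the same method `return false if protect_excluded_by_url?(...)` (line 92) returns false where every other early exit returns nil and the doc header declares no return value, so `return if protect_excluded_by_url?(rule_name, context.request.path)` would be consistent. `infilter?` (lines 68–75) dereferences `context.request.path` without the `return false unless context` guard that `prefilter?` has at line 42; either infilter callers can never pass nil, which the comment should state, or the same guard belongs there. The `infilter?` header at line 63 is a copy of the prefilter? one ("Infilter check always called before infilter"), and "there is not parent implementation" at line 53 should read "there is no parent implementation".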
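--- a/data/lib/contrast/agent/protect/rule/xss.rb
+++ b/data/lib/contrast/agent/protect/rule/xss/xss.rb
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/
+require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/reporting/input_analysis/input_type'
 
@@ -10,7 +10,7 @@ module Contrast
 module Protect
 module Rule
 # The Ruby implementation of the Protect Cross-Site Scripting rule.
-class Xss < Contrast::Agent::Protect::Rule::
+class Xss < Contrast::Agent::Protect::Rule::Base
 include Contrast::Agent::Reporting::InputType
 NAME = 'reflected-xss'
 BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'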
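--- a/data/lib/contrast/agent/protect/rule/xxe.rb
+++ b/data/lib/contrast/agent/protect/rule/xxe/xxe.rb
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/
+require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/reporting/details/xxe_details'
 require 'contrast/agent/reporting/details/xxe_match'
 require 'contrast/agent/reporting/details/xxe_wrapper'
@@ -14,7 +14,7 @@ module Contrast
 module Rule
 # Implementation of the XXE Protect Rule used to evaluate XML calls for exploit
 # of unsafe external entity resolution.
-class Xxe < Contrast::Agent::Protect::Rule::
+class Xxe < Contrast::Agent::Protect::Rule::Base
 include Contrast::Components::Logger::InstanceMethods
 INPUT_NAME = 'XML Prolog'
 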
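--- a/data/lib/contrast/agent/protect/rule.rb
+++ b/data/lib/contrast/agent/protect/rule.rb
@@ -16,14 +16,13 @@ end
 
 # The classes required for All Rasp Rules
 require 'contrast/agent/protect/rule/base'
-require 'contrast/agent/protect/rule/base_service'
 
 # The classes required for the XSS Rasp Rule
-require 'contrast/agent/protect/rule/xss'
+require 'contrast/agent/protect/rule/xss/xss'
 
 # The classes required for the SQLI
 require 'contrast/agent/protect/rule/default_scanner'
-require 'contrast/agent/protect/rule/sqli'
+require 'contrast/agent/protect/rule/sqli/sqli'
 require 'contrast/agent/protect/rule/sqli/default_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/mysql_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/postgres_sql_scanner'
@@ -31,22 +30,22 @@ require 'contrast/agent/protect/rule/sqli/sqlite_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 
 # The classes required for Path Traversal
-require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 
 # The classes required for Command Injection and sub-rules
-require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/protect/rule/cmdi/cmd_injection'
 require 'contrast/agent/protect/rule/cmdi/cmdi_backdoors'
 
 # The classes required for XXE
-require 'contrast/agent/protect/rule/xxe'
+require 'contrast/agent/protect/rule/xxe/xxe'
 require 'contrast/agent/protect/rule/xxe/entity_wrapper'
 
 # The classes required for Untrusted Deserialization
-require 'contrast/agent/protect/rule/deserialization'
+require 'contrast/agent/protect/rule/deserialization/deserialization'
 
 # The classes required for the NoSQLi
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner'
 
 # The classes required for Unsafe File Upload
-require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'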
File without changes
|
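--- a/data/lib/contrast/agent/reporting/reporter.rb
+++ b/data/lib/contrast/agent/reporting/reporter.rb
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/agent_startup'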
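--- a/data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb
+++ b/data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb
@@ -1,9 +1,9 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/cmd_injection'
-require 'contrast/agent/protect/rule/deserialization'
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/cmdi/cmd_injection'
+require 'contrast/agent/protect/rule/deserialization/deserialization'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/reporting/attack_result/user_input'
 require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/components/logger'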
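--- a/data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb
+++ b/data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb
@@ -3,7 +3,7 @@
 
 require 'contrast/agent/reporting/reporting_utilities/ng_response_extractor'
 require 'contrast/agent/reporting/reporting_utilities/response_extractor'
-require 'contrast/agent/disable_reaction'
+require 'contrast/agent/reactions/disable_reaction'
 
 module Contrast
 module Agent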
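--- a/data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb
+++ b/data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 
 module Contrast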
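--- a/data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb
+++ b/data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 require 'contrast/agent/inventory/dependency_usage_analysis'
 require 'contrast/agent/reporting/reporting_events/poll'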
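--- a/data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb
+++ b/data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 
 module Contrast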
File without changes
|
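--- a/data/lib/contrast/agent/request_context.rb
+++ b/data/lib/contrast/agent/request/request_context.rb
@@ -2,13 +2,13 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/timer'
-require 'contrast/agent/request'
-require 'contrast/agent/response'
+require 'contrast/agent/request/request'
+require 'contrast/agent/response/response'
 require 'contrast/agent/inventory/database_config'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/request_utils'
-require 'contrast/agent/request_context_extend'
+require 'contrast/agent/request/request_context_extend'
 require 'contrast/agent/reporting/reporting_events/observed_route'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
 require 'contrast/agent/reporting/reporting_events/application_activity'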
File without changes
|
File without changes
|
File without changes
|
File without changes
|
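--- a/data/lib/contrast/agent/telemetry/base.rb
+++ b/data/lib/contrast/agent/telemetry/base.rb
@@ -4,8 +4,8 @@
 require 'contrast/config/env_variables'
 require 'contrast/components/logger'
 require 'contrast/agent/telemetry/client'
-require 'contrast/agent/worker_thread'
-require 'contrast/agent/telemetry'
+require 'contrast/agent/thread/worker_thread'
+require 'contrast/agent/telemetry/telemetry'
 require 'contrast/agent/telemetry/exception'
 
 module Contrast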
File without changes
|
File without changes
|
File without changes
|
File without changes
|
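--- a/data/lib/contrast/agent.rb
+++ b/data/lib/contrast/agent.rb
@@ -35,14 +35,14 @@ require 'contrast/utils/findings'
 # Collect Exploites and Attacks
 require 'contrast/agent/protect/exploitable_collection'
 # scoping
-require 'contrast/agent/scope'
+require 'contrast/agent/scope/scope'
 
 require 'contrast/utils/thread_tracker'
 
 # Framework support
 require 'contrast/framework/manager'
 
-require 'contrast/agent/thread_watcher'
+require 'contrast/agent/thread/thread_watcher'
 require 'contrast/utils/silence_maker'
 
 module Contrast
@@ -103,27 +103,27 @@ end
 
 require 'contrast/utils/resource_loader'
 require 'contrast/utils/duck_utils'
-require 'contrast/agent/tracepoint_hook'
-require 'contrast/agent/at_exit_hook'
+require 'contrast/agent/hooks/tracepoint_hook'
+require 'contrast/agent/hooks/at_exit_hook'
 
-require 'contrast/agent/exclusion_matcher'
+require 'contrast/agent/excluder/exclusion_matcher'
 
-# threads that handle contrast
-require 'contrast/agent/thread'
+# threads that handle contrast scoper
+require 'contrast/agent/thread/thread'
 
 # keep track of attacks
-require 'contrast/agent/request_context'
+require 'contrast/agent/request/request_context'
 
-require 'contrast/agent/assess'
+require 'contrast/agent/assess/assess'
 
 # protect rules
 require 'contrast/agent/protect/rule'
 
 # application libraries and technologies
-require 'contrast/agent/inventory'
+require 'contrast/agent/inventory/inventory'
 
 # rack event monitoring
-require 'contrast/agent/middleware'
+require 'contrast/agent/middleware/middleware'
 
 # Install the patches we need before the application has a chance to initialize
 Contrast::Agent.framework_manager.before_load_patches!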
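Review bot: The reworded comment `# threads that handle contrast scoper` (new file line 111) is unclear; "scoper" appears nowhere else on this page, and the line it labels only requires `contrast/agent/thread/thread`. If the intent is to describe a thread wrapper that carries Contrast scope, say so in plain words, otherwise the previous wording `# threads that handle contrast` was at least not misleading.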
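--- a/data/lib/contrast/components/agent.rb
+++ b/data/lib/contrast/components/agent.rb
@@ -3,7 +3,7 @@
 
 require 'rubygems/version'
 require 'contrast/components/base'
-require 'contrast/
+require 'contrast/components/rule_set'
 require 'contrast/components/logger'
 require 'contrast/components/security_logger'
 require 'contrast/components/heap_dump'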
File without changes
|
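--- a/data/lib/contrast/components/<PATH-UNCERTAIN: scope.rb or settings.rb per the file list>
+++ b/data/lib/contrast/components/<PATH-UNCERTAIN: scope.rb or settings.rb per the file list>
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/excluder'
+require 'contrast/agent/excluder/excluder'
 require 'contrast/agent/reporting/settings/sensitive_data_masking'
 require 'contrast/components/config'
 require 'contrast/components/logger'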
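--- a/data/lib/contrast/extension/assess/exec_trigger.rb
+++ b/data/lib/contrast/extension/assess/exec_trigger.rb
@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/at_exit_hook'
+require 'contrast/agent/hooks/at_exit_hook'
 
 module Contrast
 module Extension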
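--- a/data/lib/contrast/extension/assess/string.rb
+++ b/data/lib/contrast/extension/assess/string.rb
@@ -14,9 +14,6 @@ module Contrast
 # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
 # String Class or exposing our methods there.
 class StringPropagator
-extend Contrast::Components::Logger::InstanceMethods
-extend Contrast::Components::Scope::InstanceMethods
-
 NODE_HASH = {
 'class_name' => 'String',
 'instance_method' => true,
@@ -31,6 +28,8 @@ module Contrast
 INTERPOLATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
 class << self
+include Contrast::Components::Logger::InstanceMethods
+include Contrast::Components::Scope::InstanceMethods
 # We call this method from C, and the Scope check is happening there. If we are in
 # Contrast Scope the method won't be invoked.
 #
@@ -76,6 +75,8 @@ module Contrast
 return unless (dynamic_props = Contrast::Agent::Assess::Tracker.properties(source)&.properties)
 
 Contrast::Agent::Assess::Tracker.properties(target)&.add_properties(dynamic_props)
+rescue StandardError => e
+logger.error('Unable to copy Dynamic track interpolation', e)
 end
 end
 end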
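Review bot: The `rescue StandardError => e` added at new file lines 78–79 is a method-level rescue, so it covers the whole body of a method whose signature lies above the hunk, not just the `add_properties` call beside it; every failure in `Tracker.properties(source)` is now swallowed and logged at error level. The comment at lines 34–35 says this code is reached from C on interpolation, so a persistent failure would presumably emit one error log per interpolated string; consider whether a lower level or a once-per-process log fits better, and add a one-line comment stating that the broad rescue is deliberate so the host application's String operations never see a propagation error. The third hunk's enclosing method starts outside this hunk.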
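--- a/data/lib/contrast.rb
+++ b/data/lib/contrast.rb
@@ -62,7 +62,7 @@ require 'contrast/components/scope'
 require 'contrast/components/settings'
 require 'contrast/utils/routes_sent'
 require 'contrast/agent/telemetry/hash'
-require 'contrast/agent/telemetry'
+require 'contrast/agent/telemetry/telemetry'
 require 'contrast/agent/telemetry/exception/event'
 require 'contrast/agent_lib/interface'
 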
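--- a/data/ruby-agent.gemspec
+++ b/data/ruby-agent.gemspec
@@ -120,10 +120,12 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
+spec.add_dependency 'ffi', '~> 1.0'
 spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
 spec.add_dependency 'rack', '~> 2.0'
-
-
+
+# bind this directly as we've had issues w/ build changes on bug release
+spec.add_dependency 'contrast-agent-lib', '1.1.0'
 end
 
 # Enumerate the files required to build the Agent.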
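Review bot: Two new runtime dependencies are declared in add_dependencies (`ffi` at new file line 123 and `contrast-agent-lib` at line 128), but if the comment cut off at the top of the hunk (lines 120–121) means new dependencies must be recorded in dependencies.csv and mirrored in TeamServer's fake gem server data, that bookkeeping is not visible in this release: the file list at the top of the page has no dependencies.csv entry. `contrast-agent-lib` is pinned to exactly '1.1.0' with a stated reason, whereas `'ffi', '~> 1.0'` admits every 1.x release of a gem that builds a native extension; a one-line comment next to the ffi line naming the 1.x floor the native binding was tested against would make that constraint as deliberate as the agent-lib pin.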