contrast-agent 6.14.0 → 6.15.1

data/lib/contrast/agent/protect/rule/utils/builders.rb

@@ -0,0 +1,111 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # Module to hold base builder methods used by Contrast::Agent::Protect::Rule::Base class.
+        module Builders
+          # A given input, candidate_string, was determined to violate a
+          # protect rule and did exploit the application, or at least made it
+          # to exploitable code in the case where we blocked the attack. As
+          # such, we need to build a result to report this violation to
+          # TeamServer.
+          #
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
+          #   analysis of the input that was determined to be an attack
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
+          #   attack result for this rule, if one exists, in the case of
+          #   multiple inputs being found to violate the protection criteria
+          # @param candidate_string [String] the value of the input which may
+          #   be an attack
+          # @param kwargs [Hash] key - value pairs of context individual rules
+          #   need to build out details to send to the TeamServer to tell the
+          #   story of the attack
+          # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
+          #   this input
+          def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, ia_result, result, candidate_string)
+            append_sample(context, ia_result, result, candidate_string, **kwargs)
+
+            result
+          end
+
+          # A given input, candidate_string, was determined to violate a
+          # protect rule but did not exploit the application. As such, we need
+          # to build a result to report this violation to TeamServer.
+          #
+          # @param context [Contrast::Agent::RequestContext, nil] the context of the
+          #   request in which this input is evaluated.
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
+          #   analysis of the input that was determined to be an attack
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous
+          #   attack result for this rule, if one exists, in the case of
+          #   multiple inputs being found to violate the protection criteria
+          # @param kwargs [Hash, nil] key - value pairs of context individual rules
+          #   need to build out details to send to TeamServer to tell the
+          #   story of the attack
+          # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
+          #   this input
+          def build_attack_without_match context, ia_result, result, **kwargs
+            result ||= build_attack_result(context)
+            update_perimeter_attack_response(context, ia_result, result)
+            append_sample(context, ia_result, result, nil, **kwargs)
+
+            result
+          end
+
+          # Set up an attack result for the current rule
+          #
+          # @param _context  [Contrast::Agent::RequestContext] the context of
+          #   the current request
+          # @return [Contrast::Agent::Reporting::AttackResult]
+          def build_attack_result _context
+            result = Contrast::Agent::Reporting::AttackResult.new
+            result.rule_id = rule_name
+            result
+          end
+
+          # Override if rule can make use of the candidate string or kwargs to
+          # build rasp rule sample.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
+          # @param _candidate_string [String] potential attack value/ input containing attack value
+          # @param _kwargs [Hash]
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build_sample context, ia_result, _candidate_string, **_kwargs
+            build_base_sample(context, ia_result)
+          end
+
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build_base_sample context, ia_result
+            Contrast::Agent::Reporting::RaspRuleSample.build(context, ia_result)
+          end
+
+          # Used to build and report semantic rules.
+          #
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          # @param potential_attack_string [String]
+          def build_violation context, potential_attack_string
+            result = build_attack_result(context)
+            update_successful_attack_response(context, nil, result, potential_attack_string)
+            return unless result
+
+            append_sample(context, nil, result, potential_attack_string)
+            cef_logging(result, :successful_attack)
+            result
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/utils/filters.rb

@@ -0,0 +1,110 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # Module to hold required generic filters (prefilter, infilter, postfilter)
+        module Filters
+          POSTFILTER_MODES = Set.new(%i[BLOCK MONITOR]).cs__freeze
+
+          # Actions required for the rules that have to happen before the
+          # application has completed its processing of the request.
+          #
+          # For most rules, these actions are performed within the analysis
+          # engine and communicated as an input analysis result. Those that
+          # require specific action need to provide that action.
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for
+          #   the current request
+          def prefilter context
+            return unless prefilter?(context)
+
+            ia_results = gather_ia_results(context)
+
+            ia_results.each do |ia_result|
+              result = build_attack_result(context)
+              build_attack_without_match(context, ia_result, result)
+              append_to_activity(context, result)
+
+              cef_logging(result, :successful_attack)
+              raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+            end
+          end
+
+          # Prefilter check always called before infilter to check if the rule is infilter
+          # capable, not disabled or in other way excluded by url or input exclusions.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Boolean]
+          def prefilter? context
+            return false unless context
+            return false unless enabled?
+            return false unless (results = gather_ia_results(context)) && results.any?
+            return false if protect_excluded_by_url?(rule_name, context.request.path)
+            return false if protect_excluded_by_input?(results, context.request.path)
+
+            true
+          end
+
+          # This should only ever be called directly from patched code and will
+          # have a different implementation based on the rule. As such, there
+          # is not parent implementation.
+          #
+          # @param _context [Contrast::Agent::RequestContext] the context for
+          #   the current request
+          # @param _match_string [String] the input that violated the rule and
+          #   matched the attack detection logic
+          # @param _kwargs [Hash] key-value pairs used by the rule to build a
+          #   report.
+          def infilter _context, _match_string, **_kwargs; end
+
+          # Infilter check always called before infilter to check if the rule is infilter
+          # capable, not disabled or in other way excluded by url or input exclusions.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Boolean]
+          def infilter? context
+            return false unless enabled?
+            return false unless (results = gather_ia_results(context)) && results.any?
+            return false if protect_excluded_by_url?(rule_name, context.request.path)
+            return false if protect_excluded_by_input?(results, context.request.path)
+
+            true
+          end
+
+          # Actions required for the rules that have to happen after the
+          # application has completed its processing of the request.
+          #
+          # Any implementation here needs to account for the fact that
+          # responses may be streaming and, as such, transformations of the
+          # response itself may not be permissible.
+          #
+          # Override for rules that need the response
+          # Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify
+          # the response streamed responses will break
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @raise [Contrast::SecurityException]
+          def postfilter context
+            return unless enabled? && POSTFILTER_MODES.include?(mode)
+            return false if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_input?(gather_ia_results(context), context.request.path)
+
+            return if mode == :NO_ACTION || mode == :PERMIT
+
+            result = find_postfilter_attacker(context, nil)
+            return unless result&.samples&.any?
+
+            cef_logging(result)
+            append_to_activity(context, result)
+            return unless result.response == :BLOCKED
+
+            raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/{xss.rb → xss/xss.rb}

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/reporting/input_analysis/input_type'
 
@@ -10,7 +10,7 @@ module Contrast
     module Protect
       module Rule
         # The Ruby implementation of the Protect Cross-Site Scripting rule.
-        class Xss < Contrast::Agent::Protect::Rule::BaseService
+        class Xss < Contrast::Agent::Protect::Rule::Base
           include Contrast::Agent::Reporting::InputType
           NAME = 'reflected-xss'
           BLOCK_MESSAGE = 'XSS rule triggered. Response blocked.'

data/lib/contrast/agent/protect/rule/{xxe.rb → xxe/xxe.rb}

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/reporting/details/xxe_details'
 require 'contrast/agent/reporting/details/xxe_match'
 require 'contrast/agent/reporting/details/xxe_wrapper'
@@ -14,7 +14,7 @@ module Contrast
       module Rule
         # Implementation of the XXE Protect Rule used to evaluate XML calls for exploit
         # of unsafe external entity resolution.
-        class Xxe < Contrast::Agent::Protect::Rule::BaseService
+        class Xxe < Contrast::Agent::Protect::Rule::Base
           include Contrast::Components::Logger::InstanceMethods
           INPUT_NAME = 'XML Prolog'
 

data/lib/contrast/agent/protect/rule.rb

@@ -16,14 +16,13 @@ end
 
 # The classes required for All Rasp Rules
 require 'contrast/agent/protect/rule/base'
-require 'contrast/agent/protect/rule/base_service'
 
 # The classes required for the XSS Rasp Rule
-require 'contrast/agent/protect/rule/xss'
+require 'contrast/agent/protect/rule/xss/xss'
 
 # The classes required for the SQLI
 require 'contrast/agent/protect/rule/default_scanner'
-require 'contrast/agent/protect/rule/sqli'
+require 'contrast/agent/protect/rule/sqli/sqli'
 require 'contrast/agent/protect/rule/sqli/default_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/mysql_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/postgres_sql_scanner'
@@ -31,22 +30,22 @@ require 'contrast/agent/protect/rule/sqli/sqlite_sql_scanner'
 require 'contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions'
 
 # The classes required for Path Traversal
-require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 
 # The classes required for Command Injection and sub-rules
-require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/protect/rule/cmdi/cmd_injection'
 require 'contrast/agent/protect/rule/cmdi/cmdi_backdoors'
 
 # The classes required for XXE
-require 'contrast/agent/protect/rule/xxe'
+require 'contrast/agent/protect/rule/xxe/xxe'
 require 'contrast/agent/protect/rule/xxe/entity_wrapper'
 
 # The classes required for Untrusted Deserialization
-require 'contrast/agent/protect/rule/deserialization'
+require 'contrast/agent/protect/rule/deserialization/deserialization'
 
 # The classes required for the NoSQLi
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner'
 
 # The classes required for Unsafe File Upload
-require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'

data/lib/contrast/agent/reporting/reporter.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/agent_startup'

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb

@@ -1,9 +1,9 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/cmd_injection'
-require 'contrast/agent/protect/rule/deserialization'
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/cmdi/cmd_injection'
+require 'contrast/agent/protect/rule/deserialization/deserialization'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/reporting/attack_result/user_input'
 require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/components/logger'

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -3,7 +3,7 @@
 
 require 'contrast/agent/reporting/reporting_utilities/ng_response_extractor'
 require 'contrast/agent/reporting/reporting_utilities/response_extractor'
-require 'contrast/agent/disable_reaction'
+require 'contrast/agent/reactions/disable_reaction'
 
 module Contrast
   module Agent

data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 
 module Contrast

data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 require 'contrast/agent/inventory/dependency_usage_analysis'
 require 'contrast/agent/reporting/reporting_events/poll'

data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/report'
 
 module Contrast

data/lib/contrast/agent/{request_context.rb → request/request_context.rb}

@@ -2,13 +2,13 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/timer'
-require 'contrast/agent/request'
-require 'contrast/agent/response'
+require 'contrast/agent/request/request'
+require 'contrast/agent/response/response'
 require 'contrast/agent/inventory/database_config'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/request_utils'
-require 'contrast/agent/request_context_extend'
+require 'contrast/agent/request/request_context_extend'
 require 'contrast/agent/reporting/reporting_events/observed_route'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
 require 'contrast/agent/reporting/reporting_events/application_activity'

data/lib/contrast/agent/telemetry/base.rb

@@ -4,8 +4,8 @@
 require 'contrast/config/env_variables'
 require 'contrast/components/logger'
 require 'contrast/agent/telemetry/client'
-require 'contrast/agent/worker_thread'
-require 'contrast/agent/telemetry'
+require 'contrast/agent/thread/worker_thread'
+require 'contrast/agent/telemetry/telemetry'
 require 'contrast/agent/telemetry/exception'
 
 module Contrast

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.14.0'
+    VERSION = '6.15.1'
   end
 end

data/lib/contrast/agent.rb

@@ -35,14 +35,14 @@ require 'contrast/utils/findings'
 # Collect Exploites and Attacks
 require 'contrast/agent/protect/exploitable_collection'
 # scoping
-require 'contrast/agent/scope'
+require 'contrast/agent/scope/scope'
 
 require 'contrast/utils/thread_tracker'
 
 # Framework support
 require 'contrast/framework/manager'
 
-require 'contrast/agent/thread_watcher'
+require 'contrast/agent/thread/thread_watcher'
 require 'contrast/utils/silence_maker'
 
 module Contrast
@@ -103,27 +103,27 @@ end
 
 require 'contrast/utils/resource_loader'
 require 'contrast/utils/duck_utils'
-require 'contrast/agent/tracepoint_hook'
-require 'contrast/agent/at_exit_hook'
+require 'contrast/agent/hooks/tracepoint_hook'
+require 'contrast/agent/hooks/at_exit_hook'
 
-require 'contrast/agent/exclusion_matcher'
+require 'contrast/agent/excluder/exclusion_matcher'
 
-# threads that handle contrast scope
-require 'contrast/agent/thread'
+# threads that handle contrast scoper
+require 'contrast/agent/thread/thread'
 
 # keep track of attacks
-require 'contrast/agent/request_context'
+require 'contrast/agent/request/request_context'
 
-require 'contrast/agent/assess'
+require 'contrast/agent/assess/assess'
 
 # protect rules
 require 'contrast/agent/protect/rule'
 
 # application libraries and technologies
-require 'contrast/agent/inventory'
+require 'contrast/agent/inventory/inventory'
 
 # rack event monitoring
-require 'contrast/agent/middleware'
+require 'contrast/agent/middleware/middleware'
 
 # Install the patches we need before the application has a chance to initialize
 Contrast::Agent.framework_manager.before_load_patches!

data/lib/contrast/components/agent.rb

@@ -3,7 +3,7 @@
 
 require 'rubygems/version'
 require 'contrast/components/base'
-require 'contrast/agent/rule_set'
+require 'contrast/components/rule_set'
 require 'contrast/components/logger'
 require 'contrast/components/security_logger'
 require 'contrast/components/heap_dump'

data/lib/contrast/components/assess.rb

@@ -45,6 +45,7 @@ module Contrast
           tags
           enable_scan_response
           enable_original_object
+          enable_dynamic_sources
           stacktraces
           max_context_source_events
           max_propagation_events

data/lib/contrast/components/scope.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'fiber'
-require 'contrast/agent/scope'
+require 'contrast/agent/scope/scope'
 require 'cs__scope/cs__scope'
 
 # This is the Scope component.

data/lib/contrast/components/settings.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/excluder'
+require 'contrast/agent/excluder/excluder'
 require 'contrast/agent/reporting/settings/sensitive_data_masking'
 require 'contrast/components/config'
 require 'contrast/components/logger'

data/lib/contrast/extension/assess/exec_trigger.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/at_exit_hook'
+require 'contrast/agent/hooks/at_exit_hook'
 
 module Contrast
   module Extension

data/lib/contrast/extension/assess/string.rb

@@ -14,9 +14,6 @@ module Contrast
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # String Class or exposing our methods there.
       class StringPropagator
-        extend Contrast::Components::Logger::InstanceMethods
-        extend Contrast::Components::Scope::InstanceMethods
-
         NODE_HASH = {
             'class_name' => 'String',
             'instance_method' => true,
@@ -31,6 +28,8 @@ module Contrast
         INTERPOLATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
         class << self
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Scope::InstanceMethods
           # We call this method from C, and the Scope check is happening there. If we are in
           # Contrast Scope the method won't be invoked.
           #
@@ -76,6 +75,8 @@ module Contrast
             return unless (dynamic_props = Contrast::Agent::Assess::Tracker.properties(source)&.properties)
 
             Contrast::Agent::Assess::Tracker.properties(target)&.add_properties(dynamic_props)
+          rescue StandardError => e
+            logger.error('Unable to copy Dynamic track interpolation', e)
           end
         end
       end

data/lib/contrast.rb

@@ -62,7 +62,7 @@ require 'contrast/components/scope'
 require 'contrast/components/settings'
 require 'contrast/utils/routes_sent'
 require 'contrast/agent/telemetry/hash'
-require 'contrast/agent/telemetry'
+require 'contrast/agent/telemetry/telemetry'
 require 'contrast/agent/telemetry/exception/event'
 require 'contrast/agent_lib/interface'
 

data/ruby-agent.gemspec

@@ -120,10 +120,12 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
+  spec.add_dependency 'ffi', '~> 1.0'
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
   spec.add_dependency 'rack', '~> 2.0'
-  spec.add_dependency 'contrast-agent-lib',  '~> 0.1.0', '>= 0.1.3'
-  spec.add_dependency 'ffi', '~> 1.0'
+
+  # bind this directly as we've had issues w/ build changes on bug release
+  spec.add_dependency 'contrast-agent-lib',  '1.1.0'
 end
 
 # Enumerate the files required to build the Agent.