contrast-agent 6.15.1 → 6.15.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da127ad5e9e6a680c97012fff322627848cafb812164a7c9eb2b4200790342a8
-  data.tar.gz: 222870b966c8ebc16dc5cc0fc4452e3a50326b9669c06606dd2e3c798fec1bf9
+  metadata.gz: a2f94b8a7a87febf8c10b58cf5133081a6dc3183c158ad59c202921efc23753e
+  data.tar.gz: 2e3fff601596655f725a4bea7a8b6f309a5f702557cfb009ad82b1d424da8d40
 SHA512:
-  metadata.gz: 46014984fee94a0a0244ab9374e4699b7e09737720384edd3e584d0c6c19fa3741f2ae34c961b8aea9ba7d4bea9cabab7ed406979ff878b61ffd9db9b4993556
-  data.tar.gz: d164ae2ab0cad83e3369f8e330a0a8b98d6ca9c36dca768134202e5c9bf1f5aa3130a7e45488f9994ce3044e33805f49c72a79eae4dded097d4f3fd13986ae5a
+  metadata.gz: cd0a28ee1a7331401a4709e1aec63a44b272d9d93ba9e6dcebd47270078165b42e3955fe8d938311b10cae4ec60cfaa92d9bee088b3a6056a2461fb00c6a4ab8
+  data.tar.gz: ba7ab7bebd769fd3057533da348a260e208bb622fe50aab3d0e68f8709413579bac258588680f04a65aa68ff4f5dbf0a2038d56fde7fd2ef2892a095e0e8e388

data/lib/contrast/agent/telemetry/base.rb

@@ -7,12 +7,13 @@ require 'contrast/agent/telemetry/client'
 require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/telemetry/telemetry'
 require 'contrast/agent/telemetry/exception'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Agent
     module Telemetry
       # This class will initialize and hold everything needed for the telemetry
-      class Base < WorkerThread
+      class Base < WorkerThread # rubocop:disable Metrics/ClassLength
         include Contrast::Components::Logger::InstanceMethods
         # this is where we will send the data from the agents
         URL = 'https://telemetry.ruby.contrastsecurity.com/'
@@ -48,6 +49,8 @@ module Contrast
           private
 
           def telemetry_enabled?
+            return false if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
+
             opt_out_telemetry = return_value(:telemetry_opt_outs).to_s
             return false if opt_out_telemetry.casecmp?('true') || opt_out_telemetry == '1'
 
@@ -56,7 +59,9 @@ module Contrast
             @_client = Contrast::Agent::Telemetry::Client.new
             ip_opt_out_telemetry = @_client.initialize_connection(URL)
             if ip_opt_out_telemetry.nil?
-              logger.warn("[Telemetry] Connection was not established properly!!! \n
+              # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+              #   an infinite loop w/ telemetry
+              logger.debug("[Telemetry] Connection was not established properly!!! \n
                           Telemetry reporting will be disabled!")
               return false
             end
@@ -74,6 +79,8 @@ module Contrast
         end
 
         def attempt_to_start?
+          return unless super
+
           unless cs__class.enabled?
             logger.info('[Telemetry] Telemetry service is disabled!')
             return false
@@ -92,7 +99,7 @@ module Contrast
 
         def send_event event
           if ::Contrast::AGENT.disabled?
-            logger.warn('[Telemetry] Attempted to queue event with Agent disabled', caller: caller, event: event)
+            logger.debug('[Telemetry] Attempted to queue event with Agent disabled', caller: caller, event: event)
             return
           end
 
@@ -148,7 +155,9 @@ module Contrast
                     sleep(retry_sleep_time) unless retry_sleep_time.nil?
                   end
                 rescue StandardError => e
-                  logger.error('[Telemetry] Could not send message to service from telemetry queue.', e)
+                  # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+                  #   an infinite loop w/ telemetry
+                  logger.debug('[Telemetry] Could not send message to service from telemetry queue.', e)
                   stop!
                 end
               end

data/lib/contrast/agent/telemetry/client.rb

@@ -100,7 +100,9 @@ module Contrast
         def get_event_json event
           Array(event.to_controlled_hash).to_json
         rescue Exception => e # rubocop:disable Lint/RescueException
-          logger.error('[Telemetry] Unable to convert TelemetryEvent to JSON string', e, hsh)
+          # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+          #   an infinite loop w/ telemetry
+          logger.debug('[Telemetry] Unable to convert TelemetryEvent to JSON string', e, hsh)
           raise(e)
         end
       end

data/lib/contrast/agent/telemetry/telemetry.rb

@@ -94,6 +94,12 @@ module Contrast
         def telemetry_exceptions_enabled?
           opts_out_telemetry = return_value(:telemetry_opt_outs).to_s
           return false if opts_out_telemetry.casecmp?('true') || opts_out_telemetry == '1'
+          # Double check if telemetry is enabled, this includes a check for Agent enable setting in the
+          # config. In case of disabled Agent the queue won't be created and the Telemetry would not
+          # be enabled. This check is here to prevent a loop of error creations that could no be added
+          # to a queue ( because the client cannot be initialized if the Agent is disabled or settings are
+          # missing).
+          return false unless Contrast::Agent::Telemetry::Base.enabled?
 
           true
         end

data/lib/contrast/agent/thread/thread_watcher.rb

@@ -7,6 +7,7 @@ require 'contrast/agent/reporting/reporting_workers/reporting_workers'
 require 'contrast/agent/telemetry/base'
 require 'contrast/agent/protect/input_analyzer/worth_watching_analyzer'
 require 'contrast/config/diagnostics'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Agent
@@ -28,6 +29,11 @@ module Contrast
       attr_reader :reporter_app_settings_worker
 
       def initialize
+        if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
+          logger.info('Agent Disabled, shutting down all threads...')
+          return
+        end
+
         @heapdump_util = Contrast::Utils::HeapDumpUtil.new
         @reporter = Contrast::Agent::Reporter.new
         @reporter_heartbeat = Contrast::Agent::ReportingWorkers::ReporterHeartbeat.new
@@ -37,7 +43,7 @@ module Contrast
         @worth_watching_analyzer = Contrast::Agent::Protect::WorthWatchingInputAnalyzer.new unless protect_disabled?
       end
 
-      # @return [Hash, nil] map of process to thread startup status
+      # @return [Array<Contrast::Agent::WorkerThread>] map of process to thread startup status
       def startup!
         check_before_start
 

data/lib/contrast/agent/thread/worker_thread.rb

@@ -29,7 +29,7 @@ module Contrast
       #
       # @return [Boolean]
       def attempt_to_start?
-        true
+        Contrast::AGENT.enabled?
       end
 
       def clean_properties

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.15.1'
+    VERSION = '6.15.2'
   end
 end

data/lib/contrast/components/agent.rb

@@ -9,6 +9,7 @@ require 'contrast/components/security_logger'
 require 'contrast/components/heap_dump'
 require 'contrast/components/ruby_component'
 require 'contrast/components/polling'
+require 'contrast/agent/hooks/tracepoint_hook'
 
 module Contrast
   module Components
@@ -23,6 +24,8 @@ module Contrast
         attr_reader :canon_name
         # @return [Array]
         attr_reader :config_values
+        # @return [Boolean]
+        attr_accessor :enable
 
         CANON_NAME = 'agent'
         CONFIG_VALUES = %w[enabled? omit_body?].cs__freeze

data/lib/contrast/configuration.rb

@@ -53,6 +53,7 @@ module Contrast
     # @return [String,nil]
     attr_reader :config_file
 
+    CONTRAST_ENV_MARKER = 'CONTRAST__'
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
     MILLISECOND_MARKER = '_ms'
     CONVERSION = {}.cs__freeze
@@ -67,6 +68,14 @@ module Contrast
       config_kv = deep_symbolize_all_keys(load_config)
       config_sources = assign_source_to(config_kv, Contrast::Components::Config::Sources::YAML)
 
+      unless cli_options
+        cli_options = {}
+        ENV.each do |key, value|
+          next unless key.to_s.start_with?(CONTRAST_ENV_MARKER)
+
+          cli_options[key] = value
+        end
+      end
       # Overlay CLI options - they take precedence over config file
       cli_options = deep_symbolize_all_keys(cli_options)
       if cli_options

data/lib/contrast/framework/manager.rb

@@ -11,6 +11,7 @@ require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
 require 'contrast/framework/sinatra/support'
 require 'contrast/utils/class_util'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Framework
@@ -28,6 +29,8 @@ module Contrast
       ].cs__freeze
 
       def initialize
+        return if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
+
         @_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
           next unless enable_framework_support?(framework_klass.detection_class)
 
@@ -116,8 +119,8 @@ module Contrast
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Agent::Reporting::RouteCoverage] the current route as a Dtm.
       def get_route_information request
-        @_frameworks.lazy.map { |framework_support| framework_support.current_route_coverage(request) }.
-            reject(&:nil?).first # rubocop:disable Style/CollectionCompact
+        @_frameworks&.lazy&.map { |framework_support| framework_support.current_route_coverage(request) }&.
+            reject(&:nil?)&.first
       end
 
       # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect

data/lib/contrast/funchook/funchook.rb

@@ -28,7 +28,6 @@ module Funchook
         logger.warn('Unable to find funchook')
       else
         @path = absolute_path(actual_path_segments)
-        logger.info('Funchook found', path: @path)
       end
       @path
     end

data/lib/contrast/logger/aliased_logging.rb

@@ -40,12 +40,38 @@ module Contrast
 
       private
 
+      # There's a weird circular import in our code that we don't have time to untangle. This is 100% bad code and
+      # I'm sorry to the future team, but this is all we got.
+      #
+      # If the configuration we need is not available, we'll skip out for now - it means the agent isn't ready. We
+      # won't get telemetry exceptions at this point, but that means the agent hasn't initialized and there's a
+      # chance we're not supposed to. Essentially, we fail closed.
+      #
+      # Once we have the agent initialized, we'll use the value to check. Since it cannot change once set, we'll use
+      # the saved value.
+      #
+      # - HM
+      #
+      # @return [Boolean]
+      def buildable?
+        if @_buildable.nil?
+          return false unless defined?(Contrast) &&
+              defined?(Contrast::Agent) &&
+              defined?(Contrast::Agent::Telemetry)
+
+          @_buildable = Contrast::Agent::Telemetry.exceptions_enabled?
+        end
+        @_buildable
+      end
+
       # @param type [ALIASED_FATAL, ALIASED_ERROR, ALIASED_WARN] the type of error, used to indicate the function used
       #   for logging
       # @param message [String] the exception message
       # @param exception [Exception] The exception or error
       # @param data [Object] Any structured data
       def build_exception type, message = nil, exception = nil, data = nil
+        return unless buildable?
+
         stack_trace = wrapped_caller_locations
         caller_idx = stack_trace&.find_index { |stack| stack.to_s.include?(type) } || 0
         # The caller_stack is the method in which the error occurred, so has to be above this method

data/lib/contrast/utils/job_servers_running.rb

@@ -1,15 +1,13 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/logger'
+require 'contrast/components/ruby_component'
 
 module Contrast
   module Utils
     # A module that detects whether any job servers attached to
     # the application are running
     module JobServersRunning
-      extend Contrast::Components::Logger::InstanceMethods
-
       class << self
         def job_servers_running?
           sidekiq_running? || rake_running?
@@ -20,7 +18,6 @@ module Contrast
         def sidekiq_running?
           return unless defined?(Sidekiq) && Sidekiq.cs__respond_to?(:server?) && Sidekiq.server?
 
-          logger.trace('Detected the spawn of a Sidekiq process')
           true
         end
 
@@ -32,13 +29,18 @@ module Contrast
             return
           end
 
-          disabled_rake_tasks = ::Contrast::APP_CONTEXT.disabled_agent_rake_tasks
+          # This might be called before component even exist, so we backup to
+          # default disabled rake tasks.
+          disabled_rake_tasks = if Contrast.const_defined?(:APP_CONTEXT) # rubocop:disable Security/Module/ConstDefined
+                                  Contrast::APP_CONTEXT.disabled_agent_rake_tasks
+                                else
+                                  Contrast::Components::Ruby::Interface::DISABLED_RAKE_TASK_LIST
+                                end
           has_disabled_task = Rake.application.top_level_tasks.any? do |top_level_task|
             disabled_rake_tasks.include?(top_level_task)
           end
           return false unless has_disabled_task
 
-          logger.trace('Detected startup within Rake task')
           true
         end
       end

data/lib/contrast/utils/log_utils.rb

@@ -51,7 +51,7 @@ module Contrast
         logger.extend(Contrast::Logger::Application)
         logger.extend(Contrast::Logger::Request)
         logger.extend(Contrast::Logger::Time)
-        logger.extend(Contrast::Logger::AliasedLogging) if Contrast::Agent::Telemetry.exceptions_enabled?
+        logger.extend(Contrast::Logger::AliasedLogging)
       end
 
       # Determine the valid path to which to log, given the precedence of config > settings > default.

data/lib/contrast/utils/middleware_utils.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/config/yaml_file'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Utils
@@ -30,6 +31,9 @@ module Contrast
           logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
         elsif ::Contrast::AGENT.disabled?
           logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
+        elsif Contrast::Utils::JobServersRunning.job_servers_running?
+          logger.info('Server job detected disabling Agent...')
+          ::Contrast::AGENT.disable!
         else
           ::Contrast::AGENT.enable!
         end

data/lib/contrast/utils/net_http_base.rb

@@ -43,7 +43,9 @@ module Contrast
         logger.debug('Client verified', service: service_name, url: url)
         net_http_client
       rescue StandardError => e
-        logger.error('Connection failed', e, service: service_name, url: url)
+        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+        #   an infinite loop w/ telemetry
+        logger.debug('Connection failed', e, service: service_name, url: url)
         nil
       end
 
@@ -72,7 +74,9 @@ module Contrast
              Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, Errno::EHOSTUNREACH, Errno::EISCONN,
              Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH => e
 
-        logger.warn("#{ service_name } connection failed", e.message)
+        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+        #   an infinite loop w/ telemetry
+        logger.debug("#{ service_name } connection failed", e.message)
         false
       end
 
@@ -110,7 +114,9 @@ module Contrast
           client.key = OpenSSL::PKey::RSA.new(File.read(Contrast::API.certification_key_file)).to_s
         end
       rescue Errno::ENOENT => e
-        logger.error('Custom certificates failed', e.message)
+        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+        #   an infinite loop w/ telemetry
+        logger.debug('Custom certificates failed', e.message)
       end
 
       # sets default setting for client validation of certificates and

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 6.15.1
+  version: 6.15.2
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-02-16 00:00:00.000000000 Z
+date: 2023-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -678,22 +678,22 @@ email:
 executables: []
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_hash/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__scope/extconf.rb
 - ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_string_interpolation/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_array/extconf.rb
+- ext/cs__os_information/extconf.rb
 - ext/cs__assess_string/extconf.rb
+- ext/cs__assess_hash/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__tests/extconf.rb
 - ext/cs__assess_module/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
-- ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__scope/extconf.rb
+- ext/cs__assess_string_interpolation/extconf.rb
+- ext/cs__tests/extconf.rb
 - ext/cs__assess_test/extconf.rb
-- ext/cs__os_information/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_array/extconf.rb
+- ext/cs__assess_fiber_track/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"