contrast-agent 6.15.1 → 6.15.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da127ad5e9e6a680c97012fff322627848cafb812164a7c9eb2b4200790342a8
-  data.tar.gz: 222870b966c8ebc16dc5cc0fc4452e3a50326b9669c06606dd2e3c798fec1bf9
+  metadata.gz: bb55239bd37c7b0d2c3adc47d2e47ff25e331694b9be68522a29f8e4ce8c1220
+  data.tar.gz: 41a5a677403dd10c0dcd67673b32e32aa8f8ad04a82d963891f95ceaa25b46a1
 SHA512:
-  metadata.gz: 46014984fee94a0a0244ab9374e4699b7e09737720384edd3e584d0c6c19fa3741f2ae34c961b8aea9ba7d4bea9cabab7ed406979ff878b61ffd9db9b4993556
-  data.tar.gz: d164ae2ab0cad83e3369f8e330a0a8b98d6ca9c36dca768134202e5c9bf1f5aa3130a7e45488f9994ce3044e33805f49c72a79eae4dded097d4f3fd13986ae5a
+  metadata.gz: 94aaa0a8ed0b9fb08fb5c206bee3695cd1cc1f3a8b7752fa8c52abfb563a4e58fac60162ab13c4f06ceb785532ae1a76b93dcc8f348e99d29b112b265a88051b
+  data.tar.gz: 658421a2a8558bac001eb707340f0bc763012d06b9fdcfe1137fb3ceff6f53966d7cc9af9bced07f08411b5e44af1ad5c4f5805b54abaae0ad71dcc81011fbb9

data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb

@@ -33,8 +33,8 @@ module Contrast
         # Parse the given controller and route from a Rack based application framework in order to create an instance
         # of this class
         #
-        # @param final_controller [Grape::API, Sinatra::Base] the controller responsible for the definition of the
-        #   entrypoint of the route actively being executed
+        # @param final_controller [Class<Grape::API>, Class<Sinatra::Base>] the controller responsible for the
+        #   definition of the entrypoint of the route actively being executed
         # @param method [String] the HTTP request method of the route actively being executed
         # @param route_pattern [Grape::Router::Route, Mustermann::Sinatra] the pattern to which the url maps
         # @param url [String] the literal url of the route actively being executed

data/lib/contrast/agent/request/request_context.rb

@@ -135,6 +135,8 @@ module Contrast
         @observed_route = Contrast::Agent::Reporting::ObservedRoute.new
         reporting_route = Contrast::Agent.framework_manager.get_route_information(@request)
         append_to_observed_route(reporting_route)
+      rescue StandardError => e
+        logger.error('Unable to determine current route', e)
       end
     end
   end

data/lib/contrast/agent/telemetry/base.rb

@@ -7,12 +7,13 @@ require 'contrast/agent/telemetry/client'
 require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/telemetry/telemetry'
 require 'contrast/agent/telemetry/exception'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Agent
     module Telemetry
       # This class will initialize and hold everything needed for the telemetry
-      class Base < WorkerThread
+      class Base < WorkerThread # rubocop:disable Metrics/ClassLength
         include Contrast::Components::Logger::InstanceMethods
         # this is where we will send the data from the agents
         URL = 'https://telemetry.ruby.contrastsecurity.com/'
@@ -48,6 +49,8 @@ module Contrast
           private
 
           def telemetry_enabled?
+            return false if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
+
             opt_out_telemetry = return_value(:telemetry_opt_outs).to_s
             return false if opt_out_telemetry.casecmp?('true') || opt_out_telemetry == '1'
 
@@ -56,7 +59,9 @@ module Contrast
             @_client = Contrast::Agent::Telemetry::Client.new
             ip_opt_out_telemetry = @_client.initialize_connection(URL)
             if ip_opt_out_telemetry.nil?
-              logger.warn("[Telemetry] Connection was not established properly!!! \n
+              # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+              #   an infinite loop w/ telemetry
+              logger.debug("[Telemetry] Connection was not established properly!!! \n
                           Telemetry reporting will be disabled!")
               return false
             end
@@ -74,6 +79,8 @@ module Contrast
         end
 
         def attempt_to_start?
+          return unless super
+
           unless cs__class.enabled?
             logger.info('[Telemetry] Telemetry service is disabled!')
             return false
@@ -92,7 +99,7 @@ module Contrast
 
         def send_event event
           if ::Contrast::AGENT.disabled?
-            logger.warn('[Telemetry] Attempted to queue event with Agent disabled', caller: caller, event: event)
+            logger.debug('[Telemetry] Attempted to queue event with Agent disabled', caller: caller, event: event)
             return
           end
 
@@ -148,7 +155,9 @@ module Contrast
                     sleep(retry_sleep_time) unless retry_sleep_time.nil?
                   end
                 rescue StandardError => e
-                  logger.error('[Telemetry] Could not send message to service from telemetry queue.', e)
+                  # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+                  #   an infinite loop w/ telemetry
+                  logger.debug('[Telemetry] Could not send message to service from telemetry queue.', e)
                   stop!
                 end
               end

data/lib/contrast/agent/telemetry/client.rb

@@ -100,7 +100,9 @@ module Contrast
         def get_event_json event
           Array(event.to_controlled_hash).to_json
         rescue Exception => e # rubocop:disable Lint/RescueException
-          logger.error('[Telemetry] Unable to convert TelemetryEvent to JSON string', e, hsh)
+          # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+          #   an infinite loop w/ telemetry
+          logger.debug('[Telemetry] Unable to convert TelemetryEvent to JSON string', e, hsh)
           raise(e)
         end
       end

data/lib/contrast/agent/telemetry/telemetry.rb

@@ -94,6 +94,12 @@ module Contrast
         def telemetry_exceptions_enabled?
           opts_out_telemetry = return_value(:telemetry_opt_outs).to_s
           return false if opts_out_telemetry.casecmp?('true') || opts_out_telemetry == '1'
+          # Double check if telemetry is enabled, this includes a check for Agent enable setting in the
+          # config. In case of disabled Agent the queue won't be created and the Telemetry would not
+          # be enabled. This check is here to prevent a loop of error creations that could no be added
+          # to a queue ( because the client cannot be initialized if the Agent is disabled or settings are
+          # missing).
+          return false unless Contrast::Agent::Telemetry::Base.enabled?
 
           true
         end

data/lib/contrast/agent/thread/thread_watcher.rb

@@ -7,6 +7,7 @@ require 'contrast/agent/reporting/reporting_workers/reporting_workers'
 require 'contrast/agent/telemetry/base'
 require 'contrast/agent/protect/input_analyzer/worth_watching_analyzer'
 require 'contrast/config/diagnostics'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Agent
@@ -28,6 +29,11 @@ module Contrast
       attr_reader :reporter_app_settings_worker
 
       def initialize
+        if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
+          logger.info('Agent Disabled, shutting down all threads...')
+          return
+        end
+
         @heapdump_util = Contrast::Utils::HeapDumpUtil.new
         @reporter = Contrast::Agent::Reporter.new
         @reporter_heartbeat = Contrast::Agent::ReportingWorkers::ReporterHeartbeat.new
@@ -37,7 +43,7 @@ module Contrast
         @worth_watching_analyzer = Contrast::Agent::Protect::WorthWatchingInputAnalyzer.new unless protect_disabled?
       end
 
-      # @return [Hash, nil] map of process to thread startup status
+      # @return [Array<Contrast::Agent::WorkerThread>] map of process to thread startup status
       def startup!
         check_before_start
 

data/lib/contrast/agent/thread/worker_thread.rb

@@ -29,7 +29,7 @@ module Contrast
       #
       # @return [Boolean]
       def attempt_to_start?
-        true
+        Contrast::AGENT.enabled?
       end
 
       def clean_properties

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.15.1'
+    VERSION = '6.15.3'
   end
 end

data/lib/contrast/components/agent.rb

@@ -9,6 +9,7 @@ require 'contrast/components/security_logger'
 require 'contrast/components/heap_dump'
 require 'contrast/components/ruby_component'
 require 'contrast/components/polling'
+require 'contrast/agent/hooks/tracepoint_hook'
 
 module Contrast
   module Components
@@ -23,6 +24,8 @@ module Contrast
         attr_reader :canon_name
         # @return [Array]
         attr_reader :config_values
+        # @return [Boolean]
+        attr_accessor :enable
 
         CANON_NAME = 'agent'
         CONFIG_VALUES = %w[enabled? omit_body?].cs__freeze

data/lib/contrast/configuration.rb

@@ -53,6 +53,7 @@ module Contrast
     # @return [String,nil]
     attr_reader :config_file
 
+    CONTRAST_ENV_MARKER = 'CONTRAST__'
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
     MILLISECOND_MARKER = '_ms'
     CONVERSION = {}.cs__freeze
@@ -67,6 +68,14 @@ module Contrast
       config_kv = deep_symbolize_all_keys(load_config)
       config_sources = assign_source_to(config_kv, Contrast::Components::Config::Sources::YAML)
 
+      unless cli_options
+        cli_options = {}
+        ENV.each do |key, value|
+          next unless key.to_s.start_with?(CONTRAST_ENV_MARKER)
+
+          cli_options[key] = value
+        end
+      end
       # Overlay CLI options - they take precedence over config file
       cli_options = deep_symbolize_all_keys(cli_options)
       if cli_options

data/lib/contrast/framework/manager.rb

@@ -11,6 +11,7 @@ require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
 require 'contrast/framework/sinatra/support'
 require 'contrast/utils/class_util'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Framework
@@ -28,6 +29,8 @@ module Contrast
       ].cs__freeze
 
       def initialize
+        return if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
+
         @_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
           next unless enable_framework_support?(framework_klass.detection_class)
 
@@ -116,8 +119,8 @@ module Contrast
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Agent::Reporting::RouteCoverage] the current route as a Dtm.
       def get_route_information request
-        @_frameworks.lazy.map { |framework_support| framework_support.current_route_coverage(request) }.
-            reject(&:nil?).first # rubocop:disable Style/CollectionCompact
+        @_frameworks&.lazy&.map { |framework_support| framework_support.current_route_coverage(request) }&.
+            reject(&:nil?)&.first
       end
 
       # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect

data/lib/contrast/framework/sinatra/support.rb

@@ -67,30 +67,39 @@ module Contrast
           # Given the current request - return a RouteCoverage object
 
           # @param request [Contrast::Agent::Request] a contrast tracked request.
-          # @param controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
+          # @param _controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
           # @return [Contrast::Agent::Reporting::RouteCoverage, nil] a Dtm describing the route
           # matched to the request if a match was found.
-          def current_route_coverage request, controller = ::Sinatra::Base, full_route = nil
-            return unless sinatra_controller?(controller)
-
+          def current_route_coverage request, _controller = ::Sinatra::Base, full_route = nil
             method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
-
+            route = _cleaned_route(request)
             # Find route match--checking superclasses if necessary.
-            final_controller, route_pattern = _route_recurse(controller, method, _cleaned_route(request))
-            return unless final_controller && route_pattern
+            sinatra_controllers.each do |potential_controller|
+              next unless sinatra_controller?(potential_controller)
+
+              next if potential_controller.nil? || potential_controller.cs__class == NilClass
 
-            full_route ||= request.env[::Rack::PATH_INFO]
+              route_patterns = potential_controller.routes.fetch(method) { [] }.
+                  map(&:first)
+              route_pattern = route_patterns.find do |matcher|
+                matcher.params(route) # ::Mustermann::Sinatra match.
+              end
+              next unless route_pattern
 
-            new_route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
-            new_route_coverage.attach_rack_based_data(final_controller, method, route_pattern, full_route)
-            new_route_coverage
+              full_route ||= request.env[::Rack::PATH_INFO]
+              new_route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
+              new_route_coverage.attach_rack_based_data(potential_controller, method, route_pattern, full_route)
+              return new_route_coverage
+            end
+            nil
           end
 
           # Search object space for sinatra controllers--any class that subclasses ::Sinatra::Base.
           #
-          # @return [Array<::Sinatra::Base>] sinatra controlelrs
+          # @return [Array<Class<::Sinatra::Base>>] sinatra controlelrs
           def sinatra_controllers
-            [::Sinatra::Base] + ObjectSpace.each_object(Class).select { |clazz| sinatra_controller?(clazz) }
+            @_sinatra_controllers ||=
+              [::Sinatra::Base] + ObjectSpace.each_object(Class).select { |clazz| sinatra_controller?(clazz) }
           end
 
           def retrieve_request env
@@ -112,31 +121,6 @@ module Contrast
 
           private
 
-          # Given a controller and a route to match against, find the route_pattern and class that will serve the
-          # route. This is recursive as Sinatra's routing is recursive from subclass to super.
-          #
-          # @param controller [Sinatra::Base, #routes] a Sinatra application.
-          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
-          # @param route [String] the relative route passed from Rack.
-          # @return [Array[Sinatra::Base, Mustermann::Sinatra], nil] Either the controller that
-          # will handle the route along with the route pattern or nil if no match.
-          def _route_recurse controller, method, route
-            return if controller.nil? || controller.cs__class == NilClass
-
-            route_patterns = controller.routes.fetch(method) { [] }.
-                map(&:first)
-            route_pattern = route_patterns&.find do |matcher|
-              matcher.params(route) # ::Mustermann::Sinatra match.
-            end
-
-            return controller, route_pattern if route_pattern
-
-            # Check routes defined in superclass if present.
-            return unless controller.superclass&.instance_variable_get(:@routes)
-
-            _route_recurse(controller.superclass, method, route)
-          end
-
           # Get route and do some cleanup matching that of Sinatra::Base#process_route.
           #
           # @param request [Contrast::Agent::Request] a contrast tracked request.

data/lib/contrast/funchook/funchook.rb

@@ -28,7 +28,6 @@ module Funchook
         logger.warn('Unable to find funchook')
       else
         @path = absolute_path(actual_path_segments)
-        logger.info('Funchook found', path: @path)
       end
       @path
     end

data/lib/contrast/logger/aliased_logging.rb

@@ -40,12 +40,38 @@ module Contrast
 
       private
 
+      # There's a weird circular import in our code that we don't have time to untangle. This is 100% bad code and
+      # I'm sorry to the future team, but this is all we got.
+      #
+      # If the configuration we need is not available, we'll skip out for now - it means the agent isn't ready. We
+      # won't get telemetry exceptions at this point, but that means the agent hasn't initialized and there's a
+      # chance we're not supposed to. Essentially, we fail closed.
+      #
+      # Once we have the agent initialized, we'll use the value to check. Since it cannot change once set, we'll use
+      # the saved value.
+      #
+      # - HM
+      #
+      # @return [Boolean]
+      def buildable?
+        if @_buildable.nil?
+          return false unless defined?(Contrast) &&
+              defined?(Contrast::Agent) &&
+              defined?(Contrast::Agent::Telemetry)
+
+          @_buildable = Contrast::Agent::Telemetry.exceptions_enabled?
+        end
+        @_buildable
+      end
+
       # @param type [ALIASED_FATAL, ALIASED_ERROR, ALIASED_WARN] the type of error, used to indicate the function used
       #   for logging
       # @param message [String] the exception message
       # @param exception [Exception] The exception or error
       # @param data [Object] Any structured data
       def build_exception type, message = nil, exception = nil, data = nil
+        return unless buildable?
+
         stack_trace = wrapped_caller_locations
         caller_idx = stack_trace&.find_index { |stack| stack.to_s.include?(type) } || 0
         # The caller_stack is the method in which the error occurred, so has to be above this method

data/lib/contrast/utils/hash_digest.rb

@@ -44,14 +44,15 @@ module Contrast
           update(route.signature)
           if (observation = route.observations[0])
             update(observation.verb)
+          else
+            update(request.request_method)
           end
-          return
-        end
-
-        return unless request ||= context&.request
+        else
+          return unless request ||= context&.request
 
-        update(request.normalized_uri) # the normalized URL used to access the method in the route.
-        update(request.request_method) # The HTTP method used in the request
+          update(request.normalized_uri) # the normalized URL used to access the method in the route.
+          update(request.request_method)
+        end
       end
 
       # Update to CRC checksum the event source name and source type.

data/lib/contrast/utils/job_servers_running.rb

@@ -1,15 +1,13 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/logger'
+require 'contrast/components/ruby_component'
 
 module Contrast
   module Utils
     # A module that detects whether any job servers attached to
     # the application are running
     module JobServersRunning
-      extend Contrast::Components::Logger::InstanceMethods
-
       class << self
         def job_servers_running?
           sidekiq_running? || rake_running?
@@ -20,7 +18,6 @@ module Contrast
         def sidekiq_running?
           return unless defined?(Sidekiq) && Sidekiq.cs__respond_to?(:server?) && Sidekiq.server?
 
-          logger.trace('Detected the spawn of a Sidekiq process')
           true
         end
 
@@ -32,13 +29,18 @@ module Contrast
             return
           end
 
-          disabled_rake_tasks = ::Contrast::APP_CONTEXT.disabled_agent_rake_tasks
+          # This might be called before component even exist, so we backup to
+          # default disabled rake tasks.
+          disabled_rake_tasks = if Contrast.const_defined?(:APP_CONTEXT) # rubocop:disable Security/Module/ConstDefined
+                                  Contrast::APP_CONTEXT.disabled_agent_rake_tasks
+                                else
+                                  Contrast::Components::Ruby::Interface::DISABLED_RAKE_TASK_LIST
+                                end
           has_disabled_task = Rake.application.top_level_tasks.any? do |top_level_task|
             disabled_rake_tasks.include?(top_level_task)
           end
           return false unless has_disabled_task
 
-          logger.trace('Detected startup within Rake task')
           true
         end
       end

data/lib/contrast/utils/log_utils.rb

@@ -51,7 +51,7 @@ module Contrast
         logger.extend(Contrast::Logger::Application)
         logger.extend(Contrast::Logger::Request)
         logger.extend(Contrast::Logger::Time)
-        logger.extend(Contrast::Logger::AliasedLogging) if Contrast::Agent::Telemetry.exceptions_enabled?
+        logger.extend(Contrast::Logger::AliasedLogging)
       end
 
       # Determine the valid path to which to log, given the precedence of config > settings > default.

data/lib/contrast/utils/middleware_utils.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/config/yaml_file'
+require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Utils
@@ -30,6 +31,9 @@ module Contrast
           logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
         elsif ::Contrast::AGENT.disabled?
           logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
+        elsif Contrast::Utils::JobServersRunning.job_servers_running?
+          logger.info('Server job detected disabling Agent...')
+          ::Contrast::AGENT.disable!
         else
           ::Contrast::AGENT.enable!
         end

data/lib/contrast/utils/net_http_base.rb

@@ -43,7 +43,9 @@ module Contrast
         logger.debug('Client verified', service: service_name, url: url)
         net_http_client
       rescue StandardError => e
-        logger.error('Connection failed', e, service: service_name, url: url)
+        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+        #   an infinite loop w/ telemetry
+        logger.debug('Connection failed', e, service: service_name, url: url)
         nil
       end
 
@@ -72,7 +74,9 @@ module Contrast
              Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, Errno::EHOSTUNREACH, Errno::EISCONN,
              Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH => e
 
-        logger.warn("#{ service_name } connection failed", e.message)
+        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+        #   an infinite loop w/ telemetry
+        logger.debug("#{ service_name } connection failed", e.message)
         false
       end
 
@@ -110,7 +114,9 @@ module Contrast
           client.key = OpenSSL::PKey::RSA.new(File.read(Contrast::API.certification_key_file)).to_s
         end
       rescue Errno::ENOENT => e
-        logger.error('Custom certificates failed', e.message)
+        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
+        #   an infinite loop w/ telemetry
+        logger.debug('Custom certificates failed', e.message)
       end
 
       # sets default setting for client validation of certificates and

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 6.15.1
+  version: 6.15.3
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-02-16 00:00:00.000000000 Z
+date: 2023-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -678,22 +678,22 @@ email:
 executables: []
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_hash/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__scope/extconf.rb
 - ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_string_interpolation/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_array/extconf.rb
+- ext/cs__os_information/extconf.rb
 - ext/cs__assess_string/extconf.rb
+- ext/cs__assess_hash/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__tests/extconf.rb
 - ext/cs__assess_module/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
-- ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__scope/extconf.rb
+- ext/cs__assess_string_interpolation/extconf.rb
+- ext/cs__tests/extconf.rb
 - ext/cs__assess_test/extconf.rb
-- ext/cs__os_information/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_array/extconf.rb
+- ext/cs__assess_fiber_track/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"