contrast-agent 6.4.0 → 6.6.0

data/lib/contrast/agent/worker_thread.rb

@@ -1,10 +1,14 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     # Base class for threads that do async processing
     class WorkerThread
+      include Contrast::Components::Logger::InstanceMethods
+
       def initialize
         @_thread = nil
       end
@@ -27,6 +31,12 @@ module Contrast
       def attempt_to_start?
         true
       end
+
+      def clean_properties
+        logger.debug("Cleaning PROPERTIES_HASH size: #{ Contrast::Agent::Assess::Tracker::PROPERTIES_HASH.size }")
+        Contrast::Agent::Assess::Tracker.cleanup!
+        logger.debug("Cleaned PROPERTIES_HASH size: #{ Contrast::Agent::Assess::Tracker::PROPERTIES_HASH.size }")
+      end
     end
   end
 end

data/lib/contrast/api/communication/response_processor.rb

@@ -80,7 +80,7 @@ module Contrast
 
             logger.info('Current rule settings:')
 
-            ::Contrast::PROTECT.rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
+            ::Contrast::PROTECT.defend_rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
             logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
           end
         end

data/lib/contrast/components/agent.rb

@@ -3,6 +3,8 @@
 
 require 'rubygems/version'
 require 'contrast/agent/rule_set'
+require 'contrast/components/logger'
+require 'contrast/components/heap_dump'
 
 module Contrast
   module Components
@@ -13,9 +15,50 @@ module Contrast
       class Interface
         include Contrast::Components::ComponentBase
 
+        def initialize hsh = {}
+          return unless hsh
+
+          @_enable = hsh[:enable]
+          @_start_bundled_service = hsh[:start_bundled_service]
+          @_omit_body = hsh[:omit_body]
+          @_service = Contrast::Config::ServiceConfiguration.new(hsh[:service])
+          @_logger = Contrast::Components::Logger::Interface.new(hsh[:logger])
+          @_ruby = Contrast::Config::RubyConfiguration.new(hsh[:ruby])
+          @_heap_dump = Contrast::Components::HeapDump::Interface.new(hsh[:heap_dump])
+        end
+
+        # @return [Boolean, true]
+        def start_bundled_service?
+          @_start_bundled_service.nil? ? true : @_start_bundled_service
+        end
+
+        def service
+          return @_service unless @_service.nil?
+
+          @_service = Contrast::Config::ServiceConfiguration.new
+        end
+
+        def logger
+          return @_logger unless @_logger.nil?
+
+          @_logger = Contrast::Components::Logger::Interface.new
+        end
+
+        def ruby
+          return @_ruby unless @_ruby.nil?
+
+          @_ruby = Contrast::Config::RubyConfiguration.new
+        end
+
+        def heap_dump
+          return @_heap_dump unless @_heap_dump.nil?
+
+          @_heap_dump = Contrast::Components::HeapDump::Interface.new
+        end
+
         def enabled?
-          @_enabled = !false?(::Contrast::CONFIG.root.enable) if @_enabled.nil?
-          @_enabled
+          @_enable = !false?(::Contrast::CONFIG.root.enable) if @_enable.nil?
+          @_enable
         end
 
         def disabled?
@@ -23,11 +66,11 @@ module Contrast
         end
 
         def enable!
-          @_enabled = true
+          @_enable = true
         end
 
         def disable!
-          @_enabled = false
+          @_enable = false
           Contrast::Agent::TracePointHook.disable
           Contrast::Agent.thread_watcher&.shutdown!
         end
@@ -41,8 +84,7 @@ module Contrast
         end
 
         def patch_yield?
-          @_patch_yield = !false?(::Contrast::CONFIG.root.agent.ruby.propagate_yield) if @_patch_yield.nil?
-          @_patch_yield
+          !false?(ruby.propagate_yield)
         end
 
         def interpolation_enabled?
@@ -52,18 +94,14 @@ module Contrast
         end
 
         def omit_body?
-          @_omit_body = true?(::Contrast::CONFIG.root.agent.omit_body) if @_omit_body.nil?
           @_omit_body
         end
 
         def exception_control
           @_exception_control ||= {
-              enable: true?(::Contrast::CONFIG.root.agent.ruby.exceptions.capture),
-              status:
-                ::Contrast::CONFIG.root.agent.ruby.exceptions.override_status || 403,
-              message:
-                ::Contrast::CONFIG.root.agent.ruby.exceptions.override_message ||
-                    Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
+              enable: true?(ruby.exceptions.capture),
+              status: ruby.exceptions.override_status || 403,
+              message: ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
           }
         end
 
@@ -87,7 +125,7 @@ module Contrast
         def retrieve_protect_ruleset
           return {} unless enabled? && ::Contrast::PROTECT.enabled?
 
-          ::Contrast::PROTECT.rules
+          ::Contrast::PROTECT.defend_rules
         end
       end
     end

data/lib/contrast/components/api.rb

@@ -3,6 +3,9 @@
 
 require 'contrast/components/base'
 require 'contrast/components/config'
+require 'contrast/config/api_proxy_configuration'
+require 'contrast/config/request_audit_configuration'
+require 'contrast/config/certification_configuration'
 
 module Contrast
   module Components
@@ -12,50 +15,86 @@ module Contrast
       # parent_configuration_spec.yaml.
       class Interface
         include Contrast::Components::ComponentBase
+        include Contrast::Config::BaseConfiguration
+
+        # @return [String]
+        attr_accessor :api_key
+        # @return [String]
+        attr_accessor :user_name
+        # @return [String]
+        attr_accessor :service_key
+        attr_writer :url
+
+        DEFAULT_URL = 'https://app.contrastsecurity.com/Contrast'
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @api_key = hsh[:api_key]
+          @url = hsh[:url]
+          @user_name = hsh[:user_name]
+          @service_key = hsh[:service_key]
+          @_proxy = Contrast::Config::ApiProxyConfiguration.new(hsh[:proxy])
+          @_request_audit = Contrast::Config::RequestAuditConfiguration.new(hsh[:request_audit])
+          @_certificate = Contrast::Config::CertificationConfiguration.new(hsh[:certificate])
+        end
 
-        def api_url
-          @_api_url ||= begin
-            tmp = ::Contrast::CONFIG.root.api.url
-            tmp += '/Contrast' unless tmp.end_with?('/Contrast')
-            tmp
-          end
+        def url
+          @url.nil? ? DEFAULT_URL : @url
         end
 
-        def api_key
-          @_api_key ||= ::Contrast::CONFIG.root.api.api_key
+        # @return [Contrast::Config::ApiProxyConfiguration]
+        def proxy
+          return @_proxy unless @_proxy.nil?
+
+          @_proxy = Contrast::Config::ApiProxyConfiguration.new
         end
 
-        def service_key
-          @_service_key ||= ::Contrast::CONFIG.root.api.service_key
+        # @return [Contrast::Config::RequestAuditConfiguration]
+        def request_audit
+          return @_request_audit unless @_request_audit.nil?
+
+          @_request_audit = Contrast::Config::RequestAuditConfiguration.new
         end
 
-        def username
-          @_username ||= ::Contrast::CONFIG.root.api.user_name
+        # @return [Contrast::Config::CertificationConfiguration]
+        def certificate
+          return @_certificate unless @_certificate.nil?
+
+          @_certificate = Contrast::Config::CertificationConfiguration.new
         end
 
-        def proxy_enabled?
-          return @_proxy_enabled unless @_proxy_enabled.nil?
+        def api_url
+          @_api_url ||= begin
+            tmp = Contrast::CONFIG.root.api.url
+            tmp += '/Contrast' unless tmp.end_with?('/Contrast')
+            tmp
+          end
+        end
 
-          @_proxy_enabled = true?(::Contrast::CONFIG.root.api.proxy.enable)
+        def proxy_enable
+          return @_proxy_enable unless @_proxy_enable.nil?
+
+          @_proxy_enable = true?(::Contrast::CONFIG.root.api.proxy.enable)
         end
 
         def proxy_url
-          @_proxy_url ||= ::Contrast::CONFIG.root.api.proxy.url
+          proxy.url
         end
 
-        def request_audit_enable?
+        def request_audit_enable
           return @_request_audit_enable unless @_request_audit_enable.nil?
 
           @_request_audit_enable = true?(::Contrast::CONFIG.root.api.request_audit.enable)
         end
 
-        def request_audit_requests?
+        def request_audit_requests
           return @_request_audit_requests unless @_request_audit_requests.nil?
 
           @_request_audit_requests = true?(::Contrast::CONFIG.root.api.request_audit.requests)
         end
 
-        def request_audit_responses?
+        def request_audit_responses
           return @_request_audit_responses unless @_request_audit_responses.nil?
 
           @_request_audit_responses = true?(::Contrast::CONFIG.root.api.request_audit.responses)
@@ -65,10 +104,8 @@ module Contrast
           @_request_audit_path ||= ::Contrast::CONFIG.root.api.request_audit.path.to_s
         end
 
-        def certification_enabled?
-          return @_certification_enabled unless @_certification_enabled.nil?
-
-          @_certification_enabled = certification_truly_enabled?(::Contrast::CONFIG.root.api.certificate)
+        def certification_enable
+          @_certification_enable ||= certification_truly_enabled?(::Contrast::CONFIG.root.api.certificate)
         end
 
         def certification_ca_file

data/lib/contrast/components/assess.rb

@@ -118,6 +118,22 @@ module Contrast
           ::Contrast::SETTINGS.assess_state.session_id
         end
 
+        def max_source_events
+          ::Contrast::CONFIG.root.assess.max_context_source_events
+        end
+
+        def max_propagation_events
+          ::Contrast::CONFIG.root.assess.max_propagation_events
+        end
+
+        def time_limit_threshold
+          ::Contrast::CONFIG.root.assess.time_limit_threshold
+        end
+
+        def max_rule_reported
+          ::Contrast::CONFIG.root.assess.max_rule_reported
+        end
+
         private
 
         def forcibly_enabled?

data/lib/contrast/components/contrast_service.rb

@@ -29,7 +29,7 @@ module Contrast
 
           # Requirement says "must be true" but that
           # should be "must not be false" -- oops.
-          @_use_bundled_service ||= !false?(::Contrast::CONFIG.root.agent.start_bundled_service) &&
+          @_use_bundled_service ||= !false?(::Contrast::CONFIG.root.agent.start_bundled_service?) &&
               # Either a valid host or a valid socket
               # Path validity is the service's problem
               (LOCALHOST.match?(host) || !!socket_path)

data/lib/contrast/components/heap_dump.rb

@@ -2,11 +2,61 @@
 # frozen_string_literal: true
 
 require 'contrast/components/base'
-require 'contrast/components/heap_dump'
+require 'contrast/config/base_configuration'
 
 module Contrast
   module Components
     module HeapDump
+      # Interface used to build the HeapDump settings and component.
+      class Interface
+        include Contrast::Config::BaseConfiguration
+
+        DEFAULT_PATH = 'contrast_heap_dumps' # saved
+        DEFAULT_MS = 10_000
+        DEFAULT_COUNT = 5
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @_enable = hsh[:enable]
+          @_path = hsh[:path]
+          @_delay_ms = hsh[:delay_ms]
+          @_window_ms = hsh[:window_ms]
+          @_count = hsh[:count]
+          @_clean = hsh[:clean]
+        end
+
+        # @return [Boolean, String] should dumps be taken
+        def enable
+          @_enable.nil? ? Contrast::Utils::ObjectShare::FALSE : @_enable
+        end
+
+        # @return [String, DEFAULT_PATH] dir to which dumps should be
+        def path
+          @_path ||= DEFAULT_PATH
+        end
+
+        # @return [Integer, DEFAULT_MS] time, in ms, after initialization
+        def delay_ms
+          @_delay_ms ||= DEFAULT_MS
+        end
+
+        # @return [Integer, DEFAULT_MS] ms between each dump
+        def window_ms
+          @_window_ms ||= DEFAULT_MS
+        end
+
+        # @return [Integer, DEFAULT_COUNT] number of dumps to take
+        def count
+          @_count ||= DEFAULT_COUNT
+        end
+
+        # @return [Boolean, String] remove temporary objects or not
+        def clean
+          @_clean.nil? ? Contrast::Utils::ObjectShare::FALSE : @_clean
+        end
+      end
+
       # A wrapper build around the Common Agent Configuration project to allow
       # for access of the values contained in its
       # parent_configuration_spec.yaml.

data/lib/contrast/components/inventory.rb

@@ -1,29 +1,35 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/base'
+
 module Contrast
   module Components
     module Inventory
-      # A wrapper build around the Common Agent Configuration project to allow
-      # for access of the values contained in its
-      # parent_configuration_spec.yaml.
-      # Specifically, this allows for querying the state of the Inventory
-      # product.
+      # Interface component for Inventory settings used to store the values from
+      # settings file and assert state with check methods.
       class Interface
         include Contrast::Components::ComponentBase
 
-        def enabled?
-          @_enabled = !false?(::Contrast::CONFIG.root.inventory.enable) if @_enabled.nil?
-          @_enabled
+        # @return [Array, nil] tags
+        attr_accessor :tags
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @enable = !false?(hsh[:enable])
+          @analyze_libraries = !false?(hsh[:analyze_libraries])
+          @tags = hsh[:tags]
         end
 
-        def analyze_libraries?
-          @_analyze_libraries = !false?(::Contrast::CONFIG.root.inventory.analyze_libraries) if @_analyze_libraries.nil?
-          @_analyze_libraries
+        # return [Boolean]
+        def enable
+          @enable.nil? ? true : @enable
         end
 
-        def tags
-          ::Contrast::CONFIG.root.inventory&.tags
+        # return [Boolean]
+        def analyze_libraries
+          @analyze_libraries.nil? ? true : @analyze_libraries
         end
       end
     end

data/lib/contrast/components/logger.rb

@@ -28,8 +28,26 @@ module Contrast
         end
       end
 
+      # So This class here follows the update for the configuration
+      # and from know on ( if it's as we planned it to be) it will hold the
+      # instance methods and will initialize new instances for where they're needed
       class Interface
         include InstanceMethods
+
+        # @return [String, nil]
+        attr_accessor :path
+        # @return [String, nil]
+        attr_accessor :level
+        # @return [String, nil]
+        attr_accessor :progname
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @path = hsh[:path]
+          @level = hsh[:level]
+          @progname = hsh[:progname]
+        end
       end
     end
   end

data/lib/contrast/components/protect.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/components/base'
+require 'contrast/config/exception_configuration'
+require 'contrast/config/protect_rule_configuration'
 
 module Contrast
   module Components
@@ -10,6 +12,39 @@ module Contrast
       # its parent_configuration_spec.yaml.  Specifically, this allows for querying the state of the Protect product.
       class Interface
         include Contrast::Components::ComponentBase
+        include Contrast::Config::BaseConfiguration
+
+        # @return [Boolean, nil]
+        attr_accessor :enable
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @_exceptions = Contrast::Config::ExceptionConfiguration.new(hsh[:exceptions])
+          @_rules = Contrast::Config::ProtectRulesConfiguration.new(hsh[:rules])
+          @enable = hsh[:enable]
+        end
+
+        # @return [Contrast::Config::ExceptionConfiguration]
+        def exceptions
+          @_exceptions ||= Contrast::Config::ExceptionConfiguration.new
+        end
+
+        # Name is kept the same - rules to correspond to config,
+        # mapping. - root.protect.rules
+        #
+        # @return [Contrast::Config::ProtectRulesConfiguration]
+        def rules
+          @_rules ||= Contrast::Config::ProtectRulesConfiguration.new
+        end
+
+        def rules= new_rules
+          @_rules = new_rules
+        end
+
+        def exceptions= new_exceptions
+          @_exceptions = new_exceptions
+        end
 
         def enabled?
           # config overrides if forcibly set
@@ -23,7 +58,12 @@ module Contrast
           ::Contrast::CONFIG.root.protect.rules
         end
 
-        def rules
+        # Returns Protect array of all initialized
+        # protect rules.
+        #
+        # @return defend_rules[Hash<Contrast::SETTINGS.protect_state.rules>]
+        #
+        def defend_rules
           ::Contrast::SETTINGS.protect_state.rules
         end
 

data/lib/contrast/components/sampling.rb

@@ -91,6 +91,35 @@ module Contrast
         include Constants
         include ClassMethods
       end
+
+      class Interface # :nodoc:
+        include InstanceMethods
+        include Contrast::Config::BaseConfiguration
+
+        # @return [Integer, nil]
+        attr_reader :baseline
+        # @return [Integer, nil]
+        attr_reader :request_frequency
+        # @return [Integer, nil]
+        attr_reader :response_frequency
+        # @return [Integer, nil]
+        attr_reader :window_ms
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @enable = hsh[:enable]
+          @baseline = hsh[:baseline]
+          @request_frequency = hsh[:request_frequency]
+          @response_frequency = hsh[:response_frequency]
+          @window_ms = hsh[:window_ms]
+        end
+
+        # @return [Boolean, false]
+        def enable
+          !!@enable
+        end
+      end
     end
   end
 end

data/lib/contrast/config/assess_configuration.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/sampling'
+
 module Contrast
   module Config
     # Common Configuration settings. Those in this section pertain to the
@@ -15,6 +17,10 @@ module Contrast
       attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces
 
       DEFAULT_STACKTRACES = 'ALL'
+      DEFAULT_MAX_SOURCE_EVENTS = 50_000
+      DEFAULT_MAX_PROPAGATION_EVENTS = 50_000
+      DEFAULT_MAX_RULE_REPORTED = 50_000
+      DEFAULT_MAX_RULE_TIME_THRESHOLD = 300_000
 
       def initialize hsh = {}
         return unless hsh
@@ -24,9 +30,13 @@ module Contrast
         @enable_scan_response = hsh[:enable_scan_response]
         @enable_dynamic_sources = hsh[:enable_dynamic_sources]
         @enable_original_object = hsh[:enable_original_object]
-        @sampling = Contrast::Config::SamplingConfiguration.new(hsh[:sampling])
+        @sampling = Contrast::Components::Sampling::Interface.new(hsh[:sampling])
         @rules = Contrast::Config::AssessRulesConfiguration.new(hsh[:rules])
         @stacktraces = hsh[:stacktraces]
+        @max_context_source_events = hsh[:max_context_source_events]
+        @max_propagation_events = hsh[:max_propagation_events]
+        @max_rule_reported = hsh[:max_rule_reported]
+        @time_limit_threshold = hsh[:time_limit_threshold]
       end
 
       # @return [Boolean, true]
@@ -44,9 +54,9 @@ module Contrast
         @enable_original_object.nil? ? true : @enable_original_object
       end
 
-      # @return [Contrast::Config::SamplingConfiguration]
+      # @return [Contrast::Components::Sampling::Interface]
       def sampling
-        @sampling ||= Contrast::Config::SamplingConfiguration.new
+        @sampling ||= Contrast::Components::Sampling::Interface.new
       end
 
       # @return [Contrast::Config::AssessRulesConfiguration]
@@ -58,6 +68,26 @@ module Contrast
       def stacktraces
         @stacktraces ||= DEFAULT_STACKTRACES
       end
+
+      # @return [int] max number of context source events in single request
+      def max_context_source_events
+        @max_context_source_events ||= DEFAULT_MAX_SOURCE_EVENTS
+      end
+
+      # @return [int] max number of propagation events in single request
+      def max_propagation_events
+        @max_propagation_events ||= DEFAULT_MAX_PROPAGATION_EVENTS
+      end
+
+      # @return [int] max number of rules reported within time_limit_threshold
+      def max_rule_reported
+        @max_rule_reported ||= DEFAULT_MAX_RULE_REPORTED
+      end
+
+      # @return [int] max ms threshold for reporting rules
+      def time_limit_threshold
+        @time_limit_threshold ||= DEFAULT_MAX_RULE_TIME_THRESHOLD
+      end
     end
   end
 end

data/lib/contrast/config/base_configuration.rb

@@ -10,12 +10,18 @@ module Contrast
     # Configuration settings to usable Ruby classes.
     module BaseConfiguration
       extend Forwardable
+      AT_UNDERSCORE = '@_'
 
       def to_hash
         hsh = {}
         instance_variables.each do |iv|
-          # strip the '@' to get the key
-          key = iv.to_s[1..]
+          # strip the '@' of '@_' to get the key
+          string_iv = iv.to_s
+          key = if string_iv.include?(AT_UNDERSCORE)
+                  string_iv[2..]
+                else
+                  string_iv[1..]
+                end
           hsh[key] = send(key.to_sym)
         end
         hsh