contrast-agent 6.6.2 → 6.6.5

data/lib/contrast/agent/reporting/masker/masker.rb

@@ -30,21 +30,18 @@ module Contrast
 
           # Mask sensitive data according to the contrast sensitive data rules.
           #
-          # @param [Contrast::Api::Dtm::Activity]
+          # @param [Contrast::Agent::Reporting::ApplicationActivity]
           def mask activity
-            return unless Contrast::Agent::Reporter.enabled?
             return unless activity
 
-            logger.debug('Searching for sensitive data',
-                         activity: activity.__id__,
-                         request: activity.http_request&.uuid)
+            logger.debug('Masker: masking sensitive data', activity: activity.__id__, request: activity.request&.__id__)
             mask_body(activity)
             mask_query_string(activity)
             mask_request_params(activity)
             mask_request_cookies(activity)
             mask_request_headers(activity)
           rescue StandardError => _e
-            logger.debug('Could not mask activity!', activity: activity.__id__, request: activity.http_request&.uuid)
+            logger.debug('Could not mask activity!', activity: activity.__id__, request: activity.request&.__id__)
           end
 
           private
@@ -64,68 +61,67 @@ module Contrast
 
           # Mask request body:
           #
-          # @param activity [Contrast::Api::Dtm::Activity]
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
           # @return masked_body [String, nil]
           def mask_body activity
             return unless mask_body?
 
-            body = activity.http_request.request_body
+            body = activity.request.body
             return if body.nil? || body.empty?
 
-            activity.http_request.request_body = BODY_MASK
-            activity.http_request.request_body_binary = BODY_BINARY_MASK
+            activity.request.body = BODY_MASK
+            activity.request.body_binary = BODY_BINARY_MASK
           end
 
           # Mask request params.
           #
-          # @param activity [Contrast::Api::Dtm::Activity]
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
           # @return masked_body [String, nil]
           def mask_request_params activity
-            params = activity.http_request.normalized_request_params
+            params = activity.request.parameters
             return unless params
 
-            mask_with_dictionary(activity.results, params)
+            mask_with_dictionary(activity.attack_results, params)
           end
 
           def mask_request_headers activity
-            if activity.http_request.parsed_request_headers
-              # Used normalized request_headers
-              mask_with_dictionary(activity.results, activity.http_request.normalized_request_headers)
-            else
-              headers = activity.http_request.request_headers
-              mask_field_hash(headers, activity.results)
-            end
+            headers = activity.request.headers
+            return if headers&.empty?
+
+            # Used normalized request_headers
+            mask = mask_with_dictionary(activity.attack_results, headers)
+            activity.request.headers = mask if mask
           end
 
           # Mask Cookies.
           #
-          # @param activity [Contrast::Api::Dtm::Activity] Activity to mask
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity] Activity to mask
           # @return masked_values [Hash, nil]
           def mask_request_cookies activity
-            cookies = activity.http_request.normalized_cookies
-            return unless cookies
+            cookies = activity.request.cookies
+            return if cookies&.empty?
 
-            mask_with_dictionary(activity.results, cookies)
+            mask_with_dictionary(activity.attack_results, cookies)
           end
 
           # Mask request query string:
           # exp: password => sensitive to password => contrast-redacted-password
           #
-          # @param activity [Contrast::Api::Dtm::Activity]
+          # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
           # @return masked_query [String]
           def mask_query_string activity
-            qs = activity.http_request.query_string
+            qs = activity.request.query_string
             return if qs.nil? || qs.empty?
 
-            mask_field_hash(qs, activity.results) unless qs.cs__is_a?(String)
-            mask_raw_query(qs, activity.results)
+            mask = mask_raw_query(qs, activity.attack_results)
+            activity.request.query_string = mask if mask
           end
 
           # Mask if the value in the passed hash are matched against dictionary
           # keyword. If the mask_attack_vector flag is set, this will also mask
           # any attack.
           #
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
           # @param hash [Hash] Normalized hash representing the key/val pair from
           # the activity's http request parameters.
@@ -134,81 +130,98 @@ module Contrast
             return if hash.nil? || hash.empty?
 
             hash.each do |key, val|
-              match = dictionary_matcher(key)
-              next unless match
-
-              # The normalized values are paired.
-              # key => Contrast::Api::Dtm::Pair (key, val<Values>).
-              # try one level down
-              if val.cs__respond_to?(:values)
-                mask_values(key, val, results)
+              next unless dictionary_match(key)
+
+              if val.cs__is_a?(Array)
+                mask_values(key, val, hash, results)
               else
                 # Just assign keys.
                 mask_hash(key, val, hash, results)
               end
             end
-            hash
           end
 
-          # Mask the values of DTM pair with attack vector condition check.
-          # if the attack vector flag is set then mask the attack value.
+          # Mask the values of key value pair with array of string as input.
+          # If the mask_attack_vector? flag is set then the attack vector won't be
+          # masked.
           #
-          # @param key [String] current iterable key from Protobuf::Field::FieldHash
-          # pointing to Contrast::Api::Dtm::Pair<key, val>(holding the value to mask)
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param key [String]
+          # @param hash [Hash] Normalized hash representing the key/val pair.
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
-          # @param val [Contrast::Api::Dtm::Pair<Value>]
-          def mask_values key, val, results
-            val.values.each.with_index do |v, idx|
+          # @param val [String, Array<String>]
+          def mask_values key, val, hash, results
+            val.each.with_index do |v, idx|
               # Mask the attack vector only if the flag is set.
-              val.values[idx] = MASK + key.downcase if attack_vector?(results, v) && mask_attack_vector?
+              hash[key][idx] = MASK + key.downcase if attack_vector?(results, v) && mask_attack_vector?
               # It is not attack vector and we mask it as normal.
-              val.values[idx] = MASK + key.downcase unless attack_vector?(results, v)
+              hash[key][idx] = MASK + key.downcase unless attack_vector?(results, v)
             end
-            val
+            hash
           end
 
-          # Handles the masking of Field hash with string values.
-          # this case is used when called from #mask_field_hash
-          # and #mask_raw_query helper methods. Since they dont
-          # return values containing sub-values  (key, val<Values>).
+          # Handles the masking of hash
           #
           # @param key [String] current iterable key from Protobuf::Field::FieldHash
           # @param val [String] normalized value to be matched against the results
           # and masked.
           # @param hash [Hash] Normalized hash representing the key/val pair.
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
+          # @return [Hash]
           def mask_hash key, val, hash, results
+            # Mask the attack vector only if the flag is set.
             hash[key] = MASK + key.downcase if attack_vector?(results, val) && mask_attack_vector?
+            # It is not attack vector we mask it.
             hash[key] = MASK + key.downcase unless attack_vector?(results, val)
+            hash
           end
 
           # Match to see if values matches input from AttackResults array.
           # If match is found and the attack result's response is any of
           # [BAP(Block At Perimeter), BLOCKED, PROBED] the return is true.
           #
-          # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+          # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivity>]
           # results to match against.
           # @param value [String] Input to match.
-          # @return true | false
+          # @return [Boolean]
           def attack_vector? results, value
             return false unless value && results
 
-            results.each do |result|
-              # Check samples Contrast::Api::Dtm::RaspRuleSample
-              # is the value in sample and the response is valid?
-              result.samples.any? do |sample|
-                # Check user input Contrast::Api::Dtm::UserInput.
-                match = sample.user_input.value == value.to_s &&
-                    result.response&.name != Contrast::Agent::Reporting::ResponseType::NO_ACTION
+            results.each do |attacker|
+              attacker.each do |activity|
+                blocked = iterate_attack_samples(activity.blocked, value)
+                return blocked if blocked
+
+                exploited = iterate_attack_samples(activity.exploited, value)
+                return exploited if exploited
 
-                return match if match
+                ineffective = iterate_attack_samples(activity.ineffective, value)
+                return ineffective if ineffective
+
+                suspicious = iterate_attack_samples(activity.suspicious, value)
+                return suspicious if suspicious
               end
             end
             false
           end
 
+          # Go through activity samples and search for a matching input.
+          #
+          # @param activity [Contrast::Agent::Reporting::ApplicationDefendAttackActivity]
+          # @param value [String] Input to match.
+          # @return [Boolean]
+          def iterate_attack_samples activity, value
+            return false unless activity
+
+            activity.samples.any? do |sample|
+              match = sample.user_input.value == value.to_s
+
+              return true if match
+            end
+            false
+          end
+
           # Consult with our current settings state.
           #
           # @return true | false
@@ -227,7 +240,7 @@ module Contrast
           #
           # @param value [String] Value to check.
           # @return match [String, nil] from the Dictionary, or nil.
-          def dictionary_matcher value
+          def dictionary_match value
             return unless @_dictionary
 
             @_dictionary.each do |rule|

data/lib/contrast/agent/reporting/masker/masker_utils.rb

@@ -9,35 +9,6 @@ module Contrast
       # helper methods used for masking
       module MaskerUtils
         include Contrast::Utils::ObjectShare
-        # Helper to deal with Protobuf FieldHash.
-        #
-        # @param field_hash [Protobuf::Field::FieldHash] hash to be masked
-        # @param results [Array<Contrast::Api::Dtm::AttackResults>]
-        # results to match against.
-        # @return [Hash]
-        def mask_field_hash field_hash, results
-          return {} unless field_hash&.any?
-
-          hash = {}
-          # Because this is the start of a built string, we have to be sure that it is not frozen.
-          masked = +''
-          field_hash.each do |entry|
-            # Protobuf::Field::FieldHash produces array, with the key as first param and value as second.
-            new_value = entry[1].delete(SEMICOLON).split(SPACE)
-            new_value.each do |value|
-              arr = value.split(EQUALS)
-              # Add to new hash.
-              hash[arr[0]] = arr[1]
-            end
-            # Mask the newly created hash.
-            mask_with_dictionary(results, hash)
-
-            # Restore to original form.
-            hash.each { |k, v| masked += "#{ k }=#{ v }; " }
-            masked.rstrip!
-            field_hash[entry[0]] = masked
-          end
-        end
 
         # Mask raw query as it comes from the env.
         # exp:
@@ -45,7 +16,7 @@ module Contrast
         # 'ssn=contrast-redacted-ssn&id=contrast-redacted-id'
         #
         # @param query [String]
-        # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+        # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivitys>]
         # results to match against.
         def mask_raw_query query, results
           masked = EMPTY_STRING

data/lib/contrast/agent/reporting/reporting_events/application_activity.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/application_reporting_event'
 require 'contrast/agent/reporting/reporting_events/application_defend_activity'
 require 'contrast/agent/reporting/reporting_events/application_inventory_activity'
+require 'contrast/agent/reporting/attack_result/response_type'
 
 module Contrast
   module Agent
@@ -12,38 +13,106 @@ module Contrast
       # This is the new ApplicationActivity class which will include all the needed information for the new reporting
       # system to report
       class ApplicationActivity < Contrast::Agent::Reporting::ApplicationReportingEvent
-        class << self
-          # @param app_activity_dtm [Contrast::Api::Dtm::Activity]
-          # @return [Contrast::Agent::Reporting::ApplicationActivity]
-          def convert app_activity_dtm
-            app_activity = new
-            app_activity.attach_data(app_activity_dtm)
-            app_activity
-          end
-        end
+        include Contrast::Agent::Reporting::ResponseType
+
+        # @return [Integer]
+        attr_accessor :query_count
+        # @return [Array]
+        attr_accessor :routes
+        # @return [Array]
+        attr_accessor :dynamic_sources
+        # @return [Contrast::Agent::Response]
+        attr_accessor :response
 
         def initialize
+          @routes = []
+          @dynamic_sources = {}
+          @query_count = 0
           @event_method = :PUT
           @event_type = :application_activity
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_activity
           super
         end
 
+        # @return [Contrast::Agent::Reporting::FindingRequest] Current context's request
+        def request
+          @_request ||= FindingRequest.convert(Contrast::Agent::REQUEST_TRACKER.current&.request)
+        end
+
+        # @return [Contrast::Agent::Reporting::ApplicationDefendActivity] main
+        # activity for all protect rules.
+        def defend
+          @_defend ||= Contrast::Agent::Reporting::ApplicationDefendActivity.new
+        end
+
+        # @return [Contrast::Agent::Reporting::ApplicationInventoryActivity] main
+        # activity for all inventory activity reporting.
+        def inventory
+          @_inventory ||= Contrast::Agent::Reporting::ApplicationInventoryActivity.new
+        end
+
+        # @return file_name [String] used for audit
         def file_name
           'activity-application'
         end
 
         def to_controlled_hash
           hsh = { lastUpdate: since_last_update }
-          hsh[:defend] = @defend&.to_controlled_hash if @defend
-          hsh[:inventory] = @inventory&.to_controlled_hash if @inventory
+          hsh[:defend] = @_defend&.to_controlled_hash if @_defend
+          hsh[:inventory] = @_inventory&.to_controlled_hash if @_inventory
           hsh
         end
 
-        # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
-        def attach_data activity_dtm
-          @defend = Contrast::Agent::Reporting::ApplicationDefendActivity.convert(activity_dtm)
-          @inventory = Contrast::Agent::Reporting::ApplicationInventoryActivity.convert(activity_dtm)
+        # Look for attack results and access to samples by
+        # searching with rule_id and response_type
+        #
+        # @param rule_id [String] name of the protect rule
+        # @param response_type[Symbol<Contrast::Agent::Reporting::ResponseType]
+        #  filter by response type
+        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity>, nil]
+        # return any matches.
+        def attack_results_for rule_id, response_type = nil
+          results = []
+          defend.attackers.each do |attacker|
+            results << case response_type
+                       when BLOCKED, BLOCK_AT_PERIMETER
+                         attacker.protection_rules[rule_id].blocked
+                       when EXPLOITED
+                         attacker.protection_rules[rule_id].exploited
+                       when PROBED
+                         attacker.protection_rules[rule_id].ineffective
+                       when SUSPICIOUS
+                         attacker.protection_rules[rule_id].suspicious
+                       else
+                         attacker.protection_rules[rule_id]
+                       end
+          end
+          results
+        end
+
+        # By reference. List of all results only by values, no rule_ids.
+        #
+        # @return [Array<[Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]>]
+        def attack_results
+          results = []
+          defend.attackers.each { |a| results << a.protection_rules.values }
+          results
+        end
+
+        # This is primary used for attaching new data and merging existing
+        # samples per rule entry in attackers, and to make sure the attack
+        # time_map is updated correctly.
+        #
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        def attach_defend attack_result
+          defend.attach_data(attack_result)
+        end
+
+        # This is primary used for attaching new inventory reporting
+        #
+        # @param architecture [Contrast::Agent::Reporting::AttackResult]
+        def attach_inventory architecture
+          inventory.attach_data(architecture)
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -13,20 +13,9 @@ module Contrast
         # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackerActivity>]
         attr_reader :attackers
 
-        class << self
-          # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
-          # @return [Contrast::Agent::Reporting::ApplicationDefendActivity]
-          def convert activity_dtm
-            activity = new
-            activity.attach_data(activity_dtm.results)
-            activity
-          end
-        end
-
         def initialize
           @attackers = []
           @event_type = :application_defend_activity
-          super
         end
 
         def to_controlled_hash
@@ -35,20 +24,19 @@ module Contrast
           }
         end
 
-        # @param attack_dtms [Array<Contrast::Api::Dtm::AttackResult>]
-        def attach_data attack_dtms
-          attack_dtms.each do |attack_result|
-            attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.convert(attack_result)
-            existing_attacker_activity = attackers.find do |existing|
-              existing.source_forwarded_for == attacker_activity.source_forwarded_for &&
-                  existing.source_ip == attacker_activity.source_ip
-            end
-            rule = attack_result.rule_id
-            if existing_attacker_activity
-              attach_existing(existing_attacker_activity, attacker_activity, rule)
-            else
-              attackers << attacker_activity
-            end
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        def attach_data attack_result
+          attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.new
+          attacker_activity.attach_data(attack_result)
+          existing_attacker_activity = attackers.find do |existing|
+            existing.source_forwarded_for == attacker_activity.source_forwarded_for &&
+                existing.source_ip == attacker_activity.source_ip
+          end
+          rule = attack_result.rule_id
+          if existing_attacker_activity
+            attach_existing(existing_attacker_activity, attacker_activity, rule)
+          else
+            attackers << attacker_activity
           end
         end
 

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb

@@ -19,44 +19,39 @@ module Contrast
         attr_accessor :ineffective
         # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
         attr_accessor :suspicious
-
-        class << self
-          # @param attack_result [Contrast::Api::Dtm::AttackResult]
-          def convert attack_result
-            activity = new
-            activity.attach_data(attack_result)
-            activity
-          end
-        end
+        # Helper method to determine before hand the response type and iv needed for access
+        #
+        # @return [Contrast::Agent::Reporting::ResponseType]
+        attr_reader :response_type
 
         def initialize
           @start_time = start_time
-          super
         end
 
         def to_controlled_hash
           {
               startTime: @start_time,
-              blocked: blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              exploited: exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              ineffective: ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              suspicious: suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+              blocked: @blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              exploited: @exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              ineffective: @ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              suspicious: @suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
           }
         end
 
-        # @param attack_result [Contrast::Api::Dtm::AttackResult]
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         # @return [Contrast::Agent::Reporting::Defend::AttackSampleActivity]
         def attach_data attack_result
-          attack_sample_activity =
-            Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.convert(attack_result)
-          case attack_result.response
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+          attack_sample_activity = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
+          attack_sample_activity.attach_data(attack_result)
+          @response_type = attack_result.response
+          case response_type
+          when ::Contrast::Agent::Reporting::ResponseType::BLOCKED
             @blocked = attack_sample_activity
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::MONITORED
+          when ::Contrast::Agent::Reporting::ResponseType::MONITORED
             @exploited = attack_sample_activity
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+          when ::Contrast::Agent::Reporting::ResponseType::PROBED
             @ineffective = attack_sample_activity
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
+          when ::Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
             @suspicious = attack_sample_activity
           end
         end