contrast-agent 6.6.3 → 6.7.0

data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb

@@ -28,25 +28,12 @@ module Contrast
 
         AGENT_CLASS_MARKER = '/lib/contrast/'
 
-        class << self
-          # @param stack [String]
-          # @return [Contrast::Agent::Reporting::FindingEventStack,nil]
-          def convert stack
-            return unless stack
-            return if stack.include?(AGENT_CLASS_MARKER)
-
-            report = new
-            report.attach_data(stack)
-            report
-          end
-        end
-
-        # Parse the data from a Contrast::Agent::Assess::Tag to attach what is required for reporting to TeamServer to
-        # this Contrast::Agent::Reporting::FindingEventTaintRange
+        # To play nice with the way that TeamServer is rendering these values, we only populate the file_name field with
+        # exactly what we want them to display.
         #
-        # @param stack [String]
-        def attach_data stack
-          @file = stack
+        # @param file_name [String] the caller location this stack frame represents.
+        def initialize file_name
+          @file = file_name
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for

data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/tag'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
 require 'contrast/components/logger'
 
 module Contrast

data/lib/contrast/{api/decorators/trace_taint_range_tags.rb → agent/reporting/reporting_events/finding_event_taint_range_tags.rb}

@@ -2,13 +2,13 @@
 # frozen_string_literal: true
 
 module Contrast
-  module Api
-    module Decorators
-      # A holder for the valid tags that can be sent to the Service, and
-      # ultimately TS, that we have to honor. Placed here so as not to clutter
-      # other code.
-      module TraceTaintRangeTags
+  module Agent
+    module Reporting
+      # A holder for the valid tags that can be sent to TeamServer that we have to honor. Placed here so as not to
+      # clutter other code.
+      module FindingEventTaintRangeTags
         # EventTagTypeDTM
+        # @return [Array<Symbol>]
         VALID_TAGS = %w[
           XML_ENCODED
           XML_DECODED
@@ -97,6 +97,7 @@ module Contrast
           DATABASE_WRITE
         ].cs__freeze
 
+        # @return [Array<Symbol>]
         VALID_SOURCE_TAGS = %w[NO_NEWLINES UNTRUSTED CROSS_SITE LIMITED_CHARS].cs__freeze
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -13,10 +13,12 @@ module Contrast
       class FindingRequest
         include Contrast::Components::Logger::InstanceMethods
 
+        OMITTED_BODY = '{{body-omitted-by-contrast}}'
+
         # @return [String] the body of this request
-        attr_reader :body
+        attr_accessor :body
         # @return [Hash<String,Array<String>>] the headers of this request
-        attr_reader :headers
+        attr_accessor :headers
         # @return [String] the HTTP verb of this request
         attr_reader :method
         # @return [Hash<String,Array<String>>] the parameters of this request
@@ -26,16 +28,27 @@ module Contrast
         # @return [String] the HTTP(S) protocol of this request
         attr_reader :protocol
         # @return [String] the query string of this request
-        attr_reader :query_string
+        attr_accessor :query_string
         # @return [String] the url, including path and script, of this request
         attr_reader :uri
         # @return [String] the HTTP version of this request
         attr_reader :version
+        # @return [Integer]
+        attr_reader :ip
+        # @return [String] Byte representation of the body
+        attr_accessor :body_binary
+        # @return [Hash]
+        attr_reader :cookies
+        # REMOVE_DTM_REQUEST
+        # @return [Contrast::Api::Dtm::HttpRequest]
+        attr_reader :dtm
 
         class << self
           # @param request [Contrast::Agent::Request]
           # @return [Contrast::Agent::Reporting::FindingRequest]
           def convert request
+            return unless request
+
             report = new
             report.attach_data(request)
             report
@@ -47,15 +60,11 @@ module Contrast
         #
         # @param request [Contrast::Agent::Request]
         def attach_data request
+          # REMOVE_DTM_REQUEST
+          @dtm = request.dtm
           @body = request.body
           @headers = {}
-          request.headers.each_pair do |key, value|
-            # We need to change from the uppercase _ format to capitalized - format.
-            header = key.split('_')
-            header.each(&:capitalize!)
-            header = header.join('-')
-            headers[header] = value.split
-          end
+          extract_headers(request)
           @method = request.request_method
           @parameters = {}
           request.parameters.each_pair { |key, value| @parameters[key] = Array(value) }
@@ -64,6 +73,14 @@ module Contrast
           @query_string = request.query_string
           @uri = request.normalized_uri
           @version = request.version
+          @ip = request.ip || ''
+          @body_binary = if omit_body?(request)
+                           OMITTED_BODY
+                         else
+                           Contrast::Utils::StringUtils.force_utf8(request.body)
+                         end
+          @cookies = {}
+          @cookies = request.cookies unless request.cookies.empty?
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -92,12 +109,30 @@ module Contrast
           }
         end
 
+        def omit_body? request
+          return true if ::Contrast::AGENT.omit_body?
+          return false if request.document_type != :NORMAL
+
+          request.media_type&.include?('multipart/form-data')
+        end
+
         def validate
           unless method && !method.empty? # rubocop:disable Security/Object/Method
             raise(ArgumentError, "#{ self } did not have a proper method. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper uri. Unable to continue.") unless uri && !uri.empty?
         end
+
+        # @param request [Contrast::Agent::Request]
+        def extract_headers request
+          request.headers.each_pair do |key, value|
+            # We need to change from the uppercase _ format to capitalized - format.
+            header = key.split('_')
+            header.each(&:capitalize!)
+            header = header.join('-')
+            headers[header] = value.split
+          end
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb

@@ -11,7 +11,7 @@ module Contrast
         include Contrast::Components::Logger::InstanceMethods
 
         # @param [String] Sha256Sum of library as identified by the agent
-        attr_accessor :id
+        attr_reader :id
         # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
         attr_reader :names
 

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb

@@ -24,7 +24,7 @@ module Contrast
         attr_accessor :url
         # @param [String] the HTTP Verb used  to access the method in the route.
         attr_accessor :verb
-        # @param [Array<Contrast::Agent::Reporting::TraceEventSource>] the sources of user input accessed during this
+        # @param [Array<Contrast::Agent::Reporting::FindingEventSource>] the sources of user input accessed during this
         #   request. Used for remediation determinations in TeamServer.
         attr_reader :sources
 
@@ -56,7 +56,7 @@ module Contrast
 
           {
               session_id: ::Contrast::ASSESS.session_id,
-              sources: @sources.map(&:to_controlled_hash),
+              sources: @sources.map(&:to_controlled_observation_hash),
               signature: @signature,
               verb: @verb,
               url: @url

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -1,9 +1,10 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/reporting/reporting_events/reporting_event'
 require 'contrast/components/assess'
 require 'contrast/components/logger'
-require 'contrast/agent/reporting/reporting_events/reporting_event'
+require 'contrast/utils/string_utils'
 
 module Contrast
   module Agent
@@ -13,6 +14,8 @@ module Contrast
       # identifying information of a Finding/Trace, which TeamServer will use to determine if it requires the full
       # information of the Finding/Trace to be reported.
       class PreflightMessage
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the message identifier; rule_id,hash
         attr_accessor :data
         # @return [String] CRC checksum of the finding to which this message pertains
@@ -26,9 +29,6 @@ module Contrast
         CODE = :TRACE
 
         def initialize
-          @app_language = Contrast::Utils::ObjectShare::RUBY
-          @app_name = ::Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
-          @app_version = ::Contrast::APP_CONTEXT.version
           @routes = []
         end
 
@@ -47,24 +47,20 @@ module Contrast
 
           {
               code: CODE,
-              app_language: @app_language,
-              app_name: @app_name,
-              app_version: @app_version,
+              app_language: Contrast::Utils::ObjectShare::RUBY,
+              app_name: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
+              app_version: ::Contrast::APP_CONTEXT.version,
               data: '',
               key: 0,
-              routes: @routes,
+              routes: @routes.map(&:to_controlled_hash),
               session_id: ::Contrast::ASSESS.session_id
           }
         end
 
         # @raise [ArgumentError]
         def validate
-          raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.") unless data
-          unless @app_name
-            raise(ArgumentError, "#{ cs__class } did not have a proper application name. Unable to continue.")
-          end
-          unless @app_language
-            raise(ArgumentError, "#{ cs__class } did not have a proper application language. Unable to continue.")
+          unless Contrast::Utils::StringUtils.present?(data)
+            raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.")
           end
           unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb

@@ -49,6 +49,17 @@ module Contrast
 
         # @raise [ArgumentError]
         def validate; end
+
+        # Helper method to get json representation of event and handle errors
+        #
+        #  @return [String] - JSON
+        def event_json
+          hsh = to_controlled_hash
+          hsh.to_json
+        rescue Exception => e # rubocop:disable Lint/RescueException
+          logger.error('Unable to convert JSON string', e, hsh)
+          raise(e)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb

@@ -42,7 +42,9 @@ module Contrast
         # @param url [String] the literal url of the route actively being executed
         # @return [Contrast::Agent::Reporting::RouteCoverage]
         def attach_rack_based_data final_controller, method, route_pattern, url = nil
-          if route_pattern.cs__is_a?(Grape::Router::Route)
+          if Contrast::Utils::ClassUtil.truly_defined?('Grape::Router::Route') &&
+                route_pattern.cs__is_a?(Grape::Router::Route)
+
             safe_pattern = route_pattern.pattern&.path&.to_s
             safe_url = source_or_string(url || safe_pattern)
           else

data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb

@@ -14,34 +14,22 @@ module Contrast
       # externally accessible endpoints within the application, as registered to the application framework. They may or
       # may not have been invoked at the time of reporting.
       #
-      # @attr_reader observations [observations] the routes and verbs seen that match to this Route
-      # @attr_reader signature [String] the unique identifier for this route; typically the method signature. Required
-      #   for reporting.
       class RouteDiscovery
         include Contrast::Components::Logger::InstanceMethods
 
-        # required attributes
-        attr_reader :observations, :signature
+        # @return [Array<Contrast::Agent::Reporting::RouteDiscoveryObservation>] the routes and verbs seen that match
+        #   to this Route.
+        attr_reader :observations
+        # @return [String] the unique identifier for this route; typically the method signature. Required for
+        #   reporting.
+        attr_accessor :signature
 
-        class << self
-          # Convert a DTM for SpeedRacer to an Event for TeamServer.
-          #
-          # @param route_coverage_dtm [Contrast::Api::Dtm::RouteCoverage]
-          # @return [Contrast::Agent::Reporting::RouteDiscovery]
-          def convert route_coverage_dtm
-            report = new
-            report.attach_data(route_coverage_dtm)
-            report
-          end
-        end
-
-        # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly
-        #
-        # @param route_coverage_dtm [Contrast::Api::Dtm::RouteCoverage]
-        def attach_data route_coverage_dtm
-          @signature = route_coverage_dtm.route
+        # @param signature [String]
+        # @param observation [Contrast::Agent::Reporting::RouteDiscoveryObservation]
+        def initialize signature, observation
+          @signature = signature
           @observations = []
-          observations << Contrast::Agent::Reporting::RouteDiscoveryObservation.convert(route_coverage_dtm)
+          observations << observation
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for

data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb

@@ -12,36 +12,18 @@ module Contrast
       # reporting system to relay this information in the Application Update messages. These route observations are
       # used by TeamServer to construct the route coverage information for the assess feature. They represent the
       # literal URL and HTTP verb used to invoke a method in the application, as routed by the application framework.
-      #
-      # @attr_reader url [String] the URL requested to hit this endpoint. Required for reporting.
-      # @attr_reader verb [String] the HTTP Method requested to his this endpoint. Empty means all, so is allowed.
-      #   for reporting.
       class RouteDiscoveryObservation
         include Contrast::Components::Logger::InstanceMethods
 
-        # required attributes
-        attr_reader :url
-        # optional attributes
-        attr_reader :verb
+        # @return [String] the URL requested to hit this endpoint. Required for reporting; required attributes
+        attr_accessor :url
+        # @return [String] the HTTP Method requested to his this endpoint. Empty means all, so is allowed for
+        #   reporting; optional attributes
+        attr_accessor :verb
 
-        class << self
-          # Convert a DTM for SpeedRacer to an Event for TeamServer.
-          #
-          # @param route_coverage_dtm [Contrast::Api::Dtm::RouteCoverage]
-          # @return [Contrast::Agent::Reporting::RouteDiscoveryObservation]
-          def convert route_coverage_dtm
-            report = new
-            report.attach_data(route_coverage_dtm)
-            report
-          end
-        end
-
-        # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly
-        #
-        # @param route_coverage_dtm [Contrast::Api::Dtm::RouteCoverage]
-        def attach_data route_coverage_dtm
-          @url = route_coverage_dtm.url
-          @verb = route_coverage_dtm.verb if Contrast::Utils::StringUtils.present?(route_coverage_dtm.verb)
+        def initialize url, verb
+          @url = url
+          @verb = verb if Contrast::Utils::StringUtils.present?(verb)
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -29,7 +29,7 @@ module Contrast
           return unless ::Contrast::API.request_audit_requests || ::Contrast::API.request_audit_responses
 
           file_name = event.cs__respond_to?(:file_name) ? event.file_name : event.cs__class.cs__name.to_s.downcase
-          data = event.to_controlled_hash.to_json
+          data = event.event_json
           log_data(:request, file_name, data) if data
           return unless ::Contrast::API.request_audit_responses
 

data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb

@@ -14,17 +14,14 @@ module Contrast
       module BuildPreflight
         class << self
           # @param finding [Contrast::Agent::Reporting::Finding]
-          # @param request [Contrast::Agent::Request] current request
-          def build finding, request
+          # @return [Contrast::Agent::Reporting::Preflight, nil]
+          def generate finding
             return unless finding
 
-            # save the current finding
-            Contrast::Agent::Reporting::ReportingStorage[finding.hash_code] = finding
-
             new_preflight = Contrast::Agent::Reporting::Preflight.new
             new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-            if request&.route
-              new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
+            finding.routes.each do |route|
+              new_preflight_message.routes << route
             end
             new_preflight_message.hash_code = finding.hash_code
             new_preflight_message.data = "#{ finding.rule_id },#{ finding.hash_code }"

data/lib/contrast/agent/reporting/reporting_utilities/headers.rb

@@ -32,7 +32,7 @@ module Contrast
           @encoding = ENCODING
         end
 
-        def to_hash
+        def to_contrast_hash
           {
               app_name: @app_name,
               api_key: @api_key,

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -43,7 +43,6 @@ module Contrast
         # @param connection [Net::HTTP] open connection
         def startup! connection
           return if status.startup_messages_sent?
-          return unless Contrast::Agent::Reporter.enabled?
 
           send_agent_startup(connection)
         end
@@ -57,6 +56,8 @@ module Contrast
         def send_event event, connection
           return unless connection
 
+          logger.debug('Preparing to send reporting event', event_class: event.cs__class)
+
           request = build_request(event)
           response = connection.request(request)
           audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -69,7 +69,7 @@ module Contrast
         # Handles standard error case, logs and set status for failure
         #
         # @param event [Contrast::Agent::Reporting::ReportingEvent]
-        # One of the DTMs valid for the event field of Contrast::Api::Dtm::Message|Contrast::Api::Dtm::Activity
+        #   One of the DTMs valid for the event field of Contrast::Api::Dtm::Message
         # @param error_msg [StandardError]
         # @return nil [NilClass] to be passed as response
         def handle_error event, error_msg
@@ -105,7 +105,7 @@ module Contrast
           findings_to_return = response.body.split(',').delete_if { |el| el.include?('*') }
           findings_to_return.each do |index|
             preflight_message = event.messages[index.to_i]
-            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.hash_code)
+            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.data)
             next unless corresponding_finding
 
             send_event(corresponding_finding, connection)
@@ -130,7 +130,7 @@ module Contrast
                       end
             build_headers(request)
             event.attach_headers(request)
-            request.body = event.to_controlled_hash.to_json
+            request.body = event.event_json
             request
           end
         end

data/lib/contrast/agent/request.rb

@@ -33,10 +33,10 @@ module Contrast
 
       # @return [Rack::Request] The passed to the Agent RackRequest to be wrapped.
       attr_reader :rack_request
-      # @return [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
-      attr_accessor :route
       # @return [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of this request
       attr_accessor :observed_route
+      # @return [Contrast::Agent::Reporting::RouteDiscovery]
+      attr_accessor :discovered_route
 
       # Delegate calls to the following methods to the attribute @rack_request
       def_delegators :@rack_request, :base_url, :cookies, :env, :ip, :media_type, :path, :port, :query_string,
@@ -142,6 +142,8 @@ module Contrast
         @_body
       end
 
+      # REMOVE_DTM_REQUEST
+      #
       # Unlike most of our translation, which is called where needed for each
       # message and forgotten, we'll leave this method to call the build as we
       # don't want to pay to reconstruct the DTM for this Request multiple

data/lib/contrast/agent/request_context.rb

@@ -12,6 +12,7 @@ require 'contrast/utils/request_utils'
 require 'contrast/agent/request_context_extend'
 require 'contrast/agent/reporting/reporting_events/observed_route'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/reporting/reporting_events/application_activity'
 
 module Contrast
   module Agent
@@ -25,7 +26,7 @@ module Contrast
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
 
-      # @return [Contrast::Api::Dtm::Activity] the application activity found in this request
+      # @return [Contrast::Agent::Reporting:ApplicationActivity] the application activity found in this request
       attr_reader :activity
       # @return [Hash] context used to log the request
       attr_reader :logging_hash
@@ -36,10 +37,12 @@ module Contrast
       # @return [Contrast::Agent::Response] our wrapper around the Rack::Response or Array for this context,
       #   only available after the application has finished its processing
       attr_reader :response
-      # @return [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
-      attr_reader :route
+      # @return [Contrast::Agent::Reporting::RouteDiscovery] the route, used for findings, of this request
+      attr_reader :discovered_route
       # @return [Contrast::Api::Settings::InputAnalysis] the protect input analysis of sources on this request
       attr_reader :speedracer_input_analysis
+      # @return [Array<String>] the hash of findings already reported fro this request
+      attr_reader :reported_findings
       # @return [Contrast::Utils::Timer] when the context was created
       attr_reader :timer
 
@@ -53,9 +56,7 @@ module Contrast
 
           # instantiate helper for request and response
           @request = Contrast::Agent::Request.new(rack_request)
-
-          @activity = Contrast::Api::Dtm::Activity.new
-          @activity.http_request = request.dtm
+          @activity = Contrast::Agent::Reporting::ApplicationActivity.new
 
           # build analyzer
           @do_not_track = false
@@ -80,6 +81,8 @@ module Contrast
             @sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
 
+          @reported_findings = []
+
           handle_routes
         end
       end
@@ -125,7 +128,7 @@ module Contrast
       end
 
       def reset_activity
-        @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
+        @activity = Contrast::Agent::Reporting::ApplicationActivity.new
         @observed_route = Contrast::Agent::Reporting::ObservedRoute.new
       end
 
@@ -133,14 +136,8 @@ module Contrast
 
       def handle_routes
         @observed_route = Contrast::Agent::Reporting::ObservedRoute.new
-        # TODO: RUBY-1705 when we no longer need the DTM style, delete this method and use the get_route_information
-        #   instead.
-        route_dtm = Contrast::Agent.framework_manager.get_route_dtm(@request)
-        # new_route_coverage_dtm = Contrast::Agent.framework_manager.get_route_information(@request)
-        # TODO: RUBY-1705 -- delete append_route_coverage
-        append_route_coverage(route_dtm)
-        # TODO: RUBY-1705 -- change to take [Contrast::Agent::Reporting::ObservedRoute]
-        append_to_observed_route(route_dtm)
+        reporting_route = Contrast::Agent.framework_manager.get_route_information(@request)
+        append_to_observed_route(reporting_route)
       end
     end
   end