contrast-agent 6.6.4 → 6.6.5

data/lib/contrast/agent/request_context_extend.rb

@@ -23,6 +23,7 @@ module Contrast
       include Contrast::Utils::CEFLogUtils
       include Contrast::Components::Logger::InstanceMethods
       BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
+      CEF_LOGGING_RULES = %w[bot-blocker virtual-patch ip-denylist].cs__freeze
       # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
       # where it is necessary for our route coverage and finding vulnerability discovery features to function.
       #
@@ -34,8 +35,10 @@ module Contrast
         # For our findings
         @route = route
 
+        # REMOVE_DTM_ACTIVITY
+        #
         # For SR findings
-        @activity.routes << route
+        @dtm_activity.routes << route
 
         # For TS routes
         @request.route = route
@@ -54,27 +57,14 @@ module Contrast
         @request.observed_route    = @observed_route
       end
 
-      # Collect the results for the given rule with the given action
-      #
-      # @param rule [String] the id of the rule to which the results apply
-      # @param response_type [Symbol] the result of the response, matching a value of
-      #   Contrast::Api::Dtm::AttackResult::ResponseType
-      # @return [Array<Contrast::Api::Dtm::AttackResult>]
-      def results_for rule, response_type = nil
-        if response_type.nil?
-          activity.results.select { |r| r.rule_id == rule }
-        else
-          activity.results.select { |r| r.rule_id == rule && r.response == response_type }
-        end
-      end
-
       # @raise [Contrast::SecurityException]
       def service_extract_request
         return false unless ::Contrast::AGENT.enabled?
         return false unless ::Contrast::PROTECT.enabled?
         return false if @do_not_track
 
-        service_response = Contrast::Agent&.messaging_queue&.send_event_immediately(@activity.http_request)
+        # REMOVE_DTM_ACTIVITY
+        service_response = Contrast::Agent&.messaging_queue&.send_event_immediately(@activity.request.dtm)
         return false unless service_response
 
         handle_protect_state(service_response)
@@ -112,6 +102,7 @@ module Contrast
         @do_not_track = true unless state.track_request
         return unless state.security_exception
 
+        # make sure the activity get send before the error
         # If Contrast Service has NOT handled the input analysis, handle them here
         build_attack_results(agent_settings)
         logger.debug('Contrast Service said to block this request')
@@ -126,7 +117,6 @@ module Contrast
         @response = Contrast::Agent::Response.new(rack_response)
         return unless @sample_res
 
-        #
         # TODO: RUBY-1376 once all rules translated, move this to if/else w/ the enabled
         if Contrast::Agent::Reporter.enabled?
           Contrast::Agent::Assess::Rule::Response::AutoComplete.new.analyze(@response)
@@ -139,7 +129,8 @@ module Contrast
           Contrast::Agent::Assess::Rule::Response::XContentType.new.analyze(@response)
           Contrast::Agent::Assess::Rule::Response::XXssProtection.new.analyze(@response)
         else
-          activity.http_response = @response.dtm
+          # REMOVE_DTM_ACTIVITY
+          dtm_activity.http_response = @response.dtm
         end
       rescue StandardError => e
         logger.error('Unable to extract information after request', e)
@@ -147,7 +138,7 @@ module Contrast
 
       # This here is for things we don't have implemented
       def log_to_cef
-        activity.results.each { |attack_result| logging_logic(attack_result, attack_result.rule_id.downcase) }
+        activity.defend.attackers.each { |attacker| logging_logic(attacker.protection_rules) }
       end
 
       # @param input_analysis [Contrast::Api::Settings::InputAnalysis]
@@ -177,7 +168,7 @@ module Contrast
 
         results_by_rule.each_pair do |_, attack_result|
           logger.info('Blocking attack result', rule: attack_result.rule_id)
-          activity.results << attack_result
+          activity.attach_defend(attack_result)
         end
       end
 
@@ -199,28 +190,56 @@ module Contrast
                           end
       end
 
-      def logging_logic result, rule_id
-        rules = %w[bot_blocker virtual_patch ip_denylist]
-        return unless rules.include?(rule_id)
-
-        rule_details = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0]).fetch(rule_id.to_sym)
-        outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
-        case rule_id
-        when /bot_blocker/i
-          blocker_to_json = Contrast::Api::Dtm::BotBlockerDetails.to_controlled_hash(rule_details)
-          cef_logger.bot_blocking_message(blocker_to_json, outcome)
-        when /virtual_patch/i
-          virtual_patch_to_json = Contrast::Api::Dtm::VirtualPatchDetails.to_controlled_hash(rule_details)
-          cef_logger.virtual_patch_message(virtual_patch_to_json, outcome)
-        when /ip_denylist/i
-          sender_ip = extract_sender_ip
-          ip_denylist_to_json = Contrast::Api::Dtm::IpDenylistDetails.to_controlled_hash(rule_details)
-          return unless sender_ip
-          return unless sender_ip.include?(ip_denylist_to_json[:ip])
-
-          cef_logger.ip_denylisted_message(sender_ip, ip_denylist_to_json, outcome)
+      # @param protection_rules [Array<rule_id => Contrast::Agent::Reporting::ApplicationDefendAttackActivity>] Array
+      # of all protection rules per active attackers of this request life cycle.
+      def logging_logic protection_rules
+        protection_rules.any? do |rule_id, activity|
+          next unless CEF_LOGGING_RULES.include?(rule_id)
+
+          outcome = activity.response_type
+          rule_details = details_builder(outcome, activity)
+          case rule_id
+          when /bot-blocker/i
+            cef_logger.bot_blocking_message(rule_details.to_controlled_hash, outcome) if rule_details
+          when /virtual-patch/i
+            cef_logger.virtual_patch_message(rule_details.to_controlled_hash, outcome) if rule_details
+          when /ip-denylist/i
+            sender_ip = extract_sender_ip
+            next unless sender_ip
+            next unless rule_details && rule_details.ip == sender_ip
+
+            cef_logger.ip_denylisted_message(sender_ip, rule_details.to_controlled_hash, outcome)
+          end
+        end
+      end
+
+      # @param outcome [Symbol<Contrast::Agent::Reporting::ResponseType>]
+      # @param activity [Contrast::Agent::Reporting::ApplicationDefendAttackActivity]
+      def details_builder outcome, activity
+        case outcome
+        when ::Contrast::Agent::Reporting::ResponseType::BLOCKED
+          blocked = activity.blocked
+          get_details(blocked)
+        when ::Contrast::Agent::Reporting::ResponseType::MONITORED
+          exploited = activity.exploited
+          get_details(exploited)
+        when ::Contrast::Agent::Reporting::ResponseType::PROBED
+          ineffective = activity.ineffective
+          get_details(ineffective)
+        when ::Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
+          activity.suspicious.samples[0].details
+          suspicious = activity.suspicious
+          get_details(suspicious)
         end
       end
+
+      # @param type [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
+      # @return details [Contrast::Agent::Reporting::ProtectRuleDetails] depends on rule
+      def get_details type
+        sample = nil
+        sample = type.samples[0] unless type.samples.empty?
+        sample&.details
+      end
     end
   end
 end

data/lib/contrast/agent/request_handler.rb

@@ -22,13 +22,6 @@ module Contrast
         @ruleset = ::Contrast::AGENT.ruleset
       end
 
-      # Send Activities messages to TS [Contrast::Api::Dtm::Activity]
-      # TODO: RUBY-1704
-      # TODO: RUBY-1438
-      def send_activity_messages
-        Contrast::Agent.messaging_queue&.send_event_eventually(context.activity)
-      end
-
       # reports events[Contrast::Agent::Reporting::ReporterEvent] to TS
       # This method is used to send our JSON messages directly to TeamServer at the end of each request. As we move
       # more endpoints over, this method will take the messages originally sent by #send_actiivty_messages. At the end,
@@ -37,11 +30,16 @@ module Contrast
         return unless (reporter = Contrast::Agent.reporter)
 
         reporter.send_event(context.observed_route)
-        return unless Contrast::Agent::Reporter.enabled?
+        # return unless Contrast::Agent::Reporter.enabled?
+
+        # REMOVE_DTM_ACTIVITY after reporter routes, responses, findings are implemented
+        #
+        # This reports routes, findings and traces with response dependent rules.
+        Contrast::Agent.messaging_queue&.send_event_eventually(context.dtm_activity)
 
         # Mask Sensitive Data
         Contrast::Agent::Reporting::Masker.mask(context.activity)
-        event = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
+        event = context.activity
         reporter.send_event(event)
       end
 

data/lib/contrast/agent/service_heartbeat.rb

@@ -19,7 +19,7 @@ module Contrast
         @_thread = Contrast::Agent::Thread.new do
           logger.info('Starting heartbeat thread.')
           loop do
-            logger.info("Queue Size: #{ Contrast::Agent.messaging_queue.queue&.length }")
+            logger.info("Queue Size: #{ Contrast::Agent.messaging_queue&.queue&.length }")
             Contrast::Agent.messaging_queue&.send_event_eventually(poll_message)
             clean_properties
             sleep(REFRESH_INTERVAL_SEC)

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.6.4'
+    VERSION = '6.6.5'
   end
 end

data/lib/contrast/components/app_context.rb

@@ -27,17 +27,17 @@ module Contrast
         DEFAULT_SERVER_PATH = '/'
 
         # @return [String]
-        attr_reader :version
+        attr_accessor :version
         # @return [String]
-        attr_reader :language
+        attr_accessor :language
         # @return [String]
-        attr_reader :group
+        attr_accessor :group
         # @return [String]
-        attr_reader :tags
+        attr_accessor :tags
         # @return [String]
-        attr_reader :code
+        attr_accessor :code
         # @return [String]
-        attr_reader :metadata
+        attr_accessor :metadata
 
         def initialize hsh = {}
           original_pid

data/lib/contrast/config/assess_configuration.rb

@@ -19,7 +19,7 @@ module Contrast
       DEFAULT_STACKTRACES = 'ALL'
       DEFAULT_MAX_SOURCE_EVENTS = 50_000
       DEFAULT_MAX_PROPAGATION_EVENTS = 50_000
-      DEFAULT_MAX_RULE_REPORTED = 50_000
+      DEFAULT_MAX_RULE_REPORTED = 100
       DEFAULT_MAX_RULE_TIME_THRESHOLD = 300_000
 
       def initialize hsh = {}

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -20,12 +20,7 @@ module Contrast
                 Contrast::Agent.reporter&.send_event_immediately(event)
               end
 
-              if Contrast::Agent::Reporter.enabled?
-                event = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
-                Contrast::Agent.reporter&.send_event_immediately(event)
-              else
-                Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
-              end
+              Contrast::Agent.reporter&.send_event_immediately(context.activity)
             end
 
             def instrument

data/lib/contrast/utils/assess/event_limit_utils.rb

@@ -30,16 +30,29 @@ module Contrast
           false # policy does not have limit
         end
 
-        def event_limit_for_rule? rule_id
-          if Contrast::Utils::Timer.now_ms > threshold_time_limit
-            @_rule_counts = nil
-            @_threshold_time_limit = nil
+        def event_limit_for_rule? rule_id # rubocop:disable Metrics/AbcSize
+          return false unless (context = Contrast::Agent::REQUEST_TRACKER.current)
+
+          saved_request_ids = rule_counts.keys.map { |k| k.to_s.split('_')[1] }
+
+          # if we passed the threshold and we actually have records for that request - wipe them
+          if saved_request_ids.uniq.include?(context.request.__id__)
+            restore_defaults
             threshold_time_limit
           end
-          rule_counts[rule_id] += 1
+
+          # if we have recorded rule counts, but none of them are for the current request_id
+          # eventually we can try and play with the time_limit_threshold -> DEFAULT_MAX_RULE_TIME_THRESHOLD
+          unless !rule_counts.empty? && saved_request_ids.include?(context.request.__id__)
+            restore_defaults
+            threshold_time_limit
+          end
+
+          rule_key = "#{ rule_id }_#{ context.request.__id__ }"
+          rule_counts[rule_key] += 1
           # TODO: RUBY-1680 remove default
-          rule_counts[rule_id] >=
-              (::Contrast::ASSESS.max_rule_reported || Contrast::Config::AssessConfiguration::DEFAULT_MAX_RULE_REPORTED)
+          # we don't need the default here because we either return from the config, or we return the default
+          rule_counts[rule_key] >= ::Contrast::ASSESS.max_rule_reported
         end
 
         # Increments the event count for the type of event that is being tracked
@@ -90,6 +103,12 @@ module Contrast
         def threshold_time_limit
           @_threshold_time_limit ||= Contrast::Utils::Timer.now_ms + (::Contrast::ASSESS.time_limit_threshold || 0)
         end
+
+        # @return nil
+        def restore_defaults
+          @_rule_counts = nil
+          @_threshold_time_limit = nil
+        end
       end
     end
   end

data/lib/contrast/utils/log_utils.rb

@@ -3,6 +3,7 @@
 
 require 'socket'
 require 'contrast/agent/version'
+require 'contrast/utils/object_share'
 require 'contrast/logger/aliased_logging'
 
 module Contrast
@@ -175,13 +176,10 @@ module Contrast
       # initially here we will use case to add it
       def extract_metadata rule_id = nil, outcome = nil
         message = []
-        sender_info = context&.activity&.http_request&.sender
+        request = context&.activity&.request
+        sender_info = { ip: request&.ip || Contrast::Utils::ObjectShare::EMPTY_STRING, port: request&.port || 0 }
         rule_id ? message << "pri=#{ rule_id } " : 'asd'
-        request_method = if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
-                           context.request.rack_request.env['REQUEST_METHOD']
-                         else
-                           DEFAULT_METADATA
-                         end
+        request_method = assign_request_method(context)
         app_name = ::Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
         attach_request_and_sender_info(message, sender_info)
         message << "request=#{ context.request.url } "
@@ -198,10 +196,10 @@ module Contrast
         src = if needed_header
                 needed_header
               else
-                sender_info.ip.length > 1 ? sender_info.ip : DEFAULT_METADATA
+                sender_info[:ip].length > 1 ? sender_info[:ip] : DEFAULT_METADATA
               end
         message << "src=#{ src }"
-        message << "port=#{ sender_info.port }"
+        message << "port=#{ sender_info[:port] }"
       end
 
       def extract_ip_address
@@ -216,9 +214,17 @@ module Contrast
       end
 
       def extract_sender_ip
-        request_headers = context.activity.http_request.request_headers&.transform_keys(&:to_s)
+        request_headers = context.activity.request.headers&.transform_keys(&:to_s)
         request_headers['X-Forwarded-For']
       end
+
+      def assign_request_method context
+        if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
+          context.request.rack_request.env['REQUEST_METHOD']
+        else
+          DEFAULT_METADATA
+        end
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 6.6.4
+  version: 6.6.5
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-07-20 00:00:00.000000000 Z
+date: 2022-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -1026,6 +1026,23 @@ files:
 - lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb
 - lib/contrast/agent/reporting/attack_result/response_type.rb
 - lib/contrast/agent/reporting/attack_result/user_input.rb
+- lib/contrast/agent/reporting/details/bot_blocker_details.rb
+- lib/contrast/agent/reporting/details/cmd_injection_details.rb
+- lib/contrast/agent/reporting/details/details.rb
+- lib/contrast/agent/reporting/details/http_method_tempering_details.rb
+- lib/contrast/agent/reporting/details/ip_denylist_details.rb
+- lib/contrast/agent/reporting/details/no_sqli_details.rb
+- lib/contrast/agent/reporting/details/path_traversal_details.rb
+- lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb
+- lib/contrast/agent/reporting/details/protect_rule_details.rb
+- lib/contrast/agent/reporting/details/sqli_details.rb
+- lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb
+- lib/contrast/agent/reporting/details/virtual_patch_details.rb
+- lib/contrast/agent/reporting/details/xss_details.rb
+- lib/contrast/agent/reporting/details/xss_match.rb
+- lib/contrast/agent/reporting/details/xxe_details.rb
+- lib/contrast/agent/reporting/details/xxe_match.rb
+- lib/contrast/agent/reporting/details/xxe_wrapper.rb
 - lib/contrast/agent/reporting/input_analysis/input_analysis.rb
 - lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb
 - lib/contrast/agent/reporting/input_analysis/input_type.rb