contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/reporting_events/application_defend_attack_activity'
 
 module Contrast
@@ -12,7 +13,7 @@ module Contrast
       class ApplicationDefendAttackerActivity
         # @return [Hash<String,Contrast::Agent::Reporting::ApplicationDefendAttackActivity>] map of rule-id to violated
         #   samples for that rule
-        attr_reader :protection_rules
+        attr_accessor :protection_rules
         # @return [String, nil] the IP address of the request from which the attack originated; used to identify unique
         #   attackers
         attr_reader :source_ip
@@ -20,25 +21,14 @@ module Contrast
         #   identify unique attackers
         attr_reader :source_forwarded_for
 
-        class << self
-          # @param attack_result_dtm [Contrast::Api::Dtm::AttackResult]
-          # @return [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
-          def convert attack_result_dtm
-            activity = new
-            activity.attach_data(attack_result_dtm)
-            activity
-          end
-        end
-
         def initialize
           @protection_rules = {}
-          req = Contrast::Agent::REQUEST_TRACKER.current.activity.http_request
+          req = Contrast::Agent::REQUEST_TRACKER.current&.request
           if req
-            @source_ip = req.sender.ip
-            @source_forwarded_for = req.request_headers['X-Forwarded-For']
+            @source_ip = req.ip || Contrast::Utils::ObjectShare::EMPTY_STRING
+            @source_forwarded_for = req.headers['X-Forwarded-For']
           end
           @event_type = :application_defend_attacker_activity
-          super
         end
 
         def to_controlled_hash
@@ -51,10 +41,12 @@ module Contrast
           }
         end
 
-        # @param attack_result [Contrast::Api::Dtm::AttackResult]
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
-          @protection_rules[attack_result.rule_id] =
-            Contrast::Agent::Reporting::ApplicationDefendAttackActivity.convert(attack_result)
+          @protection_rules[attack_result.rule_id] = Contrast::Agent::Reporting::ApplicationDefendAttackActivity.new.
+              tap do |activity|
+            activity.attach_data(attack_result)
+          end
         end
 
         def process_protection_rules

data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb

@@ -18,16 +18,6 @@ module Contrast
         # @ return [Array<String>, nil] - User-Agent Header value
         attr_reader :browsers
 
-        class << self
-          # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
-          # @return [Contrast::Agent::Reporting::ApplicationInventoryActivity]
-          def convert activity_dtm
-            inventory = new
-            inventory.attach_data(activity_dtm)
-            inventory
-          end
-        end
-
         def initialize
           @event_type = :application_inventory_activity
           @browsers = []
@@ -43,11 +33,13 @@ module Contrast
           }
         end
 
-        def attach_data activity
-          activity.architectures.each do |architecture|
-            @components << Contrast::Agent::Reporting::ArchitectureComponent.convert(architecture)
+        # @param architectures [Array<Contrast::Agent::Reporting::ArchitectureComponent>,
+        # Contrast::Agent::Reporting::ArchitectureComponent]
+        def attach_data architectures
+          Array(architectures).each do |architecture|
+            @components << architecture
           end
-          request_headers = activity.http_request&.request_headers
+          request_headers = Contrast::Agent::REQUEST_TRACKER.current&.request&.headers
           @browsers << request_headers['USER_AGENT'] if request_headers
         end
 

data/lib/contrast/agent/reporting/reporting_events/application_startup.rb

@@ -27,7 +27,7 @@ module Contrast
         #
         # @return [Hash]
         def to_controlled_hash
-          app_config = ::Contrast::CONFIG.root.application
+          app_config = ::Contrast::CONFIG.application
           {
               code: app_config.code,
               group: app_config.group,

data/lib/contrast/agent/reporting/reporting_events/application_update.rb

@@ -6,9 +6,7 @@ require 'contrast/agent/reporting/reporting_events/application_reporting_event'
 require 'contrast/agent/reporting/reporting_events/library_discovery'
 require 'contrast/agent/reporting/reporting_events/reporting_event'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
-require 'contrast/api/dtm.pb'
 require 'contrast/components/logger'
-require 'json'
 
 module Contrast
   module Agent

data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/dtm.pb'
 require 'contrast/components/logger'
 
 module Contrast
@@ -20,37 +19,23 @@ module Contrast
       class ArchitectureComponent
         include Contrast::Components::Logger::InstanceMethods
         # required attributes
-        attr_reader :type, :url
+        attr_accessor :type, :url
         # optional attributes
-        attr_reader :remote_host, :remote_port, :vendor
+        attr_accessor :remote_host, :remote_port, :vendor
 
         # TeamServer only treats these specific values as valid for Architecture Components. It does not know how to
         # process a message with a different type.
+        AC_TYPE_DB = 'db'
         VALID_TYPES = %w[db ldap ws].cs__freeze
 
         class << self
-          # Convert a DTM for SpeedRacer to an Event for TeamServer.
-          #
-          # @param component_dtm [Contrast::Api::Dtm::ArchitectureComponent]
-          # @return [Contrast::Agent::Reporting::ArchitectureComponent]
-          def convert component_dtm
-            report = new
-            report.attach_data(component_dtm)
-            report
+          def build_database
+            msg = new
+            msg.type = AC_TYPE_DB
+            msg
           end
         end
 
-        # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly.
-        #
-        # @param component_dtm [Contrast::Api::Dtm::ArchitectureComponent]
-        def attach_data component_dtm
-          @remote_host = component_dtm.remote_host
-          @remote_port = component_dtm.remote_port
-          @type = component_dtm.type
-          @url = component_dtm.url
-          @vendor = component_dtm.vendor
-        end
-
         # Convert the instance variables on the class, and other information, into the identifiers required for
         # TeamServer to process the JSON form of this message.
         #

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -29,14 +29,14 @@ module Contrast
         # @return [Array<Contrast::Agent::Reporting::FindingEvent>] the events associated with this finding, if the
         #   finding is event (dataflow) based.
         attr_reader :events
-        # @return [String] the evidence associated with this finding, if the finding is event based. deprecated in
-        #   favor of properties
+        # # @return [String] the evidence associated with this finding, if the finding is event based. deprecated in
+        # #   favor of properties
         # attr_reader :evidence
         # @return [Hash<String,String>] properties that prove the violation of the rule for this finding
         attr_reader :properties
         # @return [Contrast::Agent::Reporting::FindingRequest] the request associated with this finding, if the finding
         #   is request based
-        attr_reader :request
+        attr_accessor :request
         # @return [String] the uniquely identifying hash of this finding
         attr_accessor :hash_code
 
@@ -54,16 +54,6 @@ module Contrast
           xxssprotection-header-disabled
         ].cs__freeze
 
-        class << self
-          # @param finding_dtm [Contrast::Api::Dtm::Finding]
-          # @return [Contrast::Agent::Reporting::Finding]
-          def convert finding_dtm
-            report = new(finding_dtm.rule_id)
-            report.attach_property_data(finding_dtm)
-            report
-          end
-        end
-
         def initialize rule_id
           @event_method = :PUT
           @event_endpoint = "#{ Contrast::API.api_url }/api/ng/traces"
@@ -100,28 +90,10 @@ module Contrast
           event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
           contrast_event = Contrast::Agent::Assess::ContrastEvent.new(event_data)
           events << Contrast::Agent::Reporting::FindingEvent.convert(contrast_event)
-          attach_properties
           return unless request
 
           @request = Contrast::Agent::Reporting::FindingRequest.convert(request)
-          @routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route) if request.route
-        end
-
-        # Attach the data from a Contrast::Api::Dtm::Finding required for property based findings generated during
-        # response analysis.
-        #
-        # @param finding_dtm [Contrast::Api::Dtm::Finding]
-        def attach_property_data finding_dtm
-          @hash_code = finding_dtm.hash_code
-          @rule_id = finding_dtm.rule_id
-          finding_dtm.properties.each_pair do |key, value|
-            @properties[key] = value
-          end
-          finding_dtm.routes.each do |route|
-            @routes << Contrast::Agent::Reporting::RouteDiscovery.convert(route)
-          end
-          request = Contrast::Agent::REQUEST_TRACKER.current&.request
-          @request = Contrast::Agent::Reporting::FindingRequest.convert(request) if request
+          @routes << request.discovered_route if request.discovered_route
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -137,16 +109,9 @@ module Contrast
             return
           end
 
-          hsh = {
-              created: created,
-              hash: hash_code.to_s,
-              ruleId: rule_id,
-              session_id: ::Contrast::ASSESS.session_id,
-              version: 4
-          }
-          hsh[:events] = events.map(&:to_controlled_hash) if event_based?
-          # hsh[:evidence] = evidence unless event_based? || property_based?
-          hsh[:properties] = properties if property_based?
+          hsh = base_hash
+          hsh[:events] = events.map(&:to_controlled_hash) if events.any?
+          hsh[:properties] = properties if properties.any?
           hsh[:tags] = Contrast::ASSESS.tags if Contrast::ASSESS.tags
           return hsh unless request_based?
 
@@ -155,6 +120,17 @@ module Contrast
           hsh
         end
 
+        # @return [Hash] the base of every finding, regardless of type
+        def base_hash
+          {
+              created: created,
+              hash: hash_code.to_s,
+              ruleId: rule_id,
+              session_id: ::Contrast::ASSESS.session_id,
+              version: 4
+          }
+        end
+
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
@@ -174,12 +150,6 @@ module Contrast
 
         private
 
-        # Our events have properties on them. To report them to TeamServer, we need to pull them from our object up to
-        # the Contrast::Agent::Reporting::Finding level.
-        #
-        # TODO: RUBY-99999 put properties on events, not just on DTM
-        def attach_properties; end
-
         def build_events events, event
           return unless event
 
@@ -192,16 +162,16 @@ module Contrast
         # Rules which are event based must have an event to be sent to TeamServer. They include the Trigger, Regexp,
         # and Data flow type Rules, meaning all those which are not Properties based. Eventually, we may have
         # validation for each of those types; however, that's a refactor for after we've translated all rules from the
-        # Service and have had time to build proper child structure.
+        # TeamServer and have had time to build proper child structure.
         #
         # @return [Boolean]
         def event_based?
-          !property_based? && !config_based?
+          !property_based? && !config_based? && !hardcoded?
         end
 
         # Rules which are property based must have a property to be sent to TeamServer. Eventually, each rule may own
         # its own validation, as the properties each needs are different; however, that's a refactor for after we've
-        # translated all rules from the Service and have had time to build proper child structure.
+        # translated all rules from TeamServer and have had time to build proper child structure.
         #
         # @return [Boolean]
         def property_based?
@@ -210,7 +180,7 @@ module Contrast
 
         # Rules which are config based must have a configuration to be sent to TeamServer. Eventually, each rule may own
         # its own validation, as the properties each needs are different; however, that's a refactor for after we've
-        # translated all rules from the Service and have had time to build proper child structure.
+        # translated all rules from TeamServer and have had time to build proper child structure.
         #
         # @return [Boolean]
         def config_based?
@@ -219,7 +189,7 @@ module Contrast
 
         # Rules which are hardcode based send properties to TeamServer. Eventually, each rule may own its own
         # validation, as the properties each needs are different; however, that's a refactor for after we've
-        # translated all rules from the Service and have had time to build proper child structure.
+        # translated all rules from TeamServer and have had time to build proper child structure.
         #
         # @return [Boolean]
         def hardcoded?

data/lib/contrast/agent/reporting/reporting_events/finding_event.rb

@@ -100,6 +100,10 @@ module Contrast
           end
         end
 
+        def initialize
+          @event_sources = []
+        end
+
         # Parse the data from a Contrast::Agent::Assess::ContrastEvent to attach what is required for reporting to
         # TeamServer to this Contrast::Agent::Reporting::FindingEvent
         #
@@ -208,11 +212,9 @@ module Contrast
         #
         # @param event [Contrast::Agent::Assess::ContrastEvent]
         def event_sources! event
-          @event_sources = []
           return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
 
-          source = Contrast::Agent::Reporting::FindingEventSource.convert(event)
-          event_sources << source if source
+          event_sources << event.event_source if event.event_source
         end
 
         # Convert the parent id's of the given ContrastEvent to the reportable form for this FindingEvent.
@@ -237,12 +239,13 @@ module Contrast
         #
         # @param event [Contrast::Agent::Assess::ContrastEvent]
         def stack! event
-          @stack = []
-          event.stack_trace.each do |stack_event|
-            if (report = Contrast::Agent::Reporting::FindingEventStack.convert(stack_event))
-              stack << report
-            end
-          end
+          @stack = if event.stack_trace
+                     event.stack_trace.compact.map! do |stack_event|
+                       Contrast::Agent::Reporting::FindingEventStack.new(stack_event)
+                     end
+                   else
+                     Contrast::Utils::ObjectShare::EMPTY_ARRAY
+                   end
         end
 
         # Convert the taint ranges of the given ContrastEvent to the reportable form for this FindingEvent.

data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb

@@ -61,7 +61,7 @@ module Contrast
           # 8 is STATIC in Java... we have to placate them for now it has been requested that flags be removed since it
           # isn't used
           @flags = 8 unless node.instance_method?
-          @method_name = node.method_name
+          @method_name = node.method_name.to_s
           @return_type = type_name(event.ret)
           # if there's a ret, then this method isn't nil. not 100% full proof since you can return nil, but this is the
           # best we've got currently.

data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require 'base64'
-require 'contrast/agent/assess/contrast_event'
-require 'contrast/agent/assess/events/source_event'
 require 'contrast/components/logger'
 
 module Contrast
@@ -21,25 +19,11 @@ module Contrast
         # @return [String] the type of the source
         attr_reader :type
 
-        class << self
-          # @param event [Contrast::Agent::Assess::Events::ContrastEvent] the event to pull the source off of
-          # @return [Contrast::Agent::Reporting::FindingEventSource]
-          def convert event
-            return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
-
-            report = new
-            report.attach_data(event)
-            report
-          end
-        end
-
-        # Parse the data from a Contrast::Agent::Assess::Events::SourceEvent to attach what is required for reporting
-        # to TeamServer to this Contrast::Agent::Reporting::FindingEventSource
-        #
-        # @param event [Contrast::Agent::Assess::Events::SourceEvent] the event to pull the source off of
-        def attach_data event
-          @name = event.source_name
-          @type = event.source_type
+        # @param type [String]
+        # @param name [String]
+        def initialize type, name
+          @type = type
+          @name = name
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -61,6 +45,24 @@ module Contrast
           }
         end
 
+        # Convert this EventSource into the format expected for route observation
+        #
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_observation_hash
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventSource observation validation failed with: ', e)
+            return
+          end
+
+          {
+              name: name, # rubocop:disable Security/Module/Name
+              type: type
+          }
+        end
+
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type && !type.empty?

data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb

@@ -28,25 +28,12 @@ module Contrast
 
         AGENT_CLASS_MARKER = '/lib/contrast/'
 
-        class << self
-          # @param stack [String]
-          # @return [Contrast::Agent::Reporting::FindingEventStack,nil]
-          def convert stack
-            return unless stack
-            return if stack.include?(AGENT_CLASS_MARKER)
-
-            report = new
-            report.attach_data(stack)
-            report
-          end
-        end
-
-        # Parse the data from a Contrast::Agent::Assess::Tag to attach what is required for reporting to TeamServer to
-        # this Contrast::Agent::Reporting::FindingEventTaintRange
+        # To play nice with the way that TeamServer is rendering these values, we only populate the file_name field with
+        # exactly what we want them to display.
         #
-        # @param stack [String]
-        def attach_data stack
-          @file = stack
+        # @param file_name [String] the caller location this stack frame represents.
+        def initialize file_name
+          @file = file_name
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for

data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/tag'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
 require 'contrast/components/logger'
 
 module Contrast

data/lib/contrast/{api/decorators/trace_taint_range_tags.rb → agent/reporting/reporting_events/finding_event_taint_range_tags.rb}

@@ -2,13 +2,13 @@
 # frozen_string_literal: true
 
 module Contrast
-  module Api
-    module Decorators
-      # A holder for the valid tags that can be sent to the Service, and
-      # ultimately TS, that we have to honor. Placed here so as not to clutter
-      # other code.
-      module TraceTaintRangeTags
+  module Agent
+    module Reporting
+      # A holder for the valid tags that can be sent to TeamServer that we have to honor. Placed here so as not to
+      # clutter other code.
+      module FindingEventTaintRangeTags
         # EventTagTypeDTM
+        # @return [Array<Symbol>]
         VALID_TAGS = %w[
           XML_ENCODED
           XML_DECODED
@@ -97,6 +97,7 @@ module Contrast
           DATABASE_WRITE
         ].cs__freeze
 
+        # @return [Array<Symbol>]
         VALID_SOURCE_TAGS = %w[NO_NEWLINES UNTRUSTED CROSS_SITE LIMITED_CHARS].cs__freeze
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -13,10 +13,12 @@ module Contrast
       class FindingRequest
         include Contrast::Components::Logger::InstanceMethods
 
+        OMITTED_BODY = '{{body-omitted-by-contrast}}'
+
         # @return [String] the body of this request
-        attr_reader :body
+        attr_accessor :body
         # @return [Hash<String,Array<String>>] the headers of this request
-        attr_reader :headers
+        attr_accessor :headers
         # @return [String] the HTTP verb of this request
         attr_reader :method
         # @return [Hash<String,Array<String>>] the parameters of this request
@@ -26,16 +28,24 @@ module Contrast
         # @return [String] the HTTP(S) protocol of this request
         attr_reader :protocol
         # @return [String] the query string of this request
-        attr_reader :query_string
+        attr_accessor :query_string
         # @return [String] the url, including path and script, of this request
         attr_reader :uri
         # @return [String] the HTTP version of this request
         attr_reader :version
+        # @return [Integer]
+        attr_reader :ip
+        # @return [String] Byte representation of the body
+        attr_accessor :body_binary
+        # @return [Hash]
+        attr_reader :cookies
 
         class << self
           # @param request [Contrast::Agent::Request]
           # @return [Contrast::Agent::Reporting::FindingRequest]
           def convert request
+            return unless request
+
             report = new
             report.attach_data(request)
             report
@@ -49,13 +59,7 @@ module Contrast
         def attach_data request
           @body = request.body
           @headers = {}
-          request.headers.each_pair do |key, value|
-            # We need to change from the uppercase _ format to capitalized - format.
-            header = key.split('_')
-            header.each(&:capitalize!)
-            header = header.join('-')
-            headers[header] = value.split
-          end
+          extract_headers(request)
           @method = request.request_method
           @parameters = {}
           request.parameters.each_pair { |key, value| @parameters[key] = Array(value) }
@@ -64,6 +68,14 @@ module Contrast
           @query_string = request.query_string
           @uri = request.normalized_uri
           @version = request.version
+          @ip = request.ip || ''
+          @body_binary = if omit_body?(request)
+                           OMITTED_BODY
+                         else
+                           Contrast::Utils::StringUtils.force_utf8(request.body)
+                         end
+          @cookies = {}
+          @cookies = request.cookies unless request.cookies.empty?
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -92,12 +104,30 @@ module Contrast
           }
         end
 
+        def omit_body? request
+          return true if ::Contrast::AGENT.omit_body?
+          return false if request.document_type != :NORMAL
+
+          request.media_type&.include?('multipart/form-data')
+        end
+
         def validate
           unless method && !method.empty? # rubocop:disable Security/Object/Method
             raise(ArgumentError, "#{ self } did not have a proper method. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper uri. Unable to continue.") unless uri && !uri.empty?
         end
+
+        # @param request [Contrast::Agent::Request]
+        def extract_headers request
+          request.headers.each_pair do |key, value|
+            # We need to change from the uppercase _ format to capitalized - format.
+            header = key.split('_')
+            header.each(&:capitalize!)
+            header = header.join('-')
+            headers[header] = value.split
+          end
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/dtm.pb'
 require 'contrast/utils/string_utils'
 require 'contrast/components/logger'
 

data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb

@@ -11,7 +11,7 @@ module Contrast
         include Contrast::Components::Logger::InstanceMethods
 
         # @param [String] Sha256Sum of library as identified by the agent
-        attr_accessor :id
+        attr_reader :id
         # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
         attr_reader :names
 

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb

@@ -24,7 +24,7 @@ module Contrast
         attr_accessor :url
         # @param [String] the HTTP Verb used  to access the method in the route.
         attr_accessor :verb
-        # @param [Array<Contrast::Agent::Reporting::TraceEventSource>] the sources of user input accessed during this
+        # @param [Array<Contrast::Agent::Reporting::FindingEventSource>] the sources of user input accessed during this
         #   request. Used for remediation determinations in TeamServer.
         attr_reader :sources
 
@@ -56,7 +56,7 @@ module Contrast
 
           {
               session_id: ::Contrast::ASSESS.session_id,
-              sources: @sources.map(&:to_controlled_hash),
+              sources: @sources.map(&:to_controlled_observation_hash),
               signature: @signature,
               verb: @verb,
               url: @url