RubyGems - contrast-agent - Versions diffs - 6.6.4 → 6.8.0 - Mend

contrast-agent 6.6.4 → 6.8.0

Files changed (340) hide show

data/lib/contrast/components/assess_rules.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/config/base_configuration'
+module Contrast
+  module Components
+    # Common Configuration settings. Those in this section pertain to the
+    # disabled assess rule functionality of the Agent.
+    module AssessRules
+      class Interface # :nodoc:
+        include Contrast::Config::BaseConfiguration
+        SPEC_KEY = :disabled_rules.cs__freeze
+        # @return [Array, nil] list of disabled assess rules
+        attr_accessor :disabled_rules
+        def initialize hsh = {}
+          return unless hsh
+          @disabled_rules = cast_disabled_rules(hsh)
+        end
+        private
+        def cast_disabled_rules hsh
+          return unless hsh
+          return unless hsh.key?(SPEC_KEY)
+          return hsh[SPEC_KEY] if hsh[SPEC_KEY].cs__is_a?(Array)
+          hsh[SPEC_KEY].split(',').map(&:strip) if hsh[SPEC_KEY].cs__is_a?(String)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/components/config.rb CHANGED Viewed

@@ -34,6 +34,9 @@ module Contrast
         API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
         API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
         API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
+        attr_reader :config
         def initialize
           build
         end
@@ -62,9 +65,39 @@ module Contrast
         end
         alias_method :rebuild, :build
-        # @return [Contrast::Config::RootConfiguration]
-        def root
-          @config.root
+        # @return [Contrast::Components::Api::Interface]
+        def api
+          @config.api
+        end
+        # @return [Contrast::Components::Agent::Interface]
+        def agent
+          @config.agent
+        end
+        # @return [Contrast::Components::AppContext::Interface]
+        def application
+          @config.application
+        end
+        # @return [Contrast::Config::ServerConfiguration]
+        def server
+          @config.server
+        end
+        # @return [Contrast::Components::Assess::Interface]
+        def assess
+          @config.assess
+        end
+        # @return [Contrast::Components::Inventory::Interface]
+        def inventory
+          @config.inventory
+        end
+        # @return [Contrast::Components::Protect::Interface]
+        def protect
+          @config.protect
         end
         def valid?
@@ -72,6 +105,10 @@ module Contrast
           @_valid
         end
+        def enable
+          @config.enable
+        end
         def invalid?
           !valid?
         end
@@ -85,12 +122,12 @@ module Contrast
         #
         # @return [String,nil] the value of the session id set in the configuration, or nil if unset
         def session_id
-          root.application.session_id
+          application.session_id
         end
         # @return [String,nil] the value of the session metadata set in the configuration, or nil if unset
         def session_metadata
-          root.application.session_metadata
+          application.session_metadata
         end
         private
@@ -115,13 +152,10 @@ module Contrast
           true
         end
-        # If the agent is to use the bypass to communicate with TeamServer directly, than it must have the
-        # configuration values required for that connection.
+        # The agent must have the configuration values required for the connection to TeamServer.
         #
         # @return [boolean]
         def valid_api?
-          return true unless bypass
           msg = []
           msg << API_URL unless api_url
           msg << API_KEY unless api_key
@@ -138,7 +172,7 @@ module Contrast
             next unless env_key.to_s.start_with?(CONTRAST_ENV_MARKER)
             config_item = Contrast::Utils::EnvConfigurationItem.new(env_key, env_value)
-            assign_value_to_path_array(root, config_item.dot_path_array, config_item.value)
+            assign_value_to_path_array(self, config_item.dot_path_array, config_item.value)
           end
         end
@@ -148,7 +182,7 @@ module Contrast
         #
         # @return [String, nil]
         def api_url
-          root.api.url
+          api.url
         end
         # Typically, the following values would be accessed through Contrast::Components::AppContext
@@ -157,7 +191,7 @@ module Contrast
         #
         # @return [String, nil]
         def api_key
-          root.api.api_key
+          api.api_key
         end
         # Typically, the following values would be accessed through Contrast::Components::AppContext
@@ -166,7 +200,7 @@ module Contrast
         #
         # @return [String, nil]
         def api_service_key
-          root.api.service_key
+          api.service_key
         end
         # Typically, the following values would be accessed through Contrast::Components::AppContext
@@ -175,16 +209,7 @@ module Contrast
         #
         # @return [String, nil]
         def api_username
-          root.api.user_name
-        end
-        # Typically, the following values would be accessed through Contrast::Components::AppContext
-        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
-        # that mechanism, so we look it up directly for ourselves.
-        #
-        # @return [String, nil]
-        def bypass
-          root.agent.service.bypass
+          api.user_name
         end
         # Typically, the following values would be accessed through Contrast::Components::AppContext
@@ -193,7 +218,7 @@ module Contrast
         #
         # @return [String, nil]
         def logger_path
-          root.agent.logger.path
+          agent.logger.path
         end
         # Assign the value from an ENV variable to the Contrast::Config::RootConfiguration object, when

data/lib/contrast/components/heap_dump.rb CHANGED Viewed

@@ -71,7 +71,7 @@ module Contrast
         def heap_dump_control
           @_heap_dump_control ||= begin
-            config = ::Contrast::CONFIG.root&.agent&.heap_dump
+            config = ::Contrast::CONFIG&.agent&.heap_dump
             {
                 enabled: true?(config&.enable),
                 path: File.absolute_path(config&.path),

data/lib/contrast/components/protect.rb CHANGED Viewed

@@ -16,6 +16,8 @@ module Contrast
         # @return [Boolean, nil]
         attr_accessor :enable
+        # @return [Boolean, nil]
+        attr_accessor :agent_lib
         def initialize hsh = {}
           return unless hsh
@@ -23,6 +25,7 @@ module Contrast
           @_exceptions = Contrast::Config::ExceptionConfiguration.new(hsh[:exceptions])
           @_rules = Contrast::Config::ProtectRulesConfiguration.new(hsh[:rules])
           @enable = hsh[:enable]
+          @agent_lib = hsh[:agent_lib]
         end
         # @return [Contrast::Config::ExceptionConfiguration]
@@ -31,7 +34,7 @@ module Contrast
         end
         # Name is kept the same - rules to correspond to config,
-        # mapping. - root.protect.rules
+        # mapping. - protect.rules
         #
         # @return [Contrast::Config::ProtectRulesConfiguration]
         def rules
@@ -55,7 +58,7 @@ module Contrast
         end
         def rule_config
-          ::Contrast::CONFIG.root.protect.rules
+          ::Contrast::CONFIG.protect.rules
         end
         # Returns Protect array of all initialized
@@ -69,9 +72,9 @@ module Contrast
         def rule_mode rule_id
           str = rule_id.tr('-', '_')
-          ::Contrast::CONFIG.root.protect.rules[str]&.applicable_mode ||
+          ::Contrast::CONFIG.protect.rules[str]&.applicable_mode ||
               ::Contrast::SETTINGS.application_state.modes_by_id[rule_id] ||
-              Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+              :NO_ACTION
         end
         def rule name
@@ -98,7 +101,7 @@ module Contrast
         def forcibly_disabled?
           return @_forcibly_disabled unless @_forcibly_disabled.nil?
-          @_forcibly_disabled = false?(::Contrast::CONFIG.root.protect.enable)
+          @_forcibly_disabled = false?(::Contrast::CONFIG.protect.enable)
         end
         private
@@ -106,7 +109,7 @@ module Contrast
         def forcibly_enabled?
           return @_forcibly_enabled unless @_forcibly_enabled.nil?
-          @_forcibly_enabled ||= true?(::Contrast::CONFIG.root.protect.enable)
+          @_forcibly_enabled ||= true?(::Contrast::CONFIG.protect.enable)
         end
       end
     end

data/lib/contrast/components/ruby_component.rb ADDED Viewed

@@ -0,0 +1,81 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Components
+    module Ruby
+      # A wrapper build around the Common Agent Configuration project to allow
+      # for access of the values contained in its
+      # parent_configuration_spec.yaml.
+      # Those in this section pertain to the specific settings that apply to Ruby
+      class Interface
+        include Contrast::Components::ComponentBase
+        DISABLED_RAKE_TASK_LIST = %w[
+          about assets:clean assets:clobber assets:environment
+          assets:precompile assets:precompile:all db:create db:drop db:fixtures:load db:migrate
+          db:migrate:status db:rollback db:schema:cache:clear db:schema:cache:dump db:schema:dump
+          db:schema:load db:seed db:setup db:structure:dump db:version doc:app graphql:install graphql:object
+          log:clear middleware notes notes:custom rails:template rails:update routes secret spec spec:features
+          spec:requests spec:controllers spec:helpers spec:models spec:views spec:routing spec:rcov stats
+          test test:all test:all:db test:recent test:single test:uncommitted time:zones:all tmp:clear
+          tmp:create webpacker:compile
+        ].cs__freeze
+        DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze
+        attr_writer :disabled_agent_rake_tasks, :exceptions, :propagate_yield, :require_scan,
+                    :non_request_tracking, :uninstrument_namespace
+        def initialize hsh = {}
+          return unless hsh
+          @disabled_agent_rake_tasks = hsh[:disabled_agent_rake_tasks]
+          @exceptions = Contrast::Config::ExceptionConfiguration.new(hsh[:exceptions])
+          @propagate_yield = hsh[:propagate_yield]
+          @require_scan = hsh[:require_scan]
+          @non_request_tracking = hsh[:non_request_tracking]
+          @uninstrument_namespace = hsh[:uninstrument_namespace]
+        end
+        # These commands being detected will result the agent disabling instrumentation, generally any command
+        # that doesn't result in the application listening on a port can be added here, this normally includes tasks
+        # that are ran pre-startup(like migrations) or to show information about the application(such as routes)
+        # @return [Array, DISABLED_RAKE_TASK_LIST]
+        def disabled_agent_rake_tasks
+          @disabled_agent_rake_tasks.nil? ? DISABLED_RAKE_TASK_LIST : @disabled_agent_rake_tasks
+        end
+        # rubocop:disable Naming/MemoizedInstanceVariableName
+        # @return [Contrast::Config::ExceptionConfiguration]
+        def exceptions
+          @exceptions ||= Contrast::Config::ExceptionConfiguration.new
+        end
+        # rubocop:enable Naming/MemoizedInstanceVariableName
+        # controls whether or not we patch the rb_yield block to track split propagation
+        # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
+        def propagate_yield
+          @propagate_yield.nil? ? Contrast::Utils::ObjectShare::TRUE : @propagate_yield
+        end
+        # control whether or not we run file scanning rules on require
+        # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
+        def require_scan
+          @require_scan.nil? ?  Contrast::Utils::ObjectShare::TRUE  : @require_scan
+        end
+        # controls tracking outside of request
+        # @return [Boolean, Contrast::Utils::ObjectShare::FALSE]
+        def non_request_tracking
+          @non_request_tracking.nil? ? Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
+        end
+        # @return [Array, DEFAULT_UNINSTRUMENTED_NAMESPACES]
+        def uninstrument_namespace
+          @uninstrument_namespace.nil? ? DEFAULT_UNINSTRUMENTED_NAMESPACES : @uninstrument_namespace
+        end
+      end
+    end
+  end
+end

data/lib/contrast/components/sampling.rb CHANGED Viewed

@@ -24,7 +24,7 @@ module Contrast
         def sampling_control
           @_sampling_control ||= begin
-            config_settings = ::Contrast::CONFIG.root.assess&.sampling
+            config_settings = ::Contrast::CONFIG.assess&.sampling
             settings = ::Contrast::SETTINGS&.assess_state&.sampling_settings
             {
                 enabled: enabled?(config_settings, settings),

data/lib/contrast/components/security_logger.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Components
+    module SecurityLogger
+      # Here we will read and store the setting for the CEF Logging functionality
+      class Interface
+        # @return [String, nil]
+        attr_accessor :path
+        # @return [String, nil]
+        attr_accessor :level
+        def initialize hsh = {}
+          return unless hsh
+          @path = hsh[:path]
+          @level = hsh[:level]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/components/settings.rb CHANGED Viewed

@@ -1,8 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/api/settings.pb'
+require 'contrast/agent/excluder'
 require 'contrast/agent/reporting/settings/sensitive_data_masking'
+require 'contrast/components/config'
 module Contrast
   module Components
@@ -11,8 +12,7 @@ module Contrast
     # directives (likely provided by TeamServer) about product operation.
     # 'Settings' is not a generic term for 'configurable stuff'.
     module Settings
-      APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).
-          new(Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION), [])
+      APPLICATION_STATE_BASE = Struct.new(:modes_by_id).new(Hash.new(:NO_ACTION))
       PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
       ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
                                                                                                             [], nil) do
@@ -53,30 +53,6 @@ module Contrast
         # Current Application State.
         #
         # modes_by_id [Hash<Rule_id => Mode] Returns Hash with rules and their current mode.
-        # exclusion_matchers [Array] Array of all the exclusions.
-        # code_exclusions [Array<CodeExclusion>] Array of CodeExclusion: {
-        #   name         [String] The name of the exclusion as defined by the user in TS.
-        #   modes        [String] If this exclusion applies to assess or protect. [assess, defend]
-        #   assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
-        #   denylist     [String] The call, if in the stack, should result in the agent not taking action.
-        # input_exclusions [Array<InputExclusions>] Array of InputExclusions: {
-        #   name           [String] The name of the input.
-        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
-        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
-        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
-        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
-        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
-        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
-        # }
-        # url_exclusions [Array<UrlExclusions>] Array of UrlExclusions: {
-        #   name           [String] The name of the input.
-        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
-        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
-        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
-        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
-        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
-        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
-        # }
         attr_reader :application_state
         # This the structure that will hold the masking rules send from TS.
         #
@@ -90,39 +66,40 @@ module Contrast
         attr_reader :last_app_update_ms
         # @return [Integer] the time, in ms, that server settings last changed
         attr_reader :last_server_update_ms
+        # @return [Contrast::Agent::Excluder] a wrapper around the exclusion rules for the application
+        attr_reader :excluder
         def initialize
           reset_state
         end
         def code_exclusions
-          @application_state.exclusion_matchers.select(&:code?)
+          excluder&.exclusions&.select(&:code?)
         end
-        # @param features_response [Contrast::Api::Settings::ServerFeatures, Contrast::Agent::Reporting::Response]
+        # @param features_response [Contrast::Agent::Reporting::Response]
         def update_from_server_features features_response
-          if features_response.cs__is_a?(Contrast::Agent::Reporting::Response)
-            update_from_response(features_response)
-          else
-            @protect_state.enabled = features_response.protect_enabled?
-            @assess_state.enabled = features_response.assess_enabled?
-            @assess_state.sampling_settings = features_response.assess.sampling
-            @last_server_update_ms = Contrast::Utils::Timer.now_ms
-          end
+          return unless (server_features = features_response&.server_features)
+          log_file = server_features.log_file
+          log_level = server_features.log_level
+          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
+          @protect_state.enabled = server_features.protect.enabled?
+          @assess_state.enabled = server_features.assess.enabled?
+          @assess_state.sampling_settings = server_features.assess.sampling
           @last_server_update_ms = Contrast::Utils::Timer.now_ms
         end
-        # @param settings_response [Contrast::Api::Settings::ApplicationSettings, Contrast::Agent::Reporting::Response]
+        # @param settings_response [Contrast::Agent::Reporting::Response]
         def update_from_application_settings settings_response
-          if settings_response&.cs__class == Contrast::Agent::Reporting::Response
-            update_from_response(settings_response)
-          else
-            new_vals = settings_response.application_state_translation
-            @application_state.modes_by_id = new_vals[:modes_by_id]
-            @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
-            @assess_state.disabled_assess_rules = new_vals[:disabled_assess_rules]
-            @last_app_update_ms = Contrast::Utils::Timer.now_ms
-          end
+          return unless (app_settings = settings_response&.application_settings)
+          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          update_exclusion_matchers(app_settings.exclusions)
+          update_sensitive_data_policy(app_settings.sensitive_data_masking)
+          @assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
+          new_session_id = app_settings.assess.session_id
+          @assess_state.session_id = new_session_id if new_session_id && !new_session_id.blank?
           @last_app_update_ms = Contrast::Utils::Timer.now_ms
         end
@@ -133,12 +110,14 @@ module Contrast
           @application_state = APPLICATION_STATE_BASE.dup
           @tainted_columns = {}
           @sensitive_data_masking = SENSITIVE_DATA_MASKING_BASE.dup
+          @excluder = Contrast::Agent::Excluder.new
         end
         def build_protect_rules
           @protect_state.rules = {}
           # Rules. They add themselves on initialize.
+          Contrast::Agent::Protect::Rule::BotBlocker.new
           Contrast::Agent::Protect::Rule::CmdInjection.new
           Contrast::Agent::Protect::Rule::Deserialization.new
           Contrast::Agent::Protect::Rule::HttpMethodTampering.new
@@ -150,6 +129,21 @@ module Contrast
           Contrast::Agent::Protect::Rule::Xxe.new
         end
+        # @param exclusions [Contrast::Agent::Reporting::Settings::Exclusions]
+        def update_exclusion_matchers exclusions
+          matchers = []
+          exclusions.url_exclusions.each do |exclusion|
+            matchers << Contrast::Agent::ExclusionMatcher.new(exclusion)
+          end
+          exclusions.input_exclusions.each do |exclusion|
+            matchers << Contrast::Agent::ExclusionMatcher.new(exclusion)
+          end
+          exclusions.code_exclusions.each do |exclusion|
+            matchers << Contrast::Agent::ExclusionMatcher.new(exclusion)
+          end
+          @excluder = Contrast::Agent::Excluder.new(matchers)
+        end
         # Update the sensitive data masking policy from settings,
         # received from TS. In case the settings are empty,
         # keep current ones.
@@ -170,44 +164,6 @@ module Contrast
         private
-        # @param response [Contrast::Agent::Reporting::Response]
-        def update_from_response response
-          if (server_features = response.server_features)
-            update_server_features(server_features)
-          end
-          return unless (app_settings = response.application_settings)
-          update_application_settings(app_settings)
-        end
-        # @param server_features [Contrast::Agent::Reporting::Settings::FeatureSettings]
-        def update_server_features server_features
-          return unless server_features
-          log_file = server_features.log_file
-          log_level = server_features.log_level
-          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
-          @protect_state.enabled = server_features.protect.enabled?
-          @assess_state.enabled = server_features.assess.enabled?
-          @assess_state.sampling_settings = server_features.assess.sampling
-          @last_server_update_ms = Contrast::Utils::Timer.now_ms
-        end
-        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
-        def update_application_settings app_settings
-          return unless app_settings
-          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
-          # TODO: RUBY-1438 this needs to be translated
-          # @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
-          update_sensitive_data_policy(app_settings.sensitive_data_masking)
-          @assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
-          if app_settings.assess.session_id && !app_settings.assess.session_id.blank?
-            @assess_state.session_id = app_settings.assess.session_id
-          end
-          @last_app_update_ms = Contrast::Utils::Timer.now_ms
-        end
         # check if settings are empty and return true if so.
         #
         # @param settings [String, Boolean, Array, Hash]

data/lib/contrast/config/base_configuration.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Contrast
       extend Forwardable
       AT_UNDERSCORE = '@_'
-      def to_hash
+      def to_contrast_hash
         hsh = {}
         instance_variables.each do |iv|
           # strip the '@' of '@_' to get the key

data/lib/contrast/config/protect_rule_configuration.rb CHANGED Viewed

@@ -33,24 +33,24 @@ module Contrast
       end
       # To convert the user input mode from config to a standard format used by TS & SR, we need to convert the given
-      # String to its Contrast::Api::Settings::ProtectionRule::Mode equivalent. If a nonsense value is provided, it'll
+      # String to its recognized symbol equivalent. If a nonsense value is provided, it'll
       # be treated the same as disabling the rule.
       #
-      # @return [Contrast::Api::Settings::ProtectionRule::Mode, nil]
+      # @return [Symbol]
       def applicable_mode
         return unless mode
         case mode
         when 'permit'
-          Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+          :PERMIT
         when 'block_at_perimeter'
-          Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
+          :BLOCK_AT_PERIMETER
         when 'block'
-          Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
+          :BLOCK
         when 'monitor'
-          Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
+          :MONITOR
         else
-          Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+          :NO_ACTION
         end
       end
     end