contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/utils/log_utils.rb

@@ -3,7 +3,9 @@
 
 require 'socket'
 require 'contrast/agent/version'
+require 'contrast/utils/object_share'
 require 'contrast/logger/aliased_logging'
+require 'fileutils'
 
 module Contrast
   module Utils
@@ -17,6 +19,17 @@ module Contrast
       PROGNAME         = 'Contrast Agent'
       DATE_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%L%z'
 
+      # StringIO is a valid path because it logs directly to a string buffer
+      def write_permission? path
+        return false if path.nil?
+        return true if path.is_a?(StringIO)
+        return File.writable?(path) if File.exist?(path)
+
+        dir_name = File.dirname(File.absolute_path(path))
+        FileUtils.mkdir_p(dir_name) unless Dir.exist?(dir_name)
+        File.writable?(dir_name)
+      end
+
       private
 
       def build path: STDOUT_STR, level_const: DEFAULT_LEVEL, progname: PROGNAME
@@ -47,26 +60,26 @@ module Contrast
       #   TeamServer.
       # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
       def find_valid_path log_file
-        config = ::Contrast::CONFIG.root.agent.logger
+        config = ::Contrast::CONFIG.agent.logger
         config_path = config&.path&.length.to_i.positive? ? config.path : nil
         valid_path(config_path || log_file)
       end
 
-      def valid_path path
+      def valid_path path, default_name: DEFAULT_NAME
         path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
         return path if path == STDOUT_STR
         return path if path == STDERR_STR
 
-        path = DEFAULT_NAME if path.empty?
+        path = default_name if path.empty?
         if write_permission?(path)
           path
-        elsif write_permission?(DEFAULT_NAME)
+        elsif write_permission?(default_name)
           # Log once when the path is invalid. We'll change to this path, so no
           # need to log again.
-          if previous_path != DEFAULT_NAME
-            $stdout.puts("[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead.")
+          if previous_path != default_name
+            $stdout.puts("[!] Unable to write to '#{ path }'. Writing to default log '#{ default_name }' instead.")
           end
-          DEFAULT_NAME
+          default_name
         else
           # Log once when the path is invalid. We'll change to this path, so no
           # need to log again.
@@ -81,7 +94,7 @@ module Contrast
       #   TeamServer.
       # @return [::Ougai::Logging::Severity] the level at which to log
       def find_valid_level log_level
-        config = ::Contrast::CONFIG.root.agent.logger
+        config = ::Contrast::CONFIG.agent.logger
         config_level = config&.level&.length&.positive? ? config.level : nil
 
         valid_level(config_level || log_level)
@@ -166,6 +179,18 @@ module Contrast
         end
       end
 
+      def valid_level level
+        level ||= DEFAULT_LEVEL
+        level = level.upcase
+        if VALID_LEVELS.include?(level)
+          Object.cs__const_get("::Logger::Severity::#{ level }")
+        else
+          DEFAULT_LEVEL
+        end
+      rescue StandardError
+        DEFAULT_LEVEL
+      end
+
       # This method will extract the metadata information from context and other places
       #
       # initial structure of the data:
@@ -175,13 +200,10 @@ module Contrast
       # initially here we will use case to add it
       def extract_metadata rule_id = nil, outcome = nil
         message = []
-        sender_info = context&.activity&.http_request&.sender
+        request = context&.activity&.request
+        sender_info = { ip: request&.ip || Contrast::Utils::ObjectShare::EMPTY_STRING, port: request&.port || 0 }
         rule_id ? message << "pri=#{ rule_id } " : 'asd'
-        request_method = if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
-                           context.request.rack_request.env['REQUEST_METHOD']
-                         else
-                           DEFAULT_METADATA
-                         end
+        request_method = assign_request_method(context)
         app_name = ::Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
         attach_request_and_sender_info(message, sender_info)
         message << "request=#{ context.request.url } "
@@ -198,10 +220,10 @@ module Contrast
         src = if needed_header
                 needed_header
               else
-                sender_info.ip.length > 1 ? sender_info.ip : DEFAULT_METADATA
+                sender_info[:ip].length > 1 ? sender_info[:ip] : DEFAULT_METADATA
               end
         message << "src=#{ src }"
-        message << "port=#{ sender_info.port }"
+        message << "port=#{ sender_info[:port] }"
       end
 
       def extract_ip_address
@@ -216,9 +238,17 @@ module Contrast
       end
 
       def extract_sender_ip
-        request_headers = context.activity.http_request.request_headers&.transform_keys(&:to_s)
+        request_headers = context.activity.request.headers&.transform_keys(&:to_s)
         request_headers['X-Forwarded-For']
       end
+
+      def assign_request_method context
+        if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
+          context.request.rack_request.env['REQUEST_METHOD']
+        else
+          DEFAULT_METADATA
+        end
+      end
     end
   end
 end

data/lib/contrast/utils/net_http_base.rb

@@ -26,10 +26,10 @@ module Contrast
         return unless url
 
         addr = URI(url)
-        # the proxy is enabled only if there is provided url even if the enable is set to true
         return if addr.host.nil? || addr.port.nil?
-        return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost') # TODO: RUBY-99999 allow http w/ localhost # rubocop:disable Layout/LineLength
+        return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')
 
+        # the proxy is enabled only if there is provided url even if the enable is set to true
         proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
         net_http_client = initialize_client(addr, proxy_addr, use_proxy, use_custom_cert)
         return if net_http_client.nil?

data/lib/contrast/utils/os.rb

@@ -13,26 +13,6 @@ module Contrast
       extend Contrast::Components::Scope::InstanceMethods
 
       class << self
-        def running?
-          result = false
-          with_contrast_scope do
-            process = `ps aux | grep contrast-servic[e]`
-            processes = process.split("\n")
-            result = !processes.empty? && processes.any? { |process_descriptor| !process_descriptor.include?('grep') }
-          end
-          result
-        end
-
-        # check if service was killed and is a zombie process
-        # returns an array of zombie process PIDs as strings; empty array if there are none
-        def zombie_pids
-          with_contrast_scope do
-            # retrieve pid of service processes
-            zombie_pid_list = `ps aux | grep contrast-servic[e] | grep Z | awk '{print $2}'`
-            zombie_pid_list.split("\n")
-          end
-        end
-
         # Check current OS type
         # returns true if check is correct or false if not
         def windows?

data/lib/contrast/utils/patching/policy/patch_utils.rb

@@ -117,7 +117,8 @@ module Contrast
           return ret if current_context && !current_context.analyze_request?
 
           trigger_node = method_policy.trigger_node
-          if trigger_node
+
+          if trigger_node && !trigger_node.nil?
             Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
           end
           if method_policy.source_node
@@ -135,7 +136,7 @@ module Contrast
         rescue StandardError => e
           logger.error('Unable to assess method call.', e)
         rescue Exception => e # rubocop:disable Lint/RescueException
-          logger.error('Unable to assess method call.', e)
+          logger.error('Unable to assess method call due to exception.', e)
           raise(e)
         ensure
           ret.rewind if Contrast::Utils::IOUtil.should_rewind?(ret)

data/lib/contrast/utils/response_utils.rb

@@ -7,22 +7,6 @@ module Contrast
     module ResponseUtils
       private
 
-      # From the dtm for normalized_response_headers:
-      #   Key is UPPERCASE_UNDERSCORE
-      #
-      #   Example: Content-Type: text/html; charset=utf-8
-      #   "CONTENT_TYPE" => Content-Type,["text/html; charset=utf8"]
-      def append_pair map, key, value
-        return unless key && value
-        return if value.is_a?(Hash)
-
-        safe_key = Contrast::Utils::StringUtils.force_utf8(key)
-        hash_key = Contrast::Utils::StringUtils.normalized_key(safe_key)
-        map[hash_key] ||= Contrast::Api::Dtm::Pair.new
-        map[hash_key].key = safe_key
-        map[hash_key].values << Contrast::Utils::StringUtils.force_utf8(value)
-      end
-
       HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
 
       # Given some holder of the content of the response's body, extract that

data/lib/contrast/utils/stack_trace_utils.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack'
-require 'contrast/api'
 
 module Contrast
   module Utils
@@ -33,16 +32,7 @@ module Contrast
         end
 
         # Call and translate a caller_locations array to an array of
-        # StackTraceElement for TeamServer to display, excluding any Contrast
-        # code found.
-        #
-        # @return [Array<Contrast::Api::Dtm::StackTraceElement>]
-        def build_protect_stack_array
-          build_protect_stack(Contrast::Api::Dtm::StackTraceElement)
-        end
-
-        # Call and translate a caller_locations array to an array of
-        # StackTraceElement for TeamServer to display, excluding any Contrast
+        # ApplicationDefendAttackSampleStack for TeamServer to display, excluding any Contrast
         # code found.
         #
         # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack>]
@@ -50,31 +40,6 @@ module Contrast
           build_protect_stack(Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack)
         end
 
-        # Translate a caller array to an array of TraceStacks for TeamServer to
-        # display, excluding any Contrast code found.
-        #
-        # @param stack [Array<String>] the output of Kernel.caller
-        # @return [Array<Contrast::Api::Dtm::TraceStack]
-        def build_assess_stack_array stack
-          converted = []
-          return converted unless stack
-
-          i = 0
-          while i < stack.length
-            caller_location = stack[i]
-            i += 1
-            next if caller_location.include?(AGENT_CLASS_MARKER)
-
-            # To play nice with the way that TeamServer is rendering these
-            # values, we only populate the file_name field with exactly what we
-            # want them to display
-            element = Contrast::Api::Dtm::TraceStack.new
-            element.file_name = caller_location
-            converted << element
-          end
-          converted
-        end
-
         private
 
         def reject_caller_entries stack
@@ -84,10 +49,8 @@ module Contrast
           end
         end
 
-        # @param clazz [Class] Contrast::Api::Dtm::StackTraceElement or
-        #   Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack
-        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack|
-        #   Contrast::Api::Dtm::StackTraceElement>]
+        # @param clazz [Class] Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack
+        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack>]
         def build_protect_stack clazz
           stack = caller(3, 21)
           return [] unless stack

data/lib/contrast/utils/string_utils.rb

@@ -22,13 +22,6 @@ module Contrast
           !str.nil? && !str.to_s.empty?
         end
 
-        def protobuf_format data, truncate: true
-          data = data&.to_s
-          data = Contrast::Utils::StringUtils.force_utf8(data)
-          data = Contrast::Utils::StringUtils.truncate(data) if truncate
-          data
-        end
-
         # Protobuf has a very strict typing. Nil is not a String and will throw
         # an exception if you try to set it. Use this to be safe.
         # Uses the object share to avoid creating several new strings per request
@@ -37,12 +30,21 @@ module Contrast
         end
 
         # Truncate a string to 255 characters max length
+        #
+        # @param str [String] the string tt truncate
+        # @param default [String] what to default to
+        # @return [String]
         def truncate str, default = Contrast::Utils::ObjectShare::EMPTY_STRING
           return default if str.nil?
 
           str.to_s[0..255]
         end
 
+        # Cast the given object, which should be a String, into a UTF-8 String for reporting. All given objects will be
+        # cast to their to_s form, except nil which will become the ObjectShare::EMPTY_STRING, and then cast.
+        #
+        # @param str [String, Object, nil]
+        # @return [String]
         def force_utf8 str
           return Contrast::Utils::ObjectShare::EMPTY_STRING unless str
 
@@ -84,6 +86,16 @@ module Contrast
             @_normalized_keys[str] = cut
           end
         end
+
+        # transform string from snake_case to Capitalized Text
+        #
+        # @param str[String] string to transform
+        # @return [String]
+        def transform_string str
+          return unless str
+
+          str.split('-').map(&:capitalize).join(' ')
+        end
       end
     end
   end

data/lib/contrast/utils/telemetry_client.rb

@@ -34,18 +34,12 @@ module Contrast
       def build_request event
         return unless valid_event?(event)
 
-        string_body = if event.cs__is_a?(Contrast::Agent::Telemetry::TelemetryException::Event)
-                        [event.to_controlled_hash]
-                      else
-                        [event.to_hash]
-                      end
-
         header = {
             'User-Agent' => "<#{ Contrast::Utils::ObjectShare::RUBY }>-<#{ Contrast::Agent::VERSION }>",
             'Content-Type' => 'application/json'
         }
         request = Net::HTTP::Post.new(build_path(event), header)
-        request.body = string_body.to_json
+        request.body = get_event_json(event)
         request
       end
 
@@ -97,6 +91,18 @@ module Contrast
         path = endpoint == EXCEPTIONS ? Contrast::Agent::Telemetry::TelemetryException::Event.path : event.path
         "#{ Contrast::Agent::Telemetry::Base::URL }#{ endpoint }#{ path }"
       end
+
+      # Helper Method to get json representation of Telemetry Event data, handles error on to_json
+      #
+      # @param event [Contrast::Agent::Telemetry::Event, Array<Contrast::Agent::Telemetry::TelemetryException::Event>]
+      # @return [String] - JSON
+      def get_event_json event
+        hsh = [event.to_controlled_hash]
+        hsh.to_json
+      rescue Exception => e # rubocop:disable Lint/RescueException
+        logger.error('Unable to convert TelemetryEvent to JSON string', e, hsh)
+        raise(e)
+      end
     end
   end
 end

data/lib/contrast.rb

@@ -53,13 +53,8 @@ if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
   end
 end
 
-require 'contrast/components/agent'
-require 'contrast/components/api'
-require 'contrast/components/app_context'
 require 'contrast/components/assess'
 require 'contrast/components/config'
-require 'contrast/components/contrast_service'
-require 'contrast/components/inventory'
 require 'contrast/components/logger'
 require 'contrast/components/protect'
 require 'contrast/components/sampling'
@@ -68,20 +63,20 @@ require 'contrast/components/settings'
 require 'contrast/utils/telemetry_hash'
 require 'contrast/utils/telemetry'
 require 'contrast/agent/telemetry/events/exceptions/telemetry_exception_event'
-require 'protobuf' # TODO: RUBY-1438
+require 'contrast/agent_lib/interface'
 
 module Contrast
   CONFIG = Contrast::Components::Config::Interface.new
   SCOPE = Contrast::Components::Scope::Interface.new
-  API = CONFIG.root.api
+  API = CONFIG.api
   SETTINGS = Contrast::Components::Settings::Interface.new
-  ASSESS = Contrast::Components::Assess::Interface.new
+  ASSESS = CONFIG.assess
   PROTECT = Contrast::Components::Protect::Interface.new
-  INVENTORY = CONFIG.root.inventory
-  AGENT = CONFIG.root.agent
+  INVENTORY = CONFIG.inventory
+  AGENT = CONFIG.agent
   LOGGER = AGENT.logger
-  CONTRAST_SERVICE = Contrast::Components::ContrastService::Interface.new
-  APP_CONTEXT = CONFIG.root.application
+  AGENT_LIB = Contrast::AgentLib::Interface.new
+  APP_CONTEXT = CONFIG.application
 end
 
 module Contrast
@@ -95,7 +90,6 @@ require 'contrast/agent/version'
 
 # shared utils
 require 'contrast/utils/timer'
-require 'contrast/utils/preflight_util'
 
 require 'contrast/utils/assess/sampling_util'
 require 'contrast/agent'

data/resources/protect/policy.json

@@ -251,8 +251,7 @@
           }
         }
       ]
-    },
-    {
+    }, {
       "name": "sql-injection",
       "applicator": "Contrast::Agent::Protect::Policy::AppliesSqliRule",
       "applicator_method": "apply_rule",

data/ruby-agent.gemspec

@@ -117,7 +117,8 @@ end
 def self.add_dependencies spec
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
   spec.add_dependency 'rack', '~> 2.0'
-  spec.add_dependency 'activesupport', '>= 3.2' # TODO: RUBY-1438 remove w/ protobuf code
+  spec.add_dependency 'contrast-agent-lib', '~> 0.1.0'
+  spec.add_dependency 'ffi', '~> 1.0'
 end
 
 # Enumerate the files required to build the Agent.
@@ -136,9 +137,6 @@ def self.add_files spec
         f.match(/(.*\.ya?ml)/)
   end
 
-  spec.files << 'lib/contrast/api/dtm.pb.rb'
-  spec.files << 'lib/contrast/api/settings.pb.rb'
-  spec.files += Dir['service_executables/**/*']
   spec.files += Dir['funchook/**/*']
   spec.files += Dir['shared_libraries/**/*']
 
@@ -179,7 +177,6 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ['>= 2.7.0', '< 3.2.0']
 
   spec.bindir        = 'exe'
-  spec.executables   = ['contrast_service']
   # Keep cs__common first, it handles funchook.h right now.
   spec.extensions = Dir['ext/cs__common/extconf.rb', 'ext/**/extconf.rb']
   spec.require_paths = ['lib']