contrast-agent 6.6.5 → 6.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +3 -0
- data/.gitmodules +0 -3
- data/ext/cs__scope/cs__scope.c +1 -1
- data/lib/contrast/agent/assess/contrast_event.rb +2 -24
- data/lib/contrast/agent/assess/events/source_event.rb +7 -61
- data/lib/contrast/agent/assess/finalizers/hash.rb +11 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +0 -55
- data/lib/contrast/agent/assess/policy/policy_node.rb +3 -3
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +0 -1
- data/lib/contrast/agent/assess/policy/propagation_node.rb +4 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +24 -1
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -5
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +6 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +36 -132
- data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -3
- data/lib/contrast/agent/assess/property/evented.rb +2 -12
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +42 -84
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +11 -27
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +77 -62
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +6 -1
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +5 -5
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +1 -7
- data/lib/contrast/agent/excluder.rb +206 -0
- data/lib/contrast/agent/exclusion_matcher.rb +6 -0
- data/lib/contrast/agent/inventory/database_config.rb +6 -10
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +4 -0
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -0
- data/lib/contrast/agent/protect/rule/base.rb +49 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +1 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +18 -105
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +129 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +169 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -1
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +51 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb +67 -0
- data/lib/contrast/agent/protect/rule/sqli.rb +6 -31
- data/lib/contrast/agent/protect/rule/xxe.rb +2 -0
- data/lib/contrast/agent/protect/rule.rb +3 -1
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +6 -0
- data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb +22 -0
- data/lib/contrast/agent/reporting/reporter.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +1 -4
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -23
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +19 -49
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +12 -9
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +23 -21
- data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb +5 -18
- data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb +1 -0
- data/lib/contrast/{api/decorators/trace_taint_range_tags.rb → agent/reporting/reporting_events/finding_event_taint_range_tags.rb} +7 -6
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +10 -14
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +11 -0
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +3 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +11 -23
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +8 -26
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +4 -7
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +3 -3
- data/lib/contrast/agent/request.rb +2 -2
- data/lib/contrast/agent/request_context.rb +8 -20
- data/lib/contrast/agent/request_context_extend.rb +15 -36
- data/lib/contrast/agent/request_handler.rb +0 -8
- data/lib/contrast/agent/response.rb +0 -18
- data/lib/contrast/agent/telemetry/events/event.rb +1 -1
- data/lib/contrast/agent/telemetry/events/metric_event.rb +1 -1
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +3 -3
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +2 -3
- data/lib/contrast/api/communication/socket_client.rb +4 -4
- data/lib/contrast/api/communication/speedracer.rb +4 -8
- data/lib/contrast/api/decorators/agent_startup.rb +5 -6
- data/lib/contrast/api/decorators/application_settings.rb +2 -1
- data/lib/contrast/api/decorators/application_startup.rb +6 -6
- data/lib/contrast/api/decorators/message.rb +0 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -6
- data/lib/contrast/api/decorators.rb +0 -6
- data/lib/contrast/api/dtm.pb.rb +0 -489
- data/lib/contrast/components/agent.rb +16 -12
- data/lib/contrast/components/api.rb +10 -10
- data/lib/contrast/components/app_context.rb +3 -3
- data/lib/contrast/components/app_context_extend.rb +1 -1
- data/lib/contrast/components/assess.rb +92 -38
- data/lib/contrast/components/assess_rules.rb +36 -0
- data/lib/contrast/components/config.rb +54 -12
- data/lib/contrast/components/contrast_service.rb +8 -8
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/protect.rb +5 -5
- data/lib/contrast/components/ruby_component.rb +81 -0
- data/lib/contrast/components/sampling.rb +1 -1
- data/lib/contrast/components/security_logger.rb +23 -0
- data/lib/contrast/components/service.rb +55 -0
- data/lib/contrast/components/settings.rb +12 -4
- data/lib/contrast/config/base_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +17 -3
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config.rb +0 -6
- data/lib/contrast/configuration.rb +81 -17
- data/lib/contrast/extension/assess/exec_trigger.rb +3 -1
- data/lib/contrast/extension/assess/marshal.rb +3 -2
- data/lib/contrast/extension/assess/string.rb +0 -1
- data/lib/contrast/extension/extension.rb +1 -1
- data/lib/contrast/framework/base_support.rb +0 -5
- data/lib/contrast/framework/grape/support.rb +1 -23
- data/lib/contrast/framework/manager.rb +0 -10
- data/lib/contrast/framework/rails/support.rb +5 -58
- data/lib/contrast/framework/sinatra/support.rb +2 -21
- data/lib/contrast/logger/cef_log.rb +21 -3
- data/lib/contrast/logger/log.rb +1 -11
- data/lib/contrast/tasks/config.rb +4 -2
- data/lib/contrast/utils/assess/event_limit_utils.rb +5 -8
- data/lib/contrast/utils/assess/trigger_method_utils.rb +10 -18
- data/lib/contrast/utils/findings.rb +6 -5
- data/lib/contrast/utils/hash_digest.rb +9 -24
- data/lib/contrast/utils/hash_digest_extend.rb +6 -6
- data/lib/contrast/utils/invalid_configuration_util.rb +21 -58
- data/lib/contrast/utils/log_utils.rb +32 -8
- data/lib/contrast/utils/net_http_base.rb +2 -2
- data/lib/contrast/utils/patching/policy/patch_utils.rb +3 -2
- data/lib/contrast/utils/stack_trace_utils.rb +0 -25
- data/lib/contrast/utils/string_utils.rb +9 -0
- data/lib/contrast/utils/telemetry_client.rb +13 -7
- data/lib/contrast.rb +5 -10
- metadata +22 -28
- data/lib/contrast/agent/reporting/reporting_events/trace_event_source.rb +0 -30
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +0 -36
- data/lib/contrast/api/decorators/activity.rb +0 -33
- data/lib/contrast/api/decorators/architecture_component.rb +0 -36
- data/lib/contrast/api/decorators/finding.rb +0 -29
- data/lib/contrast/api/decorators/route_coverage.rb +0 -91
- data/lib/contrast/api/decorators/trace_event.rb +0 -120
- data/lib/contrast/api/decorators/trace_event_object.rb +0 -63
- data/lib/contrast/api/decorators/trace_event_signature.rb +0 -69
- data/lib/contrast/api/decorators/trace_taint_range.rb +0 -52
- data/lib/contrast/config/assess_configuration.rb +0 -93
- data/lib/contrast/config/assess_rules_configuration.rb +0 -32
- data/lib/contrast/config/root_configuration.rb +0 -90
- data/lib/contrast/config/ruby_configuration.rb +0 -81
- data/lib/contrast/config/service_configuration.rb +0 -49
- data/lib/contrast/utils/preflight_util.rb +0 -13
|
@@ -5,6 +5,7 @@ require 'socket'
|
|
|
5
5
|
require 'contrast/agent/version'
|
|
6
6
|
require 'contrast/utils/object_share'
|
|
7
7
|
require 'contrast/logger/aliased_logging'
|
|
8
|
+
require 'fileutils'
|
|
8
9
|
|
|
9
10
|
module Contrast
|
|
10
11
|
module Utils
|
|
@@ -18,6 +19,17 @@ module Contrast
|
|
|
18
19
|
PROGNAME = 'Contrast Agent'
|
|
19
20
|
DATE_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%L%z'
|
|
20
21
|
|
|
22
|
+
# StringIO is a valid path because it logs directly to a string buffer
|
|
23
|
+
def write_permission? path
|
|
24
|
+
return false if path.nil?
|
|
25
|
+
return true if path.is_a?(StringIO)
|
|
26
|
+
return File.writable?(path) if File.exist?(path)
|
|
27
|
+
|
|
28
|
+
dir_name = File.dirname(File.absolute_path(path))
|
|
29
|
+
FileUtils.mkdir_p(dir_name) unless Dir.exist?(dir_name)
|
|
30
|
+
File.writable?(dir_name)
|
|
31
|
+
end
|
|
32
|
+
|
|
21
33
|
private
|
|
22
34
|
|
|
23
35
|
def build path: STDOUT_STR, level_const: DEFAULT_LEVEL, progname: PROGNAME
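Review bot: `write_permission?` raises instead of answering false when the configured path's parent cannot be created: `FileUtils.mkdir_p(dir_name)` propagates `Errno::EACCES`/`Errno::EROFS`, so the `elsif write_permission?(default_name)` fallback in `valid_path` further down this file is never reached for exactly the case it exists for. It is also not a pure check — it creates the whole directory tree of whatever `agent.logger.path` was configured, so a typo in that setting leaves directories behind; that deserves at least a comment such as `# NOTE: creates the missing parent directory as a side effect`. Wrapping the `mkdir_p` in a `rescue SystemCallError` that returns false fixes the first point. Minor: the rest of this gem uses `cs__is_a?` for type checks, so `path.is_a?(StringIO)` is the odd one out.
```ruby
# … unchanged: nil / StringIO / existing-path guards …
dir_name = File.dirname(File.absolute_path(path))
begin
  FileUtils.mkdir_p(dir_name) unless Dir.exist?(dir_name)
rescue SystemCallError
  return false # unwritable or read-only parent: answer false instead of raising
end
File.writable?(dir_name)
```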
|
|
@@ -48,26 +60,26 @@ module Contrast
|
|
|
48
60
|
# TeamServer.
|
|
49
61
|
# @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
|
|
50
62
|
def find_valid_path log_file
|
|
51
|
-
config = ::Contrast::CONFIG.
|
|
63
|
+
config = ::Contrast::CONFIG.agent.logger
|
|
52
64
|
config_path = config&.path&.length.to_i.positive? ? config.path : nil
|
|
53
65
|
valid_path(config_path || log_file)
|
|
54
66
|
end
|
|
55
67
|
|
|
56
|
-
def valid_path path
|
|
68
|
+
def valid_path path, default_name: DEFAULT_NAME
|
|
57
69
|
path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
|
|
58
70
|
return path if path == STDOUT_STR
|
|
59
71
|
return path if path == STDERR_STR
|
|
60
72
|
|
|
61
|
-
path =
|
|
73
|
+
path = default_name if path.empty?
|
|
62
74
|
if write_permission?(path)
|
|
63
75
|
path
|
|
64
|
-
elsif write_permission?(
|
|
76
|
+
elsif write_permission?(default_name)
|
|
65
77
|
# Log once when the path is invalid. We'll change to this path, so no
|
|
66
78
|
# need to log again.
|
|
67
|
-
if previous_path !=
|
|
68
|
-
$stdout.puts("[!] Unable to write to '#{ path }'. Writing to default log '#{
|
|
79
|
+
if previous_path != default_name
|
|
80
|
+
$stdout.puts("[!] Unable to write to '#{ path }'. Writing to default log '#{ default_name }' instead.")
|
|
69
81
|
end
|
|
70
|
-
|
|
82
|
+
default_name
|
|
71
83
|
else
|
|
72
84
|
# Log once when the path is invalid. We'll change to this path, so no
|
|
73
85
|
# need to log again.
|
|
@@ -82,7 +94,7 @@ module Contrast
|
|
|
82
94
|
# TeamServer.
|
|
83
95
|
# @return [::Ougai::Logging::Severity] the level at which to log
|
|
84
96
|
def find_valid_level log_level
|
|
85
|
-
config = ::Contrast::CONFIG.
|
|
97
|
+
config = ::Contrast::CONFIG.agent.logger
|
|
86
98
|
config_level = config&.level&.length&.positive? ? config.level : nil
|
|
87
99
|
|
|
88
100
|
valid_level(config_level || log_level)
|
|
@@ -167,6 +179,18 @@ module Contrast
|
|
|
167
179
|
end
|
|
168
180
|
end
|
|
169
181
|
|
|
182
|
+
def valid_level level
|
|
183
|
+
level ||= DEFAULT_LEVEL
|
|
184
|
+
level = level.upcase
|
|
185
|
+
if VALID_LEVELS.include?(level)
|
|
186
|
+
Object.cs__const_get("::Logger::Severity::#{ level }")
|
|
187
|
+
else
|
|
188
|
+
DEFAULT_LEVEL
|
|
189
|
+
end
|
|
190
|
+
rescue StandardError
|
|
191
|
+
DEFAULT_LEVEL
|
|
192
|
+
end
|
|
193
|
+
|
|
170
194
|
# This method will extract the metadata information from context and other places
|
|
171
195
|
#
|
|
172
196
|
# initial structure of the data:
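Review bot: `valid_level` swallows every `StandardError` and silently returns `DEFAULT_LEVEL`, so a bad `agent.logger.level` (an unknown name, or a non-String value that makes `level.upcase` raise) gives the operator no signal, whereas `valid_path` in the same file prints `[!] Unable to write to ...` when it falls back. As far as the visible body shows, `level.upcase` is the only statement that can raise once `VALID_LEVELS.include?` gates the `cs__const_get`, so `rescue NoMethodError` would be the honest scope, paired with a one-time `$stdout.puts` notice like the path fallback. The method is also undocumented; I would add `# @param level [String, nil] a case-insensitive ::Logger::Severity name` and `# @return [::Logger::Severity] the matching constant, or DEFAULT_LEVEL when the name is unknown or the lookup fails`.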
|
|
@@ -26,10 +26,10 @@ module Contrast
|
|
|
26
26
|
return unless url
|
|
27
27
|
|
|
28
28
|
addr = URI(url)
|
|
29
|
-
# the proxy is enabled only if there is provided url even if the enable is set to true
|
|
30
29
|
return if addr.host.nil? || addr.port.nil?
|
|
31
|
-
return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')
|
|
30
|
+
return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')
|
|
32
31
|
|
|
32
|
+
# the proxy is enabled only if there is provided url even if the enable is set to true
|
|
33
33
|
proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
|
|
34
34
|
net_http_client = initialize_client(addr, proxy_addr, use_proxy, use_custom_cert)
|
|
35
35
|
return if net_http_client.nil?
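Review bot: The plaintext-HTTP allowance on `return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')` is a substring test, so any host that merely contains `localhost` (for example `localhost.example.com` or `notlocalhost`) is accepted over `http://`, and whatever the caller attaches to the request is then sent unencrypted to it. If the intent is to permit only a local development endpoint, compare exactly: `return if addr.scheme != 'https' && addr.host.to_s != 'localhost'` (extend to `127.0.0.1` if loopback IPs are expected). The enclosing method starts before this hunk, so I cannot see where `url` originates; if it is purely operator configuration the exposure is misconfiguration rather than injection, but the check still does not express the stated intent.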
|
|
@@ -117,7 +117,8 @@ module Contrast
|
|
|
117
117
|
return ret if current_context && !current_context.analyze_request?
|
|
118
118
|
|
|
119
119
|
trigger_node = method_policy.trigger_node
|
|
120
|
-
|
|
120
|
+
|
|
121
|
+
if trigger_node && !trigger_node.nil?
|
|
121
122
|
Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
|
|
122
123
|
end
|
|
123
124
|
if method_policy.source_node
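Review bot: The new guard `if trigger_node && !trigger_node.nil?` is redundant — the second operand is only evaluated when `trigger_node` is truthy, and a truthy value is never nil — so it reads as though two different conditions were intended. `if trigger_node` says the same thing and matches the `if method_policy.source_node` form on the next line. The enclosing method begins before this hunk.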
|
|
@@ -135,7 +136,7 @@ module Contrast
|
|
|
135
136
|
rescue StandardError => e
|
|
136
137
|
logger.error('Unable to assess method call.', e)
|
|
137
138
|
rescue Exception => e # rubocop:disable Lint/RescueException
|
|
138
|
-
logger.error('Unable to assess method call.', e)
|
|
139
|
+
logger.error('Unable to assess method call due to exception.', e)
|
|
139
140
|
raise(e)
|
|
140
141
|
ensure
|
|
141
142
|
ret.rewind if Contrast::Utils::IOUtil.should_rewind?(ret)
|
|
@@ -50,31 +50,6 @@ module Contrast
|
|
|
50
50
|
build_protect_stack(Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack)
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
-
# Translate a caller array to an array of TraceStacks for TeamServer to
|
|
54
|
-
# display, excluding any Contrast code found.
|
|
55
|
-
#
|
|
56
|
-
# @param stack [Array<String>] the output of Kernel.caller
|
|
57
|
-
# @return [Array<Contrast::Api::Dtm::TraceStack]
|
|
58
|
-
def build_assess_stack_array stack
|
|
59
|
-
converted = []
|
|
60
|
-
return converted unless stack
|
|
61
|
-
|
|
62
|
-
i = 0
|
|
63
|
-
while i < stack.length
|
|
64
|
-
caller_location = stack[i]
|
|
65
|
-
i += 1
|
|
66
|
-
next if caller_location.include?(AGENT_CLASS_MARKER)
|
|
67
|
-
|
|
68
|
-
# To play nice with the way that TeamServer is rendering these
|
|
69
|
-
# values, we only populate the file_name field with exactly what we
|
|
70
|
-
# want them to display
|
|
71
|
-
element = Contrast::Api::Dtm::TraceStack.new
|
|
72
|
-
element.file_name = caller_location
|
|
73
|
-
converted << element
|
|
74
|
-
end
|
|
75
|
-
converted
|
|
76
|
-
end
|
|
77
|
-
|
|
78
53
|
private
|
|
79
54
|
|
|
80
55
|
def reject_caller_entries stack
|
|
@@ -37,12 +37,21 @@ module Contrast
|
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
# Truncate a string to 255 characters max length
|
|
40
|
+
#
|
|
41
|
+
# @param str [String] the string tt truncate
|
|
42
|
+
# @param default [String] what to default to
|
|
43
|
+
# @return [String]
|
|
40
44
|
def truncate str, default = Contrast::Utils::ObjectShare::EMPTY_STRING
|
|
41
45
|
return default if str.nil?
|
|
42
46
|
|
|
43
47
|
str.to_s[0..255]
|
|
44
48
|
end
|
|
45
49
|
|
|
50
|
+
# Cast the given object, which should be a String, into a UTF-8 String for reporting. All given objects will be
|
|
51
|
+
# cast to their to_s form, except nil which will become the ObjectShare::EMPTY_STRING, and then cast.
|
|
52
|
+
#
|
|
53
|
+
# @param str [String, Object, nil]
|
|
54
|
+
# @return [String]
|
|
46
55
|
def force_utf8 str
|
|
47
56
|
return Contrast::Utils::ObjectShare::EMPTY_STRING unless str
|
|
48
57
|
|
|
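Review bot: The new YARD header for `truncate` repeats the claim `Truncate a string to 255 characters max length`, but the body it documents is `str.to_s[0..255]`, an inclusive range that returns up to 256 characters; either the doc should say 256 or the slice should be `str.to_s[0, 255]`. The added `@param str [String] the string tt truncate` line has a typo — `tt` should be `to`. The `force_utf8` header promises a UTF-8 cast, but its body continues outside the hunk so I cannot confirm the description against the code.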
@@ -34,18 +34,12 @@ module Contrast
|
|
|
34
34
|
def build_request event
|
|
35
35
|
return unless valid_event?(event)
|
|
36
36
|
|
|
37
|
-
string_body = if event.cs__is_a?(Contrast::Agent::Telemetry::TelemetryException::Event)
|
|
38
|
-
[event.to_controlled_hash]
|
|
39
|
-
else
|
|
40
|
-
[event.to_hash]
|
|
41
|
-
end
|
|
42
|
-
|
|
43
37
|
header = {
|
|
44
38
|
'User-Agent' => "<#{ Contrast::Utils::ObjectShare::RUBY }>-<#{ Contrast::Agent::VERSION }>",
|
|
45
39
|
'Content-Type' => 'application/json'
|
|
46
40
|
}
|
|
47
41
|
request = Net::HTTP::Post.new(build_path(event), header)
|
|
48
|
-
request.body =
|
|
42
|
+
request.body = get_event_json(event)
|
|
49
43
|
request
|
|
50
44
|
end
|
|
51
45
|
|
|
@@ -97,6 +91,18 @@ module Contrast
|
|
|
97
91
|
path = endpoint == EXCEPTIONS ? Contrast::Agent::Telemetry::TelemetryException::Event.path : event.path
|
|
98
92
|
"#{ Contrast::Agent::Telemetry::Base::URL }#{ endpoint }#{ path }"
|
|
99
93
|
end
|
|
94
|
+
|
|
95
|
+
# Helper Method to get json representation of Telemetry Event data, handles error on to_json
|
|
96
|
+
#
|
|
97
|
+
# @param event [Contrast::Agent::Telemetry::Event, Array<Contrast::Agent::Telemetry::TelemetryException::Event>]
|
|
98
|
+
# @return [String] - JSON
|
|
99
|
+
def get_event_json event
|
|
100
|
+
hsh = [event.to_controlled_hash]
|
|
101
|
+
hsh.to_json
|
|
102
|
+
rescue Exception => e # rubocop:disable Lint/RescueException
|
|
103
|
+
logger.error('Unable to convert TelemetryEvent to JSON string', e, hsh)
|
|
104
|
+
raise(e)
|
|
105
|
+
end
|
|
100
106
|
end
|
|
101
107
|
end
|
|
102
108
|
end
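Review bot: `get_event_json` documents `event` as either a single `Event` or an `Array<TelemetryException::Event>`, but the body calls `event.to_controlled_hash` unconditionally and then wraps the result in a one-element array, so an Array argument raises `NoMethodError`; the `@param` should drop the Array alternative, or the body should become `hsh = Array(event).map(&:to_controlled_hash)`. In the rescue clause `hsh` is still nil when `to_controlled_hash` itself raised, so the logged payload is empty for exactly that failure — logging `event` would be more useful. `rescue Exception` with a re-raise follows the pattern used elsewhere in this gem, but since the method only logs, `rescue StandardError` is sufficient and avoids intercepting `SystemExit`/`SignalException` on the way through.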
|
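--- a/data/lib/contrast.rb
+++ b/data/lib/contrast.rb
@@ -53,13 +53,9 @@ if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
 end
 end
 
-require 'contrast/components/agent'
-require 'contrast/components/api'
-require 'contrast/components/app_context'
 require 'contrast/components/assess'
 require 'contrast/components/config'
 require 'contrast/components/contrast_service'
-require 'contrast/components/inventory'
 require 'contrast/components/logger'
 require 'contrast/components/protect'
 require 'contrast/components/sampling'
@@ -73,15 +69,15 @@ require 'protobuf' # TODO: RUBY-1438
 module Contrast
 CONFIG = Contrast::Components::Config::Interface.new
 SCOPE = Contrast::Components::Scope::Interface.new
-API = CONFIG.
+API = CONFIG.api
 SETTINGS = Contrast::Components::Settings::Interface.new
-ASSESS =
+ASSESS = CONFIG.assess
 PROTECT = Contrast::Components::Protect::Interface.new
-INVENTORY = CONFIG.
-AGENT = CONFIG.
+INVENTORY = CONFIG.inventory
+AGENT = CONFIG.agent
 LOGGER = AGENT.logger
 CONTRAST_SERVICE = Contrast::Components::ContrastService::Interface.new
-APP_CONTEXT = CONFIG.
+APP_CONTEXT = CONFIG.application
 end
 
 module Contrast
@@ -95,7 +91,6 @@ require 'contrast/agent/version'
 
 # shared utils
 require 'contrast/utils/timer'
-require 'contrast/utils/preflight_util'
 
 require 'contrast/utils/assess/sampling_util'
 require 'contrast/agent'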
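Review bot: The hunk at `@@ -53,13 +53,9` drops `require 'contrast/components/agent'`, `.../api`, `.../app_context` and `.../inventory`, yet the constants below still dereference `CONFIG.api`, `CONFIG.inventory`, `CONFIG.agent` and `CONFIG.application`; this only works if `contrast/components/config` (still required) loads those component interfaces itself, which I cannot see from this page and is worth confirming. A one-line comment above the constants, `# the component interfaces below are loaded by contrast/components/config`, would record that dependency for the next person who trims the require list.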
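--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-version: 6.
+version: 6.7.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-08-
+date: 2022-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -665,22 +665,22 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__tests/extconf.rb
-- ext/cs__assess_module/extconf.rb
-- ext/cs__assess_array/extconf.rb
 - ext/cs__assess_hash/extconf.rb
 - ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_regexp/extconf.rb
-- ext/cs__os_information/extconf.rb
-- ext/cs__assess_test/extconf.rb
 - ext/cs__assess_string/extconf.rb
-- ext/
+- ext/cs__assess_regexp/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
 - ext/cs__assess_string_interpolation/extconf.rb
 - ext/cs__scope/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_module/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
+- ext/cs__assess_test/extconf.rb
+- ext/cs__os_information/extconf.rb
+- ext/cs__assess_array/extconf.rb
+- ext/cs__tests/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -960,6 +960,7 @@ files:
 - lib/contrast/agent/deadzone/policy/deadzone_node.rb
 - lib/contrast/agent/deadzone/policy/policy.rb
 - lib/contrast/agent/disable_reaction.rb
+- lib/contrast/agent/excluder.rb
 - lib/contrast/agent/exclusion_matcher.rb
 - lib/contrast/agent/inventory.rb
 - lib/contrast/agent/inventory/database_config.rb
@@ -997,6 +998,8 @@ files:
 - lib/contrast/agent/protect/rule/base.rb
 - lib/contrast/agent/protect/rule/base_service.rb
 - lib/contrast/agent/protect/rule/cmd_injection.rb
+- lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb
+- lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb
 - lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb
 - lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb
 - lib/contrast/agent/protect/rule/default_scanner.rb
@@ -1012,7 +1015,9 @@ files:
 - lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb
 - lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb
 - lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb
+- lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb
 - lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb
+- lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb
 - lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb
 - lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb
 - lib/contrast/agent/protect/rule/unsafe_file_upload.rb
@@ -1035,6 +1040,7 @@ files:
 - lib/contrast/agent/reporting/details/path_traversal_details.rb
 - lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb
 - lib/contrast/agent/reporting/details/protect_rule_details.rb
+- lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb
 - lib/contrast/agent/reporting/details/sqli_details.rb
 - lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb
 - lib/contrast/agent/reporting/details/virtual_patch_details.rb
@@ -1077,6 +1083,7 @@ files:
 - lib/contrast/agent/reporting/reporting_events/finding_event_source.rb
 - lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb
 - lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb
+- lib/contrast/agent/reporting/reporting_events/finding_event_taint_range_tags.rb
 - lib/contrast/agent/reporting/reporting_events/finding_request.rb
 - lib/contrast/agent/reporting/reporting_events/library_discovery.rb
 - lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb
@@ -1091,10 +1098,8 @@ files:
 - lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb
 - lib/contrast/agent/reporting/reporting_events/server_activity.rb
 - lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb
-- lib/contrast/agent/reporting/reporting_events/trace_event_source.rb
 - lib/contrast/agent/reporting/reporting_utilities/audit.rb
 - lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb
-- lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb
 - lib/contrast/agent/reporting/reporting_utilities/endpoints.rb
 - lib/contrast/agent/reporting/reporting_utilities/headers.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb
@@ -1167,14 +1172,11 @@ files:
 - lib/contrast/api/communication/tcp_socket.rb
 - lib/contrast/api/communication/unix_socket.rb
 - lib/contrast/api/decorators.rb
-- lib/contrast/api/decorators/activity.rb
 - lib/contrast/api/decorators/address.rb
 - lib/contrast/api/decorators/agent_startup.rb
 - lib/contrast/api/decorators/application_settings.rb
 - lib/contrast/api/decorators/application_startup.rb
-- lib/contrast/api/decorators/architecture_component.rb
 - lib/contrast/api/decorators/bot_blocker.rb
-- lib/contrast/api/decorators/finding.rb
 - lib/contrast/api/decorators/http_request.rb
 - lib/contrast/api/decorators/input_analysis.rb
 - lib/contrast/api/decorators/instrumentation_mode.rb
@@ -1182,13 +1184,7 @@ files:
 - lib/contrast/api/decorators/message.rb
 - lib/contrast/api/decorators/rasp_rule_sample.rb
 - lib/contrast/api/decorators/response_type.rb
-- lib/contrast/api/decorators/route_coverage.rb
 - lib/contrast/api/decorators/server_features.rb
-- lib/contrast/api/decorators/trace_event.rb
-- lib/contrast/api/decorators/trace_event_object.rb
-- lib/contrast/api/decorators/trace_event_signature.rb
-- lib/contrast/api/decorators/trace_taint_range.rb
-- lib/contrast/api/decorators/trace_taint_range_tags.rb
 - lib/contrast/api/decorators/user_input.rb
 - lib/contrast/api/decorators/virtual_patch.rb
 - lib/contrast/api/dtm.pb.rb
@@ -1198,6 +1194,7 @@ files:
 - lib/contrast/components/app_context.rb
 - lib/contrast/components/app_context_extend.rb
 - lib/contrast/components/assess.rb
+- lib/contrast/components/assess_rules.rb
 - lib/contrast/components/base.rb
 - lib/contrast/components/config.rb
 - lib/contrast/components/contrast_service.rb
@@ -1205,13 +1202,14 @@ files:
 - lib/contrast/components/inventory.rb
 - lib/contrast/components/logger.rb
 - lib/contrast/components/protect.rb
+- lib/contrast/components/ruby_component.rb
 - lib/contrast/components/sampling.rb
 - lib/contrast/components/scope.rb
+- lib/contrast/components/security_logger.rb
+- lib/contrast/components/service.rb
 - lib/contrast/components/settings.rb
 - lib/contrast/config.rb
 - lib/contrast/config/api_proxy_configuration.rb
-- lib/contrast/config/assess_configuration.rb
-- lib/contrast/config/assess_rules_configuration.rb
 - lib/contrast/config/base_configuration.rb
 - lib/contrast/config/certification_configuration.rb
 - lib/contrast/config/env_variables.rb
@@ -1219,10 +1217,7 @@ files:
 - lib/contrast/config/protect_rule_configuration.rb
 - lib/contrast/config/protect_rules_configuration.rb
 - lib/contrast/config/request_audit_configuration.rb
-- lib/contrast/config/root_configuration.rb
-- lib/contrast/config/ruby_configuration.rb
 - lib/contrast/config/server_configuration.rb
-- lib/contrast/config/service_configuration.rb
 - lib/contrast/configuration.rb
 - lib/contrast/extension/assess.rb
 - lib/contrast/extension/assess/array.rb
@@ -1298,7 +1293,6 @@ files:
 - lib/contrast/utils/os.rb
 - lib/contrast/utils/patching/policy/patch_utils.rb
 - lib/contrast/utils/patching/policy/patcher_utils.rb
-- lib/contrast/utils/preflight_util.rb
 - lib/contrast/utils/request_utils.rb
 - lib/contrast/utils/resource_loader.rb
 - lib/contrast/utils/response_utils.rb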
@@ -1,30 +0,0 @@
|
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
-
# frozen_string_literal: true
|
|
3
|
-
|
|
4
|
-
require 'json'
|
|
5
|
-
require 'contrast/components/logger'
|
|
6
|
-
require 'contrast/utils/object_share'
|
|
7
|
-
|
|
8
|
-
module Contrast
|
|
9
|
-
module Agent
|
|
10
|
-
module Reporting
|
|
11
|
-
# This is the new Trace Event Source class which will include all the needed information for the new reporting
|
|
12
|
-
# system to relay this information in the Route Observation messages.
|
|
13
|
-
class TraceEventSource
|
|
14
|
-
attr_accessor :name, :type
|
|
15
|
-
|
|
16
|
-
def initialize
|
|
17
|
-
@name = Contrast::Utils::ObjectShare::EMPTY_STRING
|
|
18
|
-
@type = Contrast::Utils::ObjectShare::EMPTY_STRING
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
def to_controlled_hash
|
|
22
|
-
{
|
|
23
|
-
name: @name,
|
|
24
|
-
type: @type
|
|
25
|
-
}
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
end
|
|
29
|
-
end
|
|
30
|
-
end
|
|
@@ -1,36 +0,0 @@
|
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
-
# frozen_string_literal: true
|
|
3
|
-
|
|
4
|
-
require 'contrast/agent/reporting/reporting_events/application_activity'
|
|
5
|
-
require 'contrast/api/dtm.pb'
|
|
6
|
-
|
|
7
|
-
module Contrast
|
|
8
|
-
module Agent
|
|
9
|
-
module Reporting
|
|
10
|
-
# Util module for checking DTM message type. It temporarily allows for the conversion from a DTM to an
|
|
11
|
-
# EventReport.
|
|
12
|
-
# TODO: RUBY-1438 -- remove
|
|
13
|
-
module DtmMessage
|
|
14
|
-
class << self
|
|
15
|
-
# @param dtm [Contrast::Api::Dtm::Finding,Object]
|
|
16
|
-
# @return [Boolean]
|
|
17
|
-
def finding? dtm
|
|
18
|
-
dtm.cs__is_a?(Contrast::Api::Dtm::Finding)
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
# Converts DTM message to Reporting Event for those messages that have conversion methods crated. We use this
|
|
22
|
-
# as we work to move away from requiring the Service.
|
|
23
|
-
#
|
|
24
|
-
# @param dtm [Contrast::Api::Dtm]
|
|
25
|
-
# @return event [Contrast::Agent::Reporting::ReportingEvent, nil]
|
|
26
|
-
def dtm_to_event dtm
|
|
27
|
-
# For the others, we convert them.
|
|
28
|
-
return Contrast::Agent::Reporting::Finding.convert(dtm) if finding?(dtm)
|
|
29
|
-
|
|
30
|
-
nil
|
|
31
|
-
end
|
|
32
|
-
end
|
|
33
|
-
end
|
|
34
|
-
end
|
|
35
|
-
end
|
|
36
|
-
end
|
|
@@ -1,33 +0,0 @@
|
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
-
# frozen_string_literal: true
|
|
3
|
-
|
|
4
|
-
require 'contrast/utils/string_utils'
|
|
5
|
-
|
|
6
|
-
module Contrast
|
|
7
|
-
module Api
|
|
8
|
-
module Decorators
|
|
9
|
-
# Used to decorate the {Contrast::Api::Dtm::Activity} protobuf model
|
|
10
|
-
# to handle conversion between framework route classes and the dtm.
|
|
11
|
-
module Activity
|
|
12
|
-
def self.included klass
|
|
13
|
-
klass.extend(ClassMethods)
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
# Class methods for Activity
|
|
17
|
-
module ClassMethods
|
|
18
|
-
def source_or_string obj
|
|
19
|
-
if obj.cs__is_a?(Regexp)
|
|
20
|
-
obj.source
|
|
21
|
-
elsif obj.cs__respond_to?(:safe_string)
|
|
22
|
-
obj.safe_string
|
|
23
|
-
else
|
|
24
|
-
obj.to_s
|
|
25
|
-
end
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
end
|
|
29
|
-
end
|
|
30
|
-
end
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
Contrast::Api::Dtm::Activity.include(Contrast::Api::Decorators::Activity)
|
|
@@ -1,36 +0,0 @@
|
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
-
# frozen_string_literal: true
|
|
3
|
-
|
|
4
|
-
require 'contrast/utils/string_utils'
|
|
5
|
-
|
|
6
|
-
module Contrast
|
|
7
|
-
module Api
|
|
8
|
-
module Decorators
|
|
9
|
-
# Used to decorate the {Contrast::Api::Dtm::ArchitectureComponent} protobuf model so it can own some of the data
|
|
10
|
-
# massaging required for AppUpdate and Activity dtms.
|
|
11
|
-
module ArchitectureComponent
|
|
12
|
-
def self.included klass
|
|
13
|
-
klass.extend(ClassMethods)
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
# Used to add class methods to the ApplicationUpdate class on inclusion of the decorator
|
|
17
|
-
module ClassMethods
|
|
18
|
-
# TeamServer only accepts certain values for ArchitectureComponents.
|
|
19
|
-
# DO NOT CHANGE THIS!
|
|
20
|
-
AC_TYPE_DB = 'db'
|
|
21
|
-
|
|
22
|
-
# Create a Contrast::Api::Dtm::ArchitectureComponent of the database type.
|
|
23
|
-
#
|
|
24
|
-
# @return [Contrast::Api::Dtm::ArchitectureComponent]
|
|
25
|
-
def build_database
|
|
26
|
-
msg = Contrast::Api::Dtm::ArchitectureComponent.new
|
|
27
|
-
msg.type = AC_TYPE_DB
|
|
28
|
-
msg
|
|
29
|
-
end
|
|
30
|
-
end
|
|
31
|
-
end
|
|
32
|
-
end
|
|
33
|
-
end
|
|
34
|
-
end
|
|
35
|
-
|
|
36
|
-
Contrast::Api::Dtm::ArchitectureComponent.include(Contrast::Api::Decorators::ArchitectureComponent)
|
|
@@ -1,29 +0,0 @@
|
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
-
# frozen_string_literal: true
|
|
3
|
-
|
|
4
|
-
require 'contrast/api/dtm.pb'
|
|
5
|
-
require 'contrast/utils/string_utils'
|
|
6
|
-
require 'contrast/components/base'
|
|
7
|
-
|
|
8
|
-
module Contrast
|
|
9
|
-
module Api
|
|
10
|
-
module Decorators
|
|
11
|
-
# Used to decorate the {Contrast::Api::Dtm::Finding} protobuf
|
|
12
|
-
# model so it can own the request which its data is for.
|
|
13
|
-
module Finding
|
|
14
|
-
def self.included klass
|
|
15
|
-
klass.extend(ClassMethods)
|
|
16
|
-
end
|
|
17
|
-
|
|
18
|
-
# Used to add class methods to the AgentStartup class on inclusion of the decorator
|
|
19
|
-
module ClassMethods
|
|
20
|
-
def build
|
|
21
|
-
new
|
|
22
|
-
end
|
|
23
|
-
end
|
|
24
|
-
end
|
|
25
|
-
end
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
Contrast::Api::Dtm::Finding.include(Contrast::Api::Decorators::Finding)
|