contrast-agent 6.6.5 → 6.7.0
- checksums.yaml +4 -4
- data/.gitignore +3 -0
- data/.gitmodules +0 -3
- data/ext/cs__scope/cs__scope.c +1 -1
- data/lib/contrast/agent/assess/contrast_event.rb +2 -24
- data/lib/contrast/agent/assess/events/source_event.rb +7 -61
- data/lib/contrast/agent/assess/finalizers/hash.rb +11 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +0 -55
- data/lib/contrast/agent/assess/policy/policy_node.rb +3 -3
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +0 -1
- data/lib/contrast/agent/assess/policy/propagation_node.rb +4 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +24 -1
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -5
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +6 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +36 -132
- data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -3
- data/lib/contrast/agent/assess/property/evented.rb +2 -12
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +42 -84
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +11 -27
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +77 -62
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +6 -1
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +5 -5
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +1 -7
- data/lib/contrast/agent/excluder.rb +206 -0
- data/lib/contrast/agent/exclusion_matcher.rb +6 -0
- data/lib/contrast/agent/inventory/database_config.rb +6 -10
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +4 -0
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -0
- data/lib/contrast/agent/protect/rule/base.rb +49 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +1 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +18 -105
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +129 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +169 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -1
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +51 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb +67 -0
- data/lib/contrast/agent/protect/rule/sqli.rb +6 -31
- data/lib/contrast/agent/protect/rule/xxe.rb +2 -0
- data/lib/contrast/agent/protect/rule.rb +3 -1
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +6 -0
- data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb +22 -0
- data/lib/contrast/agent/reporting/reporter.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +1 -4
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -23
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +19 -49
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +12 -9
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +23 -21
- data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb +5 -18
- data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb +1 -0
- data/lib/contrast/{api/decorators/trace_taint_range_tags.rb → agent/reporting/reporting_events/finding_event_taint_range_tags.rb} +7 -6
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +10 -14
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +11 -0
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +3 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +11 -23
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +8 -26
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +4 -7
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +3 -3
- data/lib/contrast/agent/request.rb +2 -2
- data/lib/contrast/agent/request_context.rb +8 -20
- data/lib/contrast/agent/request_context_extend.rb +15 -36
- data/lib/contrast/agent/request_handler.rb +0 -8
- data/lib/contrast/agent/response.rb +0 -18
- data/lib/contrast/agent/telemetry/events/event.rb +1 -1
- data/lib/contrast/agent/telemetry/events/metric_event.rb +1 -1
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +3 -3
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +2 -3
- data/lib/contrast/api/communication/socket_client.rb +4 -4
- data/lib/contrast/api/communication/speedracer.rb +4 -8
- data/lib/contrast/api/decorators/agent_startup.rb +5 -6
- data/lib/contrast/api/decorators/application_settings.rb +2 -1
- data/lib/contrast/api/decorators/application_startup.rb +6 -6
- data/lib/contrast/api/decorators/message.rb +0 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -6
- data/lib/contrast/api/decorators.rb +0 -6
- data/lib/contrast/api/dtm.pb.rb +0 -489
- data/lib/contrast/components/agent.rb +16 -12
- data/lib/contrast/components/api.rb +10 -10
- data/lib/contrast/components/app_context.rb +3 -3
- data/lib/contrast/components/app_context_extend.rb +1 -1
- data/lib/contrast/components/assess.rb +92 -38
- data/lib/contrast/components/assess_rules.rb +36 -0
- data/lib/contrast/components/config.rb +54 -12
- data/lib/contrast/components/contrast_service.rb +8 -8
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/protect.rb +5 -5
- data/lib/contrast/components/ruby_component.rb +81 -0
- data/lib/contrast/components/sampling.rb +1 -1
- data/lib/contrast/components/security_logger.rb +23 -0
- data/lib/contrast/components/service.rb +55 -0
- data/lib/contrast/components/settings.rb +12 -4
- data/lib/contrast/config/base_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +17 -3
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config.rb +0 -6
- data/lib/contrast/configuration.rb +81 -17
- data/lib/contrast/extension/assess/exec_trigger.rb +3 -1
- data/lib/contrast/extension/assess/marshal.rb +3 -2
- data/lib/contrast/extension/assess/string.rb +0 -1
- data/lib/contrast/extension/extension.rb +1 -1
- data/lib/contrast/framework/base_support.rb +0 -5
- data/lib/contrast/framework/grape/support.rb +1 -23
- data/lib/contrast/framework/manager.rb +0 -10
- data/lib/contrast/framework/rails/support.rb +5 -58
- data/lib/contrast/framework/sinatra/support.rb +2 -21
- data/lib/contrast/logger/cef_log.rb +21 -3
- data/lib/contrast/logger/log.rb +1 -11
- data/lib/contrast/tasks/config.rb +4 -2
- data/lib/contrast/utils/assess/event_limit_utils.rb +5 -8
- data/lib/contrast/utils/assess/trigger_method_utils.rb +10 -18
- data/lib/contrast/utils/findings.rb +6 -5
- data/lib/contrast/utils/hash_digest.rb +9 -24
- data/lib/contrast/utils/hash_digest_extend.rb +6 -6
- data/lib/contrast/utils/invalid_configuration_util.rb +21 -58
- data/lib/contrast/utils/log_utils.rb +32 -8
- data/lib/contrast/utils/net_http_base.rb +2 -2
- data/lib/contrast/utils/patching/policy/patch_utils.rb +3 -2
- data/lib/contrast/utils/stack_trace_utils.rb +0 -25
- data/lib/contrast/utils/string_utils.rb +9 -0
- data/lib/contrast/utils/telemetry_client.rb +13 -7
- data/lib/contrast.rb +5 -10
- metadata +22 -28
- data/lib/contrast/agent/reporting/reporting_events/trace_event_source.rb +0 -30
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +0 -36
- data/lib/contrast/api/decorators/activity.rb +0 -33
- data/lib/contrast/api/decorators/architecture_component.rb +0 -36
- data/lib/contrast/api/decorators/finding.rb +0 -29
- data/lib/contrast/api/decorators/route_coverage.rb +0 -91
- data/lib/contrast/api/decorators/trace_event.rb +0 -120
- data/lib/contrast/api/decorators/trace_event_object.rb +0 -63
- data/lib/contrast/api/decorators/trace_event_signature.rb +0 -69
- data/lib/contrast/api/decorators/trace_taint_range.rb +0 -52
- data/lib/contrast/config/assess_configuration.rb +0 -93
- data/lib/contrast/config/assess_rules_configuration.rb +0 -32
- data/lib/contrast/config/root_configuration.rb +0 -90
- data/lib/contrast/config/ruby_configuration.rb +0 -81
- data/lib/contrast/config/service_configuration.rb +0 -49
- data/lib/contrast/utils/preflight_util.rb +0 -13
@@ -5,6 +5,7 @@ require 'socket'
|
|
5
5
|
require 'contrast/agent/version'
|
6
6
|
require 'contrast/utils/object_share'
|
7
7
|
require 'contrast/logger/aliased_logging'
|
8
|
+
require 'fileutils'
|
8
9
|
|
9
10
|
module Contrast
|
10
11
|
module Utils
|
@@ -18,6 +19,17 @@ module Contrast
|
|
18
19
|
PROGNAME = 'Contrast Agent'
|
19
20
|
DATE_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%L%z'
|
20
21
|
|
22
|
+
# StringIO is a valid path because it logs directly to a string buffer
|
23
|
+
def write_permission? path
|
24
|
+
return false if path.nil?
|
25
|
+
return true if path.is_a?(StringIO)
|
26
|
+
return File.writable?(path) if File.exist?(path)
|
27
|
+
|
28
|
+
dir_name = File.dirname(File.absolute_path(path))
|
29
|
+
FileUtils.mkdir_p(dir_name) unless Dir.exist?(dir_name)
|
30
|
+
File.writable?(dir_name)
|
31
|
+
end
|
32
|
+
|
21
33
|
private
|
22
34
|
|
23
35
|
def build path: STDOUT_STR, level_const: DEFAULT_LEVEL, progname: PROGNAME
|
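Review bot: `write_permission?` can raise instead of answering false: `FileUtils.mkdir_p(dir_name)` propagates `Errno::EACCES`, `Errno::EROFS` or any other `SystemCallError` when the parent directory cannot be created, so `valid_path` never reaches its `default_name` fallback for such a configured path. A predicate with a `?` name should swallow that and report false; add `rescue SystemCallError` followed by `false` just before the method's `end`. It is also worth a comment that the method creates the log directory as a side effect, e.g. `# creates the parent directory of a not-yet-existing log file; returns false when that is not permitted`, since nothing in the name suggests it writes to the filesystem. The enclosing module continues outside the hunk.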
@@ -48,26 +60,26 @@ module Contrast
|
|
48
60
|
# TeamServer.
|
49
61
|
# @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
|
50
62
|
def find_valid_path log_file
|
51
|
-
config = ::Contrast::CONFIG.
|
63
|
+
config = ::Contrast::CONFIG.agent.logger
|
52
64
|
config_path = config&.path&.length.to_i.positive? ? config.path : nil
|
53
65
|
valid_path(config_path || log_file)
|
54
66
|
end
|
55
67
|
|
56
|
-
def valid_path path
|
68
|
+
def valid_path path, default_name: DEFAULT_NAME
|
57
69
|
path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
|
58
70
|
return path if path == STDOUT_STR
|
59
71
|
return path if path == STDERR_STR
|
60
72
|
|
61
|
-
path =
|
73
|
+
path = default_name if path.empty?
|
62
74
|
if write_permission?(path)
|
63
75
|
path
|
64
|
-
elsif write_permission?(
|
76
|
+
elsif write_permission?(default_name)
|
65
77
|
# Log once when the path is invalid. We'll change to this path, so no
|
66
78
|
# need to log again.
|
67
|
-
if previous_path !=
|
68
|
-
$stdout.puts("[!] Unable to write to '#{ path }'. Writing to default log '#{
|
79
|
+
if previous_path != default_name
|
80
|
+
$stdout.puts("[!] Unable to write to '#{ path }'. Writing to default log '#{ default_name }' instead.")
|
69
81
|
end
|
70
|
-
|
82
|
+
default_name
|
71
83
|
else
|
72
84
|
# Log once when the path is invalid. We'll change to this path, so no
|
73
85
|
# need to log again.
|
@@ -82,7 +94,7 @@ module Contrast
|
|
82
94
|
# TeamServer.
|
83
95
|
# @return [::Ougai::Logging::Severity] the level at which to log
|
84
96
|
def find_valid_level log_level
|
85
|
-
config = ::Contrast::CONFIG.
|
97
|
+
config = ::Contrast::CONFIG.agent.logger
|
86
98
|
config_level = config&.level&.length&.positive? ? config.level : nil
|
87
99
|
|
88
100
|
valid_level(config_level || log_level)
|
@@ -167,6 +179,18 @@ module Contrast
|
|
167
179
|
end
|
168
180
|
end
|
169
181
|
|
182
|
+
def valid_level level
|
183
|
+
level ||= DEFAULT_LEVEL
|
184
|
+
level = level.upcase
|
185
|
+
if VALID_LEVELS.include?(level)
|
186
|
+
Object.cs__const_get("::Logger::Severity::#{ level }")
|
187
|
+
else
|
188
|
+
DEFAULT_LEVEL
|
189
|
+
end
|
190
|
+
rescue StandardError
|
191
|
+
DEFAULT_LEVEL
|
192
|
+
end
|
193
|
+
|
170
194
|
# This method will extract the metadata information from context and other places
|
171
195
|
#
|
172
196
|
# initial structure of the data:
|
@@ -26,10 +26,10 @@ module Contrast
|
|
26
26
|
return unless url
|
27
27
|
|
28
28
|
addr = URI(url)
|
29
|
-
# the proxy is enabled only if there is provided url even if the enable is set to true
|
30
29
|
return if addr.host.nil? || addr.port.nil?
|
31
|
-
return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')
|
30
|
+
return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')
|
32
31
|
|
32
|
+
# the proxy is enabled only if there is provided url even if the enable is set to true
|
33
33
|
proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
|
34
34
|
net_http_client = initialize_client(addr, proxy_addr, use_proxy, use_custom_cert)
|
35
35
|
return if net_http_client.nil?
|
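Review bot: The condition `return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')` is a substring test, so any hostname that merely contains `localhost` is accepted over plain http rather than only the loopback name itself. The line predates this change but is re-emitted here, so tightening it to an exact comparison such as `addr.host == 'localhost'` is the cheap fix, and the comment that was moved below it should say what it now guards: `# only https is allowed, except for local development against localhost`. The enclosing method starts and ends outside the hunk.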
@@ -117,7 +117,8 @@ module Contrast
|
|
117
117
|
return ret if current_context && !current_context.analyze_request?
|
118
118
|
|
119
119
|
trigger_node = method_policy.trigger_node
|
120
|
-
|
120
|
+
|
121
|
+
if trigger_node && !trigger_node.nil?
|
121
122
|
Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
|
122
123
|
end
|
123
124
|
if method_policy.source_node
|
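Review bot: `if trigger_node && !trigger_node.nil?` is redundant: the left operand already rejects `nil` (and `false`), so the right operand is always true when it is evaluated. Replace it with `if trigger_node`, which is what the original single-line form expressed; if an additional condition was meant to go there, it is missing from this hunk. The enclosing method starts and ends outside the hunk.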
@@ -135,7 +136,7 @@ module Contrast
|
|
135
136
|
rescue StandardError => e
|
136
137
|
logger.error('Unable to assess method call.', e)
|
137
138
|
rescue Exception => e # rubocop:disable Lint/RescueException
|
138
|
-
logger.error('Unable to assess method call.', e)
|
139
|
+
logger.error('Unable to assess method call due to exception.', e)
|
139
140
|
raise(e)
|
140
141
|
ensure
|
141
142
|
ret.rewind if Contrast::Utils::IOUtil.should_rewind?(ret)
|
@@ -50,31 +50,6 @@ module Contrast
|
|
50
50
|
build_protect_stack(Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack)
|
51
51
|
end
|
52
52
|
|
53
|
-
# Translate a caller array to an array of TraceStacks for TeamServer to
|
54
|
-
# display, excluding any Contrast code found.
|
55
|
-
#
|
56
|
-
# @param stack [Array<String>] the output of Kernel.caller
|
57
|
-
# @return [Array<Contrast::Api::Dtm::TraceStack]
|
58
|
-
def build_assess_stack_array stack
|
59
|
-
converted = []
|
60
|
-
return converted unless stack
|
61
|
-
|
62
|
-
i = 0
|
63
|
-
while i < stack.length
|
64
|
-
caller_location = stack[i]
|
65
|
-
i += 1
|
66
|
-
next if caller_location.include?(AGENT_CLASS_MARKER)
|
67
|
-
|
68
|
-
# To play nice with the way that TeamServer is rendering these
|
69
|
-
# values, we only populate the file_name field with exactly what we
|
70
|
-
# want them to display
|
71
|
-
element = Contrast::Api::Dtm::TraceStack.new
|
72
|
-
element.file_name = caller_location
|
73
|
-
converted << element
|
74
|
-
end
|
75
|
-
converted
|
76
|
-
end
|
77
|
-
|
78
53
|
private
|
79
54
|
|
80
55
|
def reject_caller_entries stack
|
@@ -37,12 +37,21 @@ module Contrast
|
|
37
37
|
end
|
38
38
|
|
39
39
|
# Truncate a string to 255 characters max length
|
40
|
+
#
|
41
|
+
# @param str [String] the string tt truncate
|
42
|
+
# @param default [String] what to default to
|
43
|
+
# @return [String]
|
40
44
|
def truncate str, default = Contrast::Utils::ObjectShare::EMPTY_STRING
|
41
45
|
return default if str.nil?
|
42
46
|
|
43
47
|
str.to_s[0..255]
|
44
48
|
end
|
45
49
|
|
50
|
+
# Cast the given object, which should be a String, into a UTF-8 String for reporting. All given objects will be
|
51
|
+
# cast to their to_s form, except nil which will become the ObjectShare::EMPTY_STRING, and then cast.
|
52
|
+
#
|
53
|
+
# @param str [String, Object, nil]
|
54
|
+
# @return [String]
|
46
55
|
def force_utf8 str
|
47
56
|
return Contrast::Utils::ObjectShare::EMPTY_STRING unless str
|
48
57
|
|
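Review bot: The new YARD block restates `Truncate a string to 255 characters max length`, but `str.to_s[0..255]` is an inclusive range and returns up to 256 characters; either change the slice to `str.to_s[0, 255]` or make the comment say 256. The added `@param str` line also has a typo: `the string tt truncate` should read `the string to truncate`. `force_utf8`'s body continues outside the hunk.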
@@ -34,18 +34,12 @@ module Contrast
|
|
34
34
|
def build_request event
|
35
35
|
return unless valid_event?(event)
|
36
36
|
|
37
|
-
string_body = if event.cs__is_a?(Contrast::Agent::Telemetry::TelemetryException::Event)
|
38
|
-
[event.to_controlled_hash]
|
39
|
-
else
|
40
|
-
[event.to_hash]
|
41
|
-
end
|
42
|
-
|
43
37
|
header = {
|
44
38
|
'User-Agent' => "<#{ Contrast::Utils::ObjectShare::RUBY }>-<#{ Contrast::Agent::VERSION }>",
|
45
39
|
'Content-Type' => 'application/json'
|
46
40
|
}
|
47
41
|
request = Net::HTTP::Post.new(build_path(event), header)
|
48
|
-
request.body =
|
42
|
+
request.body = get_event_json(event)
|
49
43
|
request
|
50
44
|
end
|
51
45
|
|
@@ -97,6 +91,18 @@ module Contrast
|
|
97
91
|
path = endpoint == EXCEPTIONS ? Contrast::Agent::Telemetry::TelemetryException::Event.path : event.path
|
98
92
|
"#{ Contrast::Agent::Telemetry::Base::URL }#{ endpoint }#{ path }"
|
99
93
|
end
|
94
|
+
|
95
|
+
# Helper Method to get json representation of Telemetry Event data, handles error on to_json
|
96
|
+
#
|
97
|
+
# @param event [Contrast::Agent::Telemetry::Event, Array<Contrast::Agent::Telemetry::TelemetryException::Event>]
|
98
|
+
# @return [String] - JSON
|
99
|
+
def get_event_json event
|
100
|
+
hsh = [event.to_controlled_hash]
|
101
|
+
hsh.to_json
|
102
|
+
rescue Exception => e # rubocop:disable Lint/RescueException
|
103
|
+
logger.error('Unable to convert TelemetryEvent to JSON string', e, hsh)
|
104
|
+
raise(e)
|
105
|
+
end
|
100
106
|
end
|
101
107
|
end
|
102
108
|
end
|
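Review bot: `get_event_json`'s `@param` documents `Array<Contrast::Agent::Telemetry::TelemetryException::Event>` as an accepted type, yet `[event.to_controlled_hash]` calls `to_controlled_hash` on whatever was passed, which an Array does not define, so either the doc or the call is wrong; the removed `build_request` branch used `to_hash` for non-exception events, so every event type routed here now needs `to_controlled_hash` — worth confirming. In the `rescue` branch `hsh` is still `nil` whenever `to_controlled_hash` itself raised, so logging it adds nothing; logging `event` instead identifies the failing payload. Because the method re-raises unconditionally, `rescue StandardError` gives the same behaviour for everything a caller can reasonably handle and removes the rubocop disable, and `event_json` would follow the Ruby convention of no `get_` prefix.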
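--- a/data/lib/contrast.rb
+++ b/data/lib/contrast.rb
@@ -53,13 +53,9 @@ if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
 end
 end
 
-require 'contrast/components/agent'
-require 'contrast/components/api'
-require 'contrast/components/app_context'
 require 'contrast/components/assess'
 require 'contrast/components/config'
 require 'contrast/components/contrast_service'
-require 'contrast/components/inventory'
 require 'contrast/components/logger'
 require 'contrast/components/protect'
 require 'contrast/components/sampling'
@@ -73,15 +69,15 @@ require 'protobuf' # TODO: RUBY-1438
 module Contrast
 CONFIG = Contrast::Components::Config::Interface.new
 SCOPE = Contrast::Components::Scope::Interface.new
-API = CONFIG.
+API = CONFIG.api
 SETTINGS = Contrast::Components::Settings::Interface.new
-ASSESS =
+ASSESS = CONFIG.assess
 PROTECT = Contrast::Components::Protect::Interface.new
-INVENTORY = CONFIG.
-AGENT = CONFIG.
+INVENTORY = CONFIG.inventory
+AGENT = CONFIG.agent
 LOGGER = AGENT.logger
 CONTRAST_SERVICE = Contrast::Components::ContrastService::Interface.new
-APP_CONTEXT = CONFIG.
+APP_CONTEXT = CONFIG.application
 end
 
 module Contrast
@@ -95,7 +91,6 @@ require 'contrast/agent/version'
 
 # shared utils
 require 'contrast/utils/timer'
-require 'contrast/utils/preflight_util'
 
 require 'contrast/utils/assess/sampling_util'
 require 'contrast/agent'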
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: contrast-agent
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.
|
4
|
+
version: 6.7.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- galen.palmer@contrastsecurity.com
|
@@ -13,7 +13,7 @@ authors:
|
|
13
13
|
autorequire:
|
14
14
|
bindir: exe
|
15
15
|
cert_chain: []
|
16
|
-
date: 2022-08-
|
16
|
+
date: 2022-08-31 00:00:00.000000000 Z
|
17
17
|
dependencies:
|
18
18
|
- !ruby/object:Gem::Dependency
|
19
19
|
name: bundler
|
@@ -665,22 +665,22 @@ executables:
|
|
665
665
|
- contrast_service
|
666
666
|
extensions:
|
667
667
|
- ext/cs__common/extconf.rb
|
668
|
-
- ext/cs__tests/extconf.rb
|
669
|
-
- ext/cs__assess_module/extconf.rb
|
670
|
-
- ext/cs__assess_array/extconf.rb
|
671
668
|
- ext/cs__assess_hash/extconf.rb
|
672
669
|
- ext/cs__assess_basic_object/extconf.rb
|
673
|
-
- ext/cs__assess_regexp/extconf.rb
|
674
|
-
- ext/cs__os_information/extconf.rb
|
675
|
-
- ext/cs__assess_test/extconf.rb
|
676
670
|
- ext/cs__assess_string/extconf.rb
|
677
|
-
- ext/
|
671
|
+
- ext/cs__assess_regexp/extconf.rb
|
672
|
+
- ext/cs__assess_yield_track/extconf.rb
|
678
673
|
- ext/cs__assess_string_interpolation/extconf.rb
|
679
674
|
- ext/cs__scope/extconf.rb
|
675
|
+
- ext/cs__contrast_patch/extconf.rb
|
676
|
+
- ext/cs__assess_module/extconf.rb
|
677
|
+
- ext/cs__assess_kernel/extconf.rb
|
680
678
|
- ext/cs__assess_marshal_module/extconf.rb
|
679
|
+
- ext/cs__assess_test/extconf.rb
|
680
|
+
- ext/cs__os_information/extconf.rb
|
681
|
+
- ext/cs__assess_array/extconf.rb
|
682
|
+
- ext/cs__tests/extconf.rb
|
681
683
|
- ext/cs__assess_fiber_track/extconf.rb
|
682
|
-
- ext/cs__assess_yield_track/extconf.rb
|
683
|
-
- ext/cs__assess_kernel/extconf.rb
|
684
684
|
extra_rdoc_files: []
|
685
685
|
files:
|
686
686
|
- ".clang-format"
|
@@ -960,6 +960,7 @@ files:
|
|
960
960
|
- lib/contrast/agent/deadzone/policy/deadzone_node.rb
|
961
961
|
- lib/contrast/agent/deadzone/policy/policy.rb
|
962
962
|
- lib/contrast/agent/disable_reaction.rb
|
963
|
+
- lib/contrast/agent/excluder.rb
|
963
964
|
- lib/contrast/agent/exclusion_matcher.rb
|
964
965
|
- lib/contrast/agent/inventory.rb
|
965
966
|
- lib/contrast/agent/inventory/database_config.rb
|
@@ -997,6 +998,8 @@ files:
|
|
997
998
|
- lib/contrast/agent/protect/rule/base.rb
|
998
999
|
- lib/contrast/agent/protect/rule/base_service.rb
|
999
1000
|
- lib/contrast/agent/protect/rule/cmd_injection.rb
|
1001
|
+
- lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb
|
1002
|
+
- lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb
|
1000
1003
|
- lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb
|
1001
1004
|
- lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb
|
1002
1005
|
- lib/contrast/agent/protect/rule/default_scanner.rb
|
@@ -1012,7 +1015,9 @@ files:
|
|
1012
1015
|
- lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb
|
1013
1016
|
- lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb
|
1014
1017
|
- lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb
|
1018
|
+
- lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb
|
1015
1019
|
- lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb
|
1020
|
+
- lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb
|
1016
1021
|
- lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb
|
1017
1022
|
- lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb
|
1018
1023
|
- lib/contrast/agent/protect/rule/unsafe_file_upload.rb
|
@@ -1035,6 +1040,7 @@ files:
|
|
1035
1040
|
- lib/contrast/agent/reporting/details/path_traversal_details.rb
|
1036
1041
|
- lib/contrast/agent/reporting/details/path_traversal_semantic_analysis_details.rb
|
1037
1042
|
- lib/contrast/agent/reporting/details/protect_rule_details.rb
|
1043
|
+
- lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb
|
1038
1044
|
- lib/contrast/agent/reporting/details/sqli_details.rb
|
1039
1045
|
- lib/contrast/agent/reporting/details/untrusted_deserialization_details.rb
|
1040
1046
|
- lib/contrast/agent/reporting/details/virtual_patch_details.rb
|
@@ -1077,6 +1083,7 @@ files:
|
|
1077
1083
|
- lib/contrast/agent/reporting/reporting_events/finding_event_source.rb
|
1078
1084
|
- lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb
|
1079
1085
|
- lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb
|
1086
|
+
- lib/contrast/agent/reporting/reporting_events/finding_event_taint_range_tags.rb
|
1080
1087
|
- lib/contrast/agent/reporting/reporting_events/finding_request.rb
|
1081
1088
|
- lib/contrast/agent/reporting/reporting_events/library_discovery.rb
|
1082
1089
|
- lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb
|
@@ -1091,10 +1098,8 @@ files:
|
|
1091
1098
|
- lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb
|
1092
1099
|
- lib/contrast/agent/reporting/reporting_events/server_activity.rb
|
1093
1100
|
- lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb
|
1094
|
-
- lib/contrast/agent/reporting/reporting_events/trace_event_source.rb
|
1095
1101
|
- lib/contrast/agent/reporting/reporting_utilities/audit.rb
|
1096
1102
|
- lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb
|
1097
|
-
- lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb
|
1098
1103
|
- lib/contrast/agent/reporting/reporting_utilities/endpoints.rb
|
1099
1104
|
- lib/contrast/agent/reporting/reporting_utilities/headers.rb
|
1100
1105
|
- lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb
|
@@ -1167,14 +1172,11 @@ files:
|
|
1167
1172
|
- lib/contrast/api/communication/tcp_socket.rb
|
1168
1173
|
- lib/contrast/api/communication/unix_socket.rb
|
1169
1174
|
- lib/contrast/api/decorators.rb
|
1170
|
-
- lib/contrast/api/decorators/activity.rb
|
1171
1175
|
- lib/contrast/api/decorators/address.rb
|
1172
1176
|
- lib/contrast/api/decorators/agent_startup.rb
|
1173
1177
|
- lib/contrast/api/decorators/application_settings.rb
|
1174
1178
|
- lib/contrast/api/decorators/application_startup.rb
|
1175
|
-
- lib/contrast/api/decorators/architecture_component.rb
|
1176
1179
|
- lib/contrast/api/decorators/bot_blocker.rb
|
1177
|
-
- lib/contrast/api/decorators/finding.rb
|
1178
1180
|
- lib/contrast/api/decorators/http_request.rb
|
1179
1181
|
- lib/contrast/api/decorators/input_analysis.rb
|
1180
1182
|
- lib/contrast/api/decorators/instrumentation_mode.rb
|
@@ -1182,13 +1184,7 @@ files:
|
|
1182
1184
|
- lib/contrast/api/decorators/message.rb
|
1183
1185
|
- lib/contrast/api/decorators/rasp_rule_sample.rb
|
1184
1186
|
- lib/contrast/api/decorators/response_type.rb
|
1185
|
-
- lib/contrast/api/decorators/route_coverage.rb
|
1186
1187
|
- lib/contrast/api/decorators/server_features.rb
|
1187
|
-
- lib/contrast/api/decorators/trace_event.rb
|
1188
|
-
- lib/contrast/api/decorators/trace_event_object.rb
|
1189
|
-
- lib/contrast/api/decorators/trace_event_signature.rb
|
1190
|
-
- lib/contrast/api/decorators/trace_taint_range.rb
|
1191
|
-
- lib/contrast/api/decorators/trace_taint_range_tags.rb
|
1192
1188
|
- lib/contrast/api/decorators/user_input.rb
|
1193
1189
|
- lib/contrast/api/decorators/virtual_patch.rb
|
1194
1190
|
- lib/contrast/api/dtm.pb.rb
|
@@ -1198,6 +1194,7 @@ files:
|
|
1198
1194
|
- lib/contrast/components/app_context.rb
|
1199
1195
|
- lib/contrast/components/app_context_extend.rb
|
1200
1196
|
- lib/contrast/components/assess.rb
|
1197
|
+
- lib/contrast/components/assess_rules.rb
|
1201
1198
|
- lib/contrast/components/base.rb
|
1202
1199
|
- lib/contrast/components/config.rb
|
1203
1200
|
- lib/contrast/components/contrast_service.rb
|
@@ -1205,13 +1202,14 @@ files:
|
|
1205
1202
|
- lib/contrast/components/inventory.rb
|
1206
1203
|
- lib/contrast/components/logger.rb
|
1207
1204
|
- lib/contrast/components/protect.rb
|
1205
|
+
- lib/contrast/components/ruby_component.rb
|
1208
1206
|
- lib/contrast/components/sampling.rb
|
1209
1207
|
- lib/contrast/components/scope.rb
|
1208
|
+
- lib/contrast/components/security_logger.rb
|
1209
|
+
- lib/contrast/components/service.rb
|
1210
1210
|
- lib/contrast/components/settings.rb
|
1211
1211
|
- lib/contrast/config.rb
|
1212
1212
|
- lib/contrast/config/api_proxy_configuration.rb
|
1213
|
-
- lib/contrast/config/assess_configuration.rb
|
1214
|
-
- lib/contrast/config/assess_rules_configuration.rb
|
1215
1213
|
- lib/contrast/config/base_configuration.rb
|
1216
1214
|
- lib/contrast/config/certification_configuration.rb
|
1217
1215
|
- lib/contrast/config/env_variables.rb
|
@@ -1219,10 +1217,7 @@ files:
|
|
1219
1217
|
- lib/contrast/config/protect_rule_configuration.rb
|
1220
1218
|
- lib/contrast/config/protect_rules_configuration.rb
|
1221
1219
|
- lib/contrast/config/request_audit_configuration.rb
|
1222
|
-
- lib/contrast/config/root_configuration.rb
|
1223
|
-
- lib/contrast/config/ruby_configuration.rb
|
1224
1220
|
- lib/contrast/config/server_configuration.rb
|
1225
|
-
- lib/contrast/config/service_configuration.rb
|
1226
1221
|
- lib/contrast/configuration.rb
|
1227
1222
|
- lib/contrast/extension/assess.rb
|
1228
1223
|
- lib/contrast/extension/assess/array.rb
|
@@ -1298,7 +1293,6 @@ files:
|
|
1298
1293
|
- lib/contrast/utils/os.rb
|
1299
1294
|
- lib/contrast/utils/patching/policy/patch_utils.rb
|
1300
1295
|
- lib/contrast/utils/patching/policy/patcher_utils.rb
|
1301
|
-
- lib/contrast/utils/preflight_util.rb
|
1302
1296
|
- lib/contrast/utils/request_utils.rb
|
1303
1297
|
- lib/contrast/utils/resource_loader.rb
|
1304
1298
|
- lib/contrast/utils/response_utils.rb
|
@@ -1,30 +0,0 @@
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
require 'json'
|
5
|
-
require 'contrast/components/logger'
|
6
|
-
require 'contrast/utils/object_share'
|
7
|
-
|
8
|
-
module Contrast
|
9
|
-
module Agent
|
10
|
-
module Reporting
|
11
|
-
# This is the new Trace Event Source class which will include all the needed information for the new reporting
|
12
|
-
# system to relay this information in the Route Observation messages.
|
13
|
-
class TraceEventSource
|
14
|
-
attr_accessor :name, :type
|
15
|
-
|
16
|
-
def initialize
|
17
|
-
@name = Contrast::Utils::ObjectShare::EMPTY_STRING
|
18
|
-
@type = Contrast::Utils::ObjectShare::EMPTY_STRING
|
19
|
-
end
|
20
|
-
|
21
|
-
def to_controlled_hash
|
22
|
-
{
|
23
|
-
name: @name,
|
24
|
-
type: @type
|
25
|
-
}
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
@@ -1,36 +0,0 @@
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
require 'contrast/agent/reporting/reporting_events/application_activity'
|
5
|
-
require 'contrast/api/dtm.pb'
|
6
|
-
|
7
|
-
module Contrast
|
8
|
-
module Agent
|
9
|
-
module Reporting
|
10
|
-
# Util module for checking DTM message type. It temporarily allows for the conversion from a DTM to an
|
11
|
-
# EventReport.
|
12
|
-
# TODO: RUBY-1438 -- remove
|
13
|
-
module DtmMessage
|
14
|
-
class << self
|
15
|
-
# @param dtm [Contrast::Api::Dtm::Finding,Object]
|
16
|
-
# @return [Boolean]
|
17
|
-
def finding? dtm
|
18
|
-
dtm.cs__is_a?(Contrast::Api::Dtm::Finding)
|
19
|
-
end
|
20
|
-
|
21
|
-
# Converts DTM message to Reporting Event for those messages that have conversion methods crated. We use this
|
22
|
-
# as we work to move away from requiring the Service.
|
23
|
-
#
|
24
|
-
# @param dtm [Contrast::Api::Dtm]
|
25
|
-
# @return event [Contrast::Agent::Reporting::ReportingEvent, nil]
|
26
|
-
def dtm_to_event dtm
|
27
|
-
# For the others, we convert them.
|
28
|
-
return Contrast::Agent::Reporting::Finding.convert(dtm) if finding?(dtm)
|
29
|
-
|
30
|
-
nil
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|
36
|
-
end
|
@@ -1,33 +0,0 @@
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
require 'contrast/utils/string_utils'
|
5
|
-
|
6
|
-
module Contrast
|
7
|
-
module Api
|
8
|
-
module Decorators
|
9
|
-
# Used to decorate the {Contrast::Api::Dtm::Activity} protobuf model
|
10
|
-
# to handle conversion between framework route classes and the dtm.
|
11
|
-
module Activity
|
12
|
-
def self.included klass
|
13
|
-
klass.extend(ClassMethods)
|
14
|
-
end
|
15
|
-
|
16
|
-
# Class methods for Activity
|
17
|
-
module ClassMethods
|
18
|
-
def source_or_string obj
|
19
|
-
if obj.cs__is_a?(Regexp)
|
20
|
-
obj.source
|
21
|
-
elsif obj.cs__respond_to?(:safe_string)
|
22
|
-
obj.safe_string
|
23
|
-
else
|
24
|
-
obj.to_s
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
|
33
|
-
Contrast::Api::Dtm::Activity.include(Contrast::Api::Decorators::Activity)
|
@@ -1,36 +0,0 @@
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
require 'contrast/utils/string_utils'
|
5
|
-
|
6
|
-
module Contrast
|
7
|
-
module Api
|
8
|
-
module Decorators
|
9
|
-
# Used to decorate the {Contrast::Api::Dtm::ArchitectureComponent} protobuf model so it can own some of the data
|
10
|
-
# massaging required for AppUpdate and Activity dtms.
|
11
|
-
module ArchitectureComponent
|
12
|
-
def self.included klass
|
13
|
-
klass.extend(ClassMethods)
|
14
|
-
end
|
15
|
-
|
16
|
-
# Used to add class methods to the ApplicationUpdate class on inclusion of the decorator
|
17
|
-
module ClassMethods
|
18
|
-
# TeamServer only accepts certain values for ArchitectureComponents.
|
19
|
-
# DO NOT CHANGE THIS!
|
20
|
-
AC_TYPE_DB = 'db'
|
21
|
-
|
22
|
-
# Create a Contrast::Api::Dtm::ArchitectureComponent of the database type.
|
23
|
-
#
|
24
|
-
# @return [Contrast::Api::Dtm::ArchitectureComponent]
|
25
|
-
def build_database
|
26
|
-
msg = Contrast::Api::Dtm::ArchitectureComponent.new
|
27
|
-
msg.type = AC_TYPE_DB
|
28
|
-
msg
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
35
|
-
|
36
|
-
Contrast::Api::Dtm::ArchitectureComponent.include(Contrast::Api::Decorators::ArchitectureComponent)
|
@@ -1,29 +0,0 @@
|
|
1
|
-
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
require 'contrast/api/dtm.pb'
|
5
|
-
require 'contrast/utils/string_utils'
|
6
|
-
require 'contrast/components/base'
|
7
|
-
|
8
|
-
module Contrast
|
9
|
-
module Api
|
10
|
-
module Decorators
|
11
|
-
# Used to decorate the {Contrast::Api::Dtm::Finding} protobuf
|
12
|
-
# model so it can own the request which its data is for.
|
13
|
-
module Finding
|
14
|
-
def self.included klass
|
15
|
-
klass.extend(ClassMethods)
|
16
|
-
end
|
17
|
-
|
18
|
-
# Used to add class methods to the AgentStartup class on inclusion of the decorator
|
19
|
-
module ClassMethods
|
20
|
-
def build
|
21
|
-
new
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
|
29
|
-
Contrast::Api::Dtm::Finding.include(Contrast::Api::Decorators::Finding)
|