contrast-agent 6.6.5 → 6.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +3 -0
- data/.gitmodules +0 -3
- data/ext/cs__scope/cs__scope.c +1 -1
- data/lib/contrast/agent/assess/contrast_event.rb +2 -24
- data/lib/contrast/agent/assess/events/source_event.rb +7 -61
- data/lib/contrast/agent/assess/finalizers/hash.rb +11 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +0 -55
- data/lib/contrast/agent/assess/policy/policy_node.rb +3 -3
- data/lib/contrast/agent/assess/policy/policy_node_utils.rb +0 -1
- data/lib/contrast/agent/assess/policy/propagation_node.rb +4 -4
- data/lib/contrast/agent/assess/policy/source_method.rb +24 -1
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -5
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +6 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +36 -132
- data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -3
- data/lib/contrast/agent/assess/property/evented.rb +2 -12
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +42 -84
- data/lib/contrast/agent/assess/rule/response/base_rule.rb +11 -27
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -3
- data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb +77 -62
- data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb +6 -1
- data/lib/contrast/agent/assess/rule/response/header_rule.rb +5 -5
- data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb +1 -1
- data/lib/contrast/agent/assess/tracker.rb +1 -7
- data/lib/contrast/agent/excluder.rb +206 -0
- data/lib/contrast/agent/exclusion_matcher.rb +6 -0
- data/lib/contrast/agent/inventory/database_config.rb +6 -10
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +4 -0
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +1 -0
- data/lib/contrast/agent/protect/rule/base.rb +49 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +1 -0
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +18 -105
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +129 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +169 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -1
- data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +51 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb +67 -0
- data/lib/contrast/agent/protect/rule/sqli.rb +6 -31
- data/lib/contrast/agent/protect/rule/xxe.rb +2 -0
- data/lib/contrast/agent/protect/rule.rb +3 -1
- data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +6 -0
- data/lib/contrast/agent/reporting/details/sqli_dangerous_functions.rb +22 -0
- data/lib/contrast/agent/reporting/reporter.rb +1 -2
- data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +1 -4
- data/lib/contrast/agent/reporting/reporting_events/application_startup.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -23
- data/lib/contrast/agent/reporting/reporting_events/finding.rb +19 -49
- data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +12 -9
- data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +23 -21
- data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb +5 -18
- data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb +1 -0
- data/lib/contrast/{api/decorators/trace_taint_range_tags.rb → agent/reporting/reporting_events/finding_event_taint_range_tags.rb} +7 -6
- data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +2 -2
- data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb +10 -14
- data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb +11 -0
- data/lib/contrast/agent/reporting/reporting_events/route_coverage.rb +3 -1
- data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +11 -23
- data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +8 -26
- data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb +4 -7
- data/lib/contrast/agent/reporting/reporting_utilities/headers.rb +1 -1
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +3 -3
- data/lib/contrast/agent/request.rb +2 -2
- data/lib/contrast/agent/request_context.rb +8 -20
- data/lib/contrast/agent/request_context_extend.rb +15 -36
- data/lib/contrast/agent/request_handler.rb +0 -8
- data/lib/contrast/agent/response.rb +0 -18
- data/lib/contrast/agent/telemetry/events/event.rb +1 -1
- data/lib/contrast/agent/telemetry/events/metric_event.rb +1 -1
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +3 -3
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +2 -3
- data/lib/contrast/api/communication/socket_client.rb +4 -4
- data/lib/contrast/api/communication/speedracer.rb +4 -8
- data/lib/contrast/api/decorators/agent_startup.rb +5 -6
- data/lib/contrast/api/decorators/application_settings.rb +2 -1
- data/lib/contrast/api/decorators/application_startup.rb +6 -6
- data/lib/contrast/api/decorators/message.rb +0 -4
- data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -6
- data/lib/contrast/api/decorators.rb +0 -6
- data/lib/contrast/api/dtm.pb.rb +0 -489
- data/lib/contrast/components/agent.rb +16 -12
- data/lib/contrast/components/api.rb +10 -10
- data/lib/contrast/components/app_context.rb +3 -3
- data/lib/contrast/components/app_context_extend.rb +1 -1
- data/lib/contrast/components/assess.rb +92 -38
- data/lib/contrast/components/assess_rules.rb +36 -0
- data/lib/contrast/components/config.rb +54 -12
- data/lib/contrast/components/contrast_service.rb +8 -8
- data/lib/contrast/components/heap_dump.rb +1 -1
- data/lib/contrast/components/protect.rb +5 -5
- data/lib/contrast/components/ruby_component.rb +81 -0
- data/lib/contrast/components/sampling.rb +1 -1
- data/lib/contrast/components/security_logger.rb +23 -0
- data/lib/contrast/components/service.rb +55 -0
- data/lib/contrast/components/settings.rb +12 -4
- data/lib/contrast/config/base_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +17 -3
- data/lib/contrast/config/server_configuration.rb +1 -1
- data/lib/contrast/config.rb +0 -6
- data/lib/contrast/configuration.rb +81 -17
- data/lib/contrast/extension/assess/exec_trigger.rb +3 -1
- data/lib/contrast/extension/assess/marshal.rb +3 -2
- data/lib/contrast/extension/assess/string.rb +0 -1
- data/lib/contrast/extension/extension.rb +1 -1
- data/lib/contrast/framework/base_support.rb +0 -5
- data/lib/contrast/framework/grape/support.rb +1 -23
- data/lib/contrast/framework/manager.rb +0 -10
- data/lib/contrast/framework/rails/support.rb +5 -58
- data/lib/contrast/framework/sinatra/support.rb +2 -21
- data/lib/contrast/logger/cef_log.rb +21 -3
- data/lib/contrast/logger/log.rb +1 -11
- data/lib/contrast/tasks/config.rb +4 -2
- data/lib/contrast/utils/assess/event_limit_utils.rb +5 -8
- data/lib/contrast/utils/assess/trigger_method_utils.rb +10 -18
- data/lib/contrast/utils/findings.rb +6 -5
- data/lib/contrast/utils/hash_digest.rb +9 -24
- data/lib/contrast/utils/hash_digest_extend.rb +6 -6
- data/lib/contrast/utils/invalid_configuration_util.rb +21 -58
- data/lib/contrast/utils/log_utils.rb +32 -8
- data/lib/contrast/utils/net_http_base.rb +2 -2
- data/lib/contrast/utils/patching/policy/patch_utils.rb +3 -2
- data/lib/contrast/utils/stack_trace_utils.rb +0 -25
- data/lib/contrast/utils/string_utils.rb +9 -0
- data/lib/contrast/utils/telemetry_client.rb +13 -7
- data/lib/contrast.rb +5 -10
- metadata +22 -28
- data/lib/contrast/agent/reporting/reporting_events/trace_event_source.rb +0 -30
- data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb +0 -36
- data/lib/contrast/api/decorators/activity.rb +0 -33
- data/lib/contrast/api/decorators/architecture_component.rb +0 -36
- data/lib/contrast/api/decorators/finding.rb +0 -29
- data/lib/contrast/api/decorators/route_coverage.rb +0 -91
- data/lib/contrast/api/decorators/trace_event.rb +0 -120
- data/lib/contrast/api/decorators/trace_event_object.rb +0 -63
- data/lib/contrast/api/decorators/trace_event_signature.rb +0 -69
- data/lib/contrast/api/decorators/trace_taint_range.rb +0 -52
- data/lib/contrast/config/assess_configuration.rb +0 -93
- data/lib/contrast/config/assess_rules_configuration.rb +0 -32
- data/lib/contrast/config/root_configuration.rb +0 -90
- data/lib/contrast/config/ruby_configuration.rb +0 -81
- data/lib/contrast/config/service_configuration.rb +0 -49
- data/lib/contrast/utils/preflight_util.rb +0 -13
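--- a/data/lib/contrast/config/ruby_configuration.rb
+++ /dev/null
@@ -1,81 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-module Config
-# Common Configuration settings. Those in this section pertain to the specific settings that apply to Ruby
-class RubyConfiguration
-include Contrast::Config::BaseConfiguration
-
-DISABLED_RAKE_TASK_LIST = %w[
-about assets:clean assets:clobber assets:environment
-assets:precompile assets:precompile:all db:create db:drop db:fixtures:load db:migrate
-db:migrate:status db:rollback db:schema:cache:clear db:schema:cache:dump db:schema:dump
-db:schema:load db:seed db:setup db:structure:dump db:version doc:app graphql:install graphql:object
-log:clear middleware notes notes:custom rails:template rails:update routes secret spec spec:features
-spec:requests spec:controllers spec:helpers spec:models spec:views spec:routing spec:rcov stats
-test test:all test:all:db test:recent test:single test:uncommitted time:zones:all tmp:clear
-tmp:create webpacker:compile contrast:service:start contrast:service:status contrast:service:stop
-].cs__freeze
-
-DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze
-
-attr_writer :disabled_agent_rake_tasks, :exceptions, :interpolate, :propagate_yield, :require_scan,
-:non_request_tracking, :uninstrument_namespace
-
-def initialize hsh = {}
-return unless hsh
-
-@disabled_agent_rake_tasks = hsh[:disabled_agent_rake_tasks]
-@exceptions = Contrast::Config::ExceptionConfiguration.new(hsh[:exceptions])
-@interpolate = hsh[:interpolate]
-@propagate_yield = hsh[:propagate_yield]
-@require_scan = hsh[:require_scan]
-@non_request_tracking = hsh[:non_request_tracking]
-@uninstrument_namespace = hsh[:uninstrument_namespace]
-end
-
-# These commands being detected will result the agent disabling instrumentation, generally any command
-# that doesn't result in the application listening on a port can be added here, this normally includes tasks
-# that are ran pre-startup(like migrations) or to show information about the application(such as routes)
-# @return [Array, DISABLED_RAKE_TASK_LIST]
-def disabled_agent_rake_tasks
-@disabled_agent_rake_tasks.nil? ? DISABLED_RAKE_TASK_LIST : @disabled_agent_rake_tasks
-end
-
-# @return [Contrast::Config::ExceptionConfiguration]
-def exceptions
-@exceptions ||= Contrast::Config::ExceptionConfiguration.new
-end
-
-# controls whether or not we patch interpolation, either by rewrite or by funchook
-# @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
-def interpolate
-@interpolate.nil? ? Contrast::Utils::ObjectShare::TRUE : @interpolate
-end
-
-# controls whether or not we patch the rb_yield block to track split propagation
-# @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
-def propagate_yield
-@propagate_yield.nil? ? Contrast::Utils::ObjectShare::TRUE : @propagate_yield
-end
-
-# control whether or not we run file scanning rules on require
-# @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
-def require_scan
-@require_scan.nil? ? Contrast::Utils::ObjectShare::TRUE : @require_scan
-end
-
-# controls tracking outside of request
-# @return [Boolean, Contrast::Utils::ObjectShare::FALSE]
-def non_request_tracking
-@non_request_tracking.nil? ? Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
-end
-
-# @return [Array, DEFAULT_UNINSTRUMENTED_NAMESPACES]
-def uninstrument_namespace
-@uninstrument_namespace.nil? ? DEFAULT_UNINSTRUMENTED_NAMESPACES : @uninstrument_namespace
-end
-end
-end
-end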
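--- a/data/lib/contrast/config/service_configuration.rb
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/components/logger'
-
-module Contrast
-module Config
-# Common Configuration settings. Those in this section pertain to the communication between the Agent & the Service
-class ServiceConfiguration
-include Contrast::Config::BaseConfiguration
-
-# We don't set these b/c we've been asked to handle the default values of these settings differently, logging
-# when we have to use them.
-DEFAULT_HOST = '127.0.0.1' # rubocop:disable Style/IpAddresses
-DEFAULT_PORT = '30555'
-
-attr_writer :logger, :bypass
-# @return [String, nil]
-attr_accessor :socket
-# @return [String, nil]
-attr_accessor :port
-# @return [String, nil]
-attr_accessor :host
-# @return [Boolean, nil]
-attr_accessor :enable
-
-def initialize hsh = {}
-return unless hsh
-
-@enable = hsh[:enable]
-@host = hsh[:host]
-@port = hsh[:port]
-@socket = hsh[:socket]
-@logger = Contrast::Components::Logger::Interface.new(hsh[:logger])
-@bypass = hsh[:bypass]
-end
-
-# @return [Contrast::Components::Logger::Interface]
-def logger
-@logger ||= Contrast::Components::Logger::Interface.new
-end
-
-# @return [Boolean, false]
-def bypass
-@bypass.nil? ? false : @bypass
-end
-end
-end
-end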
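--- a/data/lib/contrast/utils/preflight_util.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-module Utils
-# Utility for generating preflight message token
-module PreflightUtil
-def self.create_preflight finding
-"#{ finding.rule_id },#{ finding.hash_code }"
-end
-end
-end
-end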