contrast-agent 6.7.0 → 6.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c688788c7666c5ea72351e52ad02fe838923dc0dde589199917d2bfa96080630
-  data.tar.gz: f63416e47b9b815f0ec7a79858fb11f866bf5c49c952cf278dfb851679f44957
+  metadata.gz: 2c32847e196cdcf1540bd39373f9327a46e50cb1c4be6516f2ad5664696c0221
+  data.tar.gz: 03b9bc37cf6b8fe3fd0662f120f6f24cc9faf868cf91c7fb698ccbcb52f15aac
 SHA512:
-  metadata.gz: 0b5ee56bb30a55609a6252a105c8ab60e0bf66bdcac23e4efa937cfbc99f7669ab5ed7ffdc41dfd1b9659a09a93d2f7714af0eb398b46069542f0dff753c1ccd
-  data.tar.gz: 84b72b0f516808677745cc1ea7ecdedf762309ceb79eaac2908f1f16ac6abc811f2997bc50673e78101d7845ddd67a73c996c7ed3ebdbca6d33cf88883926499
+  metadata.gz: 204a13ebf2cc20d9302d55a1d2201cc0f8f2ba35b5bf1b3392f75c0636f8ab5224de54106af8349c16da111d86f2381e894d8925eccf2df1e46e4d04b99eb7be
+  data.tar.gz: ac50424a98754b82bab6576b7205cdb3f6243f5dc6aa9c55f817f15cfba61e1f0858c27a66efd18457442f0b4f2e8ea42cdfcbecdd67c6941edcd86c77b11164

data/.gitignore

@@ -21,7 +21,6 @@
 bin
 ruby-spec
 mspec
-service_executables
 
 # rspec generated files
 /spec/dummy_files/*
@@ -57,7 +56,6 @@ contrast-agent-*.gem
 
 .ruby-version
 .ruby-gemset
-service_executables/*-*
 
 # IDE stuff
 tags

data/.simplecov

@@ -4,6 +4,5 @@
 SimpleCov.minimum_coverage(line: 94)
 SimpleCov.start do
   add_filter '/spec/'
-  add_filter '/lib/protobuf/'
   enable_coverage :branch
 end

data/Rakefile

@@ -6,7 +6,6 @@ $stdout.sync = true
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rake/extensiontask'
-load 'protobuf/tasks/compile.rake'
 require 'fileutils'
 
 CLOBBER << 'shared_libraries/*'

data/ext/cs__assess_array/cs__assess_array.c

@@ -31,15 +31,46 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
     return result;
 }
 
+static VALUE contrast_assess_prepend_array_join(const int argc, const VALUE *argv,
+                                        const VALUE ary) {
+    VALUE sep, result;
+    /* We need to figure out the separator the join method actually used. */
+    /* First, check if one was provided. */
+    rb_scan_args(argc, argv, "01", &sep);
+    /* Second, check to see if `$;` is set*/
+    if (NIL_P(sep)) {
+        sep = rb_output_fs;
+    }
+
+    /* call the Array.join but patched one */
+    result = rb_ary_join(ary, sep);
+    /* call the Contrast::Extensions::Assess::ArrayPropagator#cs__track_join */
+    result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
+                        ary, sep, result);
+
+    /*call original occurs in ruby*/
+    return Qtrue;
+}
+
 void Init_cs__assess_array(void) {
-    array_propagator =
-        rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
-    rb_sym_assess_track_array_join = rb_intern("cs__track_join");
-    /*
-     * Here we need to check before using the alias or prepend spec
-     * This patch is happening here, we register the cs__track_join
-     * method of the Array propagator, and call it here from Ruby.
-     */
-    rb_sym_assess_array_join =
-        contrast_register_patch("Array", "join", contrast_assess_array_join);
+
+     VALUE rb_mod_ary = rb_const_get(rb_cObject, rb_intern("Array"));
+     VALUE rb_sym_ary_join = ID2SYM(rb_intern("join"));
+     // check if prepended
+     VALUE is_prepended = contrast_check_prepended(rb_mod_ary, rb_sym_ary_join, Qtrue);
+     // register the cs__track_join method of the Array propagator, and call it here from Ruby.
+     array_propagator = rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
+     rb_sym_assess_track_array_join = rb_intern("cs__track_join");
+
+     // register the cs__join method of the ContrastArray for prepending, and call it here from Ruby.
+     VALUE contrast_array = rb_define_module_under(core_assess, "ContrastArray");
+     rb_define_module_function(contrast_array, "cs__join", contrast_assess_prepend_array_join, -1);
+
+    if(is_prepended == Qtrue) {
+       // do nothing prepend is done in Ruby
+    } else {
+       // register alias patch
+        rb_sym_assess_array_join =
+            contrast_register_patch("Array", "join", contrast_assess_array_join);
+    }
 }

data/ext/cs__assess_array/cs__assess_array.h

@@ -3,8 +3,11 @@
 static VALUE array_propagator;
 static VALUE rb_sym_assess_array_join;
 static VALUE rb_sym_assess_track_array_join;
-
+static VALUE rb_mod_ary, rb_sym_ary_join, is_prepended, contrast_array;
 static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
                                         const VALUE ary);
 
+static VALUE contrast_assess_prepend_array_join(const int argc, const VALUE *argv,
+                                        const VALUE ary);
+
 void Init_cs__assess_array(void);

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -23,7 +23,7 @@ module Contrast
         # A trigger method is one which can perform a dangerous action, as described by the
         # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
         # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
-        # report is issued to the Service.
+        # report is issued to TeamServer.
         module TriggerMethod
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Utils::Assess::TriggerMethodUtils
@@ -105,7 +105,7 @@ module Contrast
               nil
             end
 
-            # Given a finding, append it to an activity message and send it to the Service for processing. If an
+            # Given a finding, append it to an activity message and send it to the TeamServer for processing. If an
             # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
             # immediately report it with the finding.
             #

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a REDOS finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module REDOSValidator
             RULE_NAME = 'redos'
 

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a SSRF finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module SSRFValidator
             RULE_NAME = 'ssrf'
             URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

@@ -8,7 +8,7 @@ module Contrast
         module TriggerValidation
           # Validator used to assert a Reflected XSS finding is actually
           # vulnerable before serializing that finding as a DTM to report to
-          # the service.
+          # the TeamServer.
           module XSSValidator
             RULE_NAME = 'reflected-xss'
             SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

data/lib/contrast/agent/excluder.rb

@@ -1,13 +1,17 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/reporting/settings/url_exclusion'
+
 module Contrast
   module Agent
     # Given an array of exclusion matcher instances provides methods to
     # determine if the exclusions apply to particular urls.
     class Excluder # rubocop:disable Metrics/ClassLength
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       attr_reader :exclusions
 
+      # @param exclusions [Array<Contrast::Agent::ExclusionMatcher>]
       def initialize exclusions = []
         @exclusions = exclusions
       end
@@ -16,12 +20,12 @@ module Contrast
       # then we can avoid any tracking for the request.
       #
       # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
-      # return [Boolean]
+      # @return [Boolean]
       def assess_excluded_by_url? request
         request_path = request.path
 
-        assess_url_exclusions_for_all_rules.any? do |exclusion|
-          path_match?(exclusion, request_path)
+        assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
         end
       end
 
@@ -34,9 +38,9 @@ module Contrast
       def assess_excluded_by_url_and_rule? request, rule_id
         request_path = request.path
 
-        assess_url_exclusions.any? do |exclusion|
-          path_match?(exclusion, request_path) &&
-              (exclusion.assessment_rules.empty? || exclusion.assessment_rules.include?(rule_id))
+        assess_url_exclusions.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path) &&
+              (exclusion_matcher.assess_rules.empty? || exclusion_matcher.assess_rules.include?(rule_id))
         end
       end
 
@@ -44,13 +48,14 @@ module Contrast
       # rules, then we can avoid tracking this entry.
       #
       # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
-      # @param rule_id [String]
+      # @param source_type [String]
+      # @param source_name [String]
       # return [Boolean]
       def assess_excluded_by_input? request, source_type, source_name
         request_path = request.path
 
-        assess_input_exclusions_for_all_rules.any? do |exclusion|
-          input_match?(exclusion, source_type, source_name) && path_match?(exclusion, request_path)
+        assess_input_exclusions_for_all_rules.any? do |exclusion_matcher|
+          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher, request_path)
         end
       end
 
@@ -66,11 +71,11 @@ module Contrast
 
         # We need to check for url exclusions here for the input rules as the url exclusions
         # that have already been checked didn't include the INPUT exclusions. So we look for
-        # any INPUT exclusions that apply to the current url and the suppleid rule.
+        # any INPUT exclusions that apply to the current url and the supplied rule.
         path = request.path
-        rule_input_exclusions = assess_input_exclusions.select do |exclusion|
-          (exclusion.protection_rules.empty? || exclusion.protection_rules.include?(rule)) && path_match?(exclusion,
-                                                                                                          path)
+        rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
+          (exclusion_matcher.protection_rules.empty? || exclusion_matcher.protection_rules.include?(rule)) &&
+              path_match?(exclusion_matcher, path)
         end
         return false if rule_input_exclusions.empty?
 
@@ -94,72 +99,85 @@ module Contrast
       def protect_excluded_by_url? request
         request_path = request.path
 
-        protect_url_exclusions_for_all_rules.any? do |exclusion|
-          path_match?(exclusion, request_path)
+        protect_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
         end
       end
 
       private
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions_for_all_rules
-        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion|
-          exclusion.assessment_rules.empty?
+        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
         end
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions
-        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
         end
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_input_exclusions_for_all_rules
-        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion|
-          exclusion.assessment_rules.empty?
+        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
         end
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_input_exclusions
-        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::INPUT
+        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :INPUT
         end
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_exclusions
         @_assess_exclusions ||= @exclusions.select(&:assess)
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_url_exclusions_for_all_rules
-        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion|
-          exclusion.protection_rules.empty?
+        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.protect_rules.empty?
         end
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_url_exclusions
-        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
         end
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_exclusions
         @_protect_exclusions ||= @exclusions.select(&:protect)
       end
 
-      def path_match? exclusion, path
-        exclusion.wildcard_url || exclusion.urls.any? { |url| url.match?(path) }
+      # @return [Boolean]
+      def path_match? exclusion_matcher, path
+        exclusion_matcher.wildcard_url || exclusion_matcher.urls.any? { |url| url.match?(path) }
       end
 
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_type [String]
+      # @param source_name [String]
+      # @return [Boolean]
       def input_match? exclusion, source_type, source_name
         case exclusion.input_type
-        when Contrast::Api::Settings::Exclusion::InputType::PARAMETER
+        when 'PARAMETER'
           input_match_parameter?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::COOKIE
+        when 'COOKIE'
           input_match_cookie?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::HEADER
+        when 'HEADER'
           input_match_header?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::BODY
+        when 'BODY'
           Contrast::Agent::Assess::Policy::SourceMethod::BODY_TYPE == source_type
-        when Contrast::Api::Settings::Exclusion::InputType::QUERYSTRING
+        when 'QUERYSTRING'
           Contrast::Agent::Assess::Policy::SourceMethod::QUERYSTRING_TYPE == source_type
         else
           false

data/lib/contrast/agent/exclusion_matcher.rb

@@ -2,6 +2,10 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/settings/exclusion_base'
+require 'contrast/agent/reporting/settings/code_exclusion'
+require 'contrast/agent/reporting/settings/input_exclusion'
+require 'contrast/agent/reporting/settings/url_exclusion'
 
 module Contrast
   module Agent
@@ -13,22 +17,30 @@ module Contrast
 
       extend Forwardable
 
-      attr_reader :protect, :assess, :urls, :wildcard_url, :wildcard_input
+      attr_reader :protect, :assess, :type, :urls, :wildcard_url, :wildcard_input
 
-      def_delegators :@exclusion, :type, :assessment_rules, :protection_rules, :input_type, :input_name
+      def_delegators :@exclusion, :protect_rules, :assess_rules, :input_type, :input_name
 
       # Create a matcher around an exclusion sent from TeamServer.
       #
-      # @param excl [Contrast::Api::Settings::Exclusion]
+      # @param excl [Contrast::Agent::Reporting::Settings::ExclusionBase]
       # @return [Contrast::Agent::ExclusionMatcher]
       def initialize excl
         @exclusion = excl
         @protect = @exclusion.protect
         @assess = @exclusion.assess
 
-        handle_wildcard_input
-        handle_wildcard_url
-        handle_wildcard_code
+        case excl
+        when Contrast::Agent::Reporting::Settings::CodeExclusion
+          handle_wildcard_code
+          @type = :CODE
+        when Contrast::Agent::Reporting::Settings::InputExclusion
+          handle_wildcard_input
+          @type = :INPUT
+        when Contrast::Agent::Reporting::Settings::UrlExclusion
+          handle_wildcard_url
+          @type = :URL
+        end
       end
 
       # According to the docs for exclusions, user input applies to all inputs if
@@ -97,7 +109,7 @@ module Contrast
       end
 
       def code?
-        @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
+        @type == :CODE
       end
 
       def match_all?
@@ -105,12 +117,12 @@ module Contrast
       end
 
       # Determine if the given rule is excluded by this exclusion.
-      # In this case, the `protection_rules` being empty means apply to all rules,
+      # In this case, the `protect_rules` being empty means apply to all rules,
       # not no rules
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def protection_rule? rule
-        protect? && (@exclusion.protection_rules.empty? || @exclusion.protection_rules.include?(rule))
+        protect? && (@exclusion.protect_rules.empty? || @exclusion.protect_rules.include?(rule))
       end
 
       # Determine if the given rule is excluded by this exclusion.

data/lib/contrast/agent/middleware.rb

@@ -73,12 +73,12 @@ module Contrast
       private
 
       # Startup the Agent as part of the initialization process:
-      # - start the service sending thread, responsible for sending and processing messages
-      # - start the heartbeat thread, which triggers service startup
+      # - start the TeamServer sending thread, responsible for sending and processing messages
+      # - start the heartbeat thread, which handles periodic messages to TeamServer
       # - start instrumenting libraries and do a 'catchup' patch for everything we didn't see get loaded
       # - enable TracePoint, which handles all class loads and required instrumentation going forward
       def agent_startup_routine
-        logger.debug_with_time('middleware: starting service') do
+        logger.debug_with_time('middleware: starting reporting threads') do
           Contrast::Agent.thread_watcher.ensure_running?
         end
 
@@ -147,7 +147,7 @@ module Contrast
       #    which is being triggered when there is a failure within the pre-call with the agent
       def pre_call_with_agent context, request_handler
         with_contrast_scope do
-          context.service_extract_request
+          context.protect_input_analysis
           request_handler.ruleset.prefilter
         end
       rescue StandardError => e

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -56,6 +56,7 @@ module Contrast
               unless Contrast::Agent::Assess.cs__object_method_prepended?(Marshal, :load, false)
                 apply_marshal_load_alias_patch
               end
+              apply_array_join_prepend_patch if Contrast::Agent::Assess.cs__object_method_prepended?(Array, :join, true)
               true
             end
           end
@@ -121,6 +122,11 @@ module Contrast
             Marshal.alias_method(:cs__marshal_load, :load)
             Marshal.alias_method(:load, :cs__marshal_load)
           end
+
+          # Prepend Contrast::Extension::Assess::ContrastArray to pick up the ContrastArray#join method
+          def apply_array_join_prepend_patch
+            Array.prepend(Contrast::Extension::Assess::ContrastArray)
+          end
         end
       end
     end