contrast-agent 6.7.0 → 6.8.0

data/lib/contrast/config/protect_rules_configuration.rb

@@ -10,9 +10,18 @@ module Contrast
       include Contrast::Config::BaseConfiguration
 
       attr_accessor :disabled_rules
-      attr_writer :bot_blocker, :cmd_injection, :sql_injection, :nosql_injection, :untrusted_deserialization,
-                  :xxe, :path_traversal, :reflected_xss, :unsafe_file_upload, :rule_base, :cmdi_command_backdoors,
-                  :sqli_dangerous_function
+      attr_reader :bot_blocker,
+                  :cmd_injection, :cmdi_command_backdoors,
+                  :cmd_injection_semantic_chained_commands, :cmd_injection_semantic_dangerous_paths,
+                  :method_tampering,
+                  :nosql_injection,
+                  :path_traversal, :path_traversal_semantic_file_security_bypass,
+                  :reflected_xss,
+                  :sql_injection, :sqli_dangerous_function,
+                  :unsafe_file_upload,
+                  :untrusted_deserialization,
+                  :xxe,
+                  :rule_base
 
       BASE_RULE = 'Contrast::Agent::Protect::Rule::Base'.cs__freeze
 
@@ -23,73 +32,26 @@ module Contrast
         @rule_base = Contrast::Config::ProtectRuleConfiguration.new(hsh[BASE_RULE.to_sym])
         @bot_blocker = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'bot-blocker'])
         @cmd_injection = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection'])
+        @cmdi_command_backdoors =
+          Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection-command-backdoors'])
+        @cmdi_chained_command =
+          Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection-semantic-chained-commands'])
+        @cmdi_dangerous_path =
+          Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection-semantic-dangerous-paths'])
         @method_tampering = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'method-tampering'])
         @nosql_injection = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'nosql-injection'])
         @path_traversal = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'path-traversal'])
+        @path_traversal_semantic_file_security_bypass =
+          Contrast::Config::ProtectRuleConfiguration.new(hsh[:'path-traversal-semantic-file-security-bypass'])
         @reflected_xss = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'reflected-xss'])
         @sql_injection = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'sql-injection'])
         @sqli_dangerous_function =
           Contrast::Config::ProtectRuleConfiguration.new(hsh[:'sql-injection-semantic-dangerous-functions'])
         @unsafe_file_upload = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'unsafe-file-upload'])
         @untrusted_deserialization = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'untrusted-deserialization'])
-        @cmdi_command_backdoors = Contrast::Config::ProtectRuleConfiguration.new(hsh[
-                                                                                   :'cmd-injection-command-backdoors'
-                                                                                 ])
         @xxe = Contrast::Config::ProtectRuleConfiguration.new(hsh[:xxe])
       end
 
-      def bot_blocker
-        @bot_blocker ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def cmd_injection
-        @cmd_injection ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def sql_injection
-        @sql_injection ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def nosql_injection
-        @nosql_injection ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def untrusted_deserialization
-        @untrusted_deserialization ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def method_tampering
-        @method_tampering ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def xxe
-        @xxe ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def path_traversal
-        @path_traversal ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def reflected_xss
-        @reflected_xss ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def unsafe_file_upload
-        @unsafe_file_upload ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def cmdi_command_backdoors
-        @cmdi_command_backdoors ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def rule_base
-        @rule_base ||= Contrast::Config::ProtectRuleConfiguration.new
-      end
-
-      def sqli_dangerous_function
-        @sqli_dangerous_function = Contrast::Config::ProtectRuleConfiguration.new
-      end
-
       def []= key, value
         instance_variable_set("@#{ convert_key(key) }".to_sym, value)
       end

data/lib/contrast/configuration.rb

@@ -13,7 +13,6 @@ require 'contrast/components/scope'
 require 'contrast/components/inventory'
 require 'contrast/components/protect'
 require 'contrast/components/assess'
-require 'contrast/components/service'
 require 'contrast/config/server_configuration'
 
 module Contrast
@@ -44,14 +43,12 @@ module Contrast
     attr_writer :inventory
     # @return [Contrast::Components::Protect::Interface]
     attr_writer :protect
-    # @return [Contrast::Components::Service::Interface]
-    attr_writer :service
     # @return [Boolean, nil]
     attr_accessor :enable
 
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
     MILLISECOND_MARKER = '_ms'
-    CONVERSION = { 'agent.service.enable' => 'agent.start_bundled_service' }.cs__freeze
+    CONVERSION = {}.cs__freeze
     CONFIG_BASE_PATHS = ['', 'config/', '/etc/contrast/ruby/', '/etc/contrast/', '/etc/'].cs__freeze
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
@@ -77,7 +74,6 @@ module Contrast
       @assess = Contrast::Components::Assess::Interface.new(config_kv[:assess])
       @inventory = Contrast::Components::Inventory::Interface.new(config_kv[:inventory])
       @protect = Contrast::Components::Protect::Interface.new(config_kv[:protect])
-      @service = Contrast::Components::Service::Interface.new(config_kv[:service])
     end
 
     # Get a loggable YAML format of this configuration
@@ -122,11 +118,6 @@ module Contrast
       @protect ||= Contrast::Components::Protect::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
     end
 
-    # @return [Contrast::Components::Service::Interface]
-    def service
-      @service ||= Contrast::Components::Service::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
-    end
-
     protected
 
     # TODO: RUBY-546 move utility methods to auxiliary classes

data/lib/contrast/extension/assess/array.rb

@@ -5,6 +5,7 @@ require 'contrast/agent/patching/policy/patch'
 require 'contrast/agent/patching/policy/patcher'
 require 'contrast/components/scope'
 require 'contrast/agent/assess/events/event_data'
+require 'cs__assess_array/cs__assess_array'
 
 module Contrast
   module Extension
@@ -61,6 +62,14 @@ module Contrast
           end
         end
       end
+
+      # Helper module to call cs__join
+      module ContrastArray
+        def join *args
+          cs__join(*args)
+          super(*args)
+        end
+      end
     end
   end
 end

data/lib/contrast/extension/delegator.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'delegate'
+
 # Some developers override various methods on Delegator, which can often
 # involve changing expected method parity/behavior which in turn prevents us
 # from being able to reliably use affected methods. Let's alias these methods

data/lib/contrast/framework/manager.rb

@@ -71,9 +71,11 @@ module Contrast
         first_framework_result(:application_name, 'root')
       end
 
+      # @return app_root [String] path
       def app_root
         found = first_framework_result(:application_root, nil)
-        found || ::Rack::Directory.new('').root
+        found ||= ::Rack::Directory.new('').root
+        found.to_s
       end
 
       # Build a request from the provided env, based on the framework(s) we're currently supporting.

data/lib/contrast/framework/rails/railtie.rb

@@ -25,7 +25,6 @@ module Contrast
         end
 
         rake_tasks do
-          load 'contrast/tasks/service.rb'
           load 'contrast/tasks/config.rb'
         end
       end

data/lib/contrast/framework/rails/support.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/dtm.pb'
 require 'contrast/framework/base_support'
 require 'contrast/framework/rails/patch/support'
 require 'contrast/utils/string_utils'

data/lib/contrast/tasks/config.rb

@@ -7,7 +7,7 @@ require 'contrast/agent/reporting/reporter'
 
 module Contrast
   # A Rake task to generate a contrast_security.yaml file with some basic settings
-  module Config # rubocop:disable Metrics/ModuleLength
+  module Config
     extend Rake::DSL
     DEFAULT_CONFIG = {
         'api' => {
@@ -17,13 +17,6 @@ module Contrast
             'user_name' => 'Enter your Contrast user name'
         },
         'agent' => {
-            'service' => {
-                'logger' => {
-                    'path' => 'contrast_service.log',
-                    'level' => 'ERROR' # DEBUG | INFO | WARN | ERROR
-                },
-                'socket' => '/tmp/contrast_service.sock'
-            },
             'logger' => {
                 'level' => 'ERROR',
                 'path' => 'contrast_agent.log'

data/lib/contrast/utils/duck_utils.rb

@@ -13,6 +13,7 @@ module Contrast
         # @param method [Symbol]
         # @return [Boolean]
         def quacks_to? object, method
+          object.cs__respond_to?(method)
           return true if object.cs__respond_to?(method)
           return false unless object.is_a?(Delegator)
 

data/lib/contrast/utils/input_classification_base.rb

@@ -0,0 +1,156 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will include all the similar information for all input classifications
+        # between different rules
+        module InputClassificationBase
+          UNKNOWN_KEY = 'unknown'
+          THRESHOLD = 90.cs__freeze
+          WORTHWATCHING_THRESHOLD = 10.cs__freeze
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Components::Logger::InstanceMethods
+
+          KEYS_NEEDED = [COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE].cs__freeze
+
+          # Input Classification stage is done to determine if an user input is
+          # DEFINITEATTACK or to be ignored.
+          #
+          # @param rule_id [String] Name of the protect rule.
+          # @param input_type [Symbol, Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+          def classify rule_id, input_type, value, input_analysis
+            return unless (rule = Contrast::PROTECT.rule(rule_id))
+            return unless rule.applicable_user_inputs.include?(input_type)
+            return unless input_analysis.request
+
+            Array(value).each do |val|
+              Array(val).each do |v|
+                next unless v
+
+                result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, v)
+                input_analysis.results << result unless result.nil?
+              end
+            end
+
+            input_analysis
+          rescue StandardError => e
+            logger.debug("An Error was recorded in the input classification of the #{ rule_id }")
+            logger.debug(e)
+          end
+
+          # Creates new isntance of InputAnalysisResult with basic info.
+          #
+          # @param rule_id [String] The name of the Protect Rule.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param path [String] the path of the current request context.
+          #
+          # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          def new_ia_result rule_id, input_type, path, value = nil
+            res = Contrast::Agent::Reporting::InputAnalysisResult.new
+            res.rule_id = rule_id
+            res.input_type = input_type
+            res.path = path
+            res.value = value
+            res
+          end
+
+          # This methods checks if input is value that matches a key in the input.
+          #
+          # @param request [Contrast::Agent::Request] the current request context.
+          # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          #
+          # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
+          def add_needed_key request, result, input_type, value
+            case input_type
+            when COOKIE_VALUE
+              result.key = request.cookies.key(value)
+            when PARAMETER_VALUE, URL_PARAMETER
+              result.key = request.parameters.key(value)
+            when HEADER
+              result.key = request.headers.key(value)
+            when UNKNOWN
+              result.key = UNKNOWN_KEY
+            else
+              result.key
+            end
+          rescue StandardError => e
+            logger.warn('Could not find proper key for input traced value', message: e)
+          end
+
+          # Some input types are not yet supported from the AgentLib.
+          # This will convert the type to the closet possible if viable,
+          # so that the input tracing could be done.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @return [Integer<Contrast::AgentLib::Interface::INPUT_SET>]
+          def convert_input_type input_type
+            case input_type
+            when BODY, DWR_VALUE
+              Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
+            when HEADER
+              Contrast::AGENT_LIB.input_set[:HEADER_VALUE]
+            when MULTIPART_VALUE, MULTIPART_FIELD_NAME
+              Contrast::AGENT_LIB.input_set[:MULTIPART_NAME]
+            else
+              Contrast::AGENT_LIB.input_set[input_type]
+            end
+          rescue StandardError
+            Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
+          end
+
+          private
+
+          # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+          # key if needed and Creates new instance of InputAnalysisResult.
+          #
+          # @param request [Contrast::Agent::Request] the current request context.
+          # @param rule_id [String] The name of the Protect Rule.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          #
+          # @return res [Contrast::Agent::Reporting::InputAnalysisResult, nil]
+          def create_new_input_result request, rule_id, input_type, value
+            return unless Contrast::AGENT_LIB
+
+            input_eval = Contrast::AGENT_LIB.eval_input(value,
+                                                        convert_input_type(input_type),
+                                                        Contrast::AGENT_LIB.rule_set[rule_id],
+                                                        Contrast::AGENT_LIB.
+                                                          eval_option[:WORTHWATCHING])
+
+            ia_result = new_ia_result(rule_id, input_type, request.path, value)
+            score = input_eval&.score || 0
+            if score >= WORTHWATCHING_THRESHOLD
+              ia_result.score_level = WORTHWATCHING
+              ia_result.ids << self::WORTHWATCHING_MATCH
+            else
+              ia_result.score_level = IGNORE
+              return
+            end
+
+            add_needed_key(request, ia_result, input_type, value) if KEYS_NEEDED.include?(input_type)
+            ia_result
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/os.rb

@@ -13,26 +13,6 @@ module Contrast
       extend Contrast::Components::Scope::InstanceMethods
 
       class << self
-        def running?
-          result = false
-          with_contrast_scope do
-            process = `ps aux | grep contrast-servic[e]`
-            processes = process.split("\n")
-            result = !processes.empty? && processes.any? { |process_descriptor| !process_descriptor.include?('grep') }
-          end
-          result
-        end
-
-        # check if service was killed and is a zombie process
-        # returns an array of zombie process PIDs as strings; empty array if there are none
-        def zombie_pids
-          with_contrast_scope do
-            # retrieve pid of service processes
-            zombie_pid_list = `ps aux | grep contrast-servic[e] | grep Z | awk '{print $2}'`
-            zombie_pid_list.split("\n")
-          end
-        end
-
         # Check current OS type
         # returns true if check is correct or false if not
         def windows?

data/lib/contrast/utils/response_utils.rb

@@ -7,22 +7,6 @@ module Contrast
     module ResponseUtils
       private
 
-      # From the dtm for normalized_response_headers:
-      #   Key is UPPERCASE_UNDERSCORE
-      #
-      #   Example: Content-Type: text/html; charset=utf-8
-      #   "CONTENT_TYPE" => Content-Type,["text/html; charset=utf8"]
-      def append_pair map, key, value
-        return unless key && value
-        return if value.is_a?(Hash)
-
-        safe_key = Contrast::Utils::StringUtils.force_utf8(key)
-        hash_key = Contrast::Utils::StringUtils.normalized_key(safe_key)
-        map[hash_key] ||= Contrast::Api::Dtm::Pair.new
-        map[hash_key].key = safe_key
-        map[hash_key].values << Contrast::Utils::StringUtils.force_utf8(value)
-      end
-
       HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
 
       # Given some holder of the content of the response's body, extract that

data/lib/contrast/utils/stack_trace_utils.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/reporting_events/application_defend_attack_sample_stack'
-require 'contrast/api'
 
 module Contrast
   module Utils
@@ -33,16 +32,7 @@ module Contrast
         end
 
         # Call and translate a caller_locations array to an array of
-        # StackTraceElement for TeamServer to display, excluding any Contrast
-        # code found.
-        #
-        # @return [Array<Contrast::Api::Dtm::StackTraceElement>]
-        def build_protect_stack_array
-          build_protect_stack(Contrast::Api::Dtm::StackTraceElement)
-        end
-
-        # Call and translate a caller_locations array to an array of
-        # StackTraceElement for TeamServer to display, excluding any Contrast
+        # ApplicationDefendAttackSampleStack for TeamServer to display, excluding any Contrast
         # code found.
         #
         # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack>]
@@ -59,10 +49,8 @@ module Contrast
           end
         end
 
-        # @param clazz [Class] Contrast::Api::Dtm::StackTraceElement or
-        #   Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack
-        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack|
-        #   Contrast::Api::Dtm::StackTraceElement>]
+        # @param clazz [Class] Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack
+        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack>]
         def build_protect_stack clazz
           stack = caller(3, 21)
           return [] unless stack

data/lib/contrast/utils/string_utils.rb

@@ -22,13 +22,6 @@ module Contrast
           !str.nil? && !str.to_s.empty?
         end
 
-        def protobuf_format data, truncate: true
-          data = data&.to_s
-          data = Contrast::Utils::StringUtils.force_utf8(data)
-          data = Contrast::Utils::StringUtils.truncate(data) if truncate
-          data
-        end
-
         # Protobuf has a very strict typing. Nil is not a String and will throw
         # an exception if you try to set it. Use this to be safe.
         # Uses the object share to avoid creating several new strings per request
@@ -93,6 +86,16 @@ module Contrast
             @_normalized_keys[str] = cut
           end
         end
+
+        # transform string from snake_case to Capitalized Text
+        #
+        # @param str[String] string to transform
+        # @return [String]
+        def transform_string str
+          return unless str
+
+          str.split('-').map(&:capitalize).join(' ')
+        end
       end
     end
   end

data/lib/contrast.rb

@@ -55,7 +55,6 @@ end
 
 require 'contrast/components/assess'
 require 'contrast/components/config'
-require 'contrast/components/contrast_service'
 require 'contrast/components/logger'
 require 'contrast/components/protect'
 require 'contrast/components/sampling'
@@ -64,7 +63,7 @@ require 'contrast/components/settings'
 require 'contrast/utils/telemetry_hash'
 require 'contrast/utils/telemetry'
 require 'contrast/agent/telemetry/events/exceptions/telemetry_exception_event'
-require 'protobuf' # TODO: RUBY-1438
+require 'contrast/agent_lib/interface'
 
 module Contrast
   CONFIG = Contrast::Components::Config::Interface.new
@@ -76,7 +75,7 @@ module Contrast
   INVENTORY = CONFIG.inventory
   AGENT = CONFIG.agent
   LOGGER = AGENT.logger
-  CONTRAST_SERVICE = Contrast::Components::ContrastService::Interface.new
+  AGENT_LIB = Contrast::AgentLib::Interface.new
   APP_CONTEXT = CONFIG.application
 end
 

data/resources/protect/policy.json

@@ -251,8 +251,7 @@
           }
         }
       ]
-    },
-    {
+    }, {
       "name": "sql-injection",
       "applicator": "Contrast::Agent::Protect::Policy::AppliesSqliRule",
       "applicator_method": "apply_rule",

data/ruby-agent.gemspec

@@ -117,7 +117,8 @@ end
 def self.add_dependencies spec
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
   spec.add_dependency 'rack', '~> 2.0'
-  spec.add_dependency 'activesupport', '>= 3.2' # TODO: RUBY-1438 remove w/ protobuf code
+  spec.add_dependency 'contrast-agent-lib', '~> 0.1.0'
+  spec.add_dependency 'ffi', '~> 1.0'
 end
 
 # Enumerate the files required to build the Agent.
@@ -136,9 +137,6 @@ def self.add_files spec
         f.match(/(.*\.ya?ml)/)
   end
 
-  spec.files << 'lib/contrast/api/dtm.pb.rb'
-  spec.files << 'lib/contrast/api/settings.pb.rb'
-  spec.files += Dir['service_executables/**/*']
   spec.files += Dir['funchook/**/*']
   spec.files += Dir['shared_libraries/**/*']
 
@@ -179,7 +177,6 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ['>= 2.7.0', '< 3.2.0']
 
   spec.bindir        = 'exe'
-  spec.executables   = ['contrast_service']
   # Keep cs__common first, it handles funchook.h right now.
   spec.extensions = Dir['ext/cs__common/extconf.rb', 'ext/**/extconf.rb']
   spec.require_paths = ['lib']