contrast-agent 6.7.0 → 6.8.0

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
-require 'contrast/api/dtm.pb'
-require 'contrast/api/settings.pb'
 
 module Contrast
   module Agent
@@ -79,23 +77,25 @@ module Contrast
 
             modes_by_id = {}
             protection_rules.each do |rule|
-              setting_mode = rule[:mode]
-              next unless PROTECT_RULES_MODE.include?(setting_mode)
-
-              api_mode = case setting_mode
-                         when PROTECT_RULES_MODE[1]
-                           ::Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
-                         when PROTECT_RULES_MODE[2]
-                           if rule[:blockAtEntry]
-                             ::Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
+              setting_mode = rule[:mode] || rule['mode']
+              api_mode = if PROTECT_RULES_MODE.include?(setting_mode)
+                           case setting_mode
+                           when PROTECT_RULES_MODE[1]
+                             :MONITOR
+                           when PROTECT_RULES_MODE[2]
+                             if rule[:blockAtEntry] || rule['blockAtEntry']
+                               :BLOCK_AT_PERIMETER
+                             else
+                               :BLOCK
+                             end
                            else
-                             ::Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
+                             :NO_ACTION
                            end
                          else
-                           ::Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
+                           setting_mode.to_sym
                          end
-
-              modes_by_id[rule[:id]] = api_mode
+              id = rule[:id] || rule['id']
+              modes_by_id[id] = api_mode
             end
             modes_by_id
           end

data/lib/contrast/agent/request.rb

@@ -74,7 +74,8 @@ module Contrast
       # @return uri [String]
       def normalized_uri
         @_normalized_uri ||= begin
-          path = rack_request.path_info
+          path = rack_request.path_info || rack_request.path.to_s
+          path = '/' if path.empty?
           uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
           uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
           uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
@@ -142,19 +143,6 @@ module Contrast
         @_body
       end
 
-      # REMOVE_DTM_REQUEST
-      #
-      # Unlike most of our translation, which is called where needed for each
-      # message and forgotten, we'll leave this method to call the build as we
-      # don't want to pay to reconstruct the DTM for this Request multiple
-      # times.
-      #
-      # @return [Contrast::Api::Dtm::HttpRequest] the SpeedRacer compatible
-      #   form of this Request
-      def dtm
-        @_dtm ||= Contrast::Api::Dtm::HttpRequest.build(self)
-      end
-
       # flattened hash of request params
       #
       # @return parameters [Hash]

data/lib/contrast/agent/request_context.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/dtm.pb'
 require 'contrast/utils/timer'
 require 'contrast/agent/request'
 require 'contrast/agent/response'
@@ -24,7 +23,7 @@ module Contrast
       include Contrast::Utils::RequestUtils
       include Contrast::Agent::RequestContextExtend
 
-      EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
+      INPUT_ANALYSIS = Contrast::Agent::Reporting::InputAnalysis.new
 
       # @return [Contrast::Agent::Reporting:ApplicationActivity] the application activity found in this request
       attr_reader :activity
@@ -39,8 +38,8 @@ module Contrast
       attr_reader :response
       # @return [Contrast::Agent::Reporting::RouteDiscovery] the route, used for findings, of this request
       attr_reader :discovered_route
-      # @return [Contrast::Api::Settings::InputAnalysis] the protect input analysis of sources on this request
-      attr_reader :speedracer_input_analysis
+      # @return [Contrast::Agent::Reporting::InputAnalysis]
+      attr_reader :agent_input_analysis
       # @return [Array<String>] the hash of findings already reported fro this request
       attr_reader :reported_findings
       # @return [Contrast::Utils::Timer] when the context was created
@@ -55,15 +54,13 @@ module Contrast
           @logging_hash = { request_id: __id__ }
 
           # instantiate helper for request and response
-          @request = Contrast::Agent::Request.new(rack_request)
+          @request = Contrast::Agent::Request.new(rack_request) if rack_request
           @activity = Contrast::Agent::Reporting::ApplicationActivity.new
 
           # build analyzer
           @do_not_track = false
-          @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
-          speedracer_input_analysis.request = request
-
-          # TODO: RUBY-1627
+          @agent_input_analysis = INPUT_ANALYSIS
+          agent_input_analysis.request = request
 
           # flag to indicate whether the app is fully loaded
           @app_loaded = !!app_loaded

data/lib/contrast/agent/request_context_extend.rb

@@ -20,12 +20,9 @@ module Contrast
     # This class extends RequestContexts: this class acts to encapsulate information about the currently
     # executed request, making it available to the Agent for the duration of the request in a standardized
     # and normalized format which the Agent understands.
-    module RequestContextExtend # rubocop:disable Metrics/ModuleLength
+    module RequestContextExtend
       include Contrast::Utils::CEFLogUtils
       include Contrast::Components::Logger::InstanceMethods
-      BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
-      CEF_LOGGING_RULES = %w[bot-blocker virtual-patch ip-denylist].cs__freeze
-
       # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
       # where it is necessary for our route coverage and finding vulnerability discovery features to function.
       #
@@ -43,55 +40,24 @@ module Contrast
         @request.discovered_route = @discovered_route
       end
 
+      # If protect is enabled for this request, examine said request for any possible attack input. If those inputs
+      # provided match a rule which should block at the perimeter, that will be raised here.
+      #
       # @raise [Contrast::SecurityException]
-      def service_extract_request
+      def protect_input_analysis
         return false unless ::Contrast::AGENT.enabled?
         return false unless ::Contrast::PROTECT.enabled?
         return false if @do_not_track
 
-        service_response = Contrast::Agent&.messaging_queue&.send_event_immediately(@activity.request.dtm)
-        return false unless service_response
-
-        handle_protect_state(service_response)
-        ia = service_response.input_analysis
-        if ia
-          service_extract_logging(ia)
-          # TODO: RUBY-1629
-          # using Agent analysis
-          # initialize_agent_input_analysis request
-
-          @speedracer_input_analysis = ia
-          speedracer_input_analysis.request = request
+        if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
+          @agent_input_analysis = ia
         else
-          logger.trace('Analysis from Contrast Service was empty.')
-          false
+          logger.trace('Analysis from Agent was empty.')
         end
       rescue Contrast::SecurityException => e
         raise(e)
       rescue StandardError => e
-        logger.warn('Unable to extract Contrast Service information from request', e)
-        false
-      end
-
-      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
-      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
-      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
-      #
-      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
-      # @raise[Contrast::SecurityException]
-      def handle_protect_state agent_settings
-        return unless agent_settings&.protect_state
-
-        state = agent_settings.protect_state
-        @uuid = state.uuid
-        @do_not_track = true unless state.track_request
-        return unless state.security_exception
-
-        # make sure the activity get send before the error
-        # If Contrast Service has NOT handled the input analysis, handle them here
-        build_attack_results(agent_settings)
-        logger.debug('Contrast Service said to block this request')
-        raise(Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior')))
+        logger.warn('Unable to extract protect information from request', e)
       end
 
       # append anything we've learned to the request seen message this is the sum-total of all inventory information
@@ -114,111 +80,6 @@ module Contrast
       rescue StandardError => e
         logger.error('Unable to extract information after request', e)
       end
-
-      # This here is for things we don't have implemented
-      def log_to_cef
-        activity.defend.attackers.each { |attacker| logging_logic(attacker.protection_rules) }
-      end
-
-      # @param input_analysis [Contrast::Api::Settings::InputAnalysis]
-      def service_extract_logging input_analysis
-        log_to_cef
-        logger.trace('Analysis from Contrast Service', evaluations: input_analysis.results.length) if logger.trace?
-        logger.trace('Results', input_analysis: input_analysis.inspect) if logger.trace?
-      end
-
-      private
-
-      # Generate attack results directly from any evaluations on the agent settings object.
-      #
-      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
-      def build_attack_results agent_settings
-        return unless agent_settings&.input_analysis&.results&.any?
-
-        results_by_rule = {}
-        agent_settings.input_analysis.results.each do |ia_result|
-          rule_id = ia_result.rule_id
-          rule = ::Contrast::PROTECT.rule(rule_id)
-          next unless rule
-
-          logger.debug(BUILD_ATTACK_LOGGER_MESSAGE, result: ia_result.inspect) if logger.debug?
-          results_by_rule[rule_id] = attack_result(rule, rule_id, ia_result, results_by_rule)
-        end
-
-        results_by_rule.each_pair do |_, attack_result|
-          logger.info('Blocking attack result', rule: attack_result.rule_id)
-          activity.attach_defend(attack_result)
-        end
-      end
-
-      # Generates the attack result
-      #
-      # @param rule [Contrast::Agent::Protect::Rule, Contrast::Agent::Assess::Rule]
-      # @param rule_id [String] String name of the rule
-      # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
-      #   analysis of the input that was determined to be an attack
-      # @param results_by_rule [Hash] attack results from any evaluations on the agent settings object.
-      # @return [Contrast::Api::Dtm::AttackResult] the attack result from this input
-      def attack_result rule, rule_id, ia_result, results_by_rule
-        @_attack_result = if rule.mode == :BLOCK
-                            # special case for rules (like reflected xss) that used to have an infilter / block mode
-                            # but now are just block at perimeter
-                            rule.build_attack_with_match(self, ia_result, results_by_rule[rule_id], ia_result.value)
-                          else
-                            rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
-                          end
-      end
-
-      # @param protection_rules [Array<rule_id => Contrast::Agent::Reporting::ApplicationDefendAttackActivity>] Array
-      # of all protection rules per active attackers of this request life cycle.
-      def logging_logic protection_rules
-        protection_rules.any? do |rule_id, activity|
-          next unless CEF_LOGGING_RULES.include?(rule_id)
-
-          outcome = activity.response_type
-          rule_details = details_builder(outcome, activity)
-          case rule_id
-          when /bot-blocker/i
-            cef_logger.bot_blocking_message(rule_details.to_controlled_hash, outcome) if rule_details
-          when /virtual-patch/i
-            cef_logger.virtual_patch_message(rule_details.to_controlled_hash, outcome) if rule_details
-          when /ip-denylist/i
-            sender_ip = extract_sender_ip
-            next unless sender_ip
-            next unless rule_details && rule_details.ip == sender_ip
-
-            cef_logger.ip_denylisted_message(sender_ip, rule_details.to_controlled_hash, outcome)
-          end
-        end
-      end
-
-      # @param outcome [Symbol<Contrast::Agent::Reporting::ResponseType>]
-      # @param activity [Contrast::Agent::Reporting::ApplicationDefendAttackActivity]
-      def details_builder outcome, activity
-        case outcome
-        when ::Contrast::Agent::Reporting::ResponseType::BLOCKED
-          blocked = activity.blocked
-          get_details(blocked)
-        when ::Contrast::Agent::Reporting::ResponseType::MONITORED
-          exploited = activity.exploited
-          get_details(exploited)
-        when ::Contrast::Agent::Reporting::ResponseType::PROBED
-          ineffective = activity.ineffective
-          get_details(ineffective)
-        when ::Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
-          activity.suspicious.samples[0].details
-          suspicious = activity.suspicious
-          get_details(suspicious)
-        end
-      end
-
-      # @param type [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
-      # @return details [Contrast::Agent::Reporting::ProtectRuleDetails] depends on rule
-      def get_details type
-        sample = nil
-        sample = type.samples[0] unless type.samples.empty?
-        sample&.details
-      end
     end
   end
 end

data/lib/contrast/agent/thread_watcher.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
-require 'contrast/agent/service_heartbeat'
-require 'contrast/api/communication/messaging_queue'
 require 'contrast/agent/reporting/report'
 require 'contrast/agent/reporting/reporter_heartbeat'
 require 'contrast/agent/telemetry/base'
@@ -16,10 +14,6 @@ module Contrast
 
       # @return [Contrast::Utils::HeapDumpUtil]
       attr_reader :heapdump_util
-      # @return [Contrast::Agent::ServiceHeartbeat, nil]
-      attr_reader :heartbeat
-      # @return [Contrast::Api::Communication::MessagingQueue, nil]
-      attr_reader :messaging_queue
       # @return [Contrast::Agent::Reporter]
       attr_reader :reporter
       # @return [Contrast::Agent::ReporterHeartbeat]
@@ -28,10 +22,6 @@ module Contrast
       def initialize
         @pids = {}
         @heapdump_util = Contrast::Utils::HeapDumpUtil.new
-        unless ::Contrast::CONTRAST_SERVICE.unnecessary?
-          @heartbeat = Contrast::Agent::ServiceHeartbeat.new
-          @messaging_queue = Contrast::Api::Communication::MessagingQueue.new
-        end
         @reporter = Contrast::Agent::Reporter.new
         @reporter_heartbeat = Contrast::Agent::ReporterHeartbeat.new
         @telemetry = Contrast::Agent::Telemetry::Base.new if Contrast::Agent::Telemetry::Base.enabled?
@@ -42,16 +32,13 @@ module Contrast
         return unless ::Contrast::AGENT.enabled?
 
         logger.debug('ThreadWatcher started threads')
-        heartbeat_status = init_thread(heartbeat)
-        messaging_status = init_thread(messaging_queue)
-        @pids[Process.pid] = messaging_status && heartbeat_status
+        reporter_status = init_thread(reporter)
+        reporter_heartbeat_status = init_thread(reporter_heartbeat)
+        @pids[Process.pid] = reporter_status && reporter_heartbeat_status
         if Contrast::Agent::Telemetry::Base.enabled?
           telemetry_status = init_thread(telemetry_queue)
           @pids[Process.pid] = @pids[Process.pid] && telemetry_status
         end
-        reporter_status = init_thread(reporter)
-        reporter_heartbeat_status = init_thread(reporter_heartbeat)
-        @pids[Process.pid] = @pids[Process.pid] && reporter_status && reporter_heartbeat_status
         @pids
       end
 
@@ -63,8 +50,6 @@ module Contrast
       end
 
       def shutdown!
-        heartbeat&.stop!
-        messaging_queue&.stop!
         heapdump_util&.stop!
         telemetry_queue&.stop!
         reporter&.stop!

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.7.0'
+    VERSION = '6.8.0'
   end
 end

data/lib/contrast/agent.rb

@@ -42,9 +42,6 @@ require 'contrast/utils/thread_tracker'
 # Framework support
 require 'contrast/framework/manager'
 
-# Communication to SR
-require 'contrast/api/communication'
-
 require 'contrast/agent/thread_watcher'
 
 module Contrast
@@ -66,11 +63,6 @@ module Contrast
       thread_watcher.heapdump_util
     end
 
-    # @return [nil, Contrast::Api::Communication::MessagingQueue]
-    def self.messaging_queue
-      thread_watcher.messaging_queue
-    end
-
     # @return [nil, Contrast::Agent::Telemetry::Base]
     def self.telemetry_queue
       thread_watcher.telemetry_queue
@@ -87,14 +79,11 @@ module Contrast
   end
 end
 
-require 'contrast/api'
-
 require 'contrast/utils/resource_loader'
 require 'contrast/utils/duck_utils'
 require 'contrast/agent/tracepoint_hook'
 require 'contrast/agent/at_exit_hook'
 
-# communication with contrast service
 require 'contrast/agent/exclusion_matcher'
 
 # threads that handle contrast scope

data/lib/contrast/agent_lib/api/command_injection.rb

@@ -0,0 +1,46 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+require 'ffi'
+# require the gem
+require 'contrast-agent-lib'
+
+module Contrast
+  module AgentLib
+    # This module is defined in Rust as external, we used it here.
+    # Initializes the AgentLib. Here will be all methods from
+    # the C bindings  contrast_c::cmdi_semantic_chained_command module.
+    module CommandInjection
+      extend FFI::Library
+      ffi_lib ContrastAgentLib::CONTRAST_C
+
+      attach_function :get_index_of_chained_command, [:string], :long_long
+      attach_function :does_command_contain_dangerous_path, [:string], :int
+
+      private
+
+      # Checks that a given shell command contained a chained command.
+      # This is used for the cmd-injection-semantic-chained-commands rule.
+      #
+      # @param cmd [String] command to check.
+      # @return index[Integer] Returns the index of the command chaining if found.
+      # If the chaining index is >= 0, an injection is detected. Returns -1 when
+      # no command chaining is found.
+      def dl__index_of_chained_command cmd
+        get_index_of_chained_command(cmd)
+      end
+
+      # Checks if a given shell command is trying to access a dangerous path.
+      # This is used for the cmd-injection-semantic-dangerous-paths rule.
+      #
+      # @param path [String] path to check.
+      # @return index[Boolean] Returns 1 if a dangerous path is found.
+      # Returns 0 if no dangerous paths are found.
+      def dl__dangerous_path? path
+        return false if does_command_contain_dangerous_path(path).zero?
+
+        true
+      end
+    end
+  end
+end

data/lib/contrast/agent_lib/api/init.rb

@@ -0,0 +1,101 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+require 'ffi'
+# require the gem
+require 'contrast-agent-lib'
+
+module Contrast
+  module AgentLib
+    # This module is defined in Rust as external, we used it here.
+    # Initializes the AgentLib. Here will be all methods from
+    # the C bindings agent_init mod.
+    module Init
+      extend FFI::Library
+      ffi_lib ContrastAgentLib::CONTRAST_C
+
+      # Init
+      #
+      # 0 => OK, -1 => Err
+      # The attach function could be called also like this:
+      # attach_function :ruby_name, :c_name, [ :params ], :returns, { :options => values }
+      # an that way we define a ruby_name for the C method, but we alias to make a documentation
+      # for the method.
+      #
+      # Also we extend the FFI::Library inside this module so we could also redefine the
+      # attach_function to our taste, not worry about it leaking outside of this module.
+      #
+      # @param [Symbol] Name of required function.
+      # @param [Array] An array of argument types.
+      # @return [Integer] Return type of the function.
+      attach_function :init, [], :int
+
+      # TODO: RUBY-1693
+      #  Initialize agent lib without any optional settings. To set optional settings consider using
+      # `init_with_options` instead If you want to enable logging, it must be set using environment variables
+      # `CONTRAST_AGENTLIB_LOG_LEVEL` - set to log level.  Must of one of ERROR, WARN, INFO, DEBUG or TRACE
+      # `CONTRAST_AGENTLIB_LOG_DIR` - must point to an accessible directory where logs will be written.
+      #  The name of the log file
+      # is auto-generated and cannot be set. The format is 'libcontrast_<date>_<process_id>.log'
+      #
+      # If these environment variables are not present during `init`, agent-lib will be initialized with
+      # logging disabled and you will not be able to re-enable it using `change_log_settings`
+      # @param [Symbol] Name of required function.
+      # @param [Array] An array of argument types.
+      # @return [Integer] Return type of the function.
+      attach_function :init_with_options, %i[bool string string], :int
+
+      # TODO: RUBY-1693
+      # Change log settings for agent lib after it's been initialized.  This api must be used after init
+      #
+      # Safety
+      # The `log_level` parameter must point to must point to an UTF-8 encoded string C-string
+      # @param enable_logging [Boolean] flag to enable or disable logging.
+      # @param log_level [String] UTF-8 encoded string indicating the maximum log level
+      # if logging is enabled
+      attach_function :change_log_settings, %i[bool string], :int
+
+      # TODO: RUBY-1693
+      # Initialize AgentLib with options.
+      # If init returns 0 = successful setup with options
+      # if init returns 1 = unsuccessful setup with options
+      #
+      # @param enable_logging [Boolean] flag to enable or disable logging.
+      # @param log_dir [String] path to existing log directory.
+      # @param log_level [String] OFF, ERROR, WARN, INFO, DEBUG or TRACE.
+      # @return [Boolean] true if initialized false if not.
+      def dl__init_with_options enable_logging, log_dir, log_level
+        # This is useful for scope sensitive string pointers, if function ends and
+        # you need them to be picked up after the C function.
+        init_with_options(enable_logging, log_dir, log_level).zero?
+      end
+
+      private
+
+      # Initialize AgentLib without options. Log level could not be set after.
+      # If you want to set the log levels you can do it be ENV variables:
+      # EVN [CONTRAST_AGENTLIB_LOG_LEVEL] - set to log level.  Must of one of ERROR, WARN, INFO, DEBUG or TRACE
+      # ENV['CONTRAST_AGENTLIB_LOG_DIR'] - must point to an accessible directory where logs will be written.
+      # The name of the log file.
+      #
+      # @return [Boolean] true if initialized, false if not.
+      def dl__init
+        init.zero?
+      end
+
+      # TODO: RUBY-1693
+      # Change the log settings. This api must be called after the dl__init_with_options.
+      #
+      # @param enable_log [Boolean] flag to enable or disable logging this sets the inner flag.
+      # @param log_level [String] OFF, ERROR, WARN, INFO, DEBUG or TRACE.
+      # @return [Boolean] true if initialized false if not.
+      def dl__change_log_settings enable_log, log_level
+        # transform to C strings pointers here and pass to function.
+        log_dir_pointer = FFI::MemoryPointer.from_string(log_level.dup.force_encoding('UTF-8'))
+        return true if change_log_settings(enable_log, log_dir_pointer).zero?
+
+        false
+      end
+    end
+  end
+end