RubyGems - contrast-agent - Versions diffs - 6.7.0 → 6.9.0 - Mend

contrast-agent 6.7.0 → 6.9.0

Files changed (280) hide show

checksums.yaml +4 -4
data/.gitignore +0 -2
data/.simplecov +0 -1
data/Rakefile +0 -1
data/ext/cs__assess_array/cs__assess_array.c +41 -10
data/ext/cs__assess_array/cs__assess_array.h +4 -1
data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -3
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
data/lib/contrast/agent/assess/property/evented.rb +11 -11
data/lib/contrast/agent/assess.rb +0 -1
data/lib/contrast/agent/excluder.rb +53 -35
data/lib/contrast/agent/exclusion_matcher.rb +21 -9
data/lib/contrast/agent/middleware.rb +12 -6
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +116 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +47 -55
data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +20 -2
data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +64 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +63 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +40 -13
data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
data/lib/contrast/agent/protect/rule/sqli.rb +74 -3
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
data/lib/contrast/agent/protect/rule/xss.rb +15 -20
data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +19 -40
data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
data/lib/contrast/agent/reporting/report.rb +1 -0
data/lib/contrast/agent/reporting/reporter.rb +35 -14
data/lib/contrast/agent/reporting/reporter_heartbeat.rb +3 -9
data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +16 -13
data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +12 -7
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +6 -1
data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/finding.rb +6 -6
data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +239 -93
data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +10 -23
data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +10 -9
data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +12 -0
data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +8 -0
data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +43 -1
data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +8 -4
data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +58 -4
data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +4 -6
data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +77 -16
data/lib/contrast/agent/reporting/server_settings_worker.rb +44 -0
data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +14 -2
data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
data/lib/contrast/agent/reporting/settings/helpers.rb +7 -0
data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +39 -2
data/lib/contrast/agent/reporting/settings/rule_definition.rb +3 -0
data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
data/lib/contrast/agent/reporting/settings/server_features.rb +9 -0
data/lib/contrast/agent/reporting/settings/syslog.rb +34 -5
data/lib/contrast/agent/request.rb +3 -14
data/lib/contrast/agent/request_context.rb +6 -9
data/lib/contrast/agent/request_context_extend.rb +9 -148
data/lib/contrast/agent/request_handler.rb +5 -10
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +1 -1
data/lib/contrast/agent/thread_watcher.rb +37 -18
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/agent.rb +6 -11
data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
data/lib/contrast/agent_lib/api/init.rb +101 -0
data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
data/lib/contrast/agent_lib/api/panic.rb +87 -0
data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
data/lib/contrast/agent_lib/interface.rb +260 -0
data/lib/contrast/agent_lib/interface_base.rb +118 -0
data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
data/lib/contrast/agent_lib/test.rb +29 -0
data/lib/contrast/api/communication/connection_status.rb +20 -5
data/lib/contrast/components/agent.rb +34 -14
data/lib/contrast/components/api.rb +23 -0
data/lib/contrast/components/app_context.rb +23 -5
data/lib/contrast/components/app_context_extend.rb +0 -25
data/lib/contrast/components/assess.rb +34 -4
data/lib/contrast/components/assess_rules.rb +18 -0
data/lib/contrast/components/base.rb +40 -0
data/lib/contrast/components/config/sources.rb +95 -0
data/lib/contrast/components/config.rb +19 -19
data/lib/contrast/components/heap_dump.rb +10 -0
data/lib/contrast/components/inventory.rb +15 -2
data/lib/contrast/components/logger.rb +18 -0
data/lib/contrast/components/polling.rb +36 -0
data/lib/contrast/components/protect.rb +52 -2
data/lib/contrast/components/ruby_component.rb +16 -1
data/lib/contrast/components/sampling.rb +70 -13
data/lib/contrast/components/security_logger.rb +13 -0
data/lib/contrast/components/settings.rb +105 -90
data/lib/contrast/config/certification_configuration.rb +14 -0
data/lib/contrast/config/config.rb +46 -0
data/lib/contrast/config/diagnostics.rb +114 -0
data/lib/contrast/config/diagnostics_tools.rb +98 -0
data/lib/contrast/config/effective_config.rb +65 -0
data/lib/contrast/config/effective_config_value.rb +32 -0
data/lib/contrast/config/exception_configuration.rb +12 -0
data/lib/contrast/config/protect_rule_configuration.rb +8 -8
data/lib/contrast/config/protect_rules_configuration.rb +23 -60
data/lib/contrast/config/request_audit_configuration.rb +13 -0
data/lib/contrast/config/server_configuration.rb +41 -2
data/lib/contrast/configuration.rb +29 -12
data/lib/contrast/extension/assess/array.rb +9 -0
data/lib/contrast/extension/assess/erb.rb +1 -1
data/lib/contrast/extension/delegator.rb +2 -0
data/lib/contrast/framework/manager.rb +3 -1
data/lib/contrast/framework/rails/railtie.rb +0 -1
data/lib/contrast/framework/rails/support.rb +0 -1
data/lib/contrast/tasks/config.rb +1 -8
data/lib/contrast/utils/assess/event_limit_utils.rb +31 -9
data/lib/contrast/utils/assess/trigger_method_utils.rb +5 -4
data/lib/contrast/utils/duck_utils.rb +1 -0
data/lib/contrast/utils/hash_digest.rb +2 -2
data/lib/contrast/utils/input_classification_base.rb +155 -0
data/lib/contrast/utils/os.rb +0 -20
data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +81 -0
data/lib/contrast/utils/response_utils.rb +0 -16
data/lib/contrast/utils/routes_sent.rb +60 -0
data/lib/contrast/utils/stack_trace_utils.rb +3 -15
data/lib/contrast/utils/string_utils.rb +10 -7
data/lib/contrast/utils/telemetry_client.rb +1 -2
data/lib/contrast/utils/timer.rb +16 -0
data/lib/contrast.rb +5 -4
data/resources/protect/policy.json +1 -2
data/ruby-agent.gemspec +7 -6
metadata +69 -130
data/exe/contrast_service +0 -23
data/lib/contrast/agent/assess/contrast_event.rb +0 -157
data/lib/contrast/agent/assess/events/event_factory.rb +0 -34
data/lib/contrast/agent/assess/events/source_event.rb +0 -46
data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
data/lib/contrast/agent/reaction_processor.rb +0 -47
data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +0 -36
data/lib/contrast/agent/service_heartbeat.rb +0 -35
data/lib/contrast/api/communication/messaging_queue.rb +0 -128
data/lib/contrast/api/communication/response_processor.rb +0 -90
data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
data/lib/contrast/api/communication/socket.rb +0 -44
data/lib/contrast/api/communication/socket_client.rb +0 -130
data/lib/contrast/api/communication/speedracer.rb +0 -138
data/lib/contrast/api/communication/tcp_socket.rb +0 -32
data/lib/contrast/api/communication/unix_socket.rb +0 -28
data/lib/contrast/api/communication.rb +0 -20
data/lib/contrast/api/decorators/address.rb +0 -59
data/lib/contrast/api/decorators/agent_startup.rb +0 -56
data/lib/contrast/api/decorators/application_settings.rb +0 -43
data/lib/contrast/api/decorators/application_startup.rb +0 -56
data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
data/lib/contrast/api/decorators/http_request.rb +0 -137
data/lib/contrast/api/decorators/input_analysis.rb +0 -18
data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
data/lib/contrast/api/decorators/message.rb +0 -67
data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
data/lib/contrast/api/decorators/response_type.rb +0 -17
data/lib/contrast/api/decorators/server_features.rb +0 -25
data/lib/contrast/api/decorators/user_input.rb +0 -51
data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
data/lib/contrast/api/decorators.rb +0 -22
data/lib/contrast/api/dtm.pb.rb +0 -363
data/lib/contrast/api/settings.pb.rb +0 -500
data/lib/contrast/api.rb +0 -16
data/lib/contrast/components/contrast_service.rb +0 -88
data/lib/contrast/components/service.rb +0 -55
data/lib/contrast/tasks/service.rb +0 -84
data/lib/contrast/utils/input_classification.rb +0 -73
data/lib/protobuf/code_generator.rb +0 -129
data/lib/protobuf/decoder.rb +0 -28
data/lib/protobuf/deprecation.rb +0 -117
data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
data/lib/protobuf/descriptors.rb +0 -3
data/lib/protobuf/encoder.rb +0 -11
data/lib/protobuf/enum.rb +0 -365
data/lib/protobuf/exceptions.rb +0 -9
data/lib/protobuf/field/base_field.rb +0 -380
data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
data/lib/protobuf/field/bool_field.rb +0 -64
data/lib/protobuf/field/bytes_field.rb +0 -67
data/lib/protobuf/field/double_field.rb +0 -25
data/lib/protobuf/field/enum_field.rb +0 -56
data/lib/protobuf/field/field_array.rb +0 -102
data/lib/protobuf/field/field_hash.rb +0 -122
data/lib/protobuf/field/fixed32_field.rb +0 -25
data/lib/protobuf/field/fixed64_field.rb +0 -28
data/lib/protobuf/field/float_field.rb +0 -43
data/lib/protobuf/field/int32_field.rb +0 -21
data/lib/protobuf/field/int64_field.rb +0 -34
data/lib/protobuf/field/integer_field.rb +0 -23
data/lib/protobuf/field/message_field.rb +0 -51
data/lib/protobuf/field/sfixed32_field.rb +0 -27
data/lib/protobuf/field/sfixed64_field.rb +0 -28
data/lib/protobuf/field/signed_integer_field.rb +0 -29
data/lib/protobuf/field/sint32_field.rb +0 -21
data/lib/protobuf/field/sint64_field.rb +0 -21
data/lib/protobuf/field/string_field.rb +0 -51
data/lib/protobuf/field/uint32_field.rb +0 -21
data/lib/protobuf/field/uint64_field.rb +0 -21
data/lib/protobuf/field/varint_field.rb +0 -77
data/lib/protobuf/field.rb +0 -74
data/lib/protobuf/generators/base.rb +0 -85
data/lib/protobuf/generators/enum_generator.rb +0 -39
data/lib/protobuf/generators/extension_generator.rb +0 -27
data/lib/protobuf/generators/field_generator.rb +0 -193
data/lib/protobuf/generators/file_generator.rb +0 -262
data/lib/protobuf/generators/group_generator.rb +0 -122
data/lib/protobuf/generators/message_generator.rb +0 -104
data/lib/protobuf/generators/option_generator.rb +0 -17
data/lib/protobuf/generators/printable.rb +0 -160
data/lib/protobuf/generators/service_generator.rb +0 -50
data/lib/protobuf/lifecycle.rb +0 -33
data/lib/protobuf/logging.rb +0 -39
data/lib/protobuf/message/fields.rb +0 -233
data/lib/protobuf/message/serialization.rb +0 -85
data/lib/protobuf/message.rb +0 -241
data/lib/protobuf/optionable.rb +0 -72
data/lib/protobuf/tasks/compile.rake +0 -80
data/lib/protobuf/tasks.rb +0 -1
data/lib/protobuf/varint.rb +0 -20
data/lib/protobuf/varint_pure.rb +0 -31
data/lib/protobuf/version.rb +0 -3
data/lib/protobuf/wire_type.rb +0 -10
data/lib/protobuf.rb +0 -91
data/proto/dynamic_discovery.proto +0 -46
data/proto/google/protobuf/compiler/plugin.proto +0 -183
data/proto/google/protobuf/descriptor.proto +0 -911
data/proto/rpc.proto +0 -71
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +0 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c688788c7666c5ea72351e52ad02fe838923dc0dde589199917d2bfa96080630
-  data.tar.gz: f63416e47b9b815f0ec7a79858fb11f866bf5c49c952cf278dfb851679f44957
+  metadata.gz: b850f63bce180f09f998f5363f58b01e9c69db61a2f98a31db97fb59b82564d7
+  data.tar.gz: 811072666998fb4daf0f49d2514d875b45c18d79d29398639862f1c2144aa930
 SHA512:
-  metadata.gz: 0b5ee56bb30a55609a6252a105c8ab60e0bf66bdcac23e4efa937cfbc99f7669ab5ed7ffdc41dfd1b9659a09a93d2f7714af0eb398b46069542f0dff753c1ccd
-  data.tar.gz: 84b72b0f516808677745cc1ea7ecdedf762309ceb79eaac2908f1f16ac6abc811f2997bc50673e78101d7845ddd67a73c996c7ed3ebdbca6d33cf88883926499
+  metadata.gz: ac0f4dcea0a62d6aa000659943f2b994a02940148fffdff2901ff4ff61d27fd257170ec4f48d0b1925d569dbc20de89a8866f76a17dd1c22aa15d9c80e4e9eb1
+  data.tar.gz: bd2490f015d1a5c8be5f0e7a0fc60e5acdc436b03e32420cbf19542a53b760c843cd84a17a0e7a8a3794ec69e3aa909e63fabdb32f4c32d5daa48ece261176aa

data/.gitignore CHANGED Viewed

@@ -21,7 +21,6 @@
 bin
 ruby-spec
 mspec
-service_executables
 # rspec generated files
 /spec/dummy_files/*
@@ -57,7 +56,6 @@ contrast-agent-*.gem
 .ruby-version
 .ruby-gemset
-service_executables/*-*
 # IDE stuff
 tags

data/.simplecov CHANGED Viewed

@@ -4,6 +4,5 @@
 SimpleCov.minimum_coverage(line: 94)
 SimpleCov.start do
   add_filter '/spec/'
-  add_filter '/lib/protobuf/'
   enable_coverage :branch
 end

data/Rakefile CHANGED Viewed

@@ -6,7 +6,6 @@ $stdout.sync = true
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rake/extensiontask'
-load 'protobuf/tasks/compile.rake'
 require 'fileutils'
 CLOBBER << 'shared_libraries/*'

data/ext/cs__assess_array/cs__assess_array.c CHANGED Viewed

@@ -31,15 +31,46 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
     return result;
 }
+static VALUE contrast_assess_prepend_array_join(const int argc, const VALUE *argv,
+                                        const VALUE ary) {
+    VALUE sep, result;
+    /* We need to figure out the separator the join method actually used. */
+    /* First, check if one was provided. */
+    rb_scan_args(argc, argv, "01", &sep);
+    /* Second, check to see if `$;` is set*/
+    if (NIL_P(sep)) {
+        sep = rb_output_fs;
+    }
+    /* call the Array.join but patched one */
+    result = rb_ary_join(ary, sep);
+    /* call the Contrast::Extensions::Assess::ArrayPropagator#cs__track_join */
+    result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
+                        ary, sep, result);
+    /*call original occurs in ruby*/
+    return Qtrue;
+}
 void Init_cs__assess_array(void) {
-    array_propagator =
-        rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
-    rb_sym_assess_track_array_join = rb_intern("cs__track_join");
-    /*
-     * Here we need to check before using the alias or prepend spec
-     * This patch is happening here, we register the cs__track_join
-     * method of the Array propagator, and call it here from Ruby.
-     */
-    rb_sym_assess_array_join =
-        contrast_register_patch("Array", "join", contrast_assess_array_join);
+     VALUE rb_mod_ary = rb_const_get(rb_cObject, rb_intern("Array"));
+     VALUE rb_sym_ary_join = ID2SYM(rb_intern("join"));
+     // check if prepended
+     VALUE is_prepended = contrast_check_prepended(rb_mod_ary, rb_sym_ary_join, Qtrue);
+     // register the cs__track_join method of the Array propagator, and call it here from Ruby.
+     array_propagator = rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
+     rb_sym_assess_track_array_join = rb_intern("cs__track_join");
+     // register the cs__join method of the ContrastArray for prepending, and call it here from Ruby.
+     VALUE contrast_array = rb_define_module_under(core_assess, "ContrastArray");
+     rb_define_module_function(contrast_array, "cs__join", contrast_assess_prepend_array_join, -1);
+    if(is_prepended == Qtrue) {
+       // do nothing prepend is done in Ruby
+    } else {
+       // register alias patch
+        rb_sym_assess_array_join =
+            contrast_register_patch("Array", "join", contrast_assess_array_join);
+    }
 }

data/ext/cs__assess_array/cs__assess_array.h CHANGED Viewed

@@ -3,8 +3,11 @@
 static VALUE array_propagator;
 static VALUE rb_sym_assess_array_join;
 static VALUE rb_sym_assess_track_array_join;
+static VALUE rb_mod_ary, rb_sym_ary_join, is_prepended, contrast_array;
 static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
                                         const VALUE ary);
+static VALUE contrast_assess_prepend_array_join(const int argc, const VALUE *argv,
+                                        const VALUE ary);
 void Init_cs__assess_array(void);

data/lib/contrast/agent/assess/policy/trigger_method.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/assess/events/event_factory'
 require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
 require 'contrast/agent/excluder'
 require 'contrast/components/logger'
@@ -15,6 +14,7 @@ require 'contrast/agent/reporting/reporting_events/preflight_message'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
 require 'contrast/agent/reporting/reporting_utilities/build_preflight'
+require 'contrast/utils/assess/event_limit_utils'
 module Contrast
   module Agent
@@ -23,7 +23,7 @@ module Contrast
         # A trigger method is one which can perform a dangerous action, as described by the
         # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
         # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
-        # report is issued to the Service.
+        # report is issued to TeamServer.
         module TriggerMethod
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Utils::Assess::TriggerMethodUtils
@@ -105,7 +105,7 @@ module Contrast
               nil
             end
-            # Given a finding, append it to an activity message and send it to the Service for processing. If an
+            # Given a finding, append it to an activity message and send it to the TeamServer for processing. If an
             # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
             # immediately report it with the finding.
             #

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a REDOS finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module REDOSValidator
             RULE_NAME = 'redos'

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a SSRF finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module SSRFValidator
             RULE_NAME = 'ssrf'
             URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module Contrast
         module TriggerValidation
           # Validator used to assert a Reflected XSS finding is actually
           # vulnerable before serializing that finding as a DTM to report to
-          # the service.
+          # the TeamServer.
           module XSSValidator
             RULE_NAME = 'reflected-xss'
             SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

data/lib/contrast/agent/assess/property/evented.rb CHANGED Viewed

@@ -1,8 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/assess/events/event_factory'
-require 'contrast/agent/assess/events/source_event'
+require 'contrast/agent/reporting/reporting_events/finding_event'
 module Contrast
   module Agent
@@ -25,7 +24,7 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event event_data, source_type = nil, source_name = nil
-            @event = Contrast::Agent::Assess::Events::EventFactory.build(event_data, source_type, source_name)
+            @event = Contrast::Agent::Reporting::FindingEvent.new(event_data, source_type, source_name)
             report_sources(event_data.tagged, @event)
           end
@@ -35,21 +34,22 @@ module Contrast
           # context's observed route
           #
           # @param tagged [Object] The Target of the Event
-          # @param event [Contrast::Agent::Assess::Events::ContrastEvent]
+          # @param event [Contrast::Agent::Reporting::FindingEvent]
           def report_sources tagged, event
             return unless tagged && !tagged.to_s.empty?
-            return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
             return unless event.source_type
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
-            if current_request.observed_route.sources.any? do |source|
-              source.type == event.source_type && source.name == event.source_name # rubocop:disable Security/Module/Name
-            end
+            event.event_sources&.each do |event_source|
+              if current_request.observed_route.sources.any? do |source|
+                source.source_type == event_source.source_type && source.source_name == event_source.source_name
+              end
-              return
-            end
+                next
+              end
-            current_request.observed_route.sources << event.event_source if event.event_source
+              current_request.observed_route.sources << event_source
+            end
           end
         end
       end

data/lib/contrast/agent/assess.rb CHANGED Viewed

@@ -18,7 +18,6 @@ module Contrast
       # reporting / tracking
       require 'contrast/agent/assess/properties'
       require 'contrast/agent/assess/tag'
-      require 'contrast/agent/assess/events/event_factory'
     end
   end
 end

data/lib/contrast/agent/excluder.rb CHANGED Viewed

@@ -1,13 +1,17 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+require 'contrast/agent/reporting/settings/url_exclusion'
 module Contrast
   module Agent
     # Given an array of exclusion matcher instances provides methods to
     # determine if the exclusions apply to particular urls.
     class Excluder # rubocop:disable Metrics/ClassLength
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       attr_reader :exclusions
+      # @param exclusions [Array<Contrast::Agent::ExclusionMatcher>]
       def initialize exclusions = []
         @exclusions = exclusions
       end
@@ -16,12 +20,12 @@ module Contrast
       # then we can avoid any tracking for the request.
       #
       # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
-      # return [Boolean]
+      # @return [Boolean]
       def assess_excluded_by_url? request
         request_path = request.path
-        assess_url_exclusions_for_all_rules.any? do |exclusion|
-          path_match?(exclusion, request_path)
+        assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
         end
       end
@@ -34,9 +38,9 @@ module Contrast
       def assess_excluded_by_url_and_rule? request, rule_id
         request_path = request.path
-        assess_url_exclusions.any? do |exclusion|
-          path_match?(exclusion, request_path) &&
-              (exclusion.assessment_rules.empty? || exclusion.assessment_rules.include?(rule_id))
+        assess_url_exclusions.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path) &&
+              (exclusion_matcher.assess_rules.empty? || exclusion_matcher.assess_rules.include?(rule_id))
         end
       end
@@ -44,13 +48,14 @@ module Contrast
       # rules, then we can avoid tracking this entry.
       #
       # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
-      # @param rule_id [String]
+      # @param source_type [String]
+      # @param source_name [String]
       # return [Boolean]
       def assess_excluded_by_input? request, source_type, source_name
         request_path = request.path
-        assess_input_exclusions_for_all_rules.any? do |exclusion|
-          input_match?(exclusion, source_type, source_name) && path_match?(exclusion, request_path)
+        assess_input_exclusions_for_all_rules.any? do |exclusion_matcher|
+          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher, request_path)
         end
       end
@@ -66,18 +71,18 @@ module Contrast
         # We need to check for url exclusions here for the input rules as the url exclusions
         # that have already been checked didn't include the INPUT exclusions. So we look for
-        # any INPUT exclusions that apply to the current url and the suppleid rule.
+        # any INPUT exclusions that apply to the current url and the supplied rule.
         path = request.path
-        rule_input_exclusions = assess_input_exclusions.select do |exclusion|
-          (exclusion.protection_rules.empty? || exclusion.protection_rules.include?(rule)) && path_match?(exclusion,
-                                                                                                          path)
+        rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
+          (exclusion_matcher.protection_rules.empty? || exclusion_matcher.protection_rules.include?(rule)) &&
+              path_match?(exclusion_matcher, path)
         end
         return false if rule_input_exclusions.empty?
         event_sources = finding.events.flat_map(&:event_sources)
         event_sources.each do |event_source|
           return false unless rule_input_exclusions.any? do |exclusion|
-            input_match?(exclusion, event_source.type, event_source.name) # rubocop:disable Security/Module/Name
+            input_match?(exclusion, event_source.source_type, event_source.source_name)
           end
         end
@@ -94,72 +99,85 @@ module Contrast
       def protect_excluded_by_url? request
         request_path = request.path
-        protect_url_exclusions_for_all_rules.any? do |exclusion|
-          path_match?(exclusion, request_path)
+        protect_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
         end
       end
       private
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions_for_all_rules
-        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion|
-          exclusion.assessment_rules.empty?
+        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions
-        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_input_exclusions_for_all_rules
-        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion|
-          exclusion.assessment_rules.empty?
+        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_input_exclusions
-        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::INPUT
+        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :INPUT
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_exclusions
         @_assess_exclusions ||= @exclusions.select(&:assess)
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_url_exclusions_for_all_rules
-        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion|
-          exclusion.protection_rules.empty?
+        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.protect_rules.empty?
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_url_exclusions
-        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_exclusions
         @_protect_exclusions ||= @exclusions.select(&:protect)
       end
-      def path_match? exclusion, path
-        exclusion.wildcard_url || exclusion.urls.any? { |url| url.match?(path) }
+      # @return [Boolean]
+      def path_match? exclusion_matcher, path
+        exclusion_matcher.wildcard_url || exclusion_matcher.urls.any? { |url| url.match?(path) }
       end
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_type [String]
+      # @param source_name [String]
+      # @return [Boolean]
       def input_match? exclusion, source_type, source_name
         case exclusion.input_type
-        when Contrast::Api::Settings::Exclusion::InputType::PARAMETER
+        when 'PARAMETER'
           input_match_parameter?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::COOKIE
+        when 'COOKIE'
           input_match_cookie?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::HEADER
+        when 'HEADER'
           input_match_header?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::BODY
+        when 'BODY'
           Contrast::Agent::Assess::Policy::SourceMethod::BODY_TYPE == source_type
-        when Contrast::Api::Settings::Exclusion::InputType::QUERYSTRING
+        when 'QUERYSTRING'
           Contrast::Agent::Assess::Policy::SourceMethod::QUERYSTRING_TYPE == source_type
         else
           false

data/lib/contrast/agent/exclusion_matcher.rb CHANGED Viewed

@@ -2,6 +2,10 @@
 # frozen_string_literal: true
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/settings/exclusion_base'
+require 'contrast/agent/reporting/settings/code_exclusion'
+require 'contrast/agent/reporting/settings/input_exclusion'
+require 'contrast/agent/reporting/settings/url_exclusion'
 module Contrast
   module Agent
@@ -13,22 +17,30 @@ module Contrast
       extend Forwardable
-      attr_reader :protect, :assess, :urls, :wildcard_url, :wildcard_input
+      attr_reader :protect, :assess, :type, :urls, :wildcard_url, :wildcard_input
-      def_delegators :@exclusion, :type, :assessment_rules, :protection_rules, :input_type, :input_name
+      def_delegators :@exclusion, :protect_rules, :assess_rules, :input_type, :input_name
       # Create a matcher around an exclusion sent from TeamServer.
       #
-      # @param excl [Contrast::Api::Settings::Exclusion]
+      # @param excl [Contrast::Agent::Reporting::Settings::ExclusionBase]
       # @return [Contrast::Agent::ExclusionMatcher]
       def initialize excl
         @exclusion = excl
         @protect = @exclusion.protect
         @assess = @exclusion.assess
-        handle_wildcard_input
-        handle_wildcard_url
-        handle_wildcard_code
+        case excl
+        when Contrast::Agent::Reporting::Settings::CodeExclusion
+          handle_wildcard_code
+          @type = :CODE
+        when Contrast::Agent::Reporting::Settings::InputExclusion
+          handle_wildcard_input
+          @type = :INPUT
+        when Contrast::Agent::Reporting::Settings::UrlExclusion
+          handle_wildcard_url
+          @type = :URL
+        end
       end
       # According to the docs for exclusions, user input applies to all inputs if
@@ -97,7 +109,7 @@ module Contrast
       end
       def code?
-        @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
+        @type == :CODE
       end
       def match_all?
@@ -105,12 +117,12 @@ module Contrast
       end
       # Determine if the given rule is excluded by this exclusion.
-      # In this case, the `protection_rules` being empty means apply to all rules,
+      # In this case, the `protect_rules` being empty means apply to all rules,
       # not no rules
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def protection_rule? rule
-        protect? && (@exclusion.protection_rules.empty? || @exclusion.protection_rules.include?(rule))
+        protect? && (@exclusion.protect_rules.empty? || @exclusion.protect_rules.include?(rule))
       end
       # Determine if the given rule is excluded by this exclusion.

data/lib/contrast/agent/middleware.rb CHANGED Viewed

@@ -15,7 +15,7 @@ require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
 require 'contrast/agent/telemetry/events/startup_metrics_event'
 require 'contrast/utils/middleware_utils'
+require 'contrast/utils/reporting/application_activity_batch_utils'
 require 'contrast/utils/timer'
 module Contrast
@@ -27,6 +27,7 @@ module Contrast
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
       include Contrast::Utils::MiddlewareUtils
+      include Contrast::Utils::Reporting::ApplicationActivityBatchUtils
       attr_reader :app
@@ -62,6 +63,7 @@ module Contrast
       #   the Rack framework.
       def call env
         logger.trace_with_time('Elapsed time for Contrast::Agent::Middleware#call') do
+          ::Contrast::Agent::ThreadWatcher.check_before_start
           return app.call(env) unless ::Contrast::AGENT.enabled?
           Contrast::Agent.heapdump_util.start_thread!
@@ -73,12 +75,12 @@ module Contrast
       private
       # Startup the Agent as part of the initialization process:
-      # - start the service sending thread, responsible for sending and processing messages
-      # - start the heartbeat thread, which triggers service startup
+      # - start the TeamServer sending thread, responsible for sending and processing messages
+      # - start the heartbeat thread, which handles periodic messages to TeamServer
       # - start instrumenting libraries and do a 'catchup' patch for everything we didn't see get loaded
       # - enable TracePoint, which handles all class loads and required instrumentation going forward
       def agent_startup_routine
-        logger.debug_with_time('middleware: starting service') do
+        logger.debug_with_time('middleware: starting reporting threads') do
           Contrast::Agent.thread_watcher.ensure_running?
         end
@@ -147,7 +149,7 @@ module Contrast
       #    which is being triggered when there is a failure within the pre-call with the agent
       def pre_call_with_agent context, request_handler
         with_contrast_scope do
-          context.service_extract_request
+          context.protect_input_analysis
           request_handler.ruleset.prefilter
         end
       rescue StandardError => e
@@ -173,13 +175,17 @@ module Contrast
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
           Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
+          # Process Worth Watching Inputs for v2 rules
+          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity
             request_handler.stream_safe_postfilter
           else
             request_handler.ruleset.postfilter
-            request_handler.report_activity
+            request_handler.report_observed_route
+            add_activity_to_batch(context.activity)
+            report_batch
           end
         end
       # unsuccessful attack

data/lib/contrast/agent/patching/policy/after_load_patcher.rb CHANGED Viewed

@@ -56,6 +56,7 @@ module Contrast
               unless Contrast::Agent::Assess.cs__object_method_prepended?(Marshal, :load, false)
                 apply_marshal_load_alias_patch
               end
+              apply_array_join_prepend_patch if Contrast::Agent::Assess.cs__object_method_prepended?(Array, :join, true)
               true
             end
           end
@@ -121,6 +122,11 @@ module Contrast
             Marshal.alias_method(:cs__marshal_load, :load)
             Marshal.alias_method(:load, :cs__marshal_load)
           end
+          # Prepend Contrast::Extension::Assess::ContrastArray to pick up the ContrastArray#join method
+          def apply_array_join_prepend_patch
+            Array.prepend(Contrast::Extension::Assess::ContrastArray)
+          end
         end
       end
     end