RubyGems - contrast-agent - Versions diffs - 6.7.0 → 6.9.0 - Mend

contrast-agent 6.7.0 → 6.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (280) hide show

checksums.yaml +4 -4
data/.gitignore +0 -2
data/.simplecov +0 -1
data/Rakefile +0 -1
data/ext/cs__assess_array/cs__assess_array.c +41 -10
data/ext/cs__assess_array/cs__assess_array.h +4 -1
data/lib/contrast/agent/assess/policy/trigger_method.rb +3 -3
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +1 -1
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +1 -1
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +1 -1
data/lib/contrast/agent/assess/property/evented.rb +11 -11
data/lib/contrast/agent/assess.rb +0 -1
data/lib/contrast/agent/excluder.rb +53 -35
data/lib/contrast/agent/exclusion_matcher.rb +21 -9
data/lib/contrast/agent/middleware.rb +12 -6
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +6 -0
data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +146 -127
data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +116 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +20 -0
data/lib/contrast/agent/protect/policy/rule_applicator.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +47 -55
data/lib/contrast/agent/protect/rule/base_service.rb +48 -24
data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +98 -0
data/lib/contrast/agent/protect/rule/bot_blocker.rb +81 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +20 -2
data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +8 -5
data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +22 -22
data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +64 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +63 -0
data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb +2 -58
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +3 -14
data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +2 -2
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -11
data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb +29 -34
data/lib/contrast/agent/protect/rule/no_sqli.rb +25 -18
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +61 -0
data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb +114 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +40 -13
data/lib/contrast/agent/protect/rule/sql_sample_builder.rb +33 -15
data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb +0 -14
data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +2 -62
data/lib/contrast/agent/protect/rule/sqli.rb +74 -3
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +39 -63
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +6 -33
data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +58 -0
data/lib/contrast/agent/protect/rule/xss.rb +15 -20
data/lib/contrast/agent/protect/rule/xxe.rb +4 -24
data/lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb +19 -40
data/lib/contrast/agent/reporting/attack_result/response_type.rb +9 -9
data/lib/contrast/agent/reporting/details/ip_denylist_details.rb +10 -2
data/lib/contrast/agent/reporting/details/virtual_patch_details.rb +8 -2
data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb +27 -0
data/lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb +15 -0
data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +1 -2
data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb +16 -2
data/lib/contrast/agent/reporting/masker/masker.rb +2 -0
data/lib/contrast/agent/reporting/report.rb +1 -0
data/lib/contrast/agent/reporting/reporter.rb +35 -14
data/lib/contrast/agent/reporting/reporter_heartbeat.rb +3 -9
data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +16 -13
data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +12 -7
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +3 -3
data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +1 -2
data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb +6 -1
data/lib/contrast/agent/reporting/reporting_events/application_update.rb +0 -2
data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/finding.rb +6 -6
data/lib/contrast/agent/reporting/reporting_events/finding_event.rb +239 -93
data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb +10 -23
data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb +10 -9
data/lib/contrast/agent/reporting/reporting_events/finding_request.rb +0 -5
data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +12 -0
data/lib/contrast/agent/reporting/reporting_events/poll.rb +1 -11
data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb +0 -1
data/lib/contrast/agent/reporting/reporting_events/server_reporting_event.rb +8 -0
data/lib/contrast/agent/reporting/reporting_events/server_settings.rb +40 -0
data/lib/contrast/agent/reporting/reporting_utilities/audit.rb +2 -2
data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +6 -0
data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +43 -1
data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb +8 -4
data/lib/contrast/agent/reporting/reporting_utilities/response.rb +1 -1
data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +58 -4
data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +4 -6
data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +77 -16
data/lib/contrast/agent/reporting/server_settings_worker.rb +44 -0
data/lib/contrast/agent/reporting/settings/assess_server_feature.rb +14 -2
data/lib/contrast/agent/reporting/settings/code_exclusion.rb +6 -1
data/lib/contrast/agent/reporting/settings/exclusion_base.rb +18 -0
data/lib/contrast/agent/reporting/settings/exclusions.rb +2 -1
data/lib/contrast/agent/reporting/settings/helpers.rb +7 -0
data/lib/contrast/agent/reporting/settings/input_exclusion.rb +9 -3
data/lib/contrast/agent/reporting/settings/protect.rb +15 -15
data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +39 -2
data/lib/contrast/agent/reporting/settings/rule_definition.rb +3 -0
data/lib/contrast/agent/reporting/settings/security_logger.rb +77 -0
data/lib/contrast/agent/reporting/settings/server_features.rb +9 -0
data/lib/contrast/agent/reporting/settings/syslog.rb +34 -5
data/lib/contrast/agent/request.rb +3 -14
data/lib/contrast/agent/request_context.rb +6 -9
data/lib/contrast/agent/request_context_extend.rb +9 -148
data/lib/contrast/agent/request_handler.rb +5 -10
data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb +1 -1
data/lib/contrast/agent/thread_watcher.rb +37 -18
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/agent.rb +6 -11
data/lib/contrast/agent_lib/api/command_injection.rb +46 -0
data/lib/contrast/agent_lib/api/init.rb +101 -0
data/lib/contrast/agent_lib/api/input_tracing.rb +267 -0
data/lib/contrast/agent_lib/api/method_tempering.rb +29 -0
data/lib/contrast/agent_lib/api/panic.rb +87 -0
data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb +40 -0
data/lib/contrast/agent_lib/interface.rb +260 -0
data/lib/contrast/agent_lib/interface_base.rb +118 -0
data/lib/contrast/agent_lib/return_types/eval_result.rb +44 -0
data/lib/contrast/agent_lib/test.rb +29 -0
data/lib/contrast/api/communication/connection_status.rb +20 -5
data/lib/contrast/components/agent.rb +34 -14
data/lib/contrast/components/api.rb +23 -0
data/lib/contrast/components/app_context.rb +23 -5
data/lib/contrast/components/app_context_extend.rb +0 -25
data/lib/contrast/components/assess.rb +34 -4
data/lib/contrast/components/assess_rules.rb +18 -0
data/lib/contrast/components/base.rb +40 -0
data/lib/contrast/components/config/sources.rb +95 -0
data/lib/contrast/components/config.rb +19 -19
data/lib/contrast/components/heap_dump.rb +10 -0
data/lib/contrast/components/inventory.rb +15 -2
data/lib/contrast/components/logger.rb +18 -0
data/lib/contrast/components/polling.rb +36 -0
data/lib/contrast/components/protect.rb +52 -2
data/lib/contrast/components/ruby_component.rb +16 -1
data/lib/contrast/components/sampling.rb +70 -13
data/lib/contrast/components/security_logger.rb +13 -0
data/lib/contrast/components/settings.rb +105 -90
data/lib/contrast/config/certification_configuration.rb +14 -0
data/lib/contrast/config/config.rb +46 -0
data/lib/contrast/config/diagnostics.rb +114 -0
data/lib/contrast/config/diagnostics_tools.rb +98 -0
data/lib/contrast/config/effective_config.rb +65 -0
data/lib/contrast/config/effective_config_value.rb +32 -0
data/lib/contrast/config/exception_configuration.rb +12 -0
data/lib/contrast/config/protect_rule_configuration.rb +8 -8
data/lib/contrast/config/protect_rules_configuration.rb +23 -60
data/lib/contrast/config/request_audit_configuration.rb +13 -0
data/lib/contrast/config/server_configuration.rb +41 -2
data/lib/contrast/configuration.rb +29 -12
data/lib/contrast/extension/assess/array.rb +9 -0
data/lib/contrast/extension/assess/erb.rb +1 -1
data/lib/contrast/extension/delegator.rb +2 -0
data/lib/contrast/framework/manager.rb +3 -1
data/lib/contrast/framework/rails/railtie.rb +0 -1
data/lib/contrast/framework/rails/support.rb +0 -1
data/lib/contrast/tasks/config.rb +1 -8
data/lib/contrast/utils/assess/event_limit_utils.rb +31 -9
data/lib/contrast/utils/assess/trigger_method_utils.rb +5 -4
data/lib/contrast/utils/duck_utils.rb +1 -0
data/lib/contrast/utils/hash_digest.rb +2 -2
data/lib/contrast/utils/input_classification_base.rb +155 -0
data/lib/contrast/utils/os.rb +0 -20
data/lib/contrast/utils/reporting/application_activity_batch_utils.rb +81 -0
data/lib/contrast/utils/response_utils.rb +0 -16
data/lib/contrast/utils/routes_sent.rb +60 -0
data/lib/contrast/utils/stack_trace_utils.rb +3 -15
data/lib/contrast/utils/string_utils.rb +10 -7
data/lib/contrast/utils/telemetry_client.rb +1 -2
data/lib/contrast/utils/timer.rb +16 -0
data/lib/contrast.rb +5 -4
data/resources/protect/policy.json +1 -2
data/ruby-agent.gemspec +7 -6
metadata +69 -130
data/exe/contrast_service +0 -23
data/lib/contrast/agent/assess/contrast_event.rb +0 -157
data/lib/contrast/agent/assess/events/event_factory.rb +0 -34
data/lib/contrast/agent/assess/events/source_event.rb +0 -46
data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb +0 -64
data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb +0 -118
data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb +0 -45
data/lib/contrast/agent/reaction_processor.rb +0 -47
data/lib/contrast/agent/reporting/reporting_events/server_activity.rb +0 -36
data/lib/contrast/agent/service_heartbeat.rb +0 -35
data/lib/contrast/api/communication/messaging_queue.rb +0 -128
data/lib/contrast/api/communication/response_processor.rb +0 -90
data/lib/contrast/api/communication/service_lifecycle.rb +0 -77
data/lib/contrast/api/communication/socket.rb +0 -44
data/lib/contrast/api/communication/socket_client.rb +0 -130
data/lib/contrast/api/communication/speedracer.rb +0 -138
data/lib/contrast/api/communication/tcp_socket.rb +0 -32
data/lib/contrast/api/communication/unix_socket.rb +0 -28
data/lib/contrast/api/communication.rb +0 -20
data/lib/contrast/api/decorators/address.rb +0 -59
data/lib/contrast/api/decorators/agent_startup.rb +0 -56
data/lib/contrast/api/decorators/application_settings.rb +0 -43
data/lib/contrast/api/decorators/application_startup.rb +0 -56
data/lib/contrast/api/decorators/bot_blocker.rb +0 -37
data/lib/contrast/api/decorators/http_request.rb +0 -137
data/lib/contrast/api/decorators/input_analysis.rb +0 -18
data/lib/contrast/api/decorators/instrumentation_mode.rb +0 -35
data/lib/contrast/api/decorators/ip_denylist.rb +0 -37
data/lib/contrast/api/decorators/message.rb +0 -67
data/lib/contrast/api/decorators/rasp_rule_sample.rb +0 -52
data/lib/contrast/api/decorators/response_type.rb +0 -17
data/lib/contrast/api/decorators/server_features.rb +0 -25
data/lib/contrast/api/decorators/user_input.rb +0 -51
data/lib/contrast/api/decorators/virtual_patch.rb +0 -34
data/lib/contrast/api/decorators.rb +0 -22
data/lib/contrast/api/dtm.pb.rb +0 -363
data/lib/contrast/api/settings.pb.rb +0 -500
data/lib/contrast/api.rb +0 -16
data/lib/contrast/components/contrast_service.rb +0 -88
data/lib/contrast/components/service.rb +0 -55
data/lib/contrast/tasks/service.rb +0 -84
data/lib/contrast/utils/input_classification.rb +0 -73
data/lib/protobuf/code_generator.rb +0 -129
data/lib/protobuf/decoder.rb +0 -28
data/lib/protobuf/deprecation.rb +0 -117
data/lib/protobuf/descriptors/google/protobuf/compiler/plugin.pb.rb +0 -79
data/lib/protobuf/descriptors/google/protobuf/descriptor.pb.rb +0 -360
data/lib/protobuf/descriptors.rb +0 -3
data/lib/protobuf/encoder.rb +0 -11
data/lib/protobuf/enum.rb +0 -365
data/lib/protobuf/exceptions.rb +0 -9
data/lib/protobuf/field/base_field.rb +0 -380
data/lib/protobuf/field/base_field_object_definitions.rb +0 -504
data/lib/protobuf/field/bool_field.rb +0 -64
data/lib/protobuf/field/bytes_field.rb +0 -67
data/lib/protobuf/field/double_field.rb +0 -25
data/lib/protobuf/field/enum_field.rb +0 -56
data/lib/protobuf/field/field_array.rb +0 -102
data/lib/protobuf/field/field_hash.rb +0 -122
data/lib/protobuf/field/fixed32_field.rb +0 -25
data/lib/protobuf/field/fixed64_field.rb +0 -28
data/lib/protobuf/field/float_field.rb +0 -43
data/lib/protobuf/field/int32_field.rb +0 -21
data/lib/protobuf/field/int64_field.rb +0 -34
data/lib/protobuf/field/integer_field.rb +0 -23
data/lib/protobuf/field/message_field.rb +0 -51
data/lib/protobuf/field/sfixed32_field.rb +0 -27
data/lib/protobuf/field/sfixed64_field.rb +0 -28
data/lib/protobuf/field/signed_integer_field.rb +0 -29
data/lib/protobuf/field/sint32_field.rb +0 -21
data/lib/protobuf/field/sint64_field.rb +0 -21
data/lib/protobuf/field/string_field.rb +0 -51
data/lib/protobuf/field/uint32_field.rb +0 -21
data/lib/protobuf/field/uint64_field.rb +0 -21
data/lib/protobuf/field/varint_field.rb +0 -77
data/lib/protobuf/field.rb +0 -74
data/lib/protobuf/generators/base.rb +0 -85
data/lib/protobuf/generators/enum_generator.rb +0 -39
data/lib/protobuf/generators/extension_generator.rb +0 -27
data/lib/protobuf/generators/field_generator.rb +0 -193
data/lib/protobuf/generators/file_generator.rb +0 -262
data/lib/protobuf/generators/group_generator.rb +0 -122
data/lib/protobuf/generators/message_generator.rb +0 -104
data/lib/protobuf/generators/option_generator.rb +0 -17
data/lib/protobuf/generators/printable.rb +0 -160
data/lib/protobuf/generators/service_generator.rb +0 -50
data/lib/protobuf/lifecycle.rb +0 -33
data/lib/protobuf/logging.rb +0 -39
data/lib/protobuf/message/fields.rb +0 -233
data/lib/protobuf/message/serialization.rb +0 -85
data/lib/protobuf/message.rb +0 -241
data/lib/protobuf/optionable.rb +0 -72
data/lib/protobuf/tasks/compile.rake +0 -80
data/lib/protobuf/tasks.rb +0 -1
data/lib/protobuf/varint.rb +0 -20
data/lib/protobuf/varint_pure.rb +0 -31
data/lib/protobuf/version.rb +0 -3
data/lib/protobuf/wire_type.rb +0 -10
data/lib/protobuf.rb +0 -91
data/proto/dynamic_discovery.proto +0 -46
data/proto/google/protobuf/compiler/plugin.proto +0 -183
data/proto/google/protobuf/descriptor.proto +0 -911
data/proto/rpc.proto +0 -71
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +0 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c688788c7666c5ea72351e52ad02fe838923dc0dde589199917d2bfa96080630
-  data.tar.gz: f63416e47b9b815f0ec7a79858fb11f866bf5c49c952cf278dfb851679f44957
+  metadata.gz: b850f63bce180f09f998f5363f58b01e9c69db61a2f98a31db97fb59b82564d7
+  data.tar.gz: 811072666998fb4daf0f49d2514d875b45c18d79d29398639862f1c2144aa930
 SHA512:
-  metadata.gz: 0b5ee56bb30a55609a6252a105c8ab60e0bf66bdcac23e4efa937cfbc99f7669ab5ed7ffdc41dfd1b9659a09a93d2f7714af0eb398b46069542f0dff753c1ccd
-  data.tar.gz: 84b72b0f516808677745cc1ea7ecdedf762309ceb79eaac2908f1f16ac6abc811f2997bc50673e78101d7845ddd67a73c996c7ed3ebdbca6d33cf88883926499
+  metadata.gz: ac0f4dcea0a62d6aa000659943f2b994a02940148fffdff2901ff4ff61d27fd257170ec4f48d0b1925d569dbc20de89a8866f76a17dd1c22aa15d9c80e4e9eb1
+  data.tar.gz: bd2490f015d1a5c8be5f0e7a0fc60e5acdc436b03e32420cbf19542a53b760c843cd84a17a0e7a8a3794ec69e3aa909e63fabdb32f4c32d5daa48ece261176aa

data/.gitignore CHANGED Viewed

@@ -21,7 +21,6 @@
 bin
 ruby-spec
 mspec
-service_executables
 # rspec generated files
 /spec/dummy_files/*
@@ -57,7 +56,6 @@ contrast-agent-*.gem
 .ruby-version
 .ruby-gemset
-service_executables/*-*
 # IDE stuff
 tags

data/.simplecov CHANGED Viewed

@@ -4,6 +4,5 @@
 SimpleCov.minimum_coverage(line: 94)
 SimpleCov.start do
   add_filter '/spec/'
-  add_filter '/lib/protobuf/'
   enable_coverage :branch
 end

data/Rakefile CHANGED Viewed

@@ -6,7 +6,6 @@ $stdout.sync = true
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rake/extensiontask'
-load 'protobuf/tasks/compile.rake'
 require 'fileutils'
 CLOBBER << 'shared_libraries/*'

data/ext/cs__assess_array/cs__assess_array.c CHANGED Viewed

@@ -31,15 +31,46 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
     return result;
 }
+static VALUE contrast_assess_prepend_array_join(const int argc, const VALUE *argv,
+                                        const VALUE ary) {
+    VALUE sep, result;
+    /* We need to figure out the separator the join method actually used. */
+    /* First, check if one was provided. */
+    rb_scan_args(argc, argv, "01", &sep);
+    /* Second, check to see if `$;` is set*/
+    if (NIL_P(sep)) {
+        sep = rb_output_fs;
+    }
+    /* call the Array.join but patched one */
+    result = rb_ary_join(ary, sep);
+    /* call the Contrast::Extensions::Assess::ArrayPropagator#cs__track_join */
+    result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
+                        ary, sep, result);
+    /*call original occurs in ruby*/
+    return Qtrue;
+}
 void Init_cs__assess_array(void) {
-    array_propagator =
-        rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
-    rb_sym_assess_track_array_join = rb_intern("cs__track_join");
-    /*
-     * Here we need to check before using the alias or prepend spec
-     * This patch is happening here, we register the cs__track_join
-     * method of the Array propagator, and call it here from Ruby.
-     */
-    rb_sym_assess_array_join =
-        contrast_register_patch("Array", "join", contrast_assess_array_join);
+     VALUE rb_mod_ary = rb_const_get(rb_cObject, rb_intern("Array"));
+     VALUE rb_sym_ary_join = ID2SYM(rb_intern("join"));
+     // check if prepended
+     VALUE is_prepended = contrast_check_prepended(rb_mod_ary, rb_sym_ary_join, Qtrue);
+     // register the cs__track_join method of the Array propagator, and call it here from Ruby.
+     array_propagator = rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
+     rb_sym_assess_track_array_join = rb_intern("cs__track_join");
+     // register the cs__join method of the ContrastArray for prepending, and call it here from Ruby.
+     VALUE contrast_array = rb_define_module_under(core_assess, "ContrastArray");
+     rb_define_module_function(contrast_array, "cs__join", contrast_assess_prepend_array_join, -1);
+    if(is_prepended == Qtrue) {
+       // do nothing prepend is done in Ruby
+    } else {
+       // register alias patch
+        rb_sym_assess_array_join =
+            contrast_register_patch("Array", "join", contrast_assess_array_join);
+    }
 }

data/ext/cs__assess_array/cs__assess_array.h CHANGED Viewed

@@ -3,8 +3,11 @@
 static VALUE array_propagator;
 static VALUE rb_sym_assess_array_join;
 static VALUE rb_sym_assess_track_array_join;
+static VALUE rb_mod_ary, rb_sym_ary_join, is_prepended, contrast_array;
 static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
                                         const VALUE ary);
+static VALUE contrast_assess_prepend_array_join(const int argc, const VALUE *argv,
+                                        const VALUE ary);
 void Init_cs__assess_array(void);

data/lib/contrast/agent/assess/policy/trigger_method.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/assess/events/event_factory'
 require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
 require 'contrast/agent/excluder'
 require 'contrast/components/logger'
@@ -15,6 +14,7 @@ require 'contrast/agent/reporting/reporting_events/preflight_message'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
 require 'contrast/agent/reporting/reporting_utilities/build_preflight'
+require 'contrast/utils/assess/event_limit_utils'
 module Contrast
   module Agent
@@ -23,7 +23,7 @@ module Contrast
         # A trigger method is one which can perform a dangerous action, as described by the
         # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
         # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
-        # report is issued to the Service.
+        # report is issued to TeamServer.
         module TriggerMethod
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Utils::Assess::TriggerMethodUtils
@@ -105,7 +105,7 @@ module Contrast
               nil
             end
-            # Given a finding, append it to an activity message and send it to the Service for processing. If an
+            # Given a finding, append it to an activity message and send it to the TeamServer for processing. If an
             # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
             # immediately report it with the finding.
             #

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a REDOS finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module REDOSValidator
             RULE_NAME = 'redos'

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a SSRF finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module SSRFValidator
             RULE_NAME = 'ssrf'
             URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module Contrast
         module TriggerValidation
           # Validator used to assert a Reflected XSS finding is actually
           # vulnerable before serializing that finding as a DTM to report to
-          # the service.
+          # the TeamServer.
           module XSSValidator
             RULE_NAME = 'reflected-xss'
             SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

data/lib/contrast/agent/assess/property/evented.rb CHANGED Viewed

@@ -1,8 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/assess/events/event_factory'
-require 'contrast/agent/assess/events/source_event'
+require 'contrast/agent/reporting/reporting_events/finding_event'
 module Contrast
   module Agent
@@ -25,7 +24,7 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event event_data, source_type = nil, source_name = nil
-            @event = Contrast::Agent::Assess::Events::EventFactory.build(event_data, source_type, source_name)
+            @event = Contrast::Agent::Reporting::FindingEvent.new(event_data, source_type, source_name)
             report_sources(event_data.tagged, @event)
           end
@@ -35,21 +34,22 @@ module Contrast
           # context's observed route
           #
           # @param tagged [Object] The Target of the Event
-          # @param event [Contrast::Agent::Assess::Events::ContrastEvent]
+          # @param event [Contrast::Agent::Reporting::FindingEvent]
           def report_sources tagged, event
             return unless tagged && !tagged.to_s.empty?
-            return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
             return unless event.source_type
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
-            if current_request.observed_route.sources.any? do |source|
-              source.type == event.source_type && source.name == event.source_name # rubocop:disable Security/Module/Name
-            end
+            event.event_sources&.each do |event_source|
+              if current_request.observed_route.sources.any? do |source|
+                source.source_type == event_source.source_type && source.source_name == event_source.source_name
+              end
-              return
-            end
+                next
+              end
-            current_request.observed_route.sources << event.event_source if event.event_source
+              current_request.observed_route.sources << event_source
+            end
           end
         end
       end

data/lib/contrast/agent/assess.rb CHANGED Viewed

@@ -18,7 +18,6 @@ module Contrast
       # reporting / tracking
       require 'contrast/agent/assess/properties'
       require 'contrast/agent/assess/tag'
-      require 'contrast/agent/assess/events/event_factory'
     end
   end
 end

data/lib/contrast/agent/excluder.rb CHANGED Viewed

@@ -1,13 +1,17 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+require 'contrast/agent/reporting/settings/url_exclusion'
 module Contrast
   module Agent
     # Given an array of exclusion matcher instances provides methods to
     # determine if the exclusions apply to particular urls.
     class Excluder # rubocop:disable Metrics/ClassLength
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       attr_reader :exclusions
+      # @param exclusions [Array<Contrast::Agent::ExclusionMatcher>]
       def initialize exclusions = []
         @exclusions = exclusions
       end
@@ -16,12 +20,12 @@ module Contrast
       # then we can avoid any tracking for the request.
       #
       # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
-      # return [Boolean]
+      # @return [Boolean]
       def assess_excluded_by_url? request
         request_path = request.path
-        assess_url_exclusions_for_all_rules.any? do |exclusion|
-          path_match?(exclusion, request_path)
+        assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
         end
       end
@@ -34,9 +38,9 @@ module Contrast
       def assess_excluded_by_url_and_rule? request, rule_id
         request_path = request.path
-        assess_url_exclusions.any? do |exclusion|
-          path_match?(exclusion, request_path) &&
-              (exclusion.assessment_rules.empty? || exclusion.assessment_rules.include?(rule_id))
+        assess_url_exclusions.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path) &&
+              (exclusion_matcher.assess_rules.empty? || exclusion_matcher.assess_rules.include?(rule_id))
         end
       end
@@ -44,13 +48,14 @@ module Contrast
       # rules, then we can avoid tracking this entry.
       #
       # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
-      # @param rule_id [String]
+      # @param source_type [String]
+      # @param source_name [String]
       # return [Boolean]
       def assess_excluded_by_input? request, source_type, source_name
         request_path = request.path
-        assess_input_exclusions_for_all_rules.any? do |exclusion|
-          input_match?(exclusion, source_type, source_name) && path_match?(exclusion, request_path)
+        assess_input_exclusions_for_all_rules.any? do |exclusion_matcher|
+          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher, request_path)
         end
       end
@@ -66,18 +71,18 @@ module Contrast
         # We need to check for url exclusions here for the input rules as the url exclusions
         # that have already been checked didn't include the INPUT exclusions. So we look for
-        # any INPUT exclusions that apply to the current url and the suppleid rule.
+        # any INPUT exclusions that apply to the current url and the supplied rule.
         path = request.path
-        rule_input_exclusions = assess_input_exclusions.select do |exclusion|
-          (exclusion.protection_rules.empty? || exclusion.protection_rules.include?(rule)) && path_match?(exclusion,
-                                                                                                          path)
+        rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
+          (exclusion_matcher.protection_rules.empty? || exclusion_matcher.protection_rules.include?(rule)) &&
+              path_match?(exclusion_matcher, path)
         end
         return false if rule_input_exclusions.empty?
         event_sources = finding.events.flat_map(&:event_sources)
         event_sources.each do |event_source|
           return false unless rule_input_exclusions.any? do |exclusion|
-            input_match?(exclusion, event_source.type, event_source.name) # rubocop:disable Security/Module/Name
+            input_match?(exclusion, event_source.source_type, event_source.source_name)
           end
         end
@@ -94,72 +99,85 @@ module Contrast
       def protect_excluded_by_url? request
         request_path = request.path
-        protect_url_exclusions_for_all_rules.any? do |exclusion|
-          path_match?(exclusion, request_path)
+        protect_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
         end
       end
       private
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions_for_all_rules
-        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion|
-          exclusion.assessment_rules.empty?
+        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions
-        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_input_exclusions_for_all_rules
-        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion|
-          exclusion.assessment_rules.empty?
+        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_input_exclusions
-        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::INPUT
+        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :INPUT
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_exclusions
         @_assess_exclusions ||= @exclusions.select(&:assess)
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_url_exclusions_for_all_rules
-        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion|
-          exclusion.protection_rules.empty?
+        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.protect_rules.empty?
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_url_exclusions
-        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion|
-          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
         end
       end
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_exclusions
         @_protect_exclusions ||= @exclusions.select(&:protect)
       end
-      def path_match? exclusion, path
-        exclusion.wildcard_url || exclusion.urls.any? { |url| url.match?(path) }
+      # @return [Boolean]
+      def path_match? exclusion_matcher, path
+        exclusion_matcher.wildcard_url || exclusion_matcher.urls.any? { |url| url.match?(path) }
       end
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_type [String]
+      # @param source_name [String]
+      # @return [Boolean]
       def input_match? exclusion, source_type, source_name
         case exclusion.input_type
-        when Contrast::Api::Settings::Exclusion::InputType::PARAMETER
+        when 'PARAMETER'
           input_match_parameter?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::COOKIE
+        when 'COOKIE'
           input_match_cookie?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::HEADER
+        when 'HEADER'
           input_match_header?(exclusion, source_type, source_name)
-        when Contrast::Api::Settings::Exclusion::InputType::BODY
+        when 'BODY'
           Contrast::Agent::Assess::Policy::SourceMethod::BODY_TYPE == source_type
-        when Contrast::Api::Settings::Exclusion::InputType::QUERYSTRING
+        when 'QUERYSTRING'
           Contrast::Agent::Assess::Policy::SourceMethod::QUERYSTRING_TYPE == source_type
         else
           false

data/lib/contrast/agent/exclusion_matcher.rb CHANGED Viewed

@@ -2,6 +2,10 @@
 # frozen_string_literal: true
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/settings/exclusion_base'
+require 'contrast/agent/reporting/settings/code_exclusion'
+require 'contrast/agent/reporting/settings/input_exclusion'
+require 'contrast/agent/reporting/settings/url_exclusion'
 module Contrast
   module Agent
@@ -13,22 +17,30 @@ module Contrast
       extend Forwardable
-      attr_reader :protect, :assess, :urls, :wildcard_url, :wildcard_input
+      attr_reader :protect, :assess, :type, :urls, :wildcard_url, :wildcard_input
-      def_delegators :@exclusion, :type, :assessment_rules, :protection_rules, :input_type, :input_name
+      def_delegators :@exclusion, :protect_rules, :assess_rules, :input_type, :input_name
       # Create a matcher around an exclusion sent from TeamServer.
       #
-      # @param excl [Contrast::Api::Settings::Exclusion]
+      # @param excl [Contrast::Agent::Reporting::Settings::ExclusionBase]
       # @return [Contrast::Agent::ExclusionMatcher]
       def initialize excl
         @exclusion = excl
         @protect = @exclusion.protect
         @assess = @exclusion.assess
-        handle_wildcard_input
-        handle_wildcard_url
-        handle_wildcard_code
+        case excl
+        when Contrast::Agent::Reporting::Settings::CodeExclusion
+          handle_wildcard_code
+          @type = :CODE
+        when Contrast::Agent::Reporting::Settings::InputExclusion
+          handle_wildcard_input
+          @type = :INPUT
+        when Contrast::Agent::Reporting::Settings::UrlExclusion
+          handle_wildcard_url
+          @type = :URL
+        end
       end
       # According to the docs for exclusions, user input applies to all inputs if
@@ -97,7 +109,7 @@ module Contrast
       end
       def code?
-        @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
+        @type == :CODE
       end
       def match_all?
@@ -105,12 +117,12 @@ module Contrast
       end
       # Determine if the given rule is excluded by this exclusion.
-      # In this case, the `protection_rules` being empty means apply to all rules,
+      # In this case, the `protect_rules` being empty means apply to all rules,
       # not no rules
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def protection_rule? rule
-        protect? && (@exclusion.protection_rules.empty? || @exclusion.protection_rules.include?(rule))
+        protect? && (@exclusion.protect_rules.empty? || @exclusion.protect_rules.include?(rule))
       end
       # Determine if the given rule is excluded by this exclusion.

data/lib/contrast/agent/middleware.rb CHANGED Viewed

@@ -15,7 +15,7 @@ require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
 require 'contrast/agent/telemetry/events/startup_metrics_event'
 require 'contrast/utils/middleware_utils'
+require 'contrast/utils/reporting/application_activity_batch_utils'
 require 'contrast/utils/timer'
 module Contrast
@@ -27,6 +27,7 @@ module Contrast
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
       include Contrast::Utils::MiddlewareUtils
+      include Contrast::Utils::Reporting::ApplicationActivityBatchUtils
       attr_reader :app
@@ -62,6 +63,7 @@ module Contrast
       #   the Rack framework.
       def call env
         logger.trace_with_time('Elapsed time for Contrast::Agent::Middleware#call') do
+          ::Contrast::Agent::ThreadWatcher.check_before_start
           return app.call(env) unless ::Contrast::AGENT.enabled?
           Contrast::Agent.heapdump_util.start_thread!
@@ -73,12 +75,12 @@ module Contrast
       private
       # Startup the Agent as part of the initialization process:
-      # - start the service sending thread, responsible for sending and processing messages
-      # - start the heartbeat thread, which triggers service startup
+      # - start the TeamServer sending thread, responsible for sending and processing messages
+      # - start the heartbeat thread, which handles periodic messages to TeamServer
       # - start instrumenting libraries and do a 'catchup' patch for everything we didn't see get loaded
       # - enable TracePoint, which handles all class loads and required instrumentation going forward
       def agent_startup_routine
-        logger.debug_with_time('middleware: starting service') do
+        logger.debug_with_time('middleware: starting reporting threads') do
           Contrast::Agent.thread_watcher.ensure_running?
         end
@@ -147,7 +149,7 @@ module Contrast
       #    which is being triggered when there is a failure within the pre-call with the agent
       def pre_call_with_agent context, request_handler
         with_contrast_scope do
-          context.service_extract_request
+          context.protect_input_analysis
           request_handler.ruleset.prefilter
         end
       rescue StandardError => e
@@ -173,13 +175,17 @@ module Contrast
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
           Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
+          # Process Worth Watching Inputs for v2 rules
+          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity
             request_handler.stream_safe_postfilter
           else
             request_handler.ruleset.postfilter
-            request_handler.report_activity
+            request_handler.report_observed_route
+            add_activity_to_batch(context.activity)
+            report_batch
           end
         end
       # unsuccessful attack

data/lib/contrast/agent/patching/policy/after_load_patcher.rb CHANGED Viewed

@@ -56,6 +56,7 @@ module Contrast
               unless Contrast::Agent::Assess.cs__object_method_prepended?(Marshal, :load, false)
                 apply_marshal_load_alias_patch
               end
+              apply_array_join_prepend_patch if Contrast::Agent::Assess.cs__object_method_prepended?(Array, :join, true)
               true
             end
           end
@@ -121,6 +122,11 @@ module Contrast
             Marshal.alias_method(:cs__marshal_load, :load)
             Marshal.alias_method(:load, :cs__marshal_load)
           end
+          # Prepend Contrast::Extension::Assess::ContrastArray to pick up the ContrastArray#join method
+          def apply_array_join_prepend_patch
+            Array.prepend(Contrast::Extension::Assess::ContrastArray)
+          end
         end
       end
     end