contrast-agent 6.7.0 → 6.9.0

data/lib/contrast/configuration.rb

@@ -13,7 +13,7 @@ require 'contrast/components/scope'
 require 'contrast/components/inventory'
 require 'contrast/components/protect'
 require 'contrast/components/assess'
-require 'contrast/components/service'
+require 'contrast/components/config/sources'
 require 'contrast/config/server_configuration'
 
 module Contrast
@@ -44,30 +44,42 @@ module Contrast
     attr_writer :inventory
     # @return [Contrast::Components::Protect::Interface]
     attr_writer :protect
-    # @return [Contrast::Components::Service::Interface]
-    attr_writer :service
     # @return [Boolean, nil]
     attr_accessor :enable
+    # @return [Hash]
+    attr_accessor :loaded_config
+    # @return [Contrast::Config::Sources]
+    attr_accessor :sources
+    # @return [String,nil]
+    attr_reader :config_file
 
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
     MILLISECOND_MARKER = '_ms'
-    CONVERSION = { 'agent.service.enable' => 'agent.start_bundled_service' }.cs__freeze
+    CONVERSION = {}.cs__freeze
     CONFIG_BASE_PATHS = ['', 'config/', '/etc/contrast/ruby/', '/etc/contrast/', '/etc/'].cs__freeze
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
 
-    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
+    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH # rubocop:disable Metrics/AbcSize
       @default_name = default_name
 
       # Load config_kv from file
       config_kv = deep_symbolize_all_keys(load_config)
+      config_sources = assign_source_to(config_kv, Contrast::Components::Config::Sources::YAML)
 
       # Overlay CLI options - they take precedence over config file
       cli_options = deep_symbolize_all_keys(cli_options)
-      config_kv = deep_merge(cli_options, config_kv) if cli_options
+      if cli_options
+        config_kv = deep_merge(cli_options, config_kv)
+        config_sources = deep_merge(assign_source_to(cli_options, Contrast::Components::Config::Sources::CLI),
+                                    config_sources)
+      end
 
       # Some in-flight rewrites to maintain backwards compatibility
       config_kv = update_prop_keys(config_kv)
+      @loaded_config = config_kv
+
+      @sources = Contrast::Components::Config::Sources.new(config_sources)
 
       @api = Contrast::Components::Api::Interface.new(config_kv[:api])
       @enable = config_kv[:enable]
@@ -77,7 +89,6 @@ module Contrast
       @assess = Contrast::Components::Assess::Interface.new(config_kv[:assess])
       @inventory = Contrast::Components::Inventory::Interface.new(config_kv[:inventory])
       @protect = Contrast::Components::Protect::Interface.new(config_kv[:protect])
-      @service = Contrast::Components::Service::Interface.new(config_kv[:service])
     end
 
     # Get a loggable YAML format of this configuration
@@ -122,11 +133,6 @@ module Contrast
       @protect ||= Contrast::Components::Protect::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
     end
 
-    # @return [Contrast::Components::Service::Interface]
-    def service
-      @service ||= Contrast::Components::Service::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
-    end
-
     protected
 
     # TODO: RUBY-546 move utility methods to auxiliary classes
@@ -141,6 +147,7 @@ module Contrast
           next
         end
         config = yaml_to_hash(path) || {}
+        @config_file = path
         break
       end
 
@@ -316,5 +323,15 @@ module Contrast
     def redactable? key
       KEYS_TO_REDACT.include?(key.to_sym)
     end
+
+    def assign_source_to hash, source = Contrast::Components::Config::Sources::YAML
+      hash.transform_values do |value|
+        if value.is_a?(Hash)
+          assign_source_to(value, source)
+        else
+          source
+        end
+      end
+    end
   end
 end

data/lib/contrast/extension/assess/array.rb

@@ -5,6 +5,7 @@ require 'contrast/agent/patching/policy/patch'
 require 'contrast/agent/patching/policy/patcher'
 require 'contrast/components/scope'
 require 'contrast/agent/assess/events/event_data'
+require 'cs__assess_array/cs__assess_array'
 
 module Contrast
   module Extension
@@ -61,6 +62,14 @@ module Contrast
           end
         end
       end
+
+      # Helper module to call cs__join
+      module ContrastArray
+        def join *args
+          cs__join(*args)
+          super(*args)
+        end
+      end
     end
   end
 end

data/lib/contrast/extension/assess/erb.rb

@@ -39,7 +39,7 @@ module ERBPropagator
     # @param used_binding [Binding] the binding in of the current event, saved as preshift argument
     # @param erb_pre_result [String] the source saved in the preshift
     # @param properties [Contrast::Agent::Assess::Properties] properties of the target if none create new
-    # @param parent_events [Array<Contrast::Agent::Assess::ContrastEvent>] parents event extracted from the source
+    # @param parent_events [Array<Contrast::Agent::Reporting::FindingEvent>] parents event extracted from the source
     #                                                                      properties
     # @param ret [String] the Return of the invoked method
     # @return [Array<Symbol>]

data/lib/contrast/extension/delegator.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'delegate'
+
 # Some developers override various methods on Delegator, which can often
 # involve changing expected method parity/behavior which in turn prevents us
 # from being able to reliably use affected methods. Let's alias these methods

data/lib/contrast/framework/manager.rb

@@ -71,9 +71,11 @@ module Contrast
         first_framework_result(:application_name, 'root')
       end
 
+      # @return app_root [String] path
       def app_root
         found = first_framework_result(:application_root, nil)
-        found || ::Rack::Directory.new('').root
+        found ||= ::Rack::Directory.new('').root
+        found.to_s
       end
 
       # Build a request from the provided env, based on the framework(s) we're currently supporting.

data/lib/contrast/framework/rails/railtie.rb

@@ -25,7 +25,6 @@ module Contrast
         end
 
         rake_tasks do
-          load 'contrast/tasks/service.rb'
           load 'contrast/tasks/config.rb'
         end
       end

data/lib/contrast/framework/rails/support.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/dtm.pb'
 require 'contrast/framework/base_support'
 require 'contrast/framework/rails/patch/support'
 require 'contrast/utils/string_utils'

data/lib/contrast/tasks/config.rb

@@ -7,7 +7,7 @@ require 'contrast/agent/reporting/reporter'
 
 module Contrast
   # A Rake task to generate a contrast_security.yaml file with some basic settings
-  module Config # rubocop:disable Metrics/ModuleLength
+  module Config
     extend Rake::DSL
     DEFAULT_CONFIG = {
         'api' => {
@@ -17,13 +17,6 @@ module Contrast
             'user_name' => 'Enter your Contrast user name'
         },
         'agent' => {
-            'service' => {
-                'logger' => {
-                    'path' => 'contrast_service.log',
-                    'level' => 'ERROR' # DEBUG | INFO | WARN | ERROR
-                },
-                'socket' => '/tmp/contrast_service.sock'
-            },
             'logger' => {
                 'level' => 'ERROR',
                 'path' => 'contrast_agent.log'

data/lib/contrast/utils/assess/event_limit_utils.rb

@@ -12,18 +12,19 @@ module Contrast
       module EventLimitUtils
         include Contrast::Components::Logger::InstanceMethods
         # Checks to see if the event limit for the policy type has been met or exceeded
-        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] method to check for event limit
-        def event_limit? method_policy
+        # @param policy [Contrast::Agent::Patching::Policy::MethodPolicy,
+        #   Contrast::Agent::Patching::Policy::TriggerNode] method to check for event limit
+        def event_limit? policy
           return false unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
-          if method_policy.source_node
+          if policy.source_node
             max =  ::Contrast::ASSESS.max_context_source_events
-            return at_limit?(method_policy, context.source_event_count, max)
-
+            return at_limit?(policy, context.source_event_count, max, context)
           end
-          if method_policy.propagation_node
+
+          if policy.propagation_node
             max = ::Contrast::ASSESS.max_propagation_events
-            return at_limit?(method_policy, context.propagation_event_count, max)
+            return at_limit?(policy, context.propagation_event_count, max, context)
           end
 
           false # policy does not have limit
@@ -65,8 +66,10 @@ module Contrast
         private
 
         # helper method to check limit and log when necessary
-        def at_limit? method_policy, current_count, event_max
+        def at_limit? method_policy, current_count, event_max, context
           if current_count == event_max
+            return if event_limit_counts.key?(get_event_limit_key(method_policy, context))
+
             logger.warn('Event Limit Reached:',
                         {
                             count: current_count,
@@ -76,16 +79,21 @@ module Contrast
                         })
             # increment to be over count for logging purposes
             increment_event_count(method_policy)
+            increment_event_limit_logs(method_policy, context)
+
             return true
           elsif current_count > event_max
-            # increment to be over count for logging purposes
             increment_event_count(method_policy)
+            return if event_limit_counts.key?(get_event_limit_key(method_policy, context))
+
+            # increment to be over count for logging purposes
             logger.warn('Event Limit Exceeded:',
                         {
                             count: current_count,
                             policy: method_policy.method_name,
                             node: method_policy
                         })
+            increment_event_limit_logs(method_policy, context)
             return true
           end
           false
@@ -95,6 +103,20 @@ module Contrast
           @_rule_counts ||= Hash.new { |h, k| h[k] = 0 }
         end
 
+        def event_limit_counts
+          @_event_limit_counts ||= Hash.new { |h, k| h[k] = 0 }
+        end
+
+        def get_event_limit_key method_policy, context
+          "#{ method_policy.method_name }_#{ context.request.__id__ }"
+        end
+
+        def increment_event_limit_logs method_policy, context
+          event_limit_counter = get_event_limit_key(method_policy, context)
+
+          event_limit_counts[event_limit_counter] += 1
+        end
+
         # the time threshold for which to track rule counts resets when now >= threshold_time_limit
         # @return [Integer]
         def threshold_time_limit

data/lib/contrast/utils/assess/trigger_method_utils.rb

@@ -1,12 +1,15 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/assess/event_limit_utils'
+
 module Contrast
   module Utils
     module Assess
       # This module will include all methods for some internal validations/appliers in the TriggerMethod module
       # and some other module methods from the same place, so we can ease the main module
       module TriggerMethodUtils
+        extend Contrast::Utils::Assess::EventLimitUtils
         # A request is reportable if it is not from ActionController::Live
         #
         # @param env [Hash] the env of the Request
@@ -33,10 +36,10 @@ module Contrast
 
         # Finds the first request along the left most tree of parent events
         #
-        # @param event [Contrast::Agent::Assess::ContrastEvent|Contrast::Agent::Assess::Events::SourceEvent]
+        # @param event [Contrast::Agent::Reporting::FindingEvent]
         # @return [Contrast::Agent::Request, nil]
         def find_event_request event
-          return event.request if event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+          return event.request if event&.source_type
 
           idx = 0
           while idx <= event.parent_events.length
@@ -44,9 +47,7 @@ module Contrast
             return found if found
 
             idx += 1
-            return event.request if event.request
           end
-          return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
 
           event.request
         end

data/lib/contrast/utils/duck_utils.rb

@@ -13,6 +13,7 @@ module Contrast
         # @param method [Symbol]
         # @return [Boolean]
         def quacks_to? object, method
+          object.cs__respond_to?(method)
           return true if object.cs__respond_to?(method)
           return false unless object.is_a?(Delegator)
 

data/lib/contrast/utils/hash_digest.rb

@@ -61,8 +61,8 @@ module Contrast
       def update_on_sources events
         events.each do |event|
           event.event_sources.each do |source|
-            update(source.type)
-            update(source.name) # rubocop:disable Security/Module/Name
+            update(source.source_type)
+            update(source.source_name)
           end
         end
       end

data/lib/contrast/utils/input_classification_base.rb

@@ -0,0 +1,155 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will include all the similar information for all input classifications
+        # between different rules
+        module InputClassificationBase
+          UNKNOWN_KEY = 'unknown'
+          THRESHOLD = 90.cs__freeze
+          WORTHWATCHING_THRESHOLD = 10.cs__freeze
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Components::Logger::InstanceMethods
+
+          KEYS_NEEDED = [COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE].cs__freeze
+
+          # Input Classification stage is done to determine if an user input is
+          # DEFINITEATTACK or to be ignored.
+          #
+          # @param rule_id [String] Name of the protect rule.
+          # @param input_type [Symbol, Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+          def classify rule_id, input_type, value, input_analysis
+            return unless (rule = Contrast::PROTECT.rule(rule_id))
+            return unless rule.applicable_user_inputs.include?(input_type)
+            return unless input_analysis.request
+
+            Array(value).each do |val|
+              Array(val).each do |v|
+                next unless v
+
+                result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, v)
+                input_analysis.results << result unless result.nil?
+              end
+            end
+
+            input_analysis
+          rescue StandardError => e
+            logger.debug("An Error was recorded in the input classification of the #{ rule_id }")
+            logger.debug(e)
+          end
+
+          # Creates new isntance of InputAnalysisResult with basic info.
+          #
+          # @param rule_id [String] The name of the Protect Rule.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param path [String] the path of the current request context.
+          #
+          # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          def new_ia_result rule_id, input_type, path, value = nil
+            res = Contrast::Agent::Reporting::InputAnalysisResult.new
+            res.rule_id = rule_id
+            res.input_type = input_type
+            res.path = path
+            res.value = value
+            res
+          end
+
+          # This methods checks if input is value that matches a key in the input.
+          #
+          # @param request [Contrast::Agent::Request] the current request context.
+          # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          #
+          # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
+          def add_needed_key request, result, input_type, value
+            case input_type
+            when COOKIE_VALUE
+              result.key = request.cookies.key(value)
+            when PARAMETER_VALUE, URL_PARAMETER
+              result.key = request.parameters.key(value)
+            when HEADER
+              result.key = request.headers.key(value)
+            when UNKNOWN
+              result.key = UNKNOWN_KEY
+            else
+              result.key
+            end
+          rescue StandardError => e
+            logger.warn('Could not find proper key for input traced value', message: e)
+          end
+
+          # Some input types are not yet supported from the AgentLib.
+          # This will convert the type to the closet possible if viable,
+          # so that the input tracing could be done.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @return [Integer<Contrast::AgentLib::Interface::INPUT_SET>]
+          def convert_input_type input_type
+            case input_type
+            when BODY, DWR_VALUE
+              Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
+            when HEADER
+              Contrast::AGENT_LIB.input_set[:HEADER_VALUE]
+            when MULTIPART_VALUE, MULTIPART_FIELD_NAME
+              Contrast::AGENT_LIB.input_set[:MULTIPART_NAME]
+            else
+              Contrast::AGENT_LIB.input_set[input_type]
+            end
+          rescue StandardError
+            Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
+          end
+
+          private
+
+          # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+          # key if needed and Creates new instance of InputAnalysisResult.
+          #
+          # @param request [Contrast::Agent::Request] the current request context.
+          # @param rule_id [String] The name of the Protect Rule.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          #
+          # @return res [Contrast::Agent::Reporting::InputAnalysisResult, nil]
+          def create_new_input_result request, rule_id, input_type, value
+            return unless Contrast::AGENT_LIB
+
+            input_eval = Contrast::AGENT_LIB.eval_input(value,
+                                                        convert_input_type(input_type),
+                                                        Contrast::AGENT_LIB.rule_set[rule_id],
+                                                        Contrast::AGENT_LIB.eval_option[:WORTHWATCHING])
+
+            ia_result = new_ia_result(rule_id, input_type, request.path, value)
+            score = input_eval&.score || 0
+            if score >= WORTHWATCHING_THRESHOLD
+              ia_result.score_level = WORTHWATCHING
+              ia_result.ids << self::WORTHWATCHING_MATCH
+            else
+              ia_result.score_level = IGNORE
+              return
+            end
+
+            add_needed_key(request, ia_result, input_type, value) if KEYS_NEEDED.include?(input_type)
+            ia_result
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/os.rb

@@ -13,26 +13,6 @@ module Contrast
       extend Contrast::Components::Scope::InstanceMethods
 
       class << self
-        def running?
-          result = false
-          with_contrast_scope do
-            process = `ps aux | grep contrast-servic[e]`
-            processes = process.split("\n")
-            result = !processes.empty? && processes.any? { |process_descriptor| !process_descriptor.include?('grep') }
-          end
-          result
-        end
-
-        # check if service was killed and is a zombie process
-        # returns an array of zombie process PIDs as strings; empty array if there are none
-        def zombie_pids
-          with_contrast_scope do
-            # retrieve pid of service processes
-            zombie_pid_list = `ps aux | grep contrast-servic[e] | grep Z | awk '{print $2}'`
-            zombie_pid_list.split("\n")
-          end
-        end
-
         # Check current OS type
         # returns true if check is correct or false if not
         def windows?

data/lib/contrast/utils/reporting/application_activity_batch_utils.rb

@@ -0,0 +1,81 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/application_activity'
+
+module Contrast
+  module Utils
+    module Reporting
+      # ApplicationActivityBatchUtils handles batching and reporting of ApplicationActivity events to TeamServer at a
+      # set interval
+      module ApplicationActivityBatchUtils
+        DEFAULT_REPORTING_INTERVAL_MS = 30_000.cs__freeze
+
+        # @return [Integer] time when activity batch was created in ms
+        attr_reader :batch_age
+
+        # Merge a ApplicationActivity into the ApplicationActivityBatch
+        # @param activity [Contrast::Agent::Reporting::ApplicationActivity] from a RequestContext
+        def add_activity_to_batch activity
+          return unless activity
+
+          activity_batch.query_count += activity.query_count
+          activity_batch.routes << activity.routes
+          activity_batch.routes.flatten!
+          merge_attackers(activity)
+          activity_batch.attach_inventory(activity.inventory) unless activity.inventory.empty?
+        end
+
+        # If the batch can be reported, mask the data and add it to the reporting queue, then reset the activity_batch
+        def report_batch
+          return unless report_batch?
+          return unless (reporter = Contrast::Agent.reporter)
+
+          Contrast::Agent::Reporting::Masker.mask(activity_batch)
+          reporter&.send_event(activity_batch)
+          reset_activity_batch
+        end
+
+        # @return Contrast::Agent::Reporting::ApplicationActivity
+        def activity_batch
+          return @activity_batch unless @activity_batch.nil?
+
+          reset_activity_batch
+          @activity_batch
+        end
+
+        private
+
+        def merge_attackers activity
+          return if activity.defend.attackers.empty?
+
+          activity.defend.attackers.each do |attacker|
+            if (existing = activity_batch.defend.find_existing_attacker_activity(attacker))
+              attacker.protection_rules.each_key do |key|
+                activity_batch.defend.attach_existing(existing, attacker, key)
+              end
+            else
+              activity_batch.defend.attackers << attacker
+            end
+          end
+        end
+
+        # resets the activity_batch object and it's batch_age
+        def reset_activity_batch
+          @batch_age = Contrast::Utils::Timer.now_ms
+          @activity_batch = Contrast::Agent::Reporting::ApplicationActivity.new
+        end
+
+        # @return [Boolean] if the age of the batch is outside the reporting interval
+        def report_batch?
+          reporting_interval <= (Contrast::Utils::Timer.now_ms - batch_age)
+        end
+
+        # @return [Integer] interval to report to TeamServer in seconds
+        def reporting_interval
+          Contrast::AGENT.polling.batch_reporting_interval_ms.to_i || DEFAULT_REPORTING_INTERVAL_MS
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/response_utils.rb

@@ -7,22 +7,6 @@ module Contrast
     module ResponseUtils
       private
 
-      # From the dtm for normalized_response_headers:
-      #   Key is UPPERCASE_UNDERSCORE
-      #
-      #   Example: Content-Type: text/html; charset=utf-8
-      #   "CONTENT_TYPE" => Content-Type,["text/html; charset=utf8"]
-      def append_pair map, key, value
-        return unless key && value
-        return if value.is_a?(Hash)
-
-        safe_key = Contrast::Utils::StringUtils.force_utf8(key)
-        hash_key = Contrast::Utils::StringUtils.normalized_key(safe_key)
-        map[hash_key] ||= Contrast::Api::Dtm::Pair.new
-        map[hash_key].key = safe_key
-        map[hash_key].values << Contrast::Utils::StringUtils.force_utf8(value)
-      end
-
       HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
 
       # Given some holder of the content of the response's body, extract that