contrast-agent 6.7.0 → 6.9.0

data/exe/contrast_service

@@ -1,23 +0,0 @@
-#!/usr/bin/env ruby
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-def mac?
-  RUBY_PLATFORM.include?('darwin')
-end
-
-def path
-  base_path = "#{ File.dirname(__FILE__) }/.."
-  if mac?
-    "#{ base_path }/service_executables/mac/contrast-service"
-  else
-    "#{ base_path }/service_executables/linux/contrast-service"
-  end
-end
-
-executable_path = path
-if File.exist?(executable_path)
-  Kernel.exec(executable_path)
-else
-  puts "Service executable not found at: #{ executable_path }"
-end

data/lib/contrast/agent/assess/contrast_event.rb

@@ -1,157 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/assess/tracking_util'
-require 'contrast/utils/class_util'
-require 'contrast/utils/duck_utils'
-require 'contrast/utils/object_share'
-require 'contrast/utils/stack_trace_utils'
-require 'contrast/utils/string_utils'
-require 'contrast/utils/timer'
-require 'contrast/agent/assess/contrast_object'
-require 'contrast/agent/reporting/reporting_events/finding_event'
-
-module Contrast
-  module Agent
-    module Assess
-      # This class holds the data about an event in the application We'll use it to build an event that TeamServer can
-      # consume if the object to which this event belongs ends in a trigger.
-      class ContrastEvent
-        # @return [Integer] the atomic id of this event
-        attr_reader :event_id
-        # @return [Contrast::Agent::Assess::Policy::PolicyNode] the node that governs this event.
-        attr_reader :policy_node
-        # @return [Array<String>] the execution stack at the time the method for this event was invoked
-        attr_reader :stack_trace
-        # @return [Integer] the time, in epoch ms, when this event was created
-        attr_reader :time
-        # @return [Integer] the object id of the thread on which this event was generated
-        attr_reader :thread
-        # @return [Contrast::Agent::Assess::ContrastObject] the safe representation of the Object on which the method
-        #   was invoked
-        attr_reader :object
-        # @return [Contrast::Agent::Assess::ContrastObject] the safe representation of the Return of the invoked method
-        attr_reader :ret
-        # @return [Array<Contrast::Agent::Assess::ContrastObject, nil>] the safe representation of the Arguments with
-        #   which the method was invoked
-        attr_reader :args
-        # @return [Hash<Contrast::Agent::Assess::Tag>]
-        attr_reader :tags
-
-        # We need this to track the parent id's of events to build up a flow chart of the finding
-        @atomic_id = 0
-        @atomic_mutex = Mutex.new
-        def self.next_atomic_id
-          @atomic_mutex.synchronize do
-            @atomic_id += 1
-            # Rollover things
-          rescue StandardError
-            @atomic_id = 1
-          end
-        end
-
-        # @param event_data [Contrast::Agent::Assess::Events::EventData]
-        def initialize event_data
-          @policy_node = event_data.policy_node
-          @time = Contrast::Utils::Timer.now_ms
-          @thread = Thread.current.object_id
-
-          # These methods rely on the above being set. Don't move them!
-          @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
-          @tags = Contrast::Agent::Assess::Tracker.properties(event_data.tagged)&.get_tags
-          find_parent_events!(event_data.policy_node, event_data.object, event_data.ret, event_data.args)
-          snapshot!(event_data.object, event_data.ret, event_data.args)
-          capture_stacktrace!
-        end
-
-        # @return [Array<Contrast::Agent::Assess::ContrastEvent>]
-        def parent_events
-          @_parent_events ||= []
-        end
-
-        private
-
-        # Parent events are the events of all the sources of this event which were tracked prior to this event
-        # occurring. Depending on which, if any of the sources were tracked, there may be more than one parent.
-        #
-        # All events except for [Contrast::Agent::Assess::Events::SourceEvent] will have at least one parent.
-        #
-        # We set those events to this event's instance variables.
-        #
-        # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode] the node that governs this event.
-        # @param object [Object] the Object on which the method was invoked
-        # @param ret [Object] the Return of the invoked method
-        # @param args [Array<Object>] the Arguments with which the method was invoked
-        def find_parent_events! policy_node, object, ret, args
-          policy_node.sources.each do |source_marker|
-            source = value_of_source(source_marker, object, ret, args)
-            next unless source
-
-            event = Contrast::Agent::Assess::Tracker.properties(source)&.event
-            parent_events << event if event
-          end
-        end
-
-        # @param source [String] the marker for the source type
-        # @param object [Object] the Object on which the method was invoked
-        # @param ret [Object] the Return of the invoked method
-        # @param args [Array<Object>] the Arguments with which the method was invoked
-        # @return [Object,nil] the literal value of the source indicated by the given marker
-        def value_of_source source, object, ret, args
-          case source
-          when Contrast::Utils::ObjectShare::OBJECT_KEY
-            object
-          when Contrast::Utils::ObjectShare::RETURN_KEY
-            ret
-          else
-            args[source]
-          end
-        end
-
-        # Everything* is mutable in Ruby. As such, to ensure we can accurately report the application state at the time
-        # of this method's invocation, we have to snapshot the given values, making safe representations of them for
-        # our later use. We set those safe values to this event's instance variables.
-        #
-        # @param object [Object] the Object on which the method was invoked
-        # @param ret [Object] the Return of the invoked method
-        # @param args [Array<Object>] the Arguments with which the method was invoked
-        def snapshot! object, ret, args
-          @object = Contrast::Agent::Assess::ContrastObject.new(object) if object
-          @ret = Contrast::Agent::Assess::ContrastObject.new(ret) if ret
-          @args = safe_args_representation(args)
-          self
-        end
-
-        # Given an array of arguments, copy them into a safe, meaning String, format that we can use to send to SR and
-        # TS for rendering.
-        #
-        # @param args [Array<Object>] the arguments to translate
-        # @return [Array<Contrast::Agent::Assess::ContrastObject>] the String forms of those Objects, as determined by
-        #   Contrast::Utils::ClassUtil.to_contrast_string
-        def safe_args_representation args
-          return unless args
-          return Contrast::Utils::ObjectShare::EMPTY_ARRAY if args.empty?
-
-          args.map { |arg| arg ? Contrast::Agent::Assess::ContrastObject.new(arg) : nil }
-        end
-
-        # Capture stack traces only as configured. We'll use this to grab the start of the call stack as if the
-        # instrumented method were the caller. This means we'll start at the entry just after the first block of
-        # Contrast code.
-        def capture_stacktrace!
-          # If we're configured to not capture the stacktrace, usually for performance reasons, then don't and return an
-          # empty array instead
-          unless ::Contrast::ASSESS.capture_stacktrace?(policy_node)
-            @stack_trace = Contrast::Utils::ObjectShare::EMPTY_ARRAY
-            return
-          end
-
-          # Otherwise, find where in the stack the application / Ruby code starts
-          start = caller(0, 20)&.find_index { |stack| !stack.include?('/lib/contrast') }
-          # And then use that to build out the reported stacktrace, or a fallback if we couldn't find it.
-          @stack_trace = start ? caller(start + 1, 20) : caller(20, 20)
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/events/event_factory.rb

@@ -1,34 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/contrast_event'
-require 'contrast/agent/assess/events/source_event'
-require 'contrast/agent/assess/events/event_data'
-
-module Contrast
-  module Agent
-    module Assess
-      module Events
-        # This module returns the event type appropriate to the given Node
-        module EventFactory
-          # This method returns the event type appropriate to the given Node
-          #
-          # @param event_data [Contrast::Agent::Assess::Events::EventData]
-          # @param source_type [String] the type of this source, from the
-          #       source_node, or a KEY_TYPE if invoked for a map,
-          # @param source_name [String, nil] the name of this source, i.e.
-          #       the key used to accessed if from a map or nil if a type like,
-          # @return [Contrast::Agent::Assess::Events::SourceEvent, Contrast::Agent::Assess::ContrastEvent]
-          def self.build event_data, source_type = nil, source_name = nil
-            case event_data.policy_node
-            when Contrast::Agent::Assess::Policy::SourceNode
-              Contrast::Agent::Assess::Events::SourceEvent.new(event_data, source_type, source_name)
-            when Contrast::Agent::Assess::Policy::PolicyNode
-              Contrast::Agent::Assess::ContrastEvent.new(event_data)
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/events/source_event.rb

@@ -1,46 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/contrast_event'
-require 'contrast/agent/reporting/reporting_events/finding_event'
-require 'contrast/agent/reporting/reporting_events/finding_event_source'
-require 'contrast/utils/string_utils'
-
-module Contrast
-  module Agent
-    module Assess
-      module Events
-        # This class holds the data about an event in the application. We'll use it to build an event that TeamServer
-        # can consume if the object to which this event belongs ends in a trigger.
-        class SourceEvent < Contrast::Agent::Assess::ContrastEvent
-          # @return [Contrast::Agent::Request] our wrapper around the Rack::Request at the time this source
-          #   was created
-          attr_reader :request
-          # @return [String] the name of the source if it comes from a map-like entity
-          attr_reader :source_name
-          # @return [String] the TeamServer understood type of source; i.e. parameter
-          attr_reader :source_type
-          # @return [Contrast::Agent::Reporting::FindingEventSource] the source of this trace
-          attr_reader :event_source
-
-          # @param event_data [Contrast::Agent::Assess::Events::EventData]
-          # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
-          #   Hash
-          # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a Hash or
-          #   nil if a type like
-          def initialize event_data, source_type = nil, source_name = nil
-            super(event_data)
-            @source_type = Contrast::Utils::StringUtils.force_utf8(source_type)
-            @source_name = Contrast::Utils::StringUtils.force_utf8(source_name)
-            @event_source = Contrast::Agent::Reporting::FindingEventSource.new(@source_type, @source_name)
-            @request = Contrast::Agent::REQUEST_TRACKER.current&.request
-          end
-
-          def parent_events
-            nil
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb

@@ -1,64 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/object_share'
-
-module Contrast
-  module Agent
-    module Protect
-      module Rule
-        # This module implements the cmdi-worth-watching-v2 check to determine whether input
-        # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
-        # https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection.html#input-tracing
-        module CmdiWorthWatching
-          POSSIBLE_CHAINING_ELEMENTS = %w[& ; | $ < > `].cs__freeze
-          UNIX_COMMANDS = %w[
-            uname echo cat ping nestat nc whoami wget curl dir ls ps rm chmod cp kill
-            grep sleep mkdir pwd shutdown system touch timeout fetch bash sh
-          ].cs__freeze
-          UNIX_PATHS = %w[tmp opt etc home mnt proc lib bin sbin sys usr var root run].cs__freeze
-          WINDOWS_COMMANDS = %w[
-            sc net reg cmd query cmd.exe powershell powershell.exe hostname ifconfig ipconfig netsh
-            netstat systeminfo sysinfo whoami wscript cscript wmic PowerShell_ISE pskill psexec qprocess
-            regedit regini rename winrm wpeutil ntdsutil taskkill certutil mapisend shellrunas
-          ].cs__freeze
-          # This method will determine if a user input is Worth watching and return true if it is.
-          # This is done by running checks, and if the inputs is worth to watch it would be
-          # saved for the later sink cmdi input analysis.
-          #
-          # @param input [String] the user input to be inspected
-          # @return true | false
-          def cmdi_worth_watching? input
-            return false if input.nil? || input.empty? || input.length < 3
-
-            exploitable?(input) && worth_watching?(input)
-          end
-
-          private
-
-          # This method will check if the input is exploitable
-          #
-          # @param input [String] the user input to be inspected
-          def exploitable? input
-            contains_substring?(input, POSSIBLE_CHAINING_ELEMENTS)
-          end
-
-          def worth_watching? input
-            return true if contains_substring?(input, UNIX_COMMANDS)
-            return true if contains_substring?(input, UNIX_PATHS)
-            return true if contains_substring?(input, WINDOWS_COMMANDS)
-
-            false
-          end
-
-          def contains_substring? input, values
-            return true if values.any? { |val| input.include?(val) }
-            return true if values.include?(Contrast::Utils::ObjectShare::SPACE)
-
-            false
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb

@@ -1,118 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/object_share'
-
-module Contrast
-  module Agent
-    module Protect
-      module Rule
-        # This module implements the sqli-worth-watching-v2 check to determine whether input
-        # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
-        # https://protect-spec.prod.dotnet.contsec.com/rules/sql-injection.html#input-tracing
-        module SqliWorthWatching
-          COLOR_CODE = /^#[0-9A-Fa-f]{6}$/.cs__freeze
-          ALPHA_NUMERIC_AND_SPACES = /^+[a-zA-Z\d\s]+$/.cs__freeze
-          OR_CLAUSE = /[oO][rR]/.cs__freeze
-          EXPLOITABLE_SUBSTRING = %w[# -- // /*].cs__freeze
-          SUSPICIOUS_CHARS = %w[` " \' ; - % , ( ) | { } =].cs__freeze
-          SQL_COMMENTS = %w[# /* */ // -- @@].cs__freeze
-          BLOCK_START = '/*'.cs__freeze
-          BLOCK_END = '*/'.cs__freeze
-          SQL_KEYWORDS = %w[
-            alter begin between create case column_name
-            current_user delete drop exec execute from
-            group insert limit like merge order outfile
-            select session_user syslogins update union
-            UTL_INADDR UTL_HTTP
-          ].cs__freeze
-
-          # This method will determine if a user input is Worth watching and return true if it is.
-          # This is done by running checks, and if the inputs is worth to watch it would be
-          # saved for the later sink sqli input analysis.
-          #
-          # @param input [String] the user input to be inspected
-          # @return true | false
-          def sqli_worth_watching? input
-            return false if input.nil? || input.empty?
-
-            exploitable?(input) && (
-              input.match?(OR_CLAUSE) || sql_comments?(input) || suspicious_chars?(input) || language_keywords?(input)
-            )
-          end
-
-          private
-
-          # Check if input is exploitable, with min length set to 3 chars
-          #
-          # @param input [String] the user input to be inspected
-          # @return true | false
-          def exploitable? input
-            return false if input.length < 3 && input.match?(ALPHA_NUMERIC_AND_SPACES)
-            return false if input.length == 3 && !contains_substring?(input, EXPLOITABLE_SUBSTRING)
-            return false if input.length == 7 && input.match?(COLOR_CODE)
-
-            true
-          end
-
-          # Check if input contains sqli comments:
-          # '# /* */ // -- @@'
-          #
-          # @param input [String] the user input to be inspected
-          # @return true | false
-          def sql_comments? input
-            input.length >= 3 && contains_substring?(input, SQL_COMMENTS)
-          end
-
-          # Check if input contains block comments starting and
-          # ending with '/*..*/'
-          #
-          # @param input [String] the user input to be inspected
-          # @return true | false
-          def block_comments? input
-            idx1 = input.index(BLOCK_START)
-            idx2 = input.index(BLOCK_END)
-
-            return false if idx1.nil? || idx2.nil?
-
-            (idx1 >= 0 && idx2 >= 2 && (idx1 < idx2))
-          end
-
-          # Runs the input against suspicious chars array.
-          #
-          # @param input [String] the user input to be inspected
-          # @return true | false
-          def suspicious_chars? input
-            input.length >= 7 && (number_of_substrings(input, SUSPICIOUS_CHARS) >= 2 || block_comments?(input))
-          end
-
-          # Runs the input against SQL language preserved words.
-          #
-          # @param input [String] the user input to be inspected
-          # @return true | false
-          def language_keywords? input
-            contains_substring?(input, SQL_KEYWORDS)
-          end
-
-          # Helper method to find a substrings in given input.
-          #
-          # @param substrings [Array] set of substrings to inspect.
-          # @return true | false
-          def contains_substring? input, substrings
-            substrings.any? { |sub| input.include?(sub) }
-          end
-
-          # Helper method to find the number of substrings.
-          #
-          # @param input [String] the user input to be inspected
-          # @return number [Integer] Number of substrings
-          def number_of_substrings input, substring
-            number = 0
-            input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
-            number
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb

@@ -1,45 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Protect
-      module Rule
-        # Here will be made the match of the user input provided by the
-        # Agent InputAnalysis.
-        module UnsafeFileUploadMatcher
-          # EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze # rubocop:disable Style/AsciiComments
-          # # Extensions that can be executed on the server side or can be dangerous on the client side:
-          # # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
-          # EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
-          #
-          # # Match the user input to see if the filename
-          # # contains malicious file extension.
-          # #
-          # # @param input [String] The filename
-          # # extracted from the current request
-          # # @return true | false
-          # def unsafe_match? input
-          #   suspicious_chars?(input) || suspicious_extensions?(input)
-          # end
-          #
-          # private
-          #
-          # # @param input [String] The filename
-          # # extracted from the current request
-          # # @return true | false
-          # def suspicious_chars? input
-          #   input.chars.any? { |c| EXPLOIT_CHARS.include? c }
-          # end
-          #
-          # # @param input [String] The filename
-          # # extracted from the current request
-          # # @return true | false
-          # def suspicious_extensions? input
-          #   EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
-          # end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/reaction_processor.rb

@@ -1,47 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/disable_reaction'
-require 'contrast/components/logger'
-
-module Contrast
-  module Agent
-    # Because communication between the Agent/Service and TeamServer can only be initiated by outbound connections
-    # from the Agent/Service, we must provide a mechanism for the TeamServer to direct the Agent to take a specific
-    # action. This action is referred to as a Reaction. This class is how we handle those Reaction messages.
-    module ReactionProcessor
-      extend Contrast::Components::Logger::InstanceMethods
-
-      # Process the given Reactions from the application settings based on what
-      # TeamServer has indicated. Each Reaction will result in a log message
-      # and, optionally, an action.
-      #
-      # @param application_settings [Contrast::Api::Settings::ApplicationSettings]
-      #   those settings which the Service has relayed from TeamServer.
-      def self.process application_settings
-        return unless application_settings&.reactions&.any?
-
-        application_settings.reactions.each do |reaction|
-          # The enums are all uppercase, we need to downcase them before attempting to log.
-          level = if reaction.log_level.nil?
-                    :error
-                  else
-                    reaction.log_level.name.downcase # rubocop:disable Security/Module/Name -- ruby logger builtin.
-                  end
-
-          logger.with_level(level, reaction.message) if reaction.message
-
-          case reaction.operation
-          when Contrast::Api::Settings::Reaction::Operation::DISABLE
-            Contrast::Agent::DisableReaction.run(reaction, level)
-          when Contrast::Api::Settings::Reaction::Operation::NOOP
-            # NOOP
-          else
-            logger.warn('ReactionProcessor received a reaction with an unknown operation',
-                        operation: reaction.operation)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/reporting/reporting_events/server_activity.rb

@@ -1,36 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/reporting/reporting_events/server_reporting_event'
-
-module Contrast
-  module Agent
-    module Reporting
-      # This class will initialize empty ServerActivity body to be send to TS. The server activity endpoint records
-      # actions taken on the server or process as a whole. It currently only reports the number of times a defensive
-      # action was taken and is most likely not populated by most agents. The main purpose of sending this message is
-      # for its response, which contains any updated server feature settings from TeamServer. The new Server Settings
-      # endpoint should let us remove this.
-      class ServerActivity < Contrast::Agent::Reporting::ServerReportingEvent
-        def initialize
-          @event_method = :PUT
-          @event_endpoint = "#{ Contrast::API.api_url }/api/ng/activity/server"
-          super
-        end
-
-        def file_name
-          'server-activity'
-        end
-
-        # Convert the instance variables on the class, and other information, into the identifiers required for
-        # TeamServer to process the JSON form of this message.
-        #
-        # @return [Hash]
-        # @raise [ArgumentError]
-        def to_controlled_hash
-          { lastUpdate: since_last_update }
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/service_heartbeat.rb

@@ -1,35 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/worker_thread'
-require 'contrast/agent/reporting/report'
-
-module Contrast
-  module Agent
-    # The ServiceHeartbeat functions to keep the Contrast Service alive and ensure that it maintains this Agent's
-    # ApplicationContext.
-    class ServiceHeartbeat < WorkerThread
-      # Spec recommends 30 seconds, we're going with 15.
-      REFRESH_INTERVAL_SEC = 15
-
-      def start_thread!
-        return if ::Contrast::CONTRAST_SERVICE.unnecessary?
-        return if running?
-
-        @_thread = Contrast::Agent::Thread.new do
-          logger.info('Starting heartbeat thread.')
-          loop do
-            logger.info("Queue Size: #{ Contrast::Agent.messaging_queue&.queue&.length }")
-            Contrast::Agent.messaging_queue&.send_event_eventually(poll_message)
-            clean_properties
-            sleep(REFRESH_INTERVAL_SEC)
-          end
-        end
-      end
-
-      def poll_message
-        @_poll_message ||= Contrast::Api::Dtm::Poll.new
-      end
-    end
-  end
-end