contrast-agent 6.8.0 → 6.10.0

data/lib/contrast/logger/aliased_logging.rb

@@ -41,31 +41,39 @@ module Contrast
 
       private
 
+      # @param type [ALIASED_FATAL, ALIASED_ERROR, ALIASED_WARN] the type of error, used to indicate the function used
+      #   for logging
+      # @param message [String] the exception message
+      # @param exception [Exception] The exception or error
+      # @param data [Object] Any structured data
       def build_exception type, message = nil, exception = nil, data = nil
-        stack_trace = get_stack_trace(type)
-        stack_frame_type = Contrast::Agent::Telemetry::TelemetryException::Obfuscate.obfuscate_type(
-            stack_trace[1].path.delete_prefix(Dir.pwd))
-        stack_frame_function = stack_trace[1].label
+        stack_trace = wrapped_caller_locations
+        caller_idx = stack_trace&.find_index { |stack| stack.to_s.include?(type) } || 0
+        # The caller_stack is the method in which the error occurred, so has to be above this method
+        caller_idx += 1
+        caller_frame = stack_trace[caller_idx]
+        stack_frame_type = caller_frame.path.delete_prefix(Dir.pwd)
+        stack_frame_function = caller_frame.label
         key = "#{ stack_frame_type }|#{ stack_frame_function }|#{ message }"
-        if TELEMETRY_EXCEPTIONS[key]
-          TELEMETRY_EXCEPTIONS.increment(key)
+        if Contrast::TELEMETRY_EXCEPTIONS[key]
+          Contrast::TELEMETRY_EXCEPTIONS.increment(key)
           return
         end
 
-        return if TELEMETRY_EXCEPTIONS.exception_limit?
-
-        message_exception_type = Contrast::Agent::Telemetry::TelemetryException::Obfuscate.obfuscate_exception_type(
-            exception ? exception.cs__class.to_s : stack_frame_type.split('/').last)
+        return if Contrast::TELEMETRY_EXCEPTIONS.exception_limit?
 
+        message_exception_type = exception ? exception.cs__class.to_s : stack_frame_type.split('/').last
         event_message = create_message(stack_frame_function,
                                        stack_frame_type, message_exception_type,
                                        data, exception,
                                        message)
+        build_stack(event_message, stack_trace, caller_idx)
         TELEMETRY_EXCEPTIONS[key] = event_message
       rescue StandardError => e
-        debug('Unable to report exception to telemetry', e)
+        debug('[Telemetry] Unable to report exception', e)
       end
 
+      # @return [Contrast::Agent::Telemetry::TelemetryException::Event]
       def create_message stack_frame_function, stack_frame_type, message_exception_type, data, exception, message
         message_for_exception = if exception
                                   exception.cs__respond_to?(:message) ? exception.message : exception
@@ -89,12 +97,37 @@ module Contrast
         message = Contrast::Agent::Telemetry::TelemetryException::Message.build(tags, [message_exception])
         Contrast::Agent::Telemetry::TelemetryException::Event.new(message)
       rescue ArgumentError => e
-        debug('TelemetryException failed from aliased logging with: ', e)
+        debug('[Telemetry] TelemetryException failed from aliased logging with: ', e)
+      end
+
+      # Convert the given caller_stack from the event into the exception StackFrame format for reporting, appending it
+      # to the Exception wrapped in the Event.
+      #
+      # @param event_message [Contrast::Agent::Telemetry::TelemetryException::Event]
+      # @param caller_stack [(Array<Thread::Backtrace::Location>, nil]
+      # @param caller_idx [Integer] the starting location for the exception, which allows filtering out the logger code
+      #   from the stack
+      def build_stack event_message, caller_stack, caller_idx = 0
+        return unless caller_stack
+
+        event_exception = event_message.exceptions[0]
+        event_exception_message = event_exception.exceptions[0]
+
+        caller_stack.each_with_index do |caller, idx|
+          next unless idx > caller_idx
+
+          stack_frame =
+            Contrast::Agent::Telemetry::TelemetryException::StackFrame.build(caller.label,
+                                                                             caller.path.delete_prefix(Dir.pwd))
+          event_exception_message.push(stack_frame)
+        end
       end
 
-      def get_stack_trace type
-        start = caller_locations&.find_index { |stack| stack.to_s.include?(type) }
-        start ? caller_locations(start + 1, 20) : caller_locations(20, 20)
+      # This is purely a wrapper around caller_locations used for testing
+      #
+      # @return [Array<Thread::Backtrace::Location>, nil]
+      def wrapped_caller_locations
+        caller_locations
       end
     end
   end

data/lib/contrast/utils/assess/event_limit_utils.rb

@@ -12,18 +12,19 @@ module Contrast
       module EventLimitUtils
         include Contrast::Components::Logger::InstanceMethods
         # Checks to see if the event limit for the policy type has been met or exceeded
-        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] method to check for event limit
-        def event_limit? method_policy
+        # @param policy [Contrast::Agent::Patching::Policy::MethodPolicy,
+        #   Contrast::Agent::Patching::Policy::TriggerNode] method to check for event limit
+        def event_limit? policy
           return false unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
-          if method_policy.source_node
+          if policy.source_node
             max =  ::Contrast::ASSESS.max_context_source_events
-            return at_limit?(method_policy, context.source_event_count, max)
-
+            return at_limit?(policy, context.source_event_count, max, context)
           end
-          if method_policy.propagation_node
+
+          if policy.propagation_node
             max = ::Contrast::ASSESS.max_propagation_events
-            return at_limit?(method_policy, context.propagation_event_count, max)
+            return at_limit?(policy, context.propagation_event_count, max, context)
           end
 
           false # policy does not have limit
@@ -65,8 +66,10 @@ module Contrast
         private
 
         # helper method to check limit and log when necessary
-        def at_limit? method_policy, current_count, event_max
+        def at_limit? method_policy, current_count, event_max, context
           if current_count == event_max
+            return if event_limit_counts.key?(get_event_limit_key(method_policy, context))
+
             logger.warn('Event Limit Reached:',
                         {
                             count: current_count,
@@ -76,16 +79,21 @@ module Contrast
                         })
             # increment to be over count for logging purposes
             increment_event_count(method_policy)
+            increment_event_limit_logs(method_policy, context)
+
             return true
           elsif current_count > event_max
-            # increment to be over count for logging purposes
             increment_event_count(method_policy)
+            return if event_limit_counts.key?(get_event_limit_key(method_policy, context))
+
+            # increment to be over count for logging purposes
             logger.warn('Event Limit Exceeded:',
                         {
                             count: current_count,
                             policy: method_policy.method_name,
                             node: method_policy
                         })
+            increment_event_limit_logs(method_policy, context)
             return true
           end
           false
@@ -95,6 +103,20 @@ module Contrast
           @_rule_counts ||= Hash.new { |h, k| h[k] = 0 }
         end
 
+        def event_limit_counts
+          @_event_limit_counts ||= Hash.new { |h, k| h[k] = 0 }
+        end
+
+        def get_event_limit_key method_policy, context
+          "#{ method_policy.method_name }_#{ context.request.__id__ }"
+        end
+
+        def increment_event_limit_logs method_policy, context
+          event_limit_counter = get_event_limit_key(method_policy, context)
+
+          event_limit_counts[event_limit_counter] += 1
+        end
+
         # the time threshold for which to track rule counts resets when now >= threshold_time_limit
         # @return [Integer]
         def threshold_time_limit

data/lib/contrast/utils/assess/trigger_method_utils.rb

@@ -1,12 +1,15 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/assess/event_limit_utils'
+
 module Contrast
   module Utils
     module Assess
       # This module will include all methods for some internal validations/appliers in the TriggerMethod module
       # and some other module methods from the same place, so we can ease the main module
       module TriggerMethodUtils
+        extend Contrast::Utils::Assess::EventLimitUtils
         # A request is reportable if it is not from ActionController::Live
         #
         # @param env [Hash] the env of the Request
@@ -33,10 +36,10 @@ module Contrast
 
         # Finds the first request along the left most tree of parent events
         #
-        # @param event [Contrast::Agent::Assess::ContrastEvent|Contrast::Agent::Assess::Events::SourceEvent]
+        # @param event [Contrast::Agent::Reporting::FindingEvent]
         # @return [Contrast::Agent::Request, nil]
         def find_event_request event
-          return event.request if event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+          return event.request if event&.source_type
 
           idx = 0
           while idx <= event.parent_events.length
@@ -44,9 +47,7 @@ module Contrast
             return found if found
 
             idx += 1
-            return event.request if event.request
           end
-          return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
 
           event.request
         end

data/lib/contrast/utils/hash_digest.rb

@@ -61,8 +61,8 @@ module Contrast
       def update_on_sources events
         events.each do |event|
           event.event_sources.each do |source|
-            update(source.type)
-            update(source.name) # rubocop:disable Security/Module/Name
+            update(source.source_type)
+            update(source.source_name)
           end
         end
       end

data/lib/contrast/utils/input_classification_base.rb

@@ -43,7 +43,7 @@ module Contrast
                 next unless v
 
                 result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, v)
-                input_analysis.results << result unless result.nil?
+                append_result(input_analysis, result)
               end
             end
 
@@ -51,6 +51,7 @@ module Contrast
           rescue StandardError => e
             logger.debug("An Error was recorded in the input classification of the #{ rule_id }")
             logger.debug(e)
+            nil
           end
 
           # Creates new isntance of InputAnalysisResult with basic info.
@@ -103,16 +104,24 @@ module Contrast
           # @return [Integer<Contrast::AgentLib::Interface::INPUT_SET>]
           def convert_input_type input_type
             case input_type
-            when BODY, DWR_VALUE
+            when URI, URL_PARAMETER
+              Contrast::AGENT_LIB.input_set[:URI_PATH]
+            when BODY, DWR_VALUE, SOCKET, UNDEFINED_TYPE, UNKNOWN, REQUEST, QUERYSTRING
               Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
             when HEADER
               Contrast::AGENT_LIB.input_set[:HEADER_VALUE]
             when MULTIPART_VALUE, MULTIPART_FIELD_NAME
               Contrast::AGENT_LIB.input_set[:MULTIPART_NAME]
+            when JSON_ARRAYED_VALUE
+              Contrast::AGENT_LIB.input_set[:JSON_KEY]
+            when PARAMETER_NAME
+              Contrast::AGENT_LIB.input_set[:PARAMETER_KEY]
             else
               Contrast::AGENT_LIB.input_set[input_type]
             end
-          rescue StandardError
+          rescue StandardError => e
+            logger.debug('Protect Input classification could not determine input type, falling back to default',
+                         error: e)
             Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
           end
 
@@ -133,8 +142,7 @@ module Contrast
             input_eval = Contrast::AGENT_LIB.eval_input(value,
                                                         convert_input_type(input_type),
                                                         Contrast::AGENT_LIB.rule_set[rule_id],
-                                                        Contrast::AGENT_LIB.
-                                                          eval_option[:WORTHWATCHING])
+                                                        Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
 
             ia_result = new_ia_result(rule_id, input_type, request.path, value)
             score = input_eval&.score || 0
@@ -149,6 +157,14 @@ module Contrast
             add_needed_key(request, ia_result, input_type, value) if KEYS_NEEDED.include?(input_type)
             ia_result
           end
+
+          def append_result ia_analysis, result
+            unless result.nil?
+              ia_analysis.results << result
+              ia_analysis.triggered_rules << result.rule_id unless ia_analysis.triggered_rules.include?(result.rule_id)
+            end
+            ia_analysis
+          end
         end
       end
     end

data/lib/contrast/utils/reporting/application_activity_batch_utils.rb

@@ -0,0 +1,81 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/application_activity'
+
+module Contrast
+  module Utils
+    module Reporting
+      # ApplicationActivityBatchUtils handles batching and reporting of ApplicationActivity events to TeamServer at a
+      # set interval
+      module ApplicationActivityBatchUtils
+        DEFAULT_REPORTING_INTERVAL_MS = 30_000.cs__freeze
+
+        # @return [Integer] time when activity batch was created in ms
+        attr_reader :batch_age
+
+        # Merge a ApplicationActivity into the ApplicationActivityBatch
+        # @param activity [Contrast::Agent::Reporting::ApplicationActivity] from a RequestContext
+        def add_activity_to_batch activity
+          return unless activity
+
+          activity_batch.query_count += activity.query_count
+          activity_batch.routes << activity.routes
+          activity_batch.routes.flatten!
+          merge_attackers(activity)
+          activity_batch.attach_inventory(activity.inventory) unless activity.inventory.empty?
+        end
+
+        # If the batch can be reported, mask the data and add it to the reporting queue, then reset the activity_batch
+        def report_batch
+          return unless report_batch?
+          return unless (reporter = Contrast::Agent.reporter)
+
+          Contrast::Agent::Reporting::Masker.mask(activity_batch)
+          reporter&.send_event(activity_batch)
+          reset_activity_batch
+        end
+
+        # @return Contrast::Agent::Reporting::ApplicationActivity
+        def activity_batch
+          return @activity_batch unless @activity_batch.nil?
+
+          reset_activity_batch
+          @activity_batch
+        end
+
+        private
+
+        def merge_attackers activity
+          return if activity.defend.attackers.empty?
+
+          activity.defend.attackers.each do |attacker|
+            if (existing = activity_batch.defend.find_existing_attacker_activity(attacker))
+              attacker.protection_rules.each_key do |key|
+                activity_batch.defend.attach_existing(existing, attacker, key)
+              end
+            else
+              activity_batch.defend.attackers << attacker
+            end
+          end
+        end
+
+        # resets the activity_batch object and it's batch_age
+        def reset_activity_batch
+          @batch_age = Contrast::Utils::Timer.now_ms
+          @activity_batch = Contrast::Agent::Reporting::ApplicationActivity.new
+        end
+
+        # @return [Boolean] if the age of the batch is outside the reporting interval
+        def report_batch?
+          reporting_interval <= (Contrast::Utils::Timer.now_ms - batch_age)
+        end
+
+        # @return [Integer] interval to report to TeamServer in seconds
+        def reporting_interval
+          Contrast::AGENT.polling.batch_reporting_interval_ms.to_i || DEFAULT_REPORTING_INTERVAL_MS
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/routes_sent.rb

@@ -0,0 +1,60 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+# require 'contrast/components/logger'
+# require 'contrast/agent/telemetry/events/exceptions/telemetry_exception_event'
+
+module Contrast
+  module Utils
+    # This is the RoutesSent class, which determines whether observed routes can be sent to TeamServer.
+    # Routes that have not been seen (according to the cache) can be sent, as well as any route that
+    # # has been seen but not within the time limit.
+    class RoutesSent
+      # include Contrast::Components::Logger::InstanceMethods
+      ROUTES_LIMIT = 500
+      TIME_LIMIT_IN_SECONDS = 60
+
+      attr_accessor :cache
+
+      def initialize
+        @cache = {}
+      end
+
+      # Determine whether the provided route can be sent to TeamServer.
+      #
+      # @param route [Contrast::Agent::Reporting::ObservedRoute] the route
+      # @return [boolean]
+      def sendable? route
+        route_hash = route.hash_id
+
+        # If hash doesn't exist in @cache...
+        #   - Add hash to @cache (with Time.now)
+        #   - Clear oldest entries (if more than ROUTES_LIMIT)
+        #   - Return *true*
+        unless cache.key?(route_hash)
+          cache[route_hash] = Time.now
+          remove_oldest_entries!
+          return true
+        end
+
+        # If hash exists in @cache...
+        #   - Return *true* if more than a minute since time recorded for hash
+        #   - Return *false* if not than a minute since time recorded for hash
+        return false unless Time.now.to_i - cache.fetch(route_hash, 0).to_i > TIME_LIMIT_IN_SECONDS
+
+        cache[route_hash] = Time.now
+        true
+      end
+
+      private
+
+      def remove_oldest_entries!
+        return if cache.size < ROUTES_LIMIT
+
+        route_hashes = cache.sort_by { |_, v| -v.tv_nsec }.
+            to_h.keys.slice(0, ROUTES_LIMIT)
+        @cache = cache.slice(*route_hashes)
+      end
+    end
+  end
+end

data/lib/contrast/utils/telemetry.rb

@@ -9,7 +9,7 @@ module Contrast
   module Utils
     # Tools for supporting the Telemetry feature
     module Telemetry
-      DIR = '/ect/contrast/ruby-agent/'.cs__freeze
+      DIR = '/etc/contrast/ruby-agent/'.cs__freeze
       FILE = '.telemetry'.cs__freeze
       CURRENT_DIR = Dir.pwd.cs__freeze
       CONFIG_DIR = CURRENT_DIR + '/config/contrast/'.cs__freeze

data/lib/contrast/utils/telemetry_client.rb

@@ -97,10 +97,9 @@ module Contrast
       # @param event [Contrast::Agent::Telemetry::Event, Array<Contrast::Agent::Telemetry::TelemetryException::Event>]
       # @return [String] - JSON
       def get_event_json event
-        hsh = [event.to_controlled_hash]
-        hsh.to_json
+        Array(event.to_controlled_hash).to_json
       rescue Exception => e # rubocop:disable Lint/RescueException
-        logger.error('Unable to convert TelemetryEvent to JSON string', e, hsh)
+        logger.error('[Telemetry] Unable to convert TelemetryEvent to JSON string', e, hsh)
         raise(e)
       end
     end

data/lib/contrast/utils/timer.rb

@@ -22,6 +22,22 @@ module Contrast
       def self.now_ms
         (Time.now.to_f * 1000).to_i
       end
+
+      # Return current time in iso8601 format.
+      #
+      # @return[String]
+      def self.time_now
+        Time.now.utc.iso8601(7)
+      end
+
+      # Converts time given in ms format form TS to HttpDate.
+      # Returns time format for If-Modified-Since: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
+      # Note: The Time class treats GMT (Greenwich Mean Time) and UTC (Coordinated Universal Time) as equivalent.
+      #
+      # @param time [Integer] time in ms.
+      def self.ms_to_httpdate time
+        Time.at(time / 1000).httpdate unless time.nil?
+      end
     end
   end
 end

data/lib/contrast.rb

@@ -60,12 +60,13 @@ require 'contrast/components/protect'
 require 'contrast/components/sampling'
 require 'contrast/components/scope'
 require 'contrast/components/settings'
+require 'contrast/utils/routes_sent'
 require 'contrast/utils/telemetry_hash'
 require 'contrast/utils/telemetry'
 require 'contrast/agent/telemetry/events/exceptions/telemetry_exception_event'
 require 'contrast/agent_lib/interface'
 
-module Contrast
+module Contrast # :nodoc:
   CONFIG = Contrast::Components::Config::Interface.new
   SCOPE = Contrast::Components::Scope::Interface.new
   API = CONFIG.api
@@ -81,6 +82,7 @@ end
 
 module Contrast
   TELEMETRY_EXCEPTIONS = (Contrast::Utils::TelemetryHash.new if Contrast::Utils::Telemetry.exceptions_enabled?)
+  ROUTES_SENT = Contrast::Utils::RoutesSent.new
 end
 
 # This needs to be required very early, after component interfaces, and before instrumentation attempts

data/resources/protect/policy.json

@@ -128,6 +128,14 @@
             "database": "MongoDB"
           }
         },{
+          "class_name": "Mongo::Collection",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "find",
+          "properties": {
+            "database": "MongoDB"
+           }
+         },{
           "class_name": "Moped::Node",
           "method_name": "read",
           "instance_method": true,

data/ruby-agent.gemspec

@@ -101,7 +101,11 @@ end
 
 # Dependencies not mocked out during RSpec that we test real code of, beyond just frameworks.
 def self.add_tested_gems spec
-  spec.add_development_dependency 'async'
+  if RUBY_VERSION < '3.0.0'
+    spec.add_development_dependency 'async', '~> 1.30.3'
+  else
+    spec.add_development_dependency 'async'
+  end
   spec.add_development_dependency 'execjs'
   spec.add_development_dependency 'rhino'
   spec.add_development_dependency 'sqlite3'
@@ -117,7 +121,7 @@ end
 def self.add_dependencies spec
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
   spec.add_dependency 'rack', '~> 2.0'
-  spec.add_dependency 'contrast-agent-lib', '~> 0.1.0'
+  spec.add_dependency 'contrast-agent-lib',  '~> 0.1.0', '>= 0.1.3'
   spec.add_dependency 'ffi', '~> 1.0'
 end