contrast-agent 6.8.0 → 6.10.0

data/lib/contrast/agent/reporting/settings/protect_server_feature.rb

@@ -17,6 +17,10 @@ module Contrast
         # Application level settings for the Protect featureset.
         # Used for the FeatureSet TS response
         class ProtectServerFeature
+          PROTECT_RULES_KEYS = %i[
+            cmd_injection method_tampering nosql_injection path_traversal redos reflected_xss sql_injection
+            ssrf unsafe_file_upload untrusted_deserialization xxe
+          ].cs__freeze
           # Indicate if the protect feature set is enabled for this server or not.
           #
           # @return enabled [Boolean]
@@ -32,6 +36,21 @@ module Contrast
             @_enabled = enabled
           end
 
+          # When false, the agent should not track observations.
+          # when true, the agent should track observed usage of protect URLs
+          #  { enable: true }
+          #
+          # @return observability [Boolean]
+          def observability
+            @_observability
+          end
+
+          # @param enable [Boolean]
+          # @return observability [Boolean]
+          def observability= enable
+            @_observability = enable
+          end
+
           # Indicate if the bot protection feature set is enabled for this server or not.
           #
           # @return bot_blocker [Contrast::Agent::Reporting::Settings::BotBlocker]
@@ -142,13 +161,30 @@ module Contrast
           #                    value          [String] }
           # }
           # @return rule_definition_list [Array<Contrast::Agent::Reporting::Settings::RuleDefinition>]
-          def rule_definition_list= list
+          def ng_rule_definition_list list
             Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(
                 Contrast::Agent::Reporting::Settings::RuleDefinition,
                 rule_definition_list,
                 list)
           end
 
+          # Transforms ServerSettings hash rules to definition_list
+          #
+          # @param rules [Hash]
+          def rules_to_definition_list rules
+            return unless rules&.cs__is_a?(Hash)
+
+            definition_list = []
+            rules.slice(*PROTECT_RULES_KEYS).each_pair do |key, rule|
+              new_entry = Contrast::Agent::Reporting::Settings::RuleDefinition.new
+              new_entry.name = Contrast::Agent::Reporting::Settings::Helpers.to_rule_id(key)
+              new_entry.patterns = rule[:patterns]
+              new_entry.keywords = rule[:keywords]
+              definition_list << new_entry
+            end
+            @_rule_definition_list = definition_list
+          end
+
           # Controls for the syslogging feature in the agent.
           #
           # @return syslog [Contrast::Agent::Reporting::Settings::Syslog]
@@ -175,13 +211,14 @@ module Contrast
             {
                 botBlockers: bot_blocker.bots.map(&:to_controlled_hash),
                 enabled: enabled?,
+                observability: observability, # used with ServerSettings only
                 logEnhancers: log_enhancers.map(&:to_controlled_hash),
                 ipDenylist: ip_denylist.map(&:to_controlled_hash),
                 ipAllowlist: ip_allowlist.map(&:to_controlled_hash),
-                syslog: syslog.to_controlled_hash,
+                syslog: syslog.settings_blank? ? nil : syslog.to_controlled_hash, # used with ServerSettings only
                 ruleDefinitionList: rule_definition_list.map(&:to_controlled_hash),
                 'bot-blocker': bot_blocker.to_controlled_hash
-            }
+            }.compact
           end
         end
       end

data/lib/contrast/agent/reporting/settings/rule_definition.rb

@@ -12,6 +12,9 @@ module Contrast
         class RuleDefinition
           ATTRIBUTES = %i[name keywords patterns].cs__freeze
 
+          # For the ServerSettings this name is not used instead it is used as key to the keywords and patterns
+          # arrays. It is used in the agent startup message.
+          #
           # @return name [String] Name of the rule
           attr_accessor :name
 

data/lib/contrast/agent/reporting/settings/security_logger.rb

@@ -0,0 +1,77 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/settings/syslog'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # this class will hold the security logger settings.
+        class SecurityLogger
+          def initialize
+            @blank = true
+          end
+
+          # check to see if object is being used
+          #
+          # @return [Boolean]
+          def settings_blank?
+            @blank
+          end
+
+          # Set the state of settings
+          #
+          # @return [Boolean]
+          def not_blank!
+            @blank = false
+          end
+
+          # The level at which the agent should log. Overridden by agent.logger.level
+          # if set in a local configuration
+          #
+          # @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
+          def log_level
+            @_log_level ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # set the log level
+          #
+          # @param log_level [String]
+          # @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
+          def log_level= log_level
+            @_log_level = log_level if log_level.is_a?(String)
+          end
+
+          # Where to log the agent's log file, if set by the user. Overridden by agent.logger.path
+          # if set in a local configuration.
+          #
+          # @return log_file [String] path
+          def log_file
+            @_log_file ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the log file
+          #
+          # @param log_file [String] path
+          # @return log_file [String] path
+          def log_file= log_file
+            @_log_file = log_file if log_file.is_a?(String)
+          end
+
+          def syslog
+            @_syslog ||= Contrast::Agent::Reporting::Settings::Syslog.new
+          end
+
+          def to_controlled_hash
+            {
+                level: log_level,
+                path: log_file,
+                syslog: syslog.to_controlled_hash
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb

@@ -63,7 +63,7 @@ module Contrast
 
           # Build rules from hash
           #
-          # @param settings_rules [Hash] Response settings under Settings/sensitive_data_masking_policy/rules
+          # @param settings_rules [Array<Hash>] Response settings under Settings/sensitive_data_masking_policy/rules
           # @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, nil
           def build_rules_form_settings settings_rules
             return if settings_rules.nil? || settings_rules.empty?

data/lib/contrast/agent/reporting/settings/server_features.rb

@@ -4,6 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/settings/assess_server_feature'
 require 'contrast/agent/reporting/settings/protect_server_feature'
+require 'contrast/agent/reporting/settings/security_logger'
 
 module Contrast
   module Agent
@@ -46,6 +47,13 @@ module Contrast
             @_log_file = log_file if log_file.is_a?(String)
           end
 
+          # Class holding security logger settings:
+          #
+          # @return [Contrast::Agent::Reporting::Settings::SecurityLogger]
+          def security_logger
+            @_security_logger ||= Contrast::Agent::Reporting::Settings::SecurityLogger.new
+          end
+
           # Controls for the reporting of telemetry events from the agent to TeamServer.
           # This is NOT for the agent telemetry feature collecting metrics sent to other services.
           #
@@ -74,6 +82,7 @@ module Contrast
 
           def to_controlled_hash
             {
+                security_logger: security_logger.settings_blank? ? nil : security_logger.to_controlled_hash,
                 assessment: @_assess ? assess.to_controlled_hash : {},
                 defend: @_protect ? protect.to_controlled_hash : {},
                 telemetry: telemetry

data/lib/contrast/agent/reporting/settings/syslog.rb

@@ -14,15 +14,24 @@ module Contrast
           # severity_blocked, severity_blocked_perimeter, severity_exploited, severity_probed,
           # severity_probed_perimeter
           SEVERITIES = %w[ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG].cs__freeze
-          SYSLOG_METHODS = %i[
+          # Order and elements matter, the same setter must be called against same response field.
+          SYSLOG_METHODS_NG = %i[
             enable= ip= port= facility= protocol= connection_type= severity_exploited= severity_blocked=
             severity_probed= severity_probed_suspicious= severity_blocked_perimeter= severity_probed_perimeter=
           ].cs__freeze
-          SYSLOG_RESPONSE_KEYS = %i[
+          SYSLOG_RESPONSE_KEYS_NG = %i[
             syslogEnabled syslogIpAddress syslogPortNumber syslogFacilityCode syslogProtocol
             syslogConnectionType syslogSeverityExploited syslogSeverityBlocked syslogSeverityProbed
             syslogSeveritySuspicious syslogSeverityBlockedPerimeter syslogSeverityProbedPerimeter
           ].cs__freeze
+          SYSLOG_METHODS = %i[
+            enable= ip= port= facility= connection_type= severity_blocked= severity_blocked_perimeter=
+            severity_exploited= severity_probed= severity_probed_perimeter=
+          ].cs__freeze
+          SYSLOG_RESPONSE_KEYS = %i[
+            enable ip facility connection_type severity_blocked severity_blocked_perimeter severity_exploited
+            severity_probed severity_probed_perimeter
+          ].cs__freeze
 
           # @return enable [Boolean]
           attr_accessor :enable
@@ -40,6 +49,21 @@ module Contrast
             @ip = Contrast::Utils::ObjectShare::EMPTY_STRING
             @port = 0
             @facility = 0
+            @blank = true
+          end
+
+          # check to see if object is being used
+          #
+          # @return [Boolean]
+          def settings_blank?
+            @blank
+          end
+
+          # Set the state of settings
+          #
+          # @return [Boolean]
+          def not_blank!
+            @blank = false
           end
 
           # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
@@ -134,10 +158,15 @@ module Contrast
           end
 
           # @param settings_array [Array] Settings retrieved from response
-          def assign_array settings_array
-            Contrast::Agent::Reporting::Settings::Syslog::SYSLOG_METHODS.each_with_index do |method, index|
-              send(method, settings_array[SYSLOG_RESPONSE_KEYS[index]])
+          # @param ng_ [Boolean]
+          def assign_array settings_array, ng_: true
+            methods = ng_ ? SYSLOG_METHODS_NG : SYSLOG_METHODS
+            response_keys = ng_ ? SYSLOG_RESPONSE_KEYS_NG : SYSLOG_RESPONSE_KEYS
+
+            methods.each_with_index do |method, index|
+              send(method, settings_array[response_keys[index]])
             end
+            not_blank!
           end
 
           def to_controlled_hash

data/lib/contrast/agent/reporting/settings/virtual_patch.rb

@@ -0,0 +1,56 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/virtual_patch_condition'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The settings for each virtual patch in the agent.
+        class VirtualPatch
+          # @return [String]
+          attr_reader :name
+          # @return [String]
+          attr_reader :key
+          # @return [String]
+          attr_reader :uuid
+
+          def initialize hash
+            @name = hash[:name]
+            @key = hash[:key]
+            @uuid = hash[:uuid]
+
+            hash[:headers]&.each do |header_json|
+              headers << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+
+            hash[:parameters]&.each do |header_json|
+              parameters << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+
+            hash[:urls]&.each do |header_json|
+              urls << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def headers
+            @_headers ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def parameters
+            @_parameters ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def urls
+            @_urls ||= []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb

@@ -0,0 +1,47 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/protect_rule'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The settings for each virtual patch condition in the agent.
+        class VirtualPatchCondition
+          # @return [String]
+          attr_reader :name
+          # @return [String]
+          attr_reader :value
+          # @return [String]
+          attr_reader :input_type
+          # @return [String]
+          attr_reader :evaluation
+
+          def initialize hash
+            @name = hash[:name]
+            @value = hash[:value]
+            @input_type = hash[:input_type]
+            @evaluation = hash[:evaluation]
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def headers
+            @_headers ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def parameters
+            @_parameters ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def urls
+            @_urls ||= []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/request.rb

@@ -76,6 +76,7 @@ module Contrast
         @_normalized_uri ||= begin
           path = rack_request.path_info || rack_request.path.to_s
           path = '/' if path.empty?
+
           uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
           uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
           uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens

data/lib/contrast/agent/request_context_extend.rb

@@ -50,6 +50,10 @@ module Contrast
         return false if @do_not_track
 
         if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
+          # Handle prefilter
+          Contrast::Agent::Protect::InputAnalyzer.input_classification(ia, prefilter: true)
+          # Reflected xss infilter
+          Contrast::Agent::Protect::InputAnalyzer.input_classification_for('reflected-xss', ia)
           @agent_input_analysis = ia
         else
           logger.trace('Analysis from Agent was empty.')
@@ -60,6 +64,22 @@ module Contrast
         logger.warn('Unable to extract protect information from request', e)
       end
 
+      # Builds IA only for postfilter rules. If rules during infilter were not triggered there will be
+      # no IA for them later to use it in postfilter.
+      #
+      # @raise [Contrast::SecurityException]
+      def protect_postfilter_ia
+        return false unless ::Contrast::AGENT.enabled?
+        return false unless ::Contrast::PROTECT.enabled?
+
+        # Handle postfilter
+        Contrast::Agent::Protect::InputAnalyzer.input_classification(@agent_input_analysis, postfilter: true)
+      rescue Contrast::SecurityException => e
+        raise(e)
+      rescue StandardError => e
+        logger.warn('Unable to extract protect information from request - postfilter', e)
+      end
+
       # append anything we've learned to the request seen message this is the sum-total of all inventory information
       # that has been accumulated since the last request
       def extract_after rack_response

data/lib/contrast/agent/request_handler.rb

@@ -21,18 +21,13 @@ module Contrast
         @ruleset = ::Contrast::AGENT.ruleset
       end
 
-      # reports events[Contrast::Agent::Reporting::ReporterEvent] to TS
-      # This method is used to send our JSON messages directly to TeamServer at the end of each request. As we move
-      # more endpoints over, this method will take the messages originally sent by #send_actiivty_messages. At the end,
-      # that method should be removed.
-      def report_activity
+      # reports events[Contrast::Agent::Reporting::ObservedRoute] to TS
+      # Other ReportingEvents are handled through batching in the middleware
+      #
+      def report_observed_route
         return unless (reporter = Contrast::Agent.reporter)
 
-        reporter.send_event(context.observed_route)
-        # Mask Sensitive Data
-        Contrast::Agent::Reporting::Masker.mask(context.activity)
-        event = context.activity
-        reporter.send_event(event)
+        reporter.send_event(context.observed_route) if Contrast::ROUTES_SENT.sendable?(context.observed_route)
       end
 
       # If the response is streaming, we should only perform filtering on our stream safe rules

data/lib/contrast/agent/telemetry/base.rb

@@ -48,7 +48,8 @@ module Contrast
             @_client = Contrast::Utils::TelemetryClient.new
             ip_opt_out_telemetry = @_client.initialize_connection(URL)
             if ip_opt_out_telemetry.nil?
-              logger.warn("Connection was not established properly!!! \n Telemetry reporting will be disabled!")
+              logger.warn("[Telemetry] Connection was not established properly!!! \n
+                          Telemetry reporting will be disabled!")
               return false
             end
 
@@ -66,30 +67,30 @@ module Contrast
 
         def attempt_to_start?
           unless cs__class.enabled?
-            logger.warn('Telemetry service is disabled!')
+            logger.info('[Telemetry] Telemetry service is disabled!')
             return false
           end
 
-          logger.debug('Attempting to start telemetry thread') unless running?
+          logger.debug('[Telemetry] Attempting to start telemetry thread') unless running?
           true
         end
 
         def start_thread!
           return if running?
 
-          logger.debug('Starting background telemetry thread.')
+          logger.debug('[Telemetry] Starting background telemetry thread.')
           @_thread = create_thread
         end
 
         def send_event event
           if ::Contrast::AGENT.disabled?
-            logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
+            logger.warn('[Telemetry] Attempted to queue event with Agent disabled', caller: caller, event: event)
             return
           end
 
           return unless cs__class.enabled?
 
-          logger.debug('Enqueued event for sending', event_type: event.cs__class)
+          logger.debug('[Telemetry] Enqueued event for sending', event_type: event.cs__class)
           queue << event if event
         end
 
@@ -120,7 +121,7 @@ module Contrast
         # It is recommended that implementations send a single payload of general metrics every 3 hours, starting from
         # implementation startup. This returns a thread configured to do so.
         #
-        # @return [Contrast::Agent::Thread]
+        # @return [::Thread] Contrast::Agent::Thread
         def create_thread
           Contrast::Agent::Thread.new do
             loop do
@@ -132,16 +133,16 @@ module Contrast
               until queue.empty?
                 event = queue.pop
                 begin
-                  logger.debug('This is the current processed event', event)
+                  logger.debug('[Telemetry] This is the current processed event', event)
                   sleep_time = request_with_response(event)
                   if sleep_time
                     sleep(sleep_time)
-                    logger.debug('Retrying to process event', event)
+                    logger.debug('[Telemetry] Retrying to process event', event)
                     retry_sleep_time = request_with_response(event)
                     sleep(retry_sleep_time) unless retry_sleep_time.nil?
                   end
                 rescue StandardError => e
-                  logger.error('Could not send message to service from telemetry queue.', e)
+                  logger.error('[Telemetry] Could not send message to service from telemetry queue.', e)
                   stop!
                 end
               end