contrast-agent 6.8.0 → 6.9.0

data/lib/contrast/agent/reporting/settings/server_features.rb

@@ -4,6 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/settings/assess_server_feature'
 require 'contrast/agent/reporting/settings/protect_server_feature'
+require 'contrast/agent/reporting/settings/security_logger'
 
 module Contrast
   module Agent
@@ -46,6 +47,13 @@ module Contrast
             @_log_file = log_file if log_file.is_a?(String)
           end
 
+          # Class holding security logger settings:
+          #
+          # @return [Contrast::Agent::Reporting::Settings::SecurityLogger]
+          def security_logger
+            @_security_logger ||= Contrast::Agent::Reporting::Settings::SecurityLogger.new
+          end
+
           # Controls for the reporting of telemetry events from the agent to TeamServer.
           # This is NOT for the agent telemetry feature collecting metrics sent to other services.
           #
@@ -74,6 +82,7 @@ module Contrast
 
           def to_controlled_hash
             {
+                security_logger: security_logger.settings_blank? ? nil : security_logger.to_controlled_hash,
                 assessment: @_assess ? assess.to_controlled_hash : {},
                 defend: @_protect ? protect.to_controlled_hash : {},
                 telemetry: telemetry

data/lib/contrast/agent/reporting/settings/syslog.rb

@@ -14,15 +14,24 @@ module Contrast
           # severity_blocked, severity_blocked_perimeter, severity_exploited, severity_probed,
           # severity_probed_perimeter
           SEVERITIES = %w[ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG].cs__freeze
-          SYSLOG_METHODS = %i[
+          # Order and elements matter, the same setter must be called against same response field.
+          SYSLOG_METHODS_NG = %i[
             enable= ip= port= facility= protocol= connection_type= severity_exploited= severity_blocked=
             severity_probed= severity_probed_suspicious= severity_blocked_perimeter= severity_probed_perimeter=
           ].cs__freeze
-          SYSLOG_RESPONSE_KEYS = %i[
+          SYSLOG_RESPONSE_KEYS_NG = %i[
             syslogEnabled syslogIpAddress syslogPortNumber syslogFacilityCode syslogProtocol
             syslogConnectionType syslogSeverityExploited syslogSeverityBlocked syslogSeverityProbed
             syslogSeveritySuspicious syslogSeverityBlockedPerimeter syslogSeverityProbedPerimeter
           ].cs__freeze
+          SYSLOG_METHODS = %i[
+            enable= ip= port= facility= connection_type= severity_blocked= severity_blocked_perimeter=
+            severity_exploited= severity_probed= severity_probed_perimeter=
+          ].cs__freeze
+          SYSLOG_RESPONSE_KEYS = %i[
+            enable ip facility connection_type severity_blocked severity_blocked_perimeter severity_exploited
+            severity_probed severity_probed_perimeter
+          ].cs__freeze
 
           # @return enable [Boolean]
           attr_accessor :enable
@@ -40,6 +49,21 @@ module Contrast
             @ip = Contrast::Utils::ObjectShare::EMPTY_STRING
             @port = 0
             @facility = 0
+            @blank = true
+          end
+
+          # check to see if object is being used
+          #
+          # @return [Boolean]
+          def settings_blank?
+            @blank
+          end
+
+          # Set the state of settings
+          #
+          # @return [Boolean]
+          def not_blank!
+            @blank = false
           end
 
           # @return connection_type [String] one of UNENCRYPTED, ENCRYPTED
@@ -134,10 +158,15 @@ module Contrast
           end
 
           # @param settings_array [Array] Settings retrieved from response
-          def assign_array settings_array
-            Contrast::Agent::Reporting::Settings::Syslog::SYSLOG_METHODS.each_with_index do |method, index|
-              send(method, settings_array[SYSLOG_RESPONSE_KEYS[index]])
+          # @param ng_ [Boolean]
+          def assign_array settings_array, ng_: true
+            methods = ng_ ? SYSLOG_METHODS_NG : SYSLOG_METHODS
+            response_keys = ng_ ? SYSLOG_RESPONSE_KEYS_NG : SYSLOG_RESPONSE_KEYS
+
+            methods.each_with_index do |method, index|
+              send(method, settings_array[response_keys[index]])
             end
+            not_blank!
           end
 
           def to_controlled_hash

data/lib/contrast/agent/request.rb

@@ -76,6 +76,7 @@ module Contrast
         @_normalized_uri ||= begin
           path = rack_request.path_info || rack_request.path.to_s
           path = '/' if path.empty?
+
           uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
           uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
           uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens

data/lib/contrast/agent/request_handler.rb

@@ -21,18 +21,13 @@ module Contrast
         @ruleset = ::Contrast::AGENT.ruleset
       end
 
-      # reports events[Contrast::Agent::Reporting::ReporterEvent] to TS
-      # This method is used to send our JSON messages directly to TeamServer at the end of each request. As we move
-      # more endpoints over, this method will take the messages originally sent by #send_actiivty_messages. At the end,
-      # that method should be removed.
-      def report_activity
+      # reports events[Contrast::Agent::Reporting::ObservedRoute] to TS
+      # Other ReportingEvents are handled through batching in the middleware
+      #
+      def report_observed_route
         return unless (reporter = Contrast::Agent.reporter)
 
-        reporter.send_event(context.observed_route)
-        # Mask Sensitive Data
-        Contrast::Agent::Reporting::Masker.mask(context.activity)
-        event = context.activity
-        reporter.send_event(event)
+        reporter.send_event(context.observed_route) if Contrast::ROUTES_SENT.sendable?(context.observed_route)
       end
 
       # If the response is streaming, we should only perform filtering on our stream safe rules

data/lib/contrast/agent/telemetry/events/exceptions/telemetry_exception_event.rb

@@ -33,7 +33,7 @@ module Contrast
           end
 
           def self.path
-            '/ruby/runtime'
+            '/error'
           end
 
           def to_controlled_hash

data/lib/contrast/agent/thread_watcher.rb

@@ -4,7 +4,10 @@
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/report'
 require 'contrast/agent/reporting/reporter_heartbeat'
+require 'contrast/agent/reporting/server_settings_worker'
 require 'contrast/agent/telemetry/base'
+require 'contrast/agent/protect/input_analyzer/worth_watching_analyzer'
+require 'contrast/config/diagnostics'
 
 module Contrast
   module Agent
@@ -18,13 +21,19 @@ module Contrast
       attr_reader :reporter
       # @return [Contrast::Agent::ReporterHeartbeat]
       attr_reader :reporter_heartbeat
+      # @return [Contrast::Agent::Protect::WorthWatchingInputAnalyzer]
+      attr_reader :worth_watching_analyzer
+      # @return [Contrast::Agent::ServerSettingsWorker]
+      attr_reader :reporter_settings_worker
 
       def initialize
         @pids = {}
         @heapdump_util = Contrast::Utils::HeapDumpUtil.new
         @reporter = Contrast::Agent::Reporter.new
         @reporter_heartbeat = Contrast::Agent::ReporterHeartbeat.new
+        @reporter_settings_worker = Contrast::Agent::ServerSettingsWorker.new
         @telemetry = Contrast::Agent::Telemetry::Base.new if Contrast::Agent::Telemetry::Base.enabled?
+        @worth_watching_analyzer = Contrast::Agent::Protect::WorthWatchingInputAnalyzer.new unless protect_disabled?
       end
 
       # @return [Hash, nil] map of process to thread startup status
@@ -34,11 +43,16 @@ module Contrast
         logger.debug('ThreadWatcher started threads')
         reporter_status = init_thread(reporter)
         reporter_heartbeat_status = init_thread(reporter_heartbeat)
-        @pids[Process.pid] = reporter_status && reporter_heartbeat_status
+        reporter_settings_worker_status = init_thread(reporter_settings_worker)
+        @pids[Process.pid] = reporter_status && reporter_heartbeat_status && reporter_settings_worker_status
         if Contrast::Agent::Telemetry::Base.enabled?
           telemetry_status = init_thread(telemetry_queue)
           @pids[Process.pid] = @pids[Process.pid] && telemetry_status
         end
+        unless protect_disabled?
+          worth_watching_analyzer_status = init_thread(worth_watching_analyzer)
+          @pids[Process.pid] = @pids[Process.pid] && worth_watching_analyzer_status
+        end
         @pids
       end
 
@@ -49,11 +63,27 @@ module Contrast
         startup!
       end
 
+      # This method will check the config and if the config is invalid - it will kill the agent
+      def self.check_before_start
+        return if Contrast::CONFIG.send(:validate)
+
+        @_diagnostics = Contrast::Agent::DiagnosticsConfig::Diagnostics.new(Contrast::AGENT.logger.path ||
+                                                                            Contrast::Components::Config::CONTRAST_LOG)
+        @_diagnostics.config.populate_fail_connection
+        @_diagnostics.write_to_file_logic(false, reset: false)
+        # kill agent
+        Contrast::AGENT.disable_agent!
+        # TODO: RUBY-1822
+        # set the in_application_scope to 1 so we short circuit it
+      end
+
       def shutdown!
         heapdump_util&.stop!
         telemetry_queue&.stop!
         reporter&.stop!
         reporter_heartbeat&.stop!
+        worth_watching_analyzer&.stop!
+        reporter_settings_worker&.stop!
       end
 
       # @return [Contrast::Agent::Telemetry::Base]
@@ -78,6 +108,10 @@ module Contrast
         logger.debug('Thread status', type: watcher.to_s, alive: result)
         result
       end
+
+      def protect_disabled?
+        ::Contrast::PROTECT.forcibly_disabled?
+      end
     end
   end
 end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.8.0'
+    VERSION = '6.9.0'
   end
 end

data/lib/contrast/agent.rb

@@ -73,6 +73,12 @@ module Contrast
       thread_watcher.reporter
     end
 
+    # @return [Contrast::Agent::Protect::WorthWatchingAnalyzer]
+    def self.worth_watching_analyzer
+      thread_watcher.worth_watching_analyzer
+    end
+
+    # @return [Contrast::Agent::ThreadWatcher]
     def self.thread_watcher
       @_thread_watcher ||= Contrast::Agent::ThreadWatcher.new
     end

data/lib/contrast/api/communication/connection_status.rb

@@ -10,6 +10,7 @@ module Contrast
           @last_success = nil
           @last_failure = nil
           @startup_messages_sent = false
+          @_startup_server_message_sent = false
         end
 
         # Whether we have sent startup message to TeamServer. True after successfully sending startup messages to
@@ -20,6 +21,20 @@ module Contrast
           @startup_messages_sent
         end
 
+        # Check to see if we have sent server message and received settings from TS.
+        #
+        # @return [Boolean]
+        def startup_server_message_sent?
+          @_startup_server_message_sent
+        end
+
+        # Set the server message status state
+        #
+        # @return [Boolean]
+        def server_response_success!
+          @_startup_server_message_sent = true
+        end
+
         # The last message sent was successful or not
         #
         # @return [Boolean]

data/lib/contrast/components/agent.rb

@@ -2,11 +2,13 @@
 # frozen_string_literal: true
 
 require 'rubygems/version'
+require 'contrast/components/base'
 require 'contrast/agent/rule_set'
 require 'contrast/components/logger'
 require 'contrast/components/security_logger'
 require 'contrast/components/heap_dump'
 require 'contrast/components/ruby_component'
+require 'contrast/components/polling'
 
 module Contrast
   module Components
@@ -17,11 +19,22 @@ module Contrast
       class Interface
         include Contrast::Components::ComponentBase
 
+        # @return [String]
+        attr_reader :canon_name
+        # @return [Array]
+        attr_reader :config_values
+
+        CANON_NAME = 'agent'
+        CONFIG_VALUES = %w[enabled? omit_body?].cs__freeze
+
         def initialize hsh = {}
+          @config_values = CONFIG_VALUES
+          @canon_name = CANON_NAME
           return unless hsh
 
           @_enable = hsh[:enable]
           @_omit_body = hsh[:omit_body]
+          @_polling = Contrast::Components::Polling::Interface.new(hsh[:polling])
           @_logger = Contrast::Components::Logger::Interface.new(hsh[:logger])
           @_security_logger = Contrast::Components::SecurityLogger::Interface.new(hsh[:security_logger])
           @_ruby = Contrast::Components::Ruby::Interface.new(hsh[:ruby])
@@ -34,6 +47,10 @@ module Contrast
           @_logger = Contrast::Components::Logger::Interface.new
         end
 
+        def polling
+          @_polling ||= Contrast::Components::Polling::Interface.new
+        end
+
         def security_logger
           return @_security_logger unless @_security_logger.nil?
 
@@ -87,6 +104,10 @@ module Contrast
           @_omit_body
         end
 
+        def disable_agent!
+          @_enable = false
+        end
+
         def exception_control
           @_exception_control ||= {
               enable: true?(ruby.exceptions.capture),
@@ -110,6 +131,19 @@ module Contrast
           Contrast::Agent::TracePointHook.enable!
         end
 
+        # Converts current configuration to effective config values class and appends them to
+        # EffectiveConfig class.
+        #
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        def to_effective_config effective_config
+          super
+          logger&.to_effective_config(effective_config)
+          security_logger&.to_effective_config(effective_config)
+          ruby&.to_effective_config(effective_config)
+          heap_dump&.to_effective_config(effective_config)
+          polling&.to_effective_config(effective_config)
+        end
+
         protected
 
         def retrieve_protect_ruleset

data/lib/contrast/components/api.rb

@@ -17,6 +17,10 @@ module Contrast
         include Contrast::Components::ComponentBase
         include Contrast::Config::BaseConfiguration
 
+        CANON_NAME = 'api'
+        PROXY_NAME = "#{ CANON_NAME }.proxy"
+        CONFIG_VALUES = %w[api_key user_name service_key url].cs__freeze
+
         # @return [String]
         attr_accessor :api_key
         # @return [String]
@@ -120,8 +124,27 @@ module Contrast
           @_certification_key_file ||= ::Contrast::CONFIG.api.certificate.key_file
         end
 
+        # Converts current configuration to effective config values class and appends them to
+        # EffectiveConfig class.
+        #
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        def to_effective_config effective_config
+          add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CONTRAST)
+          effective_proxy(effective_config)
+          request_audit&.to_effective_config(effective_config)
+          certificate&.to_effective_config(effective_config)
+        end
+
         private
 
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        def effective_proxy effective_config
+          add_single_effective_value(effective_config, ENABLE, proxy_enable.to_s, PROXY_NAME, "#{ CONTRAST }.proxy")
+          return unless proxy_url && proxy_enable
+
+          add_single_effective_value(effective_config, 'url', proxy_url, PROXY_NAME, "#{ CONTRAST }.proxy")
+        end
+
         def certification_truly_enabled? config_path
           return false unless true?(config_path.enable)
           return true if file_exists?(certification_ca_file) && valid_cert?(certification_ca_file)

data/lib/contrast/components/app_context.rb

@@ -14,7 +14,7 @@ module Contrast
       # parent_configuration_spec.yaml.
       # Specifically, this allows for querying the state of the Application,
       # including the Client, Process, and Server information.
-      class Interface
+      class Interface # rubocop:disable Metrics/ClassLength
         include Contrast::Components::AppContextExtend
         include Contrast::Components::ComponentBase
         include Contrast::Config::BaseConfiguration
@@ -23,6 +23,8 @@ module Contrast
         DEFAULT_APP_PATH    = '/'
         DEFAULT_SERVER_NAME = 'localhost'
         DEFAULT_SERVER_PATH = '/'
+        CANON_NAME = 'application'
+        CONFIG_VALUES = %w[name version language path group tags code metadata session_id session_metadata].cs__freeze
 
         # @return [String]
         attr_accessor :version
@@ -30,15 +32,20 @@ module Contrast
         attr_accessor :language
         # @return [String]
         attr_accessor :group
-        # @return [String]
-        attr_accessor :tags
+        attr_writer :tags
         # @return [String]
         attr_accessor :code
         # @return [String]
         attr_accessor :metadata
+        # @return [String]
+        attr_reader :canon_name
+        # @return [Array]
+        attr_reader :config_values
 
         def initialize hsh = {}
           original_pid
+          @config_values = CONFIG_VALUES
+          @canon_name = CANON_NAME
           return unless hsh
 
           @_name = hsh[:name]
@@ -135,6 +142,10 @@ module Contrast
           end
         end
 
+        def tags
+          stringify_array(@tags)
+        end
+
         # Determines if the Process we're currently in matches that of the
         # Process in which the App Context instance was created.
         # If it doesn't, that indicates the running context is in a new
@@ -147,6 +158,15 @@ module Contrast
           current_pid != original_pid
         end
 
+        # Converts current configuration to effective config values class and appends them to
+        # EffectiveConfig class.
+        #
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        def to_effective_config effective_config
+          super
+          Contrast::CONFIG.server.to_effective_config(effective_config)
+        end
+
         private
 
         def original_pid

data/lib/contrast/components/assess.rb

@@ -15,21 +15,36 @@ module Contrast
       class Interface # rubocop:disable Metrics/ClassLength
         include Contrast::Components::ComponentBase
 
-        # @return [String, nil]
-        attr_accessor :tags
         # @return [Boolean, nil]
         attr_accessor :enable
         # @return [Array, nil]
-        attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces
+        attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces, :tags
+        # @return [String]
+        attr_reader :canon_name
+        # @return [Array]
+        attr_reader :config_values
 
         DEFAULT_STACKTRACES = 'ALL'
         DEFAULT_MAX_SOURCE_EVENTS = 50_000
         DEFAULT_MAX_PROPAGATION_EVENTS = 50_000
         DEFAULT_MAX_RULE_REPORTED = 100
         DEFAULT_MAX_RULE_TIME_THRESHOLD = 300_000
-
+        CANON_NAME = 'assess'
+        CONFIG_VALUES = %w[
+          enabled?
+          tags
+          enable_scan_response
+          enable_original_object
+          stacktraces
+          max_context_source_events
+          max_propagation_events
+          max_rule_reported
+          time_limit_threshold
+        ].cs__freeze
         # rubocop:disable Naming/MemoizedInstanceVariableName
         def initialize hsh = {}
+          @config_values = CONFIG_VALUES
+          @canon_name = CANON_NAME
           return unless hsh
 
           @enable = hsh[:enable]
@@ -91,6 +106,11 @@ module Contrast
           @max_context_source_events ||= DEFAULT_MAX_SOURCE_EVENTS
         end
 
+        # @return [String, nil]
+        def tags
+          stringify_array(@tags)
+        end
+
         def enabled?
           # config overrides if forcibly set
           return false if forcibly_disabled?
@@ -187,6 +207,16 @@ module Contrast
           ::Contrast::SETTINGS.assess_state.session_id
         end
 
+        # Converts current configuration to effective config values class and appends them to
+        # EffectiveConfig class.
+        #
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        def to_effective_config effective_config
+          super
+          sampling&.to_effective_config(effective_config)
+          rules&.to_effective_config(effective_config)
+        end
+
         # rubocop:enable Naming/MemoizedInstanceVariableName
         private
 

data/lib/contrast/components/assess_rules.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/config/base_configuration'
+require 'contrast/utils/object_share'
+require 'contrast/components/base'
 
 module Contrast
   module Components
@@ -10,17 +12,33 @@ module Contrast
     module AssessRules
       class Interface # :nodoc:
         include Contrast::Config::BaseConfiguration
+        include Contrast::Components::ComponentBase
 
         SPEC_KEY = :disabled_rules.cs__freeze
+        CANON_NAME = 'assess.rules'
+        NAME_PREFIX = "#{ CONTRAST }.#{ CANON_NAME }"
+
         # @return [Array, nil] list of disabled assess rules
         attr_accessor :disabled_rules
+        # @return [String]
+        attr_reader :canon_name
 
         def initialize hsh = {}
+          @canon_name = CANON_NAME
+          @disabled_rules = []
           return unless hsh
 
           @disabled_rules = cast_disabled_rules(hsh)
         end
 
+        # Converts current configuration to effective config values class and appends them to
+        # EffectiveConfig class.
+        #
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        def to_effective_config effective_config
+          add_single_effective_value(effective_config, SPEC_KEY.to_s, disabled_rules, canon_name, NAME_PREFIX)
+        end
+
         private
 
         def cast_disabled_rules hsh

data/lib/contrast/components/base.rb

@@ -1,11 +1,33 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/config/diagnostics_tools'
+require 'contrast/utils/object_share'
+
 module Contrast
   module Components
     # All components should inherit from this,
     # whether Interfaces, InstanceMethods or ClassMethods.
     module ComponentBase
+      include Contrast::Agent::DiagnosticsConfig::DiagnosticsTools
+
+      CONTRAST = 'contrast'
+      ENABLE = 'enable'
+
+      # Used for config diagnostics. Override per rule.
+      #
+      # @return [String]
+      def canon_name
+        Contrast::Utils::ObjectShare::EMPTY_STRING
+      end
+
+      # Used for config diagnostics. Override per rule.
+      #
+      # @return [Array]
+      def config_values
+        Contrast::Utils::ObjectShare::EMPTY_ARRAY
+      end
+
       # use this to determine if the configuration value is literally boolean
       # false or some form of the word `false`, regardless of case. It should
       # be used for those values which default to `true` as they should only
@@ -58,6 +80,24 @@ module Contrast
 
         File.exist?(path)
       end
+
+      # Converts current configuration to effective config values class and appends them to
+      # EffectiveConfig class.
+      #
+      # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+      def to_effective_config effective_config
+        add_effective_config_values(effective_config, config_values, canon_name, "#{ CONTRAST }.#{ canon_name }")
+      end
+
+      # attempts to stringifys the config value if it is an array with the join char
+      # @param val[Object] val to stringify
+      # @param join_char[String, ','] join character defaults to ','
+      # @return [String, Object] the stringified val or the object as is
+      def stringify_array val, join_char = ','
+        return val.join(join_char) if val.cs__is_a?(Array)
+
+        val
+      end
     end
   end
 end