contrast-agent 6.8.0 → 6.9.0

data/lib/contrast/agent/assess/contrast_event.rb

@@ -1,157 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/assess/tracking_util'
-require 'contrast/utils/class_util'
-require 'contrast/utils/duck_utils'
-require 'contrast/utils/object_share'
-require 'contrast/utils/stack_trace_utils'
-require 'contrast/utils/string_utils'
-require 'contrast/utils/timer'
-require 'contrast/agent/assess/contrast_object'
-require 'contrast/agent/reporting/reporting_events/finding_event'
-
-module Contrast
-  module Agent
-    module Assess
-      # This class holds the data about an event in the application We'll use it to build an event that TeamServer can
-      # consume if the object to which this event belongs ends in a trigger.
-      class ContrastEvent
-        # @return [Integer] the atomic id of this event
-        attr_reader :event_id
-        # @return [Contrast::Agent::Assess::Policy::PolicyNode] the node that governs this event.
-        attr_reader :policy_node
-        # @return [Array<String>] the execution stack at the time the method for this event was invoked
-        attr_reader :stack_trace
-        # @return [Integer] the time, in epoch ms, when this event was created
-        attr_reader :time
-        # @return [Integer] the object id of the thread on which this event was generated
-        attr_reader :thread
-        # @return [Contrast::Agent::Assess::ContrastObject] the safe representation of the Object on which the method
-        #   was invoked
-        attr_reader :object
-        # @return [Contrast::Agent::Assess::ContrastObject] the safe representation of the Return of the invoked method
-        attr_reader :ret
-        # @return [Array<Contrast::Agent::Assess::ContrastObject, nil>] the safe representation of the Arguments with
-        #   which the method was invoked
-        attr_reader :args
-        # @return [Hash<Contrast::Agent::Assess::Tag>]
-        attr_reader :tags
-
-        # We need this to track the parent id's of events to build up a flow chart of the finding
-        @atomic_id = 0
-        @atomic_mutex = Mutex.new
-        def self.next_atomic_id
-          @atomic_mutex.synchronize do
-            @atomic_id += 1
-            # Rollover things
-          rescue StandardError
-            @atomic_id = 1
-          end
-        end
-
-        # @param event_data [Contrast::Agent::Assess::Events::EventData]
-        def initialize event_data
-          @policy_node = event_data.policy_node
-          @time = Contrast::Utils::Timer.now_ms
-          @thread = Thread.current.object_id
-
-          # These methods rely on the above being set. Don't move them!
-          @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
-          @tags = Contrast::Agent::Assess::Tracker.properties(event_data.tagged)&.get_tags
-          find_parent_events!(event_data.policy_node, event_data.object, event_data.ret, event_data.args)
-          snapshot!(event_data.object, event_data.ret, event_data.args)
-          capture_stacktrace!
-        end
-
-        # @return [Array<Contrast::Agent::Assess::ContrastEvent>]
-        def parent_events
-          @_parent_events ||= []
-        end
-
-        private
-
-        # Parent events are the events of all the sources of this event which were tracked prior to this event
-        # occurring. Depending on which, if any of the sources were tracked, there may be more than one parent.
-        #
-        # All events except for [Contrast::Agent::Assess::Events::SourceEvent] will have at least one parent.
-        #
-        # We set those events to this event's instance variables.
-        #
-        # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode] the node that governs this event.
-        # @param object [Object] the Object on which the method was invoked
-        # @param ret [Object] the Return of the invoked method
-        # @param args [Array<Object>] the Arguments with which the method was invoked
-        def find_parent_events! policy_node, object, ret, args
-          policy_node.sources.each do |source_marker|
-            source = value_of_source(source_marker, object, ret, args)
-            next unless source
-
-            event = Contrast::Agent::Assess::Tracker.properties(source)&.event
-            parent_events << event if event
-          end
-        end
-
-        # @param source [String] the marker for the source type
-        # @param object [Object] the Object on which the method was invoked
-        # @param ret [Object] the Return of the invoked method
-        # @param args [Array<Object>] the Arguments with which the method was invoked
-        # @return [Object,nil] the literal value of the source indicated by the given marker
-        def value_of_source source, object, ret, args
-          case source
-          when Contrast::Utils::ObjectShare::OBJECT_KEY
-            object
-          when Contrast::Utils::ObjectShare::RETURN_KEY
-            ret
-          else
-            args[source]
-          end
-        end
-
-        # Everything* is mutable in Ruby. As such, to ensure we can accurately report the application state at the time
-        # of this method's invocation, we have to snapshot the given values, making safe representations of them for
-        # our later use. We set those safe values to this event's instance variables.
-        #
-        # @param object [Object] the Object on which the method was invoked
-        # @param ret [Object] the Return of the invoked method
-        # @param args [Array<Object>] the Arguments with which the method was invoked
-        def snapshot! object, ret, args
-          @object = Contrast::Agent::Assess::ContrastObject.new(object) if object
-          @ret = Contrast::Agent::Assess::ContrastObject.new(ret) if ret
-          @args = safe_args_representation(args)
-          self
-        end
-
-        # Given an array of arguments, copy them into a safe, meaning String, format that we can use to send to SR and
-        # TS for rendering.
-        #
-        # @param args [Array<Object>] the arguments to translate
-        # @return [Array<Contrast::Agent::Assess::ContrastObject>] the String forms of those Objects, as determined by
-        #   Contrast::Utils::ClassUtil.to_contrast_string
-        def safe_args_representation args
-          return unless args
-          return Contrast::Utils::ObjectShare::EMPTY_ARRAY if args.empty?
-
-          args.map { |arg| arg ? Contrast::Agent::Assess::ContrastObject.new(arg) : nil }
-        end
-
-        # Capture stack traces only as configured. We'll use this to grab the start of the call stack as if the
-        # instrumented method were the caller. This means we'll start at the entry just after the first block of
-        # Contrast code.
-        def capture_stacktrace!
-          # If we're configured to not capture the stacktrace, usually for performance reasons, then don't and return an
-          # empty array instead
-          unless ::Contrast::ASSESS.capture_stacktrace?(policy_node)
-            @stack_trace = Contrast::Utils::ObjectShare::EMPTY_ARRAY
-            return
-          end
-
-          # Otherwise, find where in the stack the application / Ruby code starts
-          start = caller(0, 20)&.find_index { |stack| !stack.include?('/lib/contrast') }
-          # And then use that to build out the reported stacktrace, or a fallback if we couldn't find it.
-          @stack_trace = start ? caller(start + 1, 20) : caller(20, 20)
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/events/event_factory.rb

@@ -1,34 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/contrast_event'
-require 'contrast/agent/assess/events/source_event'
-require 'contrast/agent/assess/events/event_data'
-
-module Contrast
-  module Agent
-    module Assess
-      module Events
-        # This module returns the event type appropriate to the given Node
-        module EventFactory
-          # This method returns the event type appropriate to the given Node
-          #
-          # @param event_data [Contrast::Agent::Assess::Events::EventData]
-          # @param source_type [String] the type of this source, from the
-          #       source_node, or a KEY_TYPE if invoked for a map,
-          # @param source_name [String, nil] the name of this source, i.e.
-          #       the key used to accessed if from a map or nil if a type like,
-          # @return [Contrast::Agent::Assess::Events::SourceEvent, Contrast::Agent::Assess::ContrastEvent]
-          def self.build event_data, source_type = nil, source_name = nil
-            case event_data.policy_node
-            when Contrast::Agent::Assess::Policy::SourceNode
-              Contrast::Agent::Assess::Events::SourceEvent.new(event_data, source_type, source_name)
-            when Contrast::Agent::Assess::Policy::PolicyNode
-              Contrast::Agent::Assess::ContrastEvent.new(event_data)
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/events/source_event.rb

@@ -1,46 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/contrast_event'
-require 'contrast/agent/reporting/reporting_events/finding_event'
-require 'contrast/agent/reporting/reporting_events/finding_event_source'
-require 'contrast/utils/string_utils'
-
-module Contrast
-  module Agent
-    module Assess
-      module Events
-        # This class holds the data about an event in the application. We'll use it to build an event that TeamServer
-        # can consume if the object to which this event belongs ends in a trigger.
-        class SourceEvent < Contrast::Agent::Assess::ContrastEvent
-          # @return [Contrast::Agent::Request] our wrapper around the Rack::Request at the time this source
-          #   was created
-          attr_reader :request
-          # @return [String] the name of the source if it comes from a map-like entity
-          attr_reader :source_name
-          # @return [String] the TeamServer understood type of source; i.e. parameter
-          attr_reader :source_type
-          # @return [Contrast::Agent::Reporting::FindingEventSource] the source of this trace
-          attr_reader :event_source
-
-          # @param event_data [Contrast::Agent::Assess::Events::EventData]
-          # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
-          #   Hash
-          # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a Hash or
-          #   nil if a type like
-          def initialize event_data, source_type = nil, source_name = nil
-            super(event_data)
-            @source_type = Contrast::Utils::StringUtils.force_utf8(source_type)
-            @source_name = Contrast::Utils::StringUtils.force_utf8(source_name)
-            @event_source = Contrast::Agent::Reporting::FindingEventSource.new(@source_type, @source_name)
-            @request = Contrast::Agent::REQUEST_TRACKER.current&.request
-          end
-
-          def parent_events
-            nil
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/reporting/reporting_events/server_activity.rb

@@ -1,36 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/reporting/reporting_events/server_reporting_event'
-
-module Contrast
-  module Agent
-    module Reporting
-      # This class will initialize empty ServerActivity body to be send to TS. The server activity endpoint records
-      # actions taken on the server or process as a whole. It currently only reports the number of times a defensive
-      # action was taken and is most likely not populated by most agents. The main purpose of sending this message is
-      # for its response, which contains any updated server feature settings from TeamServer. The new Server Settings
-      # endpoint should let us remove this.
-      class ServerActivity < Contrast::Agent::Reporting::ServerReportingEvent
-        def initialize
-          @event_method = :PUT
-          @event_endpoint = "#{ Contrast::API.api_url }/api/ng/activity/server"
-          super
-        end
-
-        def file_name
-          'server-activity'
-        end
-
-        # Convert the instance variables on the class, and other information, into the identifiers required for
-        # TeamServer to process the JSON form of this message.
-        #
-        # @return [Hash]
-        # @raise [ArgumentError]
-        def to_controlled_hash
-          { lastUpdate: since_last_update }
-        end
-      end
-    end
-  end
-end