contrast-agent 6.9.0 → 6.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -1
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -1
- data/lib/contrast/agent/middleware.rb +4 -2
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +76 -83
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +40 -35
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +6 -3
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -0
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +3 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +12 -0
- data/lib/contrast/agent/protect/rule/base.rb +19 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +6 -0
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +8 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +8 -0
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +24 -2
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/path_traversal.rb +8 -0
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +0 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +6 -10
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +6 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/xss.rb +8 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +2 -2
- data/lib/contrast/agent/protect/rule.rb +0 -3
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +0 -1
- data/lib/contrast/agent/reporting/details/details.rb +0 -1
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +12 -0
- data/lib/contrast/agent/reporting/report.rb +1 -0
- data/lib/contrast/agent/reporting/reporter.rb +11 -10
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +4 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +13 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +20 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +5 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +10 -1
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +10 -0
- data/lib/contrast/agent/reporting/reporting_events/application_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb +137 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +12 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +100 -107
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +5 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +97 -63
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +46 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb +14 -0
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +46 -0
- data/lib/contrast/agent/reporting/settings/assess.rb +14 -1
- data/lib/contrast/agent/reporting/settings/assess_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/helpers.rb +4 -2
- data/lib/contrast/agent/reporting/settings/protect.rb +17 -12
- data/lib/contrast/agent/reporting/settings/protect_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +1 -1
- data/lib/contrast/agent/reporting/settings/virtual_patch.rb +56 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb +47 -0
- data/lib/contrast/agent/request_context_extend.rb +20 -0
- data/lib/contrast/agent/telemetry/base.rb +11 -10
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +108 -103
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +16 -10
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +12 -0
- data/lib/contrast/agent_lib/api/init.rb +1 -7
- data/lib/contrast/agent_lib/api/input_tracing.rb +2 -4
- data/lib/contrast/agent_lib/interface.rb +1 -16
- data/lib/contrast/agent_lib/interface_base.rb +52 -39
- data/lib/contrast/agent_lib/return_types/eval_result.rb +2 -2
- data/lib/contrast/components/assess.rb +26 -4
- data/lib/contrast/components/polling.rb +4 -1
- data/lib/contrast/components/settings.rb +46 -3
- data/lib/contrast/config/config.rb +2 -2
- data/lib/contrast/config/protect_rule_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +3 -3
- data/lib/contrast/extension/assess/regexp.rb +2 -2
- data/lib/contrast/logger/aliased_logging.rb +48 -15
- data/lib/contrast/utils/input_classification_base.rb +21 -4
- data/lib/contrast/utils/routes_sent.rb +2 -2
- data/lib/contrast/utils/telemetry.rb +1 -1
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/resources/protect/policy.json +8 -0
- data/ruby-agent.gemspec +1 -1
- metadata +28 -18
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +0 -96
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -83
- data/lib/contrast/agent/reporting/details/http_method_tempering_details.rb +0 -27
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +0 -47
- data/lib/contrast/agent/reporting/server_settings_worker.rb +0 -44
- data/lib/contrast/agent_lib/api/method_tempering.rb +0 -29
@@ -1,6 +1,7 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require 'contrast/agent/reporting/reporting_utilities/ng_response_extractor'
|
4
5
|
require 'contrast/agent/reporting/reporting_utilities/response_extractor'
|
5
6
|
require 'contrast/agent/disable_reaction'
|
6
7
|
|
@@ -9,6 +10,7 @@ module Contrast
|
|
9
10
|
module Reporting
|
10
11
|
# This module holds utilities required by the reporting service response handler
|
11
12
|
module ResponseHandlerUtils
|
13
|
+
include Contrast::Agent::Reporting::NgResponseExtractor
|
12
14
|
include Contrast::Agent::Reporting::ResponseExtractor
|
13
15
|
|
14
16
|
ANALYZE_WHEN = %w[200 204].cs__freeze
|
@@ -115,7 +117,7 @@ module Contrast
|
|
115
117
|
ready_after, error_message, auth_error = extract_response_info(response)
|
116
118
|
# log, suspend, disable:
|
117
119
|
if mode == @_mode.running
|
118
|
-
|
120
|
+
log_error_msg(message,
|
119
121
|
response: response.__id__,
|
120
122
|
request: Contrast::Agent::REQUEST_TRACKER.current&.request&.type,
|
121
123
|
error_message: error_message || 'none',
|
@@ -151,9 +153,9 @@ module Contrast
|
|
151
153
|
# @return last_modified[integer, nil] Time since last server update
|
152
154
|
def extract_response_last_modified response
|
153
155
|
return unless response.cs__is_a?(Net::HTTPResponse)
|
156
|
+
return unless (header = response['last-modified'])
|
154
157
|
|
155
|
-
|
156
|
-
@_last_server_modified = header if header
|
158
|
+
@_last_server_modified = header
|
157
159
|
end
|
158
160
|
|
159
161
|
# Cease reporting about this application
|
@@ -162,7 +164,7 @@ module Contrast
|
|
162
164
|
# @param info_hash [Hash] information about the context to log.
|
163
165
|
def stop_reporting message, info_hash
|
164
166
|
Contrast::Agent.reporter&.stop!
|
165
|
-
|
167
|
+
log_error_msg(message, info_hash)
|
166
168
|
::Contrast::AGENT.disable!
|
167
169
|
end
|
168
170
|
|
@@ -220,7 +222,16 @@ module Contrast
|
|
220
222
|
end
|
221
223
|
end
|
222
224
|
|
223
|
-
# Converts response from Net to Reporting Response object
|
225
|
+
# Converts response from Net to Reporting Response object. Unfortunately, there are four types of responses
|
226
|
+
# that TeamServer can send back to us. The FeatureSet for Servers, which come from Agent Startup and Server
|
227
|
+
# Settings, and the SettingsState for Applications, which come from Application Startup and Application
|
228
|
+
# Settings.
|
229
|
+
#
|
230
|
+
# The Startup messages come from NG and have the nested structure w/ success, message, and features/settings.
|
231
|
+
# The Settings messages come from v1 and have the flat structure.
|
232
|
+
# Neither have uniform keys, for instance assessment in startup vs assess in settings.
|
233
|
+
#
|
234
|
+
# This method works to extract away these differences.
|
224
235
|
#
|
225
236
|
# @param response [Net::HTTP::Response, nil]
|
226
237
|
# @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
|
@@ -248,70 +259,95 @@ module Contrast
|
|
248
259
|
# this is used to check the expected response type for this event.
|
249
260
|
# @return response [Contrast::Agent::Reporting::Response, nil]
|
250
261
|
def populate_response response_data, event
|
251
|
-
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
262
|
+
# Responses fall into one of two types - those for Servers or those for Applications
|
263
|
+
response = case event
|
264
|
+
# Server feature based events
|
265
|
+
when Contrast::Agent::Reporting::AgentStartup, Contrast::Agent::Reporting::ServerSettings
|
266
|
+
Contrast::Agent::Reporting::Response.build_server_response
|
267
|
+
# Application settings based events
|
268
|
+
when Contrast::Agent::Reporting::ApplicationStartup,
|
269
|
+
Contrast::Agent::Reporting::ApplicationSettings
|
270
|
+
|
271
|
+
Contrast::Agent::Reporting::Response.build_application_response
|
272
|
+
end
|
273
|
+
return unless response
|
274
|
+
|
275
|
+
return unless (success, messages = extract_success(response_data))
|
276
|
+
|
277
|
+
response.success = success
|
278
|
+
response.messages = messages
|
279
|
+
# Features & Settings have to be parsed from the response based on the event type sent
|
280
|
+
case event
|
281
|
+
when Contrast::Agent::Reporting::AgentStartup
|
282
|
+
extract_agent_startup(response_data, response)
|
283
|
+
when Contrast::Agent::Reporting::ApplicationStartup
|
284
|
+
extract_application_startup(response_data, response)
|
285
|
+
when Contrast::Agent::Reporting::ServerSettings
|
286
|
+
extract_server_settings(response_data, response)
|
287
|
+
when Contrast::Agent::Reporting::ApplicationSettings
|
288
|
+
extract_application_settings(response_data, response)
|
262
289
|
else
|
263
|
-
|
264
|
-
response = Contrast::Agent::Reporting::Response.build_server_response
|
265
|
-
response.success = success
|
266
|
-
response.messages = messages
|
267
|
-
server_features = if event.cs__is_a?(Contrast::Agent::Reporting::ServerSettings)
|
268
|
-
# do the new extraction.
|
269
|
-
build_server_settings(response_data, response)
|
270
|
-
else
|
271
|
-
build_feature_settings(response_data, response)
|
272
|
-
end
|
273
|
-
logger.trace('Agent: Received updated feature settings', raw: response_data, processed: server_features)
|
274
|
-
server_features
|
290
|
+
return
|
275
291
|
end
|
292
|
+
logger.trace('Agent: Received updated features or settings',
|
293
|
+
event: event.cs__class,
|
294
|
+
raw: response_data,
|
295
|
+
processed: response)
|
296
|
+
response
|
276
297
|
end
|
277
298
|
|
278
299
|
# This method is used with the ng endpoint.
|
279
300
|
#
|
280
|
-
# @param response_data [Hash]
|
281
|
-
#
|
282
|
-
|
283
|
-
|
284
|
-
|
285
|
-
|
286
|
-
|
287
|
-
|
288
|
-
response
|
301
|
+
# @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::ApplicationStartup
|
302
|
+
# event
|
303
|
+
# @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
|
304
|
+
def extract_application_startup response_data, response
|
305
|
+
return unless response_data[:settings]
|
306
|
+
|
307
|
+
ng_extract_assess(response_data, response)
|
308
|
+
ng_extract_protect(response_data, response)
|
309
|
+
ng_extract_exclusions(response_data, response)
|
310
|
+
ng_extract_reactions(response_data, response)
|
311
|
+
ng_extract_sensitive_data_policy(response_data, response)
|
289
312
|
end
|
290
313
|
|
291
314
|
# This method is used with the ng startup endpoint.
|
292
315
|
#
|
293
|
-
# @param response_data [Hash]
|
294
|
-
# @
|
295
|
-
def
|
296
|
-
|
297
|
-
extract_assess_settings(response_data, response)
|
298
|
-
extract_protect_server_features(response_data, response)
|
299
|
-
extract_protect_lists(response_data, response)
|
300
|
-
extract_log_settings(response_data, response)
|
316
|
+
# @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::AgentStartup event
|
317
|
+
# @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
|
318
|
+
def extract_agent_startup response_data, response
|
319
|
+
ng_extract_log_settings(response_data, response)
|
301
320
|
response.server_features.telemetry = response_data[:telemetry]
|
302
|
-
|
321
|
+
return unless response_data[:features]
|
322
|
+
|
323
|
+
ng_extract_reactions(response_data, response)
|
324
|
+
ng_extract_assess_features(response_data, response)
|
325
|
+
ng_extract_protect_features(response_data, response)
|
326
|
+
ng_extract_protect_lists(response_data, response)
|
303
327
|
end
|
304
328
|
|
305
329
|
# This method is used with the server settings endpoint.
|
306
330
|
#
|
307
|
-
# @param response_data [Hash]
|
308
|
-
# @
|
309
|
-
def
|
331
|
+
# @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::ServerSettings event
|
332
|
+
# @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
|
333
|
+
def extract_server_settings response_data, response
|
310
334
|
extract_loggers(response_data, response)
|
311
335
|
extract_protect_server_settings(response_data, response)
|
312
|
-
|
336
|
+
extract_assess_server_settings(response_data, response)
|
313
337
|
response.server_features.telemetry = response_data[:telemetry][:enable]
|
314
|
-
|
338
|
+
end
|
339
|
+
|
340
|
+
# This method is used with the ng startup endpoint.
|
341
|
+
#
|
342
|
+
# @param response_data [Hash] JSON of the response body from a Contrast::Agent::Reporting::ApplicationSettings
|
343
|
+
# event
|
344
|
+
# @param response [Contrast::Agent::Reporting::Response] the object to populate with the body data
|
345
|
+
def extract_application_settings response_data, response
|
346
|
+
extract_assess_application_settings(response_data, response)
|
347
|
+
extract_protect_application_settings(response_data, response)
|
348
|
+
extract_exclusions(response_data, response)
|
349
|
+
extract_sensitive_data_policy(response_data, response)
|
350
|
+
extract_reactions(response_data, response)
|
315
351
|
end
|
316
352
|
|
317
353
|
# This method with check the success and messages field of the response.
|
@@ -320,20 +356,18 @@ module Contrast
|
|
320
356
|
# @param response_data [Hash]
|
321
357
|
# @return [Array, nil] Returns the success status or nil if request
|
322
358
|
# was not processed by TS.
|
323
|
-
def extract_success response_data
|
324
|
-
|
325
|
-
|
326
|
-
|
327
|
-
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
|
359
|
+
def extract_success response_data
|
360
|
+
# If we are here we have receive 200 or 204 response code. We'll try and
|
361
|
+
# extract the success and messages received,but not all of the responses
|
362
|
+
# we receive will have success field or messages. All of the new non-ng
|
363
|
+
# endpoints won't have messages or success. The way we'll be sure that
|
364
|
+
# a response is successful is by checking the response code.
|
365
|
+
#
|
366
|
+
# To extract response we need only 200 response code.
|
367
|
+
success = @_last_response_code == '200'
|
368
|
+
messages = response_data[:messages] || []
|
332
369
|
return [success, messages] if success
|
333
370
|
|
334
|
-
logger.error('Unable to connect to Contrast UI') if messages.nil?
|
335
|
-
logger.error('Failure on Contrast UI processing request', reasons: messages.join(', ')) if messages
|
336
|
-
|
337
371
|
nil
|
338
372
|
end
|
339
373
|
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/worker_thread'
|
5
|
+
require 'contrast/agent/reporting/report'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module ReportingWorkers
|
10
|
+
# The ApplicationServerWorker will send request on interval, to make sure the Agent gets the settings it
|
11
|
+
# need to operate, from TS. This Thead should be started after the ApplicationStartup is complete.
|
12
|
+
class ApplicationServerWorker < WorkerThread
|
13
|
+
RESEND_INTERVAL_MS = 30_000.cs__freeze
|
14
|
+
|
15
|
+
def start_thread!
|
16
|
+
return if running?
|
17
|
+
|
18
|
+
@_thread = Contrast::Agent::Thread.new do
|
19
|
+
logger.info('[ApplicationSettingsWorker] Starting thread.', sending_interval: application_server_ms)
|
20
|
+
loop do
|
21
|
+
logger.info('[ApplicationSettingsWorker] Fetching Settings', sending_interval: application_server_ms)
|
22
|
+
Contrast::Agent.reporter&.send_event(application_settings_message)
|
23
|
+
sleep(application_server_ms / 1000)
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
private
|
29
|
+
|
30
|
+
# This method will generate the reporting event for the application settings
|
31
|
+
#
|
32
|
+
# @return [Contrast::Agent::Reporting::ReportingEvent]
|
33
|
+
def application_settings_message
|
34
|
+
@_application_settings_message ||= Contrast::Agent::Reporting::ApplicationSettings.new
|
35
|
+
end
|
36
|
+
|
37
|
+
# Get the value from settings or use the default one.
|
38
|
+
#
|
39
|
+
# @return resend_ms [Integer] time to resend the message
|
40
|
+
def application_server_ms
|
41
|
+
@_application_server_ms ||= Contrast::AGENT.polling.app_settings_ms&.to_i || RESEND_INTERVAL_MS
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
@@ -0,0 +1,51 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/worker_thread'
|
5
|
+
require 'contrast/agent/reporting/report'
|
6
|
+
require 'contrast/agent/inventory/dependency_usage_analysis'
|
7
|
+
require 'contrast/agent/reporting/reporting_events/poll'
|
8
|
+
|
9
|
+
module Contrast
|
10
|
+
module Agent
|
11
|
+
module ReportingWorkers
|
12
|
+
# The ReporterHeartbeat will make sure that the process remains marked alive by TeamServer and that we
|
13
|
+
# periodically reach out to get the latest settings for this application. It also sends out those
|
14
|
+
# messages which do not need to be associated directly with a request,
|
15
|
+
# such as Server Activity and Library Observation.
|
16
|
+
class ReporterHeartbeat < WorkerThread
|
17
|
+
# TeamServer will mark an application offline after 5 minutes. Sending this every one should be more than enough
|
18
|
+
# to satisfy our goals.
|
19
|
+
REFRESH_INTERVAL_SEC = 60
|
20
|
+
|
21
|
+
def start_thread!
|
22
|
+
return if running?
|
23
|
+
|
24
|
+
@_thread = Contrast::Agent::Thread.new do
|
25
|
+
logger.info('[Heartbeat] Starting thread.')
|
26
|
+
loop do
|
27
|
+
polling_events.each do |event|
|
28
|
+
Contrast::Agent.reporter&.send_event(event)
|
29
|
+
end
|
30
|
+
clean_properties
|
31
|
+
sleep(REFRESH_INTERVAL_SEC)
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
private
|
37
|
+
|
38
|
+
def poll_message
|
39
|
+
@_poll_message ||= Contrast::Agent::Reporting::Poll.new
|
40
|
+
end
|
41
|
+
|
42
|
+
# Those events which should be sent periodically, rather than on event or request.
|
43
|
+
#
|
44
|
+
# @return [Array<Contrast::Agent::Reporting::ReportingEvent>]
|
45
|
+
def polling_events
|
46
|
+
[Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage, poll_message].compact
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
@@ -0,0 +1,14 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Contrast
|
5
|
+
module Agent
|
6
|
+
# This module will include all the worker that we have, which are not part of the regular thread reporters
|
7
|
+
module ReportingWorkers
|
8
|
+
end
|
9
|
+
end
|
10
|
+
end
|
11
|
+
|
12
|
+
require 'contrast/agent/reporting/reporting_workers/reporter_heartbeat'
|
13
|
+
require 'contrast/agent/reporting/reporting_workers/server_settings_worker'
|
14
|
+
require 'contrast/agent/reporting/reporting_workers/application_server_worker'
|
@@ -0,0 +1,46 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/worker_thread'
|
5
|
+
require 'contrast/agent/reporting/report'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module ReportingWorkers
|
10
|
+
# The ServerSettingsWorker will send request on interval, to make sure the Agent gets the settings it
|
11
|
+
# need to operate, from TS. This Thead should be started after the AgentStartup is complete.
|
12
|
+
class ServerSettingsWorker < WorkerThread
|
13
|
+
RESEND_INTERVAL_MS = 60_000.cs__freeze
|
14
|
+
|
15
|
+
def start_thread!
|
16
|
+
return if running?
|
17
|
+
|
18
|
+
@_thread = Contrast::Agent::Thread.new do
|
19
|
+
logger.info('[ServerSettingsWorker] Starting thread.', sending_interval: server_settings_resend_ms)
|
20
|
+
loop do
|
21
|
+
logger.info('[ServerSettingsWorker] Fetching Settings', sending_interval: server_settings_resend_ms)
|
22
|
+
Contrast::Agent.reporter&.send_event(settings_message)
|
23
|
+
sleep(server_settings_resend_ms / 1000)
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
private
|
29
|
+
|
30
|
+
# Polling messages for this thread. Including Server settings:
|
31
|
+
#
|
32
|
+
# @return [Contrast::Agent::Reporting::ReportingEvent]
|
33
|
+
def settings_message
|
34
|
+
@_settings_message ||= Contrast::Agent::Reporting::ServerSettings.new
|
35
|
+
end
|
36
|
+
|
37
|
+
# Get the value from settings or use the default one.
|
38
|
+
#
|
39
|
+
# @return resend_ms [Integer] time to resend the message
|
40
|
+
def server_settings_resend_ms
|
41
|
+
@_server_settings_resend_ms ||= Contrast::AGENT.polling.server_settings_ms&.to_i || RESEND_INTERVAL_MS
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/settings/assess_rule'
|
5
6
|
|
6
7
|
module Contrast
|
7
8
|
module Agent
|
@@ -14,7 +15,13 @@ module Contrast
|
|
14
15
|
#
|
15
16
|
# @return disabled_rules [Array<String>] Array with string rule_ids
|
16
17
|
def disabled_rules
|
17
|
-
@_disabled_rules ||=
|
18
|
+
@_disabled_rules ||= begin
|
19
|
+
disabled = []
|
20
|
+
rule_settings.each_pair do |rule_id, rules_setting|
|
21
|
+
disabled << rule_id unless rules_setting.enable
|
22
|
+
end
|
23
|
+
disabled
|
24
|
+
end
|
18
25
|
end
|
19
26
|
|
20
27
|
# @param disabled_rules [Array] with AssessRuleID strings
|
@@ -23,6 +30,12 @@ module Contrast
|
|
23
30
|
@_disabled_rules = disabled_rules if disabled_rules.is_a?(Array)
|
24
31
|
end
|
25
32
|
|
33
|
+
# @return [Hash<String,Contrast::Agent::Reporting::Settings::AssessRule>] map of rule, by id, to
|
34
|
+
# configuration
|
35
|
+
def rule_settings
|
36
|
+
@_rule_settings ||= {}
|
37
|
+
end
|
38
|
+
|
26
39
|
# The id of a session on TeamServer under which this session of this application should report
|
27
40
|
# Overrides that set by application.session_id (should match if provided).
|
28
41
|
#
|
@@ -0,0 +1,18 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
module Settings
|
10
|
+
# Settings for each assess rule
|
11
|
+
class AssessRule
|
12
|
+
# @return [Boolean] is the rule enabled or not
|
13
|
+
attr_accessor :enable
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -51,9 +51,11 @@ module Contrast
|
|
51
51
|
|
52
52
|
# rule_id => rule-id
|
53
53
|
#
|
54
|
-
# @param id [String]
|
54
|
+
# @param id [String, Symbol]
|
55
55
|
def to_rule_id id
|
56
|
-
id.
|
56
|
+
return Contrast::Utils::ObjectShare::EMPTY_STRING unless id.cs__is_a?(String) || id.cs__is_a?(Symbol)
|
57
|
+
|
58
|
+
id.to_s.downcase.tr('_', '-')
|
57
59
|
end
|
58
60
|
end
|
59
61
|
end
|
@@ -2,6 +2,8 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/settings/protect_rule'
|
6
|
+
require 'contrast/agent/reporting/settings/virtual_patch'
|
5
7
|
|
6
8
|
module Contrast
|
7
9
|
module Agent
|
@@ -10,8 +12,8 @@ module Contrast
|
|
10
12
|
module Settings
|
11
13
|
# Application level settings for the Protect featureset
|
12
14
|
class Protect
|
13
|
-
# block at perimeter needs to be check against the blockAtEntry boolean value
|
14
|
-
|
15
|
+
# modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value
|
16
|
+
NG_PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
|
15
17
|
# The settings for each protect rule for this application
|
16
18
|
#
|
17
19
|
# @return protection_rules [Array<protectRule>] protectRule: {
|
@@ -22,6 +24,12 @@ module Contrast
|
|
22
24
|
@_protection_rules ||= []
|
23
25
|
end
|
24
26
|
|
27
|
+
# @return [Hash<String,Contrast::Agent::Reporting::Settings::ProtectRule>] map of rule, by id, to
|
28
|
+
# configuration
|
29
|
+
def rule_settings
|
30
|
+
@_rule_settings ||= {}
|
31
|
+
end
|
32
|
+
|
25
33
|
# Set the protection_rules array
|
26
34
|
#
|
27
35
|
# @param protection_rules [Array<protectRule>] protectRule: {
|
@@ -38,13 +46,7 @@ module Contrast
|
|
38
46
|
|
39
47
|
# The virtual patches to apply for this application
|
40
48
|
#
|
41
|
-
# @return
|
42
|
-
# name [String] The name of the Virtual Patch
|
43
|
-
# headers [Array] The headers that must be present in the request to result in the request being blocked
|
44
|
-
# parameters [Array] The parameters that must be present in the request
|
45
|
-
# to result in the request being blocked.
|
46
|
-
# urls [Array] The urls that must be present in the request to result in the request being blocked.
|
47
|
-
# uuids [String] The UUID of the Virtual Patch }
|
49
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatch>]
|
48
50
|
def virtual_patches
|
49
51
|
@_virtual_patches ||= []
|
50
52
|
end
|
@@ -78,11 +80,11 @@ module Contrast
|
|
78
80
|
modes_by_id = {}
|
79
81
|
protection_rules.each do |rule|
|
80
82
|
setting_mode = rule[:mode] || rule['mode']
|
81
|
-
api_mode = if
|
83
|
+
api_mode = if NG_PROTECT_RULES_MODE.include?(setting_mode)
|
82
84
|
case setting_mode
|
83
|
-
when
|
85
|
+
when NG_PROTECT_RULES_MODE[1]
|
84
86
|
:MONITOR
|
85
|
-
when
|
87
|
+
when NG_PROTECT_RULES_MODE[2]
|
86
88
|
if rule[:blockAtEntry] || rule['blockAtEntry']
|
87
89
|
:BLOCK_AT_PERIMETER
|
88
90
|
else
|
@@ -92,8 +94,11 @@ module Contrast
|
|
92
94
|
:NO_ACTION
|
93
95
|
end
|
94
96
|
else
|
97
|
+
# modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
|
98
|
+
# can just be cast to symbols
|
95
99
|
setting_mode.to_sym
|
96
100
|
end
|
101
|
+
|
97
102
|
id = rule[:id] || rule['id']
|
98
103
|
modes_by_id[id] = api_mode
|
99
104
|
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
module Settings
|
10
|
+
# Settings for each protect rule
|
11
|
+
class ProtectRule
|
12
|
+
# @return [Symbol] the configured mode of the rule; OFF, MONITOR, BLOCK
|
13
|
+
attr_accessor :mode
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -161,7 +161,7 @@ module Contrast
|
|
161
161
|
# value [String] }
|
162
162
|
# }
|
163
163
|
# @return rule_definition_list [Array<Contrast::Agent::Reporting::Settings::RuleDefinition>]
|
164
|
-
def
|
164
|
+
def ng_rule_definition_list list
|
165
165
|
Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(
|
166
166
|
Contrast::Agent::Reporting::Settings::RuleDefinition,
|
167
167
|
rule_definition_list,
|
@@ -63,7 +63,7 @@ module Contrast
|
|
63
63
|
|
64
64
|
# Build rules from hash
|
65
65
|
#
|
66
|
-
# @param settings_rules [Hash] Response settings under Settings/sensitive_data_masking_policy/rules
|
66
|
+
# @param settings_rules [Array<Hash>] Response settings under Settings/sensitive_data_masking_policy/rules
|
67
67
|
# @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, nil
|
68
68
|
def build_rules_form_settings settings_rules
|
69
69
|
return if settings_rules.nil? || settings_rules.empty?
|
@@ -0,0 +1,56 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/settings/virtual_patch_condition'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Reporting
|
10
|
+
module Settings
|
11
|
+
# The settings for each virtual patch in the agent.
|
12
|
+
class VirtualPatch
|
13
|
+
# @return [String]
|
14
|
+
attr_reader :name
|
15
|
+
# @return [String]
|
16
|
+
attr_reader :key
|
17
|
+
# @return [String]
|
18
|
+
attr_reader :uuid
|
19
|
+
|
20
|
+
def initialize hash
|
21
|
+
@name = hash[:name]
|
22
|
+
@key = hash[:key]
|
23
|
+
@uuid = hash[:uuid]
|
24
|
+
|
25
|
+
hash[:headers]&.each do |header_json|
|
26
|
+
headers << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
|
27
|
+
end
|
28
|
+
|
29
|
+
hash[:parameters]&.each do |header_json|
|
30
|
+
parameters << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
|
31
|
+
end
|
32
|
+
|
33
|
+
hash[:urls]&.each do |header_json|
|
34
|
+
urls << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
39
|
+
def headers
|
40
|
+
@_headers ||= []
|
41
|
+
end
|
42
|
+
|
43
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
44
|
+
def parameters
|
45
|
+
@_parameters ||= []
|
46
|
+
end
|
47
|
+
|
48
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
49
|
+
def urls
|
50
|
+
@_urls ||= []
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|