RubyGems - contrast-agent - Versions diffs - 6.9.0 → 6.10.0 - Mend

contrast-agent 6.9.0 → 6.10.0

Files changed (94) hide show

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 6.9.0
+  version: 6.10.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-10-07 00:00:00.000000000 Z
+date: 2022-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -650,6 +650,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.1.0
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -657,6 +660,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.1.0
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.3
 - !ruby/object:Gem::Dependency
   name: ffi
   requirement: !ruby/object:Gem::Requirement
@@ -678,22 +684,22 @@ email:
 executables: []
 extensions:
 - ext/cs__common/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
 - ext/cs__assess_module/extconf.rb
+- ext/cs__assess_test/extconf.rb
+- ext/cs__assess_string/extconf.rb
+- ext/cs__tests/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_array/extconf.rb
-- ext/cs__os_information/extconf.rb
-- ext/cs__assess_string_interpolation/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__assess_string/extconf.rb
-- ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_string_interpolation/extconf.rb
 - ext/cs__contrast_patch/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_test/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__os_information/extconf.rb
+- ext/cs__assess_hash/extconf.rb
 - ext/cs__scope/extconf.rb
+- ext/cs__assess_array/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__tests/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -1017,8 +1023,6 @@ files:
 - lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb
 - lib/contrast/agent/protect/rule/default_scanner.rb
 - lib/contrast/agent/protect/rule/deserialization.rb
-- lib/contrast/agent/protect/rule/http_method_tampering.rb
-- lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb
 - lib/contrast/agent/protect/rule/no_sqli.rb
 - lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb
 - lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb
@@ -1047,7 +1051,6 @@ files:
 - lib/contrast/agent/reporting/details/bot_blocker_details.rb
 - lib/contrast/agent/reporting/details/cmd_injection_details.rb
 - lib/contrast/agent/reporting/details/details.rb
-- lib/contrast/agent/reporting/details/http_method_tempering_details.rb
 - lib/contrast/agent/reporting/details/ip_denylist_details.rb
 - lib/contrast/agent/reporting/details/no_sqli_details.rb
 - lib/contrast/agent/reporting/details/path_traversal_details.rb
@@ -1072,7 +1075,6 @@ files:
 - lib/contrast/agent/reporting/masker/masker_utils.rb
 - lib/contrast/agent/reporting/report.rb
 - lib/contrast/agent/reporting/reporter.rb
-- lib/contrast/agent/reporting/reporter_heartbeat.rb
 - lib/contrast/agent/reporting/reporting_events/agent_startup.rb
 - lib/contrast/agent/reporting/reporting_events/application_activity.rb
 - lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb
@@ -1084,6 +1086,7 @@ files:
 - lib/contrast/agent/reporting/reporting_events/application_inventory.rb
 - lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb
 - lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb
+- lib/contrast/agent/reporting/reporting_events/application_settings.rb
 - lib/contrast/agent/reporting/reporting_events/application_startup.rb
 - lib/contrast/agent/reporting/reporting_events/application_startup_instrumentation.rb
 - lib/contrast/agent/reporting/reporting_events/application_update.rb
@@ -1117,6 +1120,7 @@ files:
 - lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb
 - lib/contrast/agent/reporting/reporting_utilities/endpoints.rb
 - lib/contrast/agent/reporting/reporting_utilities/headers.rb
+- lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb
@@ -1125,9 +1129,13 @@ files:
 - lib/contrast/agent/reporting/reporting_utilities/response_handler.rb
 - lib/contrast/agent/reporting/reporting_utilities/response_handler_mode.rb
 - lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb
-- lib/contrast/agent/reporting/server_settings_worker.rb
+- lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb
+- lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb
+- lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb
+- lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb
 - lib/contrast/agent/reporting/settings/application_settings.rb
 - lib/contrast/agent/reporting/settings/assess.rb
+- lib/contrast/agent/reporting/settings/assess_rule.rb
 - lib/contrast/agent/reporting/settings/assess_server_feature.rb
 - lib/contrast/agent/reporting/settings/bot_blocker.rb
 - lib/contrast/agent/reporting/settings/code_exclusion.rb
@@ -1139,6 +1147,7 @@ files:
 - lib/contrast/agent/reporting/settings/keyword.rb
 - lib/contrast/agent/reporting/settings/log_enhancer.rb
 - lib/contrast/agent/reporting/settings/protect.rb
+- lib/contrast/agent/reporting/settings/protect_rule.rb
 - lib/contrast/agent/reporting/settings/protect_server_feature.rb
 - lib/contrast/agent/reporting/settings/reaction.rb
 - lib/contrast/agent/reporting/settings/rule_definition.rb
@@ -1151,6 +1160,8 @@ files:
 - lib/contrast/agent/reporting/settings/syslog.rb
 - lib/contrast/agent/reporting/settings/url_exclusion.rb
 - lib/contrast/agent/reporting/settings/validator.rb
+- lib/contrast/agent/reporting/settings/virtual_patch.rb
+- lib/contrast/agent/reporting/settings/virtual_patch_condition.rb
 - lib/contrast/agent/request.rb
 - lib/contrast/agent/request_context.rb
 - lib/contrast/agent/request_context_extend.rb
@@ -1178,7 +1189,6 @@ files:
 - lib/contrast/agent_lib/api/command_injection.rb
 - lib/contrast/agent_lib/api/init.rb
 - lib/contrast/agent_lib/api/input_tracing.rb
-- lib/contrast/agent_lib/api/method_tempering.rb
 - lib/contrast/agent_lib/api/panic.rb
 - lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb
 - lib/contrast/agent_lib/interface.rb

data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb DELETED Viewed

@@ -1,96 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/utils/object_share'
-require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/agent/reporting/attack_result/attack_result'
-require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
-require 'contrast/utils/input_classification_base'
-module Contrast
-  module Agent
-    module Protect
-      module Rule
-        # This module will do the Input Classification stage of HttpMethodTampering rule
-        # as a result input would be marked as DEFINETEATTACK or IGNORE,
-        # to be analyzed at the sink level.
-        module HttpMethodTamperingInputClassification
-          # class << self
-          #   include InputClassificationBase
-          #
-          #   # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
-          #   #
-          #   # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
-          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
-          #   # analysis from the current request.
-          #   def classify input_type, input_analysis
-          #     return unless input_analysis.request
-          #     return unless input_type == METHOD
-          #
-          #     rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-          #
-          #     ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
-          #     input_analysis.results << ia_result
-          #
-          #     return input_analysis if ia_result.score_level == IGNORE
-          #
-          #     attack_result = build_attack_result ia_result, rule_id
-          #
-          #     if :BLOCK != Contrast::PROTECT.rule_mode(rule_id)
-          #       attack_result.response = :EXPLOITED
-          #       Contrast::Agent::EXPLOITS.push attack_result
-          #       return input_analysis
-          #     end
-          #
-          #     attack_result.response = :BLOCKED
-          #     context.activity.results << attack_result
-          #     raise Contrast::SecurityException.new(self,
-          #                                           'HTTP Method Tampering rule triggered. '\
-          #                                           "Call to #{ input_analysis.request.path } with " \
-          #                                           "#{ input_analysis.request.request_method } blocked.")
-          #   end
-          #
-          #   private
-          #
-          #   # @param request [Contrast::Agent::Request] the current request context.
-          #   def method_tampering_exploited? request
-          #     !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
-          #   end
-          #
-          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-          #   # key if needed and Creates new instance of InputAnalysisResult.
-          #   #
-          #   # @param request [Contrast::Agent::Request] the current request context.
-          #   # @param rule_id [String] The name of the Protect Rule.
-          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-          #   #
-          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-          #   def method_tampering_new_input_analysis request, rule_id, input_type
-          #     ia_result = new_ia_result rule_id, input_type, request.path
-          #     if method_tampering_exploited? request
-          #       ia_result.score_level = DEFINITEATTACK
-          #       ia_result.ids << rule_id
-          #     else
-          #       ia_result.score_level = IGNORE
-          #     end
-          #
-          #     ia_result
-          #   end
-          #
-          #   def build_attack_result ia_result, rule_id
-          #     rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
-          #     result = Contrast::Agent::Reporting::AttackResult.new
-          #     result.rule_id = rule_id
-          #     result.samples << rasp_rule_sample
-          #     result
-          #   end
-          #
-          #   def context
-          #     Contrast::Agent::REQUEST_TRACKER.current
-          #   end
-          # end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/protect/rule/http_method_tampering.rb DELETED Viewed

@@ -1,83 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/agent/protect/rule/base_service'
-module Contrast
-  module Agent
-    module Protect
-      module Rule
-        # The Ruby implementation of the Protect HTTP Method Tampering rule.
-        class HttpMethodTampering < Contrast::Agent::Protect::Rule::BaseService
-          NAME = 'method-tampering'
-          # STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
-          #
-          # APPLICABLE_METHODS_INPUTS = %w[
-          #   ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
-          #   DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
-          #   MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
-          #   PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
-          #   UNLOCK UPDATE VERSION-CONTROL
-          # ].cs__freeze
-          def rule_name
-            NAME
-          end
-          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
-          # agent with protect library, we should re-enable these tests and that rule.
-          # TODO: RUBY-1574
-          # def enabled?
-          #   super && false
-          # end
-          #
-          # def postfilter context
-          #   return unless enabled? && POSTFILTER_MODES.include?(mode)
-          #   return if normal_request?(context)
-          #
-          #   # The only way to be here in postfilter with a result is if the rule mode was MONITOR
-          #   ia_results = gather_ia_results(context)
-          #   return if ia_results.empty?
-          #
-          #   # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
-          #   response_code = context&.response&.response_code
-          #   return unless response_code
-          #
-          #   method = ia_results.first.value
-          #   result = if response_code.to_s.start_with?('4', '5')
-          #              build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
-          #            else
-          #              build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
-          #            end
-          #
-          #   return unless result
-          #
-          #   append_to_activity(context, result)
-          #   cef_logging result, :ineffective_attack
-          # end
-          #
-          # protected
-          #
-          # def build_sample context, evaluation, _candidate_string, **kwargs
-          #   sample = build_base_sample(context, evaluation)
-          #   sample.user_input.value = kwargs[:method]
-          #   sample.user_input.input_type = :METHOD
-          #
-          #   sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
-          #   sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
-          #   code = kwargs[:response_code] || -1
-          #   sample.method_tampering.response_code = code.to_i
-          #   sample
-          # end
-          #
-          # private
-          #
-          # def normal_request? context
-          #   method = context.request.request_method
-          #   context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
-          # end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/reporting/details/http_method_tempering_details.rb DELETED Viewed

@@ -1,27 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/agent/reporting/details/protect_rule_details'
-module Contrast
-  module Agent
-    module Reporting
-      module Details
-        # HttpMethodTemperingDetails IA result details info.
-        class HttpMethodTemperingDetails < ProtectRuleDetails
-          # @return [String]
-          attr_accessor :method
-          # @return [Integer]
-          attr_accessor :response_code
-          def to_controlled_hash
-            {
-                method: method, # rubocop:disable Security/Object/Method
-                responseCode: response_code
-            }
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/reporting/reporter_heartbeat.rb DELETED Viewed

@@ -1,47 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/agent/reporting/reporter'
-require 'contrast/agent/inventory/dependency_usage_analysis'
-require 'contrast/agent/reporting/reporting_events/poll'
-module Contrast
-  module Agent
-    # The ReporterHeartbeat will make sure that the process remains marked alive by TeamServer and that we periodically
-    # reach out to get the latest settings for this application. It also sends out those messages which do not need to
-    # be associated directly with a request, such as Server Activity and Library Observation.
-    class ReporterHeartbeat < Reporter
-      # TeamServer will mark an application offline after 5 minutes. Sending this every one should be more than enough
-      # to satisfy our goals.
-      REFRESH_INTERVAL_SEC = 60
-      def start_thread!
-        return if running?
-        @_thread = Contrast::Agent::Thread.new do
-          logger.info('Starting heartbeat thread.')
-          loop do
-            polling_events.each do |event|
-              Contrast::Agent.reporter&.send_event(event)
-            end
-            clean_properties
-            sleep(REFRESH_INTERVAL_SEC)
-          end
-        end
-      end
-      private
-      def poll_message
-        @_poll_message ||= Contrast::Agent::Reporting::Poll.new
-      end
-      # Those events which should be sent periodically, rather than on event or request.
-      #
-      # @return [Array<Contrast::Agent::Reporting::ReportingEvent>]
-      def polling_events
-        [Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage, poll_message].compact
-      end
-    end
-  end
-end

data/lib/contrast/agent/reporting/server_settings_worker.rb DELETED Viewed

@@ -1,44 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/agent/worker_thread'
-require 'contrast/agent/reporting/report'
-module Contrast
-  module Agent
-    # The ServerSettingsWorker will send request on interval, to make sure the Agent gets the settings it
-    # need to operate, from TS. This Thead should be started after the AgentStartup is complete.
-    class ServerSettingsWorker < WorkerThread
-      RESEND_INTERVAL_MS = 60_000.cs__freeze
-      def start_thread!
-        return if running?
-        @_thread = Contrast::Agent::Thread.new do
-          logger.info('Starting Server Settings Worker thread.', sending_interval: server_settings_resend_ms)
-          loop do
-            logger.info('Fetching Settings', sending_interval: server_settings_resend_ms)
-            Contrast::Agent.reporter&.send_event(settings_message)
-            sleep(server_settings_resend_ms / 1000)
-          end
-        end
-      end
-      private
-      # Polling messages for this thread. Including Server settings:
-      #
-      # @return [Contrast::Agent::Reporting::ReportingEvent]
-      def settings_message
-        @_settings_message ||= Contrast::Agent::Reporting::ServerSettings.new
-      end
-      # Get the value from settings or use the default one.
-      #
-      # @return resend_ms [Integer] time to resend the message
-      def server_settings_resend_ms
-        @_server_settings_resend_ms ||= Contrast::AGENT.polling.server_settings_ms&.to_i || RESEND_INTERVAL_MS
-      end
-    end
-  end
-end

data/lib/contrast/agent_lib/api/method_tempering.rb DELETED Viewed

@@ -1,29 +0,0 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: false
-require 'ffi'
-# require the gem
-require 'contrast-agent-lib'
-module Contrast
-  module AgentLib
-    # This module is for method tempering bindings: contrast_c::method_tampering
-    module MethodTempering
-      # TODO: RUBY-1632
-      # extend FFI::Library
-      # ffi_lib ContrastAgentLib::CONTRAST_C
-      #
-      # # returns 1 => true, 0 => false
-      # attach_function :is_method_tampering, [:string], :int32
-      #
-      # # Check to see if method is being tempered or not.
-      # # Used with Protect method-tampering rule.
-      # #
-      # # @param method [String] method to check
-      # # @return [Boolean]
-      # def dl__method_tempered? method
-      #   is_method_tampering(method).positive?
-      # end
-    end
-  end
-end