contrast-agent 6.9.0 → 6.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -1
- data/ext/build_funchook.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +1 -4
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -1
- data/lib/contrast/agent/middleware.rb +5 -3
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +6 -2
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +76 -83
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +40 -35
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +6 -3
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +5 -2
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +3 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +12 -0
- data/lib/contrast/agent/protect/rule/base.rb +19 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +7 -2
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +8 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +9 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +24 -2
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/path_traversal.rb +8 -0
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +0 -1
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +0 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +6 -10
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +6 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/xss.rb +8 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +2 -2
- data/lib/contrast/agent/protect/rule.rb +0 -3
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +0 -1
- data/lib/contrast/agent/reporting/details/details.rb +0 -1
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +12 -0
- data/lib/contrast/agent/reporting/report.rb +1 -0
- data/lib/contrast/agent/reporting/reporter.rb +12 -15
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +4 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +13 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +20 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +5 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +10 -1
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +10 -0
- data/lib/contrast/agent/reporting/reporting_events/application_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +9 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +8 -5
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +7 -7
- data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb +137 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +12 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +100 -107
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +5 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +101 -67
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +46 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb +14 -0
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +46 -0
- data/lib/contrast/agent/reporting/settings/assess.rb +14 -1
- data/lib/contrast/agent/reporting/settings/assess_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/helpers.rb +4 -2
- data/lib/contrast/agent/reporting/settings/protect.rb +17 -12
- data/lib/contrast/agent/reporting/settings/protect_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +1 -1
- data/lib/contrast/agent/reporting/settings/virtual_patch.rb +56 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb +47 -0
- data/lib/contrast/agent/request_context_extend.rb +20 -0
- data/lib/contrast/agent/telemetry/base.rb +13 -15
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +108 -103
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +16 -10
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +12 -0
- data/lib/contrast/agent_lib/api/init.rb +1 -7
- data/lib/contrast/agent_lib/api/input_tracing.rb +2 -4
- data/lib/contrast/agent_lib/interface.rb +1 -16
- data/lib/contrast/agent_lib/interface_base.rb +52 -39
- data/lib/contrast/agent_lib/return_types/eval_result.rb +2 -2
- data/lib/contrast/components/assess.rb +26 -4
- data/lib/contrast/components/config.rb +1 -1
- data/lib/contrast/components/polling.rb +4 -1
- data/lib/contrast/components/settings.rb +46 -3
- data/lib/contrast/config/config.rb +2 -2
- data/lib/contrast/config/protect_rule_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +3 -3
- data/lib/contrast/extension/assess/regexp.rb +2 -2
- data/lib/contrast/framework/rack/patch/session_cookie.rb +2 -1
- data/lib/contrast/logger/aliased_logging.rb +48 -15
- data/lib/contrast/utils/duck_utils.rb +18 -0
- data/lib/contrast/utils/heap_dump_util.rb +1 -1
- data/lib/contrast/utils/input_classification_base.rb +21 -4
- data/lib/contrast/utils/log_utils.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +1 -1
- data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
- data/lib/contrast/utils/routes_sent.rb +6 -2
- data/lib/contrast/utils/telemetry.rb +2 -2
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/resources/protect/policy.json +8 -0
- data/ruby-agent.gemspec +6 -6
- metadata +40 -30
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +0 -96
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -83
- data/lib/contrast/agent/reporting/details/http_method_tempering_details.rb +0 -27
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +0 -47
- data/lib/contrast/agent/reporting/server_settings_worker.rb +0 -44
- data/lib/contrast/agent_lib/api/method_tempering.rb +0 -29
@@ -0,0 +1,46 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/agent/worker_thread'
|
5
|
+
require 'contrast/agent/reporting/report'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module ReportingWorkers
|
10
|
+
# The ServerSettingsWorker will send request on interval, to make sure the Agent gets the settings it
|
11
|
+
# need to operate, from TS. This Thead should be started after the AgentStartup is complete.
|
12
|
+
class ServerSettingsWorker < WorkerThread
|
13
|
+
RESEND_INTERVAL_MS = 60_000.cs__freeze
|
14
|
+
|
15
|
+
def start_thread!
|
16
|
+
return if running?
|
17
|
+
|
18
|
+
@_thread = Contrast::Agent::Thread.new do
|
19
|
+
logger.info('[ServerSettingsWorker] Starting thread.', sending_interval: server_settings_resend_ms)
|
20
|
+
loop do
|
21
|
+
logger.info('[ServerSettingsWorker] Fetching Settings', sending_interval: server_settings_resend_ms)
|
22
|
+
Contrast::Agent.reporter&.send_event(settings_message)
|
23
|
+
sleep(server_settings_resend_ms / 1000)
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
private
|
29
|
+
|
30
|
+
# Polling messages for this thread. Including Server settings:
|
31
|
+
#
|
32
|
+
# @return [Contrast::Agent::Reporting::ReportingEvent]
|
33
|
+
def settings_message
|
34
|
+
@_settings_message ||= Contrast::Agent::Reporting::ServerSettings.new
|
35
|
+
end
|
36
|
+
|
37
|
+
# Get the value from settings or use the default one.
|
38
|
+
#
|
39
|
+
# @return resend_ms [Integer] time to resend the message
|
40
|
+
def server_settings_resend_ms
|
41
|
+
@_server_settings_resend_ms ||= Contrast::AGENT.polling.server_settings_ms&.to_i || RESEND_INTERVAL_MS
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/settings/assess_rule'
|
5
6
|
|
6
7
|
module Contrast
|
7
8
|
module Agent
|
@@ -14,7 +15,13 @@ module Contrast
|
|
14
15
|
#
|
15
16
|
# @return disabled_rules [Array<String>] Array with string rule_ids
|
16
17
|
def disabled_rules
|
17
|
-
@_disabled_rules ||=
|
18
|
+
@_disabled_rules ||= begin
|
19
|
+
disabled = []
|
20
|
+
rule_settings.each_pair do |rule_id, rules_setting|
|
21
|
+
disabled << rule_id unless rules_setting.enable
|
22
|
+
end
|
23
|
+
disabled
|
24
|
+
end
|
18
25
|
end
|
19
26
|
|
20
27
|
# @param disabled_rules [Array] with AssessRuleID strings
|
@@ -23,6 +30,12 @@ module Contrast
|
|
23
30
|
@_disabled_rules = disabled_rules if disabled_rules.is_a?(Array)
|
24
31
|
end
|
25
32
|
|
33
|
+
# @return [Hash<String,Contrast::Agent::Reporting::Settings::AssessRule>] map of rule, by id, to
|
34
|
+
# configuration
|
35
|
+
def rule_settings
|
36
|
+
@_rule_settings ||= {}
|
37
|
+
end
|
38
|
+
|
26
39
|
# The id of a session on TeamServer under which this session of this application should report
|
27
40
|
# Overrides that set by application.session_id (should match if provided).
|
28
41
|
#
|
@@ -0,0 +1,18 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
module Settings
|
10
|
+
# Settings for each assess rule
|
11
|
+
class AssessRule
|
12
|
+
# @return [Boolean] is the rule enabled or not
|
13
|
+
attr_accessor :enable
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -51,9 +51,11 @@ module Contrast
|
|
51
51
|
|
52
52
|
# rule_id => rule-id
|
53
53
|
#
|
54
|
-
# @param id [String]
|
54
|
+
# @param id [String, Symbol]
|
55
55
|
def to_rule_id id
|
56
|
-
id.
|
56
|
+
return Contrast::Utils::ObjectShare::EMPTY_STRING unless id.cs__is_a?(String) || id.cs__is_a?(Symbol)
|
57
|
+
|
58
|
+
id.to_s.downcase.tr('_', '-')
|
57
59
|
end
|
58
60
|
end
|
59
61
|
end
|
@@ -2,6 +2,8 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/settings/protect_rule'
|
6
|
+
require 'contrast/agent/reporting/settings/virtual_patch'
|
5
7
|
|
6
8
|
module Contrast
|
7
9
|
module Agent
|
@@ -10,8 +12,8 @@ module Contrast
|
|
10
12
|
module Settings
|
11
13
|
# Application level settings for the Protect featureset
|
12
14
|
class Protect
|
13
|
-
# block at perimeter needs to be check against the blockAtEntry boolean value
|
14
|
-
|
15
|
+
# modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value
|
16
|
+
NG_PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
|
15
17
|
# The settings for each protect rule for this application
|
16
18
|
#
|
17
19
|
# @return protection_rules [Array<protectRule>] protectRule: {
|
@@ -22,6 +24,12 @@ module Contrast
|
|
22
24
|
@_protection_rules ||= []
|
23
25
|
end
|
24
26
|
|
27
|
+
# @return [Hash<String,Contrast::Agent::Reporting::Settings::ProtectRule>] map of rule, by id, to
|
28
|
+
# configuration
|
29
|
+
def rule_settings
|
30
|
+
@_rule_settings ||= {}
|
31
|
+
end
|
32
|
+
|
25
33
|
# Set the protection_rules array
|
26
34
|
#
|
27
35
|
# @param protection_rules [Array<protectRule>] protectRule: {
|
@@ -38,13 +46,7 @@ module Contrast
|
|
38
46
|
|
39
47
|
# The virtual patches to apply for this application
|
40
48
|
#
|
41
|
-
# @return
|
42
|
-
# name [String] The name of the Virtual Patch
|
43
|
-
# headers [Array] The headers that must be present in the request to result in the request being blocked
|
44
|
-
# parameters [Array] The parameters that must be present in the request
|
45
|
-
# to result in the request being blocked.
|
46
|
-
# urls [Array] The urls that must be present in the request to result in the request being blocked.
|
47
|
-
# uuids [String] The UUID of the Virtual Patch }
|
49
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatch>]
|
48
50
|
def virtual_patches
|
49
51
|
@_virtual_patches ||= []
|
50
52
|
end
|
@@ -78,11 +80,11 @@ module Contrast
|
|
78
80
|
modes_by_id = {}
|
79
81
|
protection_rules.each do |rule|
|
80
82
|
setting_mode = rule[:mode] || rule['mode']
|
81
|
-
api_mode = if
|
83
|
+
api_mode = if NG_PROTECT_RULES_MODE.include?(setting_mode)
|
82
84
|
case setting_mode
|
83
|
-
when
|
85
|
+
when NG_PROTECT_RULES_MODE[1]
|
84
86
|
:MONITOR
|
85
|
-
when
|
87
|
+
when NG_PROTECT_RULES_MODE[2]
|
86
88
|
if rule[:blockAtEntry] || rule['blockAtEntry']
|
87
89
|
:BLOCK_AT_PERIMETER
|
88
90
|
else
|
@@ -92,8 +94,11 @@ module Contrast
|
|
92
94
|
:NO_ACTION
|
93
95
|
end
|
94
96
|
else
|
97
|
+
# modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
|
98
|
+
# can just be cast to symbols
|
95
99
|
setting_mode.to_sym
|
96
100
|
end
|
101
|
+
|
97
102
|
id = rule[:id] || rule['id']
|
98
103
|
modes_by_id[id] = api_mode
|
99
104
|
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
|
6
|
+
module Contrast
|
7
|
+
module Agent
|
8
|
+
module Reporting
|
9
|
+
module Settings
|
10
|
+
# Settings for each protect rule
|
11
|
+
class ProtectRule
|
12
|
+
# @return [Symbol] the configured mode of the rule; OFF, MONITOR, BLOCK
|
13
|
+
attr_accessor :mode
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -161,7 +161,7 @@ module Contrast
|
|
161
161
|
# value [String] }
|
162
162
|
# }
|
163
163
|
# @return rule_definition_list [Array<Contrast::Agent::Reporting::Settings::RuleDefinition>]
|
164
|
-
def
|
164
|
+
def ng_rule_definition_list list
|
165
165
|
Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(
|
166
166
|
Contrast::Agent::Reporting::Settings::RuleDefinition,
|
167
167
|
rule_definition_list,
|
@@ -63,7 +63,7 @@ module Contrast
|
|
63
63
|
|
64
64
|
# Build rules from hash
|
65
65
|
#
|
66
|
-
# @param settings_rules [Hash] Response settings under Settings/sensitive_data_masking_policy/rules
|
66
|
+
# @param settings_rules [Array<Hash>] Response settings under Settings/sensitive_data_masking_policy/rules
|
67
67
|
# @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, nil
|
68
68
|
def build_rules_form_settings settings_rules
|
69
69
|
return if settings_rules.nil? || settings_rules.empty?
|
@@ -0,0 +1,56 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/settings/virtual_patch_condition'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Reporting
|
10
|
+
module Settings
|
11
|
+
# The settings for each virtual patch in the agent.
|
12
|
+
class VirtualPatch
|
13
|
+
# @return [String]
|
14
|
+
attr_reader :name
|
15
|
+
# @return [String]
|
16
|
+
attr_reader :key
|
17
|
+
# @return [String]
|
18
|
+
attr_reader :uuid
|
19
|
+
|
20
|
+
def initialize hash
|
21
|
+
@name = hash[:name]
|
22
|
+
@key = hash[:key]
|
23
|
+
@uuid = hash[:uuid]
|
24
|
+
|
25
|
+
hash[:headers]&.each do |header_json|
|
26
|
+
headers << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
|
27
|
+
end
|
28
|
+
|
29
|
+
hash[:parameters]&.each do |header_json|
|
30
|
+
parameters << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
|
31
|
+
end
|
32
|
+
|
33
|
+
hash[:urls]&.each do |header_json|
|
34
|
+
urls << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
39
|
+
def headers
|
40
|
+
@_headers ||= []
|
41
|
+
end
|
42
|
+
|
43
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
44
|
+
def parameters
|
45
|
+
@_parameters ||= []
|
46
|
+
end
|
47
|
+
|
48
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
49
|
+
def urls
|
50
|
+
@_urls ||= []
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'contrast/utils/object_share'
|
5
|
+
require 'contrast/agent/reporting/settings/protect_rule'
|
6
|
+
|
7
|
+
module Contrast
|
8
|
+
module Agent
|
9
|
+
module Reporting
|
10
|
+
module Settings
|
11
|
+
# The settings for each virtual patch condition in the agent.
|
12
|
+
class VirtualPatchCondition
|
13
|
+
# @return [String]
|
14
|
+
attr_reader :name
|
15
|
+
# @return [String]
|
16
|
+
attr_reader :value
|
17
|
+
# @return [String]
|
18
|
+
attr_reader :input_type
|
19
|
+
# @return [String]
|
20
|
+
attr_reader :evaluation
|
21
|
+
|
22
|
+
def initialize hash
|
23
|
+
@name = hash[:name]
|
24
|
+
@value = hash[:value]
|
25
|
+
@input_type = hash[:input_type]
|
26
|
+
@evaluation = hash[:evaluation]
|
27
|
+
end
|
28
|
+
|
29
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
30
|
+
def headers
|
31
|
+
@_headers ||= []
|
32
|
+
end
|
33
|
+
|
34
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
35
|
+
def parameters
|
36
|
+
@_parameters ||= []
|
37
|
+
end
|
38
|
+
|
39
|
+
# @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
|
40
|
+
def urls
|
41
|
+
@_urls ||= []
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
@@ -50,6 +50,10 @@ module Contrast
|
|
50
50
|
return false if @do_not_track
|
51
51
|
|
52
52
|
if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
|
53
|
+
# Handle prefilter
|
54
|
+
Contrast::Agent::Protect::InputAnalyzer.input_classification(ia, prefilter: true)
|
55
|
+
# Reflected xss infilter
|
56
|
+
Contrast::Agent::Protect::InputAnalyzer.input_classification_for('reflected-xss', ia)
|
53
57
|
@agent_input_analysis = ia
|
54
58
|
else
|
55
59
|
logger.trace('Analysis from Agent was empty.')
|
@@ -60,6 +64,22 @@ module Contrast
|
|
60
64
|
logger.warn('Unable to extract protect information from request', e)
|
61
65
|
end
|
62
66
|
|
67
|
+
# Builds IA only for postfilter rules. If rules during infilter were not triggered there will be
|
68
|
+
# no IA for them later to use it in postfilter.
|
69
|
+
#
|
70
|
+
# @raise [Contrast::SecurityException]
|
71
|
+
def protect_postfilter_ia
|
72
|
+
return false unless ::Contrast::AGENT.enabled?
|
73
|
+
return false unless ::Contrast::PROTECT.enabled?
|
74
|
+
|
75
|
+
# Handle postfilter
|
76
|
+
Contrast::Agent::Protect::InputAnalyzer.input_classification(@agent_input_analysis, postfilter: true)
|
77
|
+
rescue Contrast::SecurityException => e
|
78
|
+
raise(e)
|
79
|
+
rescue StandardError => e
|
80
|
+
logger.warn('Unable to extract protect information from request - postfilter', e)
|
81
|
+
end
|
82
|
+
|
63
83
|
# append anything we've learned to the request seen message this is the sum-total of all inventory information
|
64
84
|
# that has been accumulated since the last request
|
65
85
|
def extract_after rack_response
|
@@ -14,7 +14,6 @@ module Contrast
|
|
14
14
|
# This class will initialize and hold everything needed for the telemetry
|
15
15
|
class Base < WorkerThread
|
16
16
|
include Contrast::Components::Logger::InstanceMethods
|
17
|
-
|
18
17
|
# this is where we will send the data from the agents
|
19
18
|
URL = 'https://telemetry.ruby.contrastsecurity.com/'
|
20
19
|
# Suggested timeout after each send is to be 3 hours (10800 seconds)
|
@@ -48,7 +47,8 @@ module Contrast
|
|
48
47
|
@_client = Contrast::Utils::TelemetryClient.new
|
49
48
|
ip_opt_out_telemetry = @_client.initialize_connection(URL)
|
50
49
|
if ip_opt_out_telemetry.nil?
|
51
|
-
logger.warn("Connection was not established properly!!! \n
|
50
|
+
logger.warn("[Telemetry] Connection was not established properly!!! \n
|
51
|
+
Telemetry reporting will be disabled!")
|
52
52
|
return false
|
53
53
|
end
|
54
54
|
|
@@ -66,30 +66,30 @@ module Contrast
|
|
66
66
|
|
67
67
|
def attempt_to_start?
|
68
68
|
unless cs__class.enabled?
|
69
|
-
logger.
|
69
|
+
logger.info('[Telemetry] Telemetry service is disabled!')
|
70
70
|
return false
|
71
71
|
end
|
72
72
|
|
73
|
-
logger.debug('Attempting to start telemetry thread') unless running?
|
73
|
+
logger.debug('[Telemetry] Attempting to start telemetry thread') unless running?
|
74
74
|
true
|
75
75
|
end
|
76
76
|
|
77
77
|
def start_thread!
|
78
78
|
return if running?
|
79
79
|
|
80
|
-
logger.debug('Starting background telemetry thread.')
|
80
|
+
logger.debug('[Telemetry] Starting background telemetry thread.')
|
81
81
|
@_thread = create_thread
|
82
82
|
end
|
83
83
|
|
84
84
|
def send_event event
|
85
85
|
if ::Contrast::AGENT.disabled?
|
86
|
-
logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
|
86
|
+
logger.warn('[Telemetry] Attempted to queue event with Agent disabled', caller: caller, event: event)
|
87
87
|
return
|
88
88
|
end
|
89
89
|
|
90
90
|
return unless cs__class.enabled?
|
91
91
|
|
92
|
-
logger.debug('Enqueued event for sending', event_type: event.cs__class)
|
92
|
+
logger.debug('[Telemetry] Enqueued event for sending', event_type: event.cs__class)
|
93
93
|
queue << event if event
|
94
94
|
end
|
95
95
|
|
@@ -107,8 +107,7 @@ module Contrast
|
|
107
107
|
end
|
108
108
|
|
109
109
|
def request_with_response event
|
110
|
-
|
111
|
-
client.handle_response(res)
|
110
|
+
client.handle_response(client.send_request(event, connection))
|
112
111
|
end
|
113
112
|
|
114
113
|
private
|
@@ -120,7 +119,7 @@ module Contrast
|
|
120
119
|
# It is recommended that implementations send a single payload of general metrics every 3 hours, starting from
|
121
120
|
# implementation startup. This returns a thread configured to do so.
|
122
121
|
#
|
123
|
-
# @return [Contrast::Agent::Thread
|
122
|
+
# @return [::Thread] Contrast::Agent::Thread
|
124
123
|
def create_thread
|
125
124
|
Contrast::Agent::Thread.new do
|
126
125
|
loop do
|
@@ -132,16 +131,15 @@ module Contrast
|
|
132
131
|
until queue.empty?
|
133
132
|
event = queue.pop
|
134
133
|
begin
|
135
|
-
logger.debug('This is the current processed event', event)
|
136
|
-
sleep_time = request_with_response(event)
|
137
|
-
if sleep_time
|
134
|
+
logger.debug('[Telemetry] This is the current processed event', event)
|
135
|
+
if (sleep_time = request_with_response(event))
|
138
136
|
sleep(sleep_time)
|
139
|
-
logger.debug('Retrying to process event', event)
|
137
|
+
logger.debug('[Telemetry] Retrying to process event', event)
|
140
138
|
retry_sleep_time = request_with_response(event)
|
141
139
|
sleep(retry_sleep_time) unless retry_sleep_time.nil?
|
142
140
|
end
|
143
141
|
rescue StandardError => e
|
144
|
-
logger.error('Could not send message to service from telemetry queue.', e)
|
142
|
+
logger.error('[Telemetry] Could not send message to service from telemetry queue.', e)
|
145
143
|
stop!
|
146
144
|
end
|
147
145
|
end
|