contrast-agent 6.9.0 → 6.11.0

data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb

@@ -0,0 +1,46 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/report'
+
+module Contrast
+  module Agent
+    module ReportingWorkers
+      # The ServerSettingsWorker will send request on interval, to make sure the Agent gets the settings it
+      # need to operate, from TS. This Thead should be started after the AgentStartup is complete.
+      class ServerSettingsWorker < WorkerThread
+        RESEND_INTERVAL_MS = 60_000.cs__freeze
+
+        def start_thread!
+          return if running?
+
+          @_thread = Contrast::Agent::Thread.new do
+            logger.info('[ServerSettingsWorker] Starting thread.', sending_interval: server_settings_resend_ms)
+            loop do
+              logger.info('[ServerSettingsWorker] Fetching Settings', sending_interval: server_settings_resend_ms)
+              Contrast::Agent.reporter&.send_event(settings_message)
+              sleep(server_settings_resend_ms / 1000)
+            end
+          end
+        end
+
+        private
+
+        # Polling messages for this thread. Including Server settings:
+        #
+        # @return [Contrast::Agent::Reporting::ReportingEvent]
+        def settings_message
+          @_settings_message ||= Contrast::Agent::Reporting::ServerSettings.new
+        end
+
+        # Get the value from settings or use the default one.
+        #
+        # @return resend_ms [Integer] time to resend the message
+        def server_settings_resend_ms
+          @_server_settings_resend_ms ||= Contrast::AGENT.polling.server_settings_ms&.to_i || RESEND_INTERVAL_MS
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/assess.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/assess_rule'
 
 module Contrast
   module Agent
@@ -14,7 +15,13 @@ module Contrast
           #
           # @return disabled_rules [Array<String>] Array with string rule_ids
           def disabled_rules
-            @_disabled_rules ||= []
+            @_disabled_rules ||= begin
+              disabled = []
+              rule_settings.each_pair do |rule_id, rules_setting|
+                disabled << rule_id unless rules_setting.enable
+              end
+              disabled
+            end
           end
 
           # @param disabled_rules [Array] with AssessRuleID strings
@@ -23,6 +30,12 @@ module Contrast
             @_disabled_rules = disabled_rules if disabled_rules.is_a?(Array)
           end
 
+          # @return [Hash<String,Contrast::Agent::Reporting::Settings::AssessRule>] map of rule, by id, to
+          #   configuration
+          def rule_settings
+            @_rule_settings ||= {}
+          end
+
           # The id of a session on TeamServer under which this session of this application should report
           # Overrides that set by application.session_id (should match if provided).
           #

data/lib/contrast/agent/reporting/settings/assess_rule.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Settings for each assess rule
+        class AssessRule
+          # @return [Boolean] is the rule enabled or not
+          attr_accessor :enable
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/helpers.rb

@@ -51,9 +51,11 @@ module Contrast
 
             # rule_id => rule-id
             #
-            # @param id [String]
+            # @param id [String, Symbol]
             def to_rule_id id
-              id.to_s.tr('_', '-')
+              return Contrast::Utils::ObjectShare::EMPTY_STRING unless id.cs__is_a?(String) || id.cs__is_a?(Symbol)
+
+              id.to_s.downcase.tr('_', '-')
             end
           end
         end

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/protect_rule'
+require 'contrast/agent/reporting/settings/virtual_patch'
 
 module Contrast
   module Agent
@@ -10,8 +12,8 @@ module Contrast
       module Settings
         # Application level settings for the Protect featureset
         class Protect
-          # block at perimeter needs to be check against the blockAtEntry boolean value
-          PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
+          # modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value
+          NG_PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
           # The settings for each protect rule for this application
           #
           # @return protection_rules [Array<protectRule>] protectRule: {
@@ -22,6 +24,12 @@ module Contrast
             @_protection_rules ||= []
           end
 
+          # @return [Hash<String,Contrast::Agent::Reporting::Settings::ProtectRule>] map of rule, by id, to
+          #   configuration
+          def rule_settings
+            @_rule_settings ||= {}
+          end
+
           # Set the protection_rules array
           #
           # @param protection_rules [Array<protectRule>] protectRule: {
@@ -38,13 +46,7 @@ module Contrast
 
           # The virtual patches to apply for this application
           #
-          # @return virtual_patches [Array<VirtualPatch>] Array of VirtualPatch: {
-          #   name       [String] The name of the Virtual Patch
-          #   headers    [Array] The headers that must be present in the request to result in the request being blocked
-          #   parameters [Array] The parameters that must be present in the request
-          #                       to result in the request being blocked.
-          #   urls       [Array] The urls that must be present in the request to result in the request being blocked.
-          #   uuids      [String] The UUID of the Virtual Patch }
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatch>]
           def virtual_patches
             @_virtual_patches ||= []
           end
@@ -78,11 +80,11 @@ module Contrast
             modes_by_id = {}
             protection_rules.each do |rule|
               setting_mode = rule[:mode] || rule['mode']
-              api_mode = if PROTECT_RULES_MODE.include?(setting_mode)
+              api_mode = if NG_PROTECT_RULES_MODE.include?(setting_mode)
                            case setting_mode
-                           when PROTECT_RULES_MODE[1]
+                           when NG_PROTECT_RULES_MODE[1]
                              :MONITOR
-                           when PROTECT_RULES_MODE[2]
+                           when NG_PROTECT_RULES_MODE[2]
                              if rule[:blockAtEntry] || rule['blockAtEntry']
                                :BLOCK_AT_PERIMETER
                              else
@@ -92,8 +94,11 @@ module Contrast
                              :NO_ACTION
                            end
                          else
+                           # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
+                           # can just be cast to symbols
                            setting_mode.to_sym
                          end
+
               id = rule[:id] || rule['id']
               modes_by_id[id] = api_mode
             end

data/lib/contrast/agent/reporting/settings/protect_rule.rb

@@ -0,0 +1,18 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Settings for each protect rule
+        class ProtectRule
+          # @return [Symbol] the configured mode of the rule; OFF, MONITOR, BLOCK
+          attr_accessor :mode
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/protect_server_feature.rb

@@ -161,7 +161,7 @@ module Contrast
           #                    value          [String] }
           # }
           # @return rule_definition_list [Array<Contrast::Agent::Reporting::Settings::RuleDefinition>]
-          def rule_definition_list= list
+          def ng_rule_definition_list list
             Contrast::Agent::Reporting::Settings::Helpers.array_to_iv(
                 Contrast::Agent::Reporting::Settings::RuleDefinition,
                 rule_definition_list,

data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb

@@ -63,7 +63,7 @@ module Contrast
 
           # Build rules from hash
           #
-          # @param settings_rules [Hash] Response settings under Settings/sensitive_data_masking_policy/rules
+          # @param settings_rules [Array<Hash>] Response settings under Settings/sensitive_data_masking_policy/rules
           # @return rules [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>, nil
           def build_rules_form_settings settings_rules
             return if settings_rules.nil? || settings_rules.empty?

data/lib/contrast/agent/reporting/settings/virtual_patch.rb

@@ -0,0 +1,56 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/virtual_patch_condition'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The settings for each virtual patch in the agent.
+        class VirtualPatch
+          # @return [String]
+          attr_reader :name
+          # @return [String]
+          attr_reader :key
+          # @return [String]
+          attr_reader :uuid
+
+          def initialize hash
+            @name = hash[:name]
+            @key = hash[:key]
+            @uuid = hash[:uuid]
+
+            hash[:headers]&.each do |header_json|
+              headers << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+
+            hash[:parameters]&.each do |header_json|
+              parameters << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+
+            hash[:urls]&.each do |header_json|
+              urls << Contrast::Agent::Reporting::Settings::VirtualPatchCondition.new(header_json)
+            end
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def headers
+            @_headers ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def parameters
+            @_parameters ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def urls
+            @_urls ||= []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb

@@ -0,0 +1,47 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/protect_rule'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # The settings for each virtual patch condition in the agent.
+        class VirtualPatchCondition
+          # @return [String]
+          attr_reader :name
+          # @return [String]
+          attr_reader :value
+          # @return [String]
+          attr_reader :input_type
+          # @return [String]
+          attr_reader :evaluation
+
+          def initialize hash
+            @name = hash[:name]
+            @value = hash[:value]
+            @input_type = hash[:input_type]
+            @evaluation = hash[:evaluation]
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def headers
+            @_headers ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def parameters
+            @_parameters ||= []
+          end
+
+          # @return [Array<Contrast::Agent::Reporting::Settings::VirtualPatchCondition>]
+          def urls
+            @_urls ||= []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/request_context_extend.rb

@@ -50,6 +50,10 @@ module Contrast
         return false if @do_not_track
 
         if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
+          # Handle prefilter
+          Contrast::Agent::Protect::InputAnalyzer.input_classification(ia, prefilter: true)
+          # Reflected xss infilter
+          Contrast::Agent::Protect::InputAnalyzer.input_classification_for('reflected-xss', ia)
           @agent_input_analysis = ia
         else
           logger.trace('Analysis from Agent was empty.')
@@ -60,6 +64,22 @@ module Contrast
         logger.warn('Unable to extract protect information from request', e)
       end
 
+      # Builds IA only for postfilter rules. If rules during infilter were not triggered there will be
+      # no IA for them later to use it in postfilter.
+      #
+      # @raise [Contrast::SecurityException]
+      def protect_postfilter_ia
+        return false unless ::Contrast::AGENT.enabled?
+        return false unless ::Contrast::PROTECT.enabled?
+
+        # Handle postfilter
+        Contrast::Agent::Protect::InputAnalyzer.input_classification(@agent_input_analysis, postfilter: true)
+      rescue Contrast::SecurityException => e
+        raise(e)
+      rescue StandardError => e
+        logger.warn('Unable to extract protect information from request - postfilter', e)
+      end
+
       # append anything we've learned to the request seen message this is the sum-total of all inventory information
       # that has been accumulated since the last request
       def extract_after rack_response

data/lib/contrast/agent/telemetry/base.rb

@@ -14,7 +14,6 @@ module Contrast
       # This class will initialize and hold everything needed for the telemetry
       class Base < WorkerThread
         include Contrast::Components::Logger::InstanceMethods
-
         # this is where we will send the data from the agents
         URL = 'https://telemetry.ruby.contrastsecurity.com/'
         # Suggested timeout after each send is to be 3 hours (10800 seconds)
@@ -48,7 +47,8 @@ module Contrast
             @_client = Contrast::Utils::TelemetryClient.new
             ip_opt_out_telemetry = @_client.initialize_connection(URL)
             if ip_opt_out_telemetry.nil?
-              logger.warn("Connection was not established properly!!! \n Telemetry reporting will be disabled!")
+              logger.warn("[Telemetry] Connection was not established properly!!! \n
+                          Telemetry reporting will be disabled!")
               return false
             end
 
@@ -66,30 +66,30 @@ module Contrast
 
         def attempt_to_start?
           unless cs__class.enabled?
-            logger.warn('Telemetry service is disabled!')
+            logger.info('[Telemetry] Telemetry service is disabled!')
             return false
           end
 
-          logger.debug('Attempting to start telemetry thread') unless running?
+          logger.debug('[Telemetry] Attempting to start telemetry thread') unless running?
           true
         end
 
         def start_thread!
           return if running?
 
-          logger.debug('Starting background telemetry thread.')
+          logger.debug('[Telemetry] Starting background telemetry thread.')
           @_thread = create_thread
         end
 
         def send_event event
           if ::Contrast::AGENT.disabled?
-            logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
+            logger.warn('[Telemetry] Attempted to queue event with Agent disabled', caller: caller, event: event)
             return
           end
 
           return unless cs__class.enabled?
 
-          logger.debug('Enqueued event for sending', event_type: event.cs__class)
+          logger.debug('[Telemetry] Enqueued event for sending', event_type: event.cs__class)
           queue << event if event
         end
 
@@ -107,8 +107,7 @@ module Contrast
         end
 
         def request_with_response event
-          res = client.send_request(event, connection)
-          client.handle_response(res)
+          client.handle_response(client.send_request(event, connection))
         end
 
         private
@@ -120,7 +119,7 @@ module Contrast
         # It is recommended that implementations send a single payload of general metrics every 3 hours, starting from
         # implementation startup. This returns a thread configured to do so.
         #
-        # @return [Contrast::Agent::Thread]
+        # @return [::Thread] Contrast::Agent::Thread
         def create_thread
           Contrast::Agent::Thread.new do
             loop do
@@ -132,16 +131,15 @@ module Contrast
               until queue.empty?
                 event = queue.pop
                 begin
-                  logger.debug('This is the current processed event', event)
-                  sleep_time = request_with_response(event)
-                  if sleep_time
+                  logger.debug('[Telemetry] This is the current processed event', event)
+                  if (sleep_time = request_with_response(event))
                     sleep(sleep_time)
-                    logger.debug('Retrying to process event', event)
+                    logger.debug('[Telemetry] Retrying to process event', event)
                     retry_sleep_time = request_with_response(event)
                     sleep(retry_sleep_time) unless retry_sleep_time.nil?
                   end
                 rescue StandardError => e
-                  logger.error('Could not send message to service from telemetry queue.', e)
+                  logger.error('[Telemetry] Could not send message to service from telemetry queue.', e)
                   stop!
                 end
               end