contrast-agent 6.9.0 → 6.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -1
- data/ext/build_funchook.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/split.rb +1 -4
- data/lib/contrast/agent/assess/rule/response/body_rule.rb +1 -1
- data/lib/contrast/agent/middleware.rb +5 -3
- data/lib/contrast/agent/patching/policy/method_policy_extend.rb +6 -2
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -1
- data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb +76 -83
- data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb +40 -35
- data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -0
- data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +6 -3
- data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +5 -2
- data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +3 -0
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +12 -0
- data/lib/contrast/agent/protect/rule/base.rb +19 -5
- data/lib/contrast/agent/protect/rule/base_service.rb +7 -2
- data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/bot_blocker.rb +8 -0
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb +9 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_chained_command.rb +1 -1
- data/lib/contrast/agent/protect/rule/cmdi/cmdi_dangerous_path.rb +1 -1
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +24 -2
- data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/path_traversal.rb +8 -0
- data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +0 -1
- data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb +0 -1
- data/lib/contrast/agent/protect/rule/sqli.rb +6 -10
- data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb +6 -2
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
- data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb +1 -1
- data/lib/contrast/agent/protect/rule/xss.rb +8 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +2 -2
- data/lib/contrast/agent/protect/rule.rb +0 -3
- data/lib/contrast/agent/reporting/attack_result/user_input.rb +0 -1
- data/lib/contrast/agent/reporting/details/details.rb +0 -1
- data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb +12 -0
- data/lib/contrast/agent/reporting/report.rb +1 -0
- data/lib/contrast/agent/reporting/reporter.rb +12 -15
- data/lib/contrast/agent/reporting/reporting_events/application_activity.rb +4 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb +13 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb +20 -5
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb +0 -1
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb +5 -0
- data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb +10 -1
- data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb +2 -1
- data/lib/contrast/agent/reporting/reporting_events/application_reporting_event.rb +10 -0
- data/lib/contrast/agent/reporting/reporting_events/application_settings.rb +40 -0
- data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb +9 -5
- data/lib/contrast/agent/reporting/reporting_events/observed_route.rb +8 -5
- data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb +7 -7
- data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb +137 -0
- data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb +12 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb +100 -107
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb +5 -4
- data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb +101 -67
- data/lib/contrast/agent/reporting/reporting_workers/application_server_worker.rb +46 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporter_heartbeat.rb +51 -0
- data/lib/contrast/agent/reporting/reporting_workers/reporting_workers.rb +14 -0
- data/lib/contrast/agent/reporting/reporting_workers/server_settings_worker.rb +46 -0
- data/lib/contrast/agent/reporting/settings/assess.rb +14 -1
- data/lib/contrast/agent/reporting/settings/assess_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/helpers.rb +4 -2
- data/lib/contrast/agent/reporting/settings/protect.rb +17 -12
- data/lib/contrast/agent/reporting/settings/protect_rule.rb +18 -0
- data/lib/contrast/agent/reporting/settings/protect_server_feature.rb +1 -1
- data/lib/contrast/agent/reporting/settings/sensitive_data_masking.rb +1 -1
- data/lib/contrast/agent/reporting/settings/virtual_patch.rb +56 -0
- data/lib/contrast/agent/reporting/settings/virtual_patch_condition.rb +47 -0
- data/lib/contrast/agent/request_context_extend.rb +20 -0
- data/lib/contrast/agent/telemetry/base.rb +13 -15
- data/lib/contrast/agent/telemetry/events/exceptions/obfuscate.rb +108 -103
- data/lib/contrast/agent/telemetry/events/startup_metrics_event.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +16 -10
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +12 -0
- data/lib/contrast/agent_lib/api/init.rb +1 -7
- data/lib/contrast/agent_lib/api/input_tracing.rb +2 -4
- data/lib/contrast/agent_lib/interface.rb +1 -16
- data/lib/contrast/agent_lib/interface_base.rb +52 -39
- data/lib/contrast/agent_lib/return_types/eval_result.rb +2 -2
- data/lib/contrast/components/assess.rb +26 -4
- data/lib/contrast/components/config.rb +1 -1
- data/lib/contrast/components/polling.rb +4 -1
- data/lib/contrast/components/settings.rb +46 -3
- data/lib/contrast/config/config.rb +2 -2
- data/lib/contrast/config/protect_rule_configuration.rb +1 -1
- data/lib/contrast/config/protect_rules_configuration.rb +1 -1
- data/lib/contrast/extension/assess/array.rb +3 -3
- data/lib/contrast/extension/assess/regexp.rb +2 -2
- data/lib/contrast/framework/rack/patch/session_cookie.rb +2 -1
- data/lib/contrast/logger/aliased_logging.rb +48 -15
- data/lib/contrast/utils/duck_utils.rb +18 -0
- data/lib/contrast/utils/heap_dump_util.rb +1 -1
- data/lib/contrast/utils/input_classification_base.rb +21 -4
- data/lib/contrast/utils/log_utils.rb +1 -1
- data/lib/contrast/utils/middleware_utils.rb +1 -1
- data/lib/contrast/utils/patching/policy/patch_utils.rb +2 -2
- data/lib/contrast/utils/routes_sent.rb +6 -2
- data/lib/contrast/utils/telemetry.rb +2 -2
- data/lib/contrast/utils/telemetry_client.rb +1 -1
- data/resources/protect/policy.json +8 -0
- data/ruby-agent.gemspec +6 -6
- metadata +40 -30
- data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb +0 -96
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +0 -83
- data/lib/contrast/agent/reporting/details/http_method_tempering_details.rb +0 -27
- data/lib/contrast/agent/reporting/reporter_heartbeat.rb +0 -47
- data/lib/contrast/agent/reporting/server_settings_worker.rb +0 -44
- data/lib/contrast/agent_lib/api/method_tempering.rb +0 -29
@@ -7,111 +7,116 @@ module Contrast
|
|
7
7
|
module TelemetryException
|
8
8
|
# Here will be all known gems to obfuscate during the building of TelemetryExceptions
|
9
9
|
module Obfuscate
|
10
|
+
# TODO: RUBY-1984 Re-enable/Remove Telemetry Obfuscation.
|
11
|
+
#
|
10
12
|
# List of known gems to be third parties not containing any
|
11
13
|
# user sensitive data.
|
12
|
-
KNOWN_GEMS = %w[
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
#
|
44
|
-
#
|
45
|
-
#
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
14
|
+
# KNOWN_GEMS = %w[
|
15
|
+
# activesupport redis-activesupport redis builder dry-types rails rails-html-sanitizer rails-observers
|
16
|
+
# sinatra
|
17
|
+
# benchmark-ips bundler climate_control execjs factory_bot debride fake_ftp fasterer flay openssl
|
18
|
+
# parallel_tests contrast contrast-agent ruby pry-byebug byebug pry resolv ougai protobuf async nokogiri
|
19
|
+
# benchmark grape-order grape-activerecord newrelic newrelic-grape grape-rails-cache grape-msgpack
|
20
|
+
# grape-batch rspec rake rubocop grape-jbuilder rack-test rack-protection minitest grape-instrumentation
|
21
|
+
# minitest-global_expectations rack-proxy rack-attack rack-ssl grape-cancan grape-attack grape-rake-tasks
|
22
|
+
# grape-route-helpers benchmark-memory grape-rabl grape-kaminari grape-path-helpers grape-swagger-entity
|
23
|
+
# grape-swagger-rails grape-roar newrelic-rake grapes-wagger-representative grape-forgery_protection
|
24
|
+
# grape-papertrail grape-app grape-middleware-logger rack-protection rake-compile rhino rspec-benchmark
|
25
|
+
# rspec_junit_formatter rspec-rails rake-performance rubocop-rails rubocop-rake rubocop-rspec
|
26
|
+
# ruby-debug-ide simplecov sqlite steep tilt tzinfo-data warning xpath sinatra-activerecord sinatra-param
|
27
|
+
# sinatra-partial sinatra-flash sinatra-reloader sinatra-sinatra rake_fly rack rack-accept grape
|
28
|
+
# grape-entity
|
29
|
+
# sinatra-advanced-routes sinatra-warden grape_logging grape-swagger sinatra-namespace sinatra-resource
|
30
|
+
# sinatra-hashfix sinatra-instrumentation sinatra-helpers redis-rack sinatra-support sinatra-assetpack
|
31
|
+
# sinatra-router sinatra-cross_origin sinatra_more sinatra-jsonp faraday-rack zlib mustermann
|
32
|
+
# mustermann-grape
|
33
|
+
# rspec-expectations rspec-core rspec-mocks rspec-sidekiq
|
34
|
+
# ].cs__freeze
|
35
|
+
# KNOWN_ERRORS = %w[
|
36
|
+
# ActiveModel Error Errors Resolv Rspec ActiveRecord nil NilClass NoMemoryError ScriptError
|
37
|
+
# LoadError NotImplementedError SyntaxError SecurityError SignalException Interrupt
|
38
|
+
# StandardError ArgumentError UncaughtThrowError FiberError IOError EOFError IndexError KeyError
|
39
|
+
# StopIteration LocalJumpError NameError NoMethodError RangeError FloatDomainError RegexpError
|
40
|
+
# RuntimeError FrozenError SystemCallError ThreadError TypeError ZeroDivisionError SystemExit
|
41
|
+
# SystemStackError fatal Warning buffer OpenSSL SSL SSLError Errno Timeout Exception EOFError
|
42
|
+
# ECONNRESET ECONNREFUSED ETIMEDOUT EINVAL ESHUTDOWN EHOSTDOWN EHOSTUNREACH EISCONN
|
43
|
+
# ECONNABORTED ENETRESET ENETUNREACH Net HTTPBadResponse HTTPHeaderSyntaxError ProtocolError
|
44
|
+
# Faraday BadRequestError UnauthorizedError ForbiddenError ResourceNotFound ProxyAuthError
|
45
|
+
# ConflictError UnprocessableEntityError ClientError
|
46
|
+
# ].cs__freeze
|
47
|
+
# CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'.cs__freeze
|
48
|
+
# # This will generate different chars for each agent startup but will be constant
|
49
|
+
# # for current run and will make identical obfuscation to be compared if given type
|
50
|
+
# # is the same.
|
51
|
+
# CYPHER = CHARS.chars.shuffle.join
|
52
|
+
#
|
53
|
+
# class << self
|
54
|
+
# # Returns paths for known gems.
|
55
|
+
# #
|
56
|
+
# # @return [Array<Regexp>] known paths
|
57
|
+
# def known_gem_paths
|
58
|
+
# @_known_gem_paths ||= KNOWN_GEMS.map do |gem_name|
|
59
|
+
# to_regexp(File.join(
|
60
|
+
# 'gems', gem_name.tr('-', ''), 'lib'))
|
61
|
+
# end
|
62
|
+
# end
|
63
|
+
#
|
64
|
+
# # Returns known modules names.
|
65
|
+
# #
|
66
|
+
# # @return [Array<Regexp>] known modules
|
67
|
+
# def known_modules
|
68
|
+
# @_known_modules ||= KNOWN_ERRORS.map { |module_name| to_regexp(module_name) }
|
69
|
+
# end
|
70
|
+
#
|
71
|
+
# # Obfuscate a type and replace it with random characters.
|
72
|
+
# #
|
73
|
+
# # @param type [String] the StackFrame type to obfuscate
|
74
|
+
# # @return [String] obfuscated type
|
75
|
+
# def obfuscate_type type
|
76
|
+
# return unless type
|
77
|
+
#
|
78
|
+
# check = type.tr('[^0-9].-', '')
|
79
|
+
# type = cypher(type) unless match_known(known_gem_paths, check)
|
80
|
+
# type
|
81
|
+
# end
|
82
|
+
#
|
83
|
+
# # Obfuscate a type and replace it with random characters.
|
84
|
+
# #
|
85
|
+
# # @param exception_type [String] the exception type to obfuscate
|
86
|
+
# # @return [String] obfuscated exception type
|
87
|
+
# def obfuscate_exception_type exception_type
|
88
|
+
# return unless exception_type
|
89
|
+
#
|
90
|
+
# exceptions = exception_type.split('::').each do |exception|
|
91
|
+
# cypher(exception) unless match_known(known_modules, exception)
|
92
|
+
# end
|
93
|
+
# exceptions.join('::')
|
94
|
+
# end
|
95
|
+
#
|
96
|
+
# private
|
97
|
+
#
|
98
|
+
# # Transforms string to regexp
|
99
|
+
# #
|
100
|
+
# # @param string [String]
|
101
|
+
# def to_regexp string
|
102
|
+
# /#{ string }/
|
103
|
+
# end
|
104
|
+
#
|
105
|
+
# # Add cypher to path to make it obscure, but unique enough for
|
106
|
+
# # comparisons. Mutates original or duplicate if frozen string.
|
107
|
+
# #
|
108
|
+
# # @param string [String] string to be transformed.
|
109
|
+
# def cypher string
|
110
|
+
# string = string.dup if string.cs__frozen?
|
111
|
+
# string.to_s.tr!(CHARS, CYPHER)
|
112
|
+
# end
|
113
|
+
#
|
114
|
+
# # @param known [Array<Regexp>] Array of regexp to match against
|
115
|
+
# # @param type [String] type to check
|
116
|
+
# def match_known known, type
|
117
|
+
# known.any? { |regexp| type =~ regexp }
|
118
|
+
# end
|
119
|
+
# end
|
115
120
|
end
|
116
121
|
end
|
117
122
|
end
|
@@ -51,7 +51,7 @@ module Contrast
|
|
51
51
|
super
|
52
52
|
@settings = []
|
53
53
|
add_config_keys(::Contrast::CONFIG.config, 'root')
|
54
|
-
@settings << ENV.keys.select { |v| v.
|
54
|
+
@settings << ENV.keys.select { |v| v.start_with?('CONTRAST') }
|
55
55
|
@settings.flatten
|
56
56
|
add_tags
|
57
57
|
end
|
@@ -3,8 +3,7 @@
|
|
3
3
|
|
4
4
|
require 'contrast/components/logger'
|
5
5
|
require 'contrast/agent/reporting/report'
|
6
|
-
require 'contrast/agent/reporting/
|
7
|
-
require 'contrast/agent/reporting/server_settings_worker'
|
6
|
+
require 'contrast/agent/reporting/reporting_workers/reporting_workers'
|
8
7
|
require 'contrast/agent/telemetry/base'
|
9
8
|
require 'contrast/agent/protect/input_analyzer/worth_watching_analyzer'
|
10
9
|
require 'contrast/config/diagnostics'
|
@@ -19,19 +18,22 @@ module Contrast
|
|
19
18
|
attr_reader :heapdump_util
|
20
19
|
# @return [Contrast::Agent::Reporter]
|
21
20
|
attr_reader :reporter
|
22
|
-
# @return [Contrast::Agent::ReporterHeartbeat]
|
21
|
+
# @return [Contrast::Agent::ReportingWorkers::ReporterHeartbeat]
|
23
22
|
attr_reader :reporter_heartbeat
|
24
23
|
# @return [Contrast::Agent::Protect::WorthWatchingInputAnalyzer]
|
25
24
|
attr_reader :worth_watching_analyzer
|
26
|
-
# @return [Contrast::Agent::ServerSettingsWorker]
|
25
|
+
# @return [Contrast::Agent::ReportingWorkers::ServerSettingsWorker]
|
27
26
|
attr_reader :reporter_settings_worker
|
27
|
+
# @return [Contrast::Agent::ReportingWorkers::ApplicationServerWorker]
|
28
|
+
attr_reader :reporter_app_settings_worker
|
28
29
|
|
29
30
|
def initialize
|
30
31
|
@pids = {}
|
31
32
|
@heapdump_util = Contrast::Utils::HeapDumpUtil.new
|
32
33
|
@reporter = Contrast::Agent::Reporter.new
|
33
|
-
@reporter_heartbeat = Contrast::Agent::ReporterHeartbeat.new
|
34
|
-
@reporter_settings_worker = Contrast::Agent::ServerSettingsWorker.new
|
34
|
+
@reporter_heartbeat = Contrast::Agent::ReportingWorkers::ReporterHeartbeat.new
|
35
|
+
@reporter_settings_worker = Contrast::Agent::ReportingWorkers::ServerSettingsWorker.new
|
36
|
+
@reporter_app_settings_worker = Contrast::Agent::ReportingWorkers::ApplicationServerWorker.new
|
35
37
|
@telemetry = Contrast::Agent::Telemetry::Base.new if Contrast::Agent::Telemetry::Base.enabled?
|
36
38
|
@worth_watching_analyzer = Contrast::Agent::Protect::WorthWatchingInputAnalyzer.new unless protect_disabled?
|
37
39
|
end
|
@@ -41,10 +43,8 @@ module Contrast
|
|
41
43
|
return unless ::Contrast::AGENT.enabled?
|
42
44
|
|
43
45
|
logger.debug('ThreadWatcher started threads')
|
44
|
-
|
45
|
-
|
46
|
-
reporter_settings_worker_status = init_thread(reporter_settings_worker)
|
47
|
-
@pids[Process.pid] = reporter_status && reporter_heartbeat_status && reporter_settings_worker_status
|
46
|
+
|
47
|
+
@pids[Process.pid] = reporter_threads
|
48
48
|
if Contrast::Agent::Telemetry::Base.enabled?
|
49
49
|
telemetry_status = init_thread(telemetry_queue)
|
50
50
|
@pids[Process.pid] = @pids[Process.pid] && telemetry_status
|
@@ -56,6 +56,11 @@ module Contrast
|
|
56
56
|
@pids
|
57
57
|
end
|
58
58
|
|
59
|
+
def reporter_threads
|
60
|
+
init_thread(reporter) && init_thread(reporter_heartbeat) &&
|
61
|
+
init_thread(reporter_settings_worker) && init_thread(reporter_app_settings_worker)
|
62
|
+
end
|
63
|
+
|
59
64
|
def ensure_running?
|
60
65
|
return if @pids[Process.pid] == true
|
61
66
|
|
@@ -84,6 +89,7 @@ module Contrast
|
|
84
89
|
reporter_heartbeat&.stop!
|
85
90
|
worth_watching_analyzer&.stop!
|
86
91
|
reporter_settings_worker&.stop!
|
92
|
+
reporter_app_settings_worker&.stop!
|
87
93
|
end
|
88
94
|
|
89
95
|
# @return [Contrast::Agent::Telemetry::Base]
|
data/lib/contrast/agent.rb
CHANGED
@@ -55,6 +55,7 @@ module Contrast
|
|
55
55
|
|
56
56
|
# @return [Contrast::Framework::Manager]
|
57
57
|
def self.framework_manager
|
58
|
+
reinitialize_with_log
|
58
59
|
@_framework_manager ||= Contrast::Framework::Manager.new
|
59
60
|
end
|
60
61
|
|
@@ -82,6 +83,17 @@ module Contrast
|
|
82
83
|
def self.thread_watcher
|
83
84
|
@_thread_watcher ||= Contrast::Agent::ThreadWatcher.new
|
84
85
|
end
|
86
|
+
|
87
|
+
# Apparently by some unknown reason - if we have already some instance for the AgentLib - we can set the
|
88
|
+
# logger with options. That's why in rspec it started passing - because when we set the const in
|
89
|
+
# protect_spec_helper in the with AgentLib context - we've already set the AGENT_LIB constant.
|
90
|
+
#
|
91
|
+
# So that leads to this methods logic here, which somehow works
|
92
|
+
def self.reinitialize_with_log
|
93
|
+
return if Contrast::AGENT_LIB.enable_log
|
94
|
+
|
95
|
+
Contrast.cs__const_set(:AGENT_LIB, Contrast::AgentLib::Interface.new(true, 2, nil))
|
96
|
+
end
|
85
97
|
end
|
86
98
|
end
|
87
99
|
|
@@ -30,7 +30,6 @@ module Contrast
|
|
30
30
|
# @return [Integer] Return type of the function.
|
31
31
|
attach_function :init, [], :int
|
32
32
|
|
33
|
-
# TODO: RUBY-1693
|
34
33
|
# Initialize agent lib without any optional settings. To set optional settings consider using
|
35
34
|
# `init_with_options` instead If you want to enable logging, it must be set using environment variables
|
36
35
|
# `CONTRAST_AGENTLIB_LOG_LEVEL` - set to log level. Must of one of ERROR, WARN, INFO, DEBUG or TRACE
|
@@ -45,7 +44,6 @@ module Contrast
|
|
45
44
|
# @return [Integer] Return type of the function.
|
46
45
|
attach_function :init_with_options, %i[bool string string], :int
|
47
46
|
|
48
|
-
# TODO: RUBY-1693
|
49
47
|
# Change log settings for agent lib after it's been initialized. This api must be used after init
|
50
48
|
#
|
51
49
|
# Safety
|
@@ -55,7 +53,6 @@ module Contrast
|
|
55
53
|
# if logging is enabled
|
56
54
|
attach_function :change_log_settings, %i[bool string], :int
|
57
55
|
|
58
|
-
# TODO: RUBY-1693
|
59
56
|
# Initialize AgentLib with options.
|
60
57
|
# If init returns 0 = successful setup with options
|
61
58
|
# if init returns 1 = unsuccessful setup with options
|
@@ -83,16 +80,13 @@ module Contrast
|
|
83
80
|
init.zero?
|
84
81
|
end
|
85
82
|
|
86
|
-
# TODO: RUBY-1693
|
87
83
|
# Change the log settings. This api must be called after the dl__init_with_options.
|
88
84
|
#
|
89
85
|
# @param enable_log [Boolean] flag to enable or disable logging this sets the inner flag.
|
90
86
|
# @param log_level [String] OFF, ERROR, WARN, INFO, DEBUG or TRACE.
|
91
87
|
# @return [Boolean] true if initialized false if not.
|
92
88
|
def dl__change_log_settings enable_log, log_level
|
93
|
-
|
94
|
-
log_dir_pointer = FFI::MemoryPointer.from_string(log_level.dup.force_encoding('UTF-8'))
|
95
|
-
return true if change_log_settings(enable_log, log_dir_pointer).zero?
|
89
|
+
return true if change_log_settings(enable_log, log_level).zero?
|
96
90
|
|
97
91
|
false
|
98
92
|
end
|
@@ -53,12 +53,10 @@ module Contrast
|
|
53
53
|
ffi_lib ContrastAgentLib::CONTRAST_C
|
54
54
|
ffi_convention :stdcall
|
55
55
|
|
56
|
-
DbType = enum(:DB2, :MySQL, :Oracle, :Postgres, :Sqlite, :SqlServer, :Unknown)
|
57
|
-
|
58
56
|
# Returns 0 if evaluation was successful, -1 if there was an unexpected error.
|
59
57
|
attach_function :check_cmd_injection_query, %i[int int string pointer], :int
|
60
58
|
# Return 0 if evaluation was successful, -1 iif there was an unexpected error.
|
61
|
-
attach_function :check_sql_injection_query, [
|
59
|
+
attach_function :check_sql_injection_query, %i[int int int string pointer], :int
|
62
60
|
# Free function for all input tracing results pass to check functions.
|
63
61
|
attach_function :free_check_query_sink_result, [:pointer], :int
|
64
62
|
# Evaluate header input:
|
@@ -126,7 +124,7 @@ module Contrast
|
|
126
124
|
# @return [Hash, nil] Returns 0 if evaluation was successful, -1 if there was an unexpected error.
|
127
125
|
def dl__check_sql_injection_query input_index, input_length, db_type, sql_query
|
128
126
|
db_type = :Sqlite if db_type.to_s.casecmp('sqlite3').zero?
|
129
|
-
dbtype =
|
127
|
+
dbtype = Contrast::AGENT_LIB.db_set[db_type.to_s.upcase.to_sym]
|
130
128
|
pointer = FFI::MemoryPointer.new(:pointer)
|
131
129
|
check = check_sql_injection_query(input_index, input_length, dbtype, sql_query, pointer)
|
132
130
|
|
@@ -5,7 +5,6 @@ require 'contrast/agent_lib/api/init'
|
|
5
5
|
require 'contrast/agent_lib/api/command_injection'
|
6
6
|
require 'contrast/agent_lib/api/input_tracing'
|
7
7
|
require 'contrast/agent_lib/api/panic'
|
8
|
-
require 'contrast/agent_lib/api/method_tempering'
|
9
8
|
require 'contrast/agent_lib/api/path_semantic_file_security_bypass'
|
10
9
|
require 'contrast/components/logger'
|
11
10
|
require 'contrast/utils/object_share'
|
@@ -24,8 +23,6 @@ module Contrast
|
|
24
23
|
include Contrast::AgentLib::Panic
|
25
24
|
include Contrast::AgentLib::InputTracing
|
26
25
|
include Contrast::AgentLib::CommandInjection
|
27
|
-
# TODO: RUBY-1632
|
28
|
-
# include Contrast::AgentLib::MethodTempering
|
29
26
|
include Contrast::AgentLib::PathSemanticFileSecurityBypass
|
30
27
|
include Contrast::Components::Logger::InstanceMethods
|
31
28
|
|
@@ -113,7 +110,7 @@ module Contrast
|
|
113
110
|
# @param level [Integer, nil] one of:
|
114
111
|
# [-1...4]
|
115
112
|
def log_level= level = nil
|
116
|
-
set_level = level.nil? ?
|
113
|
+
set_level = level.nil? ? 4 : level
|
117
114
|
update_log_level(set_level)
|
118
115
|
end
|
119
116
|
|
@@ -243,18 +240,6 @@ module Contrast
|
|
243
240
|
|
244
241
|
with_mutex { dl__does_file_bypass_security(file_path, is_custom_code) }
|
245
242
|
end
|
246
|
-
|
247
|
-
# TODO: RUBY-1632 Test after integration and if method-tempering is covered
|
248
|
-
# # Check to see if method is being tempered or not.
|
249
|
-
# # Used with Protect method-tampering rule.
|
250
|
-
# #
|
251
|
-
# # @param method [String] method to check
|
252
|
-
# # @return [Boolean]
|
253
|
-
# def method_tempered? method
|
254
|
-
# return false unless method
|
255
|
-
#
|
256
|
-
# with_mutex { dl__method_tempered?(method) }
|
257
|
-
# end
|
258
243
|
end
|
259
244
|
end
|
260
245
|
end
|
@@ -1,46 +1,16 @@
|
|
1
1
|
# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require 'contrast-agent-lib'
|
5
|
+
require 'contrast/agent/reporting/settings/helpers'
|
6
|
+
|
4
7
|
module Contrast
|
5
8
|
module AgentLib
|
6
9
|
# Base class to set basic rule sets and input list.
|
7
10
|
class InterfaceBase
|
8
|
-
# This could be changed to regular Hash.
|
9
|
-
# This format is used to supports this kind of log_level assignment:
|
10
|
-
# via Contrast::Api::Settings::LogLevel::WARN => 3
|
11
|
-
# ( note -1 is not supported in the protobuf LogLevel)
|
12
11
|
LOG_LEVEL = { -1 => 'OFF', 0 => 'TRACE', 1 => 'DEBUG', 2 => 'INFO', 3 => 'WARN', 4 => 'ERROR' }.cs__freeze
|
13
12
|
LOG_DIR = File.join(Dir.pwd).cs__freeze
|
14
|
-
#
|
15
|
-
# Corresponding to Rust's ulong enum
|
16
|
-
RULE_SET = {
|
17
|
-
'unsafe-file-upload' => 1 << 0,
|
18
|
-
'path-traversal' => 1 << 1,
|
19
|
-
'reflected-xss' => 1 << 2,
|
20
|
-
'sql-injection' => 1 << 3,
|
21
|
-
'cmd-injection' => 1 << 4,
|
22
|
-
'nosql-injection' => 1 << 5,
|
23
|
-
'bot-blocker' => 1 << 6,
|
24
|
-
'ssjs-injection' => 1 << 7,
|
25
|
-
'method-tampering' => 1 << 8
|
26
|
-
}.cs__freeze
|
27
|
-
# Named same as Contrast::Agent::Reporting::InputTypes
|
28
|
-
INPUT_SET = {
|
29
|
-
COOKIE_NAME: 1,
|
30
|
-
COOKIE_VALUE: 2,
|
31
|
-
HEADER_NAME: 3,
|
32
|
-
HEADER_VALUE: 4,
|
33
|
-
JSON_NAME: 5,
|
34
|
-
JSON_VALUE: 6,
|
35
|
-
METHOD: 7,
|
36
|
-
PARAMETER_NAME: 8,
|
37
|
-
PARAMETER_VALUE: 9,
|
38
|
-
URI: 10,
|
39
|
-
URL_PARAMETER: 11,
|
40
|
-
MULTIPART_NAME: 12,
|
41
|
-
XML_VALUE: 13
|
42
|
-
}.cs__freeze
|
43
|
-
EVAL_OPTIONS = { NONE: 0, WORTHWATCHING: 1 }.cs__freeze
|
13
|
+
# Parameters passed to AgentLib. WorthWatching is used for those rules only that support it.
|
44
14
|
|
45
15
|
# Initializes the Agent lib.
|
46
16
|
#
|
@@ -54,18 +24,33 @@ module Contrast
|
|
54
24
|
# Override
|
55
25
|
end
|
56
26
|
|
57
|
-
# Return list of available rules
|
27
|
+
# Return list of available rules. On first call the constants are extracted from the gem and set
|
28
|
+
# to resemble the protect rules ids used across the agent, e.g. CMD_INJECTIONS => cmd-injection.
|
29
|
+
#
|
30
|
+
# *** Note that the NoSQLI rules is used within the agent, but in future need arise to be used with the
|
31
|
+
# AgentLib, the rule_id for that rule atm is 'nosql-injection-mongo' ***
|
58
32
|
#
|
33
|
+
# All the rules types extracted from the AgentLib gem will have value corresponding to an ulong enum in
|
34
|
+
# Rust land.
|
59
35
|
# @return [Hash]
|
36
|
+
# @raise [NameError] If Gem is loaded but not constants are generated there could be not defined
|
37
|
+
# module name, or if module was renamed.
|
60
38
|
def rule_set
|
61
|
-
|
39
|
+
@_rule_set ||= extract_constants(ContrastAgentLib::RuleType, to_rule_id: true)
|
62
40
|
end
|
63
41
|
|
64
|
-
# Returns list of available input types
|
42
|
+
# Returns list of available input types
|
65
43
|
#
|
66
44
|
# @return [Hash]
|
67
45
|
def input_set
|
68
|
-
|
46
|
+
@_input_set ||= extract_constants(ContrastAgentLib::InputType)
|
47
|
+
end
|
48
|
+
|
49
|
+
# Return the AgentLib supported Database types.
|
50
|
+
#
|
51
|
+
# @return [Hash]
|
52
|
+
def db_set
|
53
|
+
@_db_set ||= extract_constants(ContrastAgentLib::DbType)
|
69
54
|
end
|
70
55
|
|
71
56
|
# Return list of input evaluation options:
|
@@ -73,7 +58,12 @@ module Contrast
|
|
73
58
|
#
|
74
59
|
# @return [Hash]
|
75
60
|
def eval_option
|
76
|
-
|
61
|
+
@_eval_option ||= begin
|
62
|
+
consts = extract_constants(ContrastAgentLib::EvalOptions).dup
|
63
|
+
# Adding the option to call the AgentLib without WorthWatching:
|
64
|
+
consts[:NONE] = 0
|
65
|
+
consts.cs__freeze
|
66
|
+
end
|
77
67
|
end
|
78
68
|
|
79
69
|
private
|
@@ -113,6 +103,29 @@ module Contrast
|
|
113
103
|
FileUtils.mkdir_p(LOG_DIR)
|
114
104
|
LOG_DIR
|
115
105
|
end
|
106
|
+
|
107
|
+
# This method extracts constats from the AgentLib gem, from specific module.
|
108
|
+
# If the to_rule_id flag is set the constant names would be transformed from
|
109
|
+
# Symbols to string protect rule ids: e.g. CMD_INJECTIONS => cmd-injection.
|
110
|
+
#
|
111
|
+
# @param module_name [Module] e.g. ContrastAgentLib::RuleType
|
112
|
+
# @param to_rule_id [Boolean] Flag to convert the keys of the hash to protect rule_id style
|
113
|
+
# @return [Hash] Frozen hash with the extracted constants
|
114
|
+
def extract_constants module_name, to_rule_id: false
|
115
|
+
hash = {}
|
116
|
+
return hash unless module_name.cs__is_a?(Module)
|
117
|
+
|
118
|
+
module_name.cs__constants.each do |constant|
|
119
|
+
key = to_rule_id ? Contrast::Agent::Reporting::Settings::Helpers.to_rule_id(constant) : constant
|
120
|
+
hash[key] = module_name.cs__const_get(constant)
|
121
|
+
end
|
122
|
+
hash.cs__freeze
|
123
|
+
rescue NameError => e
|
124
|
+
# This should be log as error since if there is no rule set there will be no ia happening,
|
125
|
+
# and something has gone wrong with enabling the gem for the Agent.
|
126
|
+
logger.error("[AgentLib] Could not extract #{ module_name } constants", error: e)
|
127
|
+
{}.cs__freeze
|
128
|
+
end
|
116
129
|
end
|
117
130
|
end
|
118
131
|
end
|
@@ -26,8 +26,8 @@ module Contrast
|
|
26
26
|
def initialize hsh
|
27
27
|
return unless hsh&.cs__is_a?(Hash)
|
28
28
|
|
29
|
-
@rule_id = Contrast::
|
30
|
-
@input_type = Contrast::
|
29
|
+
@rule_id = Contrast::AGENT_LIB.rule_set.key(hsh[:rule_id])
|
30
|
+
@input_type = Contrast::AGENT_LIB.input_set.key(hsh[:input_type])
|
31
31
|
@score = hsh[:score]
|
32
32
|
end
|
33
33
|
|
@@ -23,6 +23,16 @@ module Contrast
|
|
23
23
|
attr_reader :canon_name
|
24
24
|
# @return [Array]
|
25
25
|
attr_reader :config_values
|
26
|
+
# @return [Boolean]
|
27
|
+
attr_writer :enable_original_object
|
28
|
+
# @return [Integer]
|
29
|
+
attr_writer :max_context_source_events
|
30
|
+
# @return [Integer]
|
31
|
+
attr_writer :max_propagation_events
|
32
|
+
# @return [Integer]
|
33
|
+
attr_writer :max_rule_reported
|
34
|
+
# @return [Integer]
|
35
|
+
attr_writer :time_limit_threshold
|
26
36
|
|
27
37
|
DEFAULT_STACKTRACES = 'ALL'
|
28
38
|
DEFAULT_MAX_SOURCE_EVENTS = 50_000
|
@@ -55,10 +65,7 @@ module Contrast
|
|
55
65
|
@sampling = Contrast::Components::Sampling::Interface.new(hsh[:sampling])
|
56
66
|
@rules = Contrast::Components::AssessRules::Interface.new(hsh[:rules])
|
57
67
|
@stacktraces = hsh[:stacktraces]
|
58
|
-
|
59
|
-
@max_propagation_events = hsh[:max_propagation_events]
|
60
|
-
@max_rule_reported = hsh[:max_rule_reported]
|
61
|
-
@time_limit_threshold = hsh[:time_limit_threshold]
|
68
|
+
assign_limits(hsh)
|
62
69
|
end
|
63
70
|
|
64
71
|
# @return [Boolean, true]
|
@@ -224,6 +231,21 @@ module Contrast
|
|
224
231
|
@_forcibly_enabled = true?(::Contrast::CONFIG.assess.enable) if @_forcibly_enabled.nil?
|
225
232
|
@_forcibly_enabled
|
226
233
|
end
|
234
|
+
|
235
|
+
# Sets Event limits from configuration and converts string numbers to integers.
|
236
|
+
def assign_limits hsh
|
237
|
+
return unless hsh
|
238
|
+
|
239
|
+
source_limit = hsh[:max_context_source_events]&.to_i
|
240
|
+
propagation_limit = hsh[:max_propagation_events]&.to_i
|
241
|
+
max_rule_reporter = hsh[:max_rule_reported]&.to_i
|
242
|
+
time_limit = hsh[:time_limit_threshold]&.to_i
|
243
|
+
|
244
|
+
@max_context_source_events = source_limit if source_limit
|
245
|
+
@max_propagation_events = propagation_limit if propagation_limit
|
246
|
+
@max_rule_reported = max_rule_reporter if max_rule_reporter
|
247
|
+
@time_limit_threshold = time_limit if time_limit
|
248
|
+
end
|
227
249
|
end
|
228
250
|
end
|
229
251
|
end
|